Problems with OpenVPN

Hello,

I have 2 MikroTik routers and I want to set up an OpenVPN connection between both networks.

I configured the server this way:


/interface ovpn-server server
set certificate=myCa enabled=yes require-client-certificate=yes

/ip firewall filter
add chain=input dst-port=1194 in-interface=pppoe-out1 protocol=tcp

/ppp secret
add local-address=172.16.16.1 name=myuser password=mypass remote-address=172.16.16.2 routes="192.168.1.0/24 172.16.16.2 1" service=ovpn

On the client side:


/interface ovpn-client
add auth=md5 certificate=cert_export_client1.crt_0 cipher=aes128 connect-to=ServerIP mac-address=02:30:42:xx:xx:xx name=ovpn-out1 password=mypass user=myuser

/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=ovpn-out1

Server LAN is 192.168.2.0/24 and client LAN is 192.168.1.0/24.

The VPN is running and I can do a ping from server LAN to 172.16.16.2:


# ping 172.16.16.2 -c 4
PING 172.16.16.2 (172.16.16.2) 56(84) bytes of data.
64 bytes from 172.16.16.2: icmp_seq=1 ttl=63 time=30.2 ms
64 bytes from 172.16.16.2: icmp_seq=2 ttl=63 time=29.1 ms
64 bytes from 172.16.16.2: icmp_seq=3 ttl=63 time=32.0 ms
64 bytes from 172.16.16.2: icmp_seq=4 ttl=63 time=29.2 ms

--- 172.16.16.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 29.111/30.172/32.098/1.204 ms

But not to the client LAN:


# ping 192.168.1.1 -c 4
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.

From the client side I cannot ping the server LAN:


# ping 172.16.16.1 -c 4
PING 172.16.16.1 (172.16.16.1) 56(84) bytes of data.



# ping 192.168.2.1 -c 4
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.

Do I need to configure something else? Could someone help?

Thanks and best regards.

Check whether the route table looks OK and the firewall allows forwarding of the traffic.
Also check that the NAT rule does not apply to your traffic between the local networks.

Did you set proxy-arp on the LAN interface?

J.

Thanks for the reply.
This is the server-side information:

/ip route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.144.1             0
 1   S  0.0.0.0/0                          255.255.255.255         255
 2   S  0.0.0.0/0                          255.255.255.255         255
 3 ADC  10.26.128.0/18     10.26.137.240   vlan3                     0
 4 ADr  10.31.255.128/27                   10.26.128.1             120
 5 ADC  10.64.0.0/10       10.102.132.22   vlan2                     0
 6 ADC  172.16.1.2/32      172.16.1.1      <ovpn-myuser>          0
 7 ADr  172.26.22.0/26                     10.64.0.1               120
 8 ADr  172.26.22.23/32                    10.64.0.1               120
 9 ADr  172.26.22.56/29                    10.64.0.1               120
10 ADr  172.26.23.0/27                     10.64.0.1               120
11 ADr  172.26.23.4/32                     10.64.0.1               120
12 ADr  172.26.23.5/32                     10.64.0.1               120
13 ADr  172.26.23.23/32                    10.64.0.1               120
14 ADr  172.26.23.24/32                    10.64.0.1               120
15 ADr  172.26.23.30/32                    10.64.0.1               120
16 ADr  172.26.80.0/21                     10.64.0.1               120
17  DS  192.168.1.0/24                     172.16.16.2               1
18 ADC  192.168.2.0/24     192.168.2.1     bridge-local              0
19 ADC  192.168.100.0/24   192.168.100.10  ether1-gateway            0
20 ADC  192.168.144.1/32   83.x.x.x     pppoe-out1                0



/ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    chain=input action=accept in-interface=vlan2 log=no log-prefix="" 

 2    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 3    ;;; default configuration
      chain=input action=accept connection-state=established log=no 
      log-prefix="" 

 4    ;;; default configuration
      chain=input action=accept connection-state=related log=no log-prefix="" 

 5    chain=input action=accept protocol=tcp in-interface=pppoe-out1 
      dst-port=8080 log=no log-prefix="" 

 6    chain=input action=accept protocol=tcp in-interface=pppoe-out1 
      dst-port=1194 log=no log-prefix="" 

 7    ;;; default configuration
      chain=input action=drop in-interface=pppoe-out1 log=no log-prefix="" 

 8    ;;; default configuration
      chain=forward action=accept connection-state=established log=no 
      log-prefix="" 

 9    ;;; default configuration
      chain=forward action=accept connection-state=related log=no 
      log-prefix="" 

10    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 



/ip firewall nat print  
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix="" 

 1    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix="" 

 2    ;;; default configuration
      chain=srcnat action=masquerade out-interface=vlan2 log=no log-prefix="" 

 3    ;;; default configuration
      chain=srcnat action=masquerade out-interface=vlan3 log=no log-prefix="" 

This is the client-side:

/ip route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          82.130.132.1              1
 1 ADC  82.130.132.0/22    82.x.x.x  ether1-gateway            0
 2 ADC  172.16.1.1/32      172.16.1.2      ovpn-out1                 0
 3 ADC  192.168.1.0/24     192.168.1.1     ether2-master             0
 4 A S  192.168.2.0/24                     ovpn-out1                 1



/ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3    chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=8080 log=no log-prefix="" 

 4    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix="" 

 5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 6    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 7    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 8    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix="" 



/ip firewall nat print    
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix="" 

 1    ;;; default configuration
      chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway log=no log-prefix="" 

I am new to MikroTik; I see lots of rules in the firewall, which I copied from a blog. I have 3 services (vlan2, vlan3 and vlan6) with my ISP.
Do you see something wrong?
Best regards.

Thanks javino,
How could I check it?
Best regards.