RDP and other services over VPN

Configuration is: operator MikroTik antenna as router → my MikroTik hAP mini (RB931-2nD) (as router). On the first router the forwarded ports are 1723, 1194. On my MikroTik, PPTP and OpenVPN VPNs are configured. VPN works, but RDP, Winflector, VNC over VPN sometimes work but often don't. My customer's internet is good: 30 MB download, 10 MB upload. Should I add something to the VPN config (maybe change MTU)?

Good Morning,

I'm not sure I quite understand your question / IT setup.

You have a home network with a MikroTik router (hAP mini (RB931-2nD)).
The router has an Internet connection and connects to a VPN server over PPTP and OpenVPN
and ???

Question 1: Are you trying to communicate over RDP, Winflector, VNC from the Internet to your home network (incoming traffic)
or from your home network to the Internet (outgoing)?
Question 2: Does all the traffic on your home network travel through the VPN, and only RDP, Winflector, VNC isn't working?
Or is only RDP, Winflector, VNC travelling through the VPN tunnel and it isn't working?

My config is

home -------> office mikrotik1 as router (model unknown, this device is from ISP) ----> office main router mikrotik2 RB931-2nD ----> devices in office (including server)

Mikrotik1 - port forwards (made by ISP) - TCP 1723, TCP 1194

Mikrotik2 - PPTP server, OVPN server

From home I can connect to mikrotik2 with VPN. Sometimes I can connect over VPN (first I connect to VPN and then I connect in the local network) to the server with RDP, VNC and other software, but very often not. This is not related to the server because there are also other computers in the office network which I often cannot connect to. This is not related to the home computer because I tried to connect from different locations and different computers.

Hmmmm…
On-again, off-again problems are always a pain to diagnose.

I would:

  1. Trace the connection
    Make a trace when it's both working and not working to compare

  2. DNS
    If you're not already connecting to your servers via IP address, I would try for diagnostic purposes to circumvent DNS

  3. IP ranges
    Check that the home and office networks don't have the same network range

  1. Difficult; now it is not working (VPN connection is OK but RDP, Winflector etc. … don't work)
  2, 3. Server address is 192.168.1.10, my home network is different, let's say 192.168.50.x

If you would like us to look through your configuration then, please, export it from the router (we don’t need to see the sensitive details e.g.: passwords) and attach it to your post. Also, PPTP is no longer considered secure and it would be a good idea to replace it with L2TP/IPSec or SSTP.


/export hide-sensitive file=RouterConfig
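As an added example (not from this thread or from MikroTik), a small Python lint that runs the checks raised in this thread against such an export: PPTP server still enabled, a PPP profile without change-tcp-mss=yes (the MSS clamping that addresses MTU trouble over the tunnel), and LAN or VPN pool addresses that collide with the home network. The export text and the home network 192.168.50.0/24 are constructed sample values.

```python
import ipaddress
import shlex

def parse_export(text):
    """Turn a RouterOS /export into (menu path, {key: value}) records."""
    records, path, pending = [], "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):              # export wraps long lines with '\'
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line.startswith("/"):             # menu path, e.g. "/ppp profile"
            path = line
        elif line and not line.startswith("#"):
            tokens = shlex.split(line)       # shlex keeps name="VPN Pool" whole
            params = dict(tok.partition("=")[::2] for tok in tokens[1:])
            params["_cmd"] = tokens[0]
            records.append((path, params))
    return records

def lint(text, home_network):
    home = ipaddress.ip_network(home_network, strict=False)
    out = []
    for path, p in parse_export(text):
        if path == "/interface pptp-server server" and p.get("enabled") == "yes":
            out.append("PPTP server enabled; replace with L2TP/IPsec or SSTP")
        elif path == "/ppp profile" and "remote-address" in p and p.get("change-tcp-mss") != "yes":
            out.append(f"profile {p.get('name')}: change-tcp-mss is not yes, expect MTU/MSS trouble")
        elif path == "/ip address" and "address" in p:
            if ipaddress.ip_network(p["address"], strict=False).overlaps(home):
                out.append(f"LAN {p['address']} overlaps home network {home}")
        elif path == "/ip pool" and "ranges" in p:
            ends = [ip for part in p["ranges"].split(",") for ip in part.split("-")]
            if any(ipaddress.ip_address(ip) in home for ip in ends):
                out.append(f"pool {p.get('name')} overlaps home network {home}")
    return out

# Constructed sample export, not the thread's real router config.
SAMPLE_EXPORT = """\
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge
/ip pool
add name="VPN Pool" ranges=192.168.89.100-192.168.89.200
/ppp profile
add change-tcp-mss=no local-address=192.168.88.1 name="VPN Profile" \\
    remote-address="VPN Pool" use-encryption=yes
"""
```

Running `lint(SAMPLE_EXPORT, "192.168.50.0/24")` reports the PPTP and MSS findings; passing "192.168.1.0/24" as the home network additionally flags the LAN overlap the diagnosis steps above ask about.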

One thing that I did for my OpenVPN configuration is to use a mangle rule to mark the port 1194 connections and then added a NAT masquerade rule. This allowed me to do everything I needed through the VPN connection.


/ip firewall mangle add action=mark-connection chain=prerouting in-interface=ether1 \
  new-connection-mark=OpenVPN passthrough=yes protocol=tcp src-port=1194

/ip firewall nat add action=masquerade chain=srcnat connection-mark=OpenVPN

NB: This assumes that your Internet port is ether1. If it isn’t, you’ll need to change the in-interface setting to the correct port.

@MickeyT

For e.g. what? How easily can I test this rule? Also I'm using OVPN; it allows me to do everything as well. I'm trying to get deep and dive into your rule.
I'm asking for some basic examples.

Basic e.g.:
if I add on NAT
add action=masquerade chain=srcnat out-interface=ovpn-client
I can get access to that site; by using your one it doesn't allow me. That's why I'm wondering in which cases can se

I don’t have examples to provide but the basic configuration I’ve used successfully is (Adjust the IP addresses and ranges to suit your situation):

/ip pool add name="VPN Pool" ranges=192.168.89.100-192.168.89.200

/ppp profile add name="VPN Profile" local-address=192.168.88.1 \
    remote-address="VPN Pool" change-tcp-mss=yes only-one=yes \
    use-encryption=yes dns-server=1.1.1.1,1.0.0.1

/ppp secret add name=user1 password=p@sSword1 profile="VPN Profile"

/interface ovpn-server server set default-profile="VPN Profile" \
    certificate=MikroTikServer require-client-certificate=yes \
    auth=sha1 cipher=aes128,aes192,aes256 enabled=yes

/ip firewall filter add chain=input dst-port=1194 protocol=tcp \
    comment="OpenVPN VPN"

/ip firewall mangle add action=mark-connection chain=prerouting \
    in-interface=ether1 new-connection-mark=OpenVPN \
    passthrough=yes protocol=tcp src-port=1194

/ip firewall nat add action=masquerade chain=srcnat \
    connection-mark=OpenVPN

You also need to create the OpenVPN config file and necessary certificates.

Create MikroTik CA

/certificate add name=ca-template common-name=MikroTikCA key-usage=key-cert-sign,crl-sign
/certificate sign ca-template name=MikroTikCA
/certificate set MikroTikCA trusted=yes

Create MikroTik Server Certificates

/certificate add name=server-template common-name=MikroTikServer
/certificate sign server-template ca=MikroTikCA name=MikroTikServer
/certificate set MikroTikServer trusted=yes

Create MikroTik Client Certificates

/certificate add name=client1-template common-name=Client1
/certificate sign client1-template ca=MikroTikCA name=Client1
/certificate export-certificate Client1 export-passphrase=password

Use OpenSSL to remove the password from the client key

openssl rsa -in cert_export_Client1.key -out cert_export_Client1.nopass.key

Create An OpenVPN Configuration File

dev tun
client
proto tcp
remote fqdn 1194
remote ip-address 1194
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
auth SHA1
float
reneg-sec 28800
nobind
mute-replay-warnings
auth-user-pass
redirect-gateway def1 bypass-dhcp
<ca>
<-- CA Cert -->
</ca>
<cert>
<-- Client Cert -->
</cert>
<key>
<-- Client Key -->
</key>

Replace the following entries:
fqdn: with the fully qualified domain name
<-- CA Cert -->: with the MikroTik CA certificate
<-- Client Cert -->: with the client certificate
<-- Client Key -->: with the client key that has had the password removed.

Check your settings for the PPP VPN Profile as this may also be important to your configuration. I hope this helps.

@MickeyT

I think you didn't get me.
I don't worry about the config;
I got OVPN running on my router behind NAT, and the rule that I'm using is (on my main RB):

NAT
add action=dst-nat chain=dstnat comment=OpenVPN dst-port=1194 in-interface-list=WAN protocol=tcp to-addresses=local_ovpn

What I'm asking is:
by adding the mangle rule and then doing masquerade as above, what are you getting there, or what do you want me to do to make sure that it works?

I did misunderstand. The configuration I’ve been using has only one MikroTik directly connected to the Internet so I didn’t need to worry about the NAT aspect of an intervening router.

From memory (I don't have access to the necessary equipment anymore), the Internet-connected router just needs to do port pass-through (as you already have) to the second router (where the OpenVPN server is configured, if I've followed what you're saying). The second router needs to have the mangle and NAT rules.

I can’t be sure that this will work and, not having the equipment anymore, I can’t test the arrangement (I wish I could).