I have a remote VPS instance with OpenVPN 2.4.7 installed and set up (Debian 9).
Forwarding is set up, and non-MikroTik clients can connect and route traffic through this tunnel without any additional setup.
Then I am trying to hook up my hAP ac^2 (ROS 6.45.5) via VPN (without forwarding everything by default).
The OpenVPN server is configured to run in tun/tcp without compression, using SHA1/AES256-CBC without ta-auth.
IPv6 is not set up either (mostly because I can’t get it to work on MT either).
I can ping the remote server using its address in the OpenVPN subnet, and when I try to ping hosts on the public network (e.g. 8.8.8.8), tcpdump on the VPS shows outgoing traffic from the MT client to 8.8.8.8 and back into the tunnel.
The packet sniffer on MT also shows both tx and rx packets, but ping shows timeouts.
Before moving forward with the configuration I must list some cloaked IP addresses:
REM.SRV.PUB.IP - public IP of remote server where VPN server is running
LOC.MTK.PUB.IP - public IP of the MikroTik router (it is dynamic for now, but not NATed, though my ISP can't guarantee that)
VPN.INT.SUB.0/24 - subnet which OpenVPN server uses
VPN.INT.SUB.1 - OpenVPN server internal address
VPN.INT.SUB.4 - MT client internal address
In the ccd file of the OpenVPN server I have this line to push a static IP to the OpenVPN client (since dynamic configuration messes up the routes on MT):
ifconfig-push VPN.INT.SUB.4 VPN.INT.SUB.1
The OVPN client is configured this way:
/interface ovpn-client
add certificate=<crt_file_name> cipher=aes256 connect-to=REM.SRV.PUB.IP mac-address=XX:XX:XX:XX:XX:XX name=<vpn_name> port=1194 profile=<vpn_profile> user=<cert_cn> verify-server-certificate=yes
/ppp profile
add name=<vpn_profile> use-compression=no use-encryption=yes use-ipv6=no use-mpls=no
After digging through documentation and forums, I tried to mark VPN traffic using mangle rules and force a default route using this mark:
/interface list
add name=VPN
/interface list member
add interface=<vpn_name> list=VPN
/ip firewall address-list
add address=VPN.INT.SUB.0/24 list=ovpn-addr
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=!ovpn in-interface-list=VPN new-connection-mark=ovpn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ovpn new-routing-mark=ovpn passthrough=yes src-address-list=ovpn-addr
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=VPN routing-mark=ovpn src-address-list=ovpn-addr
/ip route
add distance=1 gateway=<vpn_name> routing-mark=ovpn
Other firewall rules are left as is (except disabling access to 127.0.0.1 for CAPsMAN).
Apparently, disabling the fasttrack rule helps, but I don’t want to disable it completely.
So, do I need to bypass FT somehow?
Also, I understand how it should affect routing, but I can’t figure out why it is recommended to use PBR for VPN connections on MT.
Everyone does it, but there’s no viable explanation.
Thanks in advance.
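As an added example (not part of the original post and not the poster's own config), the following filter rules show how fasttrack can stay enabled for ordinary traffic while connections carrying the `ovpn` connection mark from the post are kept out of it. Once a connection is fasttracked, its later packets skip the mangle table, so the routing mark is never applied to them; excluding marked connections from the fasttrack rule avoids that. The rules assume the stock established/related fasttrack rule of the default RouterOS firewall is replaced by these two, and that the mark-connection mangle rule from the post runs in prerouting before the forward chain sees the packet.

```routeros
# Added example, not the poster's configuration.
# Assumes the "ovpn" connection mark is set in mangle prerouting as in the post.
/ip firewall filter
# Fasttrack only connections that do NOT carry the VPN connection mark,
# so VPN-marked traffic keeps passing through mangle and gets its routing mark.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=!ovpn comment="fasttrack, except VPN-marked connections"
# Established/related traffic (including the VPN-marked connections) is still accepted normally.
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related (VPN-marked connections land here)"
```

After applying this, `/ip firewall connection print` can be used to confirm that connections marked `ovpn` no longer show the fasttrack flag while unmarked LAN-to-WAN connections still do.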