Route all LAN traffic through OpenVPN

Hello all; I’m trying to set up an hAP ac Lite to route all LAN traffic through an OpenVPN connection. I have the OpenVPN connection established already, and have confirmed that the OpenVPN server is configured correctly using another client. From the hAP, if I run interface ovpn-client monitor ovpn-out1, it shows the status as connected, and I am able to ping the OpenVPN server interface (in my case 10.11.12.1 - with the hAP’s ovpn-out1 address being 10.11.12.2). However, I cannot get it to route traffic through the OpenVPN interface. I’m sure I’m missing something stupidly obvious, but I can’t for the life of me figure out what it is! I posted my config below - please don’t judge too harshly: it’s still a work in progress. Any help would be greatly appreciated!

# RouterOS export (v6-style: routing-mark= on routes, /interface list) for an hAP ac Lite.
# As configured, the wired ports form the LAN bridge, wlan1 carries the upstream link
# (see the DHCP client below), and LAN traffic is policy-routed into the OpenVPN tunnel ovpn-out1.
/interface bridge
# LAN bridge with a pinned MAC address (auto-mac=no).
add admin-mac=CC:2D:E0:2D:4C:D0 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface list
# These lists are defined but not referenced: neighbor discovery and the MAC servers below use 'none'.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=LackingTrust
# WPA2-PSK profile shared by both radios. The pre-shared key is exported in clear text;
# scrub it before sharing an export.
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=Home \
    supplicant-identity=LackingTrust wpa2-pre-shared-key="thePasswordToTheWiFi"
/interface wireless
# No mode= is exported for either radio, so both run the default mode. Together with the
# DHCP client and the connect-list entry on wlan1 further down, wlan1 appears to be the
# station/upstream link rather than an access point — confirm.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors \
    frequency=auto security-profile=Home ssid=AWiFiNetwork wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee distance=indoors frequency=auto \
    security-profile=Home ssid=AWiFiNetwork wireless-protocol=802.11
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# DHCP server for the LAN bridge.
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ppp profile
# Profile referenced by the OpenVPN client: encryption required, TCP MSS clamping on, compression off.
add address-list=vpn.MyTLD.com change-tcp-mss=yes name=vpn.MyTLD remote-address=default-dhcp \
    use-compression=no use-encryption=required use-mpls=no
/interface ovpn-client
# Certificate-authenticated client to vpn.MyTLD.com:1196. connect-to is a hostname, so the
# tunnel can only come up once the router can resolve it through the main table (see /ip dns).
# NOTE(review): verify-server-certificate does not appear in this export, so it is presumably at
# its default (off) and the server's certificate is not checked against a CA — confirm and
# consider enabling it.
add certificate=NoTrustClient+Cert.crt_0 connect-to=vpn.MyTLD.com mac-address=01:23:45:67:89:AB name=\
    ovpn-out1 port=1196 profile=vpn.MyTLD user=!
/snmp community
# Default SNMP community kept, but with read access disabled.
set [ find default=yes ] addresses=0.0.0.0/0 read-access=no security=private
/interface bridge port
# All five Ethernet ports, including ether1, are LAN ports on the bridge.
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery disabled on every interface.
set discover-interface-list=none
/interface wireless connect-list
add interface=wlan1 security-profile=Home ssid=AWiFiNetwork
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
# wlan1 obtains its address from the upstream network (and, since add-default-route is left at
# its default, the main-table default route); the peer's DNS and NTP are ignored.
# wlan2 is explicitly told not to install a default route.
add dhcp-options=hostname,clientid disabled=no interface=wlan1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no dhcp-options=hostname,clientid interface=wlan2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
# Only the gateway is handed out; no dns-server= is set, so LAN clients presumably get the
# router itself as resolver (RouterOS behaviour when allow-remote-requests=yes) — confirm.
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router is a forwarding resolver (allow-remote-requests=yes) with Google upstreams.
# NOTE(review): the router's own queries never traverse the prerouting chain, so the mangle
# marks below do not apply to them; they leave via the main table (the wlan1 default route),
# not the tunnel. Relative to the goal of sending all LAN traffic through the VPN, this is a
# DNS leak. Also, because the input chain has no final drop rule, the resolver answers any
# non-wireless interface that reaches it, including ovpn-out1.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=NoTrustClient
/ip firewall filter
# input: SSH only from the LAN subnet; anything new/untracked/invalid arriving on a wireless
# interface is dropped (established/related on wireless is not dropped). There is no catch-all
# drop, so any other listening service is reachable from the bridge and from ovpn-out1.
add action=accept chain=input dst-port=22 protocol=tcp src-address=192.168.88.0/24
add action=drop chain=input dst-port=22 protocol=tcp
add action=drop chain=input connection-state=new in-interface=all-wireless
add action=drop chain=input connection-state=untracked in-interface=all-wireless
add action=drop chain=input connection-state=invalid in-interface=all-wireless
# forward: nothing is forwarded to or from a wireless interface, so LAN clients can only leave
# through ovpn-out1; the router's own tunnel packets use the output chain and are unaffected.
add action=drop chain=forward in-interface=all-wireless
add action=drop chain=forward out-interface=all-wireless
/ip firewall mangle
# Policy routing: every packet from the LAN subnet, and every packet destined to it, gets
# routing mark 'vpn' before the routing decision. Being prerouting rules, they do not cover
# router-originated traffic. No /ip firewall nat is configured, so packets enter the tunnel
# with their 192.168.88.x source and the remote end needs a route back to 192.168.88.0/24.
add action=mark-routing chain=prerouting new-routing-mark=vpn src-address=192.168.88.0/24
add action=mark-routing chain=prerouting dst-address=192.168.88.0/24 new-routing-mark=vpn
/ip route
# Routing table 'vpn': default route via the tunnel peer, the tunnel subnet via ovpn-out1, and
# the LAN via the bridge (the last only matters for packets marked by the dst-address rule above).
# The main table's default route comes from the wlan1 DHCP client and is not part of the export.
add distance=1 gateway=10.11.12.1 routing-mark=vpn
add distance=1 dst-address=10.11.12.0/29 gateway=ovpn-out1 routing-mark=vpn
add distance=1 dst-address=192.168.88.0/24 gateway=bridge routing-mark=vpn
/ip service
# Management surface: of the services listed here only SSH stays enabled, restricted to the LAN
# subnet; services not listed keep their defaults.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Denver
/system identity
set name=notrust-client
/system ntp client
# NTP uses hostnames, so it also depends on the resolver and, like DNS, follows the main table.
set enabled=yes server-dns-names=time1.google.com,time2.google.com
/system routerboard settings
set silent-boot=no
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-level telnet and Winbox access disabled on all interfaces.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none

You need an IP route in and out (on both sides) – if you are not using NAT, then you only need the outgoing one.

I’m slightly confused - in which scenario am I missing a route? I am not using NAT.

One point – if you remove (or, to begin with, just disable) the following mangle rule:
add action=mark-routing chain=prerouting dst-address=192.168.88.0/24 new-routing-mark=vpn
you can also remove this route:
add distance=1 dst-address=192.168.88.0/24 gateway=bridge routing-mark=vpn

However, the critical point here seems to be how the OpenVPN server at the remote end is configured. Unless it is another MikroTik, it is not enough to add 10.11.12.2 as the gateway to 192.168.88.0/24 in its system routing table; you also have to tell the OpenVPN process about that route separately, via the client configuration file.