Hi,
I configured an OpenVPN server as below on RB3011(RouterOS 6.38.3). I can connect to the server through my local network, but I can’t connect through an external network even though I have the firewall configured to accept OpenVPN TCP port 1194 and 443. It seems like a firewall issue. But, when I disabled my input firewall rules, I still could not connect. For your information, dual WAN with PCC load balancing is configured on the router, and I’m using the public IP of my second WAN interface to connect to the OpenVPN server. I’ve been trying to fix this for some time, but couldn’t find a solution yet. Thank you.
/interface ovpn-server
add name=ovpn user=username
/ppp profile
set *FFFFFFFE bridge=bridge-lan local-address=lan1 only-one=no remote-address=lan1
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip firewall filter
add action=accept chain=input comment="ACCEPT OPENVPN" dst-port=1194 protocol=tcp
add action=accept chain=input dst-port=443 protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=pppoe-interface log=yes log-prefix=\
"dropped input WAN1:"
add action=drop chain=input in-interface=ether2-wan2
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=\
"invalid connection:"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=pppoe-interface
add action=drop chain=forward connection-nat-state=!dstnat in-interface=ether2-wan2
add action=drop chain=forward comment="block intervlan routing" in-interface=bridge-lan1 out-interface=\
bridge-lan2
add action=drop chain=forward in-interface=bridge-lan2 out-interface=bridge-lan1
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1d chain=input comment=\
"port scan detection" protocol=tcp psd=21,3s,3,1
add action=drop chain=input src-address-list=Port-Scanner
add action=add-src-to-address-list address-list=P2P address-list-timeout=0s chain=forward comment=\
"block bittorrent traffic" p2p=bit-torrent
add action=drop chain=forward src-address-list=P2P
/ppp secret
add name=username password=ygbujknfe profile=default-encryption service=ovpn
Tried disabling require client certificate as well.
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=default-encryption enabled=yes require-client-certificate=yes
OVPN client configration
client
dev tun
proto tcp
remote 108.99.45.78 1194
resolv-retry infinite
nobind
#comp-lzo
persist-key
persist-tun
#mute-replay-warnings
tls-client
verb 1
#verb 3
#verb 6
#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-192-CBC
cipher AES-256-CBC
#auth MD5
auth SHA1
auth-user-pass
auth-nocache
dhcp-option DNS 8.8.8.8
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
jknfe
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
kjnbej
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
jtweniejnre
-----END ENCRYPTED PRIVATE KEY-----
</key>
EDIT
Here’s the load balancing firewalls mangle rules and IP routes. The configuration is almost like https://wiki.mikrotik.com/wiki/Manual:PCC . It is what worked for my network which is PPPOE + static WAN:
add action=mark-connection chain=input in-interface=pppoe-interface new-connection-mark=wan1 passthrough=no
add action=mark-routing chain=output connection-mark=wan1 new-routing-mark=to-wan1 out-interface=pppoe-interface passthrough=no
add action=accept chain=prerouting dst-address-list=LAN in-interface-list=lan
add action=mark-connection chain=prerouting dst-address-type=!local in-interface-list=lan new-connection-mark=wan1 passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting connection-mark=wan1 in-interface-list=lan new-routing-mark=to-wan1 passthrough=no
add action=mark-connection chain=input in-interface=ether2-wan2 new-connection-mark=wan2 passthrough=no
add action=mark-routing chain=output connection-mark=wan2 new-routing-mark=to-wan2 out-interface=ether2-wan2 passthrough=no
add action=accept chain=prerouting dst-address-list=LAN in-interface-list=lan
add action=mark-connection chain=prerouting dst-address-type=!local in-interface-list=lan new-connection-mark=wan2 passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=wan2 in-interface-list=lan new-routing-mark=to-wan2 passthrough=no
/ip route
add check-gateway=ping comment="LOAD BALANCING ROUTES" distance=1 gateway=pppoe-interface routing-mark=to-wan1
add check-gateway=ping distance=1 gateway=ether2-wan2 routing-mark=to-wan2
add check-gateway=ping distance=1 gateway=pppoe-interface,ether2-wan2
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN1 out-interface=pppoe-interface
add action=masquerade chain=srcnat comment=WAN2 out-interface=ether2-wan2 to-addresses=108.99.45.78