[Solved] OpenVPN Routing Problem

Hi,

I am an administrator in my company and we are using a RB3011UiAS with the latest stable firmware (6.37.1).
I've read almost every RouterOS/OpenVPN tutorial I could find and tried several of the described ways, but I still have problems.

Scenario:
People who work from home need to connect to the company's network in order to reach the intranet and some data.

Simple Setup:
For the moment only 2 ports are used.

  • eth1_LAN: 192.168.0.250/16
  • eth6_INTERNET: 62.62.62.82/29
  • DNS: 8.8.8.8 and 8.8.4.4 (remote requests allowed)
  • masquerading srcnat on out-interface eth6

Routing:
  0.0.0.0/0 gateway 62.62.62.81 reachable eth6_INTERNET
  192.168.0.0/16 eth1_LAN reachable
  62.62.62.80/29 eth6_INTERNET reachable

What I've already tried:

  1. Create/import server/client certificates
  2. Create IP pool (first I did it the hard way and created 64 IP pools: 10.100.10.1-2, 10.100.10.5-6, 10.100.10.9-10 and so on. Later I created 1 pool and set the Local-IP to 10.100.10.1)
  3. Set up OpenVPN client on a Windows based system
  4. Establish connection

Here is the Problem:
I am not able to reach servers which are inside the LAN from outside, e.g. 192.168.0.1, 0.2, 0.3 and so on.

Client OpenVPN config:
proto tcp-client
remote 62.62.62.82 1194
dev tun
nobind
persist-key
tls-client
ca ca.crt
cert client1.crt
key client1.key
ping 10
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass
route 192.168.0.0 255.255.0.0

Client ipconfig output while connection established:
Local:
IPv4-Address: 192.168.43.169
Subnet: 255.255.255.0
Gateway: 192.168.43.1

OpenVPN:
IPv4-Address: 10.100.10.3
Subnet: 255.255.255.0
Gateway:

Client route output while connection established:
dst: 0.0.0.0/0 gateway: 192.168.43.1 interface: 192.168.43.169
dst 192.168.0.0/0 gateway 10.100.10.1 interface 10.100.10.3

Some debugging facts:

  • Inside the router I can reach (ping) all local systems.
  • If I forward the ports I can also reach services (e.g. FTP) from outside (62.62.62.82).
  • I can reach the internet from the local clients (e.g. 192.168.2.1).

It seems like the router doesn't know how to route VPN traffic (10.100.10.X) to the local net (192.168.X.X).

Please help.

Best Regards,
Dominik

Did you create an OVPN server binding in the PPP interface and add a forward rule for that interface in your firewall to allow the traffic from the VPN to your LAN?

For the moment the OVPN server binding is created dynamically. I'm adding an input and a forward rule to allow traffic from OVPN into my LAN.

The OVPN client is able to ping 192.168.0.250 and 10.100.10.1
But I can't ping any host connected to the LAN interface (e.g. 192.168.0.1 or 192.168.4.41).
The router itself is able to ping the hosts.
The router itself is NOT able to ping the OVPN client (10.100.10.5)

Thank you for your answer

Solved:
It was a very simple failure. I have to test in the live environment but I cannot change the clients. The gateway set on the server side is NOT the new router. So I couldn't reach them through the OpenVPN connection because the targeted system has to have 192.168.0.250 set as its gateway.

Thanks
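The server-side pieces this thread refers to (IP pool, PPP profile, OVPN server binding, input and forward rules) written out as RouterOS 6 commands, together with the return-path check that turned out to be the actual cause. This is an added example, not Dominik's export; the names ovpn-pool, ovpn-profile, client1, the certificate name "server" and the password are assumptions.

```routeros
# Added example (not the original poster's configuration). Names and the
# password below are assumptions; adjust them to your own export.

# One pool for all clients; the profile hands out 10.100.10.1 as the tunnel
# gateway (the "Local-IP" from the original post).
/ip pool add name=ovpn-pool ranges=10.100.10.2-10.100.10.254
/ppp profile add name=ovpn-profile local-address=10.100.10.1 \
    remote-address=ovpn-pool use-encryption=yes

# OVPN server matching the client config in the thread: TCP 1194, dev tun
# (mode=ip), AES-256-CBC, SHA1, client certificate required, /24 netmask
# (which is why ipconfig shows 255.255.255.0 on the tunnel adapter).
/interface ovpn-server server set enabled=yes port=1194 mode=ip netmask=24 \
    certificate=server require-client-certificate=yes auth=sha1 cipher=aes256 \
    default-profile=ovpn-profile

# "auth-user-pass" on the client needs a PPP secret; service=ovpn restricts it.
/ppp secret add name=client1 password=CHANGE-ME service=ovpn profile=ovpn-profile

# Firewall: let clients reach the listener on the WAN side, and let tunnel
# traffic into the LAN. Both rules belong above any drop rule in their chain.
/ip firewall filter add chain=input protocol=tcp dst-port=1194 \
    in-interface=eth6_INTERNET action=accept comment="OpenVPN server"
/ip firewall filter add chain=forward src-address=10.100.10.0/24 \
    dst-address=192.168.0.0/16 action=accept comment="OVPN -> LAN"

# Return path (the real problem in this thread): a LAN host answering a
# 10.100.10.x client must either use 192.168.0.250 as its default gateway or
# carry a static route for 10.100.10.0/24 via 192.168.0.250. Otherwise its
# replies leave through the old gateway and never reach the tunnel, which is
# exactly the symptom "router can ping the host, VPN client cannot".
# On the router, confirm the client is connected and that its per-client
# /32 route was created dynamically:
/ppp active print
/ip route print where dynamic
```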

Hi Dominik,

I'm currently setting up a similar configuration and having what looks to be the same problem.
I don’t completely understand what you did to solve this issue.

Can you tell me what configuration changes you made please?

Kind Regards,
Adam.