Hello. A client-server OpenVPN connection to a Mikrotik has been configured. Hosts connected to the router ping. This router is connected to other offices via IPsec so that they are accessible at local addresses. When connecting via OpenVPN, the other offices are inaccessible. What needs to be configured so that the other offices are reachable at their local addresses?
Hello!!
I am not sure if I understood well. Please tell me if this is correct:
- You have, in the Mikrotik, an OpenVPN server and IPsec tunnels to other offices
- You have clients connected to the Mikrotik, which reach IPs in other offices through the IPsec tunnels
- The same IPs in other offices are not reachable from OpenVPN clients
Try running a sniffer in the Mikrotik while reproducing what is not working:
https://wiki.mikrotik.com/wiki/Manual:Tools/Packet_Sniffer
Regards,
Damián
Hm. There is a central office, let it be C1, and many other offices. Each of them has a Mikrotik router with a public (white) IP. C1 is connected to the other routers via IPsec, so that while in the office I can reach both the local network of C1 and the local networks of the other offices. However, this does not work in the other offices, because they are not connected to each other. Being remote, I need access to all offices, and for this I set up OpenVPN on the C1 Mikrotik. I can reach the C1 local network, but cannot reach the local networks of the other offices. Perhaps something needs to be changed or added in the routes. What is missing?
You still didn't say how OpenVPN is connected; I assume that every office is connected to C1.
You need routes to reach each office in every Mikrotik.
For example:
C1 LAN: 192.168.0.0/24
Office1 LAN: 192.168.1.0/24
Office2 LAN: 192.168.2.0/24
If Office1 and Office2 are connected to C1 but not connected directly, that traffic has to pass through 2 VPNs: Office1-C1 and Office2-C1.
So, for example, the Mikrotik in Office1 needs to know how to reach the Office2 LAN: you need a route to that LAN through the VPN to C1. If not, the Mikrotik in Office1 will send this traffic through its default route.
With OpenVPN, if you have static IPs for the tunnel interface, you can create a route to the Office2 LAN using the OpenVPN tunnel on the C1 side.
I think you don't need OpenVPN to do this; you could do it with IPsec policies, but my knowledge about IPsec is very poor.
Regards,
Damián
They didn't quite understand me. There is a main office with a Mikrotik, for example with external IP 111.111.111.111 and local IP 1.1.1.1, and several other offices with Mikrotiks, for example with external IP 222.222.222.222 and internal IP 2.2.2.2, external IP 333.333.333.333 and internal IP 3.3.3.3, etc. The offices are connected in a "star" topology via IPsec, with the main office (111.111.111.111) in the center. From a computer in the main office I am on the local network 1.1.1.1, and I can also connect to any host in the other offices via its local IP, for example 2.2.2.2 or 3.3.3.3. Being remote, I need to access the local networks of all offices via VPN without an external IP. To do this, OpenVPN is configured on the main office router in client-server mode. As a result, my phone or home laptop gets external IP 111.111.111.111 and local IP 1.1.1.1. But the local addresses of the other offices are not available, i.e. I can't connect to 2.2.2.2 and 3.3.3.3. It is possible to configure OpenVPN and an .ovpn config for each office, but this does not meet the requirements. What else needs to be configured, and where? Most likely in the ip-route of the main office router, but I don't have the skills. I need a hint.
Ok,
Do your OpenVPN clients get IPs in the same main office LAN?
If yes, I don't know how to manage this.
If no, I think you need to add IPsec policies in every Mikrotik (one for each site in the main office, and one in each office).
Not sure, my knowledge about IPsec is poor.
Regards,
Damián
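An added example to go with the two replies above (the one about routes through C1 and the one about adding IPsec policies); it is not from the thread or from MikroTik. Policy-based IPsec only encrypts traffic that matches a policy's selectors, so with a hub-and-spoke IPsec setup the OpenVPN client addresses must appear in the selectors on the hub and on every spoke, unless the clients are addressed inside the hub LAN already covered by the existing policies. The script generates the RouterOS commands for both cases and the `route` lines the .ovpn file needs. The LANs are the ones from the reply above; the OpenVPN pool 10.8.0.0/24, the peer names, and the RouterOS 6.44+/7 `peer=` policy syntax are assumptions.

```python
"""Generate RouterOS IPsec policies and OpenVPN client routes so that
OpenVPN road-warriors on hub C1 can reach spoke-office LANs over the
hub's IPsec tunnels.

Added example, not from the forum thread or MikroTik documentation.
Assumptions: RouterOS 6.44+/7 "peer=" policy syntax; the OpenVPN pool
10.8.0.0/24 and the peer names are hypothetical.
"""
from ipaddress import ip_network

HUB_LAN = "192.168.0.0/24"      # C1 LAN, from the thread
OVPN_POOL = "10.8.0.0/24"       # assumed OpenVPN client pool (not in thread)
SPOKES = {                      # assumed peer name -> spoke LAN from the thread
    "office1": "192.168.1.0/24",
    "office2": "192.168.2.0/24",
}


def client_sources(hub_lan, ovpn_pool):
    """Local prefixes the hub must carry in its selectors.

    If the OVPN pool is carved out of the hub LAN (clients appear as
    hub-LAN hosts), the existing LAN<->spoke policy already matches them
    and no extra selector is needed. Otherwise the pool must be listed
    separately on both ends, or the hub sends it unencrypted via the
    default route and the spoke drops it.
    """
    hub, pool = ip_network(hub_lan), ip_network(ovpn_pool)
    return [str(hub)] if pool.subnet_of(hub) else [str(hub), str(pool)]


def hub_policies(hub_lan, ovpn_pool, spokes):
    """(peer, src, dst) policies on the hub: one per spoke per local prefix."""
    return [(peer, src, lan)
            for peer, lan in spokes.items()
            for src in client_sources(hub_lan, ovpn_pool)]


def spoke_policies(spoke_lan, hub_lan, ovpn_pool, hub_peer="c1"):
    """Mirror policies on one spoke: its LAN to the hub LAN and to the pool."""
    return [(hub_peer, spoke_lan, dst)
            for dst in client_sources(hub_lan, ovpn_pool)]


def render(policies):
    """RouterOS commands for a list of (peer, src, dst) policies."""
    return ["/ip ipsec policy add peer=%s tunnel=yes src-address=%s "
            "dst-address=%s proposal=default" % p for p in policies]


def ovpn_client_routes(spokes):
    """route lines for the client's .ovpn so spoke traffic enters the tunnel."""
    return ["route %s %s" % (ip_network(lan).network_address,
                              ip_network(lan).netmask)
            for lan in spokes.values()]


# Traffic headed into an IPsec policy must not be masqueraded first, or
# the source becomes the WAN address and no selector matches.
NAT_BYPASS = ("/ip firewall nat add chain=srcnat action=accept "
              "ipsec-policy=out,ipsec place-before=0")


if __name__ == "__main__":
    print("# on C1 (hub)")
    print(NAT_BYPASS)
    print("\n".join(render(hub_policies(HUB_LAN, OVPN_POOL, SPOKES))))
    for name, lan in SPOKES.items():
        print("# on %s" % name)
        print("\n".join(render(spoke_policies(lan, HUB_LAN, OVPN_POOL))))
    print("# add to the client's .ovpn")
    print("\n".join(ovpn_client_routes(SPOKES)))
```

The spoke side must mirror each hub policy with the selectors swapped, otherwise the spoke's IPsec rejects the packets as not matching any policy. Run it with the pool inside the hub LAN (for example 192.168.0.128/25) and it emits only the hub-LAN policies, which is the "clients get IPs in the main office LAN" case from the reply above.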
Why are business offices using a half-baked VPN? They should be using IPsec, L2TP, etc., or even WireGuard if it's not a complex VPN requirement.
Because IPsec/L2TP cannot be used from a phone, and WireGuard requires public (white) IP addresses on both sides, which mobile operators do not issue to individuals by default. Therefore OpenVPN needs to be configured so that not only the local network of the main office is accessible, but the other offices too.