Using hEX as VPN gateway only - almost working, sorta

Anyone willing to help a n00b?

My hEX is behind my DSL modem/router. Maybe I should just set the modem/router into bridge mode and make the Mikrotik device handle the routing, but I’m in way above my head. My networking knowledge is rudimentary, and right now I want to just get a VPN server running without clobbering and exposing my entire network.

After a bunch of repetitive work, I have managed to get OpenVPN running and can successfully connect to it externally. However, I can’t access the internet. I suspect the problem is in DHCP or routing. Maybe some subnet problem. When I connect to the VPN, my router assigns my laptop the same IP address I have when I’m normally connected locally on wifi. Local IPs work, but not the internet.

Is this an exercise in futility?

/interface bridge
add admin-mac=6C:3B:6B:6C:3B:6B auto-mac=no comment=defconf name=bridgeLocal
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=ovpn-pool ranges=192.168.252.240-192.168.252.245
/ppp profile
add dns-server=84.200.70.40,84.200.69.80 local-address=ovpn-pool name=ovpn-profile remote-addre
    use-compression=no use-encryption=required
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes256 default-profile=ovpn-profile enabled
    require-client-certificate=yes
/ip address
add address=192.168.1.252/24 disabled=yes interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/ip firewall filter
add action=accept chain=input comment="accept related, established" connection-state=establishe
    connection-type=""
add action=accept chain=input comment="Accept OVPN" dst-port=1194 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="OVPN -> LAN" src-address=192.168.1.0/24
/ppp secret
add name=blackvelvet profile=ovpn-profile service=ovpn
/system clock
set time-zone-name=America/Toronto
/system ntp client
set enabled=yes server-dns-names=\
    0.ca.pool.ntp.org,1.ca.pool.ntp.org,2.ca.pool.ntp.org,3.ca.pool.ntp.org,pool.ntp.org

Well, don’t do it.

What IP does your hEX get from your modem?
Specify a completely different subnet for VPN clients.
And then two options:

  1. Either change your masquerade rule to-addresses to the hEX’s IP in the modem’s network.
  2. Or add static route on your modem pointing to your vpn subnet via hEX’s IP in the modem’s network.

Mikrotik has static IP from modem - 192.168.1.252

Modem range is 192.168.1.0/24 subnet 255.255.255.0
–DHCP scope 192.168.1.50-150
–should subnet be 255.255.0.0 if I want to use 192.168.252.0/24 range for VPN? I guess not, because that is the point of adding a static route.

VPN range in Mikrotik was 192.168.252.240-245, I changed it to 192.168.252.240/30 so it’s easier to read
–but is modem DHCP supposed to assign those addresses? I guess not, because how is it supposed to know what’s going on in Mikrotik VPN.
----therefore, Mikrotik should have a DHCP server for just the VPN scope?

  1. originally I had masquerade srcnat 192.168.1.0/24 – when I changed it to 192.168.1.252, VPN would not connect
  2. okay I have done this before, for making a wireless link. so I added static route – gateway 192.168.1.252, destination 192.168.252.240/30. Also added ACL to allow traffic between 1 and 252 subnets (because that is what I did to make the wireless link work, I just copy/pasted what I did before)

But right now I can’t connect to VPN any longer. I guess I just made a big mess. You think it’s better to just start over or keep trying? It’s like cooking an omelet: if you don’t know how to crack the eggs, it’s gonna take a long time to cook. If you don’t understand networking, making a simple VPN is gonna take two weeks. :slight_smile:

Ok, so in the modem all you need is a route to 192.168.252.0/24 via 192.168.1.252.
That’s all.
I see, that you already have it.

Exactly, we are trying to route here, so leave it as it was: 255.255.255.0

OVPN server will do it - you have a pool specified in the relevant ppp-profile.

  1. Remove the masquerade altogether.
  2. Already covered.

It looks like it should work.
Only this from your original post is bugging me:

When I connect to the VPN, my router assigns my laptop the same IP address I have when I’m normally connected locally on wifi.

It looks like it was connecting as L2 tunnel, but I don’t see it in the config.
Check that Mode is set to “ip” in ovpn server settings.

First I did all the settings with 192.168.252.0/24 as you suggested to make sure I can connect, then I changed the range to 192.168.252.240/30 (because I don’t need /24 subnet for VPN) – both seem to be working equally. If you think that is a problem, I will change it back to /24. But I did test connectivity with both, and got the same results (internal IP works, but no internet access).

Only this from your original post is bugging me:

When I connect to the VPN, my router assigns my laptop the same IP address I have when I’m normally connected locally on wifi.

It looks like it was connecting as L2 tunnel, but I don’t see it in the config.
Check that Mode is set to “ip” in ovpn server settings.

Yes, Mode is set to IP. I don’t know what the problem was before, but now when I connect, I’m correctly getting an IP in the vpn-pool range 192.168.252.240/30

And now I understand OVPN will serve the IP address, no DHCP required. Thanks for explaining.

Now, sorry it’s kind of a repetition. Directly from the Mikrotik, I can ping internal/external IPs, but when I connect to VPN, I only get access to internal IPs. I can access my modem and Mikrotik, and it correctly shows that I have an IP from the vpn-pool range. But I cannot ping the vpn-pool IP from the modem (probably ping is blocked, no ICMP allow in Mikrotik firewall).

So my guess is this is probably a routing issue. We’ve fixed some settings for sure (extra masquerade setting, missing static route on modem), but the same result for now.

Modem situation: well, I double checked everything to make sure I’m not forgetting something obvious. It is as described in the previous post, with static route between 192.168.1.0/24 and 192.168.252.240/30, as well as ACL to allow traffic in/out.

–Does it matter that I’m connected to ether2? I guess it shouldn’t make a difference, because bridgeLAN is supposed to address all the ports.
–Do I need some routing rule or firewall rule for routing to work from Mikrotik side, passing traffic to modem? This is all the firewall rules I have (two), I thought it should be enough for making a VPN connection. It’s probably not secure, but for testing maybe it’s okay (I disable outside port forwarding when I’m not making a test). I can see in the log that I get the occasional connection attempts from other IPs, looking for some easy target. Many international guests trying to visit me.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow OVPN" dst-port=1194 protocol=tcp

Also I tried adding input, output, forward rules for src-address 192.168.252.240/30 but it made no difference. Actually now I’m just doing random things, because my technical understanding is limited. It just seemed logical to try, but I don’t know if it actually makes any sense.

Mikrotik routes:

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          192.168.1.1               1
 1 ADC  192.168.1.0/24     192.168.1.252   bridgeLocal               0
 2 A S  192.168.252.240/30                 192.168.1.1               1

The last one I added myself for testing, it didn’t seem to make any difference. And anyway, I guess it’s a duplicate of route 0.

By the way, in the log, I get OVPN “duplicate packet” error.

ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping

This happens once every time during OVPN connection. I don’t know if it means anything. After Googling, it seems there are many possibilities; many conclusions say it might be harmless, and I could not narrow one issue in my case.

Updated config

/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=ovpn-pool ranges=192.168.252.240/30
/ppp profile
add dns-server=84.200.70.40,84.200.69.80 local-address=ovpn-pool name=ovpn-profile remote-address=ovpn-pool use-compression=no use-encryption=required
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes256 default-profile=ovpn-profile enabled=yes netmask=30 require-client-certificate=yes
/ip address
add address=192.168.1.252/24 disabled=yes interface=ether2 network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/ppp secret
add name=blackvelvet profile=ovpn-profile service=ovpn

I guess you are missing local-address in your ppp-profile.
I suggest you set it to 192.168.252.1 and change to /24 instead of /30 in the route on the modem and in ovpn-server settings.
Can leave /30 in the pool though.

And for sure no such route should be present:
2 A S 192.168.252.240/30 192.168.1.1 1

Wow, that was exactly the problem. local-address was set to vpn-pool; after changing it to 192.168.1.252, everything worked. So obvious, looking back now. When someone doesn’t understand it, of course it’s magic. I also set static routes to /24 as you suggested; it makes sense what you said.

Now I will just add some more firewall rules, so I don’t have a worldwide bot party on my Mikrotik.

Many thanks! I appreciate your time, good sir.

Cheers! Glad to help :slight_smile:
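For reference, here is the hEX side of the setup this thread converged on (fixed local-address outside the client pool, /24 netmask on the OVPN server, no test route, no masquerade, and a closed input chain), written as a RouterOS script. This is an added example, not a config posted in the thread; it assumes the hEX keeps 192.168.1.252 on bridgeLocal, the modem is 192.168.1.1 and forwards TCP/1194 to the hEX, and the modem has the static route 192.168.252.0/24 via 192.168.1.252 from the replies above.

```routeros
# Added example, not from the thread. Assumes hEX = 192.168.1.252 on bridgeLocal,
# modem = 192.168.1.1 with a static route 192.168.252.0/24 via 192.168.1.252.

/ip pool
add name=ovpn-pool ranges=192.168.252.240/30

/ppp profile
# Broken in the thread:  local-address=ovpn-pool  (server address drawn from the client pool)
# Fix from the replies:  a fixed server address in the VPN /24, outside the client pool
add name=ovpn-profile local-address=192.168.252.1 remote-address=ovpn-pool \
    dns-server=84.200.70.40,84.200.69.80 use-compression=no use-encryption=required

/interface ovpn-server server
# mode=ip is the L3 tunnel the thread wants; netmask=24 matches the /24 route on the modem
set enabled=yes mode=ip netmask=24 default-profile=ovpn-profile \
    certificate=server-certificate auth=sha1 cipher=aes256 require-client-certificate=yes

/ip route
# No static route for the VPN subnet on the hEX itself: each connected client gets a
# dynamic connected route on its <ovpn-...> interface. Drop the test route from the thread.
remove [find dst-address=192.168.252.240/30]

/ip firewall nat
# With the return route on the modem (option 2 in the thread) no masquerade is needed.
# Option 1 instead would be: action=masquerade src-address=192.168.252.0/24 to-addresses=192.168.1.252
remove [find comment="OVPN -> LAN"]

/ip firewall filter
# Replace the two existing input rules with this ordered set; the final drop is what
# keeps the "international guests" from reaching anything but the OVPN port.
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=tcp dst-port=1194 comment="OVPN forwarded from modem"
add chain=input action=accept src-address=192.168.1.0/24 comment="management from LAN"
add chain=input action=accept src-address=192.168.252.0/24 comment="management from VPN clients"
add chain=input action=drop comment="drop everything else on input"
```

Apply the filter section from a LAN-side session (or via Safe Mode in Winbox/terminal), since the final drop rule takes effect immediately.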