VPN clients cannot reach each other

Hi! I have a CCR1016-12S-1S+ router and I set up a VPN server on the router (PPTP, L2TP, OpenVPN).

I have a simple LAN network in the office on the SFP12 port.

Office network 10.10.10.0/24
VPN network 10.10.100.0/24

My VPN clients can’t ping each other; SSH doesn’t work, for example.
10.10.100.3 can’t ping 10.10.100.4, but a computer in the office (10.10.10.5) can reach 10.10.100.3 and 10.10.100.4. And VPN users can also reach the office computer.

Can you help me? Any ideas?

I used tcpdump on 10.10.100.3 and didn’t receive an ARP reply from 10.10.100.4.
Attachments: pptp.png, mikrotik.png

Firstly, stop using PPTP or L2TP with MPPE encryption, as they are not secure. L2TP/IPsec, SSTP and OpenVPN are fine if properly configured.


Office network 10.10.10.0/24
VPN network 10.10.100.0/24

My VPN clients can’t ping each other; SSH doesn’t work, for example.
10.10.100.3 can’t ping 10.10.100.4, but a computer in the office (10.10.10.5) can reach 10.10.100.3 and 10.10.100.4. And VPN users can also reach the office computer.

Can you help me? Any ideas?

Which type of VPN? Mostly they are point-to-point tunnels with /32 addresses at each end; your 10.10.100.0/24 VPN network isn’t an Ethernet subnet, just a collection of 256 sequential /32 addresses, so routing and firewall rules are important.


I used tcpdump on 10.10.100.3 and didn’t receive an ARP reply from 10.10.100.4.

For layer 3 (IP) VPNs, e.g. L2TP, PPTP, SSTP or OpenVPN TUN, you will never see ARP - it only exists for layer 2 (Ethernet) VPNs, e.g. OpenVPN TAP.

Hi! It doesn’t matter which type of VPN I use. The problem happens on any VPN.

Yes, you are right: point-to-point tunnels with a /32 mask. Just a collection, yes.


On the screenshot are all my routes. Each VPN client creates a dynamic route. Should I add any route as static?
Attachment: vpn.png

The routes for the L2TP connections are wrong - as they are all the same /24, only one can be active; each should have a unique /32.

This is not normal; there must be something else in your configuration creating them. Post the output of /export hide-sensitive after redacting any other information (e.g. public IPs), rather than screenshots, which do not tell the whole story.

I use FreeRADIUS to send IP addresses when a user connects to the router (I use FreeRADIUS and OpenLDAP auth for users). I don’t use a DHCP server on the MikroTik.

On the screenshot you will see my config for users.

Maybe I should change the mask from 255.255.255.0 to 255.255.255.255?
Attachment: free.png

Just remove the Framed-IP-Netmask attribute from your FreeRADIUS configuration.

Defining a pool in FreeRADIUS and in the MikroTik PPP profile is redundant - the ‘Remote Address’ in the MikroTik profile (vpn_pptp in your original screenshot) is overridden by the Framed-Pool attribute from FreeRADIUS; this in turn would be overridden by a Framed-IP-Address attribute if present (see https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Supported_RADIUS_Attributes).
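To make the two points above concrete (point-to-point tunnels need a unique /32 per peer, and a Framed-IP-Netmask of 255.255.255.0 in the RADIUS reply is what turns each peer route into the same /24), here is an added example that is not part of the thread and not MikroTik or FreeRADIUS code. It takes constructed per-user RADIUS reply attributes (hypothetical users "alice" and "bob" with addresses from the thread's 10.10.100.0/24 range), derives the connected route each PPP tunnel would install, keeps only one route per duplicate prefix (a simplified model of "only one can be active"; RouterOS's actual choice among duplicates is not modelled), and does a longest-prefix lookup to show which tunnel traffic for 10.10.100.4 would be sent down. The `check_netmask` lint flags any reply that would widen a peer's /32.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FreeRADIUS reply attributes per VPN user (hypothetical users,
# addresses chosen from the thread's 10.10.100.0/24 VPN range).
BAD_REPLIES: Dict[str, Dict[str, str]] = {
    "alice": {"Framed-IP-Address": "10.10.100.3", "Framed-IP-Netmask": "255.255.255.0"},
    "bob":   {"Framed-IP-Address": "10.10.100.4", "Framed-IP-Netmask": "255.255.255.0"},
}
# Same users with Framed-IP-Netmask removed, as the reply above recommends.
GOOD_REPLIES: Dict[str, Dict[str, str]] = {
    "alice": {"Framed-IP-Address": "10.10.100.3"},
    "bob":   {"Framed-IP-Address": "10.10.100.4"},
}

Route = Tuple[ipaddress.IPv4Network, str]


def routes_from_radius(replies: Dict[str, Dict[str, str]]) -> List[Route]:
    """Derive the connected route a PPP server installs for each tunnel.

    A point-to-point peer gets a host (/32) route unless the RADIUS reply
    supplies a wider Framed-IP-Netmask. Interface names are hypothetical.
    """
    routes: List[Route] = []
    for user, attrs in replies.items():
        addr = attrs["Framed-IP-Address"]
        mask = attrs.get("Framed-IP-Netmask", "255.255.255.255")
        prefix = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        routes.append((prefix, f"<l2tp-{user}>"))
    return routes


def active_routes(routes: List[Route]) -> Dict[ipaddress.IPv4Network, str]:
    """Keep one active route per prefix (simplified: first wins).

    With a /24 per tunnel every peer produces the same 10.10.100.0/24, so
    all but one tunnel's route is inactive.
    """
    active: Dict[ipaddress.IPv4Network, str] = {}
    for prefix, iface in routes:
        active.setdefault(prefix, iface)
    return active


def lookup(active: Dict[ipaddress.IPv4Network, str], dst: str) -> Optional[str]:
    """Longest-prefix match: return the interface a packet to dst leaves on."""
    target = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, iface in active.items():
        if target in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def check_netmask(replies: Dict[str, Dict[str, str]]) -> List[str]:
    """Lint: list users whose reply would widen their point-to-point /32."""
    return [
        user for user, attrs in replies.items()
        if attrs.get("Framed-IP-Netmask", "255.255.255.255") != "255.255.255.255"
    ]


if __name__ == "__main__":
    for label, replies in (("with Framed-IP-Netmask", BAD_REPLIES), ("without", GOOD_REPLIES)):
        active = active_routes(routes_from_radius(replies))
        print(label, "-> active routes:", {str(p): i for p, i in active.items()})
        print("  packet for 10.10.100.4 leaves via", lookup(active, "10.10.100.4"))
        print("  users to fix:", check_netmask(replies))
```

Run as-is: with the /24 netmask, both tunnels claim 10.10.100.0/24, only alice's route is active, and a packet for 10.10.100.4 is sent down alice's tunnel, which is why the two clients never see each other; without the netmask each peer has its own /32 and the lookup picks bob's tunnel.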

Solved!!

I changed the mask on RADIUS and my L2TP and PPTP clients can ping each other.
And I also changed some settings on my OpenVPN server on the MikroTik - I changed the mode from “ethernet” to “ip” and changed the mask from 24 to 32. And all works!

Thank you very much for your support!!!