You should probably explain in more details what's the problem. I'm trying to understand it, but no luck so far.
Yes, fair enough.
Hopefully the following makes some sense.
With reference to the image below which is similar (simplified) to the one I am using.
If the client attempts to connect via a VPN to R1 via RMain (1.1.1.1), it works OK with SSTP: the connection marking and route marking cause the packets to exit the same way they came in (via RMain).
However, with OpenVPN and WireGuard it doesn't work. Logging the output packets shows them in the RouterOS output chain with an IP address of 192.168.1.20, and they head out via R4G (and will get blocked at the client firewall). This sort of makes sense, as routing like this is likely to be somewhat uncommon for most cases where WireGuard and OpenVPN are used.
I think that to get it to work properly the VPNs would have to keep (additional) state and remember which IP address to attach to specific outgoing packets rather than just letting the operating system take care of it.
I was thinking a short term fix that might be good enough (it still has issues), would be to create a mangle action that would change the output Source IP address and reconnect the packet to the existing connection.
For the drawing below a rule something like:
chain=Output, connection-mark=no-mark, source ip-address=192.168.1.20
action=attempt reconnect source-ip=192.168.2.10 connection-mark=from-2
It would test to see if changing the source IP address of the packet to 192.168.2.10 would cause it to match a connection with mark from-2:
- If it did match, it would change the source IP of the packet to 192.168.2.10 and do whatever is required to connect it to from-2, which is used by a later mangle rule to cause the route mark to be changed to via-2 so the packet goes out via RMain.
- If it did not match, it would not change the packet.
Actually, looking at the RouterOS packet flow, maybe this would be better in the raw chain?
Note: It is quite possible I have just messed up my routing somewhere, but the fact that SSTP works correctly gives me some small amount of confidence.
Thanks
DualWan3.png
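For readers following the thread, here is the connection-mark / route-mark pattern the post describes for the working SSTP case, written out as a RouterOS v7 configuration. This is an added example, not the poster's configuration or anything from the attached drawing: the interface names ether1-RMain and ether2-R4G, the upstream gateway addresses 192.168.2.1 and 192.168.1.1, and the routing table names via-2 and via-1 are assumptions; only the addresses 192.168.2.10 and 192.168.1.20 and the marks from-2 and via-2 come from the post.

```routeros
# Added example (not the poster's config): RouterOS v7 "reply leaves the way it came in".
# Assumed names: ether1-RMain faces RMain (router address 192.168.2.10, assumed gateway 192.168.2.1),
# ether2-R4G faces R4G (router address 192.168.1.20, assumed gateway 192.168.1.1).

# v7 needs each routing table declared with "fib" before routes can use it.
/routing table
add name=via-2 fib
add name=via-1 fib

/ip firewall mangle
# 1. Remember which WAN a NEW inbound connection arrived on. prerouting is seen by both
#    forwarded traffic and traffic terminated on the router (SSTP, OpenVPN, WireGuard).
add chain=prerouting in-interface=ether1-RMain connection-state=new \
    action=mark-connection new-connection-mark=from-2 passthrough=yes \
    comment="inbound via RMain"
add chain=prerouting in-interface=ether2-R4G connection-state=new \
    action=mark-connection new-connection-mark=from-1 passthrough=yes \
    comment="inbound via R4G"

# 2. Router-generated replies: a packet that belongs to a from-2 connection is given the
#    via-2 route mark so the routing decision uses that table instead of main.
#    This is the rule that fires for SSTP replies and never fires for the OpenVPN/WireGuard
#    packets the post describes, because those arrive here with connection-mark=no-mark.
add chain=output connection-mark=from-2 \
    action=mark-routing new-routing-mark=via-2 passthrough=no
add chain=output connection-mark=from-1 \
    action=mark-routing new-routing-mark=via-1 passthrough=no

# 3. Same treatment for forwarded replies (hosts behind R1), for completeness.
add chain=prerouting connection-mark=from-2 in-interface=!ether1-RMain \
    action=mark-routing new-routing-mark=via-2 passthrough=no
add chain=prerouting connection-mark=from-1 in-interface=!ether2-R4G \
    action=mark-routing new-routing-mark=via-1 passthrough=no

# 4. Per-table default routes; the main table keeps its normal default route.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=via-2 comment="replies to RMain"
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=via-1 comment="replies to R4G"
```

Two checks are useful when diagnosing the difference between the SSTP and OpenVPN/WireGuard cases: `/ip firewall connection print detail where connection-mark=from-2` shows whether the inbound VPN connection was ever marked, and `/ip firewall mangle print stats` shows whether rule 2 is actually counting packets. If the connection entry exists but the output rule counter stays at zero, the router-generated packet is being created outside that connection (with its source address already chosen by the main table), which is exactly the behaviour the post reports.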