Blueresto
just joined
Topic Author
Posts: 1
Joined: Sun Nov 06, 2016 9:21 am

Forward Ports for OpenVPN

Sun Nov 06, 2016 9:31 am

I've installed OpenVPN on a Raspberry Pi. I've set up the following nat rule on my RB to allow traffic in:
/ip firewall nat add chain=dstnat dst-port=1194 action=dst-nat protocol=udp to-address=10.0.0.3 to-port=1194
I can see this rule increment when I attempt to connect, but the connection eventually fails. I've also attempted to specify the in-interface so that I didn't leave the rule too broad, but then I don't see the rule increment.

This is frustrating because I've read a ton of posts on these boards and most of them are easily solved by pointing out a typo in the /ip firewall command, or having something backwards. As far as I can tell I've got everything set up correctly.

I will admit that I'm relatively new to both RB products and OpenVPN, so I'm certain I've overlooked something.
 
pukkita
Trainer
Posts: 3037
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Forward Ports for OpenVPN

Sun Nov 06, 2016 11:04 am

Can you post the firewall filter rules?
/ip firewall filter export
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Forward Ports for OpenVPN

Mon Nov 07, 2016 1:32 pm

You need 2 rules to properly port forward. You already have the NAT rule, but now you need a filter rule in the FORWARD chain. Use this...assuming your inbound interface is ether1:
/ip firewall filter add chain=forward dst-port=1194 protocol=udp dst-address=10.0.0.3 in-interface=ether1 action=accept
Michael Preissner
CISSP, CCSP, CEH, PMP
 
proximus
Member Candidate
Posts: 113
Joined: Tue Oct 04, 2011 1:46 pm

Re: Forward Ports for OpenVPN

Mon Nov 07, 2016 2:56 pm

A couple of thoughts:

1) Since you are not translating ports, you do not need the "to-port=1194"

2) I'm forwarding to an internal OpenVPN server and it works fine without any other additional forward chain firewall rules. But, if all else fails, give it a shot.

I work with just this (using tcp)
/ip firewall nat
add action=dst-nat chain=dstnat comment=OpenVPN dst-port=1194 in-interface=ether1-gateway log-prefix=openvpn \
    protocol=tcp to-addresses=192.168.1.56
3) Need more clarity on exactly at which point it fails ......
a) Does the OpenVPN session never get established? If that is the case, then you should look at both the client and server logs.

b) Or, does it establish and eventually time out because there is no client traffic? If that is the behavior, then I suspect that you have no routes for the OVPN client networks on the MT that point back to the OVPN server. Like this, where .56 is the OVPN server:
/ip route
add check-gateway=ping distance=1 dst-address=10.0.8.0/24 gateway=192.168.1.56
add check-gateway=ping distance=1 dst-address=10.0.9.0/24 gateway=192.168.1.56
Last edited by proximus on Mon Nov 07, 2016 3:02 pm, edited 1 time in total.
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Forward Ports for OpenVPN

Mon Nov 07, 2016 3:02 pm

Proximus - do you have a "Drop All" rule at the bottom of your forward chain? By default, ROS uses an Accept All policy, which you can't actually change, so if you're not dropping unwanted forwarding traffic with an explicit rule at the bottom of your forward chain, then you're correct, you won't need any additional rules. But Accept All rules go against best practices, and create very insecure networks, so you should be careful when using such rules.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
proximus
Member Candidate
Posts: 113
Joined: Tue Oct 04, 2011 1:46 pm

Re: Forward Ports for OpenVPN

Mon Nov 07, 2016 3:24 pm

Proximus - do you have a "Drop All" rule at the bottom of your forward chain?
The bottom of my forward chain has "drop invalid" followed by "accept established / related".
But, looking at a default config script, it would be more proper to construct it as:
/ip firewall
filter add chain=forward action=accept connection-state=established,related comment="default configuration"
filter add chain=forward action=drop connection-state=invalid comment="default configuration"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway comment="default configuration"
Thanks!
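Putting the three posts above together for the original poster's setup, here is an added example (not configuration posted by anyone in the thread). It assumes the WAN interface is ether1, the LAN is 10.0.0.0/24, the Raspberry Pi OpenVPN server is 10.0.0.3 as in the first post, and OpenVPN assigns clients addresses from 10.8.0.0/24 (an assumed subnet; adjust to whatever the server config uses). It combines the dst-nat rule restricted to the WAN interface, the default-configuration forward chain with an explicit accept for dst-nat'ed connections, and the route back to the VPN client subnet that proximus describes:

```routeros
# Added example, not from the thread. Assumptions: WAN=ether1, LAN=10.0.0.0/24,
# OpenVPN server (Raspberry Pi)=10.0.0.3, VPN client subnet=10.8.0.0/24 (assumed).
# If the WAN is a PPPoE client, in-interface must name the pppoe interface, not
# the ethernet port it runs over, or the rules will never match.
/ip firewall nat
# Translate only what arrives on the WAN port; to-ports is not needed because
# the destination port is unchanged.
add chain=dstnat in-interface=ether1 protocol=udp dst-port=1194 \
    action=dst-nat to-addresses=10.0.0.3 comment="OpenVPN to Pi"
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to Internet"

/ip firewall filter
# Same order as the RouterOS default configuration: keep existing flows,
# drop broken ones, then admit new connections from the WAN only when
# a dst-nat rule selected them. The explicit accept keeps the forward
# working even after a final drop rule is added at the end of the chain.
add chain=forward action=accept connection-state=established,related comment="default configuration"
add chain=forward action=drop connection-state=invalid comment="default configuration"
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface=ether1 comment="allow port-forwarded traffic"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="default configuration"

# Return path for the VPN client subnet. Without it the router has no route
# for 10.8.0.0/24, so replies from LAN hosts to VPN clients go out the default
# gateway instead of back to the Pi, and tunnels appear to hang.
# The Pi itself must use the router as its default gateway for the same reason.
/ip route
add dst-address=10.8.0.0/24 gateway=10.0.0.3 check-gateway=ping

# Checks: during a client connection attempt the counters on the dstnat rule
# and the "allow port-forwarded traffic" rule should both increase, and a
# UDP connection entry to port 1194 should appear.
/ip firewall nat print stats
/ip firewall filter print stats
/ip firewall connection print where protocol=udp dst-address~":1194"
```

If the dst-nat counter rises but the filter counter does not, the packet is being dropped before reaching the accept rule, so check the rule order; if neither rises, the traffic is not reaching the router on that interface at all.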
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: Forward Ports for OpenVPN

Mon Nov 07, 2016 4:57 pm

The best thing to do is to end all chains with the following:
/ip firewall filter add chain=input action=drop
/ip firewall filter add chain=forward action=drop
This drops ALL traffic that does not match an explicit allow rule above it. You can optionally add log=yes and log-prefix="drop-<chain>-and-log" parameters so you can trace down any dropped traffic that you want to create an Allow rule for. Just make sure you have the necessary action=accept rules in place for SSH and Winbox to the router before you add the Drop-All rules or you'll lock yourself out.
Michael Preissner
CISSP, CCSP, CEH, PMP
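The final-drop approach described above, worked through as an added example (not configuration from the thread or from MikroTik's defaults). It assumes the LAN is 10.0.0.0/24 and the WAN is ether1, and uses the standard Winbox port (tcp/8291) and SSH port (tcp/22). The management accept rules are placed before the logged drop so that the router stays reachable from the LAN, and the forward chain keeps the established/related and LAN-outbound accepts that must precede its drop:

```routeros
# Added example, not from the thread. Assumptions: LAN=10.0.0.0/24, WAN=ether1.
# Apply from a terminal in Safe Mode (Ctrl+X): if the session is cut by a
# mistake, RouterOS rolls the changes back instead of leaving you locked out.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
# Management from the LAN only; these must sit ABOVE the final drop.
add chain=input action=accept src-address=10.0.0.0/24 protocol=tcp dst-port=8291 comment="Winbox from LAN"
add chain=input action=accept src-address=10.0.0.0/24 protocol=tcp dst-port=22 comment="SSH from LAN"
add chain=input action=drop log=yes log-prefix="drop-input-and-log" comment="final drop"

# --- forward chain: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Hosts on any non-WAN interface may open new connections outward.
add chain=forward action=accept connection-state=new in-interface=!ether1 comment="LAN outbound"
# Accept rules for forwarded services (e.g. the OpenVPN dst-nat) go here,
# above the final drop.
add chain=forward action=drop log=yes log-prefix="drop-forward-and-log" comment="final drop"

# Checks: see what the final drops are catching before deciding whether it
# deserves an accept rule, and confirm the drop rules are really last.
/log print where message~"drop-forward-and-log"
/log print where message~"drop-input-and-log"
/ip firewall filter print stats
```

The log prefix carries the chain name so that a single `/log print` search separates router-bound drops from forwarded ones; a steady stream of WAN-sourced entries in the input log is expected on an Internet-facing router and is not by itself a reason to add accept rules.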
