mikbrew
just joined
Topic Author
Posts: 5
Joined: Tue Oct 27, 2015 9:14 pm

OpenVPN and LAN access

Fri Nov 24, 2017 3:17 pm

RouterOS version: 6.40.5
Router: RB750r2

I've set up an OpenVPN server on my router and my client can connect, but the client then can't ping the router or any computer on the remote network.

The router has LAN 192.168.10.0/24
The OpenVPN server has IP 192.168.11.1 and is configured to give the client the IP 192.168.11.2

As things stand currently, I haven't touched the firewall filter rules (except to allow the actual OpenVPN client to make a connection, rule 0 below), mangle rules or ip routes. I tried many suggestions after searching here and Google but none worked so I wanted to ask for help from a fresh perspective on my particular scenario.

The relevant configs (please let me know if I should post more):
[local@MikroTik] > /ppp profile print
Flags: * - default
 0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default
     change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""

 1   ;;; openvpn profile
     name="openvpn-profile" local-address=192.168.11.1 remote-address=192.168.11.2 use-mpls=default
     use-compression=default use-encryption=yes only-one=default change-tcp-mss=default use-upnp=default
     address-list="" dns-server=192.168.11.1 on-up="" on-down=""

 2 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default
     change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""
[local@MikroTik] > /interface ovpn-server server print
                     enabled: yes
                        port: xxx
                        mode: ip
                     netmask: 24
                 mac-address: FE:89:F0:D8:88:24
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: openvpn-profile
                 certificate: server-certificate
  require-client-certificate: yes
                        auth: sha1
                      cipher: aes128,aes192,aes256
[local@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; Allow OpenVPN
      chain=input action=accept protocol=tcp dst-port=xxx

 1    ;;; allow established, related connections
      chain=input action=accept connection-state=established,related log=no log-prefix=""

 2    ;;; drop invalid connections
      chain=input action=drop connection-state=invalid log=no log-prefix=""

 3    ;;; allow lan requests
      chain=input action=accept in-interface=ether5-lan log=no log-prefix=""

 4    ;;; allow udp
      chain=forward action=accept protocol=udp in-interface=ether5-lan log=no log-prefix=""

 5    ;;; ssh for secure shell
      chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

 6 X  ;;; winbox access
      chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""

 7    ;;; log everything else
      chain=input action=log log=no log-prefix="BLOCK"

 8    ;;; drop everything else
      chain=input action=drop log=no log-prefix="BLOCK"
[local@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; default masquerading nat rule
      chain=srcnat action=masquerade log=no log-prefix=""
[local@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  ;;; Gaming traffic
        0.0.0.0/0                          *10                       1
 1   S  ;;; Game Downloads
        0.0.0.0/0                          192.168.8.1               1
 2 A S  ;;; Motsamai
        0.0.0.0/0                          browse-pppo...        1
 3 A S  ;;; Mobereki
        0.0.0.0/0                          uncapped-pp...        1
 4 A S  ;;; Sabnzbd
        0.0.0.0/0                          uncapped-pp...        1
 5 A S  ;;; Transmission
        0.0.0.0/0                          uncapped-pp...        1
 6 A S  ;;; Moraloki
        0.0.0.0/0                          browse-pppo...        1
 7   S  ;;; P2 S6e
        0.0.0.0/0                          192.168.8.1               1
 8   S  ;;; Xbone
        0.0.0.0/0                          5.5.5.5                   1
 9 A S  ;;; Default gateway route
        0.0.0.0/0                          browse-pppo...        1
10 ADS  0.0.0.0/0                          browse-pppo...        0
11  DS  0.0.0.0/0                          uncapped-pp...        0
12  DS  0.0.0.0/0                          200gb-pp...        0
13 ADC  xxx/32   xxx 200gb-pp...        0
14   S  192.168.1.1/32                     ether3-wan-lte            1
15   S  192.168.8.1/32                     ether1-wan-lte            1
16 ADC  192.168.10.0/24    192.168.10.83   ether5-lan                0
17 ADC  192.168.11.2/32    192.168.11.1    ovpn-ph                   0
18 ADC  xxx/32     xxx   uncapped-pp...        0
                                           browse-pppo...
[local@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS
 0  X  ;;; LTE
       ether1-wan-lte                      ether            1500  1598       2028 E4:8D:8C:93:C9:FA
 1  R  ;;; Fiber
       ether2-wan-fiber                    ether            1500  1598       2028 E4:8D:8C:93:C9:FB
 2  X  ;;; V LTE
       ether3-wan-lte                      ether            1500  1598       2028 E4:8D:8C:93:C9:FC
 3  X  ;;; VACANT
       ether4                              ether            1500  1598       2028 E4:8D:8C:93:C9:FD
 4  R  ;;; LAN
       ether5-lan                          ether            1500  1598       2028 E4:8D:8C:93:C9:FE
 5  R  ;;; 200gb 01
       200gb-pppoe-out1             pppoe-out        1480
 6  R  ;;; openvpn-ph
       ovpn-ph                             ovpn-in          1500
 7  R  ;;; browse
       browse-pppoe-out                pppoe-out        1480
 8  R  ;;; dl
       uncapped-pppoe-out1             pppoe-out        1480

ovpn config file (client is Windows 10, if that matters):
client
dev tun
proto tcp
remote yyy xxx
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert home.crt
key home.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass home.txt
verb 3
route 192.168.10.0 255.255.255.0 vpn_gateway

When I start a torch on the ovpn-ph interface and try to load a web page that is on the remote network from the client, it doesn't load, but this is what I see:
[torch screenshot not reproduced]

And occasionally in the log I'll see the following entries:
[log screenshot not reproduced]

What rules must I add to the firewall/NAT/route to make this work? I'll really appreciate any help.
 
mikbrew
just joined
Topic Author
Posts: 5
Joined: Tue Oct 27, 2015 9:14 pm

Re: OpenVPN and LAN access

Sun Nov 26, 2017 9:22 am

Anyone? Or is my issue more complicated than I thought? :(
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: OpenVPN and LAN access

Sun Nov 26, 2017 2:40 pm

As far as I know, the OVPN server does not support all features of an OpenVPN server running, for example, on Linux. I have 2 subnets in my network, and after logging in to OVPN on MikroTik I can see only the devices from the same subnet as the IP I have got, i.e. if I set up OVPN to assign an IP from subnet1, I can see only subnet1 devices; if I set it up to assign one from subnet2, I can see subnet2 devices. If I set it up from a different (admin) subnet, I can't see anything. That's why I use L2TP/IPSec instead.
 
mikbrew
just joined
Topic Author
Posts: 5
Joined: Tue Oct 27, 2015 9:14 pm

Re: OpenVPN and LAN access

Mon Nov 27, 2017 9:10 am

> As far as I know, the OVPN server does not support all features of an OpenVPN server running, for example, on Linux. I have 2 subnets in my network, and after logging in to OVPN on MikroTik I can see only the devices from the same subnet as the IP I have got, i.e. if I set up OVPN to assign an IP from subnet1, I can see only subnet1 devices; if I set it up to assign one from subnet2, I can see subnet2 devices. If I set it up from a different (admin) subnet, I can't see anything. That's why I use L2TP/IPSec instead.

This is the first time I've heard of that limitation since all the guides I've seen give the VPN network a different subnet, so what would be the point then? Just purely for routing Internet traffic? Can anyone else confirm that what I'm trying to do won't work?

In the meantime I'll give the VPN client an address in the same subnet as the LAN and see if that works.

Do you have a guide for setting up L2TP/IPSec? Will I be able to VPN into the router relatively easily from a Windows PC?
 
matiaszon
Member
Posts: 305
Joined: Mon Jul 09, 2012 9:26 am

Re: OpenVPN and LAN access

Mon Nov 27, 2017 10:27 am

> > As far as I know, the OVPN server does not support all features of an OpenVPN server running, for example, on Linux. I have 2 subnets in my network, and after logging in to OVPN on MikroTik I can see only the devices from the same subnet as the IP I have got, i.e. if I set up OVPN to assign an IP from subnet1, I can see only subnet1 devices; if I set it up to assign one from subnet2, I can see subnet2 devices. If I set it up from a different (admin) subnet, I can't see anything. That's why I use L2TP/IPSec instead.
>
> This is the first time I've heard of that limitation since all the guides I've seen give the VPN network a different subnet, so what would be the point then? Just purely for routing Internet traffic? Can anyone else confirm that what I'm trying to do won't work?

I had the same problem and this is the answer. OVPN in MikroTik is still under development, so some things just don't work.

> In the meantime I'll give the VPN client an address in the same subnet as the LAN and see if that works.
>
> Do you have a guide for setting up L2TP/IPSec? Will I be able to VPN into the router relatively easily from a Windows PC?

You will connect even more easily, because you can use the Windows built-in client for L2TP/IPSec. There are a lot of tutorials on YouTube:
https://www.youtube.com/results?search_ ... l2tp+ipsec

I don't remember which one i used, but I am sure you can manage that.
 
mikbrew
just joined
Topic Author
Posts: 5
Joined: Tue Oct 27, 2015 9:14 pm

Re: OpenVPN and LAN access

Mon Nov 27, 2017 10:46 am

Thanks for taking the time to explain. I just need a way to reliably gain access to my home network so I'll definitely look into L2TP/IPSec and report back.
 
spookymulder84
just joined
Posts: 13
Joined: Sat Nov 11, 2017 1:37 pm
Location: Croatia

Re: OpenVPN and LAN access

Fri Dec 08, 2017 1:53 pm

How about SSTP, does it have that same limitation as OpenVPN?
I don't have all ports forwarded, and only SSTP and OpenVPN seem to allow choosing the port.
Also, does SSTP with no certificates and only a secrets password provide encryption?
 
Mariusz
just joined
Posts: 1
Joined: Sat Feb 16, 2019 10:03 pm

Re: OpenVPN and LAN access

Sat Feb 16, 2019 10:13 pm

Hi mikbrew,

Did you find answer? I have the same problem with my Mikrotik router. I have enabled Openvpn server and can connect to my network as a vpn client, but I can't ping. No access to LAN from VPN. Could you help me?

Best regards
Mariusz M.
 
bar1
just joined
Posts: 4
Joined: Thu Feb 28, 2019 6:19 pm

Re: OpenVPN and LAN access

Thu Feb 28, 2019 6:21 pm

EDIT:

I enabled the masquerade rule and it seems to be working!
 
eskejp
just joined
Posts: 1
Joined: Sun Jan 13, 2019 3:15 pm

Re: OpenVPN and LAN access

Sun Mar 03, 2019 1:51 pm

bar1, can you explain how exactly you set up the masquerade? Thanks.
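Reading the rule set mikbrew posted in the first message explains both symptoms. RouterOS filter chains are first-match and a built-in chain with no matching rule accepts the packet. In the input chain, new connections are accepted only when in-interface=ether5-lan (rule 3), so an ICMP echo or DNS query from the VPN client to 192.168.11.1, arriving on ovpn-ph, falls through to "log everything else" / "drop everything else" (which is what the BLOCK log entries show). The forward chain contains no drop at all, so VPN-to-LAN traffic is forwarded by the implicit accept. The srcnat masquerade has no out-interface, so it also rewrites VPN-to-LAN packets to the router's LAN address, which is why bar1 found that enabling masquerade makes LAN hosts reply: they answer the router rather than a 192.168.11.x address they have no route to. The snippet below is an added example, not configuration from anyone in this thread; it uses the interface and address names from the posted printouts (ether5-lan, ovpn-ph, 192.168.10.0/24, 192.168.11.1/.2) and the rule comments shown there, and assumes the router is the LAN hosts' default gateway.

```routeros
# Added example, not from the original posts. Names come from the poster's
# printouts above (LAN ether5-lan = 192.168.10.0/24, OVPN interface ovpn-ph,
# server 192.168.11.1, client 192.168.11.2); adjust them for your router.
# Rule order matters: RouterOS filter chains are first-match, and a built-in
# chain with no matching rule accepts the packet.

# 1. Input chain. The posted chain accepts new connections only when
#    in-interface=ether5-lan, so ping and DNS from the VPN client to
#    192.168.11.1 reach "drop everything else". Accept the tunnel interface
#    ahead of the log/drop pair, using the existing rule comment as anchor.
/ip firewall filter
add chain=input action=accept in-interface=ovpn-ph \
    comment="allow VPN clients to reach the router" \
    place-before=[find comment="log everything else"]

# 2. Forward chain. VPN -> LAN currently works only because nothing in the
#    forward chain drops it. State the intent explicitly so it survives a
#    later default-drop, and stop the tunnel from being a path to anything
#    but the LAN (replies from LAN hosts arrive with in-interface=ether5-lan
#    and are not affected).
add chain=forward action=accept in-interface=ovpn-ph out-interface=ether5-lan \
    comment="VPN clients to LAN"
add chain=forward action=drop in-interface=ovpn-ph \
    comment="VPN clients may reach nothing else via the router"

# 3. Source NAT. The posted masquerade has no out-interface, so it also
#    rewrites VPN -> LAN packets to the router's LAN address: every LAN host
#    then logs VPN activity as coming from the router itself. Keep NAT on the
#    uplinks only and let the router route replies back over ovpn-ph.
#    Assumption: the router is the LAN hosts' default gateway. If it is not,
#    either give them a static route for 192.168.11.0/24 via the router or
#    leave the catch-all masquerade in place, accepting the lost attribution.
/ip firewall nat
set [find comment="default masquerading nat rule"] out-interface=!ether5-lan

# 4. The openvpn-profile hands out dns-server=192.168.11.1, so the router has
#    to answer DNS for the tunnel. The input chain's final drop still keeps
#    this off the PPPoE uplinks, since only ether5-lan and ovpn-ph are
#    accepted as sources of new connections.
/ip dns set allow-remote-requests=yes
```

Two checks after applying this: `/ip firewall filter print stats` should show the new input rule's counters moving when the client pings 192.168.11.1, and the BLOCK log entries for the client's traffic should stop. One unrelated observation from the same printout: rule 5 accepts TCP/22 from every interface, including the PPPoE uplinks; if SSH is only needed from the LAN or the VPN, the two interface-based accepts already cover it and rule 5 can be restricted with in-interface or removed.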
