 
BSL5
just joined
Topic Author
Posts: 6
Joined: Mon May 24, 2021 9:10 pm

OVPN for beginner

Sun Jun 06, 2021 9:08 pm

Hi.
I have a hAP ac2. I configured it with several tutorials (and spent several months).
laptop (wifi) --->mobile phone (tethering)--->|INTERNET|--->HAPAC2 (eth1=WAN) --->my pc (eth2=part of BridgeLAN (eth2-5, all WiFI) )
OVPN pool - 10.0.0.2-10.0.0.20
LAN - 90.90.90.0/24
When I'm connected with OVPN, I can, from the laptop:
1. ping 10.0.0.1
2. ping 90.90.90.1
But I can't ping my PC (90.90.90.13).
My PC can ping 10.0.0.1 and 90.90.90.1 but can't ping the laptop.
Router can ping both.
How do I use OVPN to connect to my PC, e.g. with RDP, or print on my WiFi printer?
When I try to use Remote Desktop, I can't access my PC.
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: OVPN for beginner

Tue Jun 08, 2021 9:48 am

I had the same problem when I initially set up a MikroTik as a VPN server (SSTP and OpenVPN). The solution I found (I don't claim this is the best idea, but it worked for the system I configured) is to change the /interface bridge arp setting to proxy-arp.

If anyone has a better/more secure suggestion, I'd like to hear about it.
 
BSL5
just joined
Topic Author
Posts: 6
Joined: Mon May 24, 2021 9:10 pm

Re: OVPN for beginner

Sun Jun 13, 2021 9:11 pm

I tried proxy-arp on the Bridge and on the Bridge with eth ports (2-5) - still nothing.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: OVPN for beginner

Mon Jun 14, 2021 9:05 pm

Let me ask you something off-topic - why OpenVPN? It's slow...

I wrote a tutorial some time ago on an IPsec/IKEv2 VPN with certificates for remote access. Slightly slower than WireGuard, but a very well supported VPN type.
viewtopic.php?f=23&t=175656
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: OVPN for beginner

Thu Jun 17, 2021 4:40 pm

Let me ask you something off-topic - why OpenVPN? It's slow...
OpenVPN can be slow, but it has the advantage that (in TCP mode) it survives CG-NAT, which is still in common use and causes all sorts of problems for VPNs that use UDP. Plus, being natively supported in RouterOS, you do get some hardware acceleration to improve matters.
 
BSL5
just joined
Topic Author
Posts: 6
Joined: Mon May 24, 2021 9:10 pm

Re: OVPN for beginner

Sat Jun 26, 2021 9:30 pm

I tried IPsec and, you won't believe it, it's the same problem. I can't ping 90.90.90.13 or connect to a shared folder on 90.90.90.13. I can't ping 10.0.0.x from 90.90.90.13.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: OVPN for beginner

Sun Jun 27, 2021 1:28 pm

My PC can ping 10.0.0.1 and 90.90.90.1 but can't ping laptop.
Router can ping both.
It's because you have the following rule in your router that allows pinging it from literally any IP:
/ip firewall filter add action=accept chain=input comment="Allow ICMP" protocol=icmp

OVpn pool - 10.0.0.2-10.0.0.20
Did you whitelist these IPs in your router? I am fairly sure you have this firewall rule that drops such traffic, because 10.0.0.2-10.0.0.20 is coming from the WAN interface and these are private IPs:
/ip firewall filter add action=drop chain=forward comment="Drop coming from WAN where source IP is private" in-interface-list=WAN src-address-list=not_in_internet

Before suggesting anything, I hope you have these rules at the top of your "forward" chain:
/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="Allow established,related" connection-state=established,related
Now add these rules above those 2 rules - this will allow traffic coming from 10.0.0.2-10.0.0.20 and bypass fasttrack. Someone correct me on how to mark OpenVPN traffic; I've never set up OpenVPN on MikroTik routers (there should be a separate interface?):
/ip firewall filter add action=accept chain=forward src-address=10.0.0.2-10.0.0.20
/ip firewall filter add action=accept chain=forward dst-address=10.0.0.2-10.0.0.20
If you go with IPsec, then adding these 2 rules instead is sufficient:
/ip firewall filter add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec

Let me know if you managed to fix it :)

More info on firewall: https://help.mikrotik.com/docs/display/ ... t+Firewall
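The ordering advice above (VPN accept rules placed before the fasttrack/established rules) can be combined with narrower matches than "accept everything from the pool". The following is an added example in RouterOS CLI syntax; it is not the thread's configuration and not taken from MikroTik documentation. It assumes the OVPN pool 10.0.0.0/24, the LAN 90.90.90.0/24 and the PC at 90.90.90.13 from this thread, a fasttrack rule whose comment is "FastTrack" as in the post above, and a placeholder printer address 90.90.90.20; the address-list name vpn_pool and all rule comments are invented here.

```routeros
# Added example, not the thread's own configuration.
# Assumed: OVPN pool 10.0.0.0/24, LAN PC 90.90.90.13, fasttrack rule commented
# "FastTrack", and a placeholder printer at 90.90.90.20.

# 1. Name the VPN pool once, so the filter rules do not carry raw ranges.
/ip firewall address-list
add list=vpn_pool address=10.0.0.0/24 comment="OVPN client pool"

# 2. VPN -> LAN allow rules, limited to the services actually needed.
#    place-before puts each rule in front of the "FastTrack" rule, so the
#    first packet of a new session is judged here; later packets of an
#    accepted session are then handled by established,related / fasttrack.
/ip firewall filter
add chain=forward action=accept src-address-list=vpn_pool dst-address=90.90.90.13 \
    protocol=tcp dst-port=3389 comment="VPN -> PC: RDP" \
    place-before=[find comment="FastTrack"]
add chain=forward action=accept src-address-list=vpn_pool dst-address=90.90.90.20 \
    protocol=tcp dst-port=631,9100 comment="VPN -> printer: IPP/raw (placeholder host)" \
    place-before=[find comment="FastTrack"]
add chain=forward action=accept src-address-list=vpn_pool protocol=icmp \
    comment="VPN -> LAN: ping for troubleshooting" \
    place-before=[find comment="FastTrack"]

# 3. Any other NEW session from the pool is logged and dropped, so a blanket
#    "accept src-address=10.0.0.2-10.0.0.20" rule is not needed.
add chain=forward action=drop src-address-list=vpn_pool connection-state=new \
    log=yes log-prefix="vpn-drop" comment="VPN -> LAN: drop the rest" \
    place-before=[find comment="FastTrack"]

# 4. Check the resulting order (the new rules must print above "FastTrack").
/ip firewall filter print where chain=forward
```

Because each `add` uses `place-before=[find comment="FastTrack"]`, the rules end up in the order they were typed, directly above the fasttrack rule. The final drop is restricted to `connection-state=new` so that it never interferes with reply traffic of sessions that were already accepted, and logging it gives a quick way to see which client address and port a failing connection was actually using.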
 
BSL5
just joined
Topic Author
Posts: 6
Joined: Mon May 24, 2021 9:10 pm

Re: OVPN for beginner

Sat Jul 03, 2021 7:21 pm

Thanks erkexzcx.
You helped me.
I added:
/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
/ip firewall filter add action=accept chain=forward src-address=10.0.0.2-10.0.0.20
/ip firewall filter add action=accept chain=forward dst-address=10.0.0.2-10.0.0.20
Connected via OVPN and pinged from laptop to PC - nothing. I wanted to write: IT'S STILL NOT WORKING.
I checked NAT for OVPN (seems all OK for OVPN):
     chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=90.90.90.0/24 out-interface=bridge_LAN log=no log-prefix="" 
     chain=srcnat action=masquerade src-address=90.90.90.0/24 dst-address=10.0.0.0/24 out-interface=xray_s log=no log-prefix="" 
This should work with your firewall rules.
I removed both and added them once again, and TADDDAAAAAA - IT WORKS.

Small question:
At my work we have 3 shops: the main one with the DB, and 2 connected to the main one. All use the IP range 192.168.1.0/24, with 3 ISPs.
Is it possible to make one "range" with OVPN/IPsec (of course after cleaning up)?
