looper
just joined
Topic Author
Posts: 9
Joined: Thu Oct 02, 2014 5:40 pm

OpenVPN routing problem

Mon Oct 06, 2014 11:42 pm

Hello,

I have one OpenVPN server having 10.8.0.1 as VPN IP. I want to connect some devices from a remote location to that VPN server without doing NAT. I configured the MikroTik router's DHCP server to offer IP addresses from 10.8.0.50 to 10.8.0.59 with NAT disabled.

Using WinBox and the log, I can see that the connection gets established and 10.8.0.6 is offered to the MikroTik router. I can ping 10.8.0.1 from the MikroTik ping tool, but I am not able to ping from a device behind the router having 10.8.0.59.

I think I missed adding a rule, but I don't know which. Do you have any idea where the problem is?

Regards
 
rickfrey
Trainer
Posts: 610
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: OpenVPN routing problem

Tue Oct 07, 2014 5:32 pm

Do you have the OpenVPN setup in Bridging mode? That would be the easiest way to set that up. On the server side, put your LAN segment in a Bridge and add the bridge to the OVPN profile. The OVPN server should be set to Ethernet. The other side will be pretty much the same, although it may or may not have any other interfaces in its bridge.
Launch your company forward with professional training!
http://rickfreyconsulting.com/product-c ... raining-2/
 
looper
just joined
Topic Author
Posts: 9
Joined: Thu Oct 02, 2014 5:40 pm

Re: OpenVPN routing problem

Tue Oct 07, 2014 5:39 pm

> Do you have the OpenVPN setup in Bridging mode? That would be the easiest way to set that up. On the server side, put your LAN segment in a Bridge and add the bridge to the OVPN profile. The OVPN server should be set to Ethernet. The other side will be pretty much the same, although it may or may not have any other interfaces in its bridge.

I prefer using tun (IP) instead of tap (Ethernet). I don't need to pass layer 2 traffic to the server.

Regards
 
rickfrey
Trainer
Posts: 610
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: OpenVPN routing problem

Tue Oct 07, 2014 7:50 pm

In that case, you may need to use proxy-arp because arp broadcast will not flow over a routed link.
 
looper
just joined
Topic Author
Posts: 9
Joined: Thu Oct 02, 2014 5:40 pm

Re: OpenVPN routing problem

Tue Oct 07, 2014 11:04 pm

Hello,

Setting proxy-arp in both port 1 and 2 (internet link and local lan) still doesn't work.

Regards
 
rickfrey
Trainer
Posts: 610
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: OpenVPN routing problem

Wed Oct 08, 2014 1:32 am

Post a compact exp of both routers, please.
 
looper
just joined
Topic Author
Posts: 9
Joined: Thu Oct 02, 2014 5:40 pm

Re: OpenVPN routing problem

Wed Oct 08, 2014 9:16 pm

Trying to set up a simpler scenario, I factory-reset the router, reconfigured the OpenVPN connection and added one rule to masquerade traffic to the VPN server. That config works.

Next step, I'll try to do the routing without NAT, having 192.168.88.0/24 as local network and 10.8.0.0/24 as VPN network. I delete the masquerading rule for VPN traffic and then it doesn't reach the VPN server.

Would I need any other rule?

Regards
 
rickfrey
Trainer
Posts: 610
Joined: Sun Feb 14, 2010 11:41 pm
Location: Van, Texas

Re: OpenVPN routing problem

Wed Oct 08, 2014 10:10 pm

The far side will need a route for the 192.168.88.0/24 traffic.
 
looper
just joined
Topic Author
Posts: 9
Joined: Thu Oct 02, 2014 5:40 pm

Re: OpenVPN routing problem

Wed Oct 08, 2014 11:38 pm

No, I think it is a client-side misconfiguration, as I can see no ICMP packets received using tcpdump. Adding the route you suggest doesn't work. Now, the VPN server route table is:


Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         94.94.94.94     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
94.23.196.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.88.0    10.8.0.2        255.255.255.0   UG    0      0        0 tun0
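
As an added example (not part of the original post), this Python sketch applies the kernel's longest-prefix-match rule to the routing table posted above, showing which interface and gateway the VPN server would select for a reply to a LAN host. The function names and the probe address 192.168.88.59 are constructed for illustration.

```python
import ipaddress

# Routing table copied from the post above (`route -n` style output on the VPN server).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         94.94.94.94     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
94.23.196.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.88.0    10.8.0.2        255.255.255.0   UG    0      0        0 tun0
"""


def parse_routes(text):
    """Turn the text table into a list of route dicts (hypothetical helper)."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 8:                    # ignore blank or malformed rows
            continue
        dest, gateway, mask, flags, metric, _ref, _use, iface = fields
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}"),
            "gateway": gateway,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, addr):
    """Return the route chosen for addr: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    # Constructed probe addresses: a LAN host, a VPN address, the tunnel peer, an Internet host.
    for probe in ("192.168.88.59", "10.8.0.59", "10.8.0.2", "8.8.8.8"):
        r = lookup(table, probe)
        print(f"{probe:15} -> {r['net']} via {r['gateway']} dev {r['iface']}")
```

The kernel table only gets the packet as far as tun0. When OpenVPN runs in multi-client server mode, it additionally needs an `iroute` entry for 192.168.88.0/24 in that client's `client-config-dir` file to know which connected client owns the subnet.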
 
MTeeker
Frequent Visitor
Posts: 92
Joined: Tue Jun 14, 2011 2:42 pm
Location: Australia

Re: OpenVPN routing problem

Fri Oct 10, 2014 5:28 am

Initially I had the same problem accessing the LAN behind the router, even though I had the routes specifically added in the client.ovpn script.

e.g. route 192.168.1.0 255.255.255.0 172.20.1.1 (172.20.1.1 is the ovpn server IP address)

In the end I added this:

add chain=forward action=accept src-address=172.20.1.0/28 in-interface=!ether10 log=no log-prefix=""

Where 172.20.1.0/28 represents the network I assigned to the ovpn connections. And I was able to access my LAN.
 
looper
just joined
Topic Author
Posts: 9
Joined: Thu Oct 02, 2014 5:40 pm

Re: OpenVPN routing problem

Mon Oct 13, 2014 8:42 pm

I added one rule to the forward chain on the MikroTik, from source LAN to destination OpenVPN, without result...
