Community discussions

MUM Europe 2020
just joined
Topic Author
Posts: 22
Joined: Fri Aug 22, 2014 3:27 pm

OpenVPN Firewall Best Practice

Tue Mar 03, 2015 6:41 pm


i just configured an openvpn server on mikrotik for testing and i set up a very basic firewall.

The setup is the following:

@CRS125 the port 24 is set up with no master port.
On that port is a external modem for the internet connection which is done via pppoe.
The openvpn server is listening on port 443 and has ip pool
My internal subnets connected to the router are

In the first tests, i only allowed on the input chain port 443 and could connect the openvpn server, but i was not able to reach the router itself on ip or my private subnets (i pushed the correct route in the client config though)

After the first tests i allowed at the input and forward chain the subnets and everything is working as expected.
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=input action=accept connection-state=established,related log=no log-prefix="" 
 1    chain=input action=accept in-interface=ether1-master-local log=no log-prefix="" 
 2    chain=input action=accept protocol=tcp dst-port=443 log=no log-prefix="" 
 3    chain=input action=accept src-address= log=no log-prefix="" 
 4 X  chain=input action=drop connection-state=invalid log=no log-prefix="" 
 5    chain=input action=drop log=no log-prefix="" 
 6    chain=forward action=accept connection-state=established,related log=no log-prefix="" 
 7    chain=forward action=accept dst-address= in-interface=ether1-master-local log=no log-prefix="" 
 8    chain=forward action=accept src-address= log=no log-prefix="" 
 9    chain=forward action=drop connection-state=invalid log=no log-prefix="" 
10    chain=forward action=drop log=no log-prefix="" 
The openvpn device is dynamic, so it could not be used for firewalling i guess.
What is the best practice to allow all traffic that is coming in via openvpn without handling it with subnets?

Greetings Reiner
just joined
Posts: 10
Joined: Tue Feb 10, 2015 1:22 am
Location: London, UK

Sat Mar 07, 2015 1:22 am

About dynamic bit. When creating firewall rules that involve openvpn server I assigned static interface. Under /interfaces open ovpn-server . Like add name=<ovpn-user1> user=user1. Took it from whatever print said I got assigned dynamically, assigned same thing statically and deleted former. After this in firewall <ovpn-user1> was persistent interface. Not sure what to do with oodles of vpn users. Script? Hope it's relevant.

Who is online

Users browsing this forum: No registered users and 18 guests