ilja
newbie
Topic Author
Posts: 49
Joined: Thu Feb 22, 2018 1:15 pm

Mikrotik RouterOS(OpenVPN client) connecting to OpenVPN server(Ubuntu)

Thu Mar 22, 2018 10:10 am

Hello,

I have some issues with making MT work with an OpenVPN server (Ubuntu). I can make a successful connection to the OVPN server, but traffic is not routed through the OVPN server. Here is my configuration.
Setup:
[Attached image: IMG_1474.JPG]
MikroTik configuration
/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1                              ether            1500  1598       2028 6C:3B:6B:76:DC:74
 1  RS ether2-master                       ether            1500  1598       2028 6C:3B:6B:76:DC:75
 2  RS ether3                              ether            1500  1598       2028 6C:3B:6B:76:DC:76
 3  RS ether4                              ether            1500  1598       2028 6C:3B:6B:76:DC:77
 4   S ether5                              ether            1500  1598       2028 6C:3B:6B:76:DC:78
 5 DRS Gitaraga-1                          cap              1500  1600            6C:3B:6B:63:25:1C
 6 D S Gitaraga-2                          cap              1500  1600            64:D1:54:7C:81:7C
 7 D S Gitaraga-3                          cap              1500  1600            64:D1:54:7C:81:62
 8  R  ;;; OpenVPN
       OVPN                                ovpn-out         1500                  02:D9:5B:E8:01:17
 9  R  bridge-guest                        bridge           1500 65535            F6:19:DA:7B:4F:E5
10  R  bridge-hotspot                      bridge           1500  1600            6C:3B:6B:63:25:1C
11  R  ;;; created from master port
       bridge1                             bridge           1500  1598            6C:3B:6B:76:DC:75
/interface bridge print
Flags: X - disabled, R - running 
 0 R name="bridge-guest" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address=F6:19:DA:7B:4F:E5 protocol-mode=rstp fast-forward=no 
     igmp-snooping=no priority=0x8000 auto-mac=yes max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m region-name="" region-revision=0 
     max-hops=20 vlan-filtering=no pvid=1 

 1 R name="bridge-hotspot" mtu=auto actual-mtu=1500 l2mtu=1600 arp=enabled arp-timeout=auto mac-address=6C:3B:6B:63:25:1C protocol-mode=rstp fast-forward=no 
     igmp-snooping=no priority=0x8000 auto-mac=yes max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m region-name="" region-revision=0 
     max-hops=20 vlan-filtering=no pvid=1 

 2 R ;;; created from master port
     name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=6C:3B:6B:76:DC:75 protocol-mode=rstp fast-forward=no igmp-snooping=no 
     priority=0x8000 auto-mac=no admin-mac=6C:3B:6B:76:DC:75 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m region-name="" 
     region-revision=0 max-hops=20 vlan-filtering=no pvid=1 
/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                                            BRIDGE                                            HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ether3                                               bridge1                                           yes    1     0x80         10                 10       none
 1   H ether4                                               bridge1                                           yes    1     0x80         10                 10       none
 2 I H ether5                                               bridge1                                           yes    1     0x80         10                 10       none
 3   H ether2-master                                        bridge1                                           yes    1     0x80         10                 10       none
 4 XI   ether1                                               bridge1                                           yes    1     0x80         10                 10       none
 5  D  Gitaraga-1                                           bridge-hotspot                                    yes    1     0x80         10                 10       none
 6 ID  Gitaraga-2                                           bridge-hotspot                                    yes    1     0x80         10                 10       none
 7 ID  Gitaraga-3                                           bridge-hotspot                                    yes    1     0x80         10                 10       none
/ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                       
 0   192.168.88.1/24    192.168.88.0    ether3                                                                                                                          
 1   192.168.90.1/24    192.168.90.0    bridge-guest                                                                                                                    
 2   192.168.92.1/24    192.168.92.0    bridge-hotspot                                                                                                                  
 3 D 172.30.10.72/24    172.30.10.0     ether1                                                                                                                          
 4 D 10.8.0.6/32        10.8.0.5        OVPN    
 /ip firewall nat print
...
28    chain=srcnat action=masquerade src-address=192.168.88.0/24 out-interface=OVPN log=no log-prefix="" 
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          172.30.10.1               1
 1 ADS  10.8.0.1/32                        10.8.0.5                  1
 2 ADC  10.8.0.5/32        10.8.0.6        OVPN                      0
 3 ADC  172.30.10.0/24     172.30.10.72    ether1                    0
 4 ADC  192.168.88.0/24    192.168.88.1    bridge1                   0
 5   S  192.168.88.0/24                    ether1                    1
 6 ADC  192.168.90.0/24    192.168.90.1    bridge-guest              0
 7 ADC  192.168.92.0/24    192.168.92.1    bridge-hotspot            0
/interface ovpn-client print
Flags: X - disabled, R - running 
 0  R ;;; OpenVPN
      name="OVPN" mac-address=02:D9:5B:E8:01:17 max-mtu=1500 connect-to=159.89.26.162 port=1194 mode=ip user="vpnuser" password="vpnpass" profile=OVPN-client 
      certificate=client auth=sha1 cipher=blowfish128 add-default-route=no 
/ping 10.8.0.1
  SEQ HOST                                     SIZE TTL TIME  STATUS                                                                                                    
    0 10.8.0.1                                                timeout                                                                                                   
    1 10.8.0.1                                                timeout
/ip firewall mangle print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    chain=prerouting action=mark-routing new-routing-mark=vpn_traffic passthrough=yes src-address=192.168.88.1 dst-address-list=!local_traffic log=no log-prefix=""     
 /ip firewall address-list print 
Flags: X - disabled, D - dynamic 
 #   LIST                                               ADDRESS                                                                CREATION-TIME        TIMEOUT             
 0   local_traffic                                      192.168.92.0/24                                                        mar/21/2018 16:22:10
 1   local_traffic                                      192.168.90.0/24                                                        mar/21/2018 16:22:22
 2   local_traffic                                      192.168.88.2-192.168.88.254                                            mar/21/2018 17:15:40
And from the OpenVPN server side I can successfully see the device:
root@ginnungagap:/etc/openvpn# cat openvpn-status.log
OpenVPN CLIENT LIST
Updated,Thu Mar 22 08:04:42 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
mk-gitaraga,105.178.36.40:62138,5337,28035,Thu Mar 22 08:01:33 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,mk-gitaraga,105.178.36.40:62138,Thu Mar 22 08:04:41 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END
root@ginnungagap:/etc/openvpn# ping 10.8.0.6
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.
^C
--- 10.8.0.6 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3024ms
As you can see, MikroTik is connected to the OpenVPN server, but I cannot ping the devices either way.

My main goal is to connect the MikroTik router and make all of the router's traffic go through the VPN. I do not need to redirect users' traffic (from LAN, wifi1, wifi2) to the VPN; I only need to be able to connect to the router through the VPN server (to remotely change configurations).

Thanks for your help! I'm playing with this for a while now, and cannot get it running :(

Have a good day!
 
yHuKyM
newbie
Posts: 33
Joined: Mon Aug 16, 2004 10:53 am

Re: Mikrotik RouterOS(OpenVPN client) connecting to OpenVPN server(Ubuntu)

Thu Mar 22, 2018 2:55 pm

And your routes?
/ip route print
 
vpnptp
just joined
Posts: 7
Joined: Fri Feb 09, 2018 10:07 pm
Contact:

Re: Mikrotik RouterOS(OpenVPN client) connecting to OpenVPN server(Ubuntu)

Thu Mar 22, 2018 4:45 pm

Hi,

You have to add a route 0.0.0.0/0 with the mark-routing (vpn_traffic)
/ip route
add dst-address=0.0.0.0/0 gateway=10.8.0.1 routing-mark=vpn_traffic

Regards.
Oscar P., VPN server's.
If you need a vpn server contact me.

https://vpnptp.com
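
An added example, not part of either post: a small Python model of the routing lookup, using the active routes from the question's /ip route print, to show where a packet marked vpn_traffic goes with and without the marked default route. It assumes that a marked lookup with no match falls back to the main table (RouterOS v6 behaviour) and that mark names are compared as exact strings; the function names are hypothetical.

```python
import ipaddress

# Main-table routes copied from the /ip route print in the question
# (active routes only); each tuple is (dst, gateway, routing_mark).
MAIN = [
    ("0.0.0.0/0", "172.30.10.1", None),
    ("10.8.0.1/32", "10.8.0.5", None),
    ("10.8.0.5/32", "OVPN", None),
    ("172.30.10.0/24", "ether1", None),
    ("192.168.88.0/24", "bridge1", None),
    ("192.168.90.0/24", "bridge-guest", None),
    ("192.168.92.0/24", "bridge-hotspot", None),
]
# The route proposed in the answer, in the table named by the mangle rule.
MARKED_DEFAULT = ("0.0.0.0/0", "10.8.0.1", "vpn_traffic")


def best_match(routes, dst, mark):
    """Longest-prefix match among routes whose routing mark equals `mark`."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(d), gw) for d, gw, m in routes
            if m == mark and addr in ipaddress.ip_network(d)]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def lookup(routes, dst, mark=None):
    """Try the marked table first, then fall back to the main table
    (assumption: RouterOS v6 behaviour when the marked table has no match)."""
    if mark is not None:
        gw = best_match(routes, dst, mark)
        if gw is not None:
            return gw
    return best_match(routes, dst, None)


def resolve(routes, dst, mark=None, limit=4):
    """Follow gateway addresses through the main table to an interface name."""
    hop = lookup(routes, dst, mark)
    for _ in range(limit):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return hop  # not an IP address: interface name (or None)
        hop = lookup(routes, hop, None)
    return hop
```

Without the marked route, `resolve(MAIN, "8.8.8.8", "vpn_traffic")` leaves through ether1; with `MAIN + [MARKED_DEFAULT]` it leaves through OVPN, and a mark spelled differently from the route's falls back to the main default.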
