draid
Member Candidate
Topic Author
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Strange IP addresses forwarded to internal server

Tue Jan 15, 2019 8:42 pm

Hello guys,

I have the following configuration at the moment:

1. Main router - hEX S
2. AP/Bridge - hAP ac^2 x2

The main router (dual WAN) has the default firewall rules (ICMP allowed only from local, everything except winbox is disabled) and both hAPs are reset with no configuration and set as AP (all ports are bridged and no firewall present). Behind one of the hAPs I have a server on which OpenVPN is installed using UDP.

The main router is forwarding to the server:

/ip firewall nat
add action=dst-nat chain=dstnat comment="OpenVPN" dst-address=<static address from ISP> \
    dst-port=1194 in-interface-list=WAN log=yes protocol=udp \
    to-addresses=<local address of the server> to-ports=1194
Everything seems to work as intended and I have access to the network and the devices from outside. However, I recently saw in the logs that some strange IP addresses are dst-nat-ed to the internal server on which the VPN is. These logs are rare (once or twice a day) and seem to be from one range, 185.200.118.0 - 185.200.118.255.

Do you guys have any explanation for this, and should I be worried? Is there a way to allow only specific IP addresses to be dst-nat-ed to the server, and should I set firewalls also on the hAPs? Currently I've disabled the NAT rule for port 1194 as I'm not sure what is happening and don't want to risk it.

Thanks for the help in advance.
 
tdw
Forum Guru
Posts: 1855
Joined: Sat May 05, 2018 11:55 am

Re: Strange IP addresses forwarded to internal server

Tue Jan 15, 2019 10:46 pm

That rule will allow any IP address to connect to your VPN server; if you expose services on well-known ports they will get scanned at some point.

You could create an address list, e.g. 'VPNusers' and add src-address-list=VPNusers to the rule. This will prevent access to your VPN server if the addresses are not present in the list, fine if you have a small number of static client devices connecting but not something you can do for general remote access.

Incidentally 'to-ports' is unnecessary when 'dst-port' is the same (i.e. you are not changing the port number in the rule).
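The address-list approach from the reply above, written out as an added RouterOS example (not from the thread or from MikroTik's documentation); the list entries, log prefixes and the <WAN-IP>/<SERVER-IP> placeholders are assumptions to be replaced with your own values:

```routeros
# Added example: restrict the OpenVPN dst-nat rule to a fixed set of client addresses.
# <WAN-IP> is the ISP static address, <SERVER-IP> the internal OpenVPN host (both placeholders).
# The addresses in the list are constructed sample values.
/ip firewall address-list
add list=VPNusers address=203.0.113.10 comment="home office static IP (sample)"
add list=VPNusers address=198.51.100.0/24 comment="branch site range (sample)"

# Only sources on the VPNusers list are forwarded; scanners fall through to the input chain.
/ip firewall nat
add chain=dstnat action=dst-nat comment="OpenVPN" protocol=udp dst-address=<WAN-IP> \
    dst-port=1194 in-interface-list=WAN src-address-list=VPNusers \
    to-addresses=<SERVER-IP> log=yes log-prefix="ovpn-dnat"

# Optional visibility: log and drop anything else aimed at the VPN port on the WAN side.
# Place this rule above the default "drop all not coming from LAN" input rule, otherwise
# that rule drops the packets silently and the scans no longer appear in the log.
/ip firewall filter
add chain=input action=drop comment="log+drop unlisted OpenVPN attempts" protocol=udp \
    dst-port=1194 in-interface-list=WAN src-address-list=!VPNusers log=yes log-prefix="ovpn-scan"
```

After this change, a hit from an address outside the list shows up with the "ovpn-scan" prefix instead of "ovpn-dnat", so the two cases are easy to tell apart in /log print.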
 
draid
Member Candidate
Topic Author
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Re: Strange IP addresses forwarded to internal server

Wed Jan 16, 2019 9:35 pm

> That rule will allow any IP address to connect to your VPN server; if you expose services on well-known ports they will get scanned at some point.
>
> You could create an address list, e.g. 'VPNusers' and add src-address-list=VPNusers to the rule. This will prevent access to your VPN server if the addresses are not present in the list, fine if you have a small number of static client devices connecting but not something you can do for general remote access.
>
> Incidentally 'to-ports' is unnecessary when 'dst-port' is the same (i.e. you are not changing the port number in the rule).

Fair enough, but isn't there a more elegant, IP-independent solution to this? Is there a way to do it with MAC or somehow defend the server in another way?
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Strange IP addresses forwarded to internal server

Wed Jan 16, 2019 11:06 pm

If the service can't defend itself, then you're in deep trouble. The whole secret/ciphering/handshake part of VPN is intended to defend the service from trespassers. If you don't entirely trust it, follow advice by @tdw ...
 
draid
Member Candidate
Topic Author
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Re: Strange IP addresses forwarded to internal server

Thu Jan 17, 2019 7:36 pm

It's not that I don't trust it as someone who'd like to connect would need to obtain the certificates. I was just wondering if there is a way to increase the security in this case.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Strange IP addresses forwarded to internal server

Thu Jan 17, 2019 8:40 pm

There is: use tls-auth. See https://community.openvpn.net/openvpn/wiki/Hardening

But I don't think that OpenVPN on Tik supports that... My vpn runs off Tik
 
draid
Member Candidate
Topic Author
Posts: 106
Joined: Wed Aug 22, 2018 5:42 pm

Re: Strange IP addresses forwarded to internal server

Fri Jan 18, 2019 9:31 pm

> There is: use tls-auth. See https://community.openvpn.net/openvpn/wiki/Hardening
>
> But I don't think that OpenVPN on Tik supports that... My vpn runs off Tik

Thanks for the link. I'll take a look at it. The VPN isn't on the Tik, it runs on an OMV server which is based on Debian. The MikroTik only forwards to the server, but I'm logging every such action, so I saw strange addresses being forwarded to the internal server.
