Technetium
Frequent Visitor
Topic Author
Posts: 75
Joined: Sun Oct 16, 2016 10:56 pm

Can't access Winbox from VPN - OpenVpn

Mon Jul 22, 2019 7:03 pm

I've set up an OpenVPN server on the router to be able to change its config (using Winbox), but when I'm connected from an external connection through an OpenVPN tunnel I can't connect to the router.

The connection is correctly initiated. Assigned IP: 10.255.255.3
The IP pool for the OVPN server is 10.255.255.2/24.

I can ping 192.168.1.1 (the router),
but I can't open WebFig or use Winbox.

What's wrong?

My config:
/interface bridge
add admin-mac=4C:5E:0C:07:63:3C arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=WAN1
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=WAN2
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n country=italy \
    disabled=no distance=indoors frequency=auto frequency-mode=\
    regulatory-domain hide-ssid=yes mode=ap-bridge ssid=Tss tx-power=25 \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add name=peer1 passive=yes
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=10.0.2.2-10.0.2.254
add name=pool-ovpn ranges=10.255.255.2-10.255.255.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=192.168.1.1 name=Ovpn-profile remote-address=pool-ovpn
/queue simple
add disabled=yes dst=192.168.1.250/32 max-limit=10M/700k name=WAN1_total \
    target=WAN1
add disabled=yes limit-at=1M/256k max-limit=10M/512k name=Server_wan1 parent=\
    WAN1_total target=192.168.1.250/32
/queue tree
add disabled=yes max-limit=700k name=uploadWAN2 parent=WAN1
add limit-at=200k max-limit=600k name=Voip_upload_WAN2 packet-mark=fromVoip \
    parent=uploadWAN2
add max-limit=690k name=otherClientWAN2 packet-mark=no-mark parent=uploadWAN2
/system logging action
set 1 disk-file-count=1
/interface bridge port
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=wlan1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=WAN2 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=WAN2 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 default-profile=Ovpn-profile \
    enabled=yes port=1200 require-client-certificate=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN1
add dhcp-options=hostname,clientid disabled=no interface=WAN2
/ip dhcp-server lease
add address=192.168.1.254 client-id=1:6c:3b:6b:ed:b3:5f disabled=yes \
    mac-address=6C:3B:6B:ED:B3:5F server=defconf
add address=192.168.1.251 client-id=1:64:d1:54:46:af:ee mac-address=\
    64:D1:54:46:AF:EE server=defconf
/ip dhcp-server network
add address=10.0.2.0/24 dns-server=192.168.178.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.2.1
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input connection-state=new dst-port=1200 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!WAN2 connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="Accept da WAN1" dst-address=\
    192.168.178.0/24
add action=accept chain=prerouting comment="Accept da WAN2" dst-address=\
    10.0.2.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2 passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Voip connection mark WAN2" connection-mark=no-mark dst-address-type=\
    !local in-interface=bridge new-connection-mark=Voip_WAN2 passthrough=yes \
    src-address=192.168.1.250
add action=mark-connection chain=prerouting comment="PCC stream WAN1" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge \
    new-connection-mark=WAN1 passthrough=yes per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting comment="PCC stream WAN2" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge \
    new-connection-mark=WAN2 passthrough=yes per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
    "Voip routing mark WAN2_mark chain prerouting" connection-mark=Voip_WAN2 \
    in-interface=bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
    bridge new-routing-mark=WAN1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
    bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=output comment=\
    "Voip routing mark WAN2_mark chain output" connection-mark=Voip_WAN2 \
    new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=\
    WAN1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=\
    WAN2-mark passthrough=yes
add action=mark-packet chain=postrouting connection-mark=Voip_WAN2 \
    new-packet-mark=fromVoip
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment="WAN 2 marked route" distance=1 gateway=\
    192.168.43.1 routing-mark=WAN2-mark
add check-gateway=ping comment="WAN 1 marked route" distance=1 gateway=\
    192.168.178.1 routing-mark=WAN1-mark
add comment="Default route WAN 1" distance=1 gateway=192.168.178.1
add comment="Defult route WAN 2" distance=1 gateway=192.168.43.1
/ip ssh
set forwarding-enabled=remote
/ppp secret
add local-address=10.255.255.2 name=Utente1 profile=Ovpn-profile \
    remote-address=10.255.255.3 service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=hAP
/system logging
add topics=ovpn,debug
/system ntp client
set enabled=yes
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Can't access Winbox from VPN - OpenVpn

Mon Jul 22, 2019 9:02 pm

This rule is blocking access:
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Your VPN is not included in the interface list. You can add it under /ppp profiles:
/ppp profile
add local-address=192.168.1.1 name=Ovpn-profile remote-address=pool-ovpn interface-list=LAN
 
Technetium
Frequent Visitor
Topic Author
Posts: 75
Joined: Sun Oct 16, 2016 10:56 pm

Re: Can't access Winbox from VPN - OpenVpn

Mon Jul 22, 2019 9:15 pm

But why is ping to the devices working?
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Can't access Winbox from VPN - OpenVpn

Mon Jul 22, 2019 9:25 pm

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
This rule, since no interfaces are listed and it is above the drop rule (they are processed in order), allows pings from anywhere.
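As an added example (not from the thread or from MikroTik), the rule-ordering point above modelled in Python: the five input-chain rules from the posted export are walked top to bottom and the first match wins, which is why an ICMP echo from the VPN is accepted while a new TCP connection to Winbox (assumed to be on its default port 8291) from the same interface falls through to the final drop until that interface is a member of the LAN list. The VPN interface name "ovpn-Utente1" is an assumed placeholder for the dynamic OVPN interface.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    in_interface: str
    protocol: str                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    conn_state: str = "new"       # new/established/related/untracked/invalid

@dataclass
class Rule:
    action: str
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    conn_states: frozenset = frozenset()    # empty means any connection state
    in_interface_list: Optional[str] = None  # "LAN" or negated "!LAN"

    def matches(self, pkt: Packet, lists: dict) -> bool:
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.conn_states and pkt.conn_state not in self.conn_states:
            return False
        if self.in_interface_list:
            negate = self.in_interface_list.startswith("!")
            member = pkt.in_interface in lists.get(self.in_interface_list.lstrip("!"), set())
            if member == negate:    # "!LAN" matches only non-members
                return False
        return True
# The input chain as exported in the first post, in the order RouterOS walks it.
INPUT_CHAIN = [
    Rule("accept", "ovpn port", protocol="tcp", dst_port=1200, conn_states=frozenset({"new"})),
    Rule("accept", "defconf: accept established,related,untracked",
         conn_states=frozenset({"established", "related", "untracked"})),
    Rule("drop", "defconf: drop invalid", conn_states=frozenset({"invalid"})),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
]
# LAN membership before the fix and after the profile adds the (assumed) OVPN interface name.
LISTS_BEFORE = {"LAN": {"bridge"}}
LISTS_AFTER = {"LAN": {"bridge", "ovpn-Utente1"}}
def evaluate(pkt: Packet, lists: dict) -> tuple:
    # First matching rule wins; RouterOS accepts a packet that no rule matched.
    for rule in INPUT_CHAIN:
        if rule.matches(pkt, lists):
            return rule.action, rule.comment
    return "accept", "end of chain"
```

Note that the ICMP rule also accepts echo requests arriving on WAN1/WAN2, which is the "pings from anywhere" behaviour described above.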
 
Technetium
Frequent Visitor
Topic Author
Posts: 75
Joined: Sun Oct 16, 2016 10:56 pm

Re: Can't access Winbox from VPN - OpenVpn

Tue Jul 23, 2019 12:29 am

I've added the interface list LAN in the profile.
It worked only if I set a local IP in the DHCP range (e.g. 192.168.1.2) as the local address and the "dhcp" pool as the remote address.
It does not work if I use a separate pool (10.255.255.2-10.255.255.254) for the OVPN profile.
I can't figure out why the access won't work when using a separate pool.
