Technetium
newbie
Topic Author
Posts: 46
Joined: Sun Oct 16, 2016 10:56 pm

Can't access Winbox from VPN - OpenVpn

Mon Jul 22, 2019 7:03 pm

I've set up an OpenVPN server on the router to be able to change its config (using Winbox), but when I'm connected from an external connection in an OpenVPN tunnel I can't connect to the router.

The connection is correctly initiated. Assigned IP 10.255.255.3
IP pool for the OVPN server is 10.255.255.2/24.

I can ping 192.168.1.1 (the router)
but I can't open WebFig or use Winbox.

What's wrong?

My config:
/interface bridge
add admin-mac=4C:5E:0C:07:63:3C arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=WAN1
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=WAN2
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n country=italy \
    disabled=no distance=indoors frequency=auto frequency-mode=\
    regulatory-domain hide-ssid=yes mode=ap-bridge ssid=Tss tx-power=25 \
    tx-power-mode=all-rates-fixed wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add name=peer1 passive=yes
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool2 ranges=10.0.2.2-10.0.2.254
add name=pool-ovpn ranges=10.255.255.2-10.255.255.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=192.168.1.1 name=Ovpn-profile remote-address=pool-ovpn
/queue simple
add disabled=yes dst=192.168.1.250/32 max-limit=10M/700k name=WAN1_total \
    target=WAN1
add disabled=yes limit-at=1M/256k max-limit=10M/512k name=Server_wan1 parent=\
    WAN1_total target=192.168.1.250/32
/queue tree
add disabled=yes max-limit=700k name=uploadWAN2 parent=WAN1
add limit-at=200k max-limit=600k name=Voip_upload_WAN2 packet-mark=fromVoip \
    parent=uploadWAN2
add max-limit=690k name=otherClientWAN2 packet-mark=no-mark parent=uploadWAN2
/system logging action
set 1 disk-file-count=1
/interface bridge port
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=wlan1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=WAN2 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=WAN2 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 default-profile=Ovpn-profile \
    enabled=yes port=1200 require-client-certificate=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN1
add dhcp-options=hostname,clientid disabled=no interface=WAN2
/ip dhcp-server lease
add address=192.168.1.254 client-id=1:6c:3b:6b:ed:b3:5f disabled=yes \
    mac-address=6C:3B:6B:ED:B3:5F server=defconf
add address=192.168.1.251 client-id=1:64:d1:54:46:af:ee mac-address=\
    64:D1:54:46:AF:EE server=defconf
/ip dhcp-server network
add address=10.0.2.0/24 dns-server=192.168.178.1,8.8.8.8,8.8.4.4 gateway=\
    10.0.2.1
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input connection-state=new dst-port=1200 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!WAN2 connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="Accept da WAN1" dst-address=\
    192.168.178.0/24
add action=accept chain=prerouting comment="Accept da WAN2" dst-address=\
    10.0.2.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2 passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Voip connection mark WAN2" connection-mark=no-mark dst-address-type=\
    !local in-interface=bridge new-connection-mark=Voip_WAN2 passthrough=yes \
    src-address=192.168.1.250
add action=mark-connection chain=prerouting comment="PCC stream WAN1" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge \
    new-connection-mark=WAN1 passthrough=yes per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting comment="PCC stream WAN2" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge \
    new-connection-mark=WAN2 passthrough=yes per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
    "Voip routing mark WAN2_mark chain prerouting" connection-mark=Voip_WAN2 \
    in-interface=bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
    bridge new-routing-mark=WAN1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
    bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=output comment=\
    "Voip routing mark WAN2_mark chain output" connection-mark=Voip_WAN2 \
    new-routing-mark=WAN2-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=\
    WAN1-mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=\
    WAN2-mark passthrough=yes
add action=mark-packet chain=postrouting connection-mark=Voip_WAN2 \
    new-packet-mark=fromVoip
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping comment="WAN 2 marked route" distance=1 gateway=\
    192.168.43.1 routing-mark=WAN2-mark
add check-gateway=ping comment="WAN 1 marked route" distance=1 gateway=\
    192.168.178.1 routing-mark=WAN1-mark
add comment="Default route WAN 1" distance=1 gateway=192.168.178.1
add comment="Defult route WAN 2" distance=1 gateway=192.168.43.1
/ip ssh
set forwarding-enabled=remote
/ppp secret
add local-address=10.255.255.2 name=Utente1 profile=Ovpn-profile \
    remote-address=10.255.255.3 service=ovpn
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=hAP
/system logging
add topics=ovpn,debug
/system ntp client
set enabled=yes
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
2frogs
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Can't access Winbox from VPN - OpenVpn

Mon Jul 22, 2019 9:02 pm

This rule is blocking access:
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Your VPN is not included in the interface list. You can add it under /ppp profiles:
/ppp profile
add local-address=192.168.1.1 name=Ovpn-profile remote-address=pool-ovpn interface-list=LAN
 
Technetium
newbie
Topic Author
Posts: 46
Joined: Sun Oct 16, 2016 10:56 pm

Re: Can't access Winbox from VPN - OpenVpn

Mon Jul 22, 2019 9:15 pm

But why is ping to the devices working?
 
2frogs
Long time Member
Long time Member
Posts: 540
Joined: Fri Dec 03, 2010 1:38 am

Re: Can't access Winbox from VPN - OpenVpn

Mon Jul 22, 2019 9:25 pm

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
This rule, since no interfaces are listed and it is above the drop rule (they are processed in order), allows pings from anywhere.
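The two replies above describe first-match evaluation of the input chain: the ICMP accept sits before the "drop all not coming from LAN" rule, so pings from the tunnel get through, while a Winbox connection on TCP/8291 (the Winbox default port) falls through to the drop rule because the dynamic OVPN interface is not a LAN member until the profile carries interface-list=LAN. The following is an added example, not the poster's configuration or RouterOS code: a small Python model of the poster's five input-chain rules and of the interface-list membership before and after the fix. The dynamic interface name <ovpn-Utente1> is constructed here for illustration (RouterOS derives it from the ppp secret name), and the model only covers the match fields these particular rules use.

```python
"""Toy model of RouterOS /ip firewall filter input-chain evaluation.

Added example, not the thread's configuration or RouterOS code. It reproduces
first-match semantics for the handful of match fields the poster's rules use
(protocol, dst-port, connection-state, negated in-interface-list) and shows why
ICMP from the OVPN client is accepted while TCP/8291 (Winbox) is dropped until
the dynamic OVPN interface becomes a member of the LAN interface list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    in_interface: str
    protocol: str               # "tcp", "udp" or "icmp"
    dst_port: Optional[int]     # None for ICMP
    connection_state: str       # "new", "established", "related", "untracked", "invalid"


@dataclass
class Rule:
    action: str                                  # "accept" or "drop"
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Optional[Set[str]] = None
    in_interface_list: Optional[str] = None      # e.g. "LAN" or "!LAN"

    def matches(self, pkt: Packet, lists: Dict[str, Set[str]]) -> bool:
        """Every specified matcher must agree; unspecified matchers match anything."""
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.connection_state and pkt.connection_state not in self.connection_state:
            return False
        if self.in_interface_list is not None:
            negated = self.in_interface_list.startswith("!")
            name = self.in_interface_list.lstrip("!")
            member = pkt.in_interface in lists.get(name, set())
            # "!LAN" matches only when the interface is NOT in LAN; "LAN" only when it is.
            if member == negated:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, lists: Dict[str, Set[str]]) -> str:
    """First matching rule decides; a chain with no match falls through to accept."""
    for rule in rules:
        if rule.matches(pkt, lists):
            return rule.action
    return "accept"  # RouterOS implicit accept at the end of a chain


# The poster's input chain, in the order it appears in the export.
INPUT_CHAIN = [
    Rule("accept", "ovpn server port", protocol="tcp", dst_port=1200, connection_state={"new"}),
    Rule("accept", "defconf: accept established,related,untracked",
         connection_state={"established", "related", "untracked"}),
    Rule("drop", "defconf: drop invalid", connection_state={"invalid"}),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
]

# Constructed name for the dynamic OVPN interface (derived from the secret "Utente1").
OVPN_IF = "<ovpn-Utente1>"

# Interface-list membership as exported: only the bridge is in LAN.
LISTS_BEFORE = {"LAN": {"bridge"}, "WAN": {"WAN1", "WAN2"}}
# After adding interface-list=LAN to Ovpn-profile, the dynamic interface joins LAN.
LISTS_AFTER = {"LAN": {"bridge", OVPN_IF}, "WAN": {"WAN1", "WAN2"}}


def ping_from_vpn(lists: Dict[str, Set[str]]) -> str:
    """Echo request arriving on the tunnel interface (first packet, so state "new")."""
    return evaluate(INPUT_CHAIN, Packet(OVPN_IF, "icmp", None, "new"), lists)


def winbox_from_vpn(lists: Dict[str, Set[str]]) -> str:
    """TCP SYN to the Winbox default port 8291 arriving on the tunnel interface."""
    return evaluate(INPUT_CHAIN, Packet(OVPN_IF, "tcp", 8291, "new"), lists)


def winbox_from_wan(lists: Dict[str, Set[str]]) -> str:
    """Same SYN from the WAN side; must stay dropped before and after the fix."""
    return evaluate(INPUT_CHAIN, Packet("WAN1", "tcp", 8291, "new"), lists)


if __name__ == "__main__":
    for label, lists in (("before", LISTS_BEFORE), ("after", LISTS_AFTER)):
        print(f"{label}: ping={ping_from_vpn(lists)} winbox={winbox_from_vpn(lists)} "
              f"winbox-from-WAN={winbox_from_wan(lists)}")
```

Running it shows ping accepted in both states, Winbox dropped before the profile change and accepted after it, and Winbox from WAN1 dropped throughout, which is the behaviour the two replies describe. The same walk-through applies to WebFig (TCP/80 by default): it hits the same drop rule for the same reason.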
 
Technetium
newbie
Topic Author
Posts: 46
Joined: Sun Oct 16, 2016 10:56 pm

Re: Can't access Winbox from VPN - OpenVpn

Tue Jul 23, 2019 12:29 am

I've added the interface list LAN in the profile.
It worked only if I set a local IP in the DHCP range (e.g. 192.168.1.2) as the local address and the "dhcp" pool as the remote address.
It does not work if I use a separate pool (10.255.255.2-10.255.255.254) for the OVPN profile.
I can't figure out why the access won't work when using a separate pool.
