glmnet

VPN Server routing issues

Fri Jul 26, 2019 5:09 am

Hi Community,

I have a VPN server set up. My LAN is mostly 10.0.1.x, and DHCP hands out IPs in that range.
I set up the VPN following a guide online, and it worked: the OpenVPN client on the iPhone connects OK.
I want my VPN clients to have IP 10.0.2.x
What is working now:
- Connect to the VPN
- iPhone client gets IP address: 10.0.2.20
- ping from PC on LAN to iPhone, eg ping from 10.0.1.13 to 10.0.2.20
- ping from iPhone to 10.0.2.1 (this is the mikrotik IP)

What is not working:
- ping / connect from iPhone to any 10.0.1.x host

I'm attaching my router config and my .ovpn file, which is loaded on the phone and where I attempted to write the route info.

Thanks.

here is my config:
# jul/25/2019 21:15:30 by RouterOS 6.45.2
# software id = BKDF-7MVH
#
# model = RBD52G-5HacD2HnD
# serial number = A64A0AA56014
# NOTE(review): the export header above still carries the device's software id and
# serial number; the duckdns hostnames further down were masked, these were not.
/interface bridge
# Single bridge carrying the four LAN ethernet ports and both radios (see /interface bridge port).
add admin-mac=74:4D:28:60:F1:A2 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1 is the upstream CPE port; ether2-ether5 are LAN ports. All are forced to 100Mbps.
set [ find default-name=ether1 ] comment="cpe wan" name=ether1-cpe speed=100Mbps
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full comment=hassio speed=100Mbps
set [ find default-name=ether3 ] comment=dvr speed=100Mbps
set [ find default-name=ether4 ] comment="flight radar" speed=100Mbps
set [ find default-name=ether5 ] comment=switch speed=100Mbps
/interface wireless
# Both radios run in ap-bridge mode with the same SSID and use the default security profile below.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce comment=2.4 disabled=no distance=indoors frequency=auto \
    mode=ap-bridge ssid=glmn wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee comment=5 disabled=no distance=indoors frequency=\
    auto mode=ap-bridge ssid=glmn wireless-protocol=802.11
/interface wireless manual-tx-power-table
set wlan1 comment=2.4
set wlan2 comment=5
/interface wireless nstreme
set wlan1 comment=2.4
set wlan2 comment=5
/interface list
# WAN and LAN lists are what the firewall, neighbor discovery and MAC server settings refer to.
# Note that the dynamic OpenVPN client interfaces are not members of either list.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default Wi-Fi profile: WPA/WPA2-PSK (the pre-shared key is not shown in this export).
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# LAN DHCP pool (10.0.1.10-100) and the VPN client pool (10.0.2.10-20) live in separate /24s,
# so VPN-to-LAN traffic is routed, not bridged.
add name=dhcp ranges=10.0.1.10-10.0.1.100
add name=vpn-pool ranges=10.0.2.10-10.0.2.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# VPN clients get 10.0.2.1 as both gateway and DNS server; this is the address the .ovpn
# route statement and the pushed route-gateway point at.
add dns-server=10.0.2.1 local-address=10.0.2.1 name=vpn-profile remote-address=vpn-pool use-encryption=yes
/dude
# The Dude server is enabled on this router.
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-cpe list=WAN
/interface ovpn-server server
# OpenVPN server: a client certificate is required in addition to the PPP username/password,
# HMAC is SHA1 and the AES ciphers are offered. The client's "auth SHA1" and
# "cipher AES-256-CBC" lines in the .ovpn file match this.
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 default-profile=vpn-profile enabled=yes \
    require-client-certificate=yes
/ip address
# NOTE(review): 10.0.1.1/24 is attached to ether2, but ether2 is a port of "bridge" (see
# /interface bridge port above); the LAN address is normally placed on the bridge interface
# itself. Confirm this is intended - routed traffic from 10.0.2.x to 10.0.1.x leaves through
# this address.
add address=10.0.1.1/24 comment=defconf interface=ether2 network=10.0.1.0
# WAN side is a private address behind the CPE at 192.168.1.1.
add address=192.168.1.252/24 interface=ether1-cpe network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-cpe
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server lease
# Static leases; 10.0.1.206 is the host that receives the TCP/443 dst-nat below.
add address=10.0.1.202 mac-address=74:E1:82:5E:26:B3 server=defconf
add address=10.0.1.206 mac-address=B8:27:EB:D0:76:DF server=defconf
/ip dhcp-server network
add address=10.0.1.0/24 comment=defconf gateway=10.0.1.1 netmask=24
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS on every interface, and
# the input chain below has its final "drop all not coming from LAN" rule disabled, so nothing
# in this export restricts those queries to LAN/VPN sources. Whether that is reachable from the
# Internet depends on what the CPE at 192.168.1.1 forwards.
set allow-remote-requests=yes servers=192.168.1.1,8.8.8.8
/ip dns static
add address=10.0.1.1 name=router.lan
/ip firewall address-list
# Public DDNS name and the WAN-side address; used as dst-nat match targets below.
add address=****.duckdns.org list=wan_ips
add address=192.168.1.252 list=wan_ips
/ip firewall filter
# OpenVPN listener (TCP/1194) is accepted on every interface - there is no in-interface-list match.
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE(review): this rule is disabled, so the input chain ends in the implicit accept and every
# service the router listens on (SSH, DNS and Dude are enabled in this export) is reachable
# from the WAN side unless the CPE blocks it. Re-enabling it would not affect the OpenVPN
# listener, which is accepted explicitly above, but it WOULD stop VPN clients from using
# 10.0.2.1 as their DNS server unless the OpenVPN interfaces are added to the LAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Forward chain: only new connections arriving from the WAN list are dropped. New connections
# from the VPN subnet to the LAN fall through to the implicit accept, so the firewall does not
# appear to be what blocks the iPhone-to-10.0.1.x pings.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Publishes TCP/443 on the DDNS name / WAN address to the host 10.0.1.206.
add action=dst-nat chain=dstnat dst-address-list=wan_ips dst-port=443 protocol=tcp to-addresses=10.0.1.206
# Hairpin NAT so LAN hosts can reach the published service through its public name.
add action=masquerade chain=srcnat dst-address=10.0.1.206 dst-port=443 out-interface=bridge protocol=tcp src-address=10.0.1.0/24
/ip route
# Default route via the CPE.
add distance=1 gateway=192.168.1.1
/ip ssh
# NOTE(review): allow-none-crypto=yes permits SSH sessions using the "none" cipher (no
# encryption), and forwarding-enabled=remote allows remote port forwarding through the router.
# Neither is needed for the VPN; consider allow-none-crypto=no unless something relies on it.
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set cache-entries=16k
/ppp secret
# PPP user for the VPN (used with the .ovpn auth-user-pass prompt); password not shown in this export.
add name=glm profile=vpn-profile
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/tool graphing
set store-every=24hours
/tool mac-server
# MAC-telnet and MAC-Winbox are limited to the LAN interface list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# NOTE(review): *F00035 looks like an internal interface id rather than an interface name -
# presumably a stale reference left by a removed interface; verify.
set filter-interface=*F00035

here is my .ovpn file:
client
# this is a layer 3 (IP) VPN
dev tun
topology subnet
# Mikrotik only supports TCP at the moment
proto tcp
# put your VPN Server's routable (WAN or Internet-accessible) IP address here
# (TCP/1194 is what the router's input chain accepts for OpenVPN)
remote ***.duckdns.org 1194
resolv-retry infinite
nobind
# Mikrotik does not support link compression at the moment
#comp-lzo
persist-key
persist-tun
#mute-replay-warnings
# OpenVPN client debug log verbosity
verb 1
#verb 3
#verb 6
#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-192-CBC
# one of the ciphers offered by the router's ovpn-server (aes128,aes192,aes256)
cipher AES-256-CBC
#auth MD5
# must match auth=sha1 on the router's /interface ovpn-server server
auth SHA1
# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication
auth-user-pass
# domain name for home LAN
dhcp-option DOMAIN mydomain.com
# DNS server (replace with your own)
# the server also pushes 10.0.2.1 as DNS, so the client ends up with both
dhcp-option DNS 8.8.8.8
# SMB WINS name server if you have one
#dhcp-option WINS 192.168.1.1
# route to reach the encryption domain, that is our internal LAN
# NOTE(review): the iPhone log lists this route under OPTIONS but then installs only
# 10.0.2.0/24, 8.8.8.8/32 and 10.0.2.1/32, so the LAN route never reaches the phone's
# routing table - consistent with the reported failure. The gateway given here is the
# same 10.0.2.1 the server pushes as route-gateway, so a first test is the same line
# without the explicit gateway: "route 10.0.1.0 255.255.255.0".
route 10.0.1.0 255.255.255.0 10.0.2.1
# Mikrotik accepts a CA cert
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

# Mikrotik expects a VPN Client Certificate
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
# (the key is stored unencrypted inline, so this file is the client's identity - keep it private)
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
Then on the iPhone I see this information:

2019-07-25 23:05:15 Session is ACTIVE

2019-07-25 23:05:15 EVENT: GET_CONFIG

2019-07-25 23:05:15 Sending PUSH_REQUEST to server...

2019-07-25 23:05:16 Sending PUSH_REQUEST to server...

2019-07-25 23:05:18 Sending PUSH_REQUEST to server...

2019-07-25 23:05:21 OPTIONS:
0 [route] [10.0.1.0] [255.255.255.0] [10.0.2.1] 
1 [dhcp-option] [DOMAIN] [mydomain.com] 
2 [dhcp-option] [DNS] [8.8.8.8] 
3 [dhcp-option] [DNS] [10.0.2.1] 
4 [ping] [20] 
5 [ping-restart] [60] 
6 [topology] [subnet] 
7 [route-gateway] [10.0.2.1] 
8 [ifconfig] [10.0.2.20] [255.255.255.0] 


2019-07-25 23:05:21 PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA1
  compress: NONE
  peer ID: -1

2019-07-25 23:05:21 EVENT: ASSIGN_IP

2019-07-25 23:05:21 NIP: preparing TUN network settings

2019-07-25 23:05:21 NIP: init TUN network settings with endpoint: 201.xxxx

2019-07-25 23:05:21 NIP: adding IPv4 address to network settings 10.0.2.20/255.255.255.0

2019-07-25 23:05:21 NIP: adding (included) IPv4 route 10.0.2.0/24

2019-07-25 23:05:21 NIP: adding match domain mydomain.com

2019-07-25 23:05:21 NIP: adding DNS 8.8.8.8

2019-07-25 23:05:21 NIP: adding DNS 10.0.2.1

2019-07-25 23:05:21 NIP: adding DNS specific routes:

2019-07-25 23:05:21 NIP: adding (included) IPv4 route 8.8.8.8/32

2019-07-25 23:05:21 NIP: adding (included) IPv4 route 10.0.2.1/32

2019-07-25 23:05:21 Connected via NetworkExtensionTUN


.
