just joined
Topic Author
Posts: 1
Joined: Wed Nov 06, 2019 9:10 am

OpenVPN and routing

Wed Nov 06, 2019 9:52 pm

Hi There;

I just bought my first MikroTik RB952UI-5AC2 running 6.45.7, and I almost got everything to work, but I am having a bit of trouble with an openvpn tunnel. The layout is as follows:

Mikrotik ( <- openvpn tunnel -> pfsense (

What works!
The tunnel is up, and the routers can ping each other.
Clients from the pfsense side in ( can ping the openvpn interface on the mikrotik (
On the mikrotik router, one can ping clients in, as long as it is done from the ovpn-out interface.

What does not work
Clients in can ping but not (pfsense ovpn if)
Clients from cannot ping clients in
On the mikrotik router from LAN if (, one cannot ping or

Mikrotik routing table
0 ADS 1
1 ADC ovpn-out 0
2 ADS 1
3 ADC ether1 0
4 ADC bridge 0

What am I missing here ? :)
Forum Guru
Posts: 3959
Joined: Mon Dec 04, 2017 9:19 pm

Re: OpenVPN and routing

Thu Nov 07, 2019 11:26 pm

You are missing routes at pfsense towards the Be aware that it's not enough to set them in the kernel routing table (indicating the openvpn TUN interface as a gateway), but the openvpn configuration must contain routes too - the kernel routing table sends the packets to the openvpn process, but the openvpn process must route them to the proper client (assuming that the pfsense acts as a server and Mikrotik acts as a client, I haven't found this information in your post).
Mikrotik's implementation of openvpn deals with this automatically (which is unfortunately more than compensated by its drawbacks).

I didn't get the difference between the two cases below:
What does not work
Clients in can ping but not (pfsense ovpn if)
On the mikrotik router from LAN if (, one cannot ping or
Did you mean, by the second one, that you ping from the Mikrotik itself but with interface=LAN? If so, that's no surprise :)
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
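
Added example, not part of the reply above and not taken from either poster's configuration: the two routing layers the reply describes, written as OpenVPN server directives. It assumes pfsense is the server in multi-client (server) mode and the Mikrotik is the client; every angle-bracket value is a placeholder, because the subnets and the client certificate name are not shown on this page.

```conf
# --- OpenVPN server config on the pfsense side (assumed to be the server) ---

# Layer 1: kernel routing table.
# Installs a route on the server host so that packets for the LAN behind
# the Mikrotik are handed to the tun interface, i.e. to the openvpn process.
route <MIKROTIK_LAN_NETWORK> <MIKROTIK_LAN_NETMASK>

# Directory holding one file per client, named after the common name (CN)
# of that client's certificate.
client-config-dir <CCD_DIRECTORY>

# --- File <CCD_DIRECTORY>/<MIKROTIK_CERT_COMMON_NAME> ---

# Layer 2: routing inside the openvpn process.
# Tells the server which connected client owns this subnet. Without it the
# packet reaches the openvpn process through the kernel route above and is
# dropped there, because the process has no client to forward it to.
iroute <MIKROTIK_LAN_NETWORK> <MIKROTIK_LAN_NETMASK>
```

Both entries must name the same subnet. Hosts on the pfsense LAN also need to reach that subnet through pfsense, and firewall rules on both routers must permit the traffic.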
