Hi,
this is my first post. So please be fair if something is missing...
My situation:
OpenVPN Server in the internet.
Mikrotik Router (FW 5.x and 6.x) as OpenVPN Client.
Now I want to be able to route all the traffic from the LAN clients (192.168.88.0/24) into the tunnel.
Problem (which I've identified)
As far as I set the ether1 interface to dhcp-client with add-default-route, I get one default route (that's OK up to this point). Internet is OK, everything is fine.
Now the OpenVPN client connects, and the client also gets one default route (to the VPN server). At this point I have two default routes. I can't change or disable the first one (to the GW of the ether1 network).
If I change the network type of ether1 from dhcp-client to static and set a route to the OpenVPN server over the GW of ether1, everything is fine. The tunnel comes up, the default GW points to the VPN tunnel endpoint and all the traffic goes through the tunnel.
BUT: I do not want to set the ethernet-GW of ether1 by hand. I need this interface to be dhcp-enabled (changing networks).
One "solution" would be: writing a script in combination with netwatch. On ether1, dhcp-client with add-default-route is enabled. Every minute netwatch/the script checks if ether1 is up, reads out the default GW, adds one host route for the OpenVPN server via the GW of ether1, and changes ether1 from dhcp-enabled to static.
If ether1 goes down: change everything back. Set ether1 dhcp-enabled and wait for the connection (ether1 comes up again and the OpenVPN server is reachable).
Not very useful.
Another, but also not very practicable solution:
Adding a mangle rule, adding a connection mark and adding a static route with this connection mark. This solves it a little bit. Routing from the client LAN goes to the VPN GW through the tunnel.
BUT: I also have a transparent proxy rule for the LAN client network. This rule is now ignored; all traffic is marked with the connection mark and routed to the VPN GW. The dst-rule is ignored and no proxy is used...
Is it possible to change this behavior back to
- first change outgoing traffic (dst-port 80) to local port 808 (with a parent proxy) and
- then route all traffic (for my part using this mangle rule with connection mark) to the VPN GW?
Any other suggestions? Am I blind?
I've searched a long time with no real answers...
Thanks a lot.
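As an added example (not part of the original post, and not a configuration the poster or MikroTik supplied), here is a RouterOS v6 configuration that keeps ether1 on DHCP, avoids the second default route, and still lets the transparent proxy see port-80 traffic before it is policy-routed into the tunnel. The interface name ovpn-out1, the routing-mark name to-vpn, the proxy port 808 and the PARENT_PROXY_* placeholders are assumptions; replace them with your own values.

```routeros
# Constructed example, RouterOS v6 syntax. Assumed names: ether1 (WAN), ovpn-out1
# (OpenVPN client interface), routing mark "to-vpn". PARENT_PROXY_IP and
# PARENT_PROXY_PORT are placeholders.

# WAN keeps its DHCP-learned default route in the main table, so the OpenVPN
# server stays reachable over ether1 regardless of the network the router is in.
/ip dhcp-client add interface=ether1 add-default-route=yes disabled=no

# The OpenVPN client must not install a second default route; the tunnel is
# chosen by policy routing (routing mark) instead.
/interface ovpn-client set [find name=ovpn-out1] add-default-route=no

# Local web proxy on port 808, forwarding to a parent proxy.
/ip proxy set enabled=yes port=808 parent-proxy=PARENT_PROXY_IP parent-proxy-port=PARENT_PROXY_PORT

# Mangle rules are evaluated in order. Rule 1 accepts LAN HTTP so it stays
# unmarked and is still caught by the dst-nat redirect below. Rule 2 marks all
# other LAN traffic for the tunnel. Rule 3 marks the proxy's own upstream
# connections (router-originated, output chain) so web traffic also leaves
# through the tunnel rather than directly via ether1.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 protocol=tcp dst-port=80 action=accept comment="leave HTTP to the transparent proxy"
add chain=prerouting src-address=192.168.88.0/24 action=mark-routing new-routing-mark=to-vpn passthrough=no comment="LAN -> tunnel"
add chain=output protocol=tcp dst-port=PARENT_PROXY_PORT action=mark-routing new-routing-mark=to-vpn passthrough=no comment="proxy upstream -> tunnel"

# Transparent proxy redirect and source NAT for traffic leaving through the tunnel.
/ip firewall nat
add chain=dstnat src-address=192.168.88.0/24 protocol=tcp dst-port=80 action=redirect to-ports=808
add chain=srcnat out-interface=ovpn-out1 action=masquerade

# Only traffic carrying the mark uses this route; unmarked traffic, including
# the OpenVPN session itself, stays in the main table with the DHCP default route.
/ip route add dst-address=0.0.0.0/0 gateway=ovpn-out1 routing-mark=to-vpn
```

The ordering matters: mangle prerouting runs before dst-nat, so the accept rule must precede the mark-routing rule, otherwise HTTP is marked before the redirect can act on it. Verify with /ip route print where=routing-mark=to-vpn and with /ip firewall mangle print stats to confirm that rule 1 is counting LAN HTTP packets while rule 2 counts the rest. If the tunnel drops, marked traffic has no matching route in the to-vpn table and falls back to main, so add a blackhole route with routing-mark=to-vpn and a higher distance if LAN traffic must never leave unencrypted.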