mrki
just joined
Topic Author
Posts: 2
Joined: Sat Oct 12, 2013 2:07 pm

Mikrotik as OpenVPN Client - Routing Problems

Tue Oct 15, 2013 7:10 pm

Hi,

this is my first post. So please be fair if something is missing...


My situation:
OpenVPN Server in the internet.

Mikrotik Router (FW 5.x and 6.x) as OpenVPN Client.

Now I want to be able to route all the traffic from the LAN clients (192.168.88.0/24) into the tunnel.

Problem (which I've identified)
As far as I set the ether1 interface to dhcp-client with add-default-route I get one default route (that's up to this point OK). Internet is OK, everything is fine.
Now the OpenVPN Client connects. And the client gets also one default route (to the VPN Server). At this point, I've two default routes. I can't change or disable the first one (to the GW of the ether1-network).

If I change the network type of ether1 from dhcp client to static, set a route to the OpenVPN Server over the GW of ether1 everything is fine. The tunnel comes up,
default-GW points to the VPN tunnel-endpoint and all the traffic goes through the tunnel.

BUT: I do not want to set the ethernet-GW of ether1 by hand. I need this interface to be dhcp-enabled (changing networks).


One "solution" should be: Writing a script in combination with netwatch. On ether1 dhcp-client with add-default-route is enabled. Every minute netwatch/ script
checks if ether1 is up, reading out the default gw, adding one host-route for the OpenVPN server to the GW of ether1, change ether1 from dhcp enabled to static.
If ether1 goes down: changing all back. Set ether1 dhcp-enabled and waiting for connection (ether1 comes up again and OpenVPN server is reachable).

Not very useful.

Another, but also not very practicable solution:
Adding a mangle rule, add a connection mark and add a static route with this connection-mark. This solves it a little bit. Routing from Client-LAN goes
to the VPN-GW through the tunnel.
BUT: I've also a transparent proxy rule for the LAN client-network. This rule is now ignored and all traffic is marked with the connection mark and routed to the VPN GW. The usage of the dst-rule is ignored and no proxy is used...

Is it possible to change this behavior now back to
- first change outgoing traffic (dst-port 80) to local port 808 (with a parent proxy) and
- then route all traffic (for my part use this mangle rule with connection-mark) to the VPN GW?



Any other suggestions? Am I blind?



I've searched a long time with no real answers......



Thanks a lot.
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: Mikrotik as OpenVPN Client - Routing Problems

Fri Oct 18, 2013 2:21 am

In 6.x dhcp-client, you can set the gateway distance/priority. Is that what you are looking for?
 
AlexS
Member Candidate
Posts: 272
Joined: Thu Oct 10, 2013 7:21 am

Re: Mikrotik as OpenVPN Client - Routing Problems

Fri Oct 18, 2013 4:14 am

You can tell the OpenVPN server to send routing instructions to the client.

So if you don't want split horizon, i.e. all traffic to go over the VPN, you can instruct the client to set up routing that way. I am not sure how that will work with RouterOS!
What it does is add in a route to get to the VPN server and to the DNS server.

Then it adds in

0.0.0.0/128 and 128.0.0.0/128 routes to take over from the dgw..

If you want split horizon, tell the OpenVPN server to tell the clients to only route the specific routes you want.

BUT your mileage might vary as I haven't done this with RouterOS... not sure what it will do to the route table!

A
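
An added example, not part of the post above or of any project's code: a small Python model of longest-prefix route selection, showing how two half-range routes take over from a DHCP-learned default route without modifying it, and why the host route to the VPN server is needed. It uses the prefixes that OpenVPN's `redirect-gateway def1` option installs (0.0.0.0/1 and 128.0.0.0/1) and models route selection only, not RouterOS behaviour. All addresses and the function names `def1_table` and `lookup` are constructed for illustration.

```python
import ipaddress

# Constructed documentation addresses (assumptions, not from the thread):
DHCP_GW = "192.0.2.1"        # gateway learned by the DHCP client on ether1
TUNNEL_GW = "10.8.0.1"       # far end of the OpenVPN tunnel
VPN_SERVER = "203.0.113.10"  # public address of the OpenVPN server


def def1_table(tunnel_up=True, host_route=True):
    """Build the route table as (network, gateway, distance) tuples."""
    # Dynamic default route from the DHCP client; it is never edited.
    entries = [("0.0.0.0/0", DHCP_GW, 1)]
    if host_route:
        # Keeps the tunnel's own encrypted packets on the physical uplink.
        entries.append((VPN_SERVER + "/32", DHCP_GW, 1))
    if tunnel_up:
        # Two /1 routes cover all of IPv4 and are more specific than /0.
        entries.append(("0.0.0.0/1", TUNNEL_GW, 1))
        entries.append(("128.0.0.0/1", TUNNEL_GW, 1))
    return [(ipaddress.ip_network(p), gw, d) for p, gw, d in entries]


def lookup(routes, dst):
    """Pick the gateway for dst: longest prefix wins, then lowest distance."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, -dist, gw)
               for net, gw, dist in routes if addr in net]
    return max(matches)[2] if matches else None


if __name__ == "__main__":
    cases = [
        ("tunnel up", def1_table(), "8.8.8.8"),
        ("tunnel up", def1_table(), "198.51.100.7"),
        ("tunnel up", def1_table(), VPN_SERVER),
        # Failure mode: without the /32 the tunnel's own packets are
        # routed into the tunnel and the session cannot stay up.
        ("no host route", def1_table(host_route=False), VPN_SERVER),
        # Failure mode: when the tunnel drops, the untouched default
        # route carries LAN traffic outside the VPN.
        ("tunnel down", def1_table(tunnel_up=False), "8.8.8.8"),
    ]
    for label, routes, dst in cases:
        print(f"{label:14} {dst:15} -> {lookup(routes, dst)}")
```

The last case is the one to plan for: if traffic must never leave outside the tunnel, the fallback to the DHCP gateway has to be blocked separately, for example with a firewall rule on the uplink interface.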
 
mrki
just joined
Topic Author
Posts: 2
Joined: Sat Oct 12, 2013 2:07 pm

Re: Mikrotik as OpenVPN Client - Routing Problems

Mon Oct 21, 2013 5:51 pm

Hi,

sorry, if it's not clear enough...


I can set default-route via the OpenVPN server, of course. This is the problem. I get the default route via the dhcp client.
About the GW the openVPN client can connect to the Server and get the second route.


As I tried it some times: If not adding the "add-default-route=yes" to the dhcp client I've no route to the OpenVPN. So the
client could not connect....

Changing an existing default GW is not possible while using dynamic route via the dhcp-client...

Thanks.

malte
