tornado21
just joined
Topic Author
Posts: 2
Joined: Wed Jun 08, 2022 7:25 am

Routing settings on RouterOS 7.2.3 for OpenVPN Server at Ubuntu

Wed Jun 08, 2022 9:24 am

Hi all! I am using OpenVPN on Ubuntu 20 (runs on a Cloud VM with a public IP/FQDN) for devices that are behind a MikroTik hEX PoE router with RouterOS 7.2.3.
The router has a white IP. I've set up the VPN client connection to the OpenVPN server via UDP and can see it is successful.
Below is the server config.
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh dh.pem
crl-verify crl.pem
ca ca.crt
cert server_xcVehZegEHjE22An.crt
key server_xcVehZegEHjE22An.key
auth SHA256
cipher AES-256-CBC
ncp-ciphers AES-256-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
I used the OVPN profile parsed by MikroTik to set up the connection. Below is the profile info:
client
proto udp
explicit-exit-notify
remote FQDN 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_xcVehZegEHjE22An name
auth SHA256
auth-nocache
cipher AES-256-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns
verb 3
The client successfully connected to the server, and I can ping the server 10.8.0.1 from the client (MikroTik), and the ICMP packets generate traffic.

I can see a new address in the Address List and Routes when the VPN connection is up.

I added a Mangle rule with chain prerouting to mark routing from some IPs in the local network 192.168.1.0 with New Routing Mark "vpn".
I added a NAT rule with chain srcnat and Src. Address 192.168.1.0 with action masquerade. But traffic from the devices covered by this NAT rule is still not going through the VPN connection.

I guess that I need to add routing between the 192.168.1.0 and 10.8.0.0 networks, but I have no clue how to do it.
Can someone advise what more I need to add to the NAT to make it work?
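Below is an added RouterOS 7 configuration (example, not from the thread) that shows the pieces a routing mark needs on the hEX side: a routing table for the mark, a default route inside that table via the tunnel, and masquerade on the tunnel interface so the server sees 10.8.0.x sources. It assumes the ovpn-client interface is named ovpn-out1, the LAN is 192.168.1.0/24, hosts 192.168.1.10 and .11 are the ones that should use the tunnel, and the Ubuntu server already NATs 10.8.0.0/24 to the internet.

```routeros
# Added example for RouterOS 7 policy routing over an OpenVPN client.
# Assumptions (not from the post): interface "ovpn-out1", LAN
# 192.168.1.0/24, tunnel hosts 192.168.1.10 and 192.168.1.11.

# 1. In v7 a routing table must exist before a routing mark can use it
#    (fib = routes in this table are installed into the kernel).
/routing table add name=vpn fib

# 2. Keep the selected hosts in one address list so every rule below
#    references the same set.
/ip firewall address-list add list=vpn-clients address=192.168.1.10
/ip firewall address-list add list=vpn-clients address=192.168.1.11

# 3. Mark routing in prerouting for those hosts only. Traffic to the LAN
#    itself is excluded so local access is not pulled into the tunnel.
/ip firewall mangle add chain=prerouting src-address-list=vpn-clients \
    dst-address=!192.168.1.0/24 action=mark-routing \
    new-routing-mark=vpn passthrough=yes comment="LAN hosts -> VPN"

# 4. The mark selects table "vpn", which needs its own default route via
#    the tunnel; without it marked packets fall back to the main table.
/ip route add dst-address=0.0.0.0/0 gateway=ovpn-out1 routing-table=vpn \
    comment="default via OpenVPN for marked traffic"

# 5. Masquerade on the tunnel interface: the server only knows
#    10.8.0.0/24, so packets must leave as 10.8.0.x. Placed first so a
#    general WAN masquerade rule does not match before it.
/ip firewall nat add chain=srcnat out-interface=ovpn-out1 \
    action=masquerade place-before=0 comment="NAT to VPN"

# 6. Fasttracked packets bypass mangle, so the routing mark would never
#    be applied. If fasttrack is enabled, keep these hosts out of it in
#    both directions.
/ip firewall filter set [find action=fasttrack-connection] \
    src-address-list=!vpn-clients dst-address-list=!vpn-clients

# Verification: the route should be active and the mangle counters
# should grow while a selected host generates traffic.
/ip route print where routing-table=vpn
/ip firewall mangle print stats where comment="LAN hosts -> VPN"
```

A quick end-to-end check from a selected host is `traceroute` to a public address: the first hop should be 10.8.0.1 rather than the ISP gateway.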
