konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Routing issue on Hex with OpenVPN client set up

Sat Jun 25, 2022 1:57 am

I use Mikrotik with the WiFi AP connected as the OpenVPN client and try to route all the traffic (except the connection to Mikrotik itself) from the AP through the VPN tunnel.
(screenshot attached: Screenshot 2022-06-25 at 00.45.03.png)
Mikrotik is connected to the DSL router.

Here's the configuration I use:
/interface bridge
add admin-mac=DC:3C:6C:AA:EF:BB auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes name=OVPN-client only-one=yes use-encryption=required \
    use-mpls=no
/interface ovpn-client
add certificate=client cipher=aes128 connect-to=62.63.64.65 mac-address=\
    FE:BD:BD:EE:CD:EF name=myvpn profile=OVPN-client protocol=udp user=user
/routing table
add fib name=vpn_traffic
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=myvpn
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1
add dst-address=0.0.0.0/0 gateway=myvpn routing-table=vpn_traffic
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup-only-in-table dst-address=192.168.0.0/24 table=main
add action=lookup disabled=yes src-address=192.168.88.0/24 table=vpn_traffic
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The routing rule is disabled because right after I enable it, I lose the connection to the Mikrotik and the connection to the outer network as well.
add action=lookup disabled=no src-address=192.168.88.0/24 table=vpn_traffic
-> connection lost and I have to reset the device.

I don't understand what I did wrong. Could anyone please help?
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Routing issue on Hex with OpenVPN client set up

Sat Jun 25, 2022 8:35 am

First off, you need something like "dst-address=!192.168.88.1" in that routing rule to exclude traffic destined for the router itself.

As for the rest:

/interface ovpn-client
add certificate=client cipher=aes128 connect-to=62.63.64.65 mac-address=\
FE:BD:BD:EE:CD:EF name=myvpn profile=OVPN-client protocol=udp user=user

Why are you setting a MAC address on the connection?

Have you verified that your connection is established, e.g. by "/tool ping src-address=10.8.0.10 8.8.8.8" or "…interface=myvpn" to force the ping packets out the OpenVPN interface?

OpenVPN over UDP has been plagued with bugs and incompatibilities. Are you on the latest RouterOS? (I wouldn't have to ask if you'd left the block comment at the top of the /export output in place…)
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: Routing issue on Hex with OpenVPN client set up

Tue Jun 28, 2022 12:12 am

First off, you need something like "dst-address=!192.168.88.1" in that routing rule to exclude traffic destined for the router itself.
I'm using the latest stable RouterOS 7.3.1. And it's not allowed to create a routing rule with inversion there =(

Why are you setting a MAC address on the connection?
I didn't set the MAC address, it was set by default. And in the GUI in web admin that field is required – something, at least 00:00:00:00:00 should be entered there.

Have you verified that your connection is established, e.g. by "/tool ping src-address=10.8.0.10 8.8.8.8" or "…interface=myvpn" to force the ping packets out the OpenVPN interface?
Yes, when I run "/tool ping src-address=10.8.0.10 8.8.8.8", it successfully pings the destination server.

OpenVPN over UDP has been plagued with bugs and incompatibilities. Are you on the latest RouterOS? (I wouldn't have to ask if you'd left the block comment at the top of the /export output in place…)
Unfortunately, I couldn't manage the server settings, so, I'm using it as is.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Routing issue on Hex with OpenVPN client set up

Tue Jun 28, 2022 3:18 am

First off, you need something like "dst-address=!192.168.88.1" in that routing rule to exclude traffic destined for the router itself.
it's not allowed to create a routing rule with inversion there =(

On deeper examination, both problems are solved with:

/routing rule
add action=lookup-only-in-table dst-address=192.168.88.0/24 table=main

You had the wrong third octet in the IP address.

Now it says "if it's destined for a local address, skip the VPN; otherwise, use it."

If you really did mean 192.168.0.0, then either you need a wider mask (e.g. /16, arguably an abuse of RFC 1918) or you've got additional subnets not showing up in your posted information, so no wonder we're confused. 😉

Have you verified that your connection is established…
Yes, when I run "/tool ping src-address=10.8.0.10 8.8.8.8", it successfully pings the destination server.

Okay, then, move on to "/tool/traceroute" to ensure it takes the path you expect.

OpenVPN over UDP has been plagued with bugs and incompatibilities.
Unfortunately, I couldn't manage the server settings, so, I'm using it as is.

There are a plethora of VPN providers, and RouterOS offers several VPN technologies, including two new ones in v7. I refuse to believe you have just one option.
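An added example, not posted by anyone in the thread: the two routing rules written as a fail-closed pair, with the leak paths a reviewer would check. The interface name myvpn, the table vpn_traffic, the bridge subnet 192.168.88.0/24 and the defconf comments are taken from the posted export; the resolver address 8.8.8.8 is an assumption (the thread only pings it).

```routeros
# Added example (not from the thread). Names from the posted export; the
# 8.8.8.8 resolver is assumed.

# 1. Weak version: a plain "lookup" falls back to the main table whenever
#    vpn_traffic has no active route, so while myvpn is down every LAN host
#    silently exits through the DSL link in the clear.
# /routing rule
# add action=lookup src-address=192.168.88.0/24 table=vpn_traffic

# 2. Corrected version.
#    Rule 1: traffic for the router's own LAN subnet (management, DHCP, DNS)
#            must never be steered into the tunnel; this is the
#            192.168.0.0 -> 192.168.88.0 fix from the thread.
#    Rule 2: lookup-only-in-table drops the packet when vpn_traffic holds no
#            active route, so an interface flap cannot leak traffic to the ISP.
/routing rule
add action=lookup-only-in-table dst-address=192.168.88.0/24 table=main
add action=lookup-only-in-table src-address=192.168.88.0/24 table=vpn_traffic

# The vpn_traffic route is bound to the tunnel interface; RouterOS marks it
# inactive while myvpn is not connected, which is what makes rule 2 fail closed.
/ip route
add dst-address=0.0.0.0/0 gateway=myvpn routing-table=vpn_traffic

# 3. Belt and braces: if a routing rule is later disabled by mistake, the
#    forward chain still refuses new LAN -> WAN connections that bypass the
#    tunnel. Placed before the defconf fasttrack rule so established flows
#    cannot be offloaded around it.
/ip firewall filter
add action=drop chain=forward comment="kill switch: LAN must not exit via WAN" \
    src-address=192.168.88.0/24 out-interface-list=WAN \
    place-before=[find comment="defconf: fasttrack"]

# 4. Leak the rules above do not cover: the router's DNS forwarder
#    (allow-remote-requests=yes, DHCP hands out 192.168.88.1) sends its
#    upstream queries from the router's WAN address, which no
#    src-address=192.168.88.0/24 rule matches, so LAN name resolution still
#    leaves via the DSL link. Pin one resolver (assumed: 8.8.8.8) to the tunnel
#    in the main table and stop taking the ISP's resolvers from DHCP.
/ip dns
set servers=8.8.8.8
/ip dhcp-client
set [find interface=ether1] use-peer-dns=no
/ip route
add dst-address=8.8.8.8/32 gateway=myvpn

# Verification from the router. A LAN-sourced probe must enter the tunnel
# (first hop a 10.8.0.x address), not the DSL router 192.168.2.1, and the
# vpn_traffic route must show as active:
# /tool traceroute src-address=192.168.88.1 8.8.8.8
# /ip route print where routing-table=vpn_traffic
# /routing rule print
```

If the traceroute with src-address=192.168.88.1 times out on every hop while the tunnel shows "connected", the routing is doing its job and the fault is inside the OpenVPN session itself, which is exactly the state the original poster ends up in later in the thread.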
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: Routing issue on Hex with OpenVPN client set up

Tue Jun 28, 2022 11:52 pm

On deeper examination, both problems are solved with:
/routing rule
add action=lookup-only-in-table dst-address=192.168.88.0/24 table=main
Thanks so much! That solved the losing-access issue. I typed 192.168.0.0 instead of 192.168.88.0 and didn't notice it.

Okay, then, move on to "/tool/traceroute" to ensure it takes the path you expect.
Traceroute says that the traffic does not go through the VPN, but via the bridge interface and the DSL router:
The first address in the list is 192.168.2.1 which is the address of DSL router.

But it's when I run traceroute on Mikrotik.
If I run traceroute on my laptop, that is connected to Mikrotik over AP WiFi and has IP 192.168.88.199, then the first and the only item in the list is 192.168.88.1 – the Mikrotik bridge interface.

By the way, If I connect to the VPN server from my laptop directly, everything works fine.

There are a plethora of VPN providers, and RouterOS offers several VPN technologies, including two new ones in v7. I refuse to believe you have just one option.
It's not some random VPN provider, so I just need the access to that specific server and it offers only this type of connection. So, I have to deal with it. 🙁
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: Routing issue on Hex with OpenVPN client set up

Wed Jun 29, 2022 7:53 am

Just to clarify:
I do traceroute with the same params as ping: src-address=10.8.0.10 (the address of the ovpn-client interface). And when I set the src-address to 192.168.88.197, then traceroute responds that it gets a timeout for each request.

Does that mean that it sends requests through the VPN and just doesn't get any response, and the VPN connection doesn't work even though it shows "connected" in the interface status?

Maybe I didn't set up OpenVPN interface correctly?
Here's the part of the config without certificates and user/password:
remote 62.63.64.65 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 15 60
comp-lzo adaptive
auth-user-pass
client
auth SHA1
cipher AES-128-CBC
ns-cert-type server
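An added example, not posted by anyone in the thread: the .ovpn profile above translated directive by directive into the /interface ovpn-client parameters it corresponds to, with the two directives that have no RouterOS counterpart called out. The endpoint 62.63.64.65, certificate=client, user=user and the interface name myvpn are the values from the export; the assumption is that the server's CA certificate has been imported into /certificate alongside the client certificate.

```routeros
# Added example (not from the thread). Values from the posted export; the
# imported CA certificate is an assumption.

# .ovpn directive              RouterOS /interface ovpn-client parameter
# remote 62.63.64.65 1194   -> connect-to=62.63.64.65 port=1194
# proto udp                 -> protocol=udp        (RouterOS 7 only, as the
#                                                   thread works out)
# dev tun                   -> mode=ip             (mac-address= is only used
#                                                   by mode=ethernet, which is
#                                                   why the exported value is
#                                                   harmless here)
# cipher AES-128-CBC        -> cipher=aes128
# auth SHA1                 -> auth=sha1
# auth-user-pass            -> user=... password=...
# ns-cert-type server       -> verify-server-certificate=yes plus the CA in
#                              /certificate (closest equivalent: RouterOS checks
#                              the chain rather than the nsCertType extension)
# comp-lzo adaptive         -> no equivalent. RouterOS does not implement
#                              OpenVPN compression (the Wiki point raised in
#                              the thread), so the server must not require it
#                              for this peer; compression also reopens the
#                              VORACLE class of attacks on VPN payloads.
# float, nobind, sndbuf, rcvbuf, keepalive -> client-side socket tuning with
#                              nothing to set on the RouterOS side.

/interface ovpn-client
set [find name=myvpn] connect-to=62.63.64.65 port=1194 protocol=udp mode=ip \
    cipher=aes128 auth=sha1 certificate=client user=user \
    verify-server-certificate=yes

# Security check the posted export is missing: verify-server-certificate
# defaults to no, and the export does not set it, so the client authenticates
# itself to the server but never authenticates the server. Anyone able to
# redirect UDP/1194 could then terminate the tunnel and collect the username
# and password. Confirm the effective value with:
# /interface ovpn-client print detail where name=myvpn
```

The cipher and HMAC choices (AES-128-CBC with HMAC-SHA1) are dictated by the server the poster cannot change; they are legacy rather than broken, but note that a mismatch on either side is reported by RouterOS only in the log (/log print where topics~"ovpn"), not in the interface status, so "connected" in the UI is not proof that data is flowing.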
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: Routing issue on Hex with OpenVPN client set up

Wed Jun 29, 2022 11:47 am

Looks like the issue is in the OpenVPN connection params. According to the Wiki, RouterOS doesn't support UDP mode (but what does protocol=udp then mean?) or LZO compression (comp-lzo adaptive in the ovpn config). So, I guess, it's quite impossible to set up the OpenVPN client on Mikrotik, right?
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: Routing issue on Hex with OpenVPN client set up

Wed Jun 29, 2022 11:58 am

Okay, looks like Wiki is outdated, because I found that UDP is now supported in RouterOS 7.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Routing issue on Hex with OpenVPN client set up

Wed Jun 29, 2022 12:36 pm

Wiki is outdated

To a first approximation, the new docs are for v7, while the old wiki is for the legacy v6 line and earlier.

Because not everything has been moved over to the new docs, you're still best advised to check the wiki before declaring a feature nonexistent, but in a conflict between the two, that's the basic reason for it.

I found that UDP is now supported in RouterOS 7.

Yes, and it's buggy and incomplete, as I said in my first reply.

I'm not telling you it cannot possibly work. I'm just telling you that I'm not surprised you're running into problems with it. There may be some narrow "happy path" through the problems that will work. I cannot advise, since I avoid this tarpit entirely.
 
konclave
just joined
Topic Author
Posts: 19
Joined: Fri May 06, 2022 8:23 pm

Re: Routing issue on Hex with OpenVPN client set up

Wed Jun 29, 2022 11:32 pm

Okay, looks like it's not a routing issue but an OpenVPN – Mikrotik connection issue. Anyway, thank you so much for the help. At least I stopped losing the connection to the Mikrotik after enabling the routing rule. =)
