misucatinas

OpenVPN works but no internet

Tue Jul 05, 2022 12:34 pm

Hello,
I configured OpenVPN on the MikroTik and installed the client on Windows 10.
I am able to connect fine with the clients and access hosts on the LAN, but I am unable to reach the outside internet when connected to the VPN: I can only ping 8.8.8.8 but can't browse google/yahoo etc.
MikroTik config
# model = 951G-2HnD
# serial number = 
# Review notes (added): this is the export as posted. No passwords appear on
# /ppp secret and no ipsec-secret on the L2TP server, so it looks like a
# hide-sensitive export. The comments below only point at firewall/NAT
# interactions relevant to the "VPN connects, no internet" symptom and at a
# few hardening points; they change nothing.
/interface bridge
add admin-mac=CC:2D:E0:23:97:80 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=romania disabled=no distance=indoors frequency=auto mode=\
    ap-bridge ssid=XSDCentru_MKT wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
# ether3-5 are switch slaves of ether2-LAN (old master-port syntax), and
# ether2-LAN is a bridge port below, so all four share the bridge.
set [ find default-name=ether3 ] master-port=ether2-LAN
set [ find default-name=ether4 ] master-port=ether2-LAN
set [ find default-name=ether5 ] master-port=ether2-LAN
/ip neighbor discovery
set ether1-WAN discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# WPA1 (wpa-psk) is still offered next to WPA2; if no client needs it,
# offering wpa2-psk only removes the legacy option.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.200-192.168.1.220
# Addresses handed to VPN clients via the default-encryption profile.
add name=vpn ranges=192.168.89.2-192.168.89.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *0 dns-server=8.8.8.8
# default-encryption: VPN clients are given 192.168.1.1 as DNS server.
# In the input chain below, PPP interfaces are not members of the LAN list
# and the only accept for all-ppp covers tcp 80/8291/22, so udp/53 from a
# VPN client to 192.168.1.1 falls through to the final "drop all not coming
# from LAN" rule. That would fit the reported symptom (8.8.8.8 pings, names
# do not resolve) — TODO confirm, e.g. by temporarily logging drops or
# testing with dns-server=8.8.8.8 here.
# use-compression=yes: compression inside a VPN tunnel is discouraged
# (VORACLE-style attacks on OpenVPN compression); prefer disabling it.
set *FFFFFFFE change-tcp-mss=default dns-server=192.168.1.1 local-address=\
    192.168.89.1 remote-address=vpn use-compression=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN
add bridge=bridge comment=defconf interface=wlan1
/interface l2tp-server server
# use-ipsec=yes rather than required: as far as I recall the server then
# still accepts L2TP that is not wrapped in IPsec, and the udp/1701 accept
# below has no ipsec-policy=in,ipsec condition. If only L2TP/IPsec clients
# are expected, use-ipsec=required closes the plain-L2TP path.
set allow-fast-path=yes enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/interface ovpn-server server
# Both a client certificate and a username/password are required.
# auth=sha1 is the HMAC (legacy but still acceptable); the cipher list
# allows aes128 or aes256 in CBC mode — the posted client uses AES-256-CBC.
set auth=sha1 certificate=SERVERTEST cipher=aes128,aes256 default-profile=\
    default-encryption enabled=yes require-client-certificate=yes
/interface sstp-server server
# The SSTP server is not enabled here (only its profile is set), so the
# tcp/443 accept in the input chain currently admits traffic to a port with
# no listener, unless something not shown in this export uses 443.
set default-profile=default-encryption
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
/ip dhcp-server lease
add address=192.168.1.214 client-id=1:0:17:c8:97:5f:cf comment=KYOCERA \
    mac-address=00:17:C8:97:5F:CF server=defconf
add address=192.168.1.207 client-id=1:f0:4d:a2:fd:2c:cb comment=\
    "viorica conta" mac-address=F0:4D:A2:FD:2C:CB server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
# The router resolves for clients (allow-remote-requests=yes). Who can reach
# udp/53 is decided by the input chain: LAN-list interfaces yes, WAN and PPP
# interfaces no (see the filter notes).
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# The IKE / NAT-T / L2TP / SSTP accepts carry no in-interface restriction,
# unlike the ovpn rule; if they are meant for WAN only, in-interface-list=WAN
# makes them consistent with it.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow ovpn" dst-port=1194 \
    in-interface=ether1-WAN protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# Management (www, winbox, ssh) is reachable from VPN clients. This is the
# only rule accepting new connections from all-ppp; DNS (udp/53) from VPN
# clients is not covered and is dropped by the final input rule. If VPN
# clients should resolve via 192.168.1.1, add an accept for protocol=udp
# dst-port=53 in-interface=all-ppp, or put the PPP interfaces in the LAN list.
add action=accept chain=input dst-port=80,8291,22 in-interface=all-ppp \
    protocol=tcp src-address=192.168.89.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Final input rule: anything not arriving on a LAN-list interface is dropped.
# The LAN list contains only the bridge, so PPP (ovpn/l2tp/sstp) interfaces
# are covered by this drop.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# No forward rule restricts VPN clients: new connections from all-ppp to the
# LAN and to the WAN pass (the rule below only drops new connections arriving
# on WAN). That is the intent here, but it means every VPN user has full
# LAN access.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Rule 1 matches only LAN sources leaving via WAN (src-address=192.168.1.0/24);
# VPN clients (192.168.89.x) never match it and rely on rule 2.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN src-address=192.168.1.0/24
# Rule 2 masquerades everything from the VPN subnet with no out-interface
# condition, so VPN->LAN traffic is also rewritten to the router's LAN
# address and LAN hosts/logs cannot tell VPN users apart. Adding
# out-interface-list=WAN keeps the 192.168.89.x source visible on the LAN.
# log=yes writes a log entry per new connection — fine while debugging,
# noisy afterwards.
add action=masquerade chain=srcnat comment="masq. vpn traffic" log=yes \
    src-address=192.168.89.0/24
/ip route
# Disabled leftover route via 192.168.5.1; the WAN gateway comes from the
# DHCP client, so this looks stale.
add disabled=yes distance=1 gateway=192.168.5.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24,192.168.89.0/24
set ssh address=192.168.1.0/24,192.168.89.0/24
set api disabled=yes
# Winbox is also allowed from two public /32 addresses. The input chain has
# no accept for tcp/8291 from WAN, so those entries appear unused today
# (the "drop all not coming from LAN" rule drops such traffic first);
# harmless, but worth reviewing whether they are still needed.
set winbox address=\
    192.168.1.0/24,192.168.89.0/24,83.103.130.59/32,90.84.229.149/32
set api-ssl disabled=yes
/ppp secret
# Passwords are not shown (hide-sensitive export). "vpn" and "joco" have no
# service= restriction, so they are valid for every PPP service; "misu" is
# limited to ovpn.
add name=vpn profile=default-encryption
add name=joco profile=default-encryption
add name=misu profile=default-encryption service=ovpn
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=MikroTik-XSD
/system ntp client
set enabled=yes primary-ntp=89.36.93.8 secondary-ntp=193.22.95.9
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
Client config
client
dev tun
# TCP, matching the RouterOS ovpn-server (tcp/1194 accepted on ether1-WAN).
proto tcp
# Server address redacted by the poster.
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# CA, client certificate and key; the server sets require-client-certificate=yes.
ca ca.crt
cert client.crt
key client.key
# Requires the server certificate to carry the server key usage/EKU, so a
# leaked client certificate cannot be used to impersonate the server.
remote-cert-tls server
# One of the two ciphers the server offers (aes128,aes256). There is no
# "auth" line, so the HMAC is OpenVPN's default SHA1, matching auth=sha1
# on the server.
cipher AES-256-CBC
verb 3
# Username/password read from a plaintext file next to the config; protect
# its filesystem permissions (the client certificate is the second factor).
auth-user-pass secret.cfg
# Only the LAN subnet is routed into the tunnel. With no redirect-gateway,
# Internet-bound traffic from this client leaves via its local connection
# unless the server pushes a default route — so "no internet through the
# VPN" may be expected rather than a fault. TODO confirm what the RouterOS
# server pushes (routes/DNS) to this client.
route 192.168.1.0 255.255.255.0

What is wrong?
 
misucatinas

Re: OpenVPN works but no internet

Wed Jul 06, 2022 2:38 pm

Hi,
It works now after deleting src-address from the NAT masquerade rule.
/ip firewall nat
# Presumably the rule as it was before editing: with src-address=192.168.1.0/24
# it masquerades only LAN traffic leaving via WAN, and VPN clients
# (192.168.89.x) depend on the separate "masq. vpn traffic" rule instead.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN src-address=192.168.1.0/24
 
Sob

Re: OpenVPN works but no internet

Wed Jul 06, 2022 6:10 pm

It should work even without that: the src-address condition in the first masquerade rule won't match, but if the client has 192.168.89.x, then the second one will.
