finally i have setted the open vpn in my hapac2 router, and i can log in from my mobile to vpn. The problem is that i cannot reach any local ip address in my lan. (nas, sprinklering system, alarm system, securty cameras, etc.)
Here is my sensitive hided export file:
Code: Select all
# aug/05/2022 14:49:59 by RouterOS 6.49.6
# software id = VL3Q-ZYA9
#
# model = RBD52G-5HacD2HnD
# serial number = D7160C8BD2C8
/interface bridge
add admin-mac=48:8F:5A:F8:CA:6A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid="Deme Router 2GHz" station-roaming=enabled \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid="Deme Router 5GHz" \
station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
add name="ovpn pool" ranges=192.168.2.2-192.168.2.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=192.168.2.1 name=openVPN remote-address="ovpn pool"
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=openVPN \
enabled=yes require-client-certificate=yes
/ip address
add address=192.168.1.50/24 comment=defconf interface=ether2 network=\
192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.201 client-id=1:50:67:f0:69:75:b4 mac-address=\
50:67:F0:69:75:B4 server=defconf
add address=192.168.1.200 client-id=1:5c:6a:80:37:f6:f2 mac-address=\
5C:6A:80:37:F6:F2 server=defconf
add address=192.168.1.170 allow-dual-stack-queue=no client-id=\
1:44:47:cc:99:c7:68 comment="IP camera behajt\F3" mac-address=\
44:47:CC:99:C7:68 server=defconf
add address=192.168.1.137 client-id=1:0:95:69:83:c9:7a comment=Riasztokozpont \
mac-address=00:95:69:83:C9:7A server=defconf
add address=192.168.1.121 client-id=1:2c:a5:9c:c6:a5:b6 comment=\
"Outdoor station" mac-address=2C:A5:9C:C6:A5:B6 server=defconf
add address=192.168.1.120 client-id=1:2c:a5:9c:b5:8a:5c comment=\
"Indoor station" mac-address=2C:A5:9C:B5:8A:5C server=defconf
add address=192.168.1.171 client-id=1:24:28:fd:81:93:99 comment=\
"IP camera udvar" mac-address=24:28:FD:81:93:99 server=defconf
add address=192.168.1.172 client-id=1:24:f:9b:98:46:ac comment=\
"Udvar h\E1tul" mac-address=24:0F:9B:98:46:AC server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.50 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.50 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="open vpn" dst-port=1194 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="Plc forward\
\n" disabled=yes dst-port=8080 in-interface=ether1 protocol=tcp \
to-addresses=192.168.1.234 to-ports=80
add action=dst-nat chain=dstnat comment="Nas forward" disabled=yes dst-port=\
9091 in-interface=ether1 protocol=tcp to-addresses=192.168.1.200 \
to-ports=9091
/ip upnp
set enabled=yes
/ppp secret
add local-address=192.168.2.1 name=admin profile=openVPN remote-address=\
192.168.1.50 service=ovpn
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name="MikroTik hAP AC2"
/system leds settings
set all-leds-off=immediate
/system ntp client
set primary-ntp=162.159.200.123
/system ntp server
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
here you can find the ovpn file for the client
Code: Select all
client
proto tcp
port 1194
remote 92.118.176.26
dev tun
nobind
persist-key
tls-client
ca ca.crt
cert client2.crt
key client2.key
ping 10
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass passwd
Dávid