Overhead8101 (Topic Author)

No access to internal network from OpenVPN clients

Fri Mar 17, 2023 7:05 pm

Hello, my OpenVPN server is at 192.168.0.161. The OpenVPN clients cannot seem to reach any addresses on my LAN. Any advice is greatly appreciated.

Here is my config:
# mar/17/2023 12:47:13 by RouterOS 6.49.6
# software id = W0T5-PBGI
#
# model = RouterBOARD 750 r2
# serial number = 67D306B9A00A
/interface bridge
add admin-mac=6C:3B:6B:C6:43:18 auto-mac=no comment=defconf name=bridge
/interface pppoe-client

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.3.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.0.1/22 comment=defconf interface=bridge network=\
    192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease

/ip dhcp-server network
add address=192.168.0.0/22 comment=defconf dns-server=192.168.0.5,192.168.0.3 \
    gateway=192.168.0.1 netmask=22
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list

/ip firewall filter
add action=drop chain=input comment="Block IP cameras from WAN access" \
    src-address=192.168.1.121
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/22 out-interface=bridge src-address=192.168.0.0/22
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="openvpn port forward" \
    dst-address-list=WAN-IP dst-port=19847 protocol=udp to-addresses=\
    192.168.0.161 to-ports=19847
/ip route
add disabled=yes distance=1 gateway=192.168.10.1
add check-gateway=ping distance=1 dst-address=192.168.229.0/24 gateway=\
    192.168.0.161 pref-src=192.168.0.161
/system clock
set time-zone-name=America/Toronto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
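An added example, not part of the thread: a small Python checker that parses the RouterOS export above (it handles the trailing-backslash line continuation and quoted comment values) and cross-checks the three pieces that must agree for VPN clients to be routed into the LAN: the UDP dst-nat target, the gateway of the static route for the client subnet, and the bridge subnet that must contain that gateway. It assumes 192.168.229.0/24 is the OpenVPN client pool, inferred from the static route, and reads only the sections it needs from the posted config.

```python
import ipaddress
import re
import shlex

# Excerpt of the RouterOS export posted above (only the sections the checker needs).
EXPORT = """\
/ip address
add address=192.168.0.1/22 comment=defconf interface=bridge network=\\
    192.168.0.0
/ip firewall nat
add action=dst-nat chain=dstnat comment="openvpn port forward" \\
    dst-address-list=WAN-IP dst-port=19847 protocol=udp to-addresses=\\
    192.168.0.161 to-ports=19847
/ip route
add check-gateway=ping distance=1 dst-address=192.168.229.0/24 gateway=\\
    192.168.0.161 pref-src=192.168.0.161
"""

def parse_export(text):
    """Map each '/section' path to its add/set entries as key=value dicts."""
    # A trailing backslash is RouterOS line continuation: join before tokenising.
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
            continue
        tokens = shlex.split(line)  # keeps quoted values like comment="..." as one token
        current.append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return sections

def check_openvpn_path(sections, vpn_subnet="192.168.229.0/24", port="19847"):
    """Return findings; an empty list means NAT target, route gateway and bridge
    subnet agree. Defaults are the values taken from the posted config."""
    lan = [ipaddress.ip_interface(e["address"]).network
           for e in sections.get("/ip address", []) if e.get("interface") == "bridge"]
    nat = [e for e in sections.get("/ip firewall nat", [])
           if e.get("action") == "dst-nat" and e.get("dst-port") == port]
    routes = [e for e in sections.get("/ip route", []) if e.get("dst-address") == vpn_subnet]
    if not (nat and routes):
        return [f"missing dst-nat rule for udp/{port} or static route for {vpn_subnet}"]
    server = ipaddress.ip_address(nat[0]["to-addresses"])
    gateway = ipaddress.ip_address(routes[0]["gateway"])
    findings = []
    if server != gateway:
        findings.append(f"route gateway {gateway} is not the dst-nat target {server}")
    if not any(gateway in net for net in lan):
        findings.append(f"route gateway {gateway} lies outside every bridge subnet")
    return findings
```

For the posted config the checker returns no findings, which narrows the search to the firewall rules and the server side rather than the port-forward and route wiring.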
anav (Forum Guru, Nova Scotia, Canada)

Re: No access to internal network from OpenVPN clients

Fri Mar 17, 2023 11:11 pm

Yeah, use WireGuard: faster, easier, better supported by RoS.
Overhead8101 (Topic Author)

Re: No access to internal network from OpenVPN clients

Sat Mar 18, 2023 12:31 am

> Yeah, use WireGuard: faster, easier, better supported by RoS.
Thanks for your reply. Surely there must be a way to make it work. But I am a novice at RouterOS. I have never had issues with OpenWRT and EdgeOS allowing OpenVPN clients to access the internal network.
bpwl (Forum Guru)

Re: No access to internal network from OpenVPN clients

Sat Mar 18, 2023 1:52 am

OpenVPN has modes TUN (routed tunnel or L3) and TAP (bridged or L2).
In MikroTik these are called "ip mode" and "ethernet mode".

Seen here: http://ict.smkn1bawang.sch.id/2021/08/3 ... l-eng-sub/
Overhead8101 (Topic Author)

Re: No access to internal network from OpenVPN clients

Sat Mar 18, 2023 9:14 am

> OpenVPN has modes TUN (routed tunnel or L3) and TAP (bridged or L2).
> In MikroTik these are called "ip mode" and "ethernet mode".
>
> Seen here: http://ict.smkn1bawang.sch.id/2021/08/3 ... l-eng-sub/

Apologies all, I should mention that OpenVPN is on a virtual server (192.168.0.161) inside an ESXi host. I am quite sure the OpenVPN server is set up correctly, because it was working fine before moving from EdgeRouter to a MikroTik hEX lite.

Thanks for all the help from you experienced ninjas!
anav (Forum Guru, Nova Scotia, Canada)

Re: No access to internal network from OpenVPN clients

Sat Mar 18, 2023 3:18 pm

Hahaha, like I said, WireGuard is included on RoS, no need for any additional complexity... can lead a horse to water...
