Forwarding is set up and non-MikroTik clients can connect and route traffic through this tunnel without any additional setup.
Then I am trying to hook up my hAP ac^2 (ROS 6.45.5) via VPN (not to forward everything by default).
The OpenVPN server is configured to run in tun/tcp without compression, using SHA1/AES256-CBC without tls-auth.
IPv6 is not set up either (mostly because I can't get it to work on MT either).
I can ping the remote server using its address in the OpenVPN subnet, and when I try to ping hosts on the public network (e.g. 126.96.36.199) tcpdump on the VPS shows outgoing traffic from the MT client to 188.8.131.52 and back into the tunnel.
The packet sniffer on MT also shows both tx and rx packets, but ping shows timeouts.
Before moving forward with the configuration I must list some cloaked IP addresses:

REM.SRV.PUB.IP - public IP of the remote server where the VPN server is running
LOC.MTK.PUB.IP - public IP of the MikroTik router (currently dynamic but not NATed, though my ISP can't guarantee it)
VPN.INT.SUB.0/24 - subnet which the OpenVPN server uses
VPN.INT.SUB.1 - OpenVPN server internal address
VPN.INT.SUB.4 - MT client internal address

In the ccd file of the OpenVPN server I have this line to push a static IP to the OpenVPN client (since dynamic configuration messes up the routes on MT):

ifconfig-push VPN.INT.SUB.4 VPN.INT.SUB.1

The OVPN client is configured this way:

/ppp profile add name=<vpn_profile> use-compression=no use-encryption=yes use-ipv6=no use-mpls=no
/interface ovpn-client add certificate=<crt_file_name> cipher=aes256 connect-to=REM.SRV.PUB.IP mac-address=XX:XX:XX:XX:XX:XX name=<vpn_name> port=1194 profile=<vpn_profile> user=<cert_cn> verify-server-certificate=yes

After digging through documentation and forums I tried to mark VPN traffic using mangle rules and force a default route using this mark:

/interface list add name=VPN
/interface list member add interface=<vpn_name> list=VPN
/ip firewall address-list add address=VPN.INT.SUB.0/24 list=ovpn-addr
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=!ovpn in-interface-list=VPN new-connection-mark=ovpn passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=ovpn new-routing-mark=ovpn passthrough=yes src-address-list=ovpn-addr
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=VPN routing-mark=ovpn src-address-list=ovpn-addr
/ip route add distance=1 gateway=<vpn_name> routing-mark=ovpn
Other firewall rules are left as is (except disabling access to 127.0.0.1 for CAPsMAN).
Apparently, disabling the fasttrack rule helps, but I don't want to disable it completely.
So, do I need to bypass FT somehow?
Also, I understand how it should affect routing, but I can't figure out why it is recommended to use PBR for VPN connections on MT.
Everyone does it, but there's no viable explanation.
Thanks in advance.
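The two questions at the end of the post (bypassing fasttrack, and why policy-based routing is used for a VPN on MikroTik) are closely related, so here is one worked RouterOS 6.x configuration as an added example; it is editorial, not the poster's configuration and not from the forum thread. A connection that has been fasttracked skips the firewall mangle chains entirely, so its later packets never receive a routing mark and fall back to the main table, which is why disabling fasttrack "helps"; the fix is to keep the fasttrack rule but exclude marked connections from it. The reason for a separate routing table is that a plain default route pointing at the tunnel would also replace the route that the tunnel's own TCP session to REM.SRV.PUB.IP needs, and would pull in all LAN traffic; a default route that only lives in table "ovpn" is consulted only for packets that carry that mark, while the main table keeps the WAN default for the VPN endpoint and everything else. Assumptions not in the post: the LAN-side interface is called "bridge", the LAN hosts that should use the tunnel are 192.168.88.0/24 (the RouterOS default LAN) held in an address list "via-vpn", and <vpn_name> is the post's placeholder for the OVPN client interface.

```routeros
# Added example (editorial, not the poster's config). RouterOS 6.x syntax.
# Assumed names: LAN interface "bridge", address list "via-vpn" (192.168.88.0/24),
# OVPN client interface <vpn_name> (placeholder taken from the post).

/ip firewall address-list
add address=192.168.88.0/24 list=via-vpn comment="LAN hosts routed via the tunnel (assumed)"

/ip firewall mangle
# Mark the connection once, on its first packet, for traffic from the selected LAN hosts.
add chain=prerouting in-interface=bridge src-address-list=via-vpn \
    connection-state=new action=mark-connection new-connection-mark=ovpn passthrough=yes
# Apply the routing mark to every packet of a marked connection so the "ovpn" table is used.
add chain=prerouting connection-mark=ovpn \
    action=mark-routing new-routing-mark=ovpn passthrough=no

/ip firewall nat
# Source NAT behind the tunnel address, otherwise the VPN server has no route back to the LAN.
add chain=srcnat out-interface=<vpn_name> action=masquerade

/ip firewall filter
# Fasttrack stays enabled for everything except "ovpn" connections. A fasttracked
# connection bypasses mangle, so its packets would never get the routing mark.
# The connection-mark is already set by mangle prerouting before this rule is evaluated.
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=!ovpn
add chain=forward action=accept connection-state=established,related

/ip route
# Default route in the separate table "ovpn"; the main table keeps the WAN default,
# which is what the OVPN client's own session to REM.SRV.PUB.IP continues to use.
add dst-address=0.0.0.0/0 gateway=<vpn_name> routing-mark=ovpn distance=1
```

Place the fasttrack rule where the default one sits (before the established/related accept rule) and check with /ip firewall connection print that flows from a via-vpn host show connection-mark=ovpn and no "F" (fasttracked) flag, while other LAN flows keep being fasttracked. Traffic originated by the router itself goes through chain=output, not prerouting, so a test from the router (for example /ping) will not be marked by these rules; test from a LAN host in the via-vpn list instead.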