Description of what we want to do:
We have one RB3011 in our office. On that we have a lot of IPsec tunnels to our customers. We have some switches with VLANs and the VLANs are set on the RB3011. If I connect to an untagged port with the VLAN of one of our customers, everything is fine - we are in that customer's network.
But we need to connect to the customer network from everywhere - I want to connect via OpenVPN from my laptop, from anywhere, to that customer network.
I hope you understand me.
I discovered the OpenVPN server binding interface. Now I have the interface added to /bridge vlan and as a bridge port with a specific tag on bridge1 (the only bridge I have) and it works on my office network - I can reach my office printer etc. in the current VLAN. But I cannot route to the IPsec tunnel.
I don't know if it's possible with MikroTik.
It did not even come to my mind that interface binding might work for OpenVPN L2 interfaces, as not long ago, out of all PPP flavors, only L2TP supported interface binding; the rest had to make do with the address-list properties of /ppp profile. So I've just tried that, at server side:
# static binding: a named OVPN server interface tied to user "hugo"
/interface ovpn-server
add name=ovpn-hugo user=hugo
# the bound interface becomes an untagged member of VLAN 6 on the bridge
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 untagged=ether4,ovpn-hugo vlan-ids=6
/interface bridge port
add bridge=bridge interface=ovpn-hugo pvid=6
# router's own L3 presence in VLAN 6
/interface vlan
add interface=bridge name=bridge.ovpn.6 vlan-id=6
/ip address
add address=192.168.59.1/24 interface=bridge.ovpn.6 network=192.168.59.0
At client side:
# L2 (ethernet mode) OVPN client; the MAC is the client's TAP address
/interface ovpn-client
add certificate=fv1 connect-to=192.168.5.1 mac-address=FE:E4:7C:DA:FD:DB mode=ethernet name=ovpn-out1 user=hugo
/ip address
add address=192.168.59.2/24 interface=ovpn-out1 network=192.168.59.0
And it works normally. So now the question is what is missing in your case that it doesn't work with the IPsec tunnels to customers.
As you gave no details, I suppose that in each VLAN representing a remote customer, you have a distinct local subnet which is used as src-address of /ip ipsec policy items whose dst-address match the various customers' internal addresses. So if your OpenVPN client gets an IP address from the subnet which "lives" in the VLAN, the IPsec should handle it properly, so there must be something else missing.
Can you export the complete configuration of the 3011, obfuscating only passwords and other secrets, customer names, and public IP addresses? Because all the other things must match each other (policies vs. local IP addresses and address pools), so any change in the exported data may hide some relationship.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
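The mismatch the reply suspects (the OpenVPN client's address not falling inside any IPsec policy src-address) can be checked mechanically over an /export. The following is an added example, not code from either poster: it parses a small constructed export fragment (placeholder subnets, not the real config) and reports which policies would encrypt traffic from a given client IP.

```python
import ipaddress
import re

# Constructed sample of a "/export hide-sensitive" fragment, not the
# original poster's configuration; all addresses are placeholders.
SAMPLE_EXPORT = """\
/ip address
add address=192.168.59.1/24 interface=bridge.ovpn.6 network=192.168.59.0
add address=10.10.6.1/24 interface=vlan6 network=10.10.6.0
/ip ipsec policy
add dst-address=172.16.20.0/24 src-address=10.10.6.0/24 tunnel=yes action=encrypt
add dst-address=172.16.30.0/24 src-address=10.10.7.0/24 tunnel=yes action=encrypt
"""


def parse_sections(export_text):
    """Group 'add ...' lines under their '/path' section as key=value dicts.

    Assumes unquoted values (comments with spaces would need a real tokenizer).
    """
    sections = {}
    current = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return sections


def policies_covering(export_text, client_ip):
    """Return dst-addresses of IPsec policies whose src-address contains client_ip.

    An empty list means traffic from that client would leave the router in
    the clear (or be dropped), which is the symptom described in the thread.
    """
    ip = ipaddress.ip_address(client_ip)
    covered = []
    for pol in parse_sections(export_text).get("/ip ipsec policy", []):
        src = pol.get("src-address")
        if src and ip in ipaddress.ip_network(src, strict=False):
            covered.append(pol.get("dst-address"))
    return covered


if __name__ == "__main__":
    # OVPN client on the 192.168.59.0/24 binding subnet: no policy matches.
    print(policies_covering(SAMPLE_EXPORT, "192.168.59.2"))   # []
    # A host inside the VLAN subnet that the policy was written for.
    print(policies_covering(SAMPLE_EXPORT, "10.10.6.5"))      # ['172.16.20.0/24']
```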