Community discussions

MikroTik App
 
CrazyFin
just joined
Topic Author
Posts: 2
Joined: Thu Sep 09, 2021 3:29 pm

OpenVPN works (can access local LAN) but still no access to router from outside

Fri Sep 10, 2021 12:38 pm

I have 7.0.2 on Mikrotik Chateau LTE12

After many hours of reading here in the forum about OpenVPN setup on RouterOS I have been able to configure my RouterOS so that I am able to access my local servers on my local LAN from internet.

However, I am still not able to access my router from internet. I do get traffic to it but the router web page just responds with
This site can’t provide a secure connection192.168.10.1 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
When I start Winbox on my remote computer it does not see the Mikrotik router at all.
I am able to ping my router though so it does respond and hence I think I have configured something wrong with the certificates?

I have my local LAN with IP 192.168.10.xx and my OpenVPN has IP pool with addresses 192.168.11.xx.
My OpenVPN client config looks like this:
client
dev tun
proto tcp-client
remote <I have my public IP here> 1194
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
pull
verb 2
mute 3
auth-user-pass user.auth
auth-nocache
ca CA.crt
cert client.crt
key client.key
# Add routes to networks behind MikroTik
route 192.168.10.0 255.255.255.0
My RouterOS config looks like this:
# sep/10/2021 11:19:06 by RouterOS 7.0.2
# software id = PJ8R-F8ZN
#
# model = D53G-5HacD2HnD
# serial number = <cleared out>
/interface bridge
add admin-mac=2C:C8:1B:9B:35:C2 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=sweden disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=CrazyMikro-2.4 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=sweden disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=CrazyMikro-5 \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=online.telia.se name="Telia Mobile"
/interface lte
set [ find ] allow-roaming=no apn-profiles="Telia Mobile" name=lte1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
    supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=2E:C8:1B:9B:35:C8 master-interface=wlan2 name=\
    wlan3 security-profile=profile ssid=CrazyMikro-Guest
add disabled=no mac-address=2E:C8:1B:9B:35:C7 master-interface=wlan1 name=\
    wlan4 security-profile=profile ssid=CrazyMikro-Guest
/ip pool
add name=dhcp ranges=192.168.10.50-192.168.10.254
add name=ovpn ranges=192.168.11.20-192.168.11.30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=192.168.10.1 local-address=192.168.11.25 name=open_vpn \
    remote-address=ovpn use-compression=no use-encryption=required
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=open_vpn \
    enabled=yes require-client-certificate=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
/ip arp
add address=192.168.10.99 interface=bridge mac-address=68:05:CA:36:94:FF
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
    192.168.10.1 netmask=24
add address=192.168.11.0/24 comment=vpn dns-server=192.168.10.1 gateway=\
    192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment=VPN dst-port=1194 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment=Fileserver dst-port=6601 protocol=tcp \
    to-addresses=192.168.10.99 to-ports=6601
add action=masquerade chain=srcnat src-address=192.168.11.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*2
/ppp secret
add name=vpn
add name=crazyfin profile=open_vpn service=ovpn
/system clock
set time-zone-name=Europe/Stockholm
/system routerboard settings
set cpu-frequency=auto
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

EDIT:
By adding the following filter rule above the rule that drops all traffic that is not coming from LAN I was able to access my router via WinBox (still get the same cert error though via web browser access):
chain=input action=accept src-address=192.168.11.0/24 log=yes log-prefix="VPN - " 
I hope this a decently secure way of accessing my Mikrotik router from WAN side.

Who is online

Users browsing this forum: tangent, titinas and 46 guests