rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Place VPN client connection in separate VRF

Wed Nov 09, 2022 4:51 pm

Hi all!

I want to make a VPN connection from a router for management purposes.

So I want to place this VPN in a separate VRF, so that the VPN cannot be accessed from the router interfaces; the VPN is only there to connect to it remotely.

I have created the ovpn-client as usual, created a VRF table and placed the ovpn-client interface in that VRF. However, nothing happens: the tunnel is running and up, but I cannot access it remotely.

Tried marking the connections from the VPN subnet and directing it to its routing table, but I couldn't find an example for this use-case.


Thanks for anyone helping!
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Place VPN client connection in separate VRF

Wed Nov 09, 2022 6:15 pm

When your use of VRF is just a direction you took for this, and not some mandatory situation, you can achieve the same thing using a firewall forward rule.
Drop any forward traffic towards that interface. Your management traffic towards the router will only appear in input and output chains, not in forward chain.
 
rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Re: Place VPN client connection in separate VRF

Wed Nov 09, 2022 7:18 pm

Thanks for your answer! However, what if I have a similar local subnet which collides with the subnet of the VPN?
That way there will be a subnet collision in the routing table which I can't solve with simple filtering, right?

I think I might have found why it did not work. I tried SSH and winbox connections, and these need to be set to the VRF where I want to use them, but I did not have time to test it.
 
rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Re: Place VPN client connection in separate VRF

Fri Nov 11, 2022 6:52 pm

This was the problem. If I move the services to that VRF it will work.
But what if I want to access it from multiple VRFs? Also, remote syslog does not seem to work in a different VRF (can't set VRF).
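Putting the pieces of this exchange together (the tunnel in its own VRF, the management services bound to that VRF, and a LAN that reuses the VPN prefix), here is an added example; it is not configuration from the thread, from MikroTik documentation or from any of the posters. It assumes RouterOS 7.6 or later (where the ovpn client gained VRF support, as the changelog quoted further down says), an ovpn-client interface named ovpn-mgmt, a LAN bridge named bridge-lan, and that /ip service accepts a vrf option; all addresses are constructed placeholders.

```routeros
# Added example, not from this thread. Assumes RouterOS 7.6+, an ovpn-client
# named ovpn-mgmt, a LAN bridge named bridge-lan, and a vrf= option on /ip service.
# Every address below is a constructed placeholder.

# 1) A management VRF that owns only the tunnel interface. RouterOS creates a
#    routing table with the same name ("mgmt"); the tunnel's connected route
#    lands there, not in main, so a LAN that reuses 172.16.8.0/21 no longer
#    collides with the VPN pool.
/ip vrf
add name=mgmt interfaces=ovpn-mgmt

# 2) The overlapping prefix on the LAN side stays in the main table.
/ip address
add address=172.16.8.1/21 interface=bridge-lan comment="customer LAN, routing table main"

# 3) A VRF-aware service listens in exactly one VRF. Bind the two management
#    services to mgmt and disable the ones the tunnel does not need, so the
#    management surface reachable over the VPN is just SSH and Winbox.
/ip service
set ssh vrf=mgmt
set winbox vrf=mgmt
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes

# 4) The tunnel is management-only: accept just the two management ports from
#    the VPN pool on input, and refuse transit in either direction. These rules
#    belong above the final "drop all else" rule of each chain.
/ip firewall filter
add chain=input in-interface=ovpn-mgmt src-address=172.16.8.0/21 protocol=tcp dst-port=22,8291 action=accept comment="management over the VPN only"
add chain=input in-interface=ovpn-mgmt action=drop comment="nothing else from the tunnel"
add chain=forward in-interface=ovpn-mgmt action=drop comment="no transit from the tunnel into customer LANs"
add chain=forward out-interface=ovpn-mgmt action=drop comment="no transit from customer LANs into the tunnel"

# 5) Check: the tunnel route must show up in table mgmt, the LAN route in main.
/ip route print where routing-table=mgmt
/ip route print where routing-table=main dst-address=172.16.8.0/21
```

Once ssh and winbox are bound to mgmt they stop answering on bridge-lan, because a service lives in one VRF only; that is the single-VRF limitation the rest of the thread runs into, and the reason for the later advice to keep management in main and push only customer traffic into other VRFs.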
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Place VPN client connection in separate VRF

Fri Nov 11, 2022 11:49 pm

Yes, VRF seems like a clean solution but often it is just a little bit too limited... and the configuration is incoherent.
You always need to check the manual because in some places you specify VRF separately, in other places you can use address@vrf notation.
Still, all services operate in a single VRF even when that is counter-intuitive. E.g. for NTP client you can set only a single VRF and then an IP per server, but you would want @vrf independently for each server (so the router can sync to servers in different VRFs).
 
rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Re: Place VPN client connection in separate VRF

Sat Nov 12, 2022 7:07 pm

Yes, after using it for some days, I can see the problems with it in ROS...

Right now what I have in mind is that I should create a separate bridge, place it in a different VRF, add some physical ports to it (so that I can manage it locally) and place the VPN there.
Then set the needed services to this VRF, so it can be accessed through that bridge.

I just don't know what I should do with services which do not seem to support VRF. Syslog is one of them: you can't define a VRF and it does not accept the @vrf notation either...
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Place VPN client connection in separate VRF

Sat Nov 12, 2022 7:32 pm

I would advise to put all management functions like config, logging, timesync etc in VRF main, and use other VRFs only for the client data traffic.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Place VPN client connection in separate VRF

Sat Nov 12, 2022 8:04 pm

The requirement is clear, something like winbox in remotely via the iPhone over WireGuard, where the incoming admin can connect to the router.
What makes you think this has anything to do with VRF???

A normal WireGuard connection and knowledge of firewall rules will meet the requirements!
To spell it out for you in simple terms:

/interface wireguard
add listen-port=15115 mtu=1420 name=WG-HOME
/ip firewall filter
# winboxport and local_Admin_IP are placeholders: substitute the Winbox TCP port and the local admin host address
# Input chain
# default rules
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# admin rules
add action=accept chain=input dst-port=15115 protocol=udp comment="allow remote encrypted connection"
add action=accept chain=input dst-port=winboxport protocol=tcp in-interface=WG-HOME comment="allow remote admin to config router"
add action=accept chain=input dst-port=winboxport protocol=tcp in-interface-list=LAN src-address=local_Admin_IP comment="allow local admin to config router"
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN comment="LAN DNS"
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN comment="LAN DNS"
add action=drop chain=input comment="drop all else"
# Forward chain
# default rules
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# admin rules
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward in-interface=WG-HOME out-interface-list=LAN comment="allow remote admin to all subnets"
add action=drop chain=forward comment="drop all else"

As should be understood from the above, the incoming remote WireGuard connection will have access to the router/winbox.
Normally a local admin does this too, hence the second rule.
The rest of the LAN still needs access to the router, normally for DNS services (and sometimes NTP etc.).
On the forward chain side, we give the remote admin coming in access to any of the LAN subnets.

With the drop rules at the end of both chains no other traffic is permitted. Thus no one else can access the router for config purposes, and there are no rules permitting access from any LAN user to the WG interface.
 
rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Re: Place VPN client connection in separate VRF

Sat Nov 12, 2022 8:16 pm

Thanks for your detailed answer, I will look into it, but I think you have missed some key points about my config.
  • I'm using OpenVPN, not WireGuard (but this does not change much)
  • I'm connecting the router I want to config to a VPN server! So the router is not a VPN server.
  • The problem comes from the fact that I get an IP address from the VPN server from the 172.16.8.0/21 subnet
  • If I don't move the VPN connection to a different VRF and only use the firewall to block anyone accessing the VPN subnet (172.16.8.0/21), and there is another local network with the same network and subnet mask, it won't work (the router will drop everything, because it thinks it is VPN traffic).
Am I missing something basic, or how could it be done so that only specific local devices (i.e. a bridge) can access the VPN, you can access the router remotely through its VPN IP, and no one else can access it?

Thanks!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Place VPN client connection in separate VRF

Sat Nov 12, 2022 8:33 pm

You are correct, I have no clue how your network is cobbled together or why.
Seems pretty simple to me, use the VPN capability in MT and drop this ovpnserver.
Done!
 
rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Re: Place VPN client connection in separate VRF

Sat Nov 12, 2022 8:43 pm

I can change to any kind of VPN, but it has to be a client on the MikroTik side, because these routers are usually behind CGNAT or do not have a public IP address. Also, I'm managing 50-100 devices/networks, so it is easier to connect to one VPN and access the routers there.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Place VPN client connection in separate VRF

Sun Nov 13, 2022 8:34 pm

Once again, what you state is more confusing than helpful.
What do you mean MikroTik has to be the client side? The client side to what......

A. Do you mean the MT router WireGuard has a publicly accessible WAN IP and thus can be used as a server?
B. Do you mean that the MT router is a client and does not have a publicly accessible WAN IP and thus connects to WHAT????

If you are connecting to other routers and not Linux/Android/Windows/iOS devices, and the other routers are not WireGuard capable, yeah, SOL, stuck with crappy other choices.
 
rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Re: Place VPN client connection in separate VRF

Mon Nov 14, 2022 1:23 pm

I never talked about WireGuard.
I have a VPS (Virtual Private Server) which has a PUBLIC IP, and I want to connect MikroTik routers (clients) to that server, because the MikroTik routers (clients) do not have any publicly accessible IP address.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Place VPN client connection in separate VRF

Mon Nov 14, 2022 1:34 pm

Ahh and when you say VPS, is it a specific type of server? What can be hosted on it?
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: Place VPN client connection in separate VRF

Wed Dec 28, 2022 3:23 pm

Do not overcomplicate the setup.

I guess the setup is something like this:
[attachment: 28-12-2022_MTforum_ovpnclientInVrf.png]
AFAIU the OP just wants to have the remote mgmt tunnel in its own "mgmt vrf" on the router.

EDIT: rOS 7.6 (stable) has added that -> https://mikrotik.com/download/changelogs
*) ovpn - added VRF support for client;
 
rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Re: Place VPN client connection in separate VRF

Thu Jan 05, 2023 3:35 pm

Yes, exactly what I would like to achieve! Thanks for your diagram. However, I did not find any working solution for this.
I'm open to other options as well, but the "client" networks behind these routers usually include several subnets, sometimes even overlapping with my VPN subnet. That's why it would be ultimate if I could use a different VRF.

Yes, VRF support is there for ovpn; I can place the ovpn connection in its own VRF and it will work. However, some services in MikroTik do not support VRF, so I can't move management to a different VRF because some of them (for example syslog) can only use the main routing table. Also, I don't know if you can make some services available in multiple VRFs. For example, Winbox should be available locally as well. How is this done usually? Placing a port in the management VRF?
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: Place VPN client connection in separate VRF

Thu Jan 05, 2023 5:48 pm

Services which are VRF-aware can only work in ONE VRF. There is no multi-VRF-service feature in rOS (yet ;) ?)
So winbox is either in MAIN or in "VRF-xy".

Yep, forwarding to syslog is not VRF-ready in rOS, but as a temporary workaround you could do a route leak to the main table, or a lookup for your target in the VRF, and test it.
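The two workarounds named in this reply (a route leak into main, or a routing-rule lookup in the VRF) spelled out for the syslog case, as an added example that is not configuration from the thread, from MikroTik documentation or from the poster. It assumes RouterOS 7 route leaking with the gateway@vrf notation and routing rules, an ovpn-client ovpn-mgmt in VRF mgmt whose tunnel peer is 172.16.8.1, a syslog collector at 172.16.9.10 on the far side of the VPN, and a static tunnel address 172.16.8.25 on the router; all addresses are constructed placeholders.

```routeros
# Added example, not from this thread. Lets a service that always sends from
# routing table main (remote logging) reach a host reachable only through the
# tunnel in VRF mgmt. Assumes RouterOS 7 gateway@vrf route leaking and routing
# rules; every address is a constructed placeholder.

# Option A: route leak. A host route in table main whose next hop is resolved
# inside VRF mgmt. Only the single collector address is leaked; no other
# destination crosses between the customer side (main) and the tunnel.
/ip route
add dst-address=172.16.9.10/32 gateway=172.16.8.1@mgmt routing-table=main comment="leak: syslog collector via mgmt VRF"

# Option B (instead of A, not in addition): a routing rule that makes
# main-originated traffic for that one destination use the mgmt table lookup.
# /routing rule
# add dst-address=172.16.9.10/32 action=lookup-only-in-table table=mgmt comment="syslog lookup in mgmt"

# Remote logging is not VRF-aware, so it is configured as usual; the leaked
# route (or the rule) carries the datagrams out of the tunnel. Pinning
# src-address to the tunnel address keeps the collector's source field stable;
# omit it if the VPN server assigns the address dynamically.
/system logging action
add name=syslog-vps target=remote remote=172.16.9.10 remote-port=514 src-address=172.16.8.25
/system logging
add action=syslog-vps topics=system,error,warning,info,!debug

# Check: the leaked route must resolve onto the tunnel, and the logging rule
# must be active.
/ip route print detail where dst-address=172.16.9.10/32
/system logging print where action=syslog-vps
```

Syslog over UDP is one-way, so no reverse route is needed. For a TCP service that has to reach a host through the tunnel, the replies also have to find their way back from mgmt to main, which means a second leak in the opposite direction (a host route for the router's main-side address in routing-table=mgmt with a gateway@main next hop). Keep leaks to /32 host routes: leaking the whole VPN prefix into main would recreate exactly the overlap the VRF was introduced to avoid.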
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Place VPN client connection in separate VRF

Thu Jan 05, 2023 11:56 pm

Same answer: put CHR on that VPS and run WireGuard through the CHR on the VPS... get rid of OpenVPN.
No VRF required...
 
rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Re: Place VPN client connection in separate VRF

Fri Jan 06, 2023 8:09 am

Thanks for your help! I will try these methods
 
rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Re: Place VPN client connection in separate VRF

Fri Jan 06, 2023 8:12 am

I still can't understand your answers. This is a working system, not a hobby project where I can change anything I want.
And also I still can't understand how this would benefit my case. Also, why would I use CHR? I could run a WireGuard server on a Linux server as well.
Even if I change it to WireGuard, these questions will stand: how can I ensure that some services are available through the VPN and locally as well, how can I separate the VPN tunnel from the other networks, etc...
 
gavino
just joined
Posts: 3
Joined: Mon Sep 26, 2022 7:15 pm

Re: Place VPN client connection in separate VRF

Mon Apr 17, 2023 3:45 pm

Everything you've (rkrisi) asked has been completely clear. It may be because I have spent a lot of time working with management VRFs in the past, and understand their role in segregating overlapping private IP address space (customer IP vs management IP). My familiarity comes from working on such boxes as Cisco ASR and their VRF "Mgmt-intf" which is handy for separating out management functions.... https://www.cisco.com/c/en/us/td/docs/r ... r-asr.html

I am working on a similar thing to you right now and am interested in how you got on.
 
rkrisi
Member Candidate, Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

Re: Place VPN client connection in separate VRF

Wed Apr 19, 2023 12:34 am

I put this in my backlog. The best you can try is to create a separate VRF for client traffic and use the main VRF for management, mainly because there are some services which do not support VRFs and will use the main one. However, in this case, if you want to add some service to the client VRF (or any other non-main VRF) you will have to do some magic, or it might not be possible at all.
Also, for example, winbox can only work in one VRF. I wanted to create more VRFs with winbox access, but it seems you can't do this.

So overall, I think my original question is still valid and you can't really replace this with anything else (what if I have two identical networks, i.e. 192.168.88.0/24, and I want to route them with different routing?), and it is not because someone knows Cisco more than MikroTik (including myself).
This is what I was able to conclude.
