abraham
just joined
Topic Author
Posts: 5
Joined: Sat Jun 13, 2020 9:24 pm
Location: MONACO

problem Route all traffic to vpn (openvpn client) V7

Wed Nov 16, 2022 6:34 pm

Hello friends, Hello Mikrotik.

I have a problem that I haven't been able to solve for several nights.

My Mikrotik router is connected to my vpn as an openvpn client.

But I can't route all network traffic to the vpn.

I haven't been able to do it since version v7.

I hope someone can help me solve this problem, because I am really desperate and I did not find any tutorial on the internet.

Thank you :-)

Abraham
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: problem Route all traffic to vpn (openvpn client) V7

Wed Nov 16, 2022 7:49 pm

# Separate routing table that will hold the default route via the tunnel
/routing table
add disabled=no fib name=via-vpn
# Routing rules for the VPN subnet: traffic from the tunnel-side host to that
# subnet uses main, any other traffic to the VPN subnet is looked up only in via-vpn
/routing rule
add action=lookup-only-in-table disabled=no dst-address=172.20.20.0/24 src-address=172.20.20.15/24 table=main
add action=lookup-only-in-table disabled=no dst-address=172.20.20.0/24 src-address=0.0.0.0/0 table=via-vpn
# LOCO = local network that must never be sent through the tunnel,
# VPN = the LAN hosts whose traffic should go through it
/ip firewall address-list
add address=192.168.88.0/24 list=LOCO
add address=192.168.88.5-192.168.88.15 comment=VPN list=VPN
# Only fasttrack unmarked connections, so the marked (VPN) connections
# still pass through the mangle rules below
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=no-mark connection-state=established,related hw-offload=yes
# Mark connections from VPN hosts to non-local destinations, turn the
# connection mark into a routing mark, and clamp TCP MSS for the tunnel
/ip firewall mangle
add action=mark-connection chain=prerouting comment="VIA VPN Route" dst-address-list=!LOCO new-connection-mark=via-vpn passthrough=yes src-address-list=VPN
add action=mark-routing chain=prerouting connection-mark=via-vpn dst-address-list=!LOCO new-routing-mark=via-vpn passthrough=yes src-address-list=VPN
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp routing-mark=via-vpn tcp-flags=syn tcp-mss=!0-1400
# Source NAT to the tunnel address on the way out, and redirect the
# marked clients' DNS (UDP and TCP) to the resolver on the VPN side
/ip firewall nat
add action=src-nat chain=srcnat comment="VIA VPN " dst-address-type="" out-interface-list=VPN to-addresses=172.20.20.15
add action=dst-nat chain=dstnat connection-mark=via-vpn dst-address-type="" dst-port=53 protocol=udp routing-mark=via-vpn to-addresses=172.20.20.1
add action=dst-nat chain=dstnat connection-mark=via-vpn dst-address-type="" dst-port=53 protocol=tcp routing-mark=via-vpn to-addresses=172.20.20.1
# Default route inside the via-vpn table points at the OpenVPN client interface
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ovpn-out1 pref-src="" routing-table=via-vpn scope=30 suppress-hw-offload=no target-scope=10
 
abraham
just joined
Topic Author
Posts: 5
Joined: Sat Jun 13, 2020 9:24 pm
Location: MONACO

Re: problem Route all traffic to vpn (openvpn client) V7

Wed Nov 16, 2022 8:44 pm

Hi, thank you for your reply :-)

I'll test this immediately.

I'll let you know if it works.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: problem Route all traffic to vpn (openvpn client) V7

Wed Nov 16, 2022 9:10 pm

YVW, this is just an example. You could make the necessary changes to suit your VPN and your needs.
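Adapting the pattern above to abraham's setup (LAN 192.168.88.0/24 on bridge, tunnel ovpn-out1, uplink ether1) so that all LAN traffic, not just an address list, goes through the tunnel and cannot leak out ether1 when the tunnel is down. This is an added example, not configuration posted by either member; VPN_DNS_IP is a placeholder for the resolver reachable inside the VPN.

```routeros
# Added example, not from the thread. Names taken from abraham's export:
# LAN 192.168.88.0/24 on "bridge", tunnel "ovpn-out1", uplink "ether1".
# VPN_DNS_IP is a placeholder for the resolver reachable inside the VPN.

# 1. Treat the tunnel as an untrusted WAN: the defconf masquerade and the
#    "drop all from WAN not DSTNATed" rules then cover ovpn-out1 as well.
/interface list member
add interface=ovpn-out1 list=WAN

# 2. A routing table whose only default route is the tunnel.
/routing table
add disabled=no fib name=via-vpn
/ip route
add dst-address=0.0.0.0/0 gateway=ovpn-out1 routing-table=via-vpn comment="default via VPN"

# 3. Policy rules. LAN-to-LAN keeps using main; everything else sourced
#    from the LAN is looked up ONLY in via-vpn. If ovpn-out1 is down that
#    table has no active route, so the packet is discarded instead of
#    falling back to main and leaving ether1 unencrypted.
/routing rule
add action=lookup-only-in-table src-address=192.168.88.0/24 dst-address=192.168.88.0/24 table=main comment="LAN to LAN stays local"
add action=lookup-only-in-table src-address=192.168.88.0/24 table=via-vpn comment="all other LAN traffic via VPN"

# 4. Clamp TCP MSS on the way into the tunnel so encapsulation overhead
#    does not stall large transfers.
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=ovpn-out1 passthrough=yes protocol=tcp tcp-flags=syn comment="MSS clamp for VPN"

# 5. Explicit kill switch in the filter, placed at the top of forward so it
#    is evaluated before the defconf accept/fasttrack rules.
/ip firewall filter
add action=drop chain=forward in-interface=bridge out-interface=ether1 comment="LAN must not bypass the VPN" place-before=0

# 6. Hand clients the VPN-side resolver so DNS also crosses the tunnel.
#    Queries the router resolves itself are router-originated, use the
#    main table and would go out ether1.
/ip dhcp-server network
set [ find address=192.168.88.0/24 ] dns-server=VPN_DNS_IP
```

To check it, run a traceroute from a LAN client and confirm the hop after the router is on the VPN side, then disable ovpn-out1 and confirm LAN traffic stops rather than moving to ether1.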
 
abraham
just joined
Topic Author
Posts: 5
Joined: Sat Jun 13, 2020 9:24 pm
Location: MONACO

Re: problem Route all traffic to vpn (openvpn client) V7

Wed Nov 16, 2022 9:30 pm

Yes, I am modifying it, but it is not easy for me.
Here is my basic setup.

I'm really very dumb
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: problem Route all traffic to vpn (openvpn client) V7

Wed Nov 16, 2022 9:41 pm

Post config
/export file=anynameyouwish (minus router serial# and any public wanip information)
 
abraham
just joined
Topic Author
Posts: 5
Joined: Sat Jun 13, 2020 9:24 pm
Location: MONACO

Re: problem Route all traffic to vpn (openvpn client) V7

Thu Nov 17, 2022 1:54 pm

Hello,

Here is my setup

# nov/17/2022 12:52:55 by RouterOS 7.6
# software id = VVJJ-W73F
#
# model = RB952Ui-5ac2nD
# serial number = F0DB0F416C4D
/interface bridge
add admin-mac=DC:2C:6E:BE:65:E5 auto-mac=no comment=defconf name=bridge
/interface ovpn-client
add cipher=aes256 connect-to=70.35.194.72 mac-address=02:83:8A:07:91:53 name=ovpn-out1 user=openvpn
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-BE65EA wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-BE65E9 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=\
WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=Abraham-Server
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@Abraham-Server] >
 
IgorAugustynski
just joined
Posts: 1
Joined: Tue Oct 10, 2023 8:10 pm

Re: problem Route all traffic to vpn (openvpn client) V7

Tue Oct 10, 2023 8:11 pm

Were you able to resolve the issue? I'm trying to do something similar without success.
