 
AndyTSCS
just joined
Topic Author
Posts: 4
Joined: Wed May 01, 2019 12:57 pm

OpenVPN client masquerade as local IP

Fri Jun 06, 2025 12:19 pm

Hello

I am sure this is a simple task and I am not that experienced with RouterOS.

I have a server connected to the local VLAN that will not respond to any requests that do not originate from the same subnet.
I use an OpenVPN client to make a VPN connection back to the office for remote management of the router and other equipment connected to it.

Is there a way to masquerade the IP of the OpenVPN client to the local VLAN subnet so the server will respond?

The VPN client is in the subnet 10.8.0.x/24
 
lurker888
Member
Posts: 427
Joined: Thu Mar 02, 2023 12:33 am

Re: OpenVPN client masquerade as local IP

Fri Jun 06, 2025 1:05 pm

Hi,

First of all, the best (most correct) way to do what you want is to configure the server to accept connections from your VPN subnet. I'm going to assume that's not possible for some reason.

Second, just an idea. If you only rarely need to access the given server, Mikrotik's SSH server actually provides port forwarding, which would make your connection appear to come from the local network with the minimum amount of effort on your part. This is of course not a good long-term solution, but for some occasional admin stuff it might suffice.

Third, it's the server side of the connection that assigns IP addresses, and so adjustments must be made on the server side of things: the usual way to do this is to simply have the OpenVPN server allocate addresses from the local subnet (on MikroTik, it's even possible to use the same address pool for this). You will have to set ARP mode to proxy-arp on the local interface.

Fourth, it's actually possible to do this with masquerading, but it is also done on the server side, and is more complex and generally less desirable than the previous option. So while it's possible, I wouldn't go that way.
 
AndyTSCS
just joined
Topic Author
Posts: 4
Joined: Wed May 01, 2019 12:57 pm

Re: OpenVPN client masquerade as local IP

Fri Jun 06, 2025 1:18 pm

Hi,

Thanks for getting back to me.

I have explored the first and correct option, but it's a locked-down embedded Linux image with no command-line option. The admin interface is HTTP and there is no SSL, only an RS232 port for the console.

The vpn server has 50+ other endpoints connected each with its own local subnet, that would be a nightmare to reconfigure.

Is there a way using the firewall snat to do this?

The other option would be to throw this 1 server in the trash and buy a decent solution (that has been suggested but was not taken too well, LOL).
 
lurker888
Member
Posts: 427
Joined: Thu Mar 02, 2023 12:33 am

Re: OpenVPN client masquerade as local IP

Fri Jun 06, 2025 1:29 pm

I would repeat my suggestion to use SSH port forwarding.

OpenVPN server - at least on Mikrotik - supports configuring multiple server instances (in more recent versions), but also on older versions, it's fully supported to have different "ppp profiles" assigned to different users, so you would only have to change the configuration for the specific user that has to have access to this.

Src-nat can be used as a last resort, the basic version of the rule is some variation of:
/ip firewall nat add chain=srcnat action=masquerade src-address=your-vpn-subnet/24 dst-address=your-problematic-server-ip

This rule will only translate the address when accessing the problematic server. If you wish to use this, take care to place it appropriately early in the srcnat chain, because only a single srcnat action is executed for a given connection (whichever comes first and matches). Also, the rule translates addresses for the entire VPN subnet; if you only want it for a specific user, restrict the rule to only that source address.
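A fuller version of the rule above, as an added example config that is not from the thread: it restricts the match to one VPN client, keeps it ahead of any broad masquerade rule, and shows how to check the translation. The interface name vlan10, the server address 192.168.10.50 and the client address 10.8.0.6 are constructed placeholders.

```routeros
# Added example (not from the thread). Placeholders: vlan10 is the local VLAN
# interface, 192.168.10.50 the server that only answers its own subnet,
# 10.8.0.6 the single OpenVPN client address that needs to reach it.

# Match as narrowly as possible: one source, one destination, one outgoing
# interface. Every other host on the VLAN keeps seeing the real VPN addresses.
/ip firewall nat add chain=srcnat action=masquerade \
    src-address=10.8.0.6 dst-address=192.168.10.50 out-interface=vlan10 \
    place-before=0 comment="VPN admin -> legacy server: appear as router VLAN address"

# If the forward chain is restrictive, allow the flow there too. The filter
# runs before srcnat, so it must match the untranslated source address.
/ip firewall filter add chain=forward action=accept \
    src-address=10.8.0.6 dst-address=192.168.10.50 out-interface=vlan10 \
    place-before=0 comment="allow VPN admin to legacy server"

# Check ordering: this rule must sit above any general masquerade rule
# (e.g. chain=srcnat action=masquerade out-interface=<WAN>), because only the
# first matching srcnat action is applied to a connection.
/ip firewall nat print

# Check a live connection: reply-dst-address should be the router's own VLAN
# address, not 10.8.0.6, which confirms the translation is in effect.
/ip firewall connection print detail where dst-address~"192.168.10.50"
```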
 
AndyTSCS
just joined
Topic Author
Posts: 4
Joined: Wed May 01, 2019 12:57 pm

Re: OpenVPN client masquerade as local IP

Fri Jun 06, 2025 2:03 pm

The OpenVPN server is on an Ubuntu box, so I am not sure I want to start changing that around for a one-off pain-in-the-rear server that is so old and obsolete that the company that supplies it don't really support it!

I will try the snat route and see if it works. Luckily all the kit is currently on the bench, so if I break it it's easy to fix, but it will be installed on site in a couple of days.

Thanks for your help.