OT512
just joined
Topic Author
Posts: 2
Joined: Sun Sep 10, 2023 12:07 am

OpenVPN connected but no access to LAN

Sun Sep 10, 2023 12:39 am

What I want to achieve
An employee connects to the company network through OpenVPN from a remote PC, so that he/she can access company LAN resources as if they were connected locally in the office. Traffic to destinations outside of the company LAN ranges is still handled by the PC's own internet gateway, and not routed through the VPN.


Client end
Windows 10
IP: 192.168.8.3
Gateway: 192.168.8.1

Server end
MikroTik RB750GR3
VLAN1 192.168.1.1/24, DHCP 192.168.1.50-70
VLAN2 192.168.2.1/24, DHCP 192.168.2.50-70
VLAN3 192.168.3.1/24, DHCP 192.168.3.50-70

Server end VPN settings
Local address: 192.168.1.1
Remote address: 192.168.1.80
Protocol: TCP
Mode: tun

Server end firewall settings
INPUT allow TCP 1194

Symptoms
Authentication successful
Unable to ping server end LAN address
For example, ping 192.168.1.1 or 192.168.1.5 unreachable

I thought this is the most typical scenario of VPN remote access - an employee remotely connecting to the office network and accessing the LAN that he/she usually connects to in the office. However, I couldn't find a guide on the internet or the MikroTik website demonstrating how to set it up. In most guides on the internet that I read, the client is allocated an IP in a different subnet, and routed to the office LAN.

I noticed that MikroTik creates a new interface for each VPN connection, instead of adding the remote client PC to the local LAN straight away. This actually puts the PC in a separate LAN. This also makes it impossible to configure the firewall to allow traffic from the remote PC, because it's a dynamic interface which doesn't persist and cannot be referenced in firewall rules. I don't know why it's designed like this.

Could someone please let me know how to properly set up remote access VPN so that client PCs can access local LAN as if they were connected locally in the office? Thanks.
 
IlKa
newbie
Posts: 38
Joined: Sun Jan 03, 2021 11:42 pm

Re: OpenVPN connected but no access to LAN

Sun Sep 10, 2023 3:24 am

Did client install routes to this network?

On Windows, run
`C:\> route print`
Check it has routes to `192.168.1.0/24`.

> because it's a dynamic interface which doesn't persist

you can filter by IP address.

Also, since ovpn server uses PPP profiles, you can use `address-list` feature so MT will add all clients to this list.
 
OT512
just joined
Topic Author
Posts: 2
Joined: Sun Sep 10, 2023 12:07 am

Re: OpenVPN connected but no access to LAN

Sun Sep 10, 2023 11:46 pm

> Did client install routes to this network?
>
> On Windows, run
> `C:\> route print`
> Check it has routes to `192.168.1.0/24`.
>
> > because it's a dynamic interface which doesn't persist
>
> you can filter by IP address.
>
> Also, since ovpn server uses PPP profiles, you can use `address-list` feature so MT will add all clients to this list.

Thank you.

There is not a route to the server end network. Is the route supposed to be pulled from the server end to the client?

I learned from some technical articles that firewall rules based on VLAN are preferred as they are more reliable, in comparison to rules based on IP address.
Last edited by OT512 on Sun Sep 10, 2023 11:48 pm, edited 1 time in total.
 
IlKa
newbie
Posts: 38
Joined: Sun Jan 03, 2021 11:42 pm

Re: OpenVPN connected but no access to LAN

Mon Sep 11, 2023 1:08 am

Try to add a route using `route add` or `New-NetRoute`. Then manually add a firewall forwarding rule on the MT. Does it work?

If it does, then you need to persist it.

In OpenVPN, the client might have its own configuration, but the server might also push it.
https://openvpn.net/community-resources ... er-subnet/

But here is some bad news:
viewtopic.php?t=193618

It says:

> I have to edit every client config file with a new "route x.x.x.x" config line.

and it seems to be your case.

So your only option is to include it in the OpenVPN client config, AFAIK.
https://openvpn.net/community-resources ... p-routing/
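
The route check and client-config fix discussed in this thread can be scripted. The following is an added example, not part of any post above and not MikroTik or OpenVPN project code: the `route print` sample is constructed from the addresses in the first post, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample (not from the thread): IPv4 part of `route print` on the
# client PC with the tunnel up (VPN address 192.168.1.80) but no LAN routes.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.8.1      192.168.8.3     25
     192.168.1.80  255.255.255.255         On-link      192.168.1.80    281
      192.168.8.0    255.255.255.0         On-link       192.168.8.3    281
"""
OFFICE_LANS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]  # VLAN1-3


def parse_routes(text):
    """Return (network, interface_ip) pairs from the Active Routes rows."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # title, column header or separator line
        try:
            routes.append((ipaddress.ip_network(f"{cols[0]}/{cols[1]}"),
                           ipaddress.ip_address(cols[3])))
        except ValueError:
            continue  # five tokens, but not a route row
    return routes


def missing_lan_routes(routes, lans, tunnel_ip):
    """LANs whose most specific covering route does not leave via the tunnel."""
    tunnel = ipaddress.ip_address(tunnel_ip)
    missing = []
    for lan in map(ipaddress.ip_network, lans):
        covering = [r for r in routes if lan.subnet_of(r[0])]
        best = max(covering, key=lambda r: r[0].prefixlen, default=None)
        if best is None or best[1] != tunnel:
            missing.append(lan)
    return missing


def client_config_lines(lans):
    """OpenVPN client-config `route <network> <netmask>` lines for each LAN."""
    return [f"route {lan.network_address} {lan.netmask}" for lan in lans]


if __name__ == "__main__":
    gaps = missing_lan_routes(parse_routes(SAMPLE_ROUTE_PRINT),
                              OFFICE_LANS, "192.168.1.80")
    print("\n".join(client_config_lines(gaps)))
```

Only the three office subnets are sent into the tunnel, so the default route stays on the PC's own gateway as the first post requires.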