huso1451
just joined
Topic Author
Posts: 14
Joined: Fri Sep 22, 2023 10:49 pm

OpenVPN Routing Issues

Sun Aug 04, 2024 12:16 am

Hello,

I have the following configuration in a lab environment:
# aug/03/2024 23:56:44 by RouterOS 6.48.6
# model = 951Ui-2HnD
/ip pool
add name=vpn_pool ranges=172.168.0.5-172.168.0.10
/ppp profile
add local-address=172.168.0.1 name=ovpn_profile remote-address=vpn_pool
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 enabled=yes require-client-certificate=yes
/ip address
add address=192.168.5.50/24 interface=ether2 network=192.168.5.0
add address=10.10.11.1/24 interface=ether4 network=10.10.11.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ppp secret
add name=huso password=huso profile=ovpn_profile service=ovpn
Ether2 Port: Connected to a Windows laptop with IP address 192.168.5.51 and subnet mask 255.255.255.0.
Ether4 Port: Connected to another Windows laptop with IP address 10.10.11.2 and subnet mask 255.255.255.0.
The VPN connection is successfully established on the Windows laptop connected to the Ether2 port. However, it is not possible to ping the addresses 10.10.11.1 or 10.10.11.2.

When I add the line route 10.10.11.0 255.255.255.0 to the OpenVPN client config file, the ping works.

What I want to achieve is to perform this routing configuration on the MikroTik device instead of adding routes on the client machine.

I have tried various options, including adding routes and NAT rules, but nothing seems to work.
 
huso1451
just joined
Topic Author
Posts: 14
Joined: Fri Sep 22, 2023 10:49 pm

Re: OpenVPN Routing Issues

Sun Aug 04, 2024 1:26 pm

I saw the following information in MikroTik documentation:

Since my RouterOS version is outdated, I cannot use the push route setting. However, when I perform the manual addition, I encounter the following issues:

When adding routes, the ovpn-huso interface is shown as "unreachable."
In the firewall NAT rule, ovpn-huso is shown as "not ready."


/interface ovpn-client
add name=ovpn-client1 connect-to=2.2.2.2 user=client1 password=123 disabled=no
/ip route
add dst-address=10.5.8.20 gateway=ovpn-client1
add dst-address=192.168.55.0/24 gateway=ovpn-client1
/ip firewall nat add chain=srcnat action=masquerade out-interface=ovpn-client1


MikroTik OpenVPN documentation - https://help.mikrotik.com/docs/display/ROS/OpenVPN
 
Lupowsky
just joined
Posts: 12
Joined: Fri Jul 19, 2024 9:25 am

Re: OpenVPN Routing Issues

Tue Aug 06, 2024 6:05 pm

Hello,
Can you post your config with the change that you've made? (Please export all your config.)
 
huso1451
just joined
Topic Author
Posts: 14
Joined: Fri Sep 22, 2023 10:49 pm

Re: OpenVPN Routing Issues

Wed Aug 07, 2024 12:44 pm

Hello,

I upgraded the RouterOS version to 7.15.3 for testing. I added the push route configuration as the latest modification. I couldn't solve the issue with RouterOS versions before v7; as I mentioned, there was no setting like push route in the OVPN server settings before v7, which is why I couldn't configure a similar push route setting in RouterOS v6. The most recent configuration is as follows:

[admin@RouterOS] > export
# 2024-08-04 14:48:17 by RouterOS 7.15.3
# software id = 
#
# model = RB951Ui-2HnD
# serial number = 
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vpn_pool ranges=172.168.0.5-172.168.0.10
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add local-address=172.168.0.1 name=ovpn_profile remote-address=vpn_pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256-cbc default-profile=ovpn_profile enabled=yes \
    push-routes="10.10.11.0 255.255.255.0" require-client-certificate=yes
/ip address
add address=192.168.5.50/24 interface=ether2 network=192.168.5.0
add address=10.10.11.1/24 interface=ether4 network=10.10.11.0
/ip dhcp-client
add interface=ether2 use-peer-ntp=no
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.5.1
add disabled=no dst-address=10.10.11.0/24 gateway=172.168.0.1 routing-table=main \
    suppress-hw-offload=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
add name=huso profile=ovpn_profile service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Nicosia
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=216.239.35.0
/system package update
set channel=long-term
[admin@RouterOS] > 
 
JohnTRIVOLTA
Member
Posts: 416
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: OpenVPN Routing Issues

Wed Aug 07, 2024 1:52 pm

Just use:
interface/ovpn-server/server/set redirect-gateway=def1
 
huso1451
just joined
Topic Author
Posts: 14
Joined: Fri Sep 22, 2023 10:49 pm

Re: OpenVPN Routing Issues

Wed Aug 07, 2024 3:18 pm

Hello,

I found the solution you mentioned after researching following my initial post and added an update below it. This feature you mentioned is available from RouterOS v7 onwards; unfortunately, it does not exist in v6. My question is whether there is a way to achieve this in v6. Some of my devices are older models like the RB750, so I do not want to upgrade to v7. As a temporary solution, I added a route to the OVPN client file, which worked for me. As I mentioned, I am just curious if there is an alternative solution in v6 that replaces the "set-redirect -gateway" setting.
In the meantime, thank you very much to everyone for your attention.
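
Added example, not part of the thread or of MikroTik's documentation: a longest-prefix-match model of the VPN client's routing table, showing which interface the laptop uses with no extra route, with the 10.10.11.0/24 route from the client file or push-routes, and with redirect-gateway=def1. The table entries and the host route to 172.168.0.1 are assumptions built from the addresses posted above; the RFC 1918 check on the pool range is also an addition.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

# Constructed routing table for the laptop at 192.168.5.51 once the VPN is up.
# Assumption: the tunnel shows up as a host route to the server's 172.168.0.1.
BASE = [
    ("192.168.5.0/24", "ethernet"),   # on-link LAN behind ether2
    ("0.0.0.0/0", "ethernet"),        # default route via 192.168.5.1
    ("172.168.0.1/32", "tunnel"),     # VPN peer address
]

# Routes each option adds on the client side.
SCENARIOS = {
    "none": [],
    "push-route": [("10.10.11.0/24", "tunnel")],
    # def1 overrides the default route with two /1 routes instead of replacing it
    "redirect-gateway def1": [("0.0.0.0/1", "tunnel"), ("128.0.0.0/1", "tunnel")],
}

def egress(scenario, dst):
    """Longest-prefix match: interface the client uses to reach dst."""
    ip = ipaddress.ip_address(dst)
    routes = [(ipaddress.ip_network(p), dev) for p, dev in BASE + SCENARIOS[scenario]]
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1]

def report():
    """Egress interface per scenario for the hosts named in the thread."""
    targets = ("10.10.11.2", "8.8.8.8", "192.168.5.50")
    return {s: {t: egress(s, t) for t in targets} for s in SCENARIOS}

if __name__ == "__main__":
    for scenario, result in report().items():
        print(scenario, result)
    print("172.168.0.5 in RFC 1918:", is_rfc1918("172.168.0.5"))
```

The pushed /24 is a split tunnel (only 10.10.11.0/24 goes through the VPN), while def1 sends all client traffic except on-link destinations through it. The pool 172.168.0.5-172.168.0.10 falls outside RFC 1918, whose 172.16.0.0/12 block ends at 172.31.255.255.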
 
Lupowsky
just joined
Posts: 12
Joined: Fri Jul 19, 2024 9:25 am

Re: OpenVPN Routing Issues

Wed Aug 07, 2024 5:40 pm

Can you try this change?
/ppp secret
add name=huso password=huso profile=ovpn_profile service=ovpn

/interface ovpn-client
add name=ovpn-client1 connect-to=172.168.0.1 user=huso password=huso disabled=no
/ip route
add dst-address=10.10.11.0/24 gateway=ovpn-client1
add dst-address=192.168.5.0/24 gateway=ovpn-client1
/ip firewall nat add chain=srcnat action=masquerade out-interface=ovpn-client1

P.S. I'm not an expert user, I'm kinda new, I have 7 months of experience, so treat my suggestion with the right precaution...