wk5h
newbie
Topic Author
Posts: 25
Joined: Mon Aug 22, 2011 10:21 pm

firewall rules for OpenVPN?

Thu Apr 07, 2016 9:28 pm

I'm having some difficulties wrapping my head around this... Here's what I have.

OpenVPN Server - Router1
public static IP - 192.168.10.1/24 - ether1

OpenVPN Client - Router2
public DHCP assigned IP - 192.168.20.1/24 - ether1


I have an OpenVPN client on Router2 that can successfully connect to Router1 through the interwebs. But, I'm having to allow traffic from Router1 back to Router2 with the rule of:

/ip firewall filter
add chain=input in-interface=ether1 src-address=192.168.10.1 protocol=tcp src-port=1194 action=accept

Without this rule on the OVPN client (router2), the ovpn connection will not connect, and in my default "drop everything else" rule at the end of my firewall list, I can see packets being dropped from 192.168.10.1 with a source port of 1194 and a destination address of 192.168.20.1(router2) and a random dst port.

Is this normal for OVPN, for the client to need connections originating from the server to be allowed back into the client router?

Obviously, I see the need for port 1194 to be opened in the firewall rules of the server, but, didn't expect it to need to be open on the client too?
 
sash7
Frequent Visitor
Posts: 68
Joined: Sun Mar 20, 2016 10:39 pm

Re: firewall rules for OpenVPN?

Thu Apr 07, 2016 9:42 pm

Post your rules in the input chain (Router2).
 
wk5h
newbie
Topic Author
Posts: 25
Joined: Mon Aug 22, 2011 10:21 pm

Re: firewall rules for OpenVPN?

Thu Apr 07, 2016 10:31 pm

/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; ALLOW --> Winbox
chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""

1 ;;; ALLOW --> OpenVPN
chain=input action=accept protocol=tcp src-address=192.168.10.1 in-interface=ether1 src-port=1194 log=no log-prefix=""

2 ;;; DROP --> Everything Else
chain=input action=drop in-interface=ether1 log=no log-prefix=""
 
sash7
Frequent Visitor
Posts: 68
Joined: Sun Mar 20, 2016 10:39 pm

Re: firewall rules for OpenVPN?

Thu Apr 07, 2016 10:41 pm

Yes, the problem is in the rules - you need a rule to accept related,established,
in first place!

chain=input action=accept connection-state=related,established

then remove
1 ;;; ALLOW --> OpenVPN
chain=input action=accept protocol=tcp src-address=192.168.10.1 in-interface=ether1 src-port=1194 log=no log-prefix=""

http://wiki.mikrotik.com/wiki/Manual:IP ... c_examples
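Added example (Python, not code from the thread or from MikroTik): a small first-match model of Router2's input chain with connection tracking, replaying the OpenVPN handshake to show why an established rule accepts the server's reply and why the src-port=1194 rule was broader than needed. The client port 49152 and the port-22 packet are constructed; the "related" state is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

# Router2's rules as posted (chain=input, in-interface=ether1 implied on all).
ORIGINAL_RULES = [
    {"protocol": "tcp", "dst-port": 8291, "action": "accept"},  # Winbox
    {"protocol": "tcp", "src-address": "192.168.10.1", "src-port": 1194,
     "action": "accept"},  # OpenVPN
    {"action": "drop"},  # everything else
]

# sash7's fix: accept established first and drop the src-port rule.
FIXED_RULES = [
    {"connection-state": "established", "action": "accept"},
    {"protocol": "tcp", "dst-port": 8291, "action": "accept"},
    {"action": "drop"},
]

def track_outbound(pkt):
    """Conntrack entry created when Router2 itself opens a connection."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

def decide(rules, pkt, tracked):
    """First matching rule wins. A packet whose reversed 4-tuple is in
    'tracked' is a reply to a connection Router2 opened: 'established'."""
    reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    fields = {"protocol": pkt.proto, "src-address": pkt.src,
              "src-port": pkt.sport, "dst-port": pkt.dport,
              "connection-state": "established" if reply_of in tracked else "new"}
    for rule in rules:
        if all(fields[k] == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "accept"  # no rule matched: RouterOS lets the packet through

# Router2's OpenVPN client dials Router1:1194 (port 49152 is constructed);
# the server's reply is exactly what the OP saw hitting the drop rule.
TRACKED = {track_outbound(Packet("192.168.20.1", 49152, "192.168.10.1", 1194))}
REPLY = Packet("192.168.10.1", 1194, "192.168.20.1", 49152)
# Constructed: a new connection from the server's port 1194 to Router2's SSH port.
UNSOLICITED = Packet("192.168.10.1", 1194, "192.168.20.1", 22)
```

With the fixed chain the reply is accepted only because Router2 opened the connection, while the same source port aimed at an untracked destination port is dropped; the posted src-port rule accepted both.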
 
wk5h
newbie
Topic Author
Posts: 25
Joined: Mon Aug 22, 2011 10:21 pm

Re: firewall rules for OpenVPN?

Fri Apr 08, 2016 12:04 am

This fixed it; seems I still have a lot more to learn about filters! Thanks!