clients in Mikrotik cannot access Debian OpenVPN Server
Posted: Thu Mar 21, 2013 2:56 pm
Hello,
I have a problem with ovpn settings or firewall settings.
The problem is that I cannot connect/traceroute/ping from the LAN network on Mikrotik_ovpn_client to Debian_ovpn_server.
/tool sniffer packet shows that packets were sent from 192.168.88.1 to 172.19.18.1,
but "tcpdump -v -n -i tun0" on the server side doesn't show any packets (except discovery packets),
and I can see them in "tcpdump -v -n -i tun0" if I ping from 172.19.18.14 -> 172.19.18.1.
I can traceroute Mikrotik_ovpn_client->Debian_ovpn_server:
[admin@MikroTik] > /tool traceroute 172.19.18.1
# ADDRESS RT1 RT2 RT3 STATUS
1 172.19.18.1 13ms 13ms 12ms
But I cannot traceroute from the LAN network on Mikrotik_ovpn_client->Debian_ovpn_server:
[admin@MikroTik] > /tool traceroute 172.19.18.1 src=192.168.88.1
# ADDRESS RT1 RT2 RT3 STATUS
1 0.0.0.0 0ms 0ms 0ms
I can ping the local ovpn IP on Mikrotik_ovpn_client:
[admin@MikroTik] > /tool traceroute 172.19.18.14 src=192.168.88.1
# ADDRESS RT1 RT2 RT3 STATUS
1 172.19.18.14 5ms 4ms 5ms
Mikrotik_Client route:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.151.0.1 2
1 ADC 10.151.0.0/22 10.151.0.115 ether1-gateway_1 0
2 ADC 172.19.18.1/32 172.19.18.14 ovpn-out1 0
3 ADC 192.168.88.0/24 192.168.88.1 bridge-local 0
Mikrotik_Client firewall:
0 chain=forward action=accept in-interface=ovpn-out1 out-interface=bridge-local
1 chain=forward action=accept in-interface=bridge-local out-interface=ovpn-out1
2 chain=input action=accept protocol=icmp in-interface=ovpn-out1
3 ;;; default configuration
chain=input action=accept protocol=icmp
4 ;;; default configuration
chain=input action=accept connection-state=established in-interface=ether1-gateway_1
5 ;;; default configuration
chain=input action=accept connection-state=related in-interface=ether1-gateway_1
6 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway_1
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway_1
Debian (OVPN server) route:
ip route show
172.19.18.2 dev tun0 proto kernel scope link src 172.19.18.1
172.18.19.0/24 dev eth0 proto kernel scope link src 172.18.19.222
172.19.18.0/24 via 172.19.18.2 dev tun0
default via 172.18.19.11 dev eth0
Debian (OVPN server) firewall:
iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i tun0 -o tun0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A fail2ban-ssh -j RETURN
SOLUTION:
1.
With no extra routes and firewall rules you can ping only inside the ovpn network: client (172.19.18.14) <-> ovpn server (172.19.18.1).
With the additional setting in ovpn.server (Debian server /etc/openvpn/Server.conf):
client-to-client
you can now ping the whole ovpn network inside.
2.
With the additional setting in ovpn.server (Debian server /etc/openvpn/Server.conf):
route 192.168.88.0/24 255.255.255.0
and the ccd setting in ovpn.server.client.ccd (Debian server /etc/openvpn/servers/Server/ccd/client):
iroute 192.168.88.0 255.255.255.0
both route and iroute are necessary. This was my main mistake: I tried one and then the other, without the first one.
And no extra firewall rules (if you drop all packets on the server firewall (MikroTik client firewall), you probably need to allow forwarding between the networks before dropping packets; I can't test it because I am doing it remotely).
Now it is possible to ping from the client network 192.168.88.0/24 -> 172.19.18.1 and vice versa.
3.
If the ovpn server is connected to another LAN (gateway 172.18.19.11), e.g. as an ovpn box with IP 172.18.19.222, you can add to the additional settings in ovpn.server (Debian server /etc/openvpn/Server.conf):
push "route 172.18.19.0/24 255.255.255.0"
Set routes on the gateway 172.18.19.11:
ip route add 172.19.18.0/24 via 172.18.19.222
ip route add 192.168.88.0/24 via 172.18.19.222
Now you can access from the ovpn_client LAN network 192.168.88.0/24 -> 172.18.19.0/24 and vice versa.
Remember to allow forwarding on the server if you are dropping packets.
Now all clients on all networks can ping one another.
Final config on ovpn_server:
/etc/openvpn/Server.conf
port 1194
proto tcp-server
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.19.18.0 255.255.255.0
crl-verify crl.pem
ifconfig-pool-persist servers/Server/logs/ipp.txt
cipher AES-256-CBC
user nobody
group nogroup
status servers/Server/logs/openvpn-status.log
log-append servers/Server/logs/openvpn.log
verb 2
mute 0
max-clients 100
management 127.0.0.1 10001
keepalive 10 120
client-config-dir /etc/openvpn/servers/Server/ccd
client-to-client
persist-key
persist-tun
ccd-exclusive
route 192.168.88.0/24 255.255.255.0 ## this will link with iroute in client config when he is up
push "route 172.18.19.0 255.255.255.0"
/etc/openvpn/servers/Server/ccd/client
ifconfig-push 172.19.18.14 172.19.18.1 ## for static client ip
iroute 192.168.88.0 255.255.255.0 ## this will add on debian server route to client's LAN
ovpn_server routes:
172.19.18.2 dev tun0 proto kernel scope link src 172.19.18.1
172.18.19.0/24 dev eth0 proto kernel scope link src 172.18.19.222
172.19.18.0/24 via 172.19.18.2 dev tun0
192.168.88.0/24 via 172.19.18.2 dev tun0
default via 172.18.19.11 dev eth0
mikrotik network on which ovpn_server is connected:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
1 ADC 172.18.19.0/24 172.18.19.11 bridge1 0
2 A S 172.19.18.0/24 172.18.19.222 1
4 A S 192.168.88.0/24 172.18.19.222 1
Some info about my system.
Mikrotik ovpn_client:
LAN addresses
192.168.88.0/24
OVPN address:
172.19.18.14
/interface ovpn-client print
0 R name="ovpn-out1" mac-address=xyz max-mtu=1500
connect-to=serverIP port=1194 mode=ip user=client
password="" profile=default-encryption certificate=cert1 auth=sha1
cipher=aes256 add-default-route=no
****
Debian ovpn_server:
LAN:
172.18.19.222/24
OVPN_LAN:
172.19.18.1/24
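As an added check for the route/iroute pairing that the post identifies as its main pitfall (example code written for this edit, not from the forum post and not part of OpenVPN), the script below parses a server config and its ccd files and reports any client LAN that is announced on only one side. The file contents, the second client named branch2 and the network 192.168.89.0/24 are constructed samples modelled on the post's final config; the parser also accepts the "network/prefix netmask" spelling the post uses in its route line.

```python
"""Cross-check OpenVPN `route` (server.conf) against `iroute` (ccd files).

Added example, not from the forum post or from OpenVPN. It assumes the
layout used in the post (server.conf plus a client-config-dir) and looks
only at the `route`/`iroute` directives. Sample configs are constructed
inline so the script runs offline.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed sample modelled on the post's final server config (not a real file).
SERVER_CONF = """\
port 1194
proto tcp-server
dev tun0
server 172.19.18.0 255.255.255.0
client-config-dir /etc/openvpn/servers/Server/ccd
client-to-client
route 192.168.88.0/24 255.255.255.0 ## matched by iroute in the ccd file
push "route 172.18.19.0 255.255.255.0"
"""

# Constructed ccd files keyed by client name; "branch2" is a hypothetical
# second client whose iroute has no matching server-side route.
CCD_FILES = {
    "client": """\
ifconfig-push 172.19.18.14 172.19.18.1
iroute 192.168.88.0 255.255.255.0
""",
    "branch2": """\
iroute 192.168.89.0 255.255.255.0
""",
}


def parse_network(target: str, mask: Optional[str]) -> ipaddress.IPv4Network:
    """Normalise 'net mask', 'net/prefix' and the post's 'net/prefix mask' form."""
    if "/" in target:
        net = ipaddress.ip_network(target, strict=False)
        if mask is not None:
            # Both a prefix and a netmask were given; refuse silent disagreement.
            by_mask = ipaddress.ip_network(f"{net.network_address}/{mask}", strict=False)
            if by_mask != net:
                raise ValueError(f"prefix and netmask disagree: {target} {mask}")
        return net
    if mask is None:
        mask = "255.255.255.255"  # OpenVPN treats a bare address as a host route
    return ipaddress.ip_network(f"{target}/{mask}", strict=False)


def parse_directive(text: str, directive: str) -> Set[ipaddress.IPv4Network]:
    """Return the networks named by `directive` lines (route or iroute) in text."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing ## comments
        parts = line.split()
        # Lines such as `push "route ..."` start with `push` and are skipped:
        # a pushed route is for the client's table, not the server's.
        if len(parts) < 2 or parts[0] != directive:
            continue
        mask = None
        if len(parts) > 2 and re.fullmatch(r"[\d.]+", parts[2]):
            mask = parts[2]
        nets.add(parse_network(parts[1], mask))
    return nets


def check_routes(server_conf: str, ccd_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Report networks present on only one side of the route/iroute pairing.

    `route` installs the kernel route towards tun0; `iroute` tells OpenVPN
    which client owns that network. Either alone leaves the LAN unreachable.
    """
    server_routes = parse_directive(server_conf, "route")
    client_iroutes: Dict[ipaddress.IPv4Network, List[str]] = {}
    for name, text in ccd_files.items():
        for net in parse_directive(text, "iroute"):
            client_iroutes.setdefault(net, []).append(name)
    missing_route = sorted(
        f"{net} (iroute in ccd/{', '.join(who)})"
        for net, who in client_iroutes.items() if net not in server_routes
    )
    missing_iroute = sorted(str(net) for net in server_routes if net not in client_iroutes)
    return {"missing_route": missing_route, "missing_iroute": missing_iroute}


if __name__ == "__main__":
    for kind, items in check_routes(SERVER_CONF, CCD_FILES).items():
        for item in items:
            print(f"{kind}: {item}")
```

On a real server, read /etc/openvpn/Server.conf and each file in the client-config-dir into the same string and dict shapes and call check_routes; an entry under missing_route is exactly the situation the post describes, where the client's LAN never gets a kernel route on the server.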