I have been trying to set up a virtual private network for the past day using RouterOS 5.26 on a RouterBoard as a server and differing "road warrior" clients. A client can connect and authenticate with the server, but neither side can ping the other. I suspect incorrect routing on my part and wish to ask you for advice.
Setup was done as instructed by the Mikrotik wiki. The RouterBOARD is the main router for Network A, managing the Internet connection (eth1-master-gateway), a wireless AP and the local network. All mentioned are bridged to "bridge-lan". Clients A1, A2, A3 have addresses from 192.168.1.1/24. Clients from the outside network, for example B1 or C1, should access SMB shares on 192.168.1.10 and other services from 192.168.1.0/24. If I understand VPN theory correctly, bridging/TAP is preferable in such a situation. The eth1-master-gateway has a publicly accessible IP address 164.8.107.162 and iptables accepts incoming connections on 1194, encrypted using CACert.org certificates. When the connection from an OpenVPN client B1 is established, it is assigned the IP address 192.168.2.2 (pool-specified). If Client B1 pings 192.168.2.1, it does not get a reply (timeout). The same goes for Client B1 pinging 192.168.2.1 or 192.168.1.1 or any host on Network A. Network A also cannot ping Network B.
Why does this happen and how do I resolve it? I have so far tried exchanging the certificates, switching from TAP to TUN (ip versus ethernet mode), and assigning the VPN pool from 192.168.1.50-192.168.1.100 instead of 192.168.2.1-192.168.2.254.
Thank you,
Luka
---
Client B1 Sample Connection Log
May 25 16:39:14: Checking reachability status of connection...
May 25 16:39:14: Connection is reachable. Starting connection attempt.
May 25 16:39:18: OpenVPN 2.3.2 i386-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jun 7 2013
May 25 16:39:19: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 25 16:39:19: Attempting to establish TCP connection with [AF_INET]164.8.107.162:1194 [nonblock]
May 25 16:39:20: TCP connection established with [AF_INET]164.8.107.162:1194
May 25 16:39:20: TCPv4_CLIENT link local: [undef]
May 25 16:39:20: TCPv4_CLIENT link remote: [AF_INET]164.8.107.162:1194
May 25 16:39:20: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 25 16:39:23: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1576', remote='link-mtu 1575'
May 25 16:39:23: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
May 25 16:39:23: [vpn.radiomars.si] Peer Connection Initiated with [AF_INET]164.8.107.162:1194
May 25 16:39:38: DHCP enabled on tap interface tap0
May 25 16:39:38: IPv6 enabled on tap interface tap0
May 25 16:39:36: TUN/TAP device /dev/tap0 opened
May 25 16:39:36: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 25 16:39:36: /sbin/ifconfig tap0 delete
May 25 16:39:36: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
May 25 16:39:36: /sbin/ifconfig tap0 192.168.2.254 netmask 255.255.255.0 mtu 1500 up
May 25 16:39:36: Initialization Sequence Completed
May 25 16:39:39: Disabling DHCP on interface tap0 (not required)
16:39:19 ovpn,info TCP connection established from 46.150.33.248
16:39:19 ovpn,info <ovpn-0>: dialing...
16:39:23 ovpn,info <ovpn-0>: using encoding - BF-128-CBC/SHA1
16:39:23 ovpn,info <ovpn-0>: connected
enabled: yes
port: 1194
mode: ethernet
netmask: 24
mac-address: FE:6E:17:5B:42:68
max-mtu: 1500
keepalive-timeout: disabled
default-profile: VPN
certificate: VPN
require-client-certificate: yes
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256
1 name="VPN" local-address=192.168.1.1 remote-address=vpn
bridge=bridge-local use-mpls=default use-compression=no
use-vj-compression=default use-encryption=default only-one=default
change-tcp-mss=default
1 vpn 192.168.2.2-192.168.2.254
Flags: X - disabled, R - running
0 R name="bridge-local" mtu=1500 l2mtu=1598 arp=enabled
mac-address=D4:CA:6D:F2:F6:ED protocol-mode=rstp priority=0x8000
auto-mac=no admin-mac=D4:CA:6D:F2:F6:ED max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 ether2-master-local bridge-local 0x80 10 none
1 I MARS wlan bridge-local 0x80 10 none
2 I ether1-gateway (unknown) 0x80 10 none
3 I (unknown) bridge-local 0x80 10 none
4 D <ovpn-luka> bridge-local 0x80 10 none
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; local network
192.168.1.1/24 192.168.1.0 bridge-local
1 ;;; wide area (Univerza v Mariboru)
164.8.107.162/28 164.8.107.160 ether1-gateway
2 ;;; VPN
192.168.2.1/24 192.168.2.0 bridge-local
3 D 192.168.1.1/32 192.168.2.254 <ovpn-luka>
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 164.8.107.161 1
1 ADC 164.8.107.160/28 164.8.107.162 ether1-gateway 0
2 ADC 192.168.1.0/24 192.168.1.1 bridge-local 0
3 ADC 192.168.2.0/24 192.168.2.1 bridge-local 0
4 ADC 192.168.2.254/32 192.168.1.1 bridge-local 0
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether de:14:0c:39:a3:11
inet 192.168.2.254 netmask 0xffffff00 broadcast 192.168.2.255
nd6 options=1<PERFORMNUD>
open (pid 21115)
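As an added example, not part of the original post: a small Python checker that reads the client-side OpenVPN log lines quoted above (embedded as a constructed sample) and separates "the tunnel came up" from what the WARNING lines actually report: the client is not verifying the server certificate at all, and the comp-lzo / link-mtu option mismatch between the client config and the RouterOS server (use-compression=no), which is a classic reason for a tunnel that authenticates fine but passes no traffic.

```python
import re

# Constructed sample: the relevant lines copied from the client log quoted in the post above.
SAMPLE_LOG = """\
May 25 16:39:19: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 25 16:39:23: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1576', remote='link-mtu 1575'
May 25 16:39:23: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
May 25 16:39:23: [vpn.radiomars.si] Peer Connection Initiated with [AF_INET]164.8.107.162:1194
May 25 16:39:36: Initialization Sequence Completed
"""

# OpenVPN 2.x emits these two warning shapes when the peers' option strings differ.
INCONSISTENT = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
                          r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
MISSING_REMOTE = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is present in local config "
                            r"but missing in remote config, local='(?P<local>[^']*)'")
NO_SERVER_CERT_CHECK = "No server certificate verification method has been enabled"
COMPLETED = "Initialization Sequence Completed"


def option_mismatches(log):
    """Return {option: (local_value, remote_value)}; remote is None when the remote lacks the option."""
    found = {}
    for m in INCONSISTENT.finditer(log):
        found[m.group("opt")] = (m.group("local"), m.group("remote"))
    for m in MISSING_REMOTE.finditer(log):
        found[m.group("opt")] = (m.group("local"), None)
    return found


def assess(log):
    """Classify a client log: tunnel state, server identity check, and data-channel risks."""
    mismatches = option_mismatches(log)
    findings = []
    if NO_SERVER_CERT_CHECK in log:
        # Without remote-cert-tls (or ns-cert-type) any cert signed by the CA, including
        # another client's, is accepted as the server: a MITM risk, as the warning's URL says.
        findings.append("client does not verify the server certificate (add remote-cert-tls server)")
    if "comp-lzo" in mismatches:
        # Client prepends an LZO header byte the server does not expect, so the TLS handshake
        # succeeds but every data frame is misparsed and dropped: connected, yet no pings.
        findings.append("comp-lzo enabled on client only; remove it or enable compression on both ends")
    if "link-mtu" in mismatches:
        local, remote = mismatches["link-mtu"]
        findings.append(f"link-mtu differs ({local} vs {remote}); a 1-byte gap is the comp-lzo header")
    return {"tunnel_up": COMPLETED in log,
            "server_verified": NO_SERVER_CERT_CHECK not in log,
            "mismatched_options": sorted(mismatches),
            "findings": findings}


if __name__ == "__main__":
    for line in assess(SAMPLE_LOG)["findings"]:
        print("-", line)
```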