I have two locations with Mikrotik routers, connected over OpenVPN. I would like all clients in each location to be able to contact clients in the other location. Both routers use the default firewall settings from RouterOS 6.44.

Location 1. Router 1: Mikrotik model RB941-2nD. Network 10.36.1.0/24. Address: 10.36.1.1, OpenVPN server (10.36.1.1).

Location 2. Router 2: Mikrotik model RB951G-2HnD. Network 10.84.1.0/24. Address: 10.84.1.1, OpenVPN client (10.36.1.210).

Client 1 is connected to Location 1 (LAN): 10.36.1.50
Client 2 is connected to Location 2 (LAN): 10.84.1.50

The VPN connection is established between the two routers.

From client 2 I can ping Router 1: 10.36.1.1. From router 1 I cannot ping Client 2. From client 1 I can ping Router 2: 10.84.1.1. From router 2 I cannot ping Client 1.

I would like to understand if that is a firewall (filter) or interface (bridge) configuration missing.

Thank you.

Create the certificate templates:

 /certificate
 add name=ca-template common-name=example.com days-valid=36500 key-size=2048 key-usage=crl-sign,key-cert-sign
 add name=server-template common-name=*.example.com days-valid=36500 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
 add name=client-template common-name=client.example.com days-valid=36500 key-size=2048 key-usage=tls-client

sign the certificates:

 /certificate
 sign ca-template name=ca-certificate
 sign server-template name=server-certificate ca=ca-certificate
 sign client-template name=client-certificate ca=ca-certificate

export the certificates:

 /certificate
 export-certificate ca-certificate export-passphrase=""
 export-certificate client-certificate export-passphrase=12345678

choose the pool of addresses for the VPN:

 /ip
 pool add name="vpn-pool" ranges=10.36.1.210-10.36.1.210

create a new encrypted profile

 /ppp
 profile add name="vpn-profile" use-encryption=yes local-address=10.36.1.1 dns-server=10.36.1.1 remote-address=vpn-pool
 secret add name=user profile=vpn-profile password=password

Enable the openvpn interface on the server:

 /interface ovpn-server server
 set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes

Routing:

 /ip route add comment=OpenVPN disabled=no distance=1 dst-address=10.84.1.0/24 gateway=10.36.1.210 scope=30 target-scope=10

Firewall:

 /ip firewall filter
 add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp

I expect to be able to ping client 2 from client 1.

Steve

Comment: Are you sure that you allowed new outgoing connections from the router to the network of the remote unit through the vpn interface? Try full incoming, outgoing and forward accept on the vpn interface to test the link. – dash1121 Apr 25 '19 at 06:48

1 Answer

The solution was to add a "masquerade" to the bridge.

Steve
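One way to enter the masquerade fix the answer describes, as an added example that is not the poster's own configuration: it assumes RouterOS's default LAN bridge name `bridge` on Router 2 and, as a further assumption, limits the rule to traffic arriving from the remote LAN so that local LAN-to-LAN traffic is left untouched.

```routeros
# Added example (not from the original post). Entered on Router 2 (10.84.1.1).
# Assumptions: the LAN bridge is named "bridge" (RouterOS default); the rule is
# narrowed with src-address so only packets from Location 1 are rewritten.
/ip firewall nat
# Packets from 10.36.1.0/24 that leave through the LAN bridge get Router 2's
# address as source, so Client 2 replies to Router 2 even without a return
# route for 10.36.1.0/24 on the client side.
add chain=srcnat action=masquerade out-interface=bridge \
    src-address=10.36.1.0/24 comment="OpenVPN site-to-site (masquerade)"

# Check: the rule's packet counter should rise while Client 1 pings Client 2,
# and the tracked connection should show the translated source.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"10.84.1.50"
```

Because masquerade hides the real source address, Client 2 sees every connection from Location 1 as coming from 10.84.1.1, which matters for any per-host firewall rules or logs on that side.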