openvpn
Der AlSem, 2016-12-19 18:58:22

How to get from the OpenVPN server to the network behind the Mikrotik client?

Standard link.
OpenVPN server on Ubuntu with external IP.
Mikrotik with LTE with a gray IP, there are two computers behind NAT, a database is running on one of the computers, which you need to access from the OpenVPN server (in the database is a warehouse, you need to take the quantity / cost for buyers from it for the site). If there was RealIP on the modem, there would be no question at all.
Network behind Mikrotik - 192.168.1.0
VPN network - 10.8.0.0
If you ping 10.8.0.1 (server IP via VPN) from a computer behind NAT, the ping passes.
If you ping 10.8.0.6 from the server (the IP of the OpenVPN client, by the way, where is it written? I would change it to 0.2) - the ping passes.
If you ping 192.168.1.1 (IP of the Mikrotik-gateway) from the server, the ping passes.
Here is a graphic, more clear.
[image]
It doesn’t go anywhere further, as I understand it, it rests on NAT. I tried to specify src-address !10.8.0.1 in NAT, so that it would not NAT - to no avail.
Some characteristic malfunction (mainly in the hands), where to dig?
Routes on the OpenVPN server:
[email protected]/etc/openvpn# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         185.63.188.1    0.0.0.0         UG    0      0        0 p1p1
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
185.63.188.0    0.0.0.0         255.255.254.0   U     0      0        0 p1p1
192.168.1.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
Firewall on Mikrotik:
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp
 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related
 3 XI ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1
 4    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection
      connection-state=established,related
 5    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,relate
 6    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid
 7 XI ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new
      connection-nat-state=!dstnat in-interface=ether1
 8    chain=input action=drop in-interface=lte1 log=no


2 answer(s)
HawK, 2016-12-20
@HawK3D

The OVPN server must have a route 192.168.1.2 with a gateway 10.8.0.6. On MikroTik, there should be no rules in the firewall that prohibit this passing traffic.

Der AlSem, 2016-12-20
@DerAlSem

Understood.
Windows Firewall on the client machine allowed pings from Mikrotik, but not from the Server.
Disabled it, everything worked as it should.
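
Added example, not part of the original thread: the client's firewall can stay enabled if it gets inbound rules scoped to the OpenVPN server's tunnel address, which is the source the Windows machine sees for routed traffic. The address 10.8.0.1 is from the question; the rule names and the database port are assumptions, and the port is a placeholder to replace with the real one.

```powershell
# Run in an elevated PowerShell session on the Windows machine behind the MikroTik.
# Added example: rule names and $DbPort are assumptions, not values from the thread.

$VpnServer = '10.8.0.1'   # OpenVPN server's tunnel IP (from the question)
$DbPort    = 3306         # PLACEHOLDER: replace with the database's actual TCP port

# Allow ICMPv4 echo requests (type 8) from the VPN server only.
# The built-in echo-request rules are typically limited to the local subnet,
# which matches the symptom: pings from the MikroTik pass, pings from 10.8.0.1 do not.
New-NetFirewallRule -DisplayName 'VPN server: ICMPv4 echo (example)' `
    -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $VpnServer -Profile Any

# Allow the database port from the VPN server only, not from the whole tunnel
# network and not from any address.
New-NetFirewallRule -DisplayName 'VPN server: database (example)' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $DbPort `
    -RemoteAddress $VpnServer -Profile Any

# Turn the firewall back on for all profiles if it was disabled while testing.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Check: each example rule should list only 10.8.0.1 as its remote address.
Get-NetFirewallRule -DisplayName 'VPN server:*' |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
```

If the MikroTik masquerades traffic leaving toward the LAN, the Windows machine sees the router's address instead of 10.8.0.1 and the scoped rules will not match; in that case exclude the tunnel traffic from NAT rather than widening the rule.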
