Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
D
D
Der AlSem2016-12-19 18:58:22
openvpn
Der AlSem, 2016-12-19 18:58:22

How to get from the OpenVPN server to the network behind the Mikrotik client?

Standard link.
OpenVPN server on Ubuntu with external IP.
Mikrotik with LTE with a gray IP, there are two computers behind NAT, a database is running on one of the computers, which you need to access from the OpenVPN server (in the database is a warehouse, you need to take the quantity / cost for buyers from it for the site). If there was RealIP on the modem, there would be no question at all.
Network behind Mikrotik - 192.168.1.0
VPN network - 10.8.0.0
If you ping 10.8.0.1 (server IP via VPN) from a computer behind NAT, the ping passes.
If you ping 10.8.0.6 from the server (the IP of the OpenVPN client, by the way, where is it written? I would change it to 0.2) - the ping passes.
If you ping 192.168.1.1 (IP of the Mikrotik-gateway) from the server, the ping passes.
Here is a graphic, more clear.
d92eeb90f47147f28b7482570b51209b.JPG
It doesn’t go anywhere further, as I understand it, it rests on NAT. I tried to specify src-address !10.8.0.1 in NAT, so that it would not NAT - to no avail.
Some characteristic malfunction (mainly in the hands), where to dig?
Routes on the OpenVPN server:
[email protected]/etc/openvpn# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 185.63.188.1 0.0.0.0 UG 0 0 0 p1p1
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
185.63.188.0 0.0.0.0 255.255.254.0 U 0 0 0 p1p1
192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
Firewall on Mikrotik:
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related
3 XI ​​;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1
4 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related
5 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,relate
6 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
7 XI ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1
8 chain=input action=drop in-interface=lte1 log=no

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
H
HawK, 2016-12-20
@HawK3D

The OVPN server must have a route 192.168.1.2 with a gateway 10.8.0.6. On MikroTik, there should be no rules in the firewall that prohibit this passing traffic.

Report
D
Der AlSem, 2016-12-20
@DerAlSem

Understood.
Windows Firewall on the client machine allowed pings from Mikrotik, but not from the Server.
Disabled it, everything worked as it should.

Similar questions
A
Alexander2014-04-14 12:37:52
How to forward a port on cisco 5Reply
A
Alexander2014-04-15 19:03:52
How to setup OpenVPN client on RE75i GPRS/EDGE router? 0Reply
E
elexterem2016-06-06 20:02:16
OpenVpn Access Server+Elastix. Why can't I connect via sip? 2Reply
F
Free0wl2020-09-18 12:19:58
WireGuard - two addresses for one server. as? 0Reply
C
Cyril2016-06-27 23:42:16
DoubleVPN based on OpenVPN how? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question