openvpn
Fenghuang, 2018-10-07 13:17:35

The OpenVPN server cannot reach devices behind the client. What could be the problem?

Hello!
Essence of the question: there is a VDS running Windows Server 2016 with an OpenVPN server on it, a Mikrotik client, and the subnet 192.168.1.0 behind the client.
Mikrotik connects to the server, can ping both the server address in the VPN subnet (10.8.0.1) and the subnet behind the server. After creating this:

chain=srcnat action=masquerade out-interface=ovpn-out1 log=no log-prefix=""

devices behind Mikrotik can ping the server address in the VPN subnet (10.8.0.1) and the subnet behind the server.
The server can ping the client's address 10.8.0.2, but cannot ping the subnet behind the client. Please help me figure out what's wrong.
Server config:
proto tcp
dev tun
ca "C:\\Program Files\\OpenVPN\\serverKey\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\serverKey\\server.crt"
key "C:\\Program Files\\OpenVPN\\serverKey\\server.key"
dh "C:\\Program Files\\OpenVPN\\serverKey\\dh2048.pem"
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir "C:\\Program Files\\OpenVPN\\config\\ccd"
route 192.168.1.0 255.255.255.0
client-to-client
keepalive 10 120
tun-mtu 1500
mssfix 1450
cipher AES-256-CBC
auth sha1
persist-key
persist-tun
status openvpn-status.log
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
log-append "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 3
mute 10

client config in ccd directory:
iroute 192.168.1.0 255.255.255.0
ifconfig-push 10.8.0.2 10.8.0.1

server route print:
===========================================================================
Interface List
8...00 15 5d 08 50 37 ......Microsoft Hyper-V Network Adapter #8
3...00 ff 07 42 c7 8a ......TAP-Windows Adapter V9
1...........................Software Loopback Interface 1
2...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
10...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
4...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 185.231.58.1 185.231.58.135 281
10.8.0.0 255.255.255.0 On-link 10.8.0.1 291
10.8.0.1 255.255.255.255 On-link 10.8.0.1 291
10.8.0.255 255.255.255.255 On-link 10.8.0.1 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
185.231.58.0 255.255.255.0 On-link 185.231.58.135 281
185.231.58.135 255.255.255.255 On-link 185.231.58.135 281
185.231.58.255 255.255.255.255 On-link 185.231.58.135 281
192.168.1.0 255.255.255.0 10.8.0.2 10.8.0.1 35
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.8.0.1 291
224.0.0.0 240.0.0.0 On-link 185.231.58.135 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.8.0.1 291
255.255.255.255 255.255.255.255 On-link 185.231.58.135 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 193.124.0.1 Default
0.0.0.0 0.0.0.0 194.58.69.1 Default
0.0.0.0 0.0.0.0 195.133.144.1 Default
0.0.0.0 0.0.0.0 185.231.58.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
1 331 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Mikrotik routes:
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.7.0.161 1
1 ADC 10.7.0.0/24 10.7.0.162 ether1 0
2 ADC 10.8.0.0/24 10.8.0.2 ovpn-out1 0
3 ADC 192.168.1.0/24 192.168.1.1 bridge 0

Mikrotik firewall:
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,rel
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 X ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-
5 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
6 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
7 ;;; defconf: fasttrack

Mikrotik Nat:
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
1 chain=srcnat action=masquerade out-interface=ovpn-out1 log=no log-prefix=""


1 answer(s)
beerchaser, 2018-10-07

Not like that: it's the NAT. Remove the NAT for the route to 10.8.0.0/24, use network-to-network routing and you will be happy.
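
A consistency checker for a routed site-to-site OpenVPN setup like the one above, added here as an example and not part of the question or the answer. It takes constructed copies of the server config, the ccd entry and the Mikrotik srcnat rules quoted in the question, pairs each server `route` with a ccd `iroute`, checks the `ifconfig-push` form under `topology subnet`, and flags the masquerade on the tunnel interface that the answer points at (the interface name `ovpn-out1` and the file name `mikrotik` are taken from the question):

```python
"""Consistency check for a routed site-to-site OpenVPN setup (added example, not the
question's or the answer's code). Inputs are constructed from the configs quoted above."""
import re

SERVER_CONF = """\
topology subnet
server 10.8.0.0 255.255.255.0
route 192.168.1.0 255.255.255.0
client-to-client
"""
# ccd file name -> contents (one entry, as in the question; file name is assumed)
CCD = {"mikrotik": "iroute 192.168.1.0 255.255.255.0\nifconfig-push 10.8.0.2 10.8.0.1\n"}
MIKROTIK_SRCNAT = [
    "chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none",
    'chain=srcnat action=masquerade out-interface=ovpn-out1 log=no log-prefix=""',
]


def _nets(text, keyword):
    """Collect 'network netmask' strings from `route` / `iroute` lines."""
    return {f"{m[1]} {m[2]}" for m in re.finditer(rf"^{keyword}\s+(\S+)\s+(\S+)", text, re.M)}


def check_site_to_site(server_conf, ccd, srcnat_rules, vpn_iface="ovpn-out1"):
    """Return a list of findings; an empty list means the routed setup is consistent."""
    findings = []
    routes = _nets(server_conf, "route")
    iroutes = set().union(*(_nets(c, "iroute") for c in ccd.values()))
    # A `route` on the server needs a matching `iroute` in some ccd file, otherwise
    # OpenVPN's internal routing table does not know which client owns that LAN.
    for net in sorted(routes - iroutes):
        findings.append(f"route {net} has no matching iroute in any ccd file")
    for net in sorted(iroutes - routes):
        findings.append(f"iroute {net} has no matching route on the server")
    # With `topology subnet` the second ifconfig-push argument is the netmask, not the peer.
    if "topology subnet" in server_conf:
        for name, text in ccd.items():
            m = re.search(r"^ifconfig-push\s+\S+\s+(\S+)", text, re.M)
            if m and not m[1].startswith("255."):  # crude netmask check
                findings.append(f"ccd {name}: ifconfig-push second argument {m[1]} is not a netmask")
    # Masquerading on the tunnel rewrites every LAN source to the client's tunnel address,
    # so the server only ever sees 10.8.0.2, never the 192.168.1.x hosts: a routed link
    # should not be NATed (the answer's point), and per-host attribution is lost.
    for rule in srcnat_rules:
        if "action=masquerade" in rule and f"out-interface={vpn_iface}" in rule:
            findings.append(f"srcnat masquerade on {vpn_iface} hides the LAN behind the client; route instead")
    return findings
```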
