Hi, i'm using mikrotik RB760iGS. The problem is when i configure openvpn server router block itself.
i mean PC is connected to router but unable to ping or ssh the router.
PS: when i added added certificates then run openvpn it begin to drop packet.
There is little info for a diagnostic. First: what is the range of adresses (ipv4 presumably) that the openvpn server is using for its clients? That range must be out the router range (normally in a different subnet). If, for example, ovpn range is 10.0.0.x try pinging 10.0.0.1 to confirm connection.
problem is when i start openvpn server by
/etc/init.d/openvpn start
I lose access to the router.
i don't know what is the actual issue but after loading a new firmware i set server ip to 10.8.0.0/24 and it works fine.
previously i was using ip to 10.0.100.0/24, but this is also a valid ip range. dont why it act weird.
right?
The change may have triggered a series of update that corrected over a bit that had flipped on the wrong side. That happens sometimes, glad it worked!
Hi @papagirafe please help me in configuring firewall rules for openvpn end to end communication.
My network
network behind server(192.168.1.1)---->server(openvpn)<----->Client--->netwrk behind client (192.168.5.1)
Problems:
unable to ping tun IPs.
unable to ping network behind both server and client.
routes on server:
default via 192.168.3.1 dev wan proto static
10.18.0.0/24 via 10.18.0.2 dev tun0
10.18.0.2 dev tun0 proto kernel scope link src 10.18.0.1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.3.0/24 dev wan proto kernel scope link src 192.168.3.2
192.168.5.0/24 via 10.18.0.2 dev tun0
firewall:
config defaults
option forward 'ACCEPT'
option input 'ACCEPT'
option output 'ACCEPT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option mtu_fix '1'
option input 'ACCEPT'
option forward 'ACCEPT'
config zone
list device 'tun0'
option output 'ACCEPT'
option name 'Tun'
option input 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option family 'ipv4'
list icmp_type 'echo-request'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option proto 'udp'
option target 'ACCEPT'
option dest_port '500 4500'
option dest 'lan'
config rule
option name 'VPN_Traffic'
list proto 'udp'
option src 'wan'
option target 'ACCEPT'
option dest_port '2194 1194'
config rule
option name 'Tun traffic'
option target 'ACCEPT'
option dest_port '2194'
list proto 'udp'
option src 'wan'
option dest 'Tun'
server config
config openvpn 'server_multi'
option dev 'tun'
option keepalive '10 60'
option ca '/etc/openvpn/ca.crt'
option dh '/etc/openvpn/dh.pem'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option cipher 'AES-256-CBC'
option auth 'SHA256'
option client_to_client '1'
option tls_version_min '1.3'
option client_config_dir '/etc/openvpn/ccd'
list route '192.168.5.0 255.255.255.0'
option port '2194'
option comp_lzo 'no'
option status '/var/server_multi.status.status'
option verb '3'
option log '/var/log/openvpn.log '
option server '10.18.0.0 255.255.255.0'
option enabled '1'
option duplicate_cn '1'
list push 'route 192.168.1.0 255.255.255.0'
EDIT: i got the problem, on server comp_lzo = no and on client this option is commented out.
so after setting it to no, everything works fine.
At first sight it seems that your routes are circular but most importantly I am not sure what you are trying to acheive and how you are testing it.
- Is it to access LAN ressources (printer, file server, surveillance cameras) when on the road?
- To access internet from your home country whan traveling abroad?
- Make a LAN tunnel between 2 distant sites?
- are you testing it from a distinct internet access? (cell internet to home internet?)
i was just testing openvpn config in simple network without any internet connect.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.