Route for VPN clients between subnets

Hello! I have two subnets connected via PPTP. VPN server RouterOS subnet 192.168.0.0/24, VPN client OpenWrt subnet 192.168.8.0/24.

Connection is established

Route for Mikrotik

Now I am trying to add route on OpenWrt

But it doesn't work.

Use the correct logical interface name through which the next hop is reachable (vpn in your case).

In this case I have another problem. When I try to ping the Mikrotik subnet (192.168.0.0/24) from the OpenWrt subnet (192.168.8.0), the specified port is unavailable; with traceroute, the specified protocol is unavailable.

Given the color of the vpn interface, it is not assigned to a firewall zone.

If the MikroTik network is considered trusted, assign the vpn interface to the lan zone.

Otherwise, create a dedicated vpn zone and enable lan=>vpn forwarding.

2 Likes

How should I do it?

And one more question. When I configured the pptp client (chapter 2 of this instruction: https://openwrt.org/docs/guide-user/services/vpn/pptp/client), as I understood, I have already assigned the VPN interface to the WAN zone. Is that not a problem?

The wan zone is appropriate for general Internet access via VPN, especially when using a commercial VPN service, since (a) you should not trust them and (b) they won't have routes to your LANs. For site-to-site routing, after installing a route to your LAN at the other site, you must use a zone that does not have masquerade (NAT) enabled. The lan zone meets that requirement, though it does mean that you can't block any traffic from the other site like you could if you set up a special vpn zone.

Go to the Network-Firewall page and click the Edit button for the lan zone and add vpn as a covered network. Remove vpn from wan or any other zone that you have added it to.
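As an added illustration of the two zone options described in this answer (example configuration, not part of the thread), here is the corresponding /etc/config/firewall fragment on the OpenWrt side. The zone names lan, wan and vpn and the interface name vpn come from the thread; every other option value is an assumed default, and only one of the two options (A or B) should be applied at a time.

```uci
# Added example, not from the thread: /etc/config/firewall on the OpenWrt router.
# Zone names 'lan', 'wan', 'vpn' and the interface 'vpn' are from the thread;
# the remaining option values are assumed defaults.

# As left by the pptp client wiki: 'vpn' covered by the wan zone.
# Fine for Internet access via a VPN provider, but NOT for site-to-site
# routing, because masq '1' rewrites 192.168.8.x sources to the tunnel address.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'
	# remove 'vpn' from this zone before using option A or B
	# list network 'vpn'

# Option A: the MikroTik side is trusted -> cover 'vpn' with the lan zone.
# No masquerade, and lan<->vpn forwarding is implicit within one zone.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

# Option B: dedicated zone without masquerade plus explicit lan=>vpn forwarding.
# Connections initiated from the remote site are rejected unless a rule allows them,
# which is the extra control the answer above mentions.
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'
	list network 'vpn'

config forwarding
	option src 'lan'
	option dest 'vpn'
```

After editing the file, reload with /etc/init.d/firewall reload; in LuCI the interface colour on the Network > Firewall page shows which zone now covers vpn, so an uncoloured interface still means it belongs to no zone.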

I have done this. Now the Mikrotik server is available on IP address 192.168.0.1, but other computers from this subnet are still unavailable.

This could be several things, all of them on the side with the Mikrotik router and thus out of the scope of this forum.

  • Mikrotik did not forward the packet to its LAN.
  • The machine at 192.168.0.3 is not answering pings. By default, Windows does not answer pings, and its firewall can also be configured to reject packets from private LAN IPs other than the LAN it is directly attached to.
  • Return route is not in place. (I think this would prevent ping 192.168.0.1 from working as well).

Running packet captures at the remote side would help to distinguish the cause.

Oh, sorry. This device was offline. :man_facepalming:

All is working. Thank you all.

And can I ask one more question? There is a subnet 192.168.9.0/24, which is also connected to the Mikrotik PPTP server with the same configuration.

I was trying to add a route from subnet 192.168.8.0/24 to 192.168.9.0/24 over the PPTP Mikrotik server.

But it doesn't work. Also, it is not working when the gateway is 192.168.5.1.

The next hop "gateway" for that route is actually 192.168.5.1, the far end of your pptp tunnel, the same one you use to reach 192.168.0.0/24. Your router does not directly connect to the other tunnel leaving the Mikrotik to wherever 192.168.9.0 is. When the packet reaches the Mikrotik it will see its .9.X destination address and use the route that it has to forward it into the other pptp tunnel.

A return route may not exist. The device terminating the other tunnel from the Mikrotik, and presumably running the 192.168.9 network, must route 192.168.8.0 back into its tunnel. Also, if it is not the default router for the .9 network, the .9 devices need to know how to dispatch packets to .8.

1 Like
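As an added example of the hub-and-spoke routing described in the answer above (example configuration, not part of the thread), these are the static routes in /etc/config/network on both spokes. The next hop 192.168.5.1 and the interface name vpn on the OpenWrt side come from the thread; the tunnel interface and far-end address at the 192.168.9.0/24 site are not on the page and appear as placeholders, and it is assumed that site also runs OpenWrt.

```uci
# Added example, not from the thread. 192.168.5.1 (MikroTik end of the pptp
# tunnel) and the interface 'vpn' are from the thread; site B values are placeholders.

# --- Site A (OpenWrt, LAN 192.168.8.0/24), /etc/config/network ---
# Both remote subnets use the same next hop: the MikroTik end of the tunnel.
# The MikroTik then forwards 192.168.9.x into its other pptp tunnel.
config route
	option interface 'vpn'
	option target '192.168.0.0'
	option netmask '255.255.255.0'
	option gateway '192.168.5.1'

config route
	option interface 'vpn'
	option target '192.168.9.0'
	option netmask '255.255.255.0'
	option gateway '192.168.5.1'

# --- Site B (router for 192.168.9.0/24), /etc/config/network ---
# Return route. Without it, replies to 192.168.8.x follow site B's default
# route to the Internet instead of re-entering the tunnel, so pings from
# site A time out even though the forward path is correct.
config route
	option interface 'SITE_B_TUNNEL_IFACE'
	option target '192.168.8.0'
	option netmask '255.255.255.0'
	option gateway 'SITE_B_TUNNEL_FAR_END_IP'
```

Apply with /etc/init.d/network reload and confirm with ip route show that each router lists the remote subnet via its tunnel interface; if the site B router is not the default gateway of the .9 hosts, those hosts additionally need a route for 192.168.8.0/24 pointing at it, which no router-side configuration can supply.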

Yes, you were right, thank you! I have added the return route on the other subnet and it's working now.

By the way, I have a question about ping, but it will be a new topic...