erdemefe
just joined
Topic Author
Posts: 16
Joined: Fri Oct 21, 2022 12:04 pm

OVPN client connects but no reply

Sun Mar 31, 2024 11:06 pm

Hello everybody,

My company provides a VPN connection for home office. I know that they use a Sophos firewall and it uses OpenVPN inside it. They gave me a .ovpn config file. It works fine in the Windows OpenVPN Connect app. I read the file with a text editor and applied the configuration on my MikroTik. The connection succeeded and I got an IP. But I cannot access the office's LAN network. I follow the packets but they don't reply. What is wrong?
# 2024-03-31 22:54:27 by RouterOS 7.14.2
# software id = WDL2-L484
#
# model = RB4011iGS+
# serial number = B8F30B0E63D6

/interface ovpn-client
add auth=sha256 certificate=Deka_client cipher=aes128-cbc connect-to=xx.xx.xx.xx mac-address=02:28:DF:FA:38:52 name=deka_ovpn_client port=8443 profile=ovpn_client user=username verify-server-certificate=yes


/ppp profile
add local-address=172.90.28.1 name=pppoe_srv_profile remote-address=pppoe_srv_pool
add bridge=bridge change-tcp-mss=yes interface-list=WAN local-address=10.15.15.5 name=ovpn remote-address=ovpn-pool use-encryption=required
add change-tcp-mss=yes interface-list=LAN name=ovpn_client use-ipv6=no

/ip firewall nat
add action=masquerade chain=srcnat comment=Deka out-interface=deka_ovpn_client

/ip route
add comment="Forwarding to Sedef" disabled=no dst-address=172.28.90.0/24 gateway=ovpn-sedef
add comment="Forward Sedef" disabled=no distance=1 dst-address=192.168.10.0/24 gateway=ovpn-sedef pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Forward Efe Apt." disabled=yes distance=1 dst-address=192.168.2.0/24 gateway=ovpn-asus pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Route to Deka" disabled=no distance=1 dst-address=10.0.10.0/23 gateway=deka_ovpn_client pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=1
 
IlKa
newbie
Posts: 34
Joined: Sun Jan 03, 2021 11:42 pm

Re: OVPN client connects but no reply

Mon Apr 01, 2024 2:45 am

Are you sure that you should use the interface as your gateway, and not a gateway address on the remote network?
You are using IP mode (the default one) and I think that you should get a gateway address from the remote OpenVPN server in the same network your IP sits in.

Then, you ping this address. If it works -- you set it as a gateway for your remote networks.
 
erdemefe
just joined
Topic Author
Posts: 16
Joined: Fri Oct 21, 2022 12:04 pm

Re: OVPN client connects but no reply

Wed Apr 03, 2024 1:59 am

I did not understand exactly.

I have a local IP from the remote OVPN server, as seen in the attached screenshot, and ping is also successful for this IP (10.81.234.130). But I cannot ping a local IP inside the remote network.
 
erdemefe
just joined
Topic Author
Posts: 16
Joined: Fri Oct 21, 2022 12:04 pm

Re: OVPN client connects but no reply

Thu Apr 04, 2024 2:03 pm

When I sniff the ping packets, they go to my OVPN interface and the transmissions are successful. But no reply.

Please help me
 
rplant
Member
Posts: 322
Joined: Fri Sep 29, 2017 11:42 am

Re: OVPN client connects but no reply

Sun Apr 07, 2024 11:19 am

On the Mikrotik can you ping 10.81.234.129?

On the Mikrotik can you trace route to 10.0.10.119, do you see the intermediate hops?

If so, perhaps 10.0.10.119 doesn't respond to pings (from non local subnet)?
Could you ping this IP when connected via your computer?

You could add openvpn to system/logging for a while and see if the extra logs give any hints.

/system logging
add action=memory topics=ovpn


Some other thoughts (though low probability of helping)

You could disable your route to 10.0.10.0/23 as it seems to have received one from the server, and the static one might be causing issues.

You have not shown any firewall rules.

Perhaps add a firewall rule to allow the openvpn traffic in.

If somewhat near default, you may need to make the openvpn interface a member of the WAN interface list.
 
erdemefe
just joined
Topic Author
Posts: 16
Joined: Fri Oct 21, 2022 12:04 pm

Re: OVPN client connects but no reply

Sun Apr 21, 2024 3:39 am

Thanks for your answer,

I can't ping 10.81.234.129; it is the OVPN remote IP.

Traceroute does not get a reply from any hop.

I can ping 10.81.234.129 from the 10.0.10.119 PC but can't ping 10.81.234.130.

I said that the ovpn-server did not respond, but I guess it is not transmitted at all, because I cannot ping the local address of the ovpn-server either.

My firewall is like this:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=def_drop
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=Winbox disabled=yes dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="NAS SSH" disabled=yes dst-port=8022 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Gitea SSH" dst-port=22 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="OpenVpn Server " dst-port=11949 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=Nginx dst-port=80,443 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=Mosquitto dst-port=1883 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Please help me
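
Added example, not part of any post in this thread: a simplified first-match evaluator in Python that runs an excerpt of the filter rules posted above against a described packet, to see which rule decides traffic arriving on the tunnel interface. The packet dictionaries and the function names are hypothetical, only `accept` and `drop` are treated as terminating, and matchers other than the four modelled count as not matching, so this is a sketch and not RouterOS's own matcher.

```python
import shlex

# Excerpt of the filter rules posted in the thread (input and forward chains).
EXPORT = '''
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
'''
IGNORED = {"action", "chain", "comment", "disabled", "log-prefix", "hw-offload"}

def parse(export):
    """Turn each 'add key=value ...' export line into a dict."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
            for line in export.strip().splitlines()]

def matches(rule, pkt):
    """True if every matcher on the rule agrees with the (hypothetical) packet dict."""
    if rule.get("disabled") == "yes" or rule["chain"] != pkt["chain"]:
        return False
    for key, want in rule.items():
        if key in IGNORED:
            continue
        negated, want = want.startswith("!"), want.lstrip("!")
        if key == "connection-state":
            hit = pkt["state"] in want.split(",")
        elif key == "protocol":
            hit = pkt["protocol"] == want
        elif key == "in-interface-list":
            hit = want in pkt["in_lists"]
        elif key == "connection-nat-state":
            hit = want in pkt.get("nat", ())
        else:
            hit = False  # matcher not modelled here: treat as not matching
        if hit == negated:
            return False
    return True

def verdict(rules, pkt):
    """First matching accept/drop rule wins; other actions are passed over (simplification)."""
    for rule in rules:
        if rule["action"] in ("accept", "drop") and matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "no rule matched"

RULES = parse(EXPORT)
```

Call `verdict(RULES, {"chain": "forward", "state": "new", "protocol": "icmp", "in_lists": {"LAN"}})` and vary `in_lists`, which stands for the interface lists the incoming interface belongs to (the posted `ovpn_client` profile assigns `LAN`).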
