Grrrrr

I forgot to add 'client-to-client' & 'client-config-dir /mnt/kd/openvpn/ccd' in 
my Raw Commands. All working fine now.
That will teach me for not looking more closely at my notes.

So yes that answers the question about the iroute then.

Thanks again for your help.

Regards
Michael Knill

On 12/3/20, 7:34 am, "Michael Knill" <[email protected]> wrote:

    Thanks Lonnie. 
    So if that's the case then it must be the iroute that determines where to send the traffic destined for this subnet?
    
    Regards
    Michael Knill
    
    On 12/3/20, 7:08 am, "Lonnie Abelbeck" <[email protected]> wrote:
    
        Michael,
        
        The OpenVPN server configuration created that route, and routing to the "server" seems correct.  Just as the OpenVPN "client" should route to the server as well.
        
        I have an AstLinux OpenVPN client to server pair in my lab ...
        
        OpenVPN Server: (using tun0)
        pbx ~ # ip route show dev tun0
        10.8.1.0/24  proto kernel  scope link  src 10.8.1.1 
        192.168.222.0/24 via 10.8.1.1 
        
        OpenVPN Client: (using tun2)
        pbx3 ~ # ip route show dev tun2
        10.8.1.0/24  proto kernel  scope link  src 10.8.1.2 
        192.168.110.0/24 via 10.8.1.1
        
        Ahh BTW, I always use Topology: "[subnet] ..." which should match with server / clients.
        
        
        Lonnie
        
        
        > On Mar 11, 2020, at 2:45 PM, Michael Knill <[email protected]> wrote:
        > 
        > Thanks Lonnie. Just a question which I'm not sure of.
        > The Astlinux routing table points 172.16.16.0/24 to its own OpenVPN address (172.16.16.0/24 via 172.28.253.1 dev tun0). Is this correct? 
        > Shouldn't it point to the remote site OpenVPN address or is this how it works?
        > 
        > Regards
        > Michael Knill
        > 
        > On 11/3/20, 11:39 pm, "Lonnie Abelbeck" <[email protected]> wrote:
        > 
        >    Hi Michael,
        > 
        >    If you were using AstLinux instead of the Mikrotik in your home office I would point you to the Firewall tab ...
        > 
        >    Network -> Firewall Configuration -> Firewall Options:
        > 
        >    ___ Allow OpenVPN Client tunnel to the [ 1st ] LAN Interface(s)
        > 
        >    ___ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)
        > 
        > 
        >    So, for the Mikrotik it may be a similar firewall "forwarding" rule for the OpenVPN 'tun' interface <-> LAN interface.
        > 
        >    BTW, the proper OpenVPN config (yours looks good at a quick glance) will add the needed routes automatically.
        > 
        >    Lonnie
        > 
        > 
        > 
        >> On Mar 11, 2020, at 6:31 AM, Michael Knill <[email protected]> wrote:
        >> 
        >> Hi Group
        >> 
        >> I have been trying out Mikrotik’s RouterOS v7 specifically to test UDP OpenVPN.
        >> I have set up OpenVPN from my Home Office router (OpenVPN Client) to my hosted Astlinux (OpenVPN Server) for telephony purposes only.
        >> The connection has come up fine and I can ping the OpenVPN addresses each way from the terminating devices but I can't for the life of me get connectivity working from the Home Office LAN to the Astlinux OpenVPN address.
        >> OpenVPN Subnet: 172.28.253.0/24. Astlinux gateway .1
        >> Home Office LAN: 172.16.16.0/24
        >> 
        >> I have set up the iroute file:
        >> 3000-IPC_Prod-CM1 kd # cat openvpn/ccd/IPC_Home_Office
        >> iroute 172.16.16.0 255.255.255.0
        >> 
        >> 3000-IPC_Prod-CM1 kd # ip route
        >> default via 221.121.132.145 dev eth0
        >> 172.16.16.0/24 via 172.28.253.1 dev tun0
        >> 172.28.253.0/24 dev tun0  proto kernel  scope link  src 172.28.253.1
        >> .......
        >> 
        >> ### gui.openvpn.conf - start ###
        >> ###
        >> ### Auth Method
        >> OVPN_USER_PASS_VERIFY="no"
        >> ### Device
        >> OVPN_DEV="tun0"
        >> ### Port Number
        >> OVPN_PORT="1194"
        >> ### Protocol
        >> OVPN_PROTOCOL="udp"
        >> ### Log Verbosity
        >> OVPN_VERBOSITY="4"
        >> ### Compression
        >> OVPN_LZO="no"
        >> ### QoS Passthrough
        >> OVPN_QOS="yes"
        >> ### Cipher
        >> OVPN_CIPHER=""
        >> ### Auth HMAC
        >> OVPN_AUTH=""
        >> ### Allowed External Hosts
        >> OVPN_TUNNEL_HOSTS="0/0"
        >> ### Client Isolation
        >> OVPN_CLIENT_ISOLATION="no"
        >> ### Server Hostname
        >> OVPN_HOSTNAME="30000.ipcaccess.net"
        >> ### Server IPv4 Network
        >> OVPN_SERVER="172.28.253.0 255.255.255.0"
        >> ### Server IPv6 Network
        >> OVPN_SERVERV6=""
        >> ### Topology
        >> OVPN_TOPOLOGY="subnet"
        >> ### Server Push
        >> OVPN_PUSH="
        >> "
        >> ### Raw Commands
        >> OVPN_OTHER="
        >> topology p2p
        >> route-gateway 172.28.253.1
        >> route 172.16.16.0 255.255.255.0
        >> "
        >> ### Private Key Size
        >> OVPN_CERT_KEYSIZE="2048"
        >> ### Signature Algorithm
        >> OVPN_CERT_ALGORITHM="sha256"
        >> ### CA File
        >> OVPN_CA="/mnt/kd/openvpn/webinterface/keys/ca.crt"
        >> ### CERT File
        >> OVPN_CERT="/mnt/kd/openvpn/webinterface/keys/server.crt"
        >> ### Key File
        >> OVPN_KEY="/mnt/kd/openvpn/webinterface/keys/server.key"
        >> ### DH File
        >> OVPN_DH="/mnt/kd/openvpn/webinterface/dh1024.pem"
        >> ### TLS-Auth File
        >> OVPN_TA=""
        >> ### Valid Clients
        >> OVPN_VALIDCLIENTS="
        >> ...........
        >> IPC_Home_Office
        >> "
        >> ### gui.openvpn.conf - end ###
        >> 
        >> I have looked at the firewall log on the Mikrotik and nothing comes up as being denied. Any ideas on where to go next?
        >> Yes I realise it's a Beta version but as I can ping the OpenVPN address each way, it just seems to be a routing problem.
        >> 
        >> Thanks all.
        >> 
        >> Regards
        >> Michael Knill
        >> _______________________________________________
        >> Astlinux-users mailing list
        >> [email protected]
        >> https://lists.sourceforge.net/lists/listinfo/astlinux-users
        >> 
        >> Donations to support AstLinux are graciously accepted via PayPal to [email protected].
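Added example, not part of the thread and not AstLinux or OpenVPN code: a small consistency check for the setup discussed above, where the server-side `route` sends a remote LAN into the tunnel, the `iroute` in the client's ccd file tells OpenVPN which client owns that LAN, and the ccd file is only read when `client-config-dir` is set. The function names and finding labels are hypothetical; the sample input is constructed from the Raw Commands and ccd file quoted in the thread.

```python
import ipaddress

def directives(text):
    """Parse OpenVPN config text into (name, args) pairs, skipping comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            out.append((name, args))
    return out

def nets(parsed, name):
    """Networks named by '<name> <network> [netmask]' lines (route / iroute)."""
    return {ipaddress.ip_network(f"{a[0]}/{a[1] if len(a) > 1 else '255.255.255.255'}")
            for n, a in parsed if n == name and a}

def check(server_conf, ccd):
    """ccd maps client common name -> text of its ccd file. Returns findings."""
    server = directives(server_conf)
    names = {n for n, _ in server}
    routes = nets(server, "route")
    owner = {net: cn for cn, text in ccd.items()
             for net in nets(directives(text), "iroute")}
    found = []
    if owner and "client-config-dir" not in names:
        found.append("NO_CCD_DIR: ccd files exist but are never loaded, iroute is ignored")
    for net in sorted(routes - set(owner)):
        found.append(f"ROUTE_WITHOUT_IROUTE: {net} is routed to tun but no client owns it")
    for net in sorted(set(owner) - routes):
        found.append(f"IROUTE_WITHOUT_ROUTE: {net} ({owner[net]}) has no server route")
    if owner and "client-to-client" not in names:
        found.append("NO_CLIENT_TO_CLIENT: OpenVPN will not forward between clients itself")
    return found

# Constructed sample: Raw Commands before and after the fix described in the thread.
BEFORE = """topology p2p
route-gateway 172.28.253.1
route 172.16.16.0 255.255.255.0
"""
AFTER = BEFORE + "client-to-client\nclient-config-dir /mnt/kd/openvpn/ccd\n"
CCD = {"IPC_Home_Office": "iroute 172.16.16.0 255.255.255.0"}

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, check(conf, CCD) or "ok")
```

With `client-to-client` enabled, client-to-client packets are forwarded inside the OpenVPN process and do not pass through the host firewall on the tun interface, so review that finding against the intended isolation policy rather than treating it as an error.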