Michael,

The OpenVPN server configuration created that route, and routing to the 
"server" seems correct.  Just as the OpenVPN "client" should route to the 
server as well.

I have an AstLinux OpenVPN client to server pair in my lab ...

OpenVPN Server: (using tun0)
pbx ~ # ip route show dev tun0
10.8.1.0/24  proto kernel  scope link  src 10.8.1.1 
192.168.222.0/24 via 10.8.1.1 

OpenVPN Client: (using tun2)
pbx3 ~ # ip route show dev tun2
10.8.1.0/24  proto kernel  scope link  src 10.8.1.2 
192.168.110.0/24 via 10.8.1.1

Ahh BTW, I always use Topology: "[subnet] ..." which should match with server / 
clients.


Lonnie


> On Mar 11, 2020, at 2:45 PM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
> Thanks Lonnie. Just a question which I'm not sure of.
> The Astlinux routing table points 172.16.16.0/24 to its own OpenVPN address 
> (172.16.16.0/24 via 172.28.253.1 dev tun0). Is this correct? 
> Shouldn't it point to the remote site OpenVPN address or is this how it works?
> 
> Regards
> Michael Knill
> 
> On 11/3/20, 11:39 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
> 
>    Hi Michael,
> 
>    If you were using AstLinux instead of the Mikrotik in your home office I 
> would point you to the Firewall tab ...
> 
>    Network -> Firewall Configuration -> Firewall Options:
> 
>    ___ Allow OpenVPN Client tunnel to the [ 1st ] LAN Interface(s)
> 
>    ___ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)
> 
> 
>    So, for the Mikrotik it may be a similar firewall "forwarding" rule for 
> the OpenVPN 'tun' interface <-> LAN interface.
> 
>    BTW, the proper OpenVPN config (yours looks good at a quick glance) will 
> add the needed routes automatically.
> 
>    Lonnie
> 
> 
> 
>> On Mar 11, 2020, at 6:31 AM, Michael Knill 
>> <michael.kn...@ipcsolutions.com.au> wrote:
>> 
>> Hi Group
>> 
>> I have been trying out Mikrotik’s RouterOS v7 specifically to test UDP 
>> OpenVPN.
>> I have set up OpenVPN from my Home Office router (OpenVPN Client) to my 
>> hosted Astlinux (OpenVPN Server) for telephony purposes only.
>> The connection has come up fine and I can ping the OpenVPN addresses each 
>> way from the terminating devices but I can't for the life of me get 
>> connectivity working from the Home Office LAN to the Astlinux OpenVPN 
>> address.
>> OpenVPN Subnet: 172.28.253.0/24. Astlinux gateway .1
>> Home Office LAN: 172.16.16.0/24
>> 
>> I have set up the iroute file:
>> 3000-IPC_Prod-CM1 kd # cat openvpn/ccd/IPC_Home_Office
>> iroute 172.16.16.0 255.255.255.0
>> 
>> 3000-IPC_Prod-CM1 kd # ip route
>> default via 221.121.132.145 dev eth0
>> 172.16.16.0/24 via 172.28.253.1 dev tun0
>> 172.28.253.0/24 dev tun0  proto kernel  scope link  src 172.28.253.1
>> .......
>> 
>> ### gui.openvpn.conf - start ###
>> ###
>> ### Auth Method
>> OVPN_USER_PASS_VERIFY="no"
>> ### Device
>> OVPN_DEV="tun0"
>> ### Port Number
>> OVPN_PORT="1194"
>> ### Protocol
>> OVPN_PROTOCOL="udp"
>> ### Log Verbosity
>> OVPN_VERBOSITY="4"
>> ### Compression
>> OVPN_LZO="no"
>> ### QoS Passthrough
>> OVPN_QOS="yes"
>> ### Cipher
>> OVPN_CIPHER=""
>> ### Auth HMAC
>> OVPN_AUTH=""
>> ### Allowed External Hosts
>> OVPN_TUNNEL_HOSTS="0/0"
>> ### Client Isolation
>> OVPN_CLIENT_ISOLATION="no"
>> ### Server Hostname
>> OVPN_HOSTNAME="30000.ipcaccess.net"
>> ### Server IPv4 Network
>> OVPN_SERVER="172.28.253.0 255.255.255.0"
>> ### Server IPv6 Network
>> OVPN_SERVERV6=""
>> ### Topology
>> OVPN_TOPOLOGY="subnet"
>> ### Server Push
>> OVPN_PUSH="
>> "
>> ### Raw Commands
>> OVPN_OTHER="
>> topology p2p
>> route-gateway 172.28.253.1
>> route 172.16.16.0 255.255.255.0
>> "
>> ### Private Key Size
>> OVPN_CERT_KEYSIZE="2048"
>> ### Signature Algorithm
>> OVPN_CERT_ALGORITHM="sha256"
>> ### CA File
>> OVPN_CA="/mnt/kd/openvpn/webinterface/keys/ca.crt"
>> ### CERT File
>> OVPN_CERT="/mnt/kd/openvpn/webinterface/keys/server.crt"
>> ### Key File
>> OVPN_KEY="/mnt/kd/openvpn/webinterface/keys/server.key"
>> ### DH File
>> OVPN_DH="/mnt/kd/openvpn/webinterface/dh1024.pem"
>> ### TLS-Auth File
>> OVPN_TA=""
>> ### Valid Clients
>> OVPN_VALIDCLIENTS="
>> ...........
>> IPC_Home_Office
>> "
>> ### gui.openvpn.conf - end ###
>> 
>> I have looked at the firewall log on the Mikrotik and nothing comes up as 
>> being denied. Any ideas on where to go next?
>> Yes I realise it's a Beta version but as I can ping the OpenVPN address each 
>> way, it just seems to be a routing problem.
>> 
>> Thanks all.
>> 
>> Regards
>> Michael Knill
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>> 
>> Donations to support AstLinux are graciously accepted via PayPal to 
>> pay...@krisk.org.



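An added example, not part of the original messages and not AstLinux code: the kernel route on the server only sends the remote LAN into the tun device, and the `iroute` line in the client's ccd file is what tells OpenVPN which client owns that LAN, so this shell check pairs each server-side `route` with an `iroute` and lists every topology setting found so the GUI value and any raw directive can be compared. The function names and the temporary file locations are assumptions, and the sample files are constructed from the values quoted in the thread plus one made-up network.

```shell
#!/bin/sh
# Added example, not AstLinux code. Cross-checks server "route" lines
# against per-client "iroute" lines in the ccd directory.

# For each "route NET MASK" in $1, name the ccd file in $2 that owns it.
check_iroutes() {
    conf=$1 ccd=$2
    awk '$1 == "route" && NF >= 3 { print $2, $3 }' "$conf" |
    while read -r net mask; do
        owner=""
        for f in "$ccd"/*; do
            [ -f "$f" ] || continue
            if awk -v n="$net" -v m="$mask" '
                $1 == "iroute" && $2 == n && $3 == m { hit = 1 }
                END { exit !hit }' "$f"
            then
                owner=${f##*/}
                break
            fi
        done
        if [ -n "$owner" ]; then
            echo "OK $net $mask $owner"
        else
            echo "NO_IROUTE $net $mask"
        fi
    done
}

# List every topology setting in $1: the GUI variable and raw directives.
list_topologies() {
    awk '
        /^OVPN_TOPOLOGY=/ { gsub(/^OVPN_TOPOLOGY=|"/, ""); print "gui " $0 }
        $1 == "topology" && NF == 2 { print "raw " $2 }' "$1"
}

# Constructed sample modelled on the thread; 10.99.0.0 is made up.
demo=$(mktemp -d) && mkdir "$demo/ccd"
printf '%s\n' 'OVPN_TOPOLOGY="subnet"' 'OVPN_OTHER="' 'topology p2p' \
    'route-gateway 172.28.253.1' 'route 172.16.16.0 255.255.255.0' \
    'route 10.99.0.0 255.255.0.0' '"' > "$demo/gui.openvpn.conf"
echo 'iroute 172.16.16.0 255.255.255.0' > "$demo/ccd/IPC_Home_Office"
check_iroutes "$demo/gui.openvpn.conf" "$demo/ccd"
list_topologies "$demo/gui.openvpn.conf"
rm -rf "$demo"
```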