Grrrrr I forgot to add 'client-to-client' & 'client-config-dir /mnt/kd/openvpn/ccd' in my Raw Commands. All working fine now. That will teach me for not looking more closely at my notes.
So yes that answers the question about the iroute then. Thanks again for your help.

Regards
Michael Knill

On 12/3/20, 7:34 am, "Michael Knill" <michael.kn...@ipcsolutions.com.au> wrote:

Thanks Lonnie.
So if that's the case then it must be the iroute that determines where to send the traffic destined for this subnet?

Regards
Michael Knill

On 12/3/20, 7:08 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Michael,

The OpenVPN server configuration created that route, and routing to the "server" seems correct. Just as the OpenVPN "client" should route to the server as well.

I have an AstLinux OpenVPN client to server pair in my lab ...

OpenVPN Server: (using tun0)
pbx ~ # ip route show dev tun0
10.8.1.0/24 proto kernel scope link src 10.8.1.1
192.168.222.0/24 via 10.8.1.1

OpenVPN Client: (using tun2)
pbx3 ~ # ip route show dev tun2
10.8.1.0/24 proto kernel scope link src 10.8.1.2
192.168.110.0/24 via 10.8.1.1

Ahh BTW, I always use Topology: "[subnet] ..." which should match with server / clients.

Lonnie

> On Mar 11, 2020, at 2:45 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie. Just a question which I'm not sure of.
> The Astlinux routing table points 172.16.16.0/24 to its own OpenVPN address (172.16.16.0/24 via 172.28.253.1 dev tun0). Is this correct?
> Shouldn't it point to the remote site OpenVPN address or is this how it works?
>
> Regards
> Michael Knill
>
> On 11/3/20, 11:39 pm, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Hi Michael,
>
> If you were using AstLinux instead of the Mikrotik in your home office I would point you to the Firewall tab ...
>
> Network -> Firewall Configuration -> Firewall Options:
>
> ___ Allow OpenVPN Client tunnel to the [ 1st ] LAN Interface(s)
>
> ___ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)
>
>
> So, for the Mikrotik it may be a similar firewall "forwarding" rule for the OpenVPN 'tun' interface <-> LAN interface.
>
> BTW, the proper OpenVPN config (yours looks good at a quick glance) will add the needed routes automatically.
>
> Lonnie
>
>
>
>> On Mar 11, 2020, at 6:31 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Hi Group
>>
>> I have been trying out Mikrotik’s RouterOS v7 specifically to test UDP OpenVPN.
>> I have set up OpenVPN from my Home Office router (OpenVPN Client) to my hosted Astlinux (OpenVPN Server) for telephony purposes only.
>> The connection has come up fine and I can ping the OpenVPN addresses each way from the terminating devices but I can't for the life of me get connectivity working from the Home Office LAN to the Astlinux OpenVPN address.
>> OpenVPN Subnet: 172.28.253.0/24. Astlinux gateway .1
>> Home Office LAN: 172.16.16.0/24
>>
>> I have set up the iroute file:
>> 3000-IPC_Prod-CM1 kd # cat openvpn/ccd/IPC_Home_Office
>> iroute 172.16.16.0 255.255.255.0
>>
>> 3000-IPC_Prod-CM1 kd # ip route
>> default via 221.121.132.145 dev eth0
>> 172.16.16.0/24 via 172.28.253.1 dev tun0
>> 172.28.253.0/24 dev tun0 proto kernel scope link src 172.28.253.1
>> .......
>>
>> ### gui.openvpn.conf - start ###
>> ###
>> ### Auth Method
>> OVPN_USER_PASS_VERIFY="no"
>> ### Device
>> OVPN_DEV="tun0"
>> ### Port Number
>> OVPN_PORT="1194"
>> ### Protocol
>> OVPN_PROTOCOL="udp"
>> ### Log Verbosity
>> OVPN_VERBOSITY="4"
>> ### Compression
>> OVPN_LZO="no"
>> ### QoS Passthrough
>> OVPN_QOS="yes"
>> ### Cipher
>> OVPN_CIPHER=""
>> ### Auth HMAC
>> OVPN_AUTH=""
>> ### Allowed External Hosts
>> OVPN_TUNNEL_HOSTS="0/0"
>> ### Client Isolation
>> OVPN_CLIENT_ISOLATION="no"
>> ### Server Hostname
>> OVPN_HOSTNAME="30000.ipcaccess.net"
>> ### Server IPv4 Network
>> OVPN_SERVER="172.28.253.0 255.255.255.0"
>> ### Server IPv6 Network
>> OVPN_SERVERV6=""
>> ### Topology
>> OVPN_TOPOLOGY="subnet"
>> ### Server Push
>> OVPN_PUSH="
>> "
>> ### Raw Commands
>> OVPN_OTHER="
>> topology p2p
>> route-gateway 172.28.253.1
>> route 172.16.16.0 255.255.255.0
>> "
>> ### Private Key Size
>> OVPN_CERT_KEYSIZE="2048"
>> ### Signature Algorithm
>> OVPN_CERT_ALGORITHM="sha256"
>> ### CA File
>> OVPN_CA="/mnt/kd/openvpn/webinterface/keys/ca.crt"
>> ### CERT File
>> OVPN_CERT="/mnt/kd/openvpn/webinterface/keys/server.crt"
>> ### Key File
>> OVPN_KEY="/mnt/kd/openvpn/webinterface/keys/server.key"
>> ### DH File
>> OVPN_DH="/mnt/kd/openvpn/webinterface/dh1024.pem"
>> ### TLS-Auth File
>> OVPN_TA=""
>> ### Valid Clients
>> OVPN_VALIDCLIENTS="
>> ...........
>> IPC_Home_Office
>> "
>> ### gui.openvpn.conf - end ###
>>
>> I have looked at the firewall log on the Mikrotik and nothing comes up as being denied. Any ideas on where to go next?
>> Yes I realise it's a Beta version but as I can ping the OpenVPN address each way, it just seems to be a routing problem.
>>
>> Thanks all.
>>
>> Regards
>> Michael Knill
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
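
Added example, not part of the thread and not AstLinux or OpenVPN code: a small Python check of the relationship the thread resolves, where the server's `route` sends the remote LAN into the tunnel, the client's ccd `iroute` tells OpenVPN which client owns that LAN, and `client-config-dir` is what causes the ccd file to be read at all. The function names are hypothetical; the configuration values are the ones posted in the thread.

```python
import ipaddress

def parse_directives(text):
    """Split OpenVPN config text into (directive, args) pairs, skipping comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            pairs.append((name, args))
    return pairs

def subnets(pairs, name):
    """Networks named by '<name> <network> [netmask]' lines (mask defaults to /32)."""
    return {ipaddress.ip_network(f"{a[0]}/{a[1] if len(a) > 1 else '255.255.255.255'}")
            for d, a in pairs if d == name and a}

def check_site_routes(server_text, ccd_files):
    """ccd_files maps a client common name to the text of its ccd file."""
    server = parse_directives(server_text)
    has_ccd_dir = any(d == "client-config-dir" for d, _ in server)
    routes, owned, findings = subnets(server, "route"), set(), []
    for cn, text in sorted(ccd_files.items()):
        for net in sorted(subnets(parse_directives(text), "iroute")):
            owned.add(net)
            if not has_ccd_dir:
                findings.append(f"{cn}: iroute {net} is never read (no client-config-dir)")
            if net not in routes:
                findings.append(f"{cn}: iroute {net} has no matching server route")
    for net in sorted(routes - owned):
        findings.append(f"route {net}: no client iroute claims this subnet")
    return findings

# Values taken from the thread: Raw Commands as first posted, then with the two added lines.
RAW_BEFORE = """topology p2p
route-gateway 172.28.253.1
route 172.16.16.0 255.255.255.0
"""
RAW_AFTER = RAW_BEFORE + "client-to-client\nclient-config-dir /mnt/kd/openvpn/ccd\n"
CCD = {"IPC_Home_Office": "iroute 172.16.16.0 255.255.255.0\n"}

if __name__ == "__main__":
    for label, raw in (("before", RAW_BEFORE), ("after", RAW_AFTER)):
        print(label, check_site_routes(raw, CCD) or "consistent")
```
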