Here's the setup:

[OpenVPN server]    --- WAN --- [RouterOS client]   --- [Local subnet client]
10.5.0.0                        10.5.0.14               10.10.10.2
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         123.45.128.1    0.0.0.0         UG    0      0        0 eth0
10.5.0.0        10.5.0.2        255.255.255.0   UG    0      0        0 tun0
10.5.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.18.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
123.45.128.0    0.0.0.0         255.255.240.0   U     0      0        0 eth0
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 123.45.67.89  netmask 255.255.240.0  broadcast 123.45.123.255
        inet6 fe80::b47f:49ff:fe42:8567  prefixlen 64  scopeid 0x20<link>
        ether b6:7f:49:42:85:67  txqueuelen 1000  (Ethernet)
        RX packets 106602  bytes 58005294 (58.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 129890  bytes 57533013 (57.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 296  bytes 89008 (89.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 296  bytes 89008 (89.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.5.0.1  netmask 255.255.255.255  destination 10.5.0.2
        inet6 fe80::8d8b:2759:671:2327  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 1015  bytes 69353 (69.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2248  bytes 325055 (325.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
$ sudo ufw status
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
$ ping 10.5.0.14
reachable, 0% packet loss

❔ How can I make a route from [OpenVPN server] to [Local subnet]? e.g. ping 10.10.10.2

  • Do the routing statically on the RouterOS. Better choose another VPN. OpenVPN support on RouterOS is as cursed as it could be; it is better to have no support at all than to have this. Feb 2, 2021 at 15:21

2 Answers


If you want to reach a subnet which is behind an OpenVPN client, you need two things (this applies only to routing-based (tun device) VPNs):

  • activate client specific configuration (--client-config-dir)
  • inside the configuration of the correct client, use the --iroute switch to tell openvpn that it shall route the subnet inside the tunnel

After that, you need to activate IP forwarding on the client and adapt the firewall. That should be it...

Here is a detailed description of the switches which I mentioned.

Hope it helps!
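As a worked illustration of the two switches above, here is what the server side looks like for the setup in the question. This is an added example, not the answerer's configuration; the ccd directory `/etc/openvpn/ccd` and the client's certificate common name `routeros` are assumed placeholders.

```conf
# /etc/openvpn/server.conf  (OpenVPN server, tun0 = 10.5.0.1) -- added example
dev tun
server 10.5.0.0 255.255.255.0
# Enable per-client configuration; files are named after the client's
# certificate common name (assumed here to be "routeros").
client-config-dir /etc/openvpn/ccd
# Kernel route on the server: send 10.10.10.0/24 into the tunnel.
# Without this line the server's routing table (see 'route -n' above)
# matches 10.10.10.x only against 0.0.0.0/0 and sends it to the ISP
# gateway on eth0, i.e. out to the WAN instead of into tun0.
route 10.10.10.0 255.255.255.0
# Optional: let the other VPN clients reach that subnet as well.
push "route 10.10.10.0 255.255.255.0"

# /etc/openvpn/ccd/routeros  (assumed common name of the RouterOS client)
# OpenVPN's internal route: 10.10.10.0/24 sits behind this particular
# client. 'route' above is the kernel's view, 'iroute' is OpenVPN's;
# both are required, neither one works on its own.
iroute 10.10.10.0 255.255.255.0
```

The `route` and `client-config-dir` directives take effect after the server is restarted; the ccd file itself is read each time the client connects.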


An active route requires configuring both ends to identify the node that lets them reach the other side's network addresses, besides the firewall rules that let the traffic pass.

I suppose that the info corresponds to the OpenVPN server; its end says that to reach 10.5.0.0/24 it should go through the node 10.5.0.2, and that to reach 10.18.0.0/16 it should go to the default gateway (eth0). There is no route going to 10.10.10.0/24, so you should add it:

ip route add 10.10.10.0/24 via 10.5.0.14

then the first half of the path is

openvpn(10.5.0.1)-->10.5.0.2-->10.5.0.14(RouterOS)-->10.10.10.x

In the other end, RouterOS is in the vpn network segment 10.5.0.0 so it should already have a route to reach the server at 10.5.0.1 with path:

RouterOS(10.5.0.14)-->10.5.0.1(openvpn)

But any clients 10.10.10.x also have to know how to reach 10.5.0.1; if RouterOS is the default gateway for them, maybe with address 10.10.10.254 or 10.10.10.1, this is enough and we have the following return path:

client 10.10.10.2-->10.10.10.1(RouterOS)10.5.0.14-->10.5.0.1(openvpn)

If RouterOS is not the default gateway, then it is necessary to add a rule in that gateway (so any client could connect) or else in EACH desired client. So, if 10.10.10.2 is Linux, you need to indicate where the next step of the path is:

ip route add 10.5.0.0/24 via 10.5.0.14

In case 10.10.10.2 is also connected to the VPN as a client and has a 10.5.0.x address, it should already have the route to 10.5.0.x as RouterOS does, and should also be capable of traversing the shown path without more routes.

I hope this exposition clarifies the needed routing concepts: "I know how to reach you and you know how to reach me, let's talk." :)
