
Mikrotik as OpenVPN client, lan behind mikrotik?

nickolasm5

Occasional Visitor
Sorry for a silly question.
I have an ASUS router as an openvpn server (192.168.3.1), and a mikrotik as a client (192.168.7.1)
Mikrotik successfully connects to ASUS and gets assigned IP 10.8.0.17.
Everything can be pinged from the Mikrotik and the LAN behind Mikrotik to ASUS and behind ASUS (192.168.7.0 > 192.168.3.0).
Yet from the ASUS side the network 192.168.7.0, including the Mikrotik itself, can't be pinged. Mikrotik only responds on its VPN IP (10.8.0.17) (192.168.3.0 doesn't go > 192.168.7.0).

What should I do so I can access the LAN behind the mikrotik from the ASUS network?
 
I don't use Mikrotik myself, so I can't speak to the specifics of its GUI, but speaking in general about OpenVPN, it will NOT allow bidirectional access by default. That has to be configured w/ extra steps.

On the OpenVPN server side, you need to define the necessary routing, both for the local routing table (via route directives) and the OpenVPN server itself (via iroute directives).

For the local routing table, you add the following to the OpenVPN server config.

Code:
route 192.168.7.0 255.255.255.0 vpn_gateway

That just makes sure that any references by 192.168.3.0/24 to 192.168.7.0/24 are directed at the OpenVPN server itself. However, that is NOT sufficient. Because OpenVPN server can support multiple, simultaneous clients, *internally* it doesn't know specifically which OpenVPN client is the one that needs the routing! That's why you also need to define an iroute directive.

Code:
iroute 192.168.7.0 255.255.255.0

This has to be placed in the client's configuration file, NOT the more general location for OpenVPN server directives like route (or ccd below). That file needs to be named the same as the client's Common Name on its cert, and the full path to that file needs to be given to the OpenVPN server using the CCD directive.

Code:
# "CCD" is shorthand for the client-config-dir directive
client-config-dir <full-path>

So now when the OpenVPN client connects, the server will look for the client configuration file and KNOW that references to 192.168.7.0/24 need to be forwarded over that client's specific connection.

Yeah, it's a bit complicated, but as I said, because the server is multiplexing clients, it has no way to know for sure which client is associated w/ which private network(s) behind that client unless you explicitly tell it!

Some GUIs (e.g., ASUS) make it easier by having a specific section on the OpenVPN server called "Manage Client Specific Options" for this purpose. You simply provide the IP network(s) behind the client and Common Name to the GUI, and it does all the dirty work for you (creates the CCD directory and client config file, adds the iroute(s), adds the routes to the local routing table, etc.). But if you don't have that option, then you probably need to manage it manually as described above, in which case the following documentation might prove helpful.

P.S. If it's not already obvious, realize that if you intend to access this same OpenVPN server w/ OpenVPN clients from *different* local networks, it would only make sense to have *unique* certs (i.e., w/ different Common Names) for each client so the OpenVPN server doesn't get confused. When you're only initiating client->server connections, it's easy and common enough to share/distribute a single client cert, esp. for home users. But once you initiate server->client connections, NOW the server is dealing w/ potentially different private networks behind each client, so you have to keep that in mind when it comes to configuration, esp. when it comes to managing certs.
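The three pieces above (a `route` in the server config, an `iroute` in the CCD file named after the client's Common Name, and the `client-config-dir` directive that tells the server where those files live) are easy to get out of sync. The following is an added example, not code from the thread or from OpenVPN itself: a small checker that parses a server config and a set of CCD files and reports routed subnets with no `iroute` owner, `iroute`s with no matching kernel `route`, a CCD directory that is never referenced, and the shared-cert problem from the P.S. (two Common Names claiming the same LAN). The config text and CCD contents are constructed samples embedded inline so it runs offline; a real deployment would read them from disk.

```python
"""Cross-check an OpenVPN server config against its client-config-dir files.

Added example (not from the forum post). Directive names (route, iroute,
client-config-dir) are standard OpenVPN; the config text below is constructed.
"""

# Constructed sample: what the server side of the thread's setup might look like.
# 192.168.9.0/24 is routed but no CCD file claims it, so the checker flags it.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
route 192.168.7.0 255.255.255.0 vpn_gateway
route 192.168.9.0 255.255.255.0 vpn_gateway
"""

# Constructed sample CCD directory: {Common Name: file contents}
CCD_FILES = {
    "mikrotik-site": "iroute 192.168.7.0 255.255.255.0\n",
    "laptop": "",  # road-warrior client, no LAN behind it
}


def parse_directives(text):
    """Yield (directive, [args]) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def check_config(server_conf, ccd_files):
    """Return a dict describing route/iroute/CCD inconsistencies.

    Keys: has_ccd (bool), missing_iroute, orphan_iroute (sorted lists of
    (network, netmask)), conflicts ({(network, netmask): [cn, ...]}).
    A 'missing_iroute' entry can be a false positive if the route points at
    something on the server side rather than behind a client.
    """
    has_ccd = False
    routed = set()
    for directive, args in parse_directives(server_conf):
        if directive == "client-config-dir":
            has_ccd = True
        elif directive == "route" and len(args) >= 2:
            routed.add((args[0], args[1]))

    # Which Common Name(s) claim each subnet via iroute.
    iroutes = {}
    for cn, text in ccd_files.items():
        for directive, args in parse_directives(text):
            if directive == "iroute" and len(args) >= 2:
                iroutes.setdefault((args[0], args[1]), []).append(cn)

    return {
        "has_ccd": has_ccd,
        # kernel sends packets to the tun, but OpenVPN has no client to forward them to
        "missing_iroute": sorted(net for net in routed if net not in iroutes),
        # OpenVPN knows the client owns the subnet, but the kernel never routes to the tun
        "orphan_iroute": sorted(net for net in iroutes if net not in routed),
        # two clients (e.g. a shared cert under different CNs) claim the same LAN
        "conflicts": {net: cns for net, cns in iroutes.items() if len(cns) > 1},
    }


def format_report(result):
    """Render check_config() output as human-readable lines."""
    lines = []
    if not result["has_ccd"]:
        lines.append("WARN: no client-config-dir directive; CCD files are never read")
    for net, mask in result["missing_iroute"]:
        lines.append(f"WARN: route {net} {mask} has no iroute in any CCD file")
    for net, mask in result["orphan_iroute"]:
        lines.append(f"WARN: iroute {net} {mask} has no matching route directive")
    for (net, mask), cns in result["conflicts"].items():
        lines.append(f"ERROR: {net} {mask} claimed by multiple clients: {', '.join(cns)}")
    if not lines:
        lines.append("OK: every routed client subnet has exactly one iroute owner")
    return lines


if __name__ == "__main__":
    for line in format_report(check_config(SERVER_CONF, CCD_FILES)):
        print(line)
```

Run it as-is and the constructed sample reports the unclaimed 192.168.9.0/24; swap the strings for the contents of your real `server.conf` and `ccd/` directory to check a live setup.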
 
