Newbie and VPN...

catcamstar

Known around here
Joined
Jan 28, 2018
Nice diagram!

So if I read back 2 posts above, you cannot ping from 192.168.0.1 towards 10.15.2.3, is that correct?

This means that this "FAI box" cannot route IP traffic to that subnet (as the mikrotik should be able to do that). What is the routing table in the FAI box? I suspect only one gateway, and that's towards the WAN interface (blue line in your diagram)? And I also suspect that your VPN red line is going from the mikrotik over the modem3G over the internet towards the FAI box with VPN server? Otherwise you are creating a possible "spanning tree loop" with the VPN.

Last question from my side: if the 10.x network is your private lan, do you really want your cams/smartpss having access to that LAN?

Thank you!
 
Joined
Apr 26, 2016
Location
Colorado
Not sure for your setup, but when I set up VPN I had to PUSH the supported routes, so that when the VPN connection is made the devices on both ends know which networks are accessible over that tunnel.

in pfSense (so your equipment might require something different) that config was done using a custom config statement: route 192.168.77.0 255.255.255.0 10.0.8.1; push "route 192.168.20.0 255.255.255.0"

Which my beginner network knowledge interpreted as the following (and I might be wrong since I don't do this for a living):
  1. "Route" tells the local router that if any traffic shows up for 192.168.77.X to send it to the remote VPN endpoint (aka send it over the tunnel)
  2. "Push" gets sent to the remote endpoint when the connection is established, and tells the remote endpoint if any traffic is received for 192.168.20.X subnet it needs to come back this way
In my case 192.168.77.X is the remote VPN server, on an ASUS router (similar to your FAI Box). In my case the client is where I ended up putting this information, and my client happens to be similar to where you have the MikroTik router, so I would try configuring something similar in the MikroTik OpenVPN client configuration.

Update: Per https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN MikroTik RouterOS doesn't support route/push, so they recommend manual configuration something like this:
Code:
/interface ovpn-client
  add name=ovpn-client1 connect-to=2.2.2.2 user=client1 password=123 disabled=no
/ip route
  add dst-address=10.5.8.20 gateway=ovpn-client1
  add dst-address=192.168.55.0/24 gateway=ovpn-client1
/ip firewall nat add chain=srcnat action=masquerade out-interface=ovpn-client1
You might need to do some step-by-step testing, because you will probably need something on both ends of the connection for any connection to work: traffic will have to flow over the VPN to the camera/box/PC and then back, and in both directions the route needs to be clear to the endpoints and they need to know the proper gateway (else it will probably end up going out the internet WAN connection to god knows where).
 

0blar

Getting the hang of it
Joined
May 17, 2017
Hi
@catcamstar , correct, I cannot ping from 192.168.0.1 towards 10.15.2.3 or any other devices.
I don't have a routing table in the FAI box; I need to use another router.

And I also suspect that your VPN red line is going from the mikrotik over the modem3G over the internet towards the FAI box with VPN server?
Correct

if the 10.x network is your private lan, do you really want your cams/smartpss having access to that LAN?
The LANs are in different places; all cams and the NVR are located at the 2nd LAN and I need to have access to them via VPN.

Actually I'm using P2P from Dahua and it works.
I prefer using a more secure way.

@crw030
Regarding the VPN configuration, I follow Uroš Vovk.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Actually I'm using P2P from Dahua and it works.
I prefer using a more secure way.
+1 to investigate a more secure way.

Now from what I understand from your additional information: you are actually not looking for an OpenVPN client-server setup, but a site-to-site VPN setup, which is a little bit different (especially on the routing). The good news is that you have unique subnets left and right. It will enable traffic back and forth in and out each subnet. However take into consideration whether (or not) you want to have your cams in your home-lan (e.g. like IoT devices which are better safe and secure in their own lan).

Good luck!
 

0blar

Getting the hang of it
Joined
May 17, 2017
hi

you are actually not looking for an OpenVPN client-server setup, but a site-to-site VPN setup,
Yes

thanks again for your help
 
Joined
Apr 26, 2016
Location
Colorado
@0blar on that VPN guide for MikroTik can you double check you have done steps 3 & 4 according to your network setup? My guess is you might have followed step 4 literally, when instead you needed to use your router IP and remote subnet information. If you aren't seeing the problem and are willing to post screenshots of those same pages in the linked guide, but from your MikroTik, maybe someone here can spot the problem.
 

0blar

Getting the hang of it
Joined
May 17, 2017
Hi

@crw030
Here is more information

> /ip firewall nat print
Code:
0    ;;; defconf: masquerade
    chain=srcnat action=masquerade out-interface=ether1

1    chain=dstnat action=dst-nat to-addresses=10.15.2.3 to-ports=465
      protocol=tcp in-interface=ether1 dst-port=12026

2    chain=dstnat action=dst-nat to-addresses=10.15.2.3 to-ports=2195
      protocol=tcp in-interface=ether1 dst-port=2195

3    chain=srcnat action=masquerade out-interface=pptp-out1 log=no
      log-prefix=""
> /ip route print
Code:
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pptp-out1                 1
 1 ADS  0.0.0.0/0                          pptp-out1                 0
 2   S  0.0.0.0/0                          192.168.8.1               1
 3 ADC  10.15.0.0/24       10.15.0.1       lan                       0
 4 ADC  10.15.1.0/28       10.15.1.1       srv                       0
 5 ADC  10.15.2.0/24       10.15.2.1       ether5                    0
 6 ADS  A.B.C.D/32                         192.168.8.1               0
 7 ADC  192.168.8.0/24     192.168.8.2     ether1                    0
 8 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 9 ADC  E.F.G.H/32         192.168.27.66   pptp-out1                 0
10.15.2.3 is the NVR IP
192.168.27.66 is the VPN client IP address
A.B.C.D/32 is the 1st LAN's WAN public address
E.F.G.H is the 2nd LAN's WAN public address
 
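The point made earlier in the thread (routes have to exist on both ends of the tunnel, or traffic for the far LAN falls through to the default route and leaves via the WAN) can be checked against the `/ip route print` output above. The following is an added example, not code from the thread or from MikroTik: it parses RouterOS-style route listings, does a longest-prefix-match lookup over the active routes (lowest distance wins a tie) and then compares the MikroTik table with a constructed table for the VPN-server side. The two elided public addresses (A.B.C.D and E.F.G.H) are replaced with RFC 5737 documentation addresses, and the FAI-box table, its tunnel subnet 192.168.27.0/24 and the interface name `vpn-server` are assumptions made for the example.

```python
"""Added example (not from the thread): longest-prefix-match route lookup over
RouterOS-style `/ip route print` output, used to show why a site-to-site tunnel
needs a route on *both* ends before the two LANs can reach each other."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: str        # next-hop address or outgoing interface
    distance: int       # lower wins among routes for the same prefix
    active: bool        # only routes flagged 'A' are used for forwarding


def parse_routes(text):
    """Parse `/ip route print` style lines: flags sit between the index and the
    prefix, PREF-SRC is optional, GATEWAY and DISTANCE are the last two columns."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue                      # header, blank line or comment
        dst_idx = next(i for i, t in enumerate(tokens) if "/" in t)
        flags = "".join(tokens[1:dst_idx])
        routes.append(Route(
            dst=ipaddress.ip_network(tokens[dst_idx], strict=False),
            gateway=tokens[-2],
            distance=int(tokens[-1]),
            active="A" in flags,
        ))
    return routes


def next_hop(routes, address):
    """Longest prefix match over active routes, ties broken by lowest distance.
    Returns the gateway string, or None when no active route covers the address."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if r.active and addr in r.dst]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.dst.prefixlen, -r.distance))
    return best.gateway


def with_route(routes, prefix, gateway, distance=1):
    """Copy of the table with one extra active static route: the equivalent of
    the manual `/ip route add dst-address=... gateway=...` step."""
    extra = Route(ipaddress.ip_network(prefix), gateway, distance, True)
    return routes + [extra]


# The MikroTik table from the post above; A.B.C.D and E.F.G.H are stood in for
# by documentation addresses because the post does not give them.
MIKROTIK_ROUTES = """
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pptp-out1                 1
 1 ADS  0.0.0.0/0                          pptp-out1                 0
 2   S  0.0.0.0/0                          192.168.8.1               1
 3 ADC  10.15.0.0/24       10.15.0.1       lan                       0
 4 ADC  10.15.1.0/28       10.15.1.1       srv                       0
 5 ADC  10.15.2.0/24       10.15.2.1       ether5                    0
 6 ADS  198.51.100.10/32                   192.168.8.1               0
 7 ADC  192.168.8.0/24     192.168.8.2     ether1                    0
 8 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 9 ADC  203.0.113.20/32    192.168.27.66   pptp-out1                 0
"""

# Constructed table for the VPN-server side (the 192.168.0.0/24 LAN): a connected
# LAN, an assumed tunnel subnet matching the client's 192.168.27.66, and a default
# route to the ISP. Deliberately no route for 10.15.x, which is the reported state.
FAI_BOX_ROUTES = """
 0 A S  0.0.0.0/0                          203.0.113.1               1
 1 ADC  192.168.0.0/24     192.168.0.1     lan                       0
 2 ADC  192.168.27.0/24    192.168.27.1    vpn-server                0
"""


if __name__ == "__main__":
    mt = parse_routes(MIKROTIK_ROUTES)
    fai = parse_routes(FAI_BOX_ROUTES)
    print("MikroTik -> NVR 10.15.2.3      :", next_hop(mt, "10.15.2.3"))
    print("MikroTik -> 192.168.0.1        :", next_hop(mt, "192.168.0.1"))
    print("FAI box  -> 10.15.2.3          :", next_hop(fai, "10.15.2.3"))
    fixed = with_route(fai, "10.15.0.0/16", "vpn-server")
    print("FAI box + route -> 10.15.2.3   :", next_hop(fixed, "10.15.2.3"))
```

On the MikroTik side the NVR is directly connected (`ether5`) and, because both active default routes point at `pptp-out1`, replies towards 192.168.0.x already go into the tunnel. On the server side the lookup for 10.15.2.3 hits only the default route to the ISP until a 10.15.0.0/16 route via the tunnel interface is added, which is exactly the missing piece the thread is circling around.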