N2N connection between Mikrotik and IPFire via OpenVPN

I'm trying to set up a VPN tunnel between 2 networks:

  • The first one (192.168.11.0/24), the main network of my organization, connected to the internet via IPFire
  • The second one (192.168.88.0/24), the secondary network, located on another floor of the building. It's connected to the internet via a Mikrotik router.

I need all the devices in the second network to have a connection to the Active Directory domain in the first one, including devices such as printers, which can't run any VPN application, so I decided to establish a net-to-net connection using OpenVPN.

Because of my lack of experience with VPN tunneling, I started with host-to-net and managed to set it up without any major issues (pretty much just had to fix the "auth-token" problem), but I encountered a mysterious problem when I tried to set up a direct connection between IPFire and Mikrotik.

On the surface, all the settings appear to be right:

And, of course, neither IPFire nor Mikrotik gives any useful information in the logs:

The problem shouldn't be in the certificate or its private key, as I understand it, because the private key is already included in the certificate by default. Also, all the settings seem to be right, and I can't see why it doesn't work.

Is it even possible for IPFire to connect to Mikrotik via OpenVPN? Maybe I'm just missing something because of my lack of experience?

I'll be grateful for any help with this issue.

P.S.
I don't have enough practice in English, so sorry for any mistakes in how I write.

A small update

I found out that Mikrotik uses the TCP protocol for OpenVPN connections, which cannot be changed to UDP (at least I don't know how to do it). I thought it used UDP because of MTU = 1500, which is the default for UDP in IPFire.

I changed it in IPFire's VPN server settings:

And now some kind of connection is established, but it still keeps terminating because of "no IP address provided":

Logs:

I guess there must be some kind of DHCP service for the VPN? Or do I need to set this address manually somewhere in Mikrotik's settings?

Solution (probably not the best, but the easiest).

So, answering my own questions:

@shizartistdev

I guess there must be some kind of DHCP service for the VPN? Or do I need to set this address manually somewhere in Mikrotik's settings?

There is some kind of DHCP in the OVPN server, which works when you use a Host-To-Net connection. The address pool includes a subnet, which can be configured in the global settings:


IP addresses from this pool are used by VPN clients to communicate with the VPN server and with each other inside the VPN. To use these dynamic addresses you need to choose this option when creating a new Host-To-Net client:

If, for some reason, you want to use static addresses, you can create a static address pool:

And use it as well:

In the first case, the leased client's and server's addresses are sent to the client right after authentication, which is usually shown in the corresponding file in /var/ipfire/ovpn/ccd as:

#This client uses the dynamic pool

In the second case, the addresses are force-pushed to the client:

ifconfig-push 10.10.10.1 10.10.10.2

But, as I found out, the Net-To-Net OVPN server doesn't push any VPN subnet IP addresses to the client, and just expects them to be there, already configured by the client:

Mar 18 15:17:18 LSC-FIREWALL Floor4n2n[18714]: WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.65.253.1 10.65.253.2'

It's useful when you're trying to connect 2 IPFire servers, but Mikrotik neither understands the Net-To-Net concept nor can be manually configured to use a static VPN address, because of the RouterOS design, and expects IP addresses to be sent or pushed to it.

So, there are 2 ways of fixing that:

  • Find a way to push IP addresses to Mikrotik in an n2n connection
  • Connect Mikrotik as a host, using a Host-To-Net connection.

I have no idea if the first method is even possible, so I decided to go the easy way.

The final sequence of actions looks like this:

  1. Create a new Host-To-Net connection
  2. Download the .p12 certificate and add it to the Mikrotik
  3. Configure the OVPN client interface as usual

And be advised: Mikrotik can't use UDP for OVPN, TCP only, so make sure to set TCP as the protocol in the general settings.

Hope this will help someone; it took too much of my time.
If someone can come up with a better solution, please share it in this topic.
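The solution above distinguishes the dynamic pool (addresses leased at connect time) from a static ifconfig-push entry written into the client's file under /var/ipfire/ovpn/ccd. The script below is an added example, not code from the forum post, IPFire or MikroTik: it plans and sanity-checks such ifconfig-push entries. It assumes OpenVPN's default topology net30, in which each client is handed its own /30 and the pushed pair must be the two usable hosts of one /30 (client address first, server-side "remote" address second), and the first /30 of the pool is reserved for the server's own ifconfig pair. The pool 10.10.10.0/24 and the client common names are hypothetical.

```python
"""Plan OpenVPN 'ifconfig-push' entries for a client-config-dir (ccd).

Added example, not code from the forum post, IPFire or MikroTik.
Assumption: the server runs OpenVPN's default 'topology net30', where each
client gets its own /30 and a ccd line must name the two usable hosts of
one /30 (client address first, server-side 'remote' address second).
Pool, common names and paths used here are hypothetical.
"""
import ipaddress
from typing import Dict, Iterator, List, Tuple


def net30_pairs(pool: str) -> Iterator[Tuple[str, str]]:
    """Yield (client_ip, remote_ip) for every /30 in the pool, in order.

    The first /30 is skipped: under 'server' mode OpenVPN keeps it for the
    server's own pair (e.g. 10.10.10.1 local / 10.10.10.2 remote).
    """
    blocks = ipaddress.ip_network(pool).subnets(new_prefix=30)
    next(blocks)  # reserved for the server's own ifconfig pair
    for block in blocks:
        remote, client = block.hosts()  # a /30 has exactly two usable hosts
        yield str(client), str(remote)


def valid_net30_pair(client_ip: str, remote_ip: str) -> bool:
    """True if client_ip and remote_ip are the two usable hosts of one /30.

    Rejects pairs that straddle a /30 boundary, reuse one address, or touch
    the network/broadcast address; under net30 OpenVPN treats the pair as a
    point-to-point /30, so anything else is a misconfiguration that the
    web UI will not flag for you.
    """
    client = ipaddress.ip_address(client_ip)
    remote = ipaddress.ip_address(remote_ip)
    block = ipaddress.ip_network(f"{client}/30", strict=False)
    return client != remote and {client, remote} == set(block.hosts())


def render_ccd_entry(common_name: str, client_ip: str, remote_ip: str) -> str:
    """Return the ccd file body for one client with a static address."""
    if not valid_net30_pair(client_ip, remote_ip):
        raise ValueError(
            f"{common_name}: {client_ip}/{remote_ip} is not a net30 pair")
    return (f"# static address for {common_name}\n"
            f"ifconfig-push {client_ip} {remote_ip}\n")


def assign_static_addresses(pool: str, common_names: List[str]) -> Dict[str, str]:
    """Map each client common name to its ccd entry, allocating /30s in order."""
    pairs = net30_pairs(pool)
    entries: Dict[str, str] = {}
    for name in common_names:
        try:
            client_ip, remote_ip = next(pairs)
        except StopIteration:
            raise ValueError(f"pool {pool} exhausted before {name}") from None
        entries[name] = render_ccd_entry(name, client_ip, remote_ip)
    return entries


if __name__ == "__main__":
    # OpenVPN looks up ccd files by the certificate's common name (CN);
    # these CNs and the pool are made up for the example.
    planned = assign_static_addresses("10.10.10.0/24",
                                      ["mikrotik-floor2", "printer-gw"])
    for cn, body in planned.items():
        print(f"--- /var/ipfire/ovpn/ccd/{cn}")
        print(body, end="")
```

Run it and it prints one ccd body per client; the first client lands on 10.10.10.6 with remote 10.10.10.5, the next on 10.10.10.10/10.10.10.9, and a pool that is too small raises instead of silently reusing addresses.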