N2N connection between Mikrotik and IPFire via OpenVPN

Virtual Private Networks OpenVPN
1

I`m trying to setup a VPN tunnel between 2 networks:

  • The first one (192.168.11.0/24), the main network of my organization, connected to the internet via IPFire
  • The second one (192.168.88.0/24), the secondary network, located on another floor of the building. It`s connected to the internet via mikrotik router.
    Topology
    Topology974×374 6.95 KB

I need all the devices from the second network to have a connection to the Active Directory domain system in the first one, including such devices as printers, which can`t use any VPN applications, so I decided to establish a net-to-net connection, using OpenVPN.

Because of lack of experience in VPN tunneling, I started with using host-to-net, and managed to set it without any major issues (pretty much just had to fix “auth-token” problem), but encountered some mysterious problem, when I tried to set a direct connection between IPFire an Mikrotik.

On the surface all the settings appear to be right:

Global OpenVPN settings on IPFire
Global OpenVPN settings on IPFire981×577 7.23 KB

My net-to-net VPN connection's settings on IPFire
My net-to-net VPN connection's settings on IPFire971×551 7.56 KB

Mikrotik`s settings
Mikrotik`s settings1741×869 29.4 KB

And, of course, both IPfire and Mikrotik don’t give any useful information in logs:

Mikrotik logs
Mikrotik logs929×871 16.8 KB

IPFire logs
IPFire logs1200×187 5.55 KB

The problem shouldn’t be in the certificate or it’s private key, as I understand it, because the private key is already included into the certificate by default. Also, all the settings seems to be right, and I can’t see why it doesn’t work.

Is it even possible for IPFire to connect with Mikrotik via OpenVPN? Maybe I just missing something because of my lack of experience?

I’ll be gratefull for any help with that issue.

P.S.
I dont have enough practice of english language, so sorry if there any mistakes in how I’m speaking.

2

A small update

I found out, that Mikrotik uses TCP protocol for OpenVPN connection, which cannot be changed to UDP (at least I don’t know how to do it). I thought it uses UDP, because of MTU = 1500, which is default for UDP in IPFire.

I changed it in IPFire’s VPN server settings:

Changed to TCP protocol
Changed to TCP protocol982×514 7.22 KB

And now some kind of connection establishes, but it still keep on terminating, because of “no IP address provided”

Logs:

Mikrotik logs
Mikrotik logs978×764 16.9 KB

IPfire logs
IPfire logs1401×369 10.8 KB

I guess there must be some kind of DHCP service for VPN? Or do I need to manually set this address somewhere in the Mikrotik’s settings?

3

Solution (probably not the best, but the easiest).

So, answering my own questions:

@shizartistdev

IPfire logs
IPfire logs1401×369 10.8 KB

I guess there must be some kind of DHCP service for VPN? Or do I need to manually set this address somewhere in the Mikrotik’s settings?

There is some kind of DHCP in OVPN server, which is working, when you use Host-To-Net connection. The address pool includes a subnet, which can be configured in global settings:

OVPN subnet address pool
OVPN subnet address pool981×577 7.37 KB

IP addresses from this pool are being used by VPN clients, to communicate with VPN server and each other inside VPN. To use this dynamic addresses you need to choose this function, when you creating a new Host-To-Net client:
Dynamic OVPN address pool
Dynamic OVPN address pool983×465 4.73 KB

If, for some reason, you want to use static addresses, you can create static address pool:
Static OVPN address pool
Static OVPN address pool973×274 3.18 KB

And use it as well:
Static addresses
Static addresses961×369 5.45 KB

In the first case, rented client’s and the server’s addresses are being sent to the client right after authentication, which is usualy shown in corresponding file in /var/ipfire/ovpn/ccd as:

#This client usus the dynamic pool

In the second case, addresses are being force pushed to the client.

ifconfig-push 10.10.10.1 10.10.10.2

But, as I found out, Net-To-Net OVPN server doesn’t push any VPN subnet IP addresses to the client, and just expects them to be there, already configured by client.

Mar 18 15:17:18 LSC-FIREWALL Floor4n2n[18714]: WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.65.253.1 10.65.253.2'

It`s usefull, when you’re trying to connect 2 IPFire servers, but Mikrotik neither doesn’t uderstand the Net-To-Net conception nor can’t be manualy configured to use static VPN address, because of RouterOS design, and expecting IP addresses to be send or pushed to it.

So, there are 2 ways of fixing that:

  • Find a way, to push IP addresses to mikrotik in n2n connection
  • Connect mikrotik as a host, using Host-To-Net connection.

I have no idea if the first method is even possible, so I decided to use an easy way.

The final algorithm of actions looks like this:

  1. Create new Host-To-Net connection
    New connection
    New connection963×883 9.4 KB
  2. Download the .p12 certificate, and add it to the Mikrotik
    Certificate
    Certificate1373×273 20.3 KB
  3. Configure OVPN client interface as usual
    Mikrotik config
    Mikrotik config595×711 33.3 KB

And be advised - Mikrotik can’t use UDP for OVPN, TCP only, so make shure to set TCP as a protocol in general settings.

TCP
TCP968×530 6.23 KB

Hope this will help someone, it took too much of my time.
If someone can come up with a better solution, please share it in this topic.