Hi,
in our office all devices are in one subnet: 192.168.33.0/24.
Let 5.5.5.5 be our public, static IP address, and:
192.168.33.1 - MikroTik router with freshly upgraded RouterOS 6.40 and internet on ether1
192.168.33.8 - Loxone Miniserver (home logic) server with an unsecured (says the browser) login site on port 443
192.168.33.108 - Main server running Windows Server 2008
I’ve set up an OpenVPN server on the router and run into problems. Some clients are Android devices, so I have to use tun / ip and not tap / ethernet, right?
- I couldn’t set UDP as the protocol, so I run TCP, and it may be a bad idea: I get no video stream from the home logic server. I can steer other things, but no video feed. The error says “No picture” and I see the video stream address with our external IP: http://5.5.5.5:65003/Streaming/channels/102/httppreview.
I’m almost sure that the camera feed will be UDP packets; how do I solve it?
Here is my OpenVPN client config:
client
dev tun
proto tcp
remote 5.5.5.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
<ca>...</ca> <cert>..</cert><key>..rsa..</key>
On the MikroTik side in the OVPN Server dialog box:
Port: 1194
Mode: ip # it means ‘tun’ and ‘ethernet’ means ‘tap’, right?
Netmask: 24
MaxMTU: 1500
Keepalive Timeout: 60
Require Client Certificate: checked
Auth: sha1
Cipher: aes 128, aes 192, aes 256
PPP Profile:
Local Address: ovpn-pool # defined as 192.168.44.240 - 249
Remote Address: ovpn-pool
DNS Server: 192.168.33.1 # router's IP
Change TCP MSS: default
Use UPnP: default
Protocols:
Use MPLS: default
Use Compression: default
Use Encryption: yes
Firewall / Filter Rules:
Action: accept, Chain: input, Protocol: 6 (and 17 too), Dst. Port: 1194, In Interface: ether1 (WAN)
Not much more here: accept, input, 6 (tcp), 1723, ether1 and accept, input, 47 (gre), ether1
NAT:
Action: masquerade, Chain: srcnat, Out. Interface: ether1
Any ideas how to solve that riddle?
Bonus problem
Our server is the only device I can’t see when in the LAN through the VPN. I can’t see any firewall rules to hide it from the VPN.
Regards.
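The client config quoted in the post is the kind of file that gets copied to many devices, so it is worth running a hardening check over it before handing it out. The following is an added example, not code from the post or from OpenVPN/MikroTik: a small linter that parses the flat `option args` lines and the inline `<ca>`/`<cert>`/`<key>` blocks and flags settings a reviewer would question (missing `remote-cert-tls server`, CBC rather than AEAD cipher, legacy HMAC digest, compression, no control-channel key, cached credentials). The severities and the rule list are this example's own assumptions; the sample input is the post's config with the key material elided as in the post.

```python
"""Linter for OpenVPN client configs (added example, not from the post).

Parses the flat "option args" lines plus inline <tag>...</tag> blocks and
applies a handful of hardening checks. Severities and rules are this
example's assumptions, not OpenVPN project guidance.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the client config quoted in the post, keys elided.
SAMPLE_CONFIG = """\
client
dev tun
proto tcp
remote 5.5.5.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
<ca>...</ca> <cert>..</cert><key>..rsa..</key>
"""

# Inline blocks may share one line, as in the post, so match non-greedily.
BLOCK_RE = re.compile(r"<(\w[\w-]*)>(.*?)</\1>", re.DOTALL)

Finding = Tuple[str, str]  # (severity, message)


def parse_ovpn(text: str) -> Tuple[Dict[str, List[List[str]]], Dict[str, str]]:
    """Split a config into options and inline blocks.

    options maps an option name to every argument list seen for it (an
    option such as 'remote' may repeat); blocks maps an inline tag name
    ('ca', 'cert', 'key', ...) to its body.
    """
    blocks = {m.group(1): m.group(2).strip() for m in BLOCK_RE.finditer(text)}
    flat = BLOCK_RE.sub("", text)
    options: Dict[str, List[List[str]]] = {}
    for raw in flat.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # OpenVPN comment lines
            continue
        name, *args = line.split()
        options.setdefault(name, []).append(args)
    return options, blocks


def lint_ovpn(text: str) -> List[Finding]:
    """Return hardening findings for one client config."""
    opts, blocks = parse_ovpn(text)
    findings: List[Finding] = []

    def first_arg(name: str) -> str:
        args = opts.get(name, [[]])[0]
        return args[0].upper() if args else ""

    # Without this the client accepts any cert from the CA as "the server".
    if first_arg("remote-cert-tls") != "SERVER":
        findings.append(("HIGH", "remote-cert-tls server missing: any client "
                                 "certificate from the same CA could pose as the server"))
    for tag in ("ca", "cert", "key"):
        if tag not in blocks and tag not in opts:
            findings.append(("HIGH", f"no <{tag}> block or {tag} file: TLS auth incomplete"))
    cipher = first_arg("cipher")
    if not cipher:
        findings.append(("MEDIUM", "no cipher set: relies on this version's default"))
    elif cipher.endswith("-CBC"):
        findings.append(("LOW", f"{cipher} is CBC, not AEAD: prefer AES-GCM "
                                "where the server supports it"))
    if first_arg("auth") in ("SHA1", "MD5"):
        findings.append(("LOW", f"HMAC digest {first_arg('auth')} is legacy: prefer SHA256"))
    if "comp-lzo" in opts or "compress" in opts:
        findings.append(("MEDIUM", "compression enabled: compressing secrets together "
                                   "with attacker-influenced data leaks information"))
    if not ({"tls-auth", "tls-crypt", "tls-crypt-v2"} & opts.keys()):
        findings.append(("INFO", "no tls-auth/tls-crypt: the open port accepts "
                                 "unauthenticated TLS handshakes"))
    if "auth-user-pass" in opts and "auth-nocache" not in opts:
        findings.append(("LOW", "auth-user-pass without auth-nocache: credentials "
                                "stay cached in process memory"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_ovpn(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the post's config the linter raises no HIGH finding (the client does pin `remote-cert-tls server` and carries all three inline blocks), and reports the CBC cipher, SHA1 digest, absent control-channel key and cached credentials as lower-severity items to weigh against what the server side can actually negotiate.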