Loxone home server video stream over OpenVPN on MikroTik

Hi,

in our office all devices are in one subnet: 192.168.33.0/24.
Let 5.5.5.5 be our public, static IP address, and:
192.168.33.1 - MikroTik router with freshly upgraded RouterOS 6.40 and internet on ether1
192.168.33.8 - Loxone Miniserver (home logic) server with unsecured (says browser) login site on port 443
192.168.33.108 - Main server running Windows Server 2008

I’ve set up an OpenVPN server on the router and ran into problems. Some clients are Android devices so I have to use tun / ip and not tap / ethernet, right?

  1. I couldn’t set UDP as the protocol, so I run TCP and it may be a bad idea: I get no video stream from the home logic server. I can steer other things, but no video feed. The error says “No picture” and I see the video stream address with our external IP: http://5.5.5.5:65003/Streaming/channels/102/httppreview.
    I’m almost sure that the camera feed will be UDP packed, how to solve it?

Here is my OpenVPN client config:

client
dev tun
proto tcp
remote 5.5.5.5 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
<ca>...</ca> <cert>..</cert><key>..rsa..</key>

On the MikroTik side, in the OVPN Server dialog box:
Port: 1194
Mode: ip # it means ‘tun’ and ‘ethernet’ means ‘tap’, right?
Netmask: 24
MaxMTU: 1500
Keepalive Timeout: 60
Require Client Certificate: checked
Auth: sha1
Cipher: aes 128, aes 192, aes 256

PPP Profile:
Local Address: ovpn-pool # defined as 192.168.44.240 - 249
Remote Address: ovpn-pool
DNS Server: 192.168.33.1 # router's IP
Change TCP MSS: default
Use UPnP: default
protocols
Use MPLS: default
Use Compression: default
Use Encryption: yes

Firewall / Filter Rules:
Action: accept, Chain: input, Protocol: 6 (and 17 too), Dst. Port: 1194, In Interface: ether1 (WAN)
Not much more here: accept, input, 6 (tcp), 1723, ether1 and accept, input, 47 (gre), ether1

NAT:
Action: masquerade, Chain: srcnat, Out. Interface: ether1

Any ideas how to solve that riddle?

Bonus problem :wink:
Our server is the only device I can’t see when in the LAN through VPN. I can’t see any firewall rules to hide it from VPN.

Regards.

Couple of questions;
1.) Is port forwarding enabled?
2.) Can you ping it on the lan?

(Sorry if it sounds obvious)

Thanks for the hints.
Ad1) No port forwarding used, as far as I know.
Ad2) If you mean the main server, then I can’t see it running while going thru VPN (but it’s ok from LAN). If you mean the home logic server, it works almost fine with VPN, just no video stream.

Some progress.
After playing around I’ve found a working camera. It has our LAN address as stream source (192.168.33.8 - Loxone server). I have no access to the cameras now, but I will try to get it.

If anybody has a clue why I can’t see my server on the LAN while on VPN, please share. I see filters but maybe I need to look below the WinBox GUI?

Problem solved, it was a misconfigured Loxone server. It works now and OpenVPN runs like a charm on almost anything.
Thanks for the help, @corpse_painted.
I think that thread has no info value and deserves to be deleted.