I'm trying to include the MikroTik subnet (192.168.88.0/24) in my OpenVPN. I'm able to connect the MikroTik device to the VPN; however, it does not support TLS auth yet, so I'm authenticating with username/password using radiusplugin.
I really would like to have the MikroTik subnet reachable from everywhere. I found the documentation on the OpenVPN site, and it says I need to perform internal routing based on the client common name. Considering I can't use a client certificate, I found the username-as-common-name feature, which seems to fit my requirements; however, it does not work. Tracerouting the IP, the first hop is the VPN server and the second hop is nothing. (I assume iroute did not work, right?)
Any idea how I can work around this?
Following is my config:
push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
route 192.168.88.0 255.255.255.0
client-to-client
push "route 192.168.88.0 255.255.255.0"
dev tun
management /var/run/openvpn.sock unix
server 10.8.0.0 255.255.255.0
dh /var/packages/VPNCenter/target/etc/openvpn/keys/dh3072.pem
ca /var/packages/VPNCenter/target/etc/openvpn/keys/ca.crt
cert /var/packages/VPNCenter/target/etc/openvpn/keys/server.crt
key /var/packages/VPNCenter/target/etc/openvpn/keys/server.key
max-clients 10
client-config-dir /PATH_TO_CCD/ccd
persist-tun
persist-key
verb 3
log-append /var/log/openvpn.log
keepalive 10 60
reneg-sec 0
plugin /PATH_TO_PLUGIN/radiusplugin.so /PATH_TO_PLUGIN/radiusplugin.cnf
client-cert-not-required
username-as-common-name
duplicate-cn
status /tmp/ovpn_status_2_result 30
status-version 2
proto tcp6-server
mssfix 1450
port 1194
cipher AES-256-CBC
auth SHA1
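Added example, not part of the original post and not OpenVPN's own tooling: the post's server config has the `route 192.168.88.0 255.255.255.0` line, which installs the kernel route into the tun interface, but a `route` alone only gets the packets as far as the OpenVPN process; OpenVPN then needs an `iroute` for the same subnet in the client-config-dir file whose name equals the common name it sees for that client. With `username-as-common-name` that name is the RADIUS username, matched exactly (case included), so a ccd file named after a certificate CN or with a different capitalisation is silently ignored. The script below writes such a ccd entry and then checks the two things that most often break this setup: that a ccd file exists under the expected username, and that every `iroute` in the ccd directory is backed by a matching `route` in the server config. It assumes the username is `mikrotik` and works in a scratch directory with a constructed copy of the relevant config lines; point `WORK` (or the two path variables) at the real files to check a live server.

```shell
#!/bin/sh
# Added example (not from the original post). Creates a ccd entry that makes
# OpenVPN route 192.168.88.0/24 to the client that logs in as "mikrotik", then
# checks the two usual causes of "route exists but the subnet is unreachable":
#   1. the ccd file name must equal the common name OpenVPN sees; with
#      username-as-common-name that is the RADIUS username, exact case;
#   2. every 'iroute' in ccd needs a matching 'route' in the server config,
#      otherwise the kernel never hands those packets to OpenVPN at all.
# Assumptions: username "mikrotik"; paths live under a scratch directory
# ($WORK) holding a constructed sample config, not the real VPNCenter paths.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CCD_DIR="$WORK/ccd"
SERVER_CONF="$WORK/server.conf"

# Constructed sample: only the lines of the post's config that matter here.
write_sample_server_conf() {
  mkdir -p "$CCD_DIR"
  cat > "$SERVER_CONF" <<EOF
server 10.8.0.0 255.255.255.0
route 192.168.88.0 255.255.255.0
push "route 192.168.88.0 255.255.255.0"
client-config-dir $CCD_DIR
client-cert-not-required
username-as-common-name
EOF
}

# write_ccd_entry USERNAME NETWORK NETMASK
# The file name is the common name; with username-as-common-name that is the
# login name exactly as the RADIUS plugin reports it.
write_ccd_entry() {
  mkdir -p "$CCD_DIR"
  printf 'iroute %s %s\n' "$2" "$3" > "$CCD_DIR/$1"
}

# has_ccd_for_user USERNAME -> 0 if a ccd file exists under that exact name
has_ccd_for_user() {
  [ -f "$CCD_DIR/$1" ]
}

# check_iroutes SERVER_CONF CCD_DIR
# Prints one line per problem; returns 0 only when every iroute found in the
# ccd directory has a matching 'route NET MASK' (not 'push "route ..."' and
# not 'iroute') in the server config. Dots in the addresses are matched
# loosely by grep -E, which is good enough for a sanity check.
check_iroutes() {
  conf=$1; ccd=$2; rc=0
  for f in "$ccd"/*; do
    [ -f "$f" ] || continue
    cn=$(basename "$f")
    while read -r kw net mask; do
      [ "$kw" = "iroute" ] || continue
      if ! grep -qE "^[[:space:]]*route[[:space:]]+${net}[[:space:]]+${mask}([[:space:]]|$)" "$conf"; then
        echo "ccd/$cn: 'iroute $net $mask' has no matching 'route' line in $conf"
        rc=1
      fi
    done < "$f"
  done
  return $rc
}

# Demo run: build the sample, add the MikroTik entry, verify both conditions.
write_sample_server_conf
write_ccd_entry mikrotik 192.168.88.0 255.255.255.0
has_ccd_for_user mikrotik && echo "ccd entry present for user mikrotik"
check_iroutes "$SERVER_CONF" "$CCD_DIR" && echo "every iroute is backed by a route"
```

Run it as-is to see the checks pass on the constructed sample, or set `WORK` so that `CCD_DIR` and `SERVER_CONF` point at a real server's files. Two caveats worth keeping in mind with this particular config: `duplicate-cn` lets several sessions log in with the same username, but an `iroute` can only point at one of them, so the MikroTik login should be unique; and OpenVPN logs a `MULTI: bad source address from client` line when a client sends packets from a subnet it has no `iroute` for, which is the quickest way to confirm from `/var/log/openvpn.log` whether the ccd file was picked up.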