Сжатый конфиг (удалил лишнее):
# RouterOS export, trimmed by the author. Sections: OVPN server interface
# bindings, address pools, DHCP, PPP profiles, PPPoE uplink, OVPN server
# settings, LAN address, firewall filter/NAT, default route, PPP secret.
/interface ovpn-server
# Static OVPN server interfaces bound to the users "ovpn" and "username".
add disabled=no name=ovpn-in-ovpn user=ovpn
add comment="" disabled=no name=ovpn-in-username user=username
/ip pool
# dhcp-pool serves the LAN (192.168.30.0/24). vpn-pool (192.168.31.x) is
# defined but nothing else in this export references it: the profiles below
# carry no local/remote-address and the secret uses fixed addresses —
# NOTE(review): presumably trimmed, confirm on the live router.
add name=dhcp-pool ranges=192.168.30.100-192.168.30.254
add name=vpn-pool ranges=192.168.31.100-192.168.31.254
/ip dhcp-server
add address-pool=dhcp-pool authoritative=yes bootp-support=static disabled=no \
interface=bridge lease-script="" lease-time=1d name=dhcp use-radius=no
/ppp profile
# Built-in "default" profile, encryption left at default.
set *0 address-list="" !bridge !bridge-horizon !bridge-path-cost \
!bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
!incoming-filter !insert-queue-before !interface-list !local-address \
name=default on-down="" on-up="" only-one=default !outgoing-filter \
!parent-queue !queue-type !rate-limit !remote-address !session-timeout \
use-compression=default use-encryption=default use-mpls=default use-upnp=\
default !wins-server
# VPN login profile: encryption is mandatory (use-encryption=required), the
# router's LAN address is pushed as DNS and WINS server, and only-one=no lets
# the same credentials hold several simultaneous sessions.
add address-list="" !bridge !bridge-horizon !bridge-path-cost \
!bridge-port-priority change-tcp-mss=default comment="" dns-server=192.168.30.1 !idle-timeout !incoming-filter \
!insert-queue-before !interface-list !local-address name=ovpn-in-username \
on-down="" on-up="" only-one=no !outgoing-filter !parent-queue \
!queue-type !rate-limit !remote-address !session-timeout use-compression=\
default use-encryption=required use-mpls=default use-upnp=default \
wins-server=192.168.30.1
# Built-in "default-encryption" profile.
set *FFFFFFFE address-list="" !bridge !bridge-horizon !bridge-path-cost \
!bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout \
!incoming-filter !insert-queue-before !interface-list !local-address \
name=default-encryption on-down="" on-up="" only-one=default \
!outgoing-filter !parent-queue !queue-type !rate-limit !remote-address \
!session-timeout use-compression=default use-encryption=yes use-mpls=\
default use-upnp=default !wins-server
/interface pppoe-client
# PPPoE uplink on ether1. The default route is not taken from the peer
# (add-default-route=no); a static one is added under /ip route below.
# user/password are placeholders in this paste.
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 \
dial-on-demand=no disabled=no interface=ether1 keepalive-timeout=30 \
max-mru=auto max-mtu=auto mrru=disabled name=pppoe-out password=0000000 \
profile=pppoe-out service-name="" use-peer-dns=no user=00000000
/interface ovpn-server server
# OVPN server: certificate "server", AES-256 with SHA1 HMAC, mode=ip (tun),
# client certificate required on top of username/password. The port is
# redacted (***); the client config in this post uses 443, which matches
# the tcp/443 input rule below.
# NOTE(review): default-profile=ovpn-in-ovpn, but no /ppp profile of that
# name appears in this export (only default, ovpn-in-username,
# default-encryption) — presumably trimmed or renamed; confirm.
set auth=sha1 certificate=server cipher=aes256 default-profile=ovpn-in-ovpn \
enabled=yes keepalive-timeout=15 mac-address=000000 max-mtu=\
1500 mode=ip netmask=24 port=*** require-client-certificate=yes
/ip address
add address=192.168.30.1/24 disabled=no interface=bridge network=192.168.30.0
/ip firewall filter
# input chain, in order: accept established/related/untracked; accept
# tcp/443 arriving on pppoe-out (the OVPN listener); drop invalid; accept
# ICMP; drop everything not from the LAN interface list.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" !connection-bytes \
!connection-limit !connection-mark !connection-nat-state !connection-rate \
connection-state=established,related,untracked !connection-type !content \
disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
!dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
!ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
!nth !out-bridge-port !out-bridge-port-list !out-interface \
!out-interface-list !packet-mark !packet-size !per-connection-classifier \
!port !priority !protocol !psd !random !routing-mark !routing-table \
!src-address !src-address-list !src-address-type !src-mac-address \
!src-port !tcp-flags !tcp-mss !time !tls-host !ttl
# The author's only addition to the default firewall: admit the OVPN
# listener from the WAN side. No source restriction, so the OVPN server's
# certificate + password requirement is the only gate here.
add action=accept chain=input comment="" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate !connection-state !connection-type \
!content disabled=no !dscp !dst-address !dst-address-list \
!dst-address-type !dst-limit dst-port=443 !fragment !hotspot \
!icmp-options !in-bridge-port !in-bridge-port-list in-interface=pppoe-out \
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
!layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
!out-bridge-port-list !out-interface !out-interface-list !packet-mark \
!packet-size !per-connection-classifier !port !priority protocol=tcp !psd \
!random !routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!tls-host !ttl
add action=drop chain=input comment="defconf: drop invalid" !connection-bytes \
!connection-limit !connection-mark !connection-nat-state !connection-rate \
connection-state=invalid !connection-type !content disabled=no !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
!in-interface !in-interface-list !ingress-priority !ipsec-policy \
!ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
!packet-mark !packet-size !per-connection-classifier !port !priority \
!protocol !psd !random !routing-mark !routing-table !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time !tls-host !ttl
add action=accept chain=input comment="defconf: accept ICMP" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate !connection-state !connection-type \
!content disabled=no !dscp !dst-address !dst-address-list \
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
!in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority protocol=icmp !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!tls-host !ttl
# The comment= value below is the export's cp1251 escaping of the author's
# Russian note, roughly: "in particular, seems to close DNS port 53 on the
# external interfaces". Catch-all drop for input not from the LAN list.
# NOTE(review): the interface lists are not in this export. If the ovpn-in-*
# interfaces are not members of LAN, this rule also drops VPN clients'
# traffic to the router itself, including DNS/WINS at 192.168.30.1 that
# the ovpn-in-username profile pushes — confirm on the live router.
add action=drop chain=input comment="defconf: drop all not coming from LAN (\
\C2\D2\D7 \E2\F0\EE\E4\E5 \E7\E0\EA\F0\FB\E2\E0\E5\F2 53 \EF\EE\F0\F2 \C4\
\CD\D1 \ED\E0 \E2\ED\E5\F8\ED\E8\F5 \E8\ED\F2\E5\F0\F4\E5\E9\F1\E0\F5)" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate !connection-state !connection-type \
!content disabled=no !dscp !dst-address !dst-address-list \
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
!in-bridge-port !in-bridge-port-list !in-interface in-interface-list=!LAN \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!tls-host !ttl
# forward chain, in order: accept IPsec in/out policy; fasttrack (disabled
# here); accept established/related/untracked; drop invalid; drop new
# connections from the WAN list that were not DST-NATed. There is no
# terminal drop, so forwarding from the ovpn-in-* interfaces toward the
# LAN is allowed unless they are members of WAN (lists not shown).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate !connection-state !connection-type \
!content disabled=no !dscp !dst-address !dst-address-list \
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
!in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
!ingress-priority ipsec-policy=in,ipsec !ipv4-options !layer7-protocol \
!limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!tls-host !ttl
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate !connection-state !connection-type \
!content disabled=no !dscp !dst-address !dst-address-list \
!dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
!in-bridge-port !in-bridge-port-list !in-interface !in-interface-list \
!ingress-priority ipsec-policy=out,ipsec !ipv4-options !layer7-protocol \
!limit log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!tls-host !ttl
# Fasttrack rule kept but disabled=yes; its comment links the author's reason.
add action=fasttrack-connection chain=forward comment=\
"defconf: fasttrack (disabled as https://habr.com/ru/post/435372/)" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate connection-state=\
established,related !connection-type !content disabled=yes !dscp \
!dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
!fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
!in-interface !in-interface-list !ingress-priority !ipsec-policy \
!ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
!out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
!packet-mark !packet-size !per-connection-classifier !port !priority \
!protocol !psd !random !routing-mark !routing-table !src-address \
!src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
!tcp-mss !time !tls-host !ttl
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" !connection-bytes \
!connection-limit !connection-mark !connection-nat-state !connection-rate \
connection-state=established,related,untracked !connection-type !content \
disabled=no !dscp !dst-address !dst-address-list !dst-address-type \
!dst-limit !dst-port !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list !in-interface !in-interface-list !ingress-priority \
!ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
!nth !out-bridge-port !out-bridge-port-list !out-interface \
!out-interface-list !packet-mark !packet-size !per-connection-classifier \
!port !priority !protocol !psd !random !routing-mark !routing-table \
!src-address !src-address-list !src-address-type !src-mac-address \
!src-port !tcp-flags !tcp-mss !time !tls-host !ttl
add action=drop chain=forward comment="defconf: drop invalid" \
!connection-bytes !connection-limit !connection-mark \
!connection-nat-state !connection-rate connection-state=invalid \
!connection-type !content disabled=no !dscp !dst-address \
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
!in-interface-list !ingress-priority !ipsec-policy !ipv4-options \
!layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
!out-bridge-port-list !out-interface !out-interface-list !packet-mark \
!packet-size !per-connection-classifier !port !priority !protocol !psd \
!random !routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!tls-host !ttl
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" !connection-bytes \
!connection-limit !connection-mark connection-nat-state=!dstnat \
!connection-rate connection-state=new !connection-type !content disabled=\
no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
!dst-port !fragment !hotspot !icmp-options !in-bridge-port \
!in-bridge-port-list !in-interface in-interface-list=WAN \
!ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
log=no log-prefix="" !nth !out-bridge-port !out-bridge-port-list \
!out-interface !out-interface-list !packet-mark !packet-size \
!per-connection-classifier !port !priority !protocol !psd !random \
!routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
!tls-host !ttl
/ip firewall nat
# Default-config masquerade for everything leaving via the WAN list
# (skipping IPsec-policy traffic, ipsec-policy=out,none).
add action=masquerade chain=srcnat comment="" \
!connection-bytes !connection-limit !connection-mark !connection-rate \
!connection-type !content disabled=no !dscp !dst-address \
!dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
!hotspot !icmp-options !in-bridge-port !in-bridge-port-list !in-interface \
!in-interface-list !ingress-priority ipsec-policy=out,none !ipv4-options \
!layer7-protocol !limit log=no log-prefix="" !nth !out-bridge-port \
!out-bridge-port-list !out-interface out-interface-list=WAN !packet-mark \
!packet-size !per-connection-classifier !port !priority !protocol !psd \
!random !routing-mark !routing-table !src-address !src-address-list \
!src-address-type !src-mac-address !src-port !tcp-mss !time !tls-host \
!to-addresses !to-ports !ttl
/ip route
# Static default route via the PPPoE uplink (pppoe-client has
# add-default-route=no above).
add !bgp-as-path !bgp-atomic-aggregate !bgp-communities !bgp-local-pref \
!bgp-med !bgp-origin !bgp-prepend !check-gateway comment="" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=pppoe-out !route-tag !routing-mark scope=30 target-scope=10
/ppp secret
# VPN account "ovpn": restricted to the OVPN service (service=ovpn), fixed
# tunnel addresses 192.168.31.1 (router) / 192.168.31.2 (client), no pushed
# routes. Password is a placeholder in this paste. Uses profile
# ovpn-in-ovpn, which is not among the profiles shown above (see note at
# the OVPN server section).
add caller-id="" comment="" disabled=no \
limit-bytes-in=0 limit-bytes-out=0 local-address=192.168.31.1 name=ovpn \
password=000000 profile=ovpn-in-ovpn remote-address=192.168.31.2 \
routes="" service=ovpn
интернет — PPPoE
фаервол заводской (defconf), из дополнений только разрешение на входящий OVPN
в NAT прописан маскарадинг на внешних интерфейсах (interface list WAN)
роутинги все на динамике, вручную не правил
Конфиг-файл клиентов:
# OpenVPN client profile matching the RouterOS server in this post:
# TCP transport, AES-256-CBC with SHA1 HMAC, client certificate plus
# username/password.
client
# tun corresponds to the server's mode=ip.
dev tun
proto tcp
# Placeholder host; the server port is redacted (***) in the export, while
# the router's input firewall rule admits tcp/443 on the PPPoE interface.
remote sample.com 443
# Must match the server's cipher=aes256 / auth=sha1.
cipher AES-256-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
# No file argument, so the username/password are prompted interactively.
auth-user-pass
# Only accept a peer whose certificate is marked for server use; a leaked
# client certificate cannot be used to impersonate the server.
remote-cert-tls server
verb 3
# Inline client certificate, private key and CA are empty in this paste
# (contents omitted by the author).
<cert>
</cert>
<key>
</key>
<ca>
</ca>