I have a Linux server running an OpenVPN TUN server directly connected to an MX-84, and the MX is directly connected to the open Internet. The MX is almost entirely out of the box, very little configuration. The Linux laptop is on the default 192.168.128.0/24 subnet, vlan0. When a remote client connects to the OpenVPN server it gets a 10.8.0.0/24 address on a TUN interface. If the remote client attempts to connect to the WAN (Internet), it gets blocked by the MX and there's an error in the event log (MAC masked for privacy):
Source IP and/or VLAN mismatch
source_client_ip: 192.168.128.3, source_client_mac: XX:XX:XX:XX:XX:XX, source_client_assigned_vlan: 0
The remote client can access other resources on the Linux laptop, but cannot access the outside Internet. I've tried adding a subnet to the MX so it recognizes the 10.8.0.0/24 network. I've added an explicit outbound firewall rule to permit all outgoing traffic from 10.8.0.0/24 to ANY. I've tried changing the VPN client network so that the client gets a 192.168.128.50 address (not currently in use elsewhere on the MX). No luck on any of those. Is there some setting I'm missing so that the MX will allow outbound traffic from two different subnets from the same source MAC? I didn't want to fiddle with too many settings and risk breaking other things I've got running. This is about the only thing I don't have functional at the moment.
Some relevant settings:
Firmware: MX 12.26
Mode = NAT
Client Tracking = Track clients by MAC Address (I tried "track by IP" but it says it's not supported for mixed environments - I also have an MR and MS elsewhere on this network)
VLANs = disabled (use a single LAN)
Unfortunately the Meraki VPN will not suffice, and I can't use a TAP interface either so I can't pass DHCP responsibility through from OpenVPN to Meraki. Happy to provide any other information that may be relevant.
That did it! I'm 99.999% sure I did exactly that prior, but must have done something slightly wrong last time. For reference, I did the following:
I am staying on the stable firmware for now, will move up to 13 when I'm back on site. Thanks again!