A strange case in Mikrotik OpenVPN client mode

RobinHoodDotNetwork
OpenVpn Newbie
Posts: 2
Joined: Thu Jul 13, 2023 6:20 am


Post by RobinHoodDotNetwork » Thu Jul 13, 2023 6:45 am

I have OpenVPN 2.4.0 x86_64-pc-linux-gnu on Debian GNU/Linux 9.13 (stretch) in AWS. A dozen OpenWrt clients are connected to it, and everything is working perfectly. I configure and connect a device with RouterOS 7.10.1. Everything seems fine, but when I try to check the connection with ping, there is none.
The strange thing is that everything seems correctly configured, and when I ping from the server to the client, in the client interface sniffer I see traffic from and to the server.
When I ping from the client side to the server, no traffic is received from the client on the tun interface on the server side, but I see outgoing traffic in the client interface.

Now in summary I will share my configuration:
Server-side

server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.240.0
ifconfig-pool-persist ipp.txt
push "route 10.9.0.0 255.255.255.252"
client-config-dir /etc/openvpn/ccd/
route 10.9.0.0 255.255.255.252
keepalive 10 120
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
status openvpn-status.log
log openvpn.log
verb 3
management localhost 7505
tun-mtu 1500
mssfix 1430
server routes
root@vpn1:/home/admin# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default ip-172-31-0-1.e 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 ip-10-8-0-2.eu- 255.255.240.0 UG 0 0 0 tun0
ip-10-8-0-2.eu- 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.9.0.0 ip-10-8-0-2.eu- 255.255.255.252 UG 0 0 0 tun0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
server firewall
root@vpn1:/home/admin# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Client-side

config
[admin@MikroTik] > interface/ovpn-client/print
Flags: X - disabled; R - running; H - hw-crypto
0 R name="ovpn-out1" mac-address=02:3F:1F:C9:AB:B0 max-mtu=1500
connect-to=vpn1.xxx.com port=1194 mode=ip protocol=udp
user="XX-XX-XX-XX-XX-XX" password="XXXXXXXXXXX" profile=default
certificate=client.crt_0 verify-server-certificate=no tls-version=any
auth=sha256 cipher=aes256-cbc use-peer-dns=yes add-default-route=no
route-nopull=no disconnect-notify=yes
[admin@MikroTik] >
routes
[admin@MikroTik] > ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c, d, v, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 192.168.1.254 1
DAv 10.8.0.1/32 10.8.0.113 1
DAc 10.8.0.113/32 ovpn-out1 0
DAv 10.9.0.0/30 10.8.0.113 1
DAc 192.168.1.0/24 ether1 0
[admin@MikroTik] >
firewall
[admin@MikroTik] /ip/firewall> filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
[admin@MikroTik] /ip/firewall>
The only disturbing thing is in the server logs:

Any help would be greatly appreciated by me.
Nikolay Petrov
P.S. No issues with AWS firewall. Still, there are working clients with OpenWrt!
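As an added example, not part of the original post and not code from OpenVPN or MikroTik: a small Python check that parses the server.conf and the `interface/ovpn-client/print` output quoted above, compares cipher, auth, port and protocol on both sides, and flags the settings a reviewer would want to revisit on the client (`verify-server-certificate=no`, `tls-version=any`, a CBC cipher) and on the server (no `tls-auth`/`tls-crypt`, no `tls-version-min`). The checklist is the editor's own, the two inputs are copied from the post (secrets were already masked there), and none of the findings is claimed to be the cause of the ping problem; the cross-check simply rules out a parameter mismatch as one candidate.

```python
"""Audit the OpenVPN server.conf and RouterOS ovpn-client settings from the post.

Added example (editor's own checklist). Inputs are copied from the post;
the rules reflect common hardening guidance, not an official standard.
"""
import re

# Copied from the post's server.conf (directives relevant to the checks).
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.240.0
push "route 10.9.0.0 255.255.255.252"
route 10.9.0.0 255.255.255.252
cipher AES-256-CBC
auth SHA256
management localhost 7505
"""

# Copied from the post's `interface/ovpn-client/print` (credentials masked by the poster).
ROUTEROS_PRINT = """\
0 R name="ovpn-out1" mac-address=02:3F:1F:C9:AB:B0 max-mtu=1500
connect-to=vpn1.xxx.com port=1194 mode=ip protocol=udp
user="XX-XX-XX-XX-XX-XX" password="XXXXXXXXXXX" profile=default
certificate=client.crt_0 verify-server-certificate=no tls-version=any
auth=sha256 cipher=aes256-cbc use-peer-dns=yes add-default-route=no
route-nopull=no disconnect-notify=yes
"""


def parse_server_conf(text):
    """Return a list of (directive, argument-string) pairs; directives such as push may repeat."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments (none are quoted here)
        if not line:
            continue
        directive, *rest = line.split(None, 1)
        entries.append((directive, rest[0] if rest else ""))
    return entries


def parse_routeros_print(text):
    """Parse key=value pairs from RouterOS print output; values may be double-quoted."""
    pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', text)
    return {key: value.strip('"') for key, value in pairs}


def norm(value):
    """Normalise names such as AES-256-CBC / aes256-cbc so both sides compare equal."""
    return value.lower().replace("-", "")


def cross_check(entries, client):
    """Report server/client parameter mismatches that would break the tunnel."""
    server = {d: a for d, a in entries}
    mismatches = []
    for s_key, c_key in (("cipher", "cipher"), ("auth", "auth"), ("port", "port"), ("proto", "protocol")):
        s_val, c_val = server.get(s_key, ""), client.get(c_key, "")
        if norm(s_val) != norm(c_val):
            mismatches.append(f"{s_key}: server={s_val!r} client={c_val!r}")
    return mismatches


def audit_server(entries):
    findings = []
    directives = {d for d, _ in entries}
    if not directives & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("server: no tls-auth/tls-crypt; control channel has no extra HMAC layer")
    if "tls-version-min" not in directives:
        findings.append("server: no tls-version-min; older TLS versions are negotiable")
    for d, args in entries:
        if d == "cipher" and args.upper().endswith("-CBC"):
            findings.append(f"server: cipher {args} is CBC mode; an AEAD cipher such as AES-256-GCM is preferred")
    return findings


def audit_client(client):
    findings = []
    if client.get("verify-server-certificate") != "yes":
        findings.append("client: verify-server-certificate=no; the server certificate is not checked against the CA")
    if client.get("tls-version") == "any":
        findings.append("client: tls-version=any; restrict to only-1.2")
    if "cbc" in client.get("cipher", "").lower():
        findings.append(f"client: cipher {client['cipher']} is CBC mode")
    return findings


def run_audit(server_text=SERVER_CONF, client_text=ROUTEROS_PRINT):
    entries, client = parse_server_conf(server_text), parse_routeros_print(client_text)
    return {
        "mismatches": cross_check(entries, client),
        "server": audit_server(entries),
        "client": audit_client(client),
    }


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(f"[{section}]")
        for item in items or ["(none)"]:
            print("  " + item)
```

For the configuration in the post the cross-check returns no mismatch, so the cipher, auth, port and protocol agree on both sides; the remaining findings are hardening points rather than connectivity faults.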
