rkrisi
Member Candidate
Topic Author
Posts: 163
Joined: Fri May 08, 2020 11:54 am

[openvpn][udp]Authenticate/Decrypt packet error: bad packet ID (may be a replay)

Wed Mar 06, 2024 10:13 am

Dear All,

We have been using OpenVPN for several years now, with a growing number of clients. Right now, around 30-40 clients.

We want to switch to the UDP protocol; we were only using TCP mode because of the lack of support in previous RouterOS releases.

I have configured a second OpenVPN server instance on a different port (the server is a plain Linux server with the openvpn package), with a different subnet, and changed it to UDP mode. Clients can connect and traffic is basically working.

In the logs I can see a lot of warnings about a bad packet ID:
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3939 ]
This happens randomly on almost every client, but the traffic works.
However, randomly every 1-2 hours one of the clients (not one specific client, but always one of all the clients, at random) starts to spam the same log message rapidly:
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #3939 ]
The counter is increasing rapidly. This goes on until the ping timer expires and the server disconnects the connection. During this time, the client is not reachable. I don't think it is about the quality of the connection, because it happens randomly, with clients that have a great connection. This only happens with MikroTik clients; other clients (Windows/Linux) are fine.

Also, right now the TCP VPN client is configured on some clients as well (next to the UDP client, with different settings / subnet) and it still works even when the UDP client is not reachable.

Server config:
port 8194
proto udp
dev tun
ca ca.crt
cert vps-m02.crt
key vps-m02.key
dh dh.pem
topology subnet
server 172.16.8.0 255.255.248.0 nopool
management 0.0.0.0 7506
ifconfig-pool 172.16.15.1 172.16.15.254
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
route 10.0.0.0 255.255.0.0
route 10.1.0.0 255.255.255.252
push "route 10.0.0.0 255.255.0.0 172.16.8.1 10"
push "route 10.1.0.2 255.255.255.255 172.16.8.3"
keepalive 10 60
data-ciphers AES-256-CBC
auth SHA1
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn-udp.log
verb 1
explicit-exit-notify 0
crl-verify crl.pem

Client config (RouterOS):
add certificate=cert.crt_0 cipher=aes256-cbc comment="Management VPN" connect-to=vpn.example.com mac-address=\
    AA:BB:CC:DD:EE:FF name=ovpn_mgmt-udp port=8194 protocol=udp user=mikrotik verify-server-certificate=yes
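The "bad packet ID (may be a replay)" warning is produced by OpenVPN's packet-ID replay protection on UDP data packets. As an added example that is not part of the post or of OpenVPN's own code, the sliding-window check below (window size and packet IDs are constructed values, not OpenVPN defaults) shows which packets such a check accepts (in order, or late but still inside the window) and which it rejects (duplicates, and packets far behind the highest ID already seen), which is the condition the log line above reports.

```python
# Added example (not from the forum post or OpenVPN): a sliding-window replay
# check in the style OpenVPN applies to UDP data packets. Each packet carries a
# monotonically increasing packet ID; the receiver accepts IDs ahead of the
# highest seen, and IDs behind it only if they are inside the window and
# have not been seen before. Window size and IDs are constructed values.

class ReplayWindow:
    def __init__(self, window_size: int = 64):
        self.window_size = window_size
        self.highest = 0   # highest packet ID accepted so far
        self.seen = 0      # bitmap: bit k set => packet (highest - k) was seen

    def check(self, packet_id: int) -> tuple[bool, str]:
        """Return (accepted, reason); state is updated only when accepted."""
        if packet_id <= 0:
            return False, "invalid packet ID"
        if packet_id > self.highest:
            shift = packet_id - self.highest
            # Slide the window forward; entries older than the window fall off.
            self.seen = (self.seen << shift) & ((1 << self.window_size) - 1)
            self.seen |= 1
            self.highest = packet_id
            return True, "accepted (new highest)"
        offset = self.highest - packet_id
        if offset >= self.window_size:
            return False, "bad packet ID (outside replay window)"
        if self.seen & (1 << offset):
            return False, "bad packet ID (duplicate, may be a replay)"
        self.seen |= 1 << offset
        return True, "accepted (late but within window)"

def run_sequence(ids, window_size: int = 64):
    """Feed a sequence of packet IDs; return a list of (id, accepted, reason)."""
    window = ReplayWindow(window_size)
    return [(pid, *window.check(pid)) for pid in ids]

# Constructed sample: in-order packets, one reordered packet, a duplicate,
# two large jumps ahead, then a packet far behind the highest ID.
SAMPLE_IDS = [1, 2, 3, 5, 4, 4, 200, 3939, 100]

if __name__ == "__main__":
    for pid, ok, reason in run_sequence(SAMPLE_IDS):
        print(f"#{pid:5d}  {'OK ' if ok else 'DROP'}  {reason}")
```

A single late packet is only dropped when it lands outside the window or repeats an ID, so a sustained stream of this warning from one client indicates its packet IDs are consistently behind what the server has already accepted, not just occasional UDP reordering.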
