azmax623
just joined
Topic Author
Posts: 5
Joined: Sat May 18, 2024 12:15 am

RB5009 OpenVPN doesn't connect from android client

Tue May 21, 2024 5:54 am

I set up OpenVPN according to the guide at https://blog.nmoleosoftware.com/index.p ... outeros-7/

I've created the certs, enabled the OVPN server on port 1194 UDP, created the PPP config, created firewall rules, everything in the guide.

I don't see traffic hitting the firewall rule (it's #1 in the list). Nothing in the log files.

I've unplugged the MikroTik from the cable modem, plugged in my Peplink Surf and connected using my old profile on my phone. So UDP 1194 is open on the Cox Business network.
This has to be my stupidity. What did I do wrong?
Client says:

"event: resolve"
"contacting:<ip>:1194 via UDP"
"Event: WAIT"
"connecting to <DNSName>:1194 (<IP>) via UDPv4"
"Event: Connection timeout"

client config:

client
dev tun
proto udp
remote *********.com
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca ca-cert.crt
cert client.crt
key client.key
verb 4
mut 10
cipher AES-256-CBC
auth SHA1
auth-nocache
connection-type password-tls
dev-type tun
password-flags 1
username <user1>
Router config:
# may/20/2024 19:37:09 by RouterOS 7.8
# software id = ****-****
#
# model = RB5009UG+S+
# serial number = **********
/interface bridge
add admin-mac=78:9A:18:**:**:** arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=DMZ vlan-id=9
add interface=bridge name=Guest vlan-id=8
add interface=bridge name=IOT vlan-id=6
add interface=bridge name=MGT vlan-id=2
add interface=bridge name=PLC vlan-id=10
add interface=bridge name=Servers vlan-id=3
add interface=bridge name=Workstations vlan-id=4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.90.1.50-10.90.1.100
add name=dhcp_pool2 ranges=10.90.2.10-10.90.2.100
add name=dhcp_pool3 ranges=10.90.40.10-10.90.40.100
add name=dhcp_pool4 ranges=10.90.10.100-10.90.10.150
add name=dhcp_pool5 ranges=10.90.60.10-10.90.60.100
add name=dhcp_pool6 ranges=10.90.80.10-10.90.80.20
add name=dhcp_pool7 ranges=10.250.1.10-10.250.1.20
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge lease-time=5h name=dhcp1
add address-pool=dhcp_pool2 interface=MGT lease-time=5h name=dhcp2
add address-pool=dhcp_pool3 interface=Workstations lease-time=5h name=dhcp3
add address-pool=dhcp_pool4 interface=Servers lease-time=5h name=dhcp4
add address-pool=dhcp_pool5 interface=IOT lease-time=5h name=dhcp5
add address-pool=dhcp_pool6 interface=Guest lease-time=5h name=dhcp6
add address-pool=dhcp_pool7 interface=PLC lease-time=5h name=dhcp7
/ppp profile
add bridge=bridge dns-server=10.90.1.101 local-address=10.90.1.101 name=\
    vpn-profile remote-address=vpn use-encryption=yes use-ipv6=no
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3 pvid=4
add bridge=bridge comment=defconf interface=ether4 pvid=3
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5,ether7,ether8,ether6 untagged=ether2 \
    vlan-ids=2
add bridge=bridge tagged=bridge,ether6,ether7,ether8,ether5 vlan-ids=3
add bridge=bridge tagged=bridge,ether5,ether8,ether7,ether6 untagged=ether3 \
    vlan-ids=4
add bridge=bridge tagged=bridge,ether5,ether6,ether7,ether8 vlan-ids=6
add bridge=bridge tagged=ether8,bridge,ether7,ether6,ether5 vlan-ids=8
add bridge=bridge tagged=bridge,ether8,ether7,ether6,ether5 vlan-ids=9
add bridge=bridge tagged=bridge,ether8,ether7,ether6,ether5 vlan-ids=10
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=DMZ list=LAN
add interface=Guest list=LAN
add interface=IOT list=LAN
add interface=MGT list=LAN
add interface=PLC list=LAN
add interface=Workstations list=LAN
/interface ovpn-server server
set certificate=Server-cert cipher=\
    aes128-cbc,aes256-cbc,aes128-gcm,aes192-gcm,aes256-gcm default-profile=\
    vpn-profile enabled=yes protocol=udp require-client-certificate=yes
/ip address
add address=10.90.1.101/24 comment=defconf interface=bridge network=10.90.1.0
add address=10.90.40.1/24 interface=Workstations network=10.90.40.0
add address=10.90.10.1/24 interface=Servers network=10.90.10.0
add address=10.90.2.1/24 interface=MGT network=10.90.2.0
add address=10.90.80.1/24 interface=Guest network=10.90.80.0
add address=10.90.90.1/24 interface=DMZ network=10.90.90.0
add address=10.90.60.1/24 interface=IOT network=10.90.60.0
add address=10.250.1.1/24 interface=PLC network=10.250.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.90.1.0/24 dns-server=10.90.1.101,8.8.8.8 domain=domain.com \
    gateway=10.90.1.101
add address=10.90.2.0/24 dns-server=10.90.1.101,8.8.8.8 domain=domain.com \
    gateway=10.90.2.1
add address=10.90.10.0/24 dns-server=10.90.1.101,8.8.8.8 domain=\
    domain.com gateway=10.90.10.1
add address=10.90.40.0/24 dns-server=10.90.1.101,8.8.8.8 domain=\
    domain.com gateway=10.90.40.1
add address=10.90.60.0/24 dns-server=8.8.8.8,10.90.1.101 domain=\
    domain.com gateway=10.90.60.1
add address=10.90.80.0/24 dns-server=8.8.8.8 domain=domain.com gateway=\
    10.90.80.1
add address=10.250.1.0/24 dns-server=10.90.1.101,8.8.8.8 domain=\
    domain.com gateway=10.250.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=inside.domain.com
add address=10.90.2.11 name=wlan
add address=10.90.2.11 name=wlan.domain.com
/ip firewall filter
add action=accept chain=input dst-port=1194 in-interface=bridge log=yes \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input dst-address=10.90.1.101 dst-port=53 protocol=\
    tcp src-address=0.0.0.0
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set winbox address=10.90.1.0/32,10.90.40.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add disabled=yes name=vpn
add name=schoenjo profile=vpn-profile service=ovpn
/system clock
set time-zone-autodetect=no time-zone-name=America/Phoenix
/system logging
add topics=ovpn,debug
add topics=ovpn,info
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes use-local-clock=yes
/system ntp client servers
add address=time.google.com
/system scheduler
add interval=1d name=schedule-noip on-event="# No-IP automatic Dynamic DNS upd\
    ate\r\
    \n\r\
    \n:local noipuser \"zzzz\"\r\
    \n:local noippass \"*****\"\r\
    \n:local noiphost \"*******.domain.com\"\r\
    \n:local inetinterface \"ether1\"\r\
    \n\r\
    \n:global currentIP\r\
    \n:global previousIP\r\
    \n\r\
    \n:if ([/interface get \$inetinterface value-name=running]) do={\r\
    \n :local currentIP [/ip address get [find interface=\"\$inetinterface\" d\
    isabled=no] address]\r\
    \n :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
    \n :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
    \n :set currentIP [:pick \$currentIP 0 \$i]\r\
    \n } \r\
    \n }\r\
    \n\r\
    \n:if (\$currentIP != \$previousIP) do={\r\
    \n :log info \"No-IP Updater: Current IP address \$currentIP is not equal \
    to previous IP, update needed\"\r\
    \n :set previousIP \$currentIP\r\
    \n\r\
    \n:local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$currentIP\"\
    \r\
    \n :local noiphostarray\r\
    \n :set noiphostarray [:toarray \$noiphost]\r\
    \n :foreach host in=\$noiphostarray do={\r\
    \n :log info \"No-IP Updater: Sending update for \$host\"\r\
    \n /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuser password\
    =\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host . \".txt\"\
    )\r\
    \n :log info \"No-IP Updater: Update change requested. Hostname \$host wil\
    l be updated with \$currentIP\"\r\
    \n }\r\
    \n } else={\r\
    \n :log info \"No-IP Updater: Previous IP address \$previousIP is equal to\
    \_current IP, no update needed\"\r\
    \n }\r\
    \n} else={\r\
    \n :log info \"No-IP Updater: \$inetinterface is not currently running, so\
    \_therefore will not update\"\r\
    \n}" policy=read,write,test start-time=startup
/system script
add dont-require-permissions=no name=Updatte-NoIP owner=admin policy=\
    read,write,test source="# No-IP automatic Dynamic DNS update\r\
    \n\r\
    \n:local noipuser \"***\"\r\
    \n:local noippass \"**\"\r\
    \n:local noiphost \"***.domain.com\"\r\
    \n:local inetinterface \"ether1\"\r\
    \n\r\
    \n:global currentIP\r\
    \n:global previousIP\r\
    \n\r\
    \n:if ([/interface get \$inetinterface value-name=running]) do={\r\
    \n :local currentIP [/ip address get [find interface=\"\$inetinterface\" d\
    isabled=no] address]\r\
    \n :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
    \n :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
    \n :set currentIP [:pick \$currentIP 0 \$i]\r\
    \n } \r\
    \n }\r\
    \n\r\
    \n:if (\$currentIP != \$previousIP) do={\r\
    \n :log info \"No-IP Updater: Current IP address \$currentIP is not equal \
    to previous IP, update needed\"\r\
    \n :set previousIP \$currentIP\r\
    \n\r\
    \n:local url \"http://dynupdate.no-ip.com/nic/update\\3Fmyip=\$currentIP\"\
    \r\
    \n :local noiphostarray\r\
    \n :set noiphostarray [:toarray \$noiphost]\r\
    \n :foreach host in=\$noiphostarray do={\r\
    \n :log info \"No-IP Updater: Sending update for \$host\"\r\
    \n /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuser password\
    =\$noippass mode=http dst-path=(\"no-ip_ddns_update-\" . \$host . \".txt\"\
    )\r\
    \n :log info \"No-IP Updater: Update change requested. Hostname \$host wil\
    l be updated with \$currentIP\"\r\
    \n }\r\
    \n } else={\r\
    \n :log info \"No-IP Updater: Previous IP address \$previousIP is equal to\
    \_current IP, no update needed\"\r\
    \n }\r\
    \n} else={\r\
    \n :log info \"No-IP Updater: \$inetinterface is not currently running, so\
    \_therefore will not update\"\r\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
CGGXANNX
Member Candidate
Posts: 170
Joined: Thu Dec 21, 2023 6:45 pm

Re: RB5009 OpenVPN doesn't connect from android client

Tue May 21, 2024 7:43 am

This rule in your firewall

/ip firewall filter
add action=accept chain=input dst-port=1194 in-interface=bridge log=yes \
    protocol=udp

only allows incoming traffic to UDP port 1194 if it came from the "bridge" interface (one of your LAN networks). Traffic from the outside of the LAN list will be blocked by this rule down below:

/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

Your internet interface (ether1) is of course not part of the LAN list (and shouldn't be part of it). The solution here is to remove in-interface=bridge from your 1st rule. UDP port 1194 will then also be accessible for ether1.

Also, that accept rule doesn't need to be on the 1st spot of your input chain. You can move it down, it just needs to be above the "defconf: drop all not coming from LAN" rule. The top spots of the list for the input chain should be reserved for the rules that will be hit the most, for performance. This rule for example:

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
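To make the first-match behaviour described above concrete, here is an added example (not from the thread or from MikroTik) that models the relevant part of the poster's input chain in Python and evaluates a WAN-side OpenVPN packet against it. Interface names and list membership follow the export above; the packets and the "ovpn 1194" rule label are constructed for the example.

```python
# Minimal first-match model of the RouterOS input chain quoted in this thread.
# Shows why an accept rule restricted to in-interface=bridge never matches a
# packet arriving on ether1, so the "drop all not coming from LAN" rule wins.
from dataclasses import dataclass
from typing import Optional, Set

# Interface lists from the poster's export (ether1 is WAN, everything else LAN).
INTERFACE_LISTS = {
    "LAN": {"bridge", "DMZ", "Guest", "IOT", "MGT", "PLC", "Workstations"},
    "WAN": {"ether1"},
}

@dataclass
class Packet:                       # constructed test packet, not a capture
    in_interface: str
    protocol: str
    dst_port: int
    connection_state: str = "new"

@dataclass
class Rule:
    action: str
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None      # a leading "!" negates
    connection_state: Optional[Set[str]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.in_interface and pkt.in_interface != self.in_interface:
            return False
        if self.in_interface_list:
            negate = self.in_interface_list.startswith("!")
            members = INTERFACE_LISTS[self.in_interface_list.lstrip("!")]
            if (pkt.in_interface in members) == negate:
                return False
        if self.connection_state and pkt.connection_state not in self.connection_state:
            return False
        return True

def evaluate(chain, pkt: Packet):
    """First matching rule decides; RouterOS accepts if nothing matches."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "implicit (end of chain)"

def input_chain(ovpn_in_interface: Optional[str]):
    """Reduced input chain from the export; pass None to drop in-interface=bridge."""
    return [
        Rule("accept", "ovpn 1194", protocol="udp", dst_port=1194, in_interface=ovpn_in_interface),
        Rule("accept", "defconf: accept established,related,untracked",
             connection_state={"established", "related", "untracked"}),
        Rule("drop", "defconf: drop invalid", connection_state={"invalid"}),
        Rule("accept", "defconf: accept ICMP", protocol="icmp"),
        Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
    ]

WAN_OVPN = Packet(in_interface="ether1", protocol="udp", dst_port=1194)
```

Calling `evaluate(input_chain("bridge"), WAN_OVPN)` returns the drop from "defconf: drop all not coming from LAN", while `evaluate(input_chain(None), WAN_OVPN)` returns the accept from the OVPN rule.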
 
azmax623
just joined
Topic Author
Posts: 5
Joined: Sat May 18, 2024 12:15 am

Re: RB5009 OpenVPN doesn't connect from android client

Wed May 22, 2024 5:06 am

Thanks. One error down, another to go:

Logs report "username not provided" even though the .ovpn has a username in it and I imported the profile with a pass.txt as the document said to do. Certs seem to be OK.
 
azmax623
just joined
Topic Author
Posts: 5
Joined: Sat May 18, 2024 12:15 am

Re: RB5009 OpenVPN doesn't connect from android client

Thu May 23, 2024 2:33 am

Thanks. One error down, another to go:

Logs report "username not provided" even though the .ovpn has a username in it and I imported the profile with a pass.txt as the document said to do. Certs seem to be OK.

Added:
auth-user-pass pass.txt

Deleted and re-added the profile and it connects.
