6.4x OpenVPN + OSPF trouble

Hello.

I want two MikroTik routers to communicate over OpenVPN and configure OSPF routes, but I get a problem.
==> 6.41.3 Router Server
OpenVPN server:
Local Address 172.16.0.1
Netmask 16
IP pool 172.16.0.2-172.16.254.254

OSPF networks
172.16.0.0/16 backbone

==> 6.41.3 Router Client
OpenVPN Client
Gets address 172.16.248.10/16, network 172.16.0.0

OSPF networks
172.16.0.0/16 backbone

OpenVPN connected successfully, but OSPF gets errors in the log:
route,ospf,info Discarding Hello packet: mismatch in network mask
route,ospf,info mine=255.255.0.0
route,ospf,info remote=255.255.255.255
route,ospf,info source=172.16.0.1

I think this is a bug, because the Local Address on the OVPN server has netmask /32 while the Network is /16.
To fix it, the Netmask parameter needs to be applied to the Local Address too.

Me too.
I am using static routes temporarily as a workaround. :frowning: :frowning:

For me this is not a solution, I have 500+ routes :frowning:

Can confirm this is annoying.

I only have five sites and to get OSPF to work I added each /32 to the network tab, and it’s working.

This seems like an urgently needed fix for larger deployments.

Make sure to set netmask to 32 on the OVPN server. It's like the OVPN server doesn't respect that setting; only the client applies it.

I have the same problem on MikroTik 6.40.9 bugfix; my other MikroTik routers with older ROS do not have this error. I had to switch to static routes to make this router work. Is there any way to fix this?

Hi
Change netmask in OVPN server to 32 and test it again after a while.
It might solve your problem.
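
As an added illustration (not code from this thread or from MikroTik), the following models the OSPF Hello network-mask check of RFC 2328 section 10.5, which is what produces the "Discarding Hello packet: mismatch in network mask" lines quoted in the first post. It assumes the client sees the server's Local Address 172.16.0.1 as /32, and shows why giving the client a /32 as well (netmask 32 on the server, as suggested above) makes the check pass; the log text is the thread's own, embedded as constructed sample input.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class OspfInterface:
    address: ipaddress.IPv4Interface  # address/prefix this router has on the tunnel
    network_type: str                 # "broadcast", "nbma", "ptmp" or "ptp"


def hello_check(local: OspfInterface, remote_mask: str, source: str):
    """Return (accepted, log_text) for a received Hello that carries remote_mask.

    RFC 2328 sec. 10.5: the Hello's Network Mask must equal the receiving
    interface's mask or the packet is dropped; on point-to-point interfaces
    (and virtual links) the mask field is ignored.
    """
    mine = str(local.address.netmask)
    if local.network_type == "ptp":
        return True, f"Hello from {source} accepted (mask ignored on ptp)"
    if mine != remote_mask:
        return False, ("Discarding Hello packet: mismatch in network mask "
                       f"mine={mine} remote={remote_mask} source={source}")
    return True, f"Hello from {source} accepted (mask {mine})"


# The four-line RouterOS log entry from the first post, used as sample input.
SAMPLE_LOG = """\
route,ospf,info Discarding Hello packet: mismatch in network mask
route,ospf,info mine=255.255.0.0
route,ospf,info remote=255.255.255.255
route,ospf,info source=172.16.0.1
"""


def parse_mismatch_log(text: str) -> dict:
    """Pull the mine/remote/source fields out of the multi-line discard message."""
    return dict(re.findall(r"^route,ospf,info (mine|remote|source)=(\S+)$", text, re.M))


def client_view(client_prefix: str, network_type: str = "broadcast"):
    """Evaluate the Hello sent by the OVPN server (172.16.0.1 with a /32 Local Address)."""
    iface = OspfInterface(ipaddress.IPv4Interface(client_prefix), network_type)
    return hello_check(iface, "255.255.255.255", "172.16.0.1")


if __name__ == "__main__":
    print(parse_mismatch_log(SAMPLE_LOG))
    print(client_view("172.16.248.10/16"))         # as logged: client /16 vs server /32 -> discarded
    print(client_view("172.16.248.10/32"))         # server netmask set to 32 -> both /32 -> accepted
    print(client_view("172.16.248.10/16", "ptp"))  # ptp interface ignores the mask field
```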

Hi,

If you only need to connect MT devices, you could use another VPN technology like IPsec/L2TP.
I like MT very much, but their OpenVPN implementation is known to be rudimentary.

Nonetheless, this should be fixed.

Regards,
Ape

And it is insecure: the MT OpenVPN client does not check the server certificate, see https://nvd.nist.gov/vuln/detail/CVE-2018-10066 and https://janis-streib.de/post/mikrotik-ovpn-security/, which AFAIK has not been addressed.

Just a thought, but there are two modes to set OpenVPN to, ethernet and ip. The ip setting creates a tun interface and will not allow the multicast to forward; ethernet, on the other hand, creates a tap, which does. If you are in ip mode, try setting the network-type to nbma and specifying the peers, or change the OpenVPN mode from ip to ethernet.

If I am off base let me know, as I have not run into a situation where I need to run OSPF over OpenVPN.