A strange case in OpenVPN client mode

I have OpenVPN 2.4.0 x86_64-pc-linux-gnu on Debian GNU/Linux 9.13 (stretch) in AWS. A dozen OpenWrt clients are connected to it, and everything is working perfectly. I configured and connected a device with RouterOS 7.10.1. Everything seems fine, but when I try to check the connection with ping, there is none.

The strange thing is that everything seems correctly configured, and when I ping from the server to the client, in the client interface sniffer I see traffic from and to the server.

When I ping from the client side to the server, on the tun interface on the server side no traffic is received from the client,

but I see outgoing traffic in the client interface.

Now in summary I will share my configuration:
Server-side

server.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.240.0
ifconfig-pool-persist ipp.txt
push "route 10.9.0.0 255.255.255.252"
client-config-dir /etc/openvpn/ccd/
route 10.9.0.0 255.255.255.252
keepalive 10 120
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
status openvpn-status.log
log openvpn.log
verb 3
management localhost 7505
tun-mtu 1500
mssfix 1430

server routes

root@vpn1:/home/admin# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default ip-172-31-0-1.e 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 ip-10-8-0-2.eu- 255.255.240.0 UG 0 0 0 tun0
ip-10-8-0-2.eu- 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.9.0.0 ip-10-8-0-2.eu- 255.255.255.252 UG 0 0 0 tun0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0

server firewall

root@vpn1:/home/admin# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Client-side

config

[admin@MikroTik] > interface/ovpn-client/print
Flags: X - disabled; R - running; H - hw-crypto
0 R name="ovpn-out1" mac-address=02:3F:1F:C9:AB:B0 max-mtu=1500
connect-to=vpn1.xxx.com port=1194 mode=ip protocol=udp
user="XX-XX-XX-XX-XX-XX" password="XXXXXXXXXXX" profile=default
certificate=client.crt_0 verify-server-certificate=no tls-version=any
auth=sha256 cipher=aes256-cbc use-peer-dns=yes add-default-route=no
route-nopull=no disconnect-notify=yes
[admin@MikroTik] >

routes

[admin@MikroTik] > ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c, d, v, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 192.168.1.254 1
DAv 10.8.0.1/32 10.8.0.113 1
DAc 10.8.0.113/32 ovpn-out1 0
DAv 10.9.0.0/30 10.8.0.113 1
DAc 192.168.1.0/24 ether1 0
[admin@MikroTik] >

firewall

[admin@MikroTik] /ip/firewall> filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
[admin@MikroTik] /ip/firewall>

The only disturbing thing is in the server logs:

Any help would be greatly appreciated by me.
Nikolay Petrov
P.S. No issues with AWS firewall. Still, there are working clients with OpenWrt!

Hello Nikolay,

This part on your MT router (ovpn client):

DAc 10.8.0.113/32 ovpn-out1 0

doesn’t match with any of your ping result output (the second picture) - that is why you don’t see any ovpn interface traffic on your first picture.

maybe you might have missed the client config on your ovpn server?

Thank you

Here is a client configuration with OpenWrt, and in this case it is pinged from both the server and the client side.

root@C44BD1901AB1:~# ifconfig

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.22 P-t-P:10.8.0.21 Mask:255.255.255.255
inet6 addr: fe80::2470:f734:4502:aee8/64 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:52 errors:0 dropped:0 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2790 (2.7 KiB) TX bytes:4665 (4.5 KiB)

root@C44BD1901AB1:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.254 0.0.0.0 UG 0 0 0 eth0.2
10.8.0.1 10.8.0.21 255.255.255.255 UGH 0 0 0 tun0
10.8.0.21 * 255.255.255.255 UH 0 0 0 tun0
10.9.0.0 10.8.0.21 255.255.255.252 UG 0 0 0 tun0
10.128.0.0 * 255.255.248.0 U 0 0 0 tun1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0.2
192.168.10.0 *

And here are the IP addresses of the MikroTik client, which still has no ping or other traffic:

[admin@MikroTik] /ip> address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE

ADDRESS NETWORK INTERFACE

0 D 192.168.1.142/24 192.168.1.0 ether1
1 D 10.8.0.114/32 10.8.0.113 ovpn-out1

If I have gaps in the server configuration, wouldn’t that affect the OpenWrt clients that work normally?

@ nikolay

have gaps in the server configuration, wouldn’t that affect the OpenWrt clients that work normally?

I don’t have any objections to your OpenWrt output.

Let us just focus on the MT to your server part.

OK. I saw that you have changed your MT client IP

1 D 10.8.0.114/32 10.8.0.113 ovpn-out1

but I don’t see any server ifconfig output for that specific 10.8.0.113 interface.

Let us see your ping from .114 to .113.

but I don’t see any server ifconfig output for that specific 10.8.0.113 interface.

root@vpn1:/home/admin# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.0.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.240.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.9.0.0 10.8.0.2 255.255.255.252 UG 0 0 0 tun0
172.31.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0

Let us see your ping from .114 to .113.

[admin@MikroTik] > ping src-address=10.8.0.114 10.8.0.113
SEQ HOST SIZE TTL TIME STATUS
0 10.8.0.113 timeout
1 10.8.0.113 timeout
2 10.8.0.113 timeout
3 10.8.0.113 timeout
sent=4 received=0 packet-loss=100%

There isn’t, and I don’t expect there will be. Let’s go back to the working OpenWrt, and it’s not there either:

root@C44BD1901AB1:~# ping 10.8.0.21
PING 10.8.0.21 (10.8.0.21): 56 data bytes
--- 10.8.0.21 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
root@C44BD1901AB1:~# ping 10.8.0.22
PING 10.8.0.22 (10.8.0.22): 56 data bytes
64 bytes from 10.8.0.22: seq=0 ttl=64 time=0.517 ms
64 bytes from 10.8.0.22: seq=1 ttl=64 time=0.395 ms
64 bytes from 10.8.0.22: seq=2 ttl=64 time=0.396 ms
--- 10.8.0.22 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.395/0.436/0.517 ms
root@C44BD1901AB1:~# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: seq=0 ttl=64 time=22.725 ms
64 bytes from 10.8.0.1: seq=1 ttl=64 time=22.638 ms
64 bytes from 10.8.0.1: seq=2 ttl=64 time=23.182 ms
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 22.638/22.848/23.182 ms
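The timeouts to .113 and .21 above are what OpenVPN's net30 topology produces: each client gets its own /30 out of the `server 10.8.0.0 255.255.240.0` pool, and the lower address of that /30 is a virtual peer endpoint that the server never answers from, while the server's real tun address is the first /30 (10.8.0.1). The following is an added example, not code from any poster in this thread; it assumes the server is running the OpenVPN 2.4 default net30 topology (no `topology` directive appears in the server.conf above), and it recomputes the address pairs seen on the page to show which address a client should actually test against.

```python
"""Net30 address-pair checker for the OpenVPN setup discussed in this thread (added example)."""
import ipaddress

# Constructed from the thread's server.conf line; net30 is OpenVPN 2.4's default topology.
SERVER_DIRECTIVE = "server 10.8.0.0 255.255.240.0"


def parse_server_directive(line):
    """Turn 'server <net> <mask>' into an ip_network (10.8.0.0/20 for this thread)."""
    _, net, mask = line.split()
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def net30_pair(pool, index):
    """(virtual_peer, endpoint) for the index-th /30 of a net30 pool.
    Index 0 is the server's own /30 (10.8.0.1 / 10.8.0.2); clients use index >= 1."""
    base = int(pool.network_address) + 4 * index
    return ipaddress.ip_address(base + 1), ipaddress.ip_address(base + 2)


def classify(pool, client_ip, peer_ip):
    """Check a client's P-t-P pair as printed on the page (e.g. 10.8.0.114 with peer 10.8.0.113)."""
    c, p = ipaddress.ip_address(client_ip), ipaddress.ip_address(peer_ip)
    if c not in pool or p not in pool:
        return "outside-pool"
    offset = int(c) - int(pool.network_address)
    # A net30 client always sits at offset 4k+2, with its virtual peer at 4k+1.
    if offset % 4 != 2 or int(p) != int(c) - 1:
        return "not-net30-pair"
    return "net30-pair"


def reachability_targets(pool, client_ip, peer_ip):
    """Addresses a net30 client can expect to answer ICMP: itself and the server's tun address.
    The /30 peer only exists in the server's routing logic, so it times out even for working
    clients (exactly what the OpenWrt ping output in the thread shows)."""
    server_tun, _ = net30_pair(pool, 0)
    return {"self": str(client_ip), "server": str(server_tun), "virtual_peer": str(peer_ip)}


if __name__ == "__main__":
    pool = parse_server_directive(SERVER_DIRECTIVE)
    for client, peer in (("10.8.0.114", "10.8.0.113"), ("10.8.0.22", "10.8.0.21")):
        print(client, peer, classify(pool, client, peer), reachability_targets(pool, client, peer))
```

Both the MikroTik pair (.114/.113) and the OpenWrt pair (.22/.21) come out as valid net30 pairs, so the address assignment is not what differs between them; the reachability test that means something is a ping to 10.8.0.1, which is the one that works for the OpenWrt client.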

Hi,
did you find any solution? I am having the same issue.

I gave up on MikroTik and continue to use OpenWrt in my project.