Client cannot connect to Mikrotik VPN

dave12 · November 29, 2021, 3:00pm

So, my Mikrotik router is behind my ISP’s modem. I have set up an OVPN server, enabled Cloud DDNS, but my Android client cannot connect.
No error logs in Mikrotik, nothing, just connection timeout on my phone.

I tried almost everything, tried different ports, tried different configurations in RouterOS, opened ports in the ROS firewall and nothing.

It seems that my ISP’s modem is blocking incoming connections, that aren’t responses initiated by my IP.

I also have a local LAN bridge in ROS, but I am unsure if I can bridge the router and the modem. I do not have access to the modem, but I observed that when I delete the local bridge in ROS, I have differently named LAN connection which is not the same name when I connect directly to the modem via LAN.

Also, my modem is responding to pings, so maybe ICMP tunneling could be setup?

spynappels · November 29, 2021, 3:16pm

Have you got a modem from your ISP or a router?
When you plug in the WAN port of the Mikrotik to the ISP modem/router, how do you get an IP address and is it in the Private IP range?

If the ISP device is a combined modem/router, you’d need to forward the OpenVPN port from the ISP device to the Mikrotik.

If that is not correct, you should probably post your Mikrotik config using

/export  hide-sensitive file=somefilename

dave12 · November 29, 2021, 3:35pm

Spynapples, the ISP device is a modem+router. DHCP is dynamic.

My relevant configuration:

nov/29/2021 16:21:56 by RouterOS 6.49.1
model = RBD52G-5HacD2HnD

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *0 local-address=dhcp remote-address=vpn
set *FFFFFFFE local-address=dhcp remote-address=vpn use-compression=yes

/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 default-profile=default-encryption enabled=yes port=\
    1194 require-client-certificate=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723,47 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow ovpn" dst-port=1194 protocol=udp
add action=accept chain=input comment="Allow ovpn" dst-port=1194 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall mangle

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface=ether1
# lte1 not ready
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface=*9
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip route
add distance=1 dst-address=0.0.0.0/32 gateway=192.168.0.1

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=vpn profile=default-encryption service=ovpn

spynappels · November 29, 2021, 3:37pm

Ok, has port 1194 been forwarded from your ISP router to your Mikrotik?

dave12 · November 29, 2021, 3:58pm

Spynappels, I do not have access to the ISP modem+router device, because the ISP blocked access with a password. I do not know the password. It is a Cisco device.
The port is probably not forwarded.

spynappels · November 29, 2021, 4:15pm

Ok, in that case I’m afraid you are out of luck.

The only option you have if having a VPN connection is required is to create a VPN server on a cloud server, and then connect both your Mikrotik and Android to it and route the traffic from your Android to the Mikrotik via the cloud VPN server.

This would work as you are able to make outbound VPN connections from the Mikrotik, it’s incoming connections that are the problem.

dave12 · November 29, 2021, 4:24pm

I understand, but I did scan my ports, some common UDP ports are open and filtered. TCP ports are filtered.

Can I do something with UDP ports for the VPN to work?

I also tested STUN against a STUN server. For example a response: public_IP:1234 is mapped to 192.168.88.2:1234.

Edit: Maybe SSH reverse tunneling could solve the issue?

spynappels · November 29, 2021, 9:39pm

Normal OpenVPN uses UDP rather than TCP by default, but Mikrotik’s implementation is somewhat lacking.

If you are sure that some ports are forwarded to your private IP you could run the VPN server on some other port, but that may be hit and miss as your IP address will change dynamically everytime your LTE drops and reconnects for any reason.

Reverse tunnelling might be an option but sustaining an SSH tunnel from your Mikrotik to your Android continually for the odd time ou need to reverse access the Mikrotik is probably overkill, especially when you could run a DigitalOcean droplet for $5 per month, have a permanently on Wireguard connection from your Mikrotik to it, and then dial from the Android to it and route through to the Mikrotik when you need to.