Import .ovpn and configure OpenVPN client on Mikrotik LTE

Hello all,

Sorry for the silly question.

I’m trying to configure an OpenVPN client on the LtAP mini LTE kit ROS 7.15.3 and I have a problem with it.

OpenVPN server is in AWS and other routers are connected to it and working happily.

Here is how I configure the LtAP mini LTE kit 4G router:

  1. Upload the .ovpn file to router file system
  2. In router, PPP → Import .ovpn → select the uploaded .ovpn file → click start button
  3. In router, Interface → ovpn-importxxx → enable Add Default Route → OK
  4. In router, enable this openvpn interface.

Issue

  • Router log shows connected, but does not show me the Local Address, Remote Address in the openvpn interface status.
  • Router failed to ping to OpenVPN server IP, 8.8.8.8
  • Router could not access internet

Questions
The router complains about “unsupported redirect-gateway flag ‘bypass-dhcp’”.
This is configuration pushed by the OpenVPN server. I have no idea why the router is not happy about it or how to fix it.

I notice a few rules are dynamically added to IP → Routes when the openvpn interface is enabled. It seems ok.
What about firewall? Do I need to manually configure it?
Any configuration I missed out?


Appreciate.

Cheers,
Paul

Did you check that the .ovpn config file has the right information?

p.s. this topic could be useful http://forum.mikrotik.com/t/mikrotik-as-openvpn-client/34099/1

@Lupowsky

Thanks for your reply.

This ovpn file is valid and works in both Windows and Teltonika 4G router.

I imported the same ovpn file and the obvious error the router reported is “unsupported redirect-gateway flag ‘bypass-dhcp’”.
From googling that, it is used by Windows, and ROS should safely ignore this setting and not report an error.

The link provided is very old. My ovpn file uses certificate and does not use username/password. I found two confusing MikroTik documents:

Issue is not resolved :(

Sorry, I thought it was from 2019, my bad.

I have some questions:

1 - Can your router access the internet without the VPN without problems?
2 - Can you disable the redirect-gateway flag ‘bypass-dhcp’ in your OpenVPN server and try again?

  1. Yes, the router can access the internet without VPN.
  2. Disabled the redirect-gateway flag ‘bypass-dhcp’ in my OpenVPN server, issue still there. This error is not stopping the router from connecting to the OpenVPN server.

Here is router log:

  • Line 231, the error
  • Line 232, connected, no internet
    Disabled the redirect-gateway flag ‘bypass-dhcp’ in my OpenVPN server
  • Line 241 connected, no error, still no internet

I have a test OpenVPN server running; if any Mikrotik tester would like to try, please send me your email address.

Here is my client ovpn file:

client
dev tun
proto tcp
remote URL PORT
resolv-retry infinite
nobind
persist-key
;persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
data-ciphers AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
auth-nocache
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

Here is my server conf:

local PUBLIC_IP
port PORT
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.0.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS DNS_SERVER_IP"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
status /var/log/openvpn/openvpn-status.log
machine-readable-output
client-config-dir /etc/openvpn/client
management localhost MANAGE_PORT
status-version 2
tls-version-min 1.2
crl-verify crl.pem
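
Added example, not part of any post in this thread: a small Python check that lists what the server conf above pushes to every client (the source of the `redirect-gateway` flags in the router's error) and compares the settings both files specify. The helper names are hypothetical and the two inputs are a constructed subset of the posted configs.

```python
import shlex

# Constructed sample input: a subset of the server conf and client profile posted above.
SERVER_CONF = """\
proto tcp
dev tun
auth SHA512
tls-auth ta.key 0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS DNS_SERVER_IP"
cipher AES-256-CBC
"""
CLIENT_OVPN = """\
client
dev tun
proto tcp
;persist-tun
auth SHA512
cipher AES-256-CBC
key-direction 1
"""

def parse(text):
    """Return [(directive, args)], skipping blank lines and '#' or ';' comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            tokens = shlex.split(line)
            rows.append((tokens[0], tokens[1:]))
    return rows

def pushed(server_text):
    """Options the server sends to every client, as (option, args) pairs."""
    result = []
    for name, args in parse(server_text):
        if name == "push" and args and args[0].strip():
            option = shlex.split(args[0])  # the quoted string is itself a directive
            result.append((option[0], option[1:]))
    return result

def differing(server_text, client_text, keys=("proto", "dev", "auth", "cipher")):
    """Directives set in both files whose values are not identical strings."""
    s, c = dict(parse(server_text)), dict(parse(client_text))
    return [k for k in keys if k in s and k in c and s[k] != c[k]]

def tls_auth_directions_ok(server_text, client_text):
    """tls-auth needs complementary key directions: 0 on one end, 1 on the other."""
    s, c = dict(parse(server_text)), dict(parse(client_text))
    s_dir = (s.get("tls-auth") or [])[1:2]   # second argument of 'tls-auth ta.key 0'
    return sorted(s_dir + (c.get("key-direction") or [])) == ["0", "1"]
```

Calling `pushed(SERVER_CONF)` shows `def1` and `bypass-dhcp` arriving as arguments of one pushed `redirect-gateway` option, so the flag comes from the server side and not from the imported .ovpn file.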

After tens of hours of research and trying with retailer tech support.

The issue is still there:
The LTE router is the OpenVPN client, connected to the cloud server. No idea what routing rules/firewall need to be set on the router, and the router is not using it.
Also tried Wireguard, same again. Connected, but no idea what/how to set other rules.

The Mikrotik documentation is not very helpful. Most documents focus on router as server.
In this forum, a lot of similar questions are asked, but there seem to be no clear answers.

If anyone wants to set up the same server environment: