Mikrotik site2site OpenVPN - clients keep disconnecting when in tun/ip mode (works in tap/ethernet mode)

Hi,

I have connected 3 localities to site2site VPN using Mikrotik routers using OpenVPN for years.

I have this setup:
1 locality acts as VPN Concentrator running OpenVPN server. 2 other localities are connecting as OpenVPN clients.
For years I used OpenVPN over TCP with ethernet/tap interface mode.

Now that RouterOS7 finally came out, I found it supports UDP transport (which should be better suited for VPN).
So I switched VPN to UDP transport. This works fine when I keep OpenVPN mode tap/ethernet.

I also tried to switch the whole configuration to tun/ip mode.
This works when I connect to the OpenVPN server (Mikrotik) from a PC (Linux) or a mobile phone (Android - finally I am able to connect from Android, which is impossible when using tap/ethernet).
I believe that this is working because of this in the OVPN config file on the client side:

ping 15
ping-restart 45

But unfortunately, when the client is another Mikrotik, the VPN connection keeps disconnecting and then reconnecting within a second - which leads to doubled sessions on the VPN concentrator side and a non-working VPN (until I remove the duplicated session).
I identified the problem on the client side. When a routerboard is acting as an OpenVPN client, it is constantly disconnecting from the VPN when there is no traffic. Example log from the client:

10:37:32 ovpn,info VPN-Interface: initializing...
10:37:32 ovpn,info VPN-Interface: connecting...
10:37:33 ovpn,info VPN-Interface: using encoding - BF-128-CBC/SHA1
10:37:33 ovpn,info VPN-Interface: connected
10:38:23 ovpn,info VPN-Interface: terminating... - nothing received for a while
10:38:23 ovpn,info VPN-Interface: disconnected
10:38:23 ovpn,info VPN-Interface: initializing...
10:38:23 ovpn,info VPN-Interface: connecting...
10:38:24 ovpn,info VPN-Interface: using encoding - BF-128-CBC/SHA1
10:38:24 ovpn,info VPN-Interface: connected
10:38:54 ovpn,info VPN-Interface: terminating... - nothing received for a while
10:38:54 ovpn,info VPN-Interface: disconnected
10:38:54 ovpn,info VPN-Interface: initializing...
10:38:54 ovpn,info VPN-Interface: connecting...
10:38:55 ovpn,info VPN-Interface: using encoding - BF-128-CBC/SHA1
10:38:55 ovpn,info VPN-Interface: connected
10:41:10 ovpn,info VPN-Interface: terminating... - nothing received for a while
10:41:10 ovpn,info VPN-Interface: disconnected
10:41:10 ovpn,info VPN-Interface: initializing...
10:41:10 ovpn,info VPN-Interface: connecting...
10:41:10 ovpn,info VPN-Interface: using encoding - BF-128-CBC/SHA1
10:41:10 ovpn,info VPN-Interface: connected
10:49:41 ovpn,info VPN-Interface: terminating... - nothing received for a while
10:49:41 ovpn,info VPN-Interface: disconnected

When I create some constant traffic between 2 specified sites, it keeps working (opened Winbox session is enough to keep connection stable) like a charm.

So my question is: Is there any solution to be able to use OpenVPN in tun/ip mode when clients are Mikrotiks? Obvious solution/WA would be same as on Linux/Android side to tell those clients to send some keep-alive traffic (ping for example). Not sure if I am just blind, or there are not any settings in RouterOS (not even in PPP profile) to do some keep-alive ping.

And of course there is a sub-question: Why is Mikrotik as a client acting like that? Why close the session (where there is no traffic) just to immediately open another one? It does not make any sense.
From my point of view it seems that the configuration I have been happily using for years is working “by mistake” - because the only thing which keeps the connection stable in ethernet/tap mode is that there is always some traffic (probably some multicasts or whatever).

I am currently on RouterOS 7.1.1 on all 3 boxes.
I will of course try new options like WireGuard for site2site and keep OpenVPN in tun mode only for mobile clients (I think this could work, but I am not able to use WireGuard for clients, because it does not support RADIUS). This is just something I thought was worth reporting. Because if this worked, OpenVPN on Mikrotik would finally be a perfect solution (well, almost, since push routes is not implemented, but this can be easily bypassed by putting routes into the OVPN config file for the client).

Just some more info. I’ve tested setup with OpenVPN over TCP with same settings (tun/ip mode) and this seems to be stable. So over TCP I can be compatible with both - android devices and Mikrotik clients.

You could use Netwatch as a workaround, to ping something over the tunnel and generate some traffic this way. Not a great solution, but it could be usable.

Just an update:
It seems to be solved in some 7.X release.

I was on 7.2.1 for a long time. Yesterday I’ve updated to RouterOS 7.6 and tested OpenVPN with UDP and TUN mode and it is rock solid for >24hrs.
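
The client log in the first post can be checked mechanically for this idle-timeout flapping, for example before and after a RouterOS upgrade. The following is an added example, not part of the thread: it parses log lines in the format quoted above and reports how long each session lasted before ending with "nothing received for a while". The function names and the 300-second threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# First two sessions of the client log quoted in the thread.
SAMPLE_LOG = """\
10:37:32 ovpn,info VPN-Interface: initializing...
10:37:32 ovpn,info VPN-Interface: connecting...
10:37:33 ovpn,info VPN-Interface: using encoding - BF-128-CBC/SHA1
10:37:33 ovpn,info VPN-Interface: connected
10:38:23 ovpn,info VPN-Interface: terminating... - nothing received for a while
10:38:23 ovpn,info VPN-Interface: disconnected
10:38:23 ovpn,info VPN-Interface: initializing...
10:38:23 ovpn,info VPN-Interface: connecting...
10:38:24 ovpn,info VPN-Interface: using encoding - BF-128-CBC/SHA1
10:38:24 ovpn,info VPN-Interface: connected
10:38:54 ovpn,info VPN-Interface: terminating... - nothing received for a while
10:38:54 ovpn,info VPN-Interface: disconnected
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) ovpn,info ([^:]+): (.*)$")

def parse_sessions(text):
    """Return (interface, lifetime_seconds, reason) for every ended session."""
    up, sessions = {}, []  # up: interface -> time it reported "connected"
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        iface, msg = m.group(2), m.group(3)
        if msg == "connected":
            up[iface] = ts
        elif msg.startswith("terminating...") and iface in up:
            start = up.pop(iface)
            if ts < start:  # log crossed midnight (timestamps carry no date)
                ts += timedelta(days=1)
            reason = msg.partition(" - ")[2] or "unspecified"
            sessions.append((iface, int((ts - start).total_seconds()), reason))
    return sessions

def idle_flaps(sessions, max_lifetime=300):
    """Sessions dropped for inactivity within max_lifetime seconds (assumed threshold)."""
    return [s for s in sessions
            if s[2] == "nothing received for a while" and s[1] <= max_lifetime]

if __name__ == "__main__":
    for iface, secs, reason in idle_flaps(parse_sessions(SAMPLE_LOG)):
        print(f"{iface}: dropped after {secs}s ({reason})")
```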