OpenVPN clients not connecting

range · February 23, 2023, 8:09pm

Good day to everyone! I’ve got a question about setting of wi-fi router Microtik. hAP ac^2 arm.
Router OS: 7.7 Stable.
My network diagram is:

the provider gave me static ip 185.244.6.34.
internet connection is made with PPPoE protocol.
behind the router is located OpenVPN server (with the help of Pritunl). OS Ubuntu 20.04. I made static IP for OpenVPN server on Microtik 200.151.54.94.
All clients connect by OpenVPN Connect from external internet.
Port for OpenVPN is 9026, and it is opened as in Ubuntu, so in Microtik.
All these I represented on the diagram:

Port was tested with the help of https://ping.eu/port-chk website:

I also checked port through telnet on Windows and android: telnet 185.244.6.34 9026.
Connection successful.
My problem is that none of clients (exept wi-fi router keenetic) can connect to OpenVPN server. Mistake code is approximately like this:

⏎[Feb 23, 2023, 23:02:58] Frame=512/2048/512 mssfix-ctrl=1250
⏎[Feb 23, 2023, 23:02:58] UNUSED OPTIONS
6 [nobind]
7 [persist-tun]
10 [verb] [2]
11 [mute] [3]
18 [sndbuf] [393216]
19 [rcvbuf] [393216]
⏎[Feb 23, 2023, 23:02:58] EVENT: RESOLVE ⏎[Feb 23, 2023, 23:02:58] EVENT: WAIT ⏎[Feb 23, 2023, 23:02:58] WinCommandAgent: transmitting bypass route to 185.244.6.34
{
	"host" : "185.244.6.34",
	"ipv6" : false
}

⏎[Feb 23, 2023, 23:03:00] Transport Error: TCPv4 connect error on '185.244.6.34:9026' (185.244.6.34:9026): No connection could be made because the target machine actively refused it.
⏎[Feb 23, 2023, 23:03:00] Client terminated, restarting in 2000 ms...
⏎[Feb 23, 2023, 23:03:02] EVENT: RECONNECTING ⏎[Feb 23, 2023, 23:03:02] EVENT: RESOLVE ⏎[Feb 23, 2023, 23:03:02] EVENT: WAIT ⏎[Feb 23, 2023, 23:03:02] WinCommandAgent: transmitting bypass route to 185.244.6.34
{
	"host" : "185.244.6.34",
	"ipv6" : false
}

⏎[Feb 23, 2023, 23:03:04] Transport Error: TCPv4 connect error on '185.244.6.34:9026' (185.244.6.34:9026): No connection could be made because the target machine actively refused it.
⏎[Feb 23, 2023, 23:03:04] Client terminated, restarting in 2000 ms...
⏎[Feb 23, 2023, 23:03:05] EVENT: DISCONNECTED ⏎

I attach configuration Microtik (config_bac.rsc).
Also I attach OpenVPN server configuration:

ignore-unknown-option ncp-ciphers
port 9026
proto tcp6-server
dev tun0
server 192.168.222.0 255.255.255.0
management /var/run/pritunl_63f671662f45f66a1cdb6287.sock unix
management-client-auth
auth-user-pass-optional
topology subnet
tls-version-min 1.2
max-clients 2000
ping 10
ping-restart 80
persist-tun
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-256-CBC
auth SHA256
status-version 2
script-security 2
sndbuf 393216
rcvbuf 393216
reneg-sec 2592000
hash-size 1024 1024
txqueuelen 1000
verb 4
mute 8
client-to-client
comp-lzo no
push "comp-lzo no"
push "route 200.151.54.0 255.255.255.0"
push "route 8.8.8.8 255.255.255.255"

I draw your attention, couple of days ago it was wi-fi router Asus N300 instead of Microtik.
OpenVPN worked great for all clients.
What have I done wrong? Thanks in advance.

range · February 24, 2023, 7:03pm

UPD
My connection doesn’t work from local net. But now it works from external net (I didn’t change the rules).
How to configure rules for local net for port to be open?
Command telnet 185.244.6.34 9026 gives an error (timeout) in local net

Sob · February 24, 2023, 7:49pm

Your dstnat rule has options in-interface=pppoe-protocol-intercon and in-interface-list=WAN (both useless) and they limit from where it will work. Drop them and it will be better. And those 200.x.x.x addresses, did you also get them from ISP? If not, you shouldn’t use them and choose some from private ranges instead.

range · February 24, 2023, 8:31pm

I removed in-interface and in-interface-lists. Port ping still doesn’t work from local net:

telnet 185.244.6.34 9026  .... connection refused

. Also, OpenVPN clients do not connect to an OpenVPN server on the local network.

I configured these addresses (DHCP).
In what are they bad?
Updated configuration attach.

Sob · February 24, 2023, 8:49pm

Sorry, one more thing:

/ip firewall nat
add chain=srcnat src-address=200.151.54.0/24 dst-address=200.151.54.0/24 action=masquerade

And about those addresses, it’s just that they belong to someone else and it’s possible (even though not very likely) that some servers you’d want to access could be using the real ones, and you wouldn’t be able to access them. The right ones for private use are any from 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

range · February 25, 2023, 6:45am

Thank you so much! This rule works perfectly.

And yeah. I know about reserved addresses. I just thought that you mean something else Of course, I 'l change addresses

salmawisoky · December 1, 2023, 5:04am

How to configure rules for local net for port to be open? Drift Boss

NadiaEira · June 27, 2024, 9:45am

How can I set up rules to allow a specific port to be open for the local network?