OpenVPN has been set up, but getting connection refused

Hello. I’ve set up OpenVPN server on the hEX PoE, but no matter what I try I cannot get through the “connection refused” error.

/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes require-client-certificate=yes

PPP config is in default state, except for added user:

/ppp secret
add local-address=192.168.88.1 name=user1 password=password1 service=ovpn

Firewall:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

And I cannot capture any of the OVPN logs at all.

/system logging
add prefix=debug topics=ovpn

I tried adding an explicit allow firewall rule on src port 1194, but I wasn’t getting any traffic at that filter.

Not leaving openvpn client config here as it’s pretty standard, but the thing is that I cannot even telnet to 1194, always getting a drop.

This drives me nuts. This just gotta be obvious but I don’t get it, and what’s worse, I have no clue why I’m not seeing any logs. Any guidance will be greatly appreciated!

This is my working config for clients to connect. Just ensure the OpenVPN server is enabled and the correct certificate for the server has been selected. No firewall rules required to allow it to authenticate and connect.

/certificate
add name=ca-template common-name=remote.yourdomainname.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=remote.yourdomainname.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.yourdomainname.com days-valid=3650 key-size=2048 key-usage=tls-client

/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=YourSecretPass

/ip
pool add name="OpenVPN-pool" ranges=10.1.1.1-10.1.1.200

/ppp
profile add name="OpenVPN-profile" use-encryption=yes local-address=10.1.1.254 dns-server=10.1.1.254 remote-address=OpenVPN-pool
secret add name=your.username profile=OpenVPN-profile password=your.password
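
Added example, not part of either post: a simplified first-match model of the input chain posted in the question, evaluated for a new TCP connection to port 1194. The WAN-side origin, the ephemeral source port 50000 and all helper names are assumptions, and only the matchers these rules use are modeled.

```python
import shlex

# Input-chain rules as posted in the question's /ip firewall filter export.
RULES = '''\
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
'''

# Constructed packet (assumption): first SYN from a client on the WAN side,
# ephemeral source port, destination TCP 1194.
PACKET = {"connection-state": "new", "protocol": "tcp",
          "in-interface-list": "WAN", "dst-port": "1194", "src-port": "50000"}

def parse(export):
    """Turn 'add key=value ...' lines into dicts, keeping rule order."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:]))
    return rules

def matches(rule, pkt):
    """Simplified matcher: every condition on the rule must hold."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        negate = want.startswith("!")
        hit = pkt.get(key) in want.lstrip("!").split(",")
        if hit == negate:
            return False
    return True

def verdict(rules, pkt, chain="input"):
    """First matching rule decides; unmatched packets are accepted."""
    for index, rule in enumerate(rules):
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["action"], index
    return "accept", None

def with_rule(rules, new_rule, before):
    """Return a copy of the rule list with new_rule inserted at position 'before'."""
    return rules[:before] + parse(new_rule) + rules[before:]

if __name__ == "__main__":
    base = parse(RULES)
    for port in ("src-port=1194", "dst-port=1194"):
        extra = f"add action=accept chain=input protocol=tcp {port}"
        print(port, verdict(with_rule(base, extra, 3), PACKET))
```

With the posted rules alone the SYN reaches the "drop all not coming from LAN" rule. An accept rule on src-port=1194 never matches a client's ephemeral source port, while one on dst-port=1194 placed before the drop does.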