OpenVPN only reaching other OpenVPN connected clients

The connection to the OpenVPN server running on the MikroTik has been working fine for months on iPhone, Android and Apple Mac. Now I reinstalled Windows 11: a connection is established and routes are learned, though I am unable to reach any internal servers. When using the same profile on iPhone, Android and Mac, all is good.

So we can rule out routing issues on the server side. The weird thing is that I can reach other clients connected to the OpenVPN server and ping them. Hence data is passed and received.

I’m seeking some advice on how to troubleshoot this issue, as it seems to be a specific Windows machine / OS related issue. Routing tables are checked and correct.
When using a Windows SSTP VPN connection it connects fine and data is passed, though SSTP does not use UDP and is hence notoriously slow on high-latency internet connections.

I ruled out the OpenVPN client install, as I have a second profile to a Unifi device and that works just fine, though this is also a TCP-based solution.

Tested already without Windows Firewall enabled;
Tested with ‘redirect-gateway def1’ to pass all traffic;
Tested with my iPhone on the same WiFi and that worked fine - can access internal resources;
I can ping from the Windows machine with OpenVPN connected to the iPhone’s VPN address without issues;

Who might have a suggestion where to look?

On the OpenVPN server, do you push the correct routes with the correct mask?
And on the Windows 11, what internal IP do you have and what mask?
I also suggest you make a drawing with all your equipment and their IPs, for easier problem solving.

Windows Log:

[Nov 11, 2025, 16:30:54] START CONNECTION

[Nov 11, 2025, 16:30:54] ----- OpenVPN Start -----
OpenVPN core 3.11.1 ios arm64 64-bit

[Nov 11, 2025, 16:30:54] OpenVPN core 3.11.1 ios arm64 64-bit

[Nov 11, 2025, 16:30:54] Frame=512/2112/512 mssfix-ctrl=1250

[Nov 11, 2025, 16:30:54] NOTE: This configuration contains options that were not used:

[Nov 11, 2025, 16:30:54] Unsupported option (ignored)

[Nov 11, 2025, 16:30:54] 0 [user] [nobody]

[Nov 11, 2025, 16:30:54] 1 [group] [nogroup]

[Nov 11, 2025, 16:30:54] 2 [persist-tun]

[Nov 11, 2025, 16:30:54] 3 [persist-key]

[Nov 11, 2025, 16:30:54] 4 [connect-retry] [1]

[Nov 11, 2025, 16:30:54] 5 [explicit-exit-notify] [1]

[Nov 11, 2025, 16:30:54] Unused options, probably specified multiple times in the configuration file

[Nov 11, 2025, 16:30:54] 0 [client]

[Nov 11, 2025, 16:30:54] EVENT: RESOLVE

[Nov 11, 2025, 16:30:54] Contacting a.b.c.d:1194 via UDP

[Nov 11, 2025, 16:30:54] EVENT: WAIT

[Nov 11, 2025, 16:30:54] Connecting to [vpn.hidden.com]:1194 (a.b.c.d) via UDP

[Nov 11, 2025, 16:30:54] EVENT: CONNECTING

[Nov 11, 2025, 16:30:54] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client

[Nov 11, 2025, 16:30:54] Creds: Username/Password

[Nov 11, 2025, 16:30:54] Sending Peer Info:
IV_VER=3.11.1
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=8094
IV_MTU=1600
IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_SSO=webauth,crtext

[Nov 11, 2025, 16:30:55] SSL Handshake: peer certificate: CN=OpenVPN_MT, 2048 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD

[Nov 11, 2025, 16:30:55] Session is ACTIVE

[Nov 11, 2025, 16:30:55] EVENT: GET_CONFIG

[Nov 11, 2025, 16:30:55] Sending PUSH_REQUEST to server...

[Nov 11, 2025, 16:30:55] OPTIONS:
0 [redirect-gateway] [def1]
1 [ping] [20]
2 [ping-restart] [60]
3 [topology] [subnet]
4 [route-gateway] [192.168.1.252]
5 [route] [10.0.0.0/8]
6 [route] [172.16.0.0/12]
7 [route] [192.168.0.0/16]
8 [ifconfig] [172.31.32.251] [255.255.255.0]
9 [redirect-gateway] [def1]
10 [peer-id] [5]

[Nov 11, 2025, 16:30:55] PROTOCOL OPTIONS:
key-derivation: OpenVPN PRF
data channel: cipher AES-256-GCM, peer-id 5

[Nov 11, 2025, 16:30:55] EVENT: ASSIGN_IP

[Nov 11, 2025, 16:30:55] NIP: preparing TUN network settings

[Nov 11, 2025, 16:30:55] NIP: init TUN network settings with endpoint: a.b.c.d

[Nov 11, 2025, 16:30:55] NIP: adding IPv4 address to network settings 172.31.32.251/255.255.255.0

[Nov 11, 2025, 16:30:55] NIP: adding (included) IPv4 route 172.31.32.0/24

[Nov 11, 2025, 16:30:55] NIP: adding (included) IPv4 route 10.0.0.0/8

[Nov 11, 2025, 16:30:55] NIP: adding (included) IPv4 route 172.16.0.0/12

[Nov 11, 2025, 16:30:55] NIP: adding (included) IPv4 route 192.168.0.0/16

[Nov 11, 2025, 16:30:55] NIP: redirecting all IPv4 traffic to TUN interface

[Nov 11, 2025, 16:30:55] NIP: allowFamily(AF_INET, 1)

[Nov 11, 2025, 16:30:55] NIP: allowFamily(AF_INET6, 1)

[Nov 11, 2025, 16:30:55] NIP: Setting DNS options

[Nov 11, 2025, 16:30:55] NIP: No DNS search domains provided.

[Nov 11, 2025, 16:30:55] NIP: No DNS match domains provided.

[Nov 11, 2025, 16:30:55] NIP: adding DNS 8.8.8.8

[Nov 11, 2025, 16:30:55] NIP: adding DNS 8.8.4.4

[Nov 11, 2025, 16:30:55] NIP: setting MTU to 1500

[Nov 11, 2025, 16:30:55] Connected via NetworkExtensionTUN

[Nov 11, 2025, 16:30:55] EVENT: CONNECTED MySecretName@vpn.hidden.com:1194 (a.b.c.d) via /UDP on NetworkExtensionTUN/172.31.32.251/ gw=[/] mtu=(default)

[Nov 11, 2025, 16:31:09] EVENT: DISCONNECTED

[Nov 11, 2025, 16:31:09] EVENT: CORE_THREAD_DONE

[Nov 11, 2025, 16:31:09] EVENT: DISCONNECT_PENDING

[Nov 11, 2025, 16:31:09] Raw stats on disconnect:
BYTES_IN : 92086
BYTES_OUT : 58735
PACKETS_IN : 183
PACKETS_OUT : 193
TUN_BYTES_IN : 50814
TUN_BYTES_OUT : 84814
TUN_PACKETS_IN : 182
TUN_PACKETS_OUT : 171

[Nov 11, 2025, 16:31:09] Performance stats on disconnect:
CPU usage (microseconds): 109645
Tunnel compression ratio (uplink): 1.15588
Tunnel compression ratio (downlink): 1.08574
Network bytes per CPU second: 1375539
Tunnel bytes per CPU second: 1236973

iPhone Log:

[Nov 11, 2025, 16:33:42] EVENT: DISCONNECTED
[Nov 11, 2025, 16:33:42] SetupClient: signaling tun destroy event
[Nov 11, 2025, 16:33:28] EVENT: CONNECTED MySecretName@vpn.hidden.com:1194 (a.b.c.d) via /UDP on TUN_WIN/172.31.32.247/ gw=[192.168.1.252/] mtu=(default)
[Nov 11, 2025, 16:33:28] Connected via TUN_WIN
[Nov 11, 2025, 16:33:28] SetupClient: transmitting tun setup list to \.\pipe\agent_ovpnconnect
{
"allow_local_dns_resolvers" : false,
"confirm_event" : "2c12000000000000",
"destroy_event" : "6012000000000000",
"tun" :
{
"add_routes" :
[
{
"address" : "10.0.0.0",
"gateway" : "",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 8
},
{
"address" : "172.16.0.0",
"gateway" : "",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 12
},
{
"address" : "192.168.0.0",
"gateway" : "",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 16
}
],
"block_ipv6" : false,
"block_outside_dns" : false,
"dns_options" :
{
"from_dhcp_options" : true,
"servers" :
{
"0" :
{
"addresses" :
[
{
"address" : "102.168.1.6"
},
{
"address" : "192.168.1.16"
}
]
}
}
},
"layer" : 3,
"mtu" : 1500,
"remote_address" :
{
"address" : "a.b.c.d",
"ipv6" : false
},
"reroute_gw" :
{
"flags" : 275,
"ipv4" : true,
"ipv6" : false
},
"route_metric_default" : -1,
"session_name" : "vpn.hidden.com",
"tunnel_address_index_ipv4" : 0,
"tunnel_address_index_ipv6" : -1,
"tunnel_addresses" :
[
{
"address" : "172.31.32.247",
"gateway" : "192.168.1.252",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 24
}
]
},
"tun_type" : 0
}
POST np://[\.\pipe\agent_ovpnconnect]/tun-setup : 200 OK
TAP ADAPTERS:
guid='{D2251AD2-FA8D-418D-81B9-B8E21E413128}' index=10 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\.\Global{D2251AD2-FA8D-418D-81B9-B8E21E413128}.tap" SUCCEEDED
TAP-Windows Driver Version 9.27
ActionDeleteAllRoutesOnInterface iface_index=10
netsh interface ip set interface 10 metric=9000
Ok.
netsh interface ip set address 10 static 172.31.32.247 255.255.255.0 gateway=192.168.1.252 store=active
IPHelper: add route 10.0.0.0/8 10 192.168.1.252 metric=-1
IPHelper: add route 172.16.0.0/12 10 192.168.1.252 metric=-1
IPHelper: add route 192.168.0.0/16 10 192.168.1.252 metric=-1
netsh interface ip add route a.b.c.d/32 14 10.198.50.159 store=active
The object already exists.
netsh interface ip add route 0.0.0.0/1 10 192.168.1.252 store=active
Ok.
netsh interface ip add route 128.0.0.0/1 10 192.168.1.252 store=active
Ok.
netsh interface ip set dnsservers 10 static 102.168.1.6 register=primary validate=no
netsh interface ip add dnsservers 10 192.168.1.16 2 validate=no
NRPT::ActionCreate pid=[2220] domains= dns_servers=[102.168.1.6,192.168.1.16] dnssec=[0] id=[OpenVPNDNSRouting-2220]
DNS::ActionApply: successful
ActionBase openvpn_app_path=C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe tap_index=10 enable=1
permit IPv4 requests from OpenVPN app
permit IPv6 requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
block IPv4 DNS requests to loopback from other apps
block IPv6 DNS requests to loopback from other apps
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP: ARP flush succeeded
TAP handle: 900f000000000000
[Nov 11, 2025, 16:33:27] CAPTURED OPTIONS:
Session Name: vpn.hidden.com
Layer: OSI_LAYER_3
MTU: 1500
Remote Address: a.b.c.d
Tunnel Addresses:
172.31.32.247/24 -> 192.168.1.252
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv4: no
Block IPv6: no
Block local DNS: no
Add Routes:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Exclude Routes:
DNS Servers:
Priority: 0
Addresses:
102.168.1.6
192.168.1.16
Values from dhcp-options: true
[Nov 11, 2025, 16:33:27] EVENT: ASSIGN_IP
[Nov 11, 2025, 16:33:27] PROTOCOL OPTIONS:
key-derivation: OpenVPN PRF
data channel: cipher AES-256-GCM, peer-id 11
[Nov 11, 2025, 16:33:27] OPTIONS:
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [102.168.1.6]
2 [dhcp-option] [DNS] [192.168.1.16]
3 [ping] [20]
4 [ping-restart] [60]
5 [topology] [subnet]
6 [route-gateway] [192.168.1.252]
7 [route] [10.0.0.0/8]
8 [route] [172.16.0.0/12]
9 [route] [192.168.0.0/16]
10 [ifconfig] [172.31.32.247] [255.255.255.0]
11 [redirect-gateway] [def1]
12 [peer-id] [11]
[Nov 11, 2025, 16:33:26] Sending PUSH_REQUEST to server...
[Nov 11, 2025, 16:33:26] EVENT: GET_CONFIG
[Nov 11, 2025, 16:33:26] Session is ACTIVE
[Nov 11, 2025, 16:33:26] SSL Handshake: peer certificate: CN=OpenVPN_MT, 2048 bit RSA, cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
[Nov 11, 2025, 16:33:25] Sending Peer Info:
IV_VER=3.11.3
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=8094
IV_MTU=1600
IV_CIPHERS=none:AES-128-CBC:AES-192-CBC:AES-256-CBC:DES-CBC:DES-EDE3-CBC:BF-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305
IV_GUI_VER=OCWindows_3.8.0-4528
IV_SSO=webauth,crtext
[Nov 11, 2025, 16:33:25] Creds: Username/Password
[Nov 11, 2025, 16:33:25] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
[Nov 11, 2025, 16:33:25] EVENT: CONNECTING
[Nov 11, 2025, 16:33:25] Connecting to [vpn.hidden.com]:1194 (a.b.c.d) via UDP
[Nov 11, 2025, 16:33:25] WinCommandAgent: transmitting bypass route to a.b.c.d
{
"host" : "a.b.c.d",
"ipv6" : false
}
[Nov 11, 2025, 16:33:25] EVENT: WAIT
[Nov 11, 2025, 16:33:25] Contacting a.b.c.d:1194 via UDP
[Nov 11, 2025, 16:33:25] EVENT: RESOLVE
[Nov 11, 2025, 16:33:25] 0 [client]
[Nov 11, 2025, 16:33:25] Unused options, probably specified multiple times in the configuration file
[Nov 11, 2025, 16:33:25] 5 [explicit-exit-notify] [1]
[Nov 11, 2025, 16:33:25] 4 [connect-retry] [1]
[Nov 11, 2025, 16:33:25] 3 [persist-key]
[Nov 11, 2025, 16:33:25] 2 [persist-tun]
[Nov 11, 2025, 16:33:25] 1 [group] [nogroup]
[Nov 11, 2025, 16:33:25] 0 [user] [nobody]
[Nov 11, 2025, 16:33:25] Unsupported option (ignored)
[Nov 11, 2025, 16:33:25] NOTE: This configuration contains options that were not used:
[Nov 11, 2025, 16:33:25] Frame=512/2112/512 mssfix-ctrl=1250
[Nov 11, 2025, 16:33:25] OpenVPN core 3.11.3 win x86_64 64-bit OVPN-DCO built on Sep 16 2025 15:58:53


You asked one more question, which is the internal network IP address used on the client side:
Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::6b93:5841:3f80:9840%14
IPv4 Address. . . . . . . . . . . : 10.198.50.232
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.198.50.159

As our network is 192.168.0.0/23, this should not pose an issue. As the iPhone is connected to the same hotel WiFi and is able to connect to internal resources, we can rule out routing and metric issues.

Why the Windows machine can reach the VPN IP of the iPhone is strange, though it shows traffic somehow gets passed over the VPN.

We push: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Though that is not the issue. We have been running without routes for a long time and just push everything through using ‘redirect-gateway def1’ in the profile.

Setup is as following:

Windows 11 → Internet (hotel / 5g tethering) → KPN 4Gbps fiber (routed subnet) → Mikrotik CCR2116-12G-4S+ → internal network (192.168.0.0/23)

Internally there are 2 more breakouts for redundancy: 1 Ziggo cable modem 1Gbps/100Mbps, and a 5G modem dial-out. In the network there is a Cisco ASA for Ziggo and a Unifi Pro connected to the MikroTik on a different public IP. All of this is just FYI, as they are not really part of the communication flows; merely to sketch that networking is something we know. Cisco AnyConnect is available on the ASA with a different private range; Unifi also has an OpenVPN server with a different private range. So we can pick and choose depending on what is needed. The remainder of the connections are all IPsec towards our customers.

As the iPhone uses the same profile and can reach internal hosts, and we have been using this for months without issues on non-Windows machines, we can rule out anything routing-related on the network side. Otherwise the iPhone would not be able to reach internal resources either.

And that is what makes this strange.

Forgot to mention that we also tried an older OpenVPN client, but that made no difference.
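A check script added to this thread (not OpenVPN, MikroTik or the poster's own code) that parses the pushed OPTIONS block and the Windows Wi-Fi adapter settings quoted above and flags conditions worth verifying before digging into the client: a route-gateway that lies outside the tunnel subnet handed to the adapter, a pushed DNS server that no pushed route covers, an option pushed twice, an internal network not covered by any pushed route, and a pushed route that overlaps the client's own LAN. The sample input is copied from the Windows log in the thread; the finding codes and the choice of checks are this script's own, and the thread does not establish which of these findings, if any, explains the symptom.

```python
"""Sanity checks on an OpenVPN 3 'OPTIONS:' dump against the client's LAN.

Added example for this thread, not OpenVPN or MikroTik project code.
Finding codes are this script's own invention.
"""
import ipaddress
import re

# Constructed sample: the OPTIONS block copied from the Windows log in the thread.
PUSHED_OPTIONS = """\
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [102.168.1.6]
2 [dhcp-option] [DNS] [192.168.1.16]
3 [ping] [20]
4 [ping-restart] [60]
5 [topology] [subnet]
6 [route-gateway] [192.168.1.252]
7 [route] [10.0.0.0/8]
8 [route] [172.16.0.0/12]
9 [route] [192.168.0.0/16]
10 [ifconfig] [172.31.32.247] [255.255.255.0]
11 [redirect-gateway] [def1]
12 [peer-id] [11]
"""

# Constructed sample: the Windows Wi-Fi adapter settings quoted in the thread.
LAN = {"ip": "10.198.50.232", "mask": "255.255.255.0", "gateway": "10.198.50.159"}

# Internal network the poster wants to reach (from the thread).
INTERNAL_NETS = ["192.168.0.0/23"]

BRACKET_RE = re.compile(r"\[([^\]]*)\]")


def parse_options(text):
    """Turn lines like '7 [route] [10.0.0.0/8]' into (name, [args]) tuples."""
    parsed = []
    for line in text.splitlines():
        fields = BRACKET_RE.findall(line)
        if fields:
            parsed.append((fields[0], fields[1:]))
    return parsed


def check_pushed_options(options, lan, internal_nets):
    """Return a list of (code, detail) findings about the pushed configuration."""
    findings = []
    routes, dns, counts = [], [], {}
    route_gw = ifconfig = None
    for name, args in options:
        key = (name, tuple(args))
        counts[key] = counts.get(key, 0) + 1
        if name == "route":
            routes.append(ipaddress.ip_network(args[0], strict=False))
        elif name == "route-gateway":
            route_gw = ipaddress.ip_address(args[0])
        elif name == "ifconfig":
            ifconfig = ipaddress.ip_interface(f"{args[0]}/{args[1]}")
        elif name == "dhcp-option" and args and args[0] == "DNS":
            dns.append(ipaddress.ip_address(args[1]))

    # The exact same option line pushed more than once (the client logs this too).
    for (name, args), n in counts.items():
        if n > 1:
            findings.append(("DUPLICATE_OPTION", f"{name} {' '.join(args)} pushed {n} times"))

    # The Windows client installs every pushed route via route-gateway (the
    # IPHelper lines in the log), so check that the gateway sits on the tunnel
    # subnet the adapter was just configured with.
    if route_gw is not None and ifconfig is not None and route_gw not in ifconfig.network:
        findings.append(("GATEWAY_OFF_SUBNET",
                         f"route-gateway {route_gw} is outside tunnel subnet {ifconfig.network}"))

    # A pushed DNS server that is neither inside a pushed route nor a private
    # address will only be reachable through the redirected default route.
    for server in dns:
        if not any(server in net for net in routes) and not server.is_private:
            findings.append(("DNS_OUTSIDE_ROUTES",
                             f"DNS server {server} is not inside any pushed route"))

    # Every internal network the user wants must be covered by a pushed route.
    for target in map(ipaddress.ip_network, internal_nets):
        if not any(target.subnet_of(net) for net in routes):
            findings.append(("INTERNAL_UNROUTED", f"{target} is not covered by a pushed route"))

    # Informational: a pushed route overlapping the client's own LAN. The on-link
    # LAN route is more specific and still wins for local traffic.
    lan_net = ipaddress.ip_interface(f"{lan['ip']}/{lan['mask']}").network
    for net in routes:
        if lan_net.overlaps(net):
            findings.append(("LAN_OVERLAP", f"local LAN {lan_net} lies inside pushed route {net}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_pushed_options(parse_options(PUSHED_OPTIONS), LAN, INTERNAL_NETS):
        print(f"{code:20} {detail}")
```

Run against the thread's data, it reports the duplicated redirect-gateway, the route-gateway 192.168.1.252 outside 172.31.32.0/24, the DNS server 102.168.1.6 outside every pushed route, and the hotel LAN 10.198.50.0/24 overlapping the pushed 10.0.0.0/8; 192.168.0.0/23 is covered by the pushed 192.168.0.0/16. To compare the Windows and iPhone connections, paste each client's OPTIONS block into PUSHED_OPTIONS and diff the findings.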