openvpn routeros version 6.49.5 keeps reconnecting

shadowhawk3000 · April 19, 2022, 9:09pm

I have a RB750Gr3 with 6.49.5.
I am testing the router to replace the pfsense of my office, and to do that I need a vpn.
I followed this guide:

https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/

I got the vpn working, I got ping however the vpn keeps disconnecting and reconnecting

this is the log from the routerboard:

15:52:31 ovpn,info TCP connection established from 192.168.1.111
15:52:31 ovpn,debug,error,65320,43040,60940,60064,22284,17212,59728,60936,l2tp,info,60940,debug,update,65535,critical,34624,62096,21392,16704,17288,24008,43040,4043,16612,17212,43040,17212,warning duplicate packet, dropping
15:52:32 ovpn,info : using encoding - AES-128-CBC/SHA1
15:52:32 ovpn,info,account clave logged in, 192.168.8.42 from 192.168.1.111
15:52:32 ovpn,info : connected
15:53:12 ovpn,info : terminating… - nothing received for a while
15:53:12 ovpn,info,account clave logged out, 102 20974 23986 188 93 from 192.168.1.111
15:53:12 ovpn,info : disconnected
15:53:32 ovpn,info TCP connection established from 192.168.1.111
15:53:32 ovpn,debug,error,65320,43040,60940,60064,22284,17212,59728,60936,l2tp,info,60940,debug,update,65535,critical,34624,62096,21392,16704,17288,24008,43040,4043,16612,17212,43040,17212,warning duplicate packet, dropping
15:53:33 ovpn,info : using encoding - AES-128-CBC/SHA1
15:53:33 ovpn,info,account clave logged in, 192.168.8.43 from 192.168.1.111
15:53:33 ovpn,info : connected
15:54:13 ovpn,info : terminating… - nothing received for a while
15:54:13 ovpn,info,account clave logged out, 101 26701 27620 198 99 from 192.168.1.111
15:54:13 ovpn,info : disconnected
15:54:33 ovpn,info TCP connection established from 192.168.1.111
15:54:34 ovpn,debug,error,65320,43040,60940,60064,22284,17212,59728,60936,l2tp,info,60940,debug,update,65535,critical,34624,62096,21392,16704,17288,24008,43040,4043,16612,17212,43040,17212,warning duplicate packet, dropping
15:54:34 ovpn,info : using encoding - AES-128-CBC/SHA1
15:54:34 ovpn,info,account clave logged in, 192.168.8.42 from 192.168.1.111
15:54:34 ovpn,info : connected
15:54:42 ovpn,info : terminating… - peer disconnected
15:54:42 ovpn,info,account clave logged out, 8 0 0 0 0 from 192.168.1.111

any idea?

it is getting me crazy

shadowhawk3000 · April 20, 2022, 12:41pm

I checked more and found something interesting.
The active connection gets up, after some seconds the ping works. however some seconds later ping stops.

After a second connections gets active the old connection closes.

And the cycle repeats.

this is the client.ovpn:

client
dev tun
proto tcp-client
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
auth-nocache
mute 10
remote 192.168.1.245
port 1194
auth SHA1
cipher AES-256-CBC
redirect-gateway def1
push “route 192.168.88.0 255.255.255.0 192.168.1.245 1”
auth-user-pass credentials.txt
ca [inline]
cert [inline]
key [inline]

-----BEGIN CERTIFICATE-----

…
…

shadowhawk3000 · April 22, 2022, 9:54pm

I got it working better now.

I changed the client software:
“openvpn connect”

same certificates, now I got ping to the mikrotik, all the interfaces from the openvpn client.

And the windows client dhcp can ping to the ovpn.

However the client openvpn cannot ping to the clients dhcp of the mikrotik.

shadowhawk3000 · April 26, 2022, 1:32pm

solved.the solution was the ovpn file and using the application in windows and android, “openvpn connect”.

the openvpn is as follows:

client
dev tun
proto tcp-client
remote 192.168.1.245
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass credentials.txt
auth-nocache

;redirect-gateway def1

route-nopull
route 192.168.8.0 255.255.255.0
route 192.168.88.0 255.255.255.0
route 192.168.6.0 255.255.255.0

-----BEGIN CERTIFICATE----- . . . . -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- . . -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- . .

-----END RSA PRIVATE KEY-----

something additional:

if your connected to a network and your mikrotik is not the gateway:

/ip firewall nat add chain=srcnat dst-address=192.168.6.0/24 action=masquerade

this will change the address coming from the vpn. so they will look like they come from the router instead.