OpenVPN server in tap/ethernet mode - netmask handling issue

Hello everyone,

I have several MikroTik routers (both hardware and CHR) with the latest stable firmware (currently, 6.39.2). I have set up an OpenVPN server on one of them and clients on the others. For my purposes I want tunnels to be established in tap/ethernet mode with a /30 IPv4 netmask. The clients run well as expected, but the server ignores the netmask property and assigns /32 to its ovpn-server interfaces.

The server is configured as follows:

/interface ovpn-server server         
set certificate=cert-XXX cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=default-encryption enabled=yes keepalive-timeout=30 \
    mac-address=XX:XX:XX:XX:XX:XX mode=ethernet netmask=30 \
    require-client-certificate=yes
    
/ppp secret
add local-address=10.0.108.25 name=test password=12345 profile=default-encryption remote-address=10.0.108.26 service=ovpn

/interface ovpn-server
add name=ovpns-test user=test

The corresponding client’s config is as follows:

/interface ovpn-client
add certificate=cert-YYY connect-to=ovpn.example.com mac-address=YY:YY:YY:YY:YY:YY \
    mode=ethernet name=ovpnc-test user=test password=12345 profile=default-encryption

What I have on the client, and it’s completely OK:

/ip address print detail
2 D address=10.0.108.26/30 network=10.0.108.24 interface=ovpnc-test actual-interface=ovpnc-test

What I expect to have on the server:

/ip address print detail
2 D address=10.0.108.25/30 network=10.0.108.24 interface=ovpns-test actual-interface=ovpns-test

What I actually have on the server:

/ip address print detail
2 D address=10.0.108.25/32 network=10.0.108.26 interface=ovpns-test actual-interface=ovpns-test

Has anyone encountered the same issue with an OpenVPN server in tap mode? Why does the server incorrectly assign a /32 netmask to ovpn-server interfaces instead of the /30 defined in its configuration while correctly assigning /30 to clients?

Update:

The official comment from Emils, MikroTik support:

The server side will use /32 regardless of what netmask you specify under OVPN server settings so that the router knows which client has which address. There should be no issues in such configuration.

Although I find more logic in applying the netmask defined in the config to both clients and ovpn-server interfaces, there is no point in arguing with support as they seem unwilling to review the RouterOS internal code to make its behavior more straightforward.

By the way, I suggest modifying the corresponding wiki page (https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN) to make it clear that in tap/ethernet mode the OpenVPN server assigns the defined netmask to clients only and ignores it for its own purposes.
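
An added example, not part of the original post: a Python check that parses the three `/ip address print detail` lines quoted above and derives the connected route each one implies, to compare what the /30 and the /32 forms put on-link. It assumes RouterOS builds the connected route from the `network=` value and the address prefix length (a /32 address whose `network=` is the peer being a point-to-point address); the function names are hypothetical.

```python
import ipaddress
import re

# The "/ip address print detail" lines quoted in the post.
CLIENT = ("2 D address=10.0.108.26/30 network=10.0.108.24 "
          "interface=ovpnc-test actual-interface=ovpnc-test")
SERVER_EXPECTED = ("2 D address=10.0.108.25/30 network=10.0.108.24 "
                   "interface=ovpns-test actual-interface=ovpns-test")
SERVER_ACTUAL = ("2 D address=10.0.108.25/32 network=10.0.108.26 "
                 "interface=ovpns-test actual-interface=ovpns-test")


def parse_address_line(line):
    """Return the key=value fields of one print-detail line as a dict."""
    return dict(re.findall(r"(\S+?)=(\S+)", line))


def connected_route(line):
    """Return (local address, connected route) implied by one address entry.

    Assumption: the connected route is network=<value> combined with the
    prefix length of address=<value>.
    """
    fields = parse_address_line(line)
    iface = ipaddress.ip_interface(fields["address"])
    network = ipaddress.ip_address(fields["network"])
    route = ipaddress.ip_network(f"{network}/{iface.network.prefixlen}")
    return iface.ip, route


def reaches(line, peer):
    """True if `peer` is on-link according to the entry's connected route."""
    _, route = connected_route(line)
    return ipaddress.ip_address(peer) in route


if __name__ == "__main__":
    for label, line in (("client", CLIENT),
                        ("server expected", SERVER_EXPECTED),
                        ("server actual", SERVER_ACTUAL)):
        local, route = connected_route(line)
        print(f"{label:16} local={local} connected={route}")
    # Both server forms reach the tunnel peer; only the /30 form also
    # treats the rest of 10.0.108.24/30 as on-link.
    print(reaches(SERVER_ACTUAL, "10.0.108.26"),
          reaches(SERVER_ACTUAL, "10.0.108.24"))
```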