Hello dear MikroTik community,
I’m using ROS v7.17.2 on a domestic and a foreign VPS. On the domestic server there is an L2TP server and an OpenVPN server that VPN clients connect to.
There is then a 6to4 and GRE6 tunnel between the domestic and foreign VPSes which carries traffic from the domestic VPS to the foreign VPS; on the foreign VPS a masquerade NAT rule sends all the traffic to the internet.
I have a problem with the OpenVPN server. VPN clients connected to the OpenVPN server complain that their VPN speed is slow at times, but those connected to the L2TP server don’t face such issues.
I have run a bandwidth test between the domestic and foreign servers and there is no issue there: I comfortably get 1500 Mbps, and my VPN clients use 30 Mbps all together.
I have tried OpenVPN on different UDP and TCP ports but the issue remains the same. With OpenVPN the speed is sometimes good and sometimes really low, like 1 Mbps.
I also ran Ubuntu Linux on both the domestic and foreign VPS with OpenVPN on Linux, and I don’t see that issue on Linux, but I have to use MikroTik for this.
I have checked with my ISP and they say there are no restrictions on the OpenVPN protocol in general or on specific UDP or TCP ports. I have also checked with some clients: when the issue happens and OpenVPN becomes slow, all clients, even on different ISPs, face the problem simultaneously, which further supports my theory that the issue is indeed in the ROS configuration.
I will post the export from both the domestic and foreign ROS below. Am I doing something wrong? Is something in my configuration causing OpenVPN to be unstable? Why isn’t L2TP facing the same issue?
The only thing I have tried so far is disabling Fast Path and testing. It makes no difference whether Fast Path is allowed or not; the same issues happen both ways.
Export of the domestic ROS:
# Domestic VPS: the server that VPN clients (L2TP and OpenVPN) connect to.
# Reviewer comments are prefixed NOTE(review); nothing else in this export was changed.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
# GRE6 tunnel carried inside the 6to4 tunnel below (tunnel-in-tunnel: mtu 1436 inside mtu 1480).
/interface gre6
add local-address=fc00::1 mtu=1436 name=gre6-tunnel1 remote-address=fc00::9
/interface 6to4
# Active 6to4 tunnel to the foreign VPS; the two tunnel-broker entries that follow are disabled.
add !keepalive local-address=85.85.85.5 mtu=1480 name=6to4-tunnel1 \
remote-address=88.88.88.143
add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=yes !keepalive \
local-address=85.85.85.5 mtu=1480 name=sit1 remote-address=216.66.80.30
add comment="NetAssist IPv6 Tunnel Broker" disabled=yes !keepalive \
local-address=85.85.85.5 mtu=1480 name=sitnew remote-address=62.205.132.12
/interface ipipv6
# Disabled alternative to gre6-tunnel1 over the same endpoints (the foreign side has its copy enabled).
add disabled=yes local-address=fc00::1 mtu=1440 name=ipipv6-tunnel1 \
remote-address=fc00::9
/ip pool
# Client pools: 10.8.0.0/23 for L2TP, 10.10.0.0/23 for OpenVPN (the routing rules below match these subnets).
add name=l2tp ranges=10.8.0.2-10.8.1.254
add name=openvpn ranges=10.10.0.2-10.10.1.254
/ppp profile
add dns-server=8.8.8.8,1.1.1.1 local-address=10.8.0.1 name=l2tp remote-address=\
l2tp
# NOTE(review): change-tcp-mss=yes is set only on the openvpn profile; the l2tp profile leaves it unset.
# Together with the transport difference (three of the four OpenVPN instances below run over TCP), MSS/MTU
# handling across the 1436-byte gre6 path is one thing that is not identical for the two client groups.
# Worth checking against the slow periods, but not a proven cause.
add change-tcp-mss=yes dns-server=8.8.8.8,1.1.1.1 local-address=10.10.0.1 name=\
openvpn remote-address=openvpn
/routing table
add fib name=to-router2
/ip settings
# Fast Path disabled for testing; the post reports no difference either way.
set allow-fast-path=no
/interface l2tp-server server
# L2TP requires IPsec; the input chain accepts udp/500 and udp/4500 for it further down.
set default-profile=l2tp enabled=yes use-ipsec=required
/interface ovpn-server server
# Four OpenVPN instances sharing one certificate and profile: server1 tcp/1193, server2 with
# no port/protocol given (defaults), server3 udp on the default port, server4 tcp/443.
# NOTE(review): all four use auth=sha1 with CBC-only ciphers; ROS 7 also supports stronger hash and
# AEAD options. Tightening them is unlikely to affect the speed issue but is worth doing once it is resolved.
# NOTE(review): server2 and server3 share mac-address FE:C7:4B:F7:7A:34 -- confirm this is intended.
add auth=sha1 certificate=server cipher=aes128-cbc,aes192-cbc,aes256-cbc \
default-profile=openvpn disabled=no mac-address=FE:64:04:CC:CC:EB name=\
ovpn-server1 netmask=23 port=1193 redirect-gateway=def1
add auth=sha1 certificate=server cipher=aes128-cbc,aes192-cbc,aes256-cbc \
default-profile=openvpn disabled=no mac-address=FE:C7:4B:F7:7A:34 name=\
ovpn-server2 netmask=23 redirect-gateway=def1
add auth=sha1 certificate=server cipher=aes128-cbc,aes192-cbc,aes256-cbc \
default-profile=openvpn disabled=no mac-address=FE:C7:4B:F7:7A:34 name=\
ovpn-server3 netmask=23 protocol=udp redirect-gateway=def1
add auth=sha1 certificate=server cipher=aes128-cbc,aes192-cbc,aes256-cbc \
default-profile=openvpn disabled=no mac-address=FE:55:56:10:F5:7D name=\
ovpn-server4 netmask=23 port=443 redirect-gateway=def1
/ip address
add address=85.85.85.5/27 interface=ether1 network=85.85.85.0
add address=11.11.11.2/29 interface=gre6-tunnel1 network=11.11.11.0
/ip dhcp-client
# NOTE(review): a DHCP client on ether1 next to the static address and static default route on the same
# interface; if a lease offers a different gateway, a second default route can appear. Confirm it is intended.
add interface=ether1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
# NOTE(review): the input chain holds only these two accepts and no established/related accept or final drop,
# so the accepts change nothing and every local service (winbox on 5858, the bandwidth-test server, RADIUS
# incoming, the VPN ports) is reachable from any source. Add a drop for the rest and limit management to known addresses.
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add gateway=85.85.85.1
# VPN client traffic (selected by the routing rules below) leaves through the gre6 tunnel to the foreign VPS.
add dst-address=0.0.0.0/0 gateway=11.11.11.1 routing-table=to-router2
/ipv6 route
# These gateways sit on the disabled sit1/sitnew tunnels, so the routes stay inactive while those tunnels are disabled.
add disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f0a:42a::1 \
scope=30 target-scope=10
add disabled=no distance=1 dst-address=2000::/3 gateway=2a01:d0:ffff:2e77::1 \
scope=30 target-scope=10
/ip service
# Management: only winbox (moved to 5858) is left enabled. No address= restriction is set, so
# reachability depends entirely on the firewall, which has no input drop (see above).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=5858
set api-ssl disabled=yes
/ipv6 address
add address=fc00::1 interface=6to4-tunnel1
add address=2001:470:1f0a:42a::2 advertise=no interface=sit1
add address=2a01:d0:ffff:2e77::2 interface=sitnew
/ppp aaa
# PPP (L2TP and OpenVPN) authenticates against RADIUS, with 30s interim accounting updates.
set interim-update=30s use-circuit-id-in-nas-port-id=yes use-radius=yes
/ppp secret
# Local secret alongside RADIUS; no password appears in the export.
add name=aliali profile=openvpn
/radius
# NOTE(review): require-message-auth=no relaxes the Message-Authenticator check on RADIUS replies;
# enable it once the server sends the attribute. The RADIUS server is reached over the public uplink
# unless a tunnel to it exists, so consider carrying RADIUS over an encrypted path.
add address=37.202.202.202 require-message-auth=no service=ppp,hotspot
/radius incoming
# Accepts disconnect/CoA requests from the RADIUS server. With no input drop the port is open to any
# source; requests still have to carry the shared secret.
set accept=yes
/routing rule
# Policy routing: both VPN client subnets are looked up in to-router2 (default route via the gre6 tunnel).
add action=lookup src-address=10.8.0.0/23 table=to-router2
add action=lookup src-address=10.10.0.0/23 table=to-router2
/system note
set show-at-login=no
/tool bandwidth-server
# NOTE(review): unauthenticated bandwidth-test server behind an open input chain, so anyone can drive
# test traffic against this host. Set authenticate=yes or disable it when not testing.
set authenticate=no
Export of the foreign ROS:
# Foreign VPS: internet exit for the VPN client subnets. Reviewer comments are prefixed NOTE(review).
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface gre6
# GRE6 inside the 6to4 tunnel below; mirror of the domestic side (same MTUs).
add local-address=fc00::9 mtu=1436 name=gre6-tunnel1 remote-address=fc00::1
/interface 6to4
add !keepalive local-address=88.88.88.143 mtu=1480 name=6to4-tunnel1 \
remote-address=85.85.85.5
/interface ipipv6
# Enabled here but disabled on the domestic side, so it carries nothing; disable or remove it to avoid confusion.
add local-address=fc00::9 mtu=1440 name=ipipv6-tunnel1 remote-address=fc00::1
/disk
# Disk, wireless, SMB-user and serial-port entries as exported; nothing here is on the VPN path.
set slot1 slot=slot1
set slot2 slot=slot2
set slot3 slot=slot3
set slot4 slot=slot4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ip firewall connection tracking
# NOTE(review): UDP idle timeout set explicitly to 10s. This applies to NAT'd UDP flows from VPN clients
# leaving here (DNS, QUIC and similar), not to OpenVPN itself, which terminates on the domestic VPS.
set udp-timeout=10s
/ip settings
set allow-fast-path=no
/interface ovpn-server server
# NOTE(review): an instance with default settings (no certificate or profile). It lacks the disabled=no the
# domestic instances carry, so it is presumably disabled; remove it if it is not meant to serve clients.
add mac-address=FE:CB:DD:90:DD:3E name=ovpn-server1
/ip address
add address=11.11.11.1/29 interface=gre6-tunnel1 network=11.11.11.0
/ip dhcp-client
# ether1 takes its address and default route from DHCP; no static address is set on it here.
add interface=ether1
/ip firewall filter
# NOTE(review): output/forward drops toward private, CGNAT, link-local and a few specific ranges, but there is
# no input chain at all: winbox on 5858 and every other local service are reachable from any source.
# Add an established/related accept and a final input drop.
# The 10.0.0.0/16 drop (not /8) leaves the VPN pools 10.8.0.0/23 and 10.10.0.0/23 reachable for the return
# routes below; keep them excluded if the range is ever widened.
add action=drop chain=output disabled=yes dst-address=192.0.0.0/24
add action=drop chain=forward disabled=yes dst-address=192.0.0.0/24
add action=drop chain=output dst-address=141.101.78.0/23
add action=drop chain=output dst-address=173.245.48.0/20
add action=drop chain=forward dst-address=141.101.78.0/23
add action=drop chain=forward dst-address=173.245.48.0/20
add action=drop chain=output dst-address=172.16.0.0/12
add action=drop chain=output disabled=yes dst-address=192.168.0.0/16
add action=drop chain=output dst-address=100.64.0.0/10
add action=drop chain=output dst-address=169.254.0.0/16
add action=drop chain=output dst-address=10.0.0.0/16
add action=drop chain=forward dst-address=172.16.0.0/12
add action=drop chain=forward disabled=yes dst-address=192.168.0.0/16
add action=drop chain=forward dst-address=100.64.0.0/10
add action=drop chain=forward dst-address=169.254.0.0/16
add action=drop chain=forward dst-address=10.0.0.0/16
add action=drop chain=output dst-address=184.105.192.2
add action=drop chain=forward dst-address=184.105.192.2
add action=drop chain=output dst-address=91.207.138.0/23
add action=drop chain=forward dst-address=91.207.138.0/23
add action=drop chain=forward dst-port=70 protocol=tcp
add action=drop chain=output dst-port=70 protocol=tcp
add action=drop chain=forward dst-port=445 protocol=tcp
add action=drop chain=output dst-port=445 protocol=tcp
/ip firewall nat
# NOTE(review): masquerades every outgoing packet regardless of interface. Harmless with a single uplink,
# but out-interface=ether1 (or src-address set to the VPN pools) keeps the rule off tunnel-side traffic.
add action=masquerade chain=srcnat
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# Return routes for the VPN client pools back through the gre6 tunnel to the domestic VPS.
add dst-address=10.8.0.0/23 gateway=11.11.11.2
add dst-address=10.10.0.0/23 gateway=11.11.11.2
/ipv6 route
add disabled=no distance=1 dst-address=2000::/3 gateway=fe80::1%ether1 \
routing-table=main
/ip service
# Management: only winbox (on 5858) is enabled, with no address= restriction and no input filter (see the filter note).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=5858
set api-ssl disabled=yes
/ip smb shares
# Default share entry; SMB users are disabled above and no /ip smb enable line appears in the export, so this looks dormant.
set [ find default=yes ] directory=/pub
/ipv6 address
add address=fc00::9 interface=6to4-tunnel1
add address=2a01:4f8:c2c:fff1::1 interface=ether1
/system note
set show-at-login=no
Any help will be appreciated. Thank you.
Kind regards,