Hi,
I’m running RouterOS v6.42.7 on our router and I’m trying to configure an OpenVPN server. The router has the default configuration except for the WLAN and a few NAT redirections.
I’ve been through a few articles and here are the steps I’ve taken:
/certificate
add name=ca-template common-name=domain.ltd days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.domain.ltd days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.domain.ltd days-valid=3650 key-size=2048 key-usage=tls-client
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=strongpassword
/ip
pool add name="vpn-pool" ranges=192.2.1.100-192.2.1.200
/ppp
profile add name="vpn-profile" use-encryption=yes local-address=192.2.1.1 dns-server=192.2.1.1 remote-address=vpn-pool
secret add name=username profile=vpn-profile password=userpassword
/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
/ip firewall filter
add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" place-before=1
If I issue an OpenVPN connection from within the router LAN, it works fine.
But if I issue a connection from the router’s public address (behind a crappy router from my ISP), I get this error:
WARNING: Bad encapsulated packet length from peer (12850), which must be > 0 and <= 1626 -- please make sure that --tun-mtu and --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting a restart...]
OpenVPN server MTU is set to 1500
Crappy ISP modem is set to 1500
router’s ETH1 is set to default 1500 / actual 1500
The firewall rule is on second position after passthrough / forward rule. I can see 0 B and 0 packets on that rule.
What am I missing?
Thanks,
-Damien
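Editor's note on the warning quoted above, with an added example that is not part of Damien's post and not RouterOS or OpenVPN code. OpenVPN over TCP prefixes every packet with a 2-byte big-endian length, and the client emits exactly this warning when that prefix is 0 or larger than its maximum (1626 here, copied from the warning). The script below re-implements that check and decodes the reported value: 12850 is 0x3232, i.e. the client read the ASCII bytes "22" where an OpenVPN length prefix should have been, which is the signature of a peer that is not speaking OpenVPN (something else answered on that public port) rather than a genuine MTU mismatch. The sample byte strings are constructed for the example; the 0x38 opcode byte is the usual first byte of a client hard-reset and is only there to make the good frame look realistic.

```python
#!/usr/bin/env python3
"""Re-implement OpenVPN's TCP framing sanity check and decode a reported
bad length. Added example, not OpenVPN or RouterOS code."""
import struct

# Limit printed in the warning from the post (depends on tun-mtu/link-mtu).
MAX_LEN = 1626


def parse_length_prefix(data: bytes) -> int:
    """Return the 16-bit big-endian length that precedes every
    TCP-encapsulated OpenVPN packet."""
    if len(data) < 2:
        raise ValueError("need at least 2 bytes for a length prefix")
    return struct.unpack("!H", data[:2])[0]


def length_to_bytes(n: int) -> bytes:
    """Inverse of parse_length_prefix: the two wire bytes for a length."""
    return struct.pack("!H", n)


def looks_like_text(data: bytes) -> bool:
    """True if both prefix bytes are printable ASCII, a strong hint that the
    peer sent a text protocol (HTTP, SMTP banner, ...) instead of OpenVPN."""
    return all(0x20 <= b < 0x7F for b in data[:2])


def check_frame(data: bytes, max_len: int = MAX_LEN) -> tuple[bool, str]:
    """Mimic the check behind 'Bad encapsulated packet length from peer'.
    Returns (ok, message); on failure the message shows the raw prefix
    bytes and their ASCII rendering to make a non-OpenVPN peer obvious."""
    n = parse_length_prefix(data)
    if 0 < n <= max_len:
        return True, f"length {n} ok"
    ascii_view = data[:2].decode("ascii", errors="replace")
    hint = " (printable ASCII: peer is probably not OpenVPN)" if looks_like_text(data) else ""
    return False, (
        f"Bad encapsulated packet length from peer ({n}), which must be > 0 "
        f"and <= {max_len}; prefix bytes {data[0]:#04x} {data[1]:#04x} "
        f"= ASCII {ascii_view!r}{hint}"
    )


# Constructed samples (not captured traffic).
# A plausible OpenVPN frame: 2-byte length 42, then opcode byte 0x38
# (P_CONTROL_HARD_RESET_CLIENT_V2, key id 0) and filler.
GOOD_FRAME = length_to_bytes(42) + b"\x38" + b"\x00" * 41
# Whatever answered on the public port: starts with the text "22".
TEXT_REPLY = b"22 some text protocol banner\r\n"


def decode_reported_length(n: int) -> str:
    """Show what the two wire bytes behind a reported bad length were."""
    raw = length_to_bytes(n)
    return f"{n} = {n:#06x} = bytes {raw!r}"


if __name__ == "__main__":
    print(decode_reported_length(12850))   # 12850 = 0x3232 = bytes b'22'
    print(check_frame(GOOD_FRAME))
    print(check_frame(TEXT_REPLY))
```

The practical check this suggests: from outside, open a raw TCP connection to the public address on 1194 (for example with a telnet or netcat client) and look at what, if anything, the far end sends first; an OpenVPN server sends nothing until the client speaks, so any banner or text means the ISP modem is answering, or forwarding, to something other than the RouterOS OpenVPN server.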