OpenVPN stop working

thunderos · December 14, 2022, 9:51pm

hello guys , i need help , i had a openvpn working few month ago , i dont use for a time

now when i try to connect i cant … i supuse that is for any update

i attach some config

any ideas?

/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" connection-state="" dst-port=1443 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=accept chain=forward comment="samsung port" disabled=yes dst-address=192.168.88.213 dst-port=2600 in-interface-list=WAN protocol=tcp

NAT

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

PROFIE

/ppp profile
add dns-server=8.8.8.8 local-address=192.168.8.254 name=OpenVPN-profile remote-address=vpn-pool use-encryption=yes
set *FFFFFFFE local-address=192.168.89.1 remote-address=*4

SERVER

/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 default-profile=OpenVPN-profile enabled=yes port=1443 require-client-certificate=yes

Here the log , the connection is established , but it client i get timeout

MickeyT · December 16, 2022, 8:00am

You haven’t mentioned what type of OpenVPN client you are using and it would be helpful to know what it is (e.g.: RouterOS, OpenVPN connect, etc.)

The first things that I would check are:

Server certificate expiration date,
Client certificate expiration date,
CRL expiration date (if CRL is configured), and
OpenVPN client configured cipher algorithms and key size (this is the error showing in the log you posted).

I got caught with a similar problem when the CRL had expired but I hadn’t realised and simply updating it fixed the problem.