OVPN can not connect

Hello everyone!

I just created an OVPN server on a Mikrotik router, then tried to connect from an outside Windows machine and got the following log on the Mikrotik:

# oct/13/2020 10:57:59 by RouterOS 6.47.1
# software id = 6Q79-08JT
#
10:56:43 ovpn,info TCP connection established from externalIP 
10:56:43 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=c8a25672bf5ba817 pid=0 DATA len=0 
10:56:44 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=02bf969f784e9c52 pid=0 DATA len=0 
10:56:44 ovpn,debug,packet sent P_ACK kid=0 sid=c8a25672bf5ba817 [0 sid=02bf969f784e9c52] DATA len=0 
10:56:44 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=02bf969f784e9c52 [0 sid=c8a25672bf5ba817] pid=0 DATA len=0 
10:56:44 ovpn,debug,error,1380,3184,4180,54544,23876,65356,720,4176,l2tp,info,4180,critical,79,65535,critical,3720,61868,25488,79,65432,28056,28224,4043,64756,65356,42000,65356,pppoe duplicate packet, dropping 
10:56:44 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=02bf969f784e9c52 pid=1 DATA len=277 
10:56:44 ovpn,debug,packet sent P_ACK kid=0 sid=c8a25672bf5ba817 [1 sid=02bf969f784e9c52] DATA len=0 
10:56:44 ovpn,debug,packet sent P_CONTROL kid=0 sid=c8a25672bf5ba817 pid=1 DATA len=1400 
10:56:44 ovpn,debug,packet sent P_CONTROL kid=0 sid=c8a25672bf5ba817 pid=2 DATA len=777 
10:56:44 ovpn,debug,packet rcvd P_ACK kid=0 sid=02bf969f784e9c52 [1 sid=c8a25672bf5ba817] DATA len=0 
10:56:44 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=02bf969f784e9c52 [2 sid=c8a25672bf5ba817] pid=2 DATA len=1170 
10:56:44 ovpn,debug,packet sent P_ACK kid=0 sid=c8a25672bf5ba817 [2 sid=02bf969f784e9c52] DATA len=0 
10:56:44 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=02bf969f784e9c52 pid=3 DATA len=918 
10:56:44 ovpn,debug,packet sent P_ACK kid=0 sid=c8a25672bf5ba817 [3 sid=02bf969f784e9c52] DATA len=0 
10:56:44 ovpn,debug,packet sent P_CONTROL kid=0 sid=c8a25672bf5ba817 pid=3 DATA len=51 
10:56:44 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=02bf969f784e9c52 [3 sid=c8a25672bf5ba817] pid=4 DATA len=494 
10:56:44 ovpn,debug,packet sent P_ACK kid=0 sid=c8a25672bf5ba817 [4 sid=02bf969f784e9c52] DATA len=0 
10:56:44 ovpn,info : using encoding - AES-256-CBC/SHA1 
10:56:44 ovpn,info,account usuario logged in, 192.168.16.254 from externalIP 
10:56:44 ovpn,debug,packet sent P_CONTROL kid=0 sid=c8a25672bf5ba817 pid=4 DATA len=227 
10:56:44 ovpn,debug,packet rcvd P_ACK kid=0 sid=02bf969f784e9c52 [4 sid=c8a25672bf5ba817] DATA len=0 
10:56:44 ovpn,info <ovpn-usuario>: connected 
10:56:45 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=02bf969f784e9c52 pid=5 DATA len=42 
10:56:45 ovpn,debug,packet sent P_ACK kid=0 sid=c8a25672bf5ba817 [5 sid=02bf969f784e9c52] DATA len=0 
10:56:50 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=02bf969f784e9c52 pid=6 DATA len=42 
10:56:50 ovpn,debug,packet sent P_ACK kid=0 sid=c8a25672bf5ba817 [6 sid=02bf969f784e9c52] DATA len=0 
10:56:55 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=02bf969f784e9c52 pid=7 DATA len=42 
10:56:55 ovpn,debug,packet sent P_ACK kid=0 sid=c8a25672bf5ba817 [7 sid=02bf969f784e9c52] DATA len=0 
10:56:55 ovpn,debug,packet sent P_CONTROL kid=0 sid=c8a25672bf5ba817 pid=5 DATA len=174 
10:56:56 ovpn,debug <externalIP>: disconnected <peer disconnected> 
10:56:56 ovpn,info <ovpn-usuario>: terminating... - peer disconnected 
10:56:56 ovpn,info,account usuario logged out, 11 0 0 0 0 from externalIP 
10:56:56 ovpn,info <ovpn-usuario>: disconnected 
10:57:45 system,info,account user soportesuryan logged in from externalIP via telnet

This is the error in the Windows ovpn client:
[code1]2020-10-13 10:56:11 DEPRECATED OPTION: --cipher set to ‘AES-256-CBC’ but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add ‘AES-256-CBC’ to --data-ciphers or change --cipher ‘AES-256-CBC’ to --data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.
2020-10-13 10:56:11 OpenVPN 2.5_rc2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 30 2020
2020-10-13 10:56:11 Windows version 10.0 (Windows 10 or greater) 64bit
2020-10-13 10:56:11 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
Enter Management Password:
2020-10-13 10:56:11 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2020-10-13 10:56:11 Need hold release from management interface, waiting…
2020-10-13 10:56:11 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2020-10-13 10:56:11 MANAGEMENT: CMD ‘state on’
2020-10-13 10:56:11 MANAGEMENT: CMD ‘log all on’
2020-10-13 10:56:11 MANAGEMENT: CMD ‘echo all on’
2020-10-13 10:56:11 MANAGEMENT: CMD ‘bytecount 5’
2020-10-13 10:56:11 MANAGEMENT: CMD ‘hold off’
2020-10-13 10:56:11 MANAGEMENT: CMD ‘hold release’
2020-10-13 10:56:11 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
2020-10-13 10:56:11 MANAGEMENT: CMD ‘password […]’
2020-10-13 10:56:11 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
2020-10-13 10:56:11 TCP/UDP: Preserving recently used remote address: [AF_INET]181.14.193.114:1194
2020-10-13 10:56:11 Socket Buffers: R=[65536->65536] S=[65536->65536]
2020-10-13 10:56:11 Attempting to establish TCP connection with [AF_INET]181.14.193.114:1194 [nonblock]
2020-10-13 10:56:11 MANAGEMENT: >STATE:1602597371,TCP_CONNECT,
2020-10-13 10:56:12 TCP connection established with [AF_INET]181.14.193.114:1194
2020-10-13 10:56:12 TCP_CLIENT link local (bound): [AF_INET][undef]:0
2020-10-13 10:56:12 TCP_CLIENT link remote: [AF_INET]181.14.193.114:1194
2020-10-13 10:56:12 MANAGEMENT: >STATE:1602597372,WAIT,
2020-10-13 10:56:12 MANAGEMENT: >STATE:1602597372,AUTH,
2020-10-13 10:56:12 TLS: Initial packet from [AF_INET]181.14.193.114:1194, sid=c8a25672 bf5ba817
2020-10-13 10:56:13 VERIFY OK: nsCertType=SERVER
2020-10-13 10:56:13 VERIFY OK: depth=0, CN=servidor
2020-10-13 10:56:13 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2020-10-13 10:56:13 [servidor] Peer Connection Initiated with [AF_INET]181.14.193.114:1194
2020-10-13 10:56:14 MANAGEMENT: >STATE:1602597374,GET_CONFIG,
2020-10-13 10:56:14 SENT CONTROL [servidor]: ‘PUSH_REQUEST’ (status=1)
2020-10-13 10:56:19 SENT CONTROL [servidor]: ‘PUSH_REQUEST’ (status=1)
2020-10-13 10:56:24 SENT CONTROL [servidor]: ‘PUSH_REQUEST’ (status=1)
2020-10-13 10:56:24 PUSH: Received control message: ‘PUSH_REPLY,dhcp-option DNS 192.168.16.1,ping 20,ping-restart 60,topology subnet,route-gateway 192.168.16.1,ifconfig 192.168.16.254 255.255.255.0’
2020-10-13 10:56:24 OPTIONS IMPORT: timers and/or timeouts modified
2020-10-13 10:56:24 OPTIONS IMPORT: --ifconfig/up options modified
2020-10-13 10:56:24 OPTIONS IMPORT: route-related options modified
2020-10-13 10:56:24 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2020-10-13 10:56:24 Using peer cipher ‘AES-256-CBC’
2020-10-13 10:56:24 Outgoing Data Channel: Cipher ‘AES-256-CBC’ initialized with 256 bit key
2020-10-13 10:56:24 Outgoing Data Channel: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2020-10-13 10:56:24 Incoming Data Channel: Cipher ‘AES-256-CBC’ initialized with 256 bit key
2020-10-13 10:56:24 Incoming Data Channel: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2020-10-13 10:56:24 interactive service msg_channel=888
2020-10-13 10:56:24 ROUTE_GATEWAY 192.168.111.1/255.255.255.0 I=16 HWADDR=f8:75:a4:f1:4a:ce
2020-10-13 10:56:24 open_tun
2020-10-13 10:56:24 tap-windows6 device [OpenVPN TAP-Windows6] opened
2020-10-13 10:56:24 TAP-Windows Driver Version 9.24
2020-10-13 10:56:24 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.16.0/192.168.16.254/255.255.255.0 [SUCCEEDED]
2020-10-13 10:56:24 MANAGEMENT: Client disconnected
2020-10-13 10:56:24 ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address – both are set to 192.168.16.254 – please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server
2020-10-13 10:56:24 Exiting due to fatal error [/code1]

I see that someone solved the issue by reducing the pool range, but I changed it to just 5 addresses with no luck:
[code2]/ip pool
add name=pool_OVPN ranges=192.168.16.250-192.168.16.254
[/code2]

Any idea?
Thanks in advance
Regards!
Damián

Hello,

In /system logging, I just added the ovpn topic; is there something else to add to get the error with more details?
I also checked that the connection is going out using the same interface where it entered.
Any clue?

Thanks in advance.
Regards,
Damián

I don’t know what it was exactly, but Windows OpenVPN had some limitation related to addressing; it was something about the subnet used for the local and remote address. Try to find info about the error at the end of the client log and you should find it.

Other than that, posting logs is fine, but also posting configs would be even better; it would give people a better chance to spot the problem.

I just looked at the client logs again and realized that it pointed to 192.168.16.254. It seems that although the profile is configured with “192.168.16.1” as local address, there is a kind of conflict with the last IP of the pool.
I just changed my pool from [192.168.16.250 - 192.168.16.254] to [192.168.16.241 - 192.168.16.250] and it started to work.
Weird issue.

Thanks
Regards
Damián

I just had the same issue.
OVPN pool was: 172.16.254.40**/30**
Mikrotik’s IP was: 172.16.254.41
Win client’s IP was: 172.16.254.42

Solution: replace the Local Address with Remote Address on the mikrotik and it will work:
Mikrotik’s IP: 172.16.254.42
Win client’s IP: 172.16.254.41
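
The clash reported in both posts above can be checked against a pool before it is assigned. This is an added example, not code from the thread: it assumes that a Windows client in `topology subnet` places its internal DHCP server at the broadcast address minus one (which matches the 192.168.16.254 and 172.16.254.42 failures above), and the function names are hypothetical.

```python
import ipaddress

# Assumption: default offset of the client-side internal DHCP server in
# "topology subnet" is -1 (broadcast - 1); it matches both failures in the thread.
DEFAULT_DHCP_OFFSET = -1


def dhcp_server_addr(client_ip, netmask, offset=DEFAULT_DHCP_OFFSET):
    """Address the Windows TAP adapter's internal DHCP server would claim.

    Negative offsets count back from the broadcast address, positive ones
    forward from the network address (the semantics of --ip-win32 dynamic).
    """
    net = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)
    base = net.broadcast_address if offset < 0 else net.network_address
    return base + offset


def clashing_addresses(pool_start, pool_end, netmask, offset=DEFAULT_DHCP_OFFSET):
    """Pool addresses that would abort a Windows client with the
    '--ifconfig local address / internal DHCP server address' clash."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        raise ValueError("pool start is after pool end")
    clashes = []
    for n in range(int(start), int(end) + 1):
        ip = ipaddress.ip_address(n)
        # The client exits when its pushed address equals the DHCP server address.
        if dhcp_server_addr(ip, netmask, offset) == ip:
            clashes.append(str(ip))
    return clashes


if __name__ == "__main__":
    # Pools and netmasks taken from the posts above.
    cases = [
        ("192.168.16.250", "192.168.16.254", "255.255.255.0"),  # failing pool
        ("192.168.16.241", "192.168.16.250", "255.255.255.0"),  # working pool
        ("172.16.254.41", "172.16.254.42", "30"),               # /30 report
    ]
    for start, end, mask in cases:
        bad = clashing_addresses(start, end, mask)
        print(f"{start}-{end} /{mask}: clashes = {bad or 'none'}")
```

RouterOS hands out pool addresses from the top of the range in the first log above, which is why a pool ending at the clashing address fails on the very first client.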