When connecting from a Windows 10 laptop to my OVPN server on the MikroTik, the laptop says the connection is successful, but I still cannot ping anything or get access to the internet.
I get the ip as configured but that’s it.
OVPN logs on the MikroTik :

OVPN config :
interface ovpn-server server set certificate=Server-Cert cipher=aes128,aes256 default-profile=openVPN enabled=yes require-client-certificate=yes
Client .ovpn file :
client
dev tun
script-security 3
remote **ip**
resolv-retry infinite
nobind
auth-nocache
auth-user-pass
remote-cert-tls server
reneg-sec 0
cipher AES-256-CBC
proto tcp
explicit-exit-notify 1
<ca>
*********my cert ********
</ca>
<cert>
***-****
</cert>
<key>
***-****
</key>
The subject of your post is that it disconnects after a few seconds, but I can see in the log it’s connected for 1 minute at least. So what is your issue? Not being able to ping or getting disconnects?
Are you allowing the traffic coming in from the OVPN through your firewall?
I’m allowing this in the firewall.
Found out I’m not getting a default gateway…
Do I need to hardcode this in the .ovpn file? Or where can I configure this?
Add this to your VPN client config if you are using Windows :
route-method exe
redirect-gateway
Post your client connection log
Tue Mar 12 22:22:24 2019 Flag 'def1' added to --redirect-gateway (iservice is in use)
Tue Mar 12 22:22:24 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Mar 12 22:22:24 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Mar 12 22:22:24 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Tue Mar 12 22:22:26 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]*****my ip*********
Tue Mar 12 22:22:26 2019 Attempting to establish TCP connection with [AF_INET]*****my ip********* [nonblock]
Tue Mar 12 22:22:27 2019 TCP connection established with [AF_INET]*****my ip*********
Tue Mar 12 22:22:27 2019 TCP_CLIENT link local: (not bound)
Tue Mar 12 22:22:27 2019 TCP_CLIENT link remote: [AF_INET]*****my ip*********
Tue Mar 12 22:22:27 2019 [server] Peer Connection Initiated with [AF_INET]*****my ip*********
Tue Mar 12 22:22:39 2019 open_tun
Tue Mar 12 22:22:39 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{319F348A-FC54-493B-A954-D9B0308654D6}.tap
Tue Mar 12 22:22:39 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 172.16.6.0/172.16.6.10/255.255.255.0 [SUCCEEDED]
Tue Mar 12 22:22:39 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.6.10/255.255.255.0 on interface {319F348A-FC54-493B-A954-D9B0308654D6} [DHCP-serv: 172.16.6.254, lease-time: 31536000]
Tue Mar 12 22:22:39 2019 Successful ARP Flush on interface [8] {319F348A-FC54-493B-A954-D9B0308654D6}
Tue Mar 12 22:22:39 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Mar 12 22:22:44 2019 Warning: route gateway is not reachable on any active network adapters: 172.16.1.1
Tue Mar 12 22:22:44 2019 Initialization Sequence Completed
Tue Mar 12 22:22:58 2019 Connection reset, restarting [-1]
Tue Mar 12 22:22:58 2019 Warning: route gateway is not reachable on any active network adapters: 172.16.1.1
Tue Mar 12 22:22:39 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 172.16.6.0/172.16.6.10/255.255.255.0 [SUCCEEDED]
Tue Mar 12 22:22:39 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.6.10/255.255.255.0 on interface {319F348A-FC54-493B-A954-D9B0308654D6} [DHCP-serv: 172.16.6.254, lease-time: 31536000]
Tue Mar 12 22:22:44 2019 Warning: route gateway is not reachable on any active network adapters: 172.16.1.1
172.16.1.1 is not reachable from 172.16.6.10/255.255.255.0
The gateway from the VPN should be 172.16.6.1 to be reachable
Post your device config with :
export hide-sensitive
# mar/12/2019 22:41:22 by RouterOS 6.43.7
# software id = KSGP-NXQH
#
# model = RB4011iGS+
# serial number = AAAF0A4F1075
/interface bridge
add name=bridge-vlan10
add name=bridge-vlan20
add name=bridge-vlan30
add name=bridge-vlan40
/interface vlan
add interface=ether10 name=vlan10-eth10 vlan-id=10
add interface=ether10 name=vlan20-eth10 vlan-id=20
add interface=ether10 name=vlan30-eth10 vlan-id=30
add interface=ether10 name=vlan40-eth10 vlan-id=40
add interface=ether10 name=vlan99-eth10 vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-vlan10 ranges=172.16.1.50-172.16.1.254
add name=pool-vlan20 ranges=172.16.2.50-172.16.2.254
add name=pool-vlan30 ranges=172.16.3.50-172.16.3.254
add name=pool-vlan40 ranges=172.16.4.50-172.16.4.254
add name=pool-openVPN ranges=172.16.6.5-172.16.6.10
/ip dhcp-server
add address-pool=pool-vlan10 disabled=no interface=bridge-vlan10 name=dhcp-vlan10
add address-pool=pool-vlan20 disabled=no interface=bridge-vlan20 name=dhcp-vlan20
add address-pool=pool-vlan30 disabled=no interface=bridge-vlan30 name=dhcp-vlan30
add address-pool=pool-vlan40 disabled=no interface=bridge-vlan40 name=dhcp-vlan40
/ppp profile
add local-address=172.16.6.4 name=openVPN remote-address=pool-openVPN use-encryption=required
/interface bridge port
add bridge=bridge-vlan30 interface=ether5
add bridge=bridge-vlan40 interface=ether3
add bridge=bridge-vlan40 interface=ether4
add bridge=bridge-vlan40 interface=ether2
add bridge=bridge-vlan30 interface=ether6
add bridge=bridge-vlan10 interface=ether8
add bridge=bridge-vlan10 interface=ether9
add bridge=bridge-vlan20 interface=ether7
add bridge=bridge-vlan10 interface=vlan10-eth10
add bridge=bridge-vlan20 interface=vlan20-eth10
add bridge=bridge-vlan30 interface=vlan30-eth10
add bridge=bridge-vlan40 interface=vlan40-eth10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set certificate=server cipher=aes128,aes256 default-profile=openVPN enabled=yes require-client-certificate=yes
/ip address
add address=172.16.1.1/24 interface=bridge-vlan10 network=172.16.1.0
add address=172.16.2.1/24 interface=bridge-vlan20 network=172.16.2.0
add address=172.16.3.1/24 interface=bridge-vlan30 network=172.16.3.0
add address=172.16.4.1/24 interface=bridge-vlan40 network=172.16.4.0
add address=172.16.5.1/24 interface=vlan99-eth10 network=172.16.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=172.16.4.254 client-id=1:0:8:9b:eb:cd:d0 mac-address=00:08:9B:EB:CD:D0 server=dhcp-vlan40
add address=172.16.4.252 mac-address=B8:27:EB:6F:21:3F server=dhcp-vlan40
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
add address=172.16.2.0/24 gateway=172.16.2.1
add address=172.16.3.0/24 gateway=172.16.3.1
add address=172.16.4.0/24 gateway=172.16.4.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=OVPN dst-address=141.135.130.166 dst-port=1194 protocol=tcp
add action=accept chain=input comment=MGMT dst-address=172.16.5.0/24 dst-port=8291,80,443,22 protocol=tcp src-address=172.16.2.0/24
add action=accept chain=forward comment="TELENET ALLOW ALL OUT" out-interface=ether1 src-address=172.16.3.0/24
add action=drop chain=forward comment="TELENET DROP if outgoing is not WAN" out-interface=!ether1 src-address=172.16.3.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ppp secret
add name=pieterdu profile=openVPN service=ovpn
/system clock
set time-zone-name=Europe/Brussels
/system logging
add topics=firewall
add topics=ovpn
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
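
The subnet check behind the "route gateway is not reachable" warning discussed above, as an added example that is not part of the original thread. It reads an OpenVPN client log, takes the tunnel network from the TAP-Windows line, and reports whether each warned-about gateway is on-link for that network; the function name `check_gateways` is hypothetical and the sample lines are constructed in the format of the log posted above.

```python
import ipaddress
import re

# Constructed sample: lines in the format of the client log in this thread.
SAMPLE_LOG = """\
Tue Mar 12 22:22:39 2019 Set TAP-Windows TUN subnet mode network/local/netmask = 172.16.6.0/172.16.6.10/255.255.255.0 [SUCCEEDED]
Tue Mar 12 22:22:44 2019 Warning: route gateway is not reachable on any active network adapters: 172.16.1.1
Tue Mar 12 22:22:44 2019 Initialization Sequence Completed
"""

# Tunnel addressing as logged by the Windows client when the TAP adapter is set up.
TUN_RE = re.compile(r"network/local/netmask = ([\d.]+)/([\d.]+)/([\d.]+)")
# Gateway the client was told to route through but cannot reach on any adapter.
GW_RE = re.compile(
    r"route gateway is not reachable on any active network adapters: ([\d.]+)"
)


def check_gateways(log_text):
    """Return one finding per gateway warning found in the log.

    A gateway is usable as a next hop only if it lies inside the tunnel
    network the adapter was configured with (it is "on-link").
    """
    tunnel = None
    local = None
    findings = []
    for line in log_text.splitlines():
        m = TUN_RE.search(line)
        if m:
            network, local_ip, netmask = m.groups()
            # strict=False tolerates a logged network with host bits set.
            tunnel = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
            local = ipaddress.ip_address(local_ip)
            continue
        m = GW_RE.search(line)
        if m:
            gateway = ipaddress.ip_address(m.group(1))
            findings.append({
                "gateway": str(gateway),
                "tunnel": str(tunnel) if tunnel else None,
                "local": str(local) if local else None,
                "on_link": tunnel is not None and gateway in tunnel,
            })
    return findings


if __name__ == "__main__":
    for f in check_gateways(SAMPLE_LOG):
        state = "on-link" if f["on_link"] else "NOT on-link"
        print(f"gateway {f['gateway']} is {state} for {f['tunnel']} (client {f['local']})")
```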