[Router OS 7.6] OpenVPN Server issue

Dear All,
I have OpenVPN Server active on RouterOS 7.6 and remote clients running the OpenVPN client on MikroTik RouterBOARDs.
All remote clients use an LTE link to connect to the OpenVPN server.
I configured the server to accept only one connection for each client. Everything runs correctly, but I have an issue with one remote client, and this issue happens only with this client, which runs the same RouterOS version (7.6) on a MikroTik SXT.
The issue is: the client is correctly connected to the OpenVPN server, but the connection often goes down even though it is still reported in the Active Connections panel (when I have the issue, the column “Encoding” becomes empty). The log reports that a new connection is not possible because there is always an active connection for that client. Then, if I want to reconnect it, I must remove the connection manually from “Active Connections”.
I also configured parameters like keepalive-timeout in the OpenVPN server configuration and idle-timeout in the profile associated with the OpenVPN server. But nothing.
I suppose there is a degraded LTE link, but I don’t understand for what reason it remains pending… It should close the connection.
Do you have any suggestions?
Thanks in advance

Please, in which way can I manage this issue? Thanks in advance…

UP. I updated both client and server to the latest firmware and I have the same issue.
Do you have any idea?

You will need to provide more information before anyone will be able to help you. Specifically, it will help if you can attach the (sanitized) config files from the OpenVPN Server MikroTik and from the MikroTik client that is having the problems. Also, you mention that you are using LTE, do you mean that you are using a mobile/cellular Internet connection? If you are, which end has that connection?


Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:

/export hide-sensitive file=MyConfig

The title clearly states RouterOS 7.x
Do not propose commands valid only for v6
/export hide-sensitive file=MyConfig
/export file=MyConfig
/export show-sensitive file=MyConfig

Fair call.


I'm still running ROS 6.48.6 long-term so didn't know that MikroTik had changed the command in ROS 7. Do you prefer my amended signature? Do I need to update the backup command too?


Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:
RouterOS v6:

/export hide-sensitive file=MyConfig

RouterOS v7:

/export file=MyConfig

I’ve always said that cats are smart :wink:

I have all my network infrastructure on 6.48.6 and only two devices on 7.7 because I’m forced to: on the new devices I cannot install 6.48.6…

[Client configuration]

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
add apn=ibox.tim.it ip-type=ipv4
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=ibox.tim.it \
    band=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface ovpn-client
add cipher=aes128-cbc connect-to=xxxxxx.xxxxx.com \
    mac-address=xx:xx:xx:xx:xx:xx max-mtu=1460 name=ovpn-out1 port=10443 \
    profile=default-encryption tls-version=only-1.2 use-peer-dns=no user=user1
/interface sstp-client
add authentication=mschap2 connect-to=xxx.xxx.xxx.xxx disabled=no http-proxy=\
    0.0.0.0 name=sstp-out1 pfs=yes profile=default-encryption user=user1 \
    verify-server-certificate=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=lte1 list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip firewall filter
add action=accept chain=input disabled=yes in-interface=ovpn-out1
add action=accept chain=input in-interface=sstp-out1
add action=accept chain=input in-interface=ovpn-out1
add action=accept chain=input in-interface=bridge1
add action=accept chain=input connection-state=established,related \
    in-interface=lte1
add action=drop chain=input
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8080 in-interface=sstp-out1 \
    protocol=tcp to-addresses=192.168.1.2 to-ports=80
add action=dst-nat chain=dstnat dst-port=18000 in-interface=sstp-out1 \
    protocol=tcp to-addresses=192.168.1.2 to-ports=18000
add action=dst-nat chain=dstnat dst-port=18000 in-interface=ovpn-out1 \
    protocol=tcp to-addresses=192.168.1.2 to-ports=18000
add action=dst-nat chain=dstnat dst-port=21 in-interface=sstp-out1 protocol=\
    tcp to-addresses=192.168.1.3 to-ports=21
add action=dst-nat chain=dstnat dst-port=80 in-interface=sstp-out1 protocol=\
    tcp to-addresses=192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat dst-port=4000 in-interface=sstp-out1 \
    protocol=tcp to-addresses=192.168.1.3 to-ports=4000
add action=dst-nat chain=dstnat dst-port=8000 in-interface=sstp-out1 \
    protocol=tcp to-addresses=192.168.1.3 to-ports=8000
add action=dst-nat chain=dstnat dst-port=88 in-interface=sstp-out1 protocol=\
    tcp to-addresses=192.168.1.4 to-ports=80
add action=dst-nat chain=dstnat dst-port=9000 in-interface=sstp-out1 \
    protocol=tcp to-addresses=192.168.1.4 to-ports=9000
add action=masquerade chain=srcnat
/ip route
add disabled=no dst-address=172.18.0.0/24 gateway=sstp-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name="USER1"
/tool sms
set port=lte1

[SERVER CONFIGURATION]

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/disk
set slot1-part1 parent=slot1 partition-offset="1 048 576" partition-size=\
    "4 292 870 144"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set *FFFFFFFE idle-timeout=1m only-one=no use-encryption=required use-ipv6=no
/interface ovpn-server server
set auth=sha1 certificate=cert.crt cipher=aes128,aes256 \
    default-profile=default-encryption enabled=yes keepalive-timeout=10 port=\
    10443 tls-version=only-1.2
/ip dhcp-client
add interface=ether1
add interface=ether2
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.1.4 to-ports=22
add action=dst-nat chain=dstnat dst-port=18000 in-interface=ether1 protocol=\
    tcp to-addresses=10.0.1.4 to-ports=18000
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp \
    to-addresses=10.0.1.4 to-ports=80
add action=masquerade chain=srcnat src-address=10.0.1.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=cert.crt disabled=no \
    tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add local-address=172.19.0.1 name=user1 profile=default-encryption \
    remote-address=172.19.0.42 service=ovpn
add local-address=172.19.0.1 name=user2 profile=default-encryption \
    remote-address=172.19.0.43 service=ovpn
add local-address=172.19.0.1 name=user3 profile=default-encryption \
    remote-address=172.19.0.44 service=ovpn
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=Mikrotik-GW
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org

Please consider that the client is connected to 2 different VPN servers (one using the SSTP protocol and the other using the OVPN protocol). Everything runs correctly, but very often the connection with the OVPN server goes down. When it is down I noticed this:

  1. If I check the Log output I don’t see any connection attempts; it seems it never tries to reconnect.
  2. If I check the ovpn-out1 interface it doesn’t have “R” as RUNNING and therefore it doesn’t have an IP address. But the status is “Connection established”. To reinitialize the tunnel I must disable and re-enable the ovpn-out1 interface.

I have checked your server configuration but there are a couple of things that I want to check.

Your OpenVPN Server

/interface ovpn-server server
set auth=sha1 certificate=cert.crt cipher=aes128,aes256 \
    default-profile=default-encryption enabled=yes keepalive-timeout=10 port=\
    10443 tls-version=only-1.2

When I tried to use this line (with suitable changes for the profile and certificate) it wouldn’t accept the values for cipher. I had to use the following:

My OpenVPN Server (RouterOS 7.9)

/interface ovpn-server server
set auth=sha1 cipher=aes128-cbc,aes128-gcm,aes256-cbc,aes256-gcm \
    default-profile="VPN Profile" certificate=MikroTikServer \
    require-client-certificate=yes enabled=yes tls-version=only-1.2

Note that I needed to change the ciphers to aes128-cbc,aes128-gcm,aes256-cbc,aes256-gcm. Can you, please, confirm what you have for your OpenVPN server.

The other thing I would like to confirm is the protocol you are using for OpenVPN. RouterOS 6 only supported TCP but support for UDP was introduced in RouterOS 7. Are you using TCP?

If you are using UDP then clients can have trouble when traversing CG-NAT (which is often used by mobile/cellular broadband providers).

RoS-6.48.6-OVPN-Server-Mine.png
RoS-7.9-OVPN-Server-Mine.png

Actually, I tried using this command in RouterOS 7.9 and it still works producing exactly the same output as just using:

/export file=MyConfig

My guess is that it is undocumented (it doesn't show when using tab to see available commands) and scheduled for removal in a later RouterOS version.

Sorry, the RouterOS version hosting the OpenVPN server is RouterOS 7.7 and I use the OpenVPN tunnel only in TCP mode.
I think the cipher is OK because I have about 50 tunnels running correctly.


I’ve tried the config in RouterOS 7.7 and you’re right about the cipher part. It looks like MikroTik added some more options in the newer version (how nice).

Running in TCP mode means that any NAT or CG-NAT issues shouldn’t be causing the problem.

The Internet connection being unstable can/will cause the VPN connection to fail so I think your best option is to get the server to clear the connection when it goes down (which I know you’ve been trying to do). Your keepalive settings mean that the server should clear the connection after about 20 seconds and the PPP Profile should close the connection after 1 minute idle. You might want to set a timeout on the client-side profile (if you haven’t already done so) but I don’t know if that will help. Take a look at the PPP Secret list and check the “Last Disconnect Reason” for the user having the problem to see if it gives you anything useful.

One thing to be aware of is that, as far as I can tell (someone let me know if I’m wrong), a failed VPN connection will not cause the MikroTik device client to try to reconnect. This feature has been requested but I don’t think it’s been added yet.

As a last resort (on both server and client) you could create scripts that run on a scheduled basis to:

  1. On the client: restart the connection if it is down, and
  2. On the server: check for dead connections and delete them.

I’ve pretty much run out of ideas at this stage but, hopefully, someone else can provide some more suggestions/fixes.
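The two scheduled scripts suggested in the post above, written out as an added example; this is not code from the thread, from the OP’s routers or from MikroTik. The client script re-initialises `ovpn-out1` (the interface name from the client export in this thread) whenever it has lost its running flag, which is the state the OP describes. The server script treats an OVPN session whose “Encoding” column is empty (the symptom the OP reported) as dead and removes it from `/ppp active`, but only after the session has been up for a while so a session still in its handshake is not killed. The script and scheduler names (`ovpn-watchdog`, `ovpn-reaper`), the 1-minute interval, the 2-minute uptime guard and the restricted `policy` values are assumptions, not anything the thread states.

```routeros
# --- Client side (the SXT running ovpn-client) ---
# Re-initialise the OpenVPN client interface when it is no longer running.
# Interface name taken from the client export in this thread; script name,
# interval and policy are assumptions for this example.
/system script add name=ovpn-watchdog policy=read,write source={
    :local iface "ovpn-out1"
    # "running" is the "R" flag the OP sees disappear in the interface list
    :if ([/interface get [find name=$iface] running] = false) do={
        :log warning ("ovpn-watchdog: " . $iface . " not running, re-initialising")
        /interface disable $iface
        :delay 5s
        /interface enable $iface
    }
}
/system scheduler add name=ovpn-watchdog interval=1m on-event=ovpn-watchdog

# --- Server side (the router running ovpn-server) ---
# Remove OVPN sessions that the server has not torn down on its own.
# Assumption from the OP's report: a dead session shows an empty "Encoding"
# column. The 2-minute uptime guard avoids removing a session that is still
# negotiating; both values are assumptions for this example.
/system script add name=ovpn-reaper policy=read,write source={
    :foreach s in=[/ppp active find service=ovpn] do={
        :local usr [/ppp active get $s name]
        :local enc [/ppp active get $s encoding]
        :local up  [/ppp active get $s uptime]
        :if (([:len $enc] = 0) && ($up > 2m)) do={
            :log warning ("ovpn-reaper: removing stale session for user " . $usr)
            /ppp active remove $s
        }
    }
}
/system scheduler add name=ovpn-reaper interval=1m on-event=ovpn-reaper
```

With the server-side reaper in place the `only-one=yes` profile setting the OP wanted becomes usable again, because the stale entry that blocks the next logon is cleared within a minute or two instead of waiting for a manual removal. Both scripts log every action, so the `/log` output shows exactly when and why a session was restarted or removed, which is also the evidence to attach if the behaviour is reported as a bug.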

Thanks a lot. Now I have configured an idle-timeout on the client side.
I will monitor it and I will report back to you.



Dear Mickey,
I want to update you about my issue. Please consider the user “amur”, which is running MikroTik RouterOS 7.8. I configured an “idle timeout” of 20 seconds in its PPP profile.
For the moment, when the VPN goes down it reconnects correctly. For the moment I don’t have the issue that definitively blocks the VPN connection. But I continue to monitor it.
In the attached screenshot you can see the “amur” VPN connection on the server side. As you can see I have a lot of entries. The server doesn’t close the VPN connection correctly when it goes down. If in the profile I configure “only one”, the VPN connection becomes impossible because for the server the user “amur” is already connected.
screenshot.png

Nothing to do. I also attach other screenshots of user “amur”.

As you can see, when the problem occurs it doesn’t retry to reconnect to the OpenVPN server and the interface ovpn-out1 remains in NOT REGISTERED mode (fig. 1) without an IP address, but if you look at the details it says “link established” (fig. 2).
In the log file I have no entry related to ovpn, but if I manually disable and re-enable the interface it immediately reconnects to the server (fig. 3).
2.png
1.png
3.png

Any suggestions to resolve this issue without scripts?

Unfortunately, no. Until/unless MikroTik add the ability for the client to reconnect automatically and the server to automatically remove failed/dead connections I think scripts are going to be the only way to resolve your issue.

If someone has any other ideas, please, let me/us know.



I think this is a serious bug. The ovpn-out1 interface remains in “link established” status even if in IP->FIREWALL->CONNECTIONS there isn’t a connection to the VPN server.

But I’m thinking… Could it be some issue related to IP connection tracking, like the various TCP timeouts or “loose” TCP tracking…
Is it possible that, if it is a bug (I read a lot of similar issues in this forum), MikroTik doesn’t correct it?

Another thing. Is it possible there is some issue with the MTU parameters?
The remote client uses the LTE interface connected to the Internet and I read an “Actual MTU” of 1480. The MTU of the OpenVPN client interface is 1500. I think this is an error; it must be lower than 1500. Right? So I configured it to 1480 (but I think it must also be lower than 1480), but on the server side the openvpn-server interface is 1500 because in the OpenVPN server configuration it is configured at 1500.
What is the correct value of MTU to avoid fragmentation?
I tried on the client side with ping at various packet sizes and obviously if I configure a packet larger than 1480 it will be fragmented, but I have another strange thing. Also for packets smaller than 1480 it pings correctly but the status reported is “corrupted”. For what reason?