I recently wanted to shift my 200+ VPN connections on my server from L2TP to OpenVPN. Generally with an L2TP connection, once I connect the client it will reflect the local IP and remote IP in the L2TP client status page. But when I use the same credentials for OpenVPN it gets connected but shows blank.
Also it creates a /24 network in addresses, while the L2TP connection simply created the local IP address in IP>Addresses.
Same goes for the dynamic entry in IP>Routes. It creates a /24 dynamic route, because of which my static route only works with my SSTP connection.
Please help me identify where I am going wrong. On my server the settings are the same for both VPNs.
In the settings of the OpenVPN server, try to set the network mask to 32 bits. But I'm not sure OpenVPN will accept /32 addresses; I've never tried it and now I'm too far from my lab.
I checked in the OpenVPN server, which is also a MikroTik device. There is no option to assign a /32 IP. In the OpenVPN server, when I create a user ID, I assign one IP for the remote client and the local IP as the VPN server IP. Still the same problem.
Thanks, Sindy, you are a lifesaver. I needed /21 as my netmask and it's working like a charm. But one thing is pending: why is the client-side IP not showing in the status tab? Hope you have this answer also.
I'm not sure I understand what you mean. The IP address is not shown in the status tab of ovpn interfaces; all IP addresses of the device are shown in the IP->Address part of the configuration, along with the interfaces to which they are linked. So /ip address print where interface=ovpn-out1, or :put [/ip address get [find interface=ovpn-out1] address], is the way to show the address assigned to the interface on the client side; on the server side, the interface name to use in /ip route print where gateway= or :put [/ip route get [find gateway=] dst-address] is where username is the name item from the /ppp secret.
Just don't be surprised that at the client side the netmask is the one you have configured in the /interface ovpn-server server settings, whilst at the server side the client's addresses are shown as /32 ones. That's how it has to be to permit proper routing.
OpenVPN doesn't really fit into the standard PPP model, so the local and remote interface addresses show as blank in Winbox on the interface status tab; however, if you look under IP > Addresses you see the dynamically assigned address, and a dynamic route is created via the VPN interface.
The local address and remote address must be within the subnet set for /interface ovpn-server server, or the client will not be able to ping the server gateway as the dynamic route created on the client is / via the VPN interface.
Static routes with the VPN interface name as the gateway are fine, in your case if the static route is 10.10.8.0/21 via 10.10.10.100, then the route 10.10.10.100 via sstp1-out will be used as the metric is better than 10.10.10.0/24 via ovpn1-out. If you were to disable sstp1-out (when testing always use safe mode if the device is remote), ovpn1-out would be used instead.
I usually mention that the MikroTik OpenVPN client implementation is insecure and vulnerable to man-in-the-middle attacks; hopefully they will fix it one day (along with UDP support).
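As an added illustration (not from the thread or from RouterOS itself), this Python snippet models the two points made above: the address/netmask check behind the /21 fix, and the longest-prefix route selection between the /32 peer route and the /24 tunnel route. The addresses, routes and interface names are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed values, not taken from the thread: the /ppp secret addresses
# and the netmask configured under /interface ovpn-server server.
LOCAL_ADDRESS = "10.10.10.1"   # local-address: server end of the tunnel
REMOTE_ADDRESS = "10.10.8.50"  # remote-address: handed to the client


def addresses_share_subnet(local: str, remote: str, netmask_bits: int) -> bool:
    """True when both tunnel ends fall inside one subnet of the given size.

    The client installs remote/netmask on the ovpn interface plus a matching
    dynamic route, so the server's address must sit inside that prefix or the
    client has no route to its gateway (why a /21 fixed the case above).
    """
    client_net = ipaddress.ip_interface(f"{remote}/{netmask_bits}").network
    return ipaddress.ip_address(local) in client_net


# Route table as (dst-address, gateway) pairs. A gateway is either an IP
# (resolved recursively) or an interface name. Constructed to mirror the thread.
ROUTES = [
    ("10.10.8.0/21", "10.10.10.100"),  # static route via a tunnel peer
    ("10.10.10.100/32", "sstp1-out"),  # dynamic /32 route for the SSTP peer
    ("10.10.10.0/24", "ovpn1-out"),    # dynamic route from the OpenVPN netmask
]


def resolve_egress(routes, dst: str, disabled=frozenset(), _depth: int = 0) -> Optional[str]:
    """Return the interface traffic to dst leaves through, or None if unroutable.

    Longest-prefix match selects the route and an IP gateway is looked up again,
    so the /32 peer route wins while its interface is up and the /24 tunnel
    route takes over once that interface is disabled. _depth stops route loops.
    """
    if _depth > 8:
        return None
    target = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(prefix).prefixlen, gw)
        for prefix, gw in routes
        if target in ipaddress.ip_network(prefix) and gw not in disabled
    ]
    if not candidates:
        return None
    gateway = max(candidates)[1]
    try:
        ipaddress.ip_address(gateway)
    except ValueError:
        return gateway  # an interface name: this is the egress
    return resolve_egress(routes, gateway, disabled, _depth + 1)
```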
Yes, SSTP is slow and I am looking for alternatives.
But I could not find any data on the number of SSTP tunnels for a level 4 license on ROS. Also, does anyone know if there is any limit on VPN tunnels on the CHR P1 license?
I don't see why OpenVPN should be any faster than SSTP if using the same ciphers. IPsec can be faster even when using those same ciphers if you choose ciphers which are supported in hardware at both ends, because MikroTik's implementation of IPsec can make use of the hardware encryption if present in the CPU, but their SSTP and OpenVPN implementations cannot. On contemporary x86-based platforms the hardware encryption is supported.
They will be similar. Whilst both OpenVPN and SSTP have a simple packet structure wrapped in TLS, the SSTP data is further wrapped in a PPP layer, which has a small additional computational overhead. As you say, the only significant performance gain on a MikroTik would be to use IPsec with a cipher suite supported by the hardware acceleration on the device in question.