6.4x OpenVPN + OSPF trouble

Posted: Fri Mar 23, 2018 8:35 pm
by mst1711
Hello.

I want to connect two MikroTik routers via OpenVPN and configure OSPF routes, but I have a problem.
== > 6.41.3 Router Server
OpenVPN server:
Local Address 172.16.0.1
Netmask 16
IP pool 172.16.0.2-172.16.254.254

OSPF networks
172.16.0.0/16 backbone

== > 6.41.3 Router Client
OpenVPN Client
Get address 172.16.248.10/16 network 172.16.0.0

OSPF networks
172.16.0.0/16 backbone

OpenVPN connected successfully, but OSPF gets errors in the log:
route,ospf,info Discarding Hello packet: mismatch in network mask
route,ospf,info mine=255.255.0.0
route,ospf,info remote=255.255.255.255
route,ospf,info source=172.16.0.1

I think this is a bug, because the Local Address on the OVPN server has netmask /32, while the Network is /16.
To fix the bug, the Netmask parameter needs to be applied to the Local Address too.
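
The Hello check behind the log lines above, as an added example (not from the original post or from RouterOS): it parses the quoted log entries and applies the RFC 2328 section 10.5 rule that the Hello network mask must match on every network type except point-to-point networks and virtual links. The function names and network-type labels are this example's own.

```python
import ipaddress
import re

# Constructed sample: the four log lines quoted in the post above.
SAMPLE_LOG = """\
route,ospf,info Discarding Hello packet: mismatch in network mask
route,ospf,info mine=255.255.0.0
route,ospf,info remote=255.255.255.255
route,ospf,info source=172.16.0.1
"""

FIELD = re.compile(r"route,ospf,info\s+(mine|remote|source)=(\S+)")
# Network-type labels are this example's own, not RouterOS keywords.
MASK_IGNORED_ON = {"point-to-point", "virtual-link"}

def parse_mask_mismatches(log_text):
    """Group each 'mismatch in network mask' line with the fields after it."""
    events, current = [], None
    for line in log_text.splitlines():
        match = FIELD.search(line)
        if "mismatch in network mask" in line:
            events.append(current := {})
        elif match and current is not None:
            current[match.group(1)] = ipaddress.ip_address(match.group(2))
    return [e for e in events if {"mine", "remote", "source"} <= e.keys()]

def prefix_len(mask):
    """Convert a dotted netmask to a prefix length (255.255.0.0 -> 16)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen

def hello_mask_accepted(network_type, mine, remote):
    """RFC 2328 10.5: the Hello mask is ignored on point-to-point networks
    and virtual links; on every other network type it must match exactly."""
    return network_type in MASK_IGNORED_ON or mine == remote

def summarize(event):
    mine, remote = event["mine"], event["remote"]
    return {
        "source": str(event["source"]),
        "local_prefix": prefix_len(mine),
        "remote_prefix": prefix_len(remote),
        "accepted": {t: hello_mask_accepted(t, mine, remote)
                     for t in ("broadcast", "nbma", "point-to-point")},
    }

if __name__ == "__main__":
    for ev in parse_mask_mismatches(SAMPLE_LOG):
        print(summarize(ev))
```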

Re: 6.4x OpenVPN + OSPF trouble

Posted: Fri Mar 23, 2018 11:40 pm
by juliokato
Me too.
I am using static routes temporarily as a workaround. :( :(

Re: 6.4x OpenVPN + OSPF trouble

Posted: Sat Mar 24, 2018 6:58 am
by mst1711
> Me too.
> I am using static routes temporarily as a workaround. :( :(
For me this is not a solution, I have 500+ routes :-(

Re: 6.4x OpenVPN + OSPF trouble

Posted: Sat Mar 24, 2018 7:51 am
by jrpaz
Can confirm this is annoying.

I only have five sites and to get OSPF to work I added each /32 to the network tab, and it's working.

This seems like an urgently needed fix for larger deployments.

*Make sure to set netmask to 32 on the OVPN server. It's like the OVPN server doesn't respect that setting; only the client applies it.

Re: 6.4x OpenVPN + OSPF trouble

Posted: Tue Sep 11, 2018 2:54 pm
by zuku
I have the same problem on MikroTik 6.40.9 bugfixes. My other MikroTik routers with older ROS do not have this error. I had to switch to static routes to get this router working. Is there any way to fix this?

Re: 6.4x OpenVPN + OSPF trouble

Posted: Fri Jan 11, 2019 1:06 pm
by kavehvn
Hi
Change netmask in OVPN server to 32 and test it again after a while.
It might solve your problem.

Re: 6.4x OpenVPN + OSPF trouble

Posted: Fri Jan 11, 2019 3:58 pm
by Ape
Hi,

if you only need to connect MT devices, you could use another VPN technology like IPSec/L2TP.
I like MT very much, but their OpenVPN implementation is known to be rudimentary.

Nonetheless, this should be fixed.

Regards,
Ape

Re: 6.4x OpenVPN + OSPF trouble

Posted: Sat Jan 12, 2019 10:06 pm
by tdw
> but their OpenVPN implementation is known to be rudimentary.
And insecure: the MT OpenVPN client does not check the server certificate, see https://nvd.nist.gov/vuln/detail/CVE-2018-10066 and https://janis-streib.de/post/mikrotik-ovpn-security/, which AFAIK has not been addressed.

Re: 6.4x OpenVPN + OSPF trouble

Posted: Mon Jan 14, 2019 10:37 am
by TheCiscoGuy
Just a thought, but there are 2 modes to set OpenVPN to: ethernet and ip. The ip setting creates a tun interface and will not allow the multicast to forward; ethernet, on the other hand, creates a tap, which does. If you are in ip mode, try setting the network-type to nbma and specify the peers, or change the OpenVPN mode from ip to ethernet.

If I am off base let me know, as I have not run into a situation where I need to run OSPF over OpenVPN.