0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

VPN

Sat Apr 27, 2019 11:54 am

Hi

I have a problem with a VPN client (MikroTik) disconnecting from the VPN server.
Same issue as viewtopic.php?t=53264

I got: terminating... keepalives timed out disconnected pptp-out1: initializing...
mikrotik vpn log.png
The MikroTik router is the client, and on the other side I have a VPN server.

The configuration used to work well until a few weeks ago, when I started getting issues.

Here the configuration of the mikrotik router:
Latest firmware: 6.44.3

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 S 0.0.0.0/0 pptp-out1 1
1 A S 0.0.0.0/0 192.168.8.1 1
2 ADC 10.15.2.0/24 10.15.2.1 ether5 0
3 ADC 192.168.8.0/24 192.168.8.2 ether1 0
4 ADC 192.168.88.0/24 192.168.88.1 bridge 0



[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1


1 chain=dstnat action=dst-nat to-addresses=10.15.2.3 to-ports=465 protocol=tcp
in-interface=ether1 dst-port=12026


2 chain=dstnat action=dst-nat to-addresses=10.15.2.3 to-ports=2195 protocol=tcp
in-interface=ether1 dst-port=2195


3 I ;;; pptp-out1 not ready
chain=srcnat action=masquerade out-interface=pptp-out1 log=no log-prefix=""

when ok:
-> 3 chain=srcnat action=masquerade out-interface=pptp-out1 log=no log-prefix=""

[admin@MikroTik] > /interface pptp-client print
Flags: X - disabled, R - running
0 name="pptp-out1" max-mtu=1490 max-mru=1490 mrru=disabled connect-to=W.X.Y.Z
user="XXXX" password="YYYY" profile=default-encryption
keepalive-timeout=60 add-default-route=yes default-route-distance=1
dial-on-demand=no allow=mschap1,mschap2

During the disconnection, I was able to ping the VPN server's public address.

Any idea where the error comes from?
How do I troubleshoot it?

Regards
 
McSee
Frequent Visitor
Posts: 67
Joined: Tue Feb 26, 2019 12:49 pm

Re: VPN

Sat Apr 27, 2019 1:06 pm

Add a route to your VPN server if you want to send all traffic there or uncheck "Add Default Route" in the client settings if you don't.
 
sindy
Forum Guru
Posts: 3964
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN

Sat Apr 27, 2019 2:18 pm

Add a route to your VPN server if you want to send all traffic there or uncheck "Add Default Route" in the client settings if you don't.
To explain why: if your default route goes via the pptp-out1 interface, the router sends all traffic, including the PPTP transport packets, via that route every time that the interface goes up. So the interface is down, the other default route is used to set up the PPTP tunnel, the pptp-out1 interface goes up, the transport packets start being sent down that interface (so they loop into themselves and never get anywhere), so after the keepalive timeout the interface goes down, so the packets start using the other default route, the PPTP tunnel sets up and the whole cycle repeats.

By setting up an individual route to the VPN server you break the spell because the routing always chooses the route with dst-address most precisely matching the packet's destination address.

It is theoretically possible that Mikrotik had an automagical protection against this happening in some previous releases, but I've seen people falling into this trap also before 6.44.3, so I'd rather assume you've changed something in your configuration and haven't realized it was related.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
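To make the loop described in the reply above concrete, here is an added example (not from the thread or from MikroTik) that models longest-prefix-match route selection over the posted routing table. The VPN server address W.X.Y.Z is replaced by the documentation address 203.0.113.10, and the tie-break between two default routes of equal distance is modelled as "first in the table", both of which are assumptions of this model rather than RouterOS behaviour:

```python
"""Longest-prefix match over the poster's routes, to show why a default route
via pptp-out1 sends the tunnel's own transport packets into the tunnel, and
why a /32 route to the VPN server (or add-default-route=no) breaks the cycle.
Added example, not code from the original post or from RouterOS."""
import ipaddress
from dataclasses import dataclass

VPN_SERVER = "203.0.113.10"   # stands in for the posted W.X.Y.Z (assumption)
PHYS_GW = "192.168.8.1"       # next hop on ether1, from the posted route table
TUNNEL = "pptp-out1"


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    gateway: str          # next-hop address or interface name
    distance: int = 1
    active: bool = True   # a route via a down interface is inactive


def R(dst, gateway, distance=1, active=True):
    return Route(ipaddress.ip_network(dst), gateway, distance, active)


def lookup(table, dst):
    """Longest-prefix match over active routes; ties go to the lower distance,
    then to table order (table order is a stand-in for RouterOS's own
    tie-break, which this model does not try to reproduce)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for idx, r in enumerate(table):
        if not r.active or addr not in r.dst:
            continue
        key = (r.dst.prefixlen, -r.distance, -idx)
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None


def routing_table(tunnel_up, add_default_route=True, host_route=False):
    """Rebuild the poster's table for one state of the tunnel."""
    t = []
    if add_default_route:                       # what add-default-route=yes adds
        t.append(R("0.0.0.0/0", TUNNEL, 1, active=tunnel_up))
    t.append(R("0.0.0.0/0", PHYS_GW, 1))
    if host_route:                              # the fix suggested above
        t.append(R(VPN_SERVER + "/32", PHYS_GW, 1))
    t += [R("10.15.2.0/24", "ether5", 0), R("192.168.8.0/24", "ether1", 0),
          R("192.168.88.0/24", "bridge", 0)]
    return t


def transport_loops(table):
    """True if packets addressed to the VPN server itself would be sent down the
    tunnel they carry, which is the keepalive-timeout cycle."""
    r = lookup(table, VPN_SERVER)
    return r is not None and r.gateway == TUNNEL


def describe(tunnel_up, **kw):
    t = routing_table(tunnel_up, **kw)
    return {
        "vpn_server_via": lookup(t, VPN_SERVER).gateway,
        "internet_via": lookup(t, "198.51.100.7").gateway,   # any public address
        "loops": transport_loops(t),
    }


if __name__ == "__main__":
    print("tunnel down         :", describe(False))
    print("tunnel up, no fix   :", describe(True))
    print("tunnel up, /32 route:", describe(True, host_route=True))
    print("add-default-route=no:", describe(True, add_default_route=False))
```

With the tunnel down, the only usable default route is the physical one, so the tunnel comes up; once it is up, the server address matches the tunnel's default route and the transport packets loop. The /32 route wins on prefix length regardless of distance, so the tunnel's default route still carries everything else.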
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Sat Apr 27, 2019 2:22 pm

Thanks for your help

I just unchecked "Add default route" and it seems OK now

no more disconnection
I'm able to ping the remote network (192.168.0.0/24) with no issue now

[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 S 0.0.0.0/0 pptp-out1 1
1 A S 0.0.0.0/0 192.168.8.1 1
2 ADC 10.15.2.0/24 10.15.2.1 ether5 0
3 ADC 192.168.8.0/24 192.168.8.2 ether1 0
4 ADC 192.168.88.0/24 192.168.88.1 bridge 0


How do I add a new route? For now, everything is OK from client to server.
 
sindy
Forum Guru
Posts: 3964
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN

Sat Apr 27, 2019 2:45 pm

If you don't need all your traffic to go through the PPTP connection (various people use VPNs for various purposes and you haven't detailed yours), you may not need to add any route.

But in general, /ip route add dst-address=some.ip.prefix/mask_len gateway=interface|ip.add.re.ss does the trick, the details are in the manual. For example, if 10.11.12.0/24 was another subnet reachable via your PPTP server and you wanted it to be reachable from your client, you would have to add a static route for that:
/ip route add dst-address=10.11.12.0/24 gateway=pptp-out1
It may be necessary to use src-nat at your end or modify routing at the server site to make responses from 10.11.12.0/24 be delivered back to you, but that's another can of worms. This was just an example of practical use of /ip route add.
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Sat Apr 27, 2019 2:51 pm

Sorry for the reply, but other errors came up.

Now the VPN connection is OK (I can see the client connecting on the server side),
but now I can't ping anything on the client side (10.15.2.0/24);
nothing is detected.

Likewise, I was able to ping 192.168.0.0/24, but now it is also impossible.

I added /ip route add dst-address=10.15.2.0/24 gateway=pptp-out1
Here is what I get:
ping error.png
I checked the IP: 104.211.191.173
https://db-ip.com/104.211.191.173
 
sindy
Forum Guru
Posts: 3964
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN

Sat Apr 27, 2019 3:31 pm

It's time for disclosing your private address plan I'm afraid. If you "can't ping anything on client side", it means that either the ping requests do not make it to client side or the responses to them do not make it to the server side, which can be a routing problem and/or a firewall problem. So if you don't want to draw, give a list of subnets on client side and a list of subnets on server side which need to talk to each other, and export configurations of both the server and the client following the hint in my automatic signature.

As for the unsuccessful login attempts from an address unrelated to you in your log, there's nothing you could do about them if you have exposed your ssh service to the world on purpose. But if you did, leaving the default login name admin is a really bad idea (and even worse idea is to use PPTP, unless you have no other choice because the server doesn't support anything more secure).
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Sat Apr 27, 2019 3:51 pm

Thanks for your response

I uploaded a previous config that I saved and now it is OK.
I can ping the networks (10.15.2.0/24, 192.168.8.0/24, 192.168.0.0/24 and 192.168.88.0/24) from the client side (10.15.2.100).

The VPN seems to be working now.

Any idea how to check if someone is connecting to the MikroTik router?
 
sindy
Forum Guru
Posts: 3964
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN

Sat Apr 27, 2019 4:29 pm

Any idea on how to check if someone is connecting on mikrotik router ?
The log tells you that, you may send yourself e-mails if that happens, etc., but that's all true only for attacks like this, when the attacker tries to log in using popular user names and passwords. If they find some vulnerability allowing them to bypass user authentication, you may not notice the intrusion. So it is better to have the firewall as tightly closed as possible, and to run the services you need to use on non-standard ports to lower the amount of attackers targeting them. SSH seems to be secure, and so do the VPN protocols, but maybe it only appears to be so because the other vulnerabilities are easier to target so no one really bothers attacking these? I bet the number of Mikrotiks with WinBox exposed to the internet is much higher than the number of Mikrotiks accepting IPsec connections, so as the bad guy, you get more zombies for your botnet per minute of your time invested if you concentrate on WinBox. That may also be the reason why your server hasn't yet been attacked on PPTP.
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Sat Apr 27, 2019 6:20 pm

send yourself e-mails if that happens
Please tell me how to enable it ?
firewall as tightly closed as possible,
Any basic config to advise me ? what are the commands to do it ?

I enabled the Winbox port because I'm not too familiar with networking/MikroTik; should I disable it?

Is there any way to see if the router has some sort of backdoor?

Thanks again
 
sindy
Forum Guru
Posts: 3964
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN

Sat Apr 27, 2019 7:24 pm

send yourself e-mails if that happens
Please tell me how to enable it ?
Well, to "enable" it means to add a new logging action using /system logging action add name="mailme" target=email email-to="you@mailserver.tld" and then adding log topics to trigger that action, such as

/system logging add topics=system,error,critical action=mailme
/system logging add topics=system,info,account action=mailme
,

but if you do it this way, your mailbox will explode with each attack (and they come several times an hour), and the usefulness is doubtful. It is good to be notified that someone has broken into your machine but it is much better that no one would actually break in; even worse than that, some of the attacks which succeeded in the past years wouldn't have triggered this kind of notification.

firewall as tightly closed as possible,
Any basic config to advise me ? what are the commands to do it ?
This is my basic introduction into how a firewall works, but you need an even more basic one, explaining the role of input, output, and forward chains in /ip firewall filter. On Mikrotik Wiki there should be an example of a basic firewall, but if you have one of the hXX products (h = targeted for home and soho use), their default firewall rules are pretty safe until someone starts tweaking them without understanding. You can find the default firewall rules in the output of /system default-configuration print, look for
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade ...
/ip firewall {
  filter add chain=input ...


I enable winbox port because i'm not too familiar with network/mikrotik, should i disable it ?
You should disable ANY access to your Mikrotik from the WAN side unless you absolutely need it; if you permit access to any management interface from internet, you should restrict it to remote IPs of your other sites (from which you'll be accessing it). If you need to reach your home network from anywhere in the world, use a VPN like IKEv2.

The Winbox interface was believed to be safe because it uses encrypted communication and the bad guys weren't interested enough in Mikrotik; as its market share grew, it became an interesting target so now new vulnerabilities get discovered and exploited every now and then.

If you absolutely need a graphical interface for Mikrotik configuration and access from the Internet without setting up a real VPN (IKEv2 or SSTP or OpenVPN), set up https access (the Mikrotik Wiki tells you how to create a certificate chain and activate the https interface), it may be safer than Winbox at the moment and less targeted by the bad guys. But the effort spent to set up a https access is about the same as the effort spent to set up an SSTP VPN while SSTP VPN allows you to access not only the Mikrotik itself but also the network behind it, so think twice which way to take. IKEv2 is a little more complex to set up but it is currently the most flexible VPN for access from Windows as you can even push routes for access to your home network while the PC bypasses the VPN when reaching the internet, which is something no other VPN type currently provides without need to configure the routes at each connecting PC manually.

Any way to see if the router has a sort of backdoor ?
None, unless you'd want to spend your life reverse-engineering the complete code of the router. Which is what the bad guys essentially do, but for them it is sufficient to find a single one which the vendor doesn't know about yet (so technically it is not a backdoor, which would be something intentional, but a vulnerability, which is a consequence of a mistake or omission), while you would need to find out all of them if you would want to be safe.

So behave as if there was at least one and do the maximum to limit the "attack surface" - the fewer services are exposed to the world, and the fewer addresses in the world are allowed to access them, the higher the chance your router will not be broken into.

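The reply above says what "tightly closed" means (management reachable only from known remote sites, everything else from the WAN side dropped) but does not show a rule set. The following added example, which is not from the thread and not MikroTik's default-configuration script, models the first-match semantics of a RouterOS input chain as I understand them (first matching rule wins, and a chain with no match accepts) and evaluates a few packets against an open and a hardened chain. The address list 203.0.113.0/24 for the "other sites" is hypothetical:

```python
"""First-match model of a RouterOS /ip firewall filter input chain, used to
check that the management ports (ssh 22, winbox 8291) are reachable only from
a known remote site. Added example, not the project's code; the remote-site
address list is hypothetical."""
import ipaddress
from dataclasses import dataclass

WAN = "ether1"   # the WAN port in the posted config


@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"
    state: str = "new"        # new | established | related | invalid
    in_iface: str = WAN


@dataclass
class Rule:
    action: str                           # accept | drop
    comment: str = ""
    states: frozenset = frozenset()       # empty = match any connection state
    in_iface: str = None                  # None = any interface
    proto: str = None
    dst_ports: frozenset = frozenset()    # empty = any port
    src_nets: tuple = ()                  # address list, empty = any source


def matches(rule, pkt):
    src = ipaddress.ip_address(pkt.src)
    return ((not rule.states or pkt.state in rule.states)
            and (rule.in_iface is None or rule.in_iface == pkt.in_iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (not rule.dst_ports or pkt.dst_port in rule.dst_ports)
            and (not rule.src_nets
                 or any(src in ipaddress.ip_network(n) for n in rule.src_nets)))


def evaluate(chain, pkt):
    """First matching rule decides; a chain with no match accepts (assumed
    RouterOS behaviour, which is why the final WAN drop rule matters)."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "implicit accept at end of chain"


MGMT_PORTS = frozenset({22, 8291})          # ssh, winbox
REMOTE_SITE = ("203.0.113.0/24",)           # hypothetical "my other sites" list


def input_chain(hardened):
    """The open variant has an allow-list rule but no final drop, so the list
    restricts nothing; the hardened variant drops whatever else arrives on WAN."""
    chain = [
        Rule("accept", "established/related", states=frozenset({"established", "related"})),
        Rule("drop", "invalid", states=frozenset({"invalid"})),
        Rule("accept", "management from known sites only", in_iface=WAN,
             proto="tcp", dst_ports=MGMT_PORTS, src_nets=REMOTE_SITE),
    ]
    if hardened:
        chain.append(Rule("drop", "everything else from WAN", in_iface=WAN))
    return chain


def decide(hardened, src, port, in_iface=WAN, state="new"):
    pkt = Packet(src, port, in_iface=in_iface, state=state)
    return evaluate(input_chain(hardened), pkt)[0]


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "open    ",
              "winbox from internet:", decide(hardened, "198.51.100.9", 8291),
              "| winbox from remote site:", decide(hardened, "203.0.113.5", 8291),
              "| winbox from LAN:", decide(hardened, "192.168.88.10", 8291, "bridge"))
```

The point the model makes is that an "allow from my addresses" rule on its own changes nothing: only the trailing drop on the WAN interface turns the allow-list into a restriction, while LAN-side traffic and replies to the router's own connections still fall through to accept.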
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Sun Apr 28, 2019 1:16 pm

Thanks a lot for your help
I will read the wiki to try to understand.

Is it possible to have a script that checks for successful SSH logins and then sends a mail or notification?

I did it on linux server (command line in bashrc) and it works well, but don't know how to do it in Mikrotik ?

Thanks again
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Sun Apr 28, 2019 1:59 pm

Hi

Again sorry to disturb you

I just ran into the same issue again.
mikrotik same error.png
It was working well all night, then the issue came up again.
For security, I only enabled 2 services with IP restriction.
 
sindy
Forum Guru
Posts: 3964
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN

Sun Apr 28, 2019 2:12 pm

Is it possible to have a script that check the successfull ssh login then send a mail or notification ?
As written in my previous post, you don't need scripting (in terms of describing your own algorithm using the script language) to get e-mail notifications about successful logins, the line /system logging add topics=system,info,account action=mailme is enough for that (provided that the /system logging action and /tool e-mail settings exist and are configured properly). You can set this up by clicking in Winbox or WebFig, i.e. you don't need the command line for it.

I just came up with the same issue now,
...
II was working well all the night then the issue came up again
For security, I only enable 2 services with ip restriction
Does it mean that it started failing again after you have enabled the services or these two pieces of information are not related? I.e. the two services were permitted also during the night when the PPTP tunnel was not failing?

What RouterOS version were you running on this box when you've allowed Winbox access from WAN side for the first time ever?
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Sun Apr 28, 2019 2:39 pm

Hi

RouterOS version was maybe 6.41 or lower
 
sindy
Forum Guru
Posts: 3964
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN

Sun Apr 28, 2019 2:58 pm

If so, the first thing I'd do would be to netinstall the machine, as the probability that it has been squatted by some malware is too high. So the chance that the behaviour you observe is a consequence of some activity of that malware is high too.
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Sun Apr 28, 2019 3:07 pm

Hi

The issue is that the router is 2000 km from me

Would it be possible to do it remotely without losing the configuration?
 
sindy
Forum Guru
Posts: 3964
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN

Sun Apr 28, 2019 3:13 pm

Will it be possible to do it remotely without loosing the configuration ?
No way. The very purpose of netinstall is to erase the flash completely to get rid of anything that might live there. Any chance to buy a new device and mail it there so that a local gardener could just move all connectors one by one from old to new one?
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Sun Apr 28, 2019 3:17 pm

I'm not lucky; no one will be there for another month.
 
sindy
Forum Guru
Posts: 3964
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN

Sun Apr 28, 2019 4:20 pm

There are two points about router security - how much harm a conquered device causes to your own network and how much harm it causes to the rest of the world. The issue with RouterOS is that it is basically a Linux distribution with some proprietary software modules and a configuration wrapper which allows you to do the settings of all these modules in a uniform way. So while the honest user doesn't have access "under the hood" to the Linux CLI, there are indicia that some malware can run undetectable by RouterOS means and even prevent the router from being upgraded remotely. So even if you cannot see anything unusual in the RouterOS configuration, it is not a guarantee that the machine is clean. And the malware can attack the rest of the world as well as the devices in your internal LAN and make them accessible for other kind of malware.

So the first thing I'd be careful about is the access to the rest of your internal network from that machine, i.e. your firewall should treat the VPN interface as link to a 3rd party network and restrict the access from there only to a few services it essentially needs, no services using plaintext passwords (like ftp and telnet) should be routed through the possibly compromised Mikrotik etc.

As for the PPTP outages, you haven't answered my question whether the comeback of the drop-outs was correlated with re-opening the service ports or not, but given that the machine is so far away from you, I assume you have just restricted the access to a list of addresses but there was never a period of time when the access to service ports was disabled completely. And now as I've learned the distance, I can easily imagine network problems in transit not caused by any of your devices - I had myself an outage for a minute or two of access to a device just 1500 km away and when I got back there, the uptime was more than a week so it wasn't an issue of power outage. I know you say that ping works, but did you run a netwatch with 5 seconds interval all the time to be able to say that the pings are responded also during the times when the PPTP tunnel was down? I've seen situations where particular network protocols were not passing through some networks, and GRE (used by PPTP) is one of those protocols whose existence some "network administrators" haven't even noticed. So some network paths between your devices may let it through and some not, and the traffic dynamically switches over between them. So there are too many factors which can affect the outcome, and the same observable result (tunnel falling and coming up) may be a consequence of several mutually unrelated root causes.

BTW, just for curiosity, can you reveal your native language?
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Sun Apr 28, 2019 6:14 pm

native language is french
regarding
comeback of the drop-outs was correlated with re-opening the service ports or not

Not related
 
sindy
Forum Guru
Posts: 3964
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN

Sun Apr 28, 2019 7:13 pm

I have no idea how important the tunnel is and how much time you can spend on it, but running the netwatch in parallel to the tunnel is the minimum to do to find out whether it makes sense to search for error on your own side (both ends) or whether the outages of the tunnel are caused by outages on the path.

The issue is rather not to lose the messages notifying about netwatch state changes - by default everything falls into a single memory buffer which easily overflows (with those attacks to ssh), so the key is to use the logging actions to duplicate important log messages to dedicated files. So do the following:
/system logging action add name=messagesHauteImportance target=disk disk-file-name=log_importante
/system logging add topics=script,warning action=messagesHauteImportance
/tool netwatch add down-script="/log warning message=\"netwatch down\"" host=ip.of.the.server interval=5s up-script="/log warning message=\"netwatch up\""


This will ensure that the messages about netwatch losing responses from the opposite machine will be stored in a dedicated file and thus won't be lost even if they get squeezed out of the basic log in the memory by other garbage. The messages from the pptp can unfortunately not be filtered down to only one message per event so you have to store all of them to the same file like the netwatch messages using
/system logging add topics=pptp action=messagesHauteImportance

Depending on the model, the disk-file-name of /system logging action may need to be prepended with flash/ and you may want to set the disk-lines-per-file and disk-file-count parameters to use the available space of the device.
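Two passages in this thread call for the same log-parsing helper: the earlier discussion of noticing login attempts from the log (and mailing yourself on the system,info,account topic), and the reply above on logging netwatch state changes next to the pptp messages so the two can be correlated. The following added example (not from the thread, not MikroTik's code) does both over the text of a log as /log print or a log file shows it. The line shape "<mon>/<day> <hh:mm:ss> <topics> <message>" and the wording of the login messages are what I know from RouterOS 6.x and should be treated as assumptions; the pptp message wording and all sample lines are constructed, with 104.211.191.173 reused from the thread only as a failed-login source and the documentation address 198.51.100.23 used for the other scenario:

```python
"""Triage of RouterOS log text: (1) failed-login bursts, logins from untrusted
sources and a success following failures from the same address; (2) whether a
PPTP keepalive timeout coincided with netwatch losing the server. Added
example; log line shapes are assumptions, sample lines are constructed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<mon>[a-z]{3})/(?P<day>\d{2}) (?P<time>\d\d:\d\d:\d\d) "
                     r"(?P<topics>[\w,]+) (?P<msg>.*)$")
FAIL_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<ip>\S+) via (?P<svc>\S+)")
OK_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<ip>\S+) via (?P<svc>\S+)")
MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}


def parse(line, year=2019):
    """Return (timestamp, topic list, message) or None for a non-log line.
    The log carries no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss = map(int, m["time"].split(":"))
    return (datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss),
            m["topics"].split(","), m["msg"])


def events(text):
    return [e for e in map(parse, text.splitlines()) if e]


def login_findings(text, trusted=("192.168.88.0/24", "10.15.2.0/24"),
                   window=timedelta(minutes=10), threshold=5):
    """Sources with >= threshold failures inside `window`, successful logins from
    outside the trusted subnets, and successes preceded by failures from the
    same source (a password guess that probably landed)."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    recent, failed_before = defaultdict(deque), set()
    out = {"brute_force": [], "untrusted_login": [], "success_after_failures": []}
    for ts, _topics, msg in events(text):
        f = FAIL_RE.search(msg)
        if f:
            q = recent[f["ip"]]
            q.append(ts)
            while ts - q[0] > window:          # sliding window per source
                q.popleft()
            failed_before.add(f["ip"])
            if len(q) >= threshold and f["ip"] not in out["brute_force"]:
                out["brute_force"].append(f["ip"])
            continue
        s = OK_RE.search(msg)
        if s:
            if not any(ipaddress.ip_address(s["ip"]) in n for n in nets):
                out["untrusted_login"].append((s["user"], s["ip"], s["svc"]))
            if s["ip"] in failed_before:
                out["success_after_failures"].append((s["user"], s["ip"]))
    return out


def classify_drops(text, slack=timedelta(seconds=30)):
    """For each PPTP keepalive timeout: 'path outage' if netwatch logged 'down'
    within `slack` before it, else 'tunnel only' (ICMP still passed, so look at
    GRE handling on the path or at the two endpoints rather than at reachability)."""
    downs = [ts for ts, _t, msg in events(text) if msg == "netwatch down"]
    result = []
    for ts, topics, msg in events(text):
        if "pptp" in topics and "keepalive" in msg:
            path_out = any(ts - slack <= d <= ts for d in downs)
            result.append((ts.strftime("%m/%d %H:%M:%S"),
                           "path outage" if path_out else "tunnel only"))
    return result


# Constructed sample, not a real capture.
SAMPLE_LOG = """\
apr/27 15:20:01 system,error,critical login failure for user admin from 104.211.191.173 via ssh
apr/27 15:20:03 system,error,critical login failure for user root from 104.211.191.173 via ssh
apr/27 15:20:05 system,error,critical login failure for user admin from 104.211.191.173 via ssh
apr/27 15:20:08 system,error,critical login failure for user user from 104.211.191.173 via ssh
apr/27 15:20:11 system,error,critical login failure for user admin from 104.211.191.173 via ssh
apr/27 15:31:40 system,info,account user admin logged in from 192.168.88.10 via winbox
apr/27 16:02:12 system,error,critical login failure for user admin from 198.51.100.23 via winbox
apr/27 16:02:30 system,error,critical login failure for user admin from 198.51.100.23 via winbox
apr/27 16:03:05 system,info,account user admin logged in from 198.51.100.23 via winbox
apr/28 03:11:50 script,warning netwatch down
apr/28 03:12:02 pptp,ppp,info pptp-out1: terminating... - keepalive timeout
apr/28 03:12:40 script,warning netwatch up
apr/28 09:45:13 pptp,ppp,info pptp-out1: terminating... - keepalive timeout
"""

if __name__ == "__main__":
    print(login_findings(SAMPLE_LOG))
    print(classify_drops(SAMPLE_LOG))
```

Run it against the dedicated log file the rules above create (fetch it with /file or over SFTP and pass its text in) rather than the memory buffer, for the reason given in the reply: the buffer is the first thing the failed-login noise pushes the interesting lines out of. The second drop in the sample is the case worth chasing, since the server answered pings while the tunnel still timed out.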
 
0blar
just joined
Topic Author
Posts: 22
Joined: Tue Jan 30, 2018 10:43 am

Re: VPN

Tue Apr 30, 2019 1:18 pm

Thanks for your help
