fct
Topic Author
[SOLVED] MikroTik OpenVPN server assigning wrong network, mask on virtual interface to client? Client can't connect

Tue May 14, 2019 7:17 pm

SOLVED, thanks tdw !

We have an OVPN server in a MikroTik router with RouterOS 6.43.7, with several non-MikroTik OVPN clients. The clients are assigned addresses in the 172.17.0.0/22 range, with the server at 172.17.0.1. The older clients we assigned, in 172.17.0.0/24, connected successfully to the server, but once the assignments rolled into 172.17.1.0/24 the newer ones can't complete the connection. We have deliberately skipped 172.17.0.253 through 172.17.1.4.

[UPDATE]: The server was configured to send the clients a /24 mask by default, and we weren't finding where to set it. Set the netmask to the largest pool size you are serving:
/interface ovpn-server server set netmask=22
[/update]

The router configuration is as follows:
/ppp profile
add local-address=172.17.0.1 name=the-ovpn-profile remote-address=the-ovpn-pool use-compression=no use-encryption=required
#...
/ip pool
add name=the-ovpn-pool ranges=172.17.0.17-172.17.3.239
#...
/ppp secret
# This is one of the older clients that work
add name=ovpn-client-30 profile=the-ovpn-profile remote-address=172.17.0.30 service=ovpn
# This is one of the newer clients that doesn't work
add name=ovpn-client-285 profile=the-ovpn-profile remote-address=172.17.1.30 service=ovpn
We became aware of the problem when we tried a sample of the newer client on a Windows 10 machine with OpenVPN 2.4.6 :
[...] Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
[...] MANAGEMENT: >STATE:1557844498,CONNECTED,ERROR,[...]
The server believes both clients connect correctly:
/ip address print where network~"^172\\..*\\.30"
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0 D 172.17.0.1/32      172.17.0.30     <ovpn-client-30>
 1 D 172.17.0.1/32      172.17.1.30     <ovpn-client-285>
 /interface ovpn-server print
Flags: X - disabled, D - dynamic, R - running
 #     NAME                                            USER              [...]
[...] 
[...]  DR <ovpn-client-30>                             ovpn-client-30    [...]
[...]
[...]  DR <ovpn-client-285>                            ovpn-client-285   [...]
On searching further up the log file, we saw the MikroTik OVPN server was assigning a wrong, shorter network mask of /24 :
UPDATE: It wasn't wrong, we hadn't changed the default
[...]
[...] SENT CONTROL [dgt-ovpn-server]: 'PUSH_REQUEST' (status=1)
[...] PUSH: Received control message: 'PUSH_REPLY,ping 100,ping-restart 300,topology subnet,route-gateway 172.17.0.1,ifconfig 172.17.1.30 255.255.255.0'
[...]
[...] Set TAP-Windows TUN subnet mode network/local/netmask = 172.17.1.0/172.17.1.30/255.255.255.0 [SUCCEEDED]
[...] Notified TAP-Windows driver to set a DHCP IP/netmask of 172.17.1.30/255.255.255.0 on interface [...] [DHCP-serv: 172.17.1.254, lease-time: 31536000]
Understandably, afterwards, the client at 172.17.1.30 can't talk with the router at 172.17.0.1, let alone address (or be addressed by) other equipment behind the router.

We would expect the server to assign each client a single address, either on a /22 network to 172.17.0.0 or on a /32 network to 172.17.0.1 as point to point. Apparently, the router instead impersonates the second-to-last address of the client's /24 range to send a DHCP response assigning a /24 network. We have checked the /ip dhcp-server configuration and there are no rules for this network, either 172.17.0.0/22 or /24 (or these point-to-point networks).

On comparing with the older clients, the corresponding rules are also "wrong", but not wrong enough to stop those clients from connecting:
[...]
[...] SENT CONTROL [dgt-ovpn-server]: 'PUSH_REQUEST' (status=1)
[...] PUSH: Received control message: 'PUSH_REPLY,ping 100,ping-restart 300,topology subnet,route-gateway 172.17.0.1,ifconfig 172.17.0.30 255.255.255.0'
[...]
[...] Set TAP-Windows TUN subnet mode network/local/netmask = 172.17.0.0/172.17.0.30/255.255.255.0 [SUCCEEDED]
[...] Notified TAP-Windows driver to set a DHCP IP/netmask of 172.17.0.30/255.255.255.0 on interface [...] [DHCP-serv: 172.17.0.254, lease-time: 31536000]
[...]
[...] MANAGEMENT: >STATE:1557842580,CONNECTED,SUCCESS,[...]
We have reproduced the issue with a Linux OpenVPN 2.4.0.6 client with similar results.

[update 2019-05-16]
We have tried setting the pool to a /22, but it didn't help either:
/ip pool set the-ovpn-pool ranges=172.17.0.0/22
[/update]

We could "fix" it by splitting the server into four servers, each with the clients in separate /24's, but it would be more of a workaround. We may proceed with that as a stopgap. Am I missing some option to configure the client netmask? Is it a bug already fixed in long-term?

Update: we were missing the option /interface ovpn-server server set netmask
(Note: some fields have been anonymized)
Last edited by fct on Sat Jun 08, 2019 9:11 pm, edited 3 times in total.
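The failure the post describes is a pure subnet-arithmetic problem: under topology subnet the server pushes ifconfig <remote-address> <netmask>, the client installs only that on-link network, and the pushed route-gateway (the profile's local-address) has to sit inside it. The script below, added here as an illustration and not code from the post or from MikroTik, models exactly that check. It takes the pool range and server address quoted in the post, a constructed client list (the two secrets from the post plus one hypothetical client further up the pool), and reports which clients would not be able to reach the gateway for a given /interface ovpn-server server netmask. It also computes the smallest prefix that covers the whole pool plus the server address, which is the "largest pool size you are serving" value the update recommends.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Values quoted in the post: the profile's local-address and the pool range.
SERVER_ADDRESS = ipaddress.IPv4Address("172.17.0.1")
POOL_RANGES = "172.17.0.17-172.17.3.239"

# Constructed client list: the two secrets quoted in the post plus one
# hypothetical client further up the pool (not from the post).
CLIENTS: Dict[str, str] = {
    "ovpn-client-30": "172.17.0.30",
    "ovpn-client-285": "172.17.1.30",
    "ovpn-client-700": "172.17.2.200",  # hypothetical
}


def parse_pool(ranges: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Return (first, last) for a RouterOS /ip pool 'ranges' value.

    Both forms the post uses are handled: 'a.b.c.d-e.f.g.h' and 'net/prefix'.
    """
    if "/" in ranges:
        net = ipaddress.IPv4Network(ranges, strict=False)
        return net.network_address, net.broadcast_address
    first_s, last_s = ranges.split("-", 1)
    first = ipaddress.IPv4Address(first_s.strip())
    last = ipaddress.IPv4Address(last_s.strip())
    if last < first:
        raise ValueError(f"pool range is reversed: {ranges}")
    return first, last


def pushed_ifconfig(client_ip: str, netmask_bits: int) -> ipaddress.IPv4Interface:
    """The 'ifconfig <addr> <mask>' the server pushes under topology subnet:
    the client's remote-address combined with the server-wide netmask."""
    return ipaddress.IPv4Interface(f"{client_ip}/{netmask_bits}")


def can_reach_gateway(client_ip: str, netmask_bits: int, gateway) -> bool:
    """With topology subnet the client only gets an on-link route for the
    pushed network, so the pushed route-gateway must fall inside it."""
    gw = ipaddress.IPv4Address(str(gateway))
    return gw in pushed_ifconfig(client_ip, netmask_bits).network


def unreachable_clients(clients: Dict[str, str], netmask_bits: int, gateway) -> List[str]:
    """Names of clients whose pushed ifconfig would leave the gateway off-link."""
    return [
        name for name, ip in clients.items()
        if not can_reach_gateway(ip, netmask_bits, gateway)
    ]


def min_prefix_covering(addresses: Iterable) -> int:
    """Longest prefix (smallest network) that still contains every address."""
    addrs = [ipaddress.IPv4Address(str(a)) for a in addresses]
    for bits in range(32, -1, -1):
        net = ipaddress.IPv4Network(f"{addrs[0]}/{bits}", strict=False)
        if all(a in net for a in addrs):
            return bits
    return 0


def recommended_netmask(pool_ranges: str, gateway) -> int:
    """Netmask to set in /interface ovpn-server server: it must cover the
    whole pool and the profile's local-address at the same time."""
    first, last = parse_pool(pool_ranges)
    return min_prefix_covering([first, last, gateway])


if __name__ == "__main__":
    for bits in (24, 22):
        bad = unreachable_clients(CLIENTS, bits, SERVER_ADDRESS)
        print(f"netmask={bits}: clients unable to reach {SERVER_ADDRESS}: {bad or 'none'}")
    print("recommended netmask:", recommended_netmask(POOL_RANGES, SERVER_ADDRESS))
```

With the default netmask of 24 the script flags every client outside 172.17.0.0/24, which matches the post: ovpn-client-30 connects, ovpn-client-285 ends with "Initialization Sequence Completed With Errors". Run with 22 nothing is flagged, and the recommended value for the quoted pool is 22. The check only covers what the server pushes; it says nothing about firewall rules or routes on the LAN side.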
 
fct
Topic Author

Re: MikroTik OpenVPN server assigning wrong network, mask on virtual interface to client? Client can't connect successfu

Thu May 16, 2019 5:53 pm

Bump? Updated
 
tdw

Re: MikroTik OpenVPN server assigning wrong network, mask on virtual interface to client? Client can't connect successfu

Thu May 16, 2019 6:13 pm

You haven't posted all of your VPN server configuration. What is netmask set to in /interface ovpn-server server?
 
fct
Topic Author

Re: MikroTik OpenVPN server assigning wrong network, mask on virtual interface to client? Client can't connect successfu

Thu May 16, 2019 6:43 pm

You haven't posted all of your VPN server configuration. What is netmask set to in /interface ovpn-server server?
/interface ovpn-server server print
[...]
                     netmask: 24
[...]

/facepalm
bad command name facepalm (line 1 column 2)
/interface ovpn-server server set netmask=22
That fixed it. Curiously, it is router-wide, while we would expect that to be in
/ppp profile
for each server address. Is there (or will there be) an option to set that for each
/ppp profile
?

Marking as solved, thanks!
