AnupamPradhan
newbie
Topic Author
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

Subnet issue with OpenVPN

Fri May 17, 2019 11:37 pm

Hi,

I recently wanted to shift my 200+ VPN connections on my server from L2TP to OpenVPN. Generally, in an L2TP connection, once I connect the client it will reflect the local IP and remote IP in the L2TP client status page. But when I use the same credentials for OpenVPN, it gets connected but shows blank.

Also, it creates a /24 network in addresses, while the L2TP connection simply created the local IP address in IP>Addresses.


The same goes for the dynamic entry in IP>Routes. It creates a /24 dynamic route, because of which my static route only works with my SSTP connection.



Please help me identify where I am going wrong. On my server, the settings are the same for both VPNs.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Subnet issue with OpenVPN

Sat May 18, 2019 9:50 am

In the settings of the OpenVPN server, try to set the network mask to 32 bits. But I'm not sure OpenVPN will accept /32 addresses; I've never tried it, and now I'm too far from my lab.
 
AnupamPradhan
newbie
Topic Author
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 7:02 am

Anyone. Please help me here.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 3:19 pm

Anyone. Please help me here.
What was the outcome after changing the mask as I've suggested above?
 
AnupamPradhan
newbie
Topic Author
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 4:12 pm

I checked in the OpenVPN server, which is also a MikroTik device. There is no option to assign a /32 IP. In the OpenVPN server, when I create a user ID, I assign one IP for the remote client, and the local IP as the VPN server IP. Still the same problem.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 4:20 pm

[me@MyTik] > interface ovpn-server server print
                     enabled: no
                        port: 1194
                        mode: ip
                     netmask: 24
                 mac-address: FE:95:7D:1A:08:12
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: default
                 certificate: *0
  require-client-certificate: no
                        auth: sha1,md5
                      cipher: blowfish128,aes128
So do /interface ovpn-server server set netmask=32 and see what happens.
 
AnupamPradhan
newbie
Topic Author
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 6:57 pm

[me@MyTik] > interface ovpn-server server print
                     enabled: no
                        port: 1194
                        mode: ip
                     netmask: 24
                 mac-address: FE:95:7D:1A:08:12
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: default
                 certificate: *0
  require-client-certificate: no
                        auth: sha1,md5
                      cipher: blowfish128,aes128
So do /interface ovpn-server server set netmask=32 and see what happens.
Thanks, Sindy. You are a lifesaver. I needed /21 as my netmask and it's working like a charm. But one thing is pending: why is the IP not showing in the status tab on the client side? Hope you have this answer also.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 7:17 pm

Why client side the IP is not showing in the status tab.
I'm not sure I understand what you mean. The IP address is not shown in the status tab of ovpn interfaces; all IP addresses of the device are shown in the IP->Address part of the configuration along with the interfaces to which they are linked. So /ip address print where interface=ovpn-out1, or :put [/ip address get [find interface=ovpn-out1] address], is the way to show the address assigned to the interface on the client side; on the server side, the interface name to use in /ip route print where gateway=<ovpn-username> or :put [/ip route get [find gateway=<ovpn-username>] dst-address] is <ovpn-username>, where username is the name item from the /ppp secret.

Just don't be surprised that at client side, the netmask is the one you have configured in the /interface ovpn-server server settings, whilst at server side, the client's addresses are shown as /32 ones. That's how it has to be to permit proper routing.

 
tdw
Forum Guru
Posts: 1851
Joined: Sat May 05, 2018 11:55 am

Re: Subnet issue with OpenVPN

Sun May 19, 2019 7:32 pm

OpenVPN doesn't really fit into the standard PPP model so the local and remote interface address show as blank in Winbox on the interface status tab, however if you look under IP > Addresses you see the dynamically assigned address, and a dynamic route is created via the VPN interface.

The local address and remote address must be within the subnet set for /interface ovpn-server server, or the client will not be able to ping the server gateway as the dynamic route created on the client is <client IP>/<server netmask> via the VPN interface.

Static routes with the VPN interface name as the gateway are fine, in your case if the static route is 10.10.8.0/21 via 10.10.10.100, then the route 10.10.10.100 via sstp1-out will be used as the metric is better than 10.10.10.0/24 via ovpn1-out. If you were to disable sstp1-out (when testing always use safe mode if the device is remote), ovpn1-out would be used instead.

I usually mention that the Mikrotik Open VPN client implementation is insecure and vulnerable to man-in-the-middle attacks, hopefully they will fix it one day (along with UDP support).

Edit: sindy beat me to it, changing subnet mask size for more than 256 clients has come up before viewtopic.php?f=2&t=148491
Last edited by tdw on Sun May 19, 2019 7:37 pm, edited 1 time in total.
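To make tdw's two points concrete (the client's dynamic route is <client IP>/<server netmask>, and a static route whose gateway is an IP is resolved through the most specific matching route), here is an added Python model. It is not code from the thread or from RouterOS; the client and server addresses are assumed, and the route table is constructed from the values tdw quotes.

```python
import ipaddress

# Constructed sample addressing (assumed, not stated in the thread beyond the
# 10.10.8.0/21, 10.10.10.100 and 10.10.10.0/24 values tdw quotes).
CLIENT_IP = "10.10.10.57"   # remote-address from the client's /ppp secret
SERVER_IP = "10.10.8.1"     # local-address handed out by the OpenVPN server

# Route table on the client: (dst-address, gateway). A gateway may be an
# interface name or an IP address that itself needs a route lookup.
ROUTE_TABLE = [
    ("10.10.8.0/21", "10.10.10.100"),    # the OP's static route
    ("10.10.10.100/32", "sstp1-out"),     # dynamic route from the SSTP client
    ("10.10.10.0/24", "ovpn1-out"),       # dynamic OpenVPN route with server netmask=24
]


def client_dynamic_route(client_ip, server_netmask):
    """The route RouterOS installs on the OpenVPN client: <client IP>/<server netmask>."""
    return ipaddress.ip_network(f"{client_ip}/{server_netmask}", strict=False)


def gateway_reachable(client_ip, server_ip, server_netmask):
    """True only if the server's local address falls inside that dynamic route,
    i.e. the client can actually ping the server gateway."""
    return ipaddress.ip_address(server_ip) in client_dynamic_route(client_ip, server_netmask)


def resolve_next_hop(routes, dst):
    """Longest-prefix-match lookup; an IP gateway is looked up again until an
    interface name comes out. A small iteration cap guards against loops."""
    target = ipaddress.ip_address(dst)
    for _ in range(8):
        candidates = [(ipaddress.ip_network(net), gw) for net, gw in routes
                      if target in ipaddress.ip_network(net)]
        if not candidates:
            return None
        _, gw = max(candidates, key=lambda c: c[0].prefixlen)
        try:
            target = ipaddress.ip_address(gw)   # IP gateway: resolve it in turn
        except ValueError:
            return gw                           # interface name: done
    return None


def without_sstp(routes):
    """Route table after the SSTP interface is disabled."""
    return [r for r in routes if r[1] != "sstp1-out"]


if __name__ == "__main__":
    for mask in (24, 21):
        print(mask, client_dynamic_route(CLIENT_IP, mask),
              gateway_reachable(CLIENT_IP, SERVER_IP, mask))
    print(resolve_next_hop(ROUTE_TABLE, "10.10.9.5"))
    print(resolve_next_hop(without_sstp(ROUTE_TABLE), "10.10.9.5"))
```

With netmask=24 the server gateway 10.10.8.1 lies outside the client's 10.10.10.0/24 route, which is the "cannot ping the gateway" case; with /21 it is inside, and traffic for 10.10.8.0/21 leaves via sstp1-out until that interface is disabled.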
 
AnupamPradhan
newbie
Topic Author
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 7:33 pm

Yes. I can see the assigned IP in IP>Addresses. But in Winbox, if you open the VPN interface, it usually shows the IP in the status tab.


But the same is not showing in OpenVPN.

 
AnupamPradhan
newbie
Topic Author
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 7:36 pm

OpenVPN doesn't really fit into the standard PPP model so the local and remote interface address show as blank in Winbox on the interface status tab, however if you look under IP > Addresses you see the dynamically assigned address, and a dynamic route is created via the VPN interface.

The local address and remote address must be within the subnet set for /interface ovpn-server server, or the client will not be able to ping the server gateway as the dynamic route created on the client is <client IP>/<server netmask> via the VPN interface.

Static routes with the VPN interface name as the gateway are fine, in your case if the static route is 10.10.8.0/21 via 10.10.10.100, then the route 10.10.10.100 via sstp1-out will be used as the metric is better than 10.10.10.0/24 via ovpn1-out. If you were to disable sstp1-out (when testing always use safe mode if the device is remote), ovpn1-out would be used instead.

I usually mention that the Mikrotik Open VPN client implementation is insecure and vulnerable to man-in-the-middle attacks, hopefully they will fix it one day (along with UDP support).


Thanks, TDW. That explains the issue.

So if OpenVPN is not secure, then what do you suggest?
 
tdw
Forum Guru
Posts: 1851
Joined: Sat May 05, 2018 11:55 am

Re: Subnet issue with OpenVPN

Sun May 19, 2019 7:42 pm

SSTP is secure but slow (I suspect this may be why you are looking at moving away from it); otherwise, IPsec.
 
AnupamPradhan
newbie
Topic Author
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 7:51 pm

Yes, SSTP is slow and I am looking for alternatives.

But I could not find any data on the number of SSTP tunnels for a level 4 license on ROS. Also, does anyone know if there is any limit on VPN tunnels on a CHR P1 license?
 
tdw
Forum Guru
Posts: 1851
Joined: Sat May 05, 2018 11:55 am

Re: Subnet issue with OpenVPN

Sun May 19, 2019 8:00 pm

200, see https://wiki.mikrotik.com/wiki/Manual:License. AFAIK the CHR license limits interface speed, not the number of services.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 8:02 pm

I don't see why OpenVPN should be any faster than SSTP if using the same ciphers. IPsec can be faster even if using those same ciphers if you choose ciphers which are supported in hardware at both ends, because Mikrotik's implementation of IPsec can make use of the hardware encryption if present in the CPU but their SSTP and OpenVPN implementations cannot. On contemporary x86 based platforms the hardware encryption is supported.
 
AnupamPradhan
newbie
Topic Author
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

Re: Subnet issue with OpenVPN

Sun May 19, 2019 8:04 pm

Thanks Buddy, appreciate your help.
 
tdw
Forum Guru
Posts: 1851
Joined: Sat May 05, 2018 11:55 am

Re: Subnet issue with OpenVPN

Sun May 19, 2019 8:55 pm

I don't see why OpenVPN should be any faster than SSTP if using the same ciphers.
They will be similar, whilst both OpenVPN and SSTP have a simple packet structure wrapped in TLS, the SSTP data is further wrapped in a PPP layer which has a small additional computational overhead. As you say, the only significant performance gains on a Mikrotik would be to use IPsec with a cipher suite supported by the hardware acceleration on the device in question.
