Dylanjoyfm
just joined
Topic Author
Posts: 2
Joined: Thu Feb 25, 2021 5:29 pm

OVPN Server will create Dynamic interfaces on its own

Sun Apr 25, 2021 5:44 pm

So we have a RB1100 on 2 public IPs binding an OVPN connection from each public IP to roughly 160 routers (so 320 OVPN connections on the server side). Works quite well and CPUs aren't pegged, but every few days some of the OVPN connections drop (assuming on client side and internet route flops or maintenance within the ISP) and when they come back the RB1100 decides to create a dynamic interface for that server binding even though we have static OVPN server bindings made for that user. If I disable and re-enable from the client side it will link back to the static OVPN server binding. We have them set up as a backdoor into the routers in case for some reason the main OVPN links to the Core router are not wanting to play nice or certificates get messed up. I am running V6.47.3 on the RB1100 and 90% of the clients are on at least V6.47 or newer.

Anyone know what causes this and/or what I can do to stop that from happening? We monitor the interfaces through Zabbix over SNMP, and it will show that interface as down even though it's technically up, but using the dynamic interface instead of using the static one already created. No details change on the secrets, so it's not like there is something I have to change prior to the "disable/enable" on the client side routers. Also doesn't seem to be limited to certain models on the client side either, as I have models from 450Gs up through CCR 1036s. Probably 8-9 different models of routers calling into the RB1100.
 
DeJoe
newbie
Posts: 33
Joined: Thu May 31, 2018 4:26 pm

Re: OVPN Server will create Dynamic interfaces on its own

Sun May 02, 2021 7:44 pm

Hi,

If a client connects to the VPN server, a dynamic interface is created. This is default behavior. If you created a static interface, the static interface is used instead. If the tunnel breaks, the client tries to connect to the server again. If the server didn't notice that the tunnel is already down, the static interface is still up and the server creates an additional dynamic interface.

I got rid of that behavior by allowing "only one" in the VPN profile. Be aware that every concurrent connection needs its own "secret". Otherwise the server will not allow a new connection.
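
An added example, not part of either post: a Python check that groups OVPN server interfaces by user and separates "really down" from "up, but on a dynamic interface", the case the SNMP monitoring in this thread reports as down. The record fields, state names and sample rows are assumptions constructed for illustration; how the rows are collected from the router is left out.

```python
from collections import defaultdict
from typing import NamedTuple

class Iface(NamedTuple):
    name: str      # interface name as listed on the OVPN server
    user: str      # PPP secret (user) the interface belongs to
    dynamic: bool  # True if the server created it on its own
    running: bool  # True if a session is currently up on it

# Constructed sample rows (hypothetical names, not taken from the thread).
SAMPLE = [
    Iface("ovpn-site001", "site001", False, True),    # healthy static binding
    Iface("ovpn-site002", "site002", False, False),   # static binding down...
    Iface("<ovpn-site002>", "site002", True, True),   # ...session on dynamic
    Iface("ovpn-site003", "site003", False, True),    # stale static still up
    Iface("<ovpn-site003>", "site003", True, True),   # reconnect on dynamic
    Iface("ovpn-site004", "site004", False, False),   # genuinely down
    Iface("<ovpn-site005>", "site005", True, True),   # no static binding
]

def classify(rows):
    """Return {user: state} for every user seen in rows."""
    groups = defaultdict(lambda: {"static": [], "dynamic": []})
    for r in rows:
        groups[r.user]["dynamic" if r.dynamic else "static"].append(r)
    states = {}
    for user, g in groups.items():
        static_up = any(r.running for r in g["static"])
        dyn_up = any(r.running for r in g["dynamic"])
        if not g["static"]:
            states[user] = "unbound" if dyn_up else "down"
        elif static_up and dyn_up:
            states[user] = "duplicate-session"  # old session not yet torn down
        elif dyn_up:
            states[user] = "shadowed"           # monitored interface is idle
        else:
            states[user] = "ok" if static_up else "down"
    return states

def needs_attention(rows):
    """Users whose tunnel is up but not on the monitored static binding."""
    bad = {"shadowed", "duplicate-session", "unbound"}
    return sorted(u for u, s in classify(rows).items() if s in bad)

if __name__ == "__main__":
    for user, state in sorted(classify(SAMPLE).items()):
        print(f"{user}: {state}")
```
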
