Krizoovie
just joined
Topic Author
Posts: 3
Joined: Thu Jul 22, 2021 3:01 pm

Can't establish connection with OpenVPN server on MikroTik outside LAN

Fri Jul 23, 2021 12:24 am

Hello,

Recently I've bought and configured the hAP ac MikroTik router. Due to traveling and having a server in my LAN, I wanted to set up a secure VPN connection to my LAN from mobile / hotel internet.

When I'm connecting with my .ovpn profile, key and crt, everything seems to be fine; unfortunately, when I try to connect via smartphone hotspot I get a timeout.
I've tried to search for similar problems, however I couldn't find the same syslog or MikroTik log problems with a solution that would fix the problem.

1. I've already checked whether I've got a public IP, and whether my ISP blocks port 1194 (called my ISP)
2. I've checked numerous times the firewall rules
3. I've tried settings from 3 different tutorials

e.g. in this topic the main cause was no PPP profile and a firewall rule; mine seems to be lower + I've got a PPP profile set
viewtopic.php?t=150423

Sample from the firewall log when I try to connect:
openvpn dstnat: in:ether1 out:(unknown 0), src-mac 00:23:ac:2f:cc:00, proto TCP (SYN), 5.173.241.203:17560-><MY PUBLIC IP>:1194, len 60
openvpn dstnat: in:ether1 out:(unknown 0), src-mac 00:23:ac:2f:cc:00, proto TCP (SYN), 5.173.241.203:17542-><MY PUBLIC IP>:1194, len 60
openvpn dstnat: in:ether1 out:(unknown 0), src-mac 00:23:ac:2f:cc:00, proto TCP (SYN), 5.173.241.203:17565-><MY PUBLIC IP>:1194, len 60
openvpn dstnat: in:ether1 out:(unknown 0), src-mac 00:23:ac:2f:cc:00, proto TCP (SYN), 5.173.241.203:17536-><MY PUBLIC IP>:1194, len 60
My mikrotik configuration:
# jul/22/2021 22:35:58 by RouterOS 6.45.9
# software id = H98R-P03T
#
# model = RB962UiGS-5HacT2HnT
# serial number = CC4F0D4D1DC9
/interface bridge
add name="My home network"
/interface wireless
set [ find default-name=wlan1 ] country=poland disabled=no frequency=auto \
    mode=ap-bridge ssid="Some name1"
set [ find default-name=wlan2 ] country=poland disabled=no frequency=auto \
    mode=ap-bridge ssid="Some name2" wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.5.10-192.168.5.254
add name=ovpnpool ranges=192.168.89.2-192.168.89.40
/ip dhcp-server
add address-pool=dhcp disabled=no interface="My home network" lease-time=1w \
    name=dhcp2
/ppp profile
add dns-server=<MY PUBLIC IP> local-address=192.168.89.1 name=open_vpn \
    remote-address=ovpnpool use-compression=no use-encryption=required
/system logging action
set 1 disk-lines-per-file=10000 disk-stop-on-full=yes
add bsd-syslog=yes name=StoreLogsOnNas remote=192.168.5.3 target=remote
/interface bridge port
add bridge="My home network" interface=ether2
add bridge="My home network" interface=wlan1
add bridge="My home network" interface=ether3
add bridge="My home network" interface=wlan2
/interface detect-internet
set detect-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface="My home network" list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=open_vpn \
    enabled=yes require-client-certificate=yes
/ip address
add address=192.168.5.1/24 interface=ether2 network=192.168.5.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.5.3 client-id=1:0:11:32:d0:f7:e1 mac-address=\
    00:11:32:D0:F7:E1 server=dhcp2
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1 netmask=24
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment=VPN dst-port=1194 log-prefix=VPN \
    protocol=tcp
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=OpenVPN_NAT dst-port=1194 \
    in-interface=ether1 log=yes log-prefix=openvpn protocol=tcp to-addresses=\
    192.168.5.3 to-ports=1194
/ip service
set telnet disabled=yes
set ssh disabled=yes
/ppp secret
add name=client1 profile=open_vpn service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add action=StoreLogsOnNas topics=info
add topics=ovpn,debug
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Sample of syslog when I try to connect from Ubuntu using openvpn3. Internet from smartphone hotspot.
In this case I've read that it's possible the server doesn't know whether to use IPv4/IPv6 - I've tried to use tcp4 in the .ovpn file to specify it; the effect was the same.
Link: https://serverfault.com/questions/97126 ... ng-af-inet
Jul 21 17:47:48 TommyWisseau net.openvpn.v3.log[8028]: {tag:13536799875885226585} Network Configuration VERB1: Redirect method: host-route
Jul 21 17:47:49 TommyWisseau net.openvpn.v3.log[8028]: {tag:13536799875885226585} Network Configuration INFO: Cleaning up resources for PID 9387.
Jul 21 17:47:49 TommyWisseau net.openvpn.v3.log[8028]: {tag:11212960311964532105} Client INFO: Starting connection
Jul 21 17:47:49 TommyWisseau net.openvpn.v3.log[8028]: {tag:11212960311964532105} Client VERB1: Waiting for server response
Jul 21 17:47:49 TommyWisseau net.openvpn.v3.log[8028]: {tag:13536799875885226585} Network Configuration INFO: Socket protect called for socket 8, remote: '192.168.88.2', tun: '', ipv6: no
Jul 21 17:47:54 TommyWisseau net.openvpn.v3.log[8028]: Logger VERB2: Detached: {tag:10669309729533879747}  [:1.188/net.openvpn.v3.backends]
Jul 21 17:47:59 TommyWisseau net.openvpn.v3.log[8028]: {tag:11212960311964532105} Client INFO: Reconnecting
Jul 21 17:47:59 TommyWisseau net.openvpn.v3.log[8028]: {tag:11212960311964532105} Client VERB1: Waiting for server response
Jul 21 17:47:59 TommyWisseau net.openvpn.v3.log[8028]: {tag:13536799875885226585} Network Configuration INFO: Socket protect called for socket 8, remote: '192.168.88.2', tun: '', ipv6: no
Jul 21 17:48:09 TommyWisseau net.openvpn.v3.log[8028]: {tag:11212960311964532105} Client INFO: Reconnecting
Jul 21 17:48:09 TommyWisseau net.openvpn.v3.log[8028]: {tag:11212960311964532105} Client VERB1: Waiting for server response
Jul 21 17:48:09 TommyWisseau net.openvpn.v3.log[8028]: {tag:13536799875885226585} Network Configuration INFO: Socket protect called for socket 8, remote: '192.168.88.2', tun: '', ipv6: no
Jul 21 17:48:19 TommyWisseau net.openvpn.v3.log[8028]: {tag:11212960311964532105} Client INFO: Reconnecting
Jul 21 17:48:19 TommyWisseau net.openvpn.v3.log[8028]: {tag:11212960311964532105} Client VERB1: Waiting for server response
Jul 21 17:48:19 TommyWisseau net.openvpn.v3.log[8028]: {tag:13536799875885226585} Network Configuration INFO: Socket protect called for socket 8, remote: '192.168.88.2', tun: '', ipv6: no
Jul 21 17:48:20 TommyWisseau net.openvpn.v3.log[8028]: {tag:11212960311964532105} Client INFO: Stopping connection
Jul 21 17:48:20 TommyWisseau net.openvpn.v3.log[8028]: {tag:11212960311964532105} Client INFO: Disconnected
Jul 21 17:48:20 TommyWisseau net.openvpn.v3.log[8028]: Logger VERB2: Detached: {tag:11212960311964532105}  [:1.189/net.openvpn.v3.backends]
Jul 21 17:48:20 TommyWisseau net.openvpn.v3.log[8028]: Logger VERB2: Detached: {tag:3253356226085057175}  [:1.189/net.openvpn.v3.sessions]
Jul 21 17:48:20 TommyWisseau net.openvpn.v3.log[8028]: {tag:13536799875885226585} Network Configuration INFO: Cleaning up resources for PID 9387.
Jul 21 17:48:22 TommyWisseau net.openvpn.v3.log[8028]: {tag:6091168827960353666} Session Manager VERB1: Session is closing

Sample of my OpenVPN client profile (.ovpn)
client
dev tun
proto tcp4
remote <MY PUBLIC IP> 1194
nobind
persist-key
persist-tun
ca CA.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
auth-user-pass auth.cfg
redirect-gateway def1
verb 3

Linux version
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

OpenVpn3 version:
OpenVPN 3/Linux v15_beta (openvpn3)
OpenVPN core 3.git:HEAD:fce979ec linux x86_64 64-bit
Copyright (C) 2012-2020 OpenVPN Inc. All rights reserved.
 
Krizoovie
just joined
Topic Author
Posts: 3
Joined: Thu Jul 22, 2021 3:01 pm

Re: Can't establish connection with OpenVPN server on MikroTik outside LAN

Thu Sep 23, 2021 1:22 pm

I've found the problem, everything works just fine.
It was a very silly thing - before the OVPN server was hosted on MikroTik, I hosted it on a Synology NAS.
Due to that fact, I had added a dst-nat rule to my NAS's static IP address and forgot to delete/disable it.
add action=dst-nat chain=dstnat comment=OpenVPN_NAT dst-port=1194 \
    in-interface=ether1 log=yes log-prefix=openvpn protocol=tcp to-addresses=\
    192.168.5.3 to-ports=1194
After disabling that rule, everything seems to be working! :D
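A defender-side check for the root cause found in this thread, added here as an example (not code from the thread or from MikroTik): it parses an excerpt of the RouterOS export posted above and flags any enabled dst-nat rule that forwards the OpenVPN server's TCP port to another host while the router's own OpenVPN server is enabled, since the dstnat rule wins and the SYN never reaches the local server. The excerpt is constructed from the posted export; the `port` parameter of `/interface ovpn-server server` (default 1194) is assumed.

```python
import re

# Constructed excerpt of the RouterOS export from the thread (not the full export).
EXPORT = """\
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=open_vpn \\
    enabled=yes require-client-certificate=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=OpenVPN_NAT dst-port=1194 \\
    in-interface=ether1 log=yes log-prefix=openvpn protocol=tcp to-addresses=\\
    192.168.5.3 to-ports=1194
"""

def join_continuations(text):
    """RouterOS exports wrap long commands with a trailing backslash; rejoin them."""
    return re.sub(r"\\\n\s*", "", text)

def parse_sections(text):
    """Return {menu path: [dict of key=value params for each add/set line]}."""
    sections, current = {}, None
    for line in join_continuations(text).splitlines():
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            params = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
            sections[current].append(params)
    return sections

def ovpn_port_conflicts(text, default_port=1194):
    """List (comment, to-addresses) of enabled dst-nat rules that forward the
    local OpenVPN server's TCP port elsewhere while that server is enabled.
    Assumes the 'port' parameter name for the ovpn-server (default 1194)."""
    cfg = parse_sections(text)
    server = (cfg.get("/interface ovpn-server server") or [{}])[0]
    if server.get("enabled") != "yes":
        return []
    port = str(server.get("port", default_port))
    conflicts = []
    for rule in cfg.get("/ip firewall nat", []):
        if (rule.get("chain") == "dstnat" and rule.get("action") == "dst-nat"
                and rule.get("protocol") == "tcp" and rule.get("disabled") != "yes"
                and port in rule.get("dst-port", "").split(",")):
            conflicts.append((rule.get("comment", "<no comment>"), rule.get("to-addresses")))
    return conflicts

if __name__ == "__main__":
    print(ovpn_port_conflicts(EXPORT))  # the stale NAS forward from the thread
```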
