tukan

OpenVPN mikrotik as client connect on demand

Tue Sep 14, 2021 12:52 pm

I have a MikroTik CCR1009 router posing as a client connecting to an OpenVPN server. The connection itself works. I currently have 6.48.4 (Stable) installed.

What I would like to achieve is that the MikroTik client connects only for the time there is traffic going through the VPN. After some time (e.g. 10 minutes) it would disconnect and stay disconnected. When a new request comes, it automagically reconnects again.

What I have tried
I have tried to use the idle and session timeout (limits at ppp profile), but to my surprise it does not work as I was expecting.

I would expect the idle timeout to work as I need, but to my surprise it reconnects immediately after the timeout is reached.

Here is my log from ovpn connection with idle timeout set to 10min:
10:52:34 ovpn,info ovpnconnection: connecting...
10:52:35 ovpn,info ovpnconnection: using encoding - AES-256-CBC/SHA1
10:52:36 ovpn,info ovpnconnection: connected
11:02:36 ovpn,info ovpnconnection: terminating... - link inactive <== here the idle timeout reached
11:02:36 ovpn,info ovpnconnection: disconnected <== correctly disconnects
11:02:36 ovpn,info ovpnconnection: initializing... <== immediate reconnect?! Why it does not stay disconnected? (I see no traffic on the interface)
11:02:36 ovpn,info ovpnconnection: connecting...
11:02:37 ovpn,info ovpnconnection: using encoding - AES-256-CBC/SHA1
11:02:37 ovpn,info ovpnconnection: connected
Here is my log from ovpn connection with session timeout set to 10min:
09:55:38 ovpn,info ovpnconnection: initializing...
09:55:38 ovpn,info ovpnconnection: connecting...
09:55:39 ovpn,info ovpnconnection: using encoding - AES-256-CBC/SHA1
09:55:39 ovpn,info ovpnconnection: connected
10:05:39 ovpn,info ovpnconnection: terminating... - connect time expired <== here the session timeout reached
10:05:39 ovpn,info ovpnconnection: disconnected <== correctly disconnects
10:05:39 ovpn,info ovpnconnection: initializing... <== immediate reconnect?! Why it does not stay disconnected? (I see no traffic on the interface)
10:05:39 ovpn,info ovpnconnection: connecting...
10:05:41 ovpn,info ovpnconnection: using encoding - AES-256-CBC/SHA1
10:05:41 ovpn,info ovpnconnection: connected
The questions
Does anyone know why it is reconnecting the same second it disconnected? How can I debug such a situation? How can I prevent the immediate reconnect and connect only on demand?

Edit 15/09/2021 - additional information

From my testing I think it is safe to say there is a regression in the OpenVPN client profile functionality. The `idle-timeout` is triggered, which means there is no traffic, so there should not be any need to reconnect. What can cause the reconnection?

The wiki says on User_Profiles:
idle-timeout (time; Default: ) Specifies the amount of time after which the link will be terminated if there are no activity present. Timeout is not set by default
session-timeout (time; Default: ) Maximum time the connection can stay up. By default no time limit is set.
That works, the connection is terminated correctly. Why is it reconnecting the same second after terminating the connection either way?

I would really appreciate it if somebody from MikroTik could shed some light on the issue. How exactly should the idle and session timeout parameters work? Do they work correctly for the latest stable 6.48.4 release? (Taking the reconnection issue into consideration.)


I have found a similar post from two years ago without any answer - VPN Idle-Timeout (mis)used as Session-Timeout?.

I have tried everything that came to my mind - disabling routing, firewall, NAT. Even creating profile On Up: and On Down: rules like:
On Up:

/ip route enable [/ip route find gateway=ovpnconnection];
/ip firewall filter enable [/ip firewall filter find out-interface="ovpnconnection"];
/ip firewall filter enable [/ip firewall filter find in-interface="ovpnconnection"];
/ip firewall nat enable [/ip firewall nat find out-interface="ovpnconnection"];

On Down:

/ip firewall nat disable [/ip firewall nat find out-interface="ovpnconnection"];
/ip firewall filter disable [/ip firewall filter find out-interface="ovpnconnection"];
/ip firewall filter disable [/ip firewall filter find in-interface="ovpnconnection"];
/ip route disable [/ip route find gateway=ovpnconnection];

I have tried to downgrade to the previous stable 6.48.3, which did not help either - probably the regression has been there for some time already. Nothing worked.

Edit 20/09/2021 - additional information - proof that the idle timeout does not work correctly. I have, out of curiosity, set the idle timeout to 12 hours. Now, after 3 days of no traffic, nothing has happened!

Last edited by tukan on Mon Sep 20, 2021 10:45 am, edited 3 times in total.
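
To check a longer exported log for the pattern in the excerpts above (a timeout terminates the link and the client dials again at once), this added example, which is not part of the original post, pairs each termination with the next dial attempt on the same interface. The line layout is taken from the excerpts; the 5-second `redial_window` is an assumed threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the idle-timeout excerpt quoted in the post,
# keeping one of the poster's "<==" annotations to show it is tolerated.
SAMPLE_LOG = """\
10:52:34 ovpn,info ovpnconnection: connecting...
10:52:35 ovpn,info ovpnconnection: using encoding - AES-256-CBC/SHA1
10:52:36 ovpn,info ovpnconnection: connected
11:02:36 ovpn,info ovpnconnection: terminating... - link inactive <== idle timeout
11:02:36 ovpn,info ovpnconnection: disconnected
11:02:36 ovpn,info ovpnconnection: initializing...
11:02:36 ovpn,info ovpnconnection: connecting...
11:02:37 ovpn,info ovpnconnection: using encoding - AES-256-CBC/SHA1
11:02:37 ovpn,info ovpnconnection: connected
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) ovpn,info (\S+): (.*)$")

def analyze(log_text, redial_window=timedelta(seconds=5)):
    """One record per termination: reason, session uptime, delay before the next dial."""
    records, up_since, pending = [], {}, {}
    prev, day = None, timedelta(0)
    for raw in log_text.splitlines():
        m = LINE.match(raw.split("<==")[0].strip())
        if not m:
            continue
        ts = datetime.strptime(m[1], "%H:%M:%S") + day
        if prev is not None and ts < prev:  # no date in the log: time going backwards means midnight
            day += timedelta(days=1)
            ts += timedelta(days=1)
        prev = ts
        iface, msg = m[2], m[3]
        if msg == "connected":
            up_since[iface] = ts
        elif msg.startswith("terminating..."):
            started = up_since.pop(iface, None)
            rec = {"iface": iface, "immediate": False, "redial_after": None,
                   "reason": msg.partition(" - ")[2] or "unknown",
                   "uptime": ts - started if started else None,
                   "terminated_at": ts}
            records.append(rec)
            pending[iface] = rec
        elif msg == "connecting..." and iface in pending:
            rec = pending.pop(iface)
            rec["redial_after"] = ts - rec["terminated_at"]
            rec["immediate"] = rec["redial_after"] <= redial_window
    return records
```

A record with `immediate` set and a `reason` of `link inactive` or `connect time expired` is the case described in the post: the profile limit fired as configured, and the redial followed it.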
