genki
just joined
Topic Author
Posts: 18
Joined: Fri Oct 23, 2020 4:20 pm

OpenVPN client - MS Teams call drops help?

Sat Apr 02, 2022 6:00 pm

Hi Gurus,

I am having a terrible problem with an OpenVPN connection to ProtonVPN and it's only occurring on Mikrotik routers.
Let me start by saying that I have tested this extensively and it works perfectly on OpenWRT and also on GL.iNet GL-MT1300 (Beryl)

I have configured an OpenVPN connection on my HAP Ac2 to ProtonVPN
The problem that I am seeing is call drops during MS Teams, and again this ONLY occurs when I am running the VPN through the Mikrotik HAP Ac2.

I have engaged ProtonVPN support also, and they suggested lowering the MSS, but this has not fixed the issue.

So I come here to you guys as a last resort.... do you see anything in the configuration that may be causing the MS Teams call drops?
Thanks in advance


/export hide-sensitive
# apr/02/2022 08:56:26 by RouterOS 7.1.3
# model = RBD52G-5HacD2HnD
# serial number = xxxxx
# NOTE(review): hide-sensitive leaves out passwords and keys, but usernames, VPN hostnames, SSIDs and
# MAC addresses are still printed in this listing; those have to be redacted by hand before posting.
# NOTE(review): the export as posted contains no /interface ovpn-client section, so the OpenVPN client
# to ProtonVPN that the post is about cannot be reviewed here. The only VPN client defined is the
# L2TP/IPsec one below; the ProtonVPN IKEv2 peer, proposal, identity and policy templates are all disabled=yes.
/interface bridge
# LAN bridge with a pinned MAC (auto-mac=no), as in the default configuration.
add admin-mac=48:8F:5A:8E:36:E9 auto-mac=no comment=defconf name=bridge
/interface wireless
# Both radios run as access points. No security-profile is printed on either line, which in an export
# normally means the profile named "default" is in use - confirm on the router.
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Institute-2g wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Institute-5g wireless-protocol=802.11
/interface l2tp-client
# L2TP over IPsec client. add-default-route=yes installs a default route through the tunnel and
# use-peer-dns=yes accepts resolvers pushed by the peer. The account name (user=) is not treated as
# sensitive by the export and is visible here.
add add-default-route=yes allow-fast-path=yes connect-to=new-jersey-ubuntu-l2tp.expressprovider.com keepalive-timeout=120 name=Express-VPN-USA use-ipsec=yes use-peer-dns=yes user=r7i3vg
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
# wpa-psk next to wpa2-psk keeps the older WPA mode enabled; wpa2-psk alone is the stronger setting
# when every client supports it.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
# NOTE(review): static-keys-optional is the WEP-style mode that also accepts unencrypted frames.
# Neither wlan line above references darren-test, so it looks like a leftover test profile - remove it
# if nothing uses it.
add eap-methods="" mode=static-keys-optional name=darren-test supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik
# ProtonVPN IKEv2 client definitions. The peer and the proposal below are disabled=yes, so none of
# this is active in the exported state.
/ip ipsec mode-config
# responder=no makes this a client-side mode-config; connection-mark=under_protonvpn selects which
# marked connections would use the tunnel.
add connection-mark=under_protonvpn name="ProtonVPN mode config" responder=no
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
# NOTE(review): the dh-group list still offers modp1024, a 1024-bit group that is considered too weak
# for new deployments; drop it from the list if this peer is ever re-enabled.
# dpd-interval=disable-dpd turns dead-peer detection off, so a silently dead tunnel is not torn down by DPD.
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name="ProtonVPN profile"
/ip ipsec peer
add address=us-ca-25.protonvpn.com disabled=yes exchange-mode=ike2 name="ProtonVPN server" profile="ProtonVPN profile"
/ip ipsec proposal
# pfs-group=none means no additional key exchange is configured for this proposal.
add auth-algorithms=sha256 disabled=yes enc-algorithms=aes-256-cbc name="ProtonVPN proposal" pfs-group=none
/ip pool
# Two overlapping pools; only default-dhcp is referenced by the DHCP server below.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing ospf area
add disabled=yes name=backbone-v2
/routing table
# Extra routing table "vpn"; it is only consulted for traffic that carries the matching routing mark.
add fib name=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
# ether1 is the WAN port (see the interface list members); this bridge-port entry is disabled.
add bridge=bridge disabled=yes ingress-filtering=no interface=ether1
# NOTE(review): *B and *C are internal IDs printed when the referenced interface no longer exists;
# these two entries look like leftovers from deleted interfaces and can presumably be removed - confirm.
add bridge=bridge ingress-filtering=no interface=*B
add bridge=bridge ingress-filtering=no interface=*C
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list, so it is not announced on WAN-listed interfaces.
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is switched off entirely (disable-ipv6=yes, forward=no).
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface list member
# The L2TP tunnel is a WAN member, so every rule written against in-interface-list=WAN or
# out-interface-list=WAN (masquerade, dst-nat, the forward drop) also applies to the tunnel.
add interface=Express-VPN-USA list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=LAN
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip arp
# Static ARP entry for 192.168.88.26, the host used as DNS server further down.
add address=192.168.88.26 interface=bridge mac-address=DC:A6:32:43:27:xx
/ip cloud
# Registers the router's public address under a MikroTik cloud DNS name.
set ddns-enabled=yes
/ip dhcp-client
# NOTE(review): a DHCP client on the LAN bridge will take a lease from any DHCP server that answers
# on the LAN side, next to the static 192.168.88.1/24 and the router's own DHCP server; it looks
# unintended - confirm and remove if so.
add interface=bridge
# WAN lease on ether1: default route at distance 10, DNS servers offered by the upstream are ignored.
add default-route-distance=10 interface=ether1 use-peer-dns=no
/ip dhcp-server lease
# NOTE(review): mac-address was redacted by hand, but client-id still carries the complete MAC.
add address=192.168.88.223 client-id=1:5c:c3:36:24:25:ea mac-address=5C:C3:36:24:25:xx server=defconf
/ip dhcp-server network
# NOTE(review): a 0.0.0.0/24 network with gateway 0.0.0.0 matches no configured subnet; presumably a leftover.
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
# LAN clients are handed 192.168.88.26 as resolver and the router as gateway.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.26 gateway=192.168.88.1 netmask=24
/ip dns
# The router itself also resolves through 192.168.88.26. Whether that host's upstream queries travel
# inside the VPN depends on how its traffic is routed - worth checking if DNS privacy matters here.
set servers=192.168.88.26
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# allowed_to_router is the source range trusted by the input chain; the under_protonvpn entry is disabled.
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.88.0/24 disabled=yes list=under_protonvpn
/ip firewall filter
# Input chain (traffic addressed to the router itself): established/related first, then the trusted
# source range, then drop everything else.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# NOTE(review): this rule trusts on source address alone. It has no in-interface-list matcher, so a
# packet arriving on a WAN-listed interface with a 192.168.88.x source would match as well; adding
# in-interface-list=LAN ties the trust to where the packet actually enters. It also sits above the
# drop-invalid rule, so invalid-state packets from that range are accepted.
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# Final input drop; there is no separate ICMP accept rule in this chain.
add action=drop chain=input
# Forward chain (traffic through the router).
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections entering from a WAN-listed interface are dropped unless a dst-nat rule matched them.
# The chain has no final drop, so everything else (for example LAN to any destination) is forwarded.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# All four mangle rules are disabled=yes in this export, so no routing mark, connection mark or MSS
# change is applied to any traffic.
# Would send LAN-sourced traffic into routing table "vpn".
add action=mark-routing chain=prerouting comment=Expressvpn-mark-test disabled=yes new-routing-mark=vpn passthrough=no src-address=192.168.88.0/24
# Would tag connections from the under_protonvpn address list (whose only entry is also disabled).
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=under_protonvpn passthrough=yes src-address=192.168.88.0/24 src-address-list=under_protonvpn
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=under_protonvpn passthrough=yes src-address-list=under_protonvpn
# NOTE(review): the MSS clamp (SYN packets with MSS 1351-65535 rewritten to 1350) depends on the
# under_protonvpn connection mark, which nothing sets while the rules above are disabled, and it is
# itself disabled. It also matches protocol=tcp only; call media that runs over UDP would not be
# affected by it either way - presumably relevant to the reported drops, confirm with a capture.
add action=change-mss chain=forward connection-mark=under_protonvpn disabled=yes new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1351-65535
/ip firewall nat
# Source NAT for everything leaving through a WAN-listed interface that is not covered by an IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): the three dst-nat rules below are enabled and match in-interface-list=WAN, which
# includes both ether1 and the Express-VPN-USA tunnel, so 192.168.88.234 is reachable on these ports
# from either side. "portfwdtest" reads like a test rule; remove it if the test is over.
add action=dst-nat chain=dstnat comment=portfwdtest dst-port=4311 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.234 to-ports=4311
# NOTE(review): WireGuard uses UDP only, so the TCP forward on 51820 exposes a port without serving
# the tunnel; the UDP rule alone is sufficient.
add action=dst-nat chain=dstnat comment=wireguard dst-port=51820 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.234 to-ports=51820
add action=dst-nat chain=dstnat comment=wireguard dst-port=51820 in-interface-list=WAN protocol=udp to-addresses=192.168.88.234 to-ports=51820
/ip firewall service-port
# FTP connection-tracking helper switched off.
set ftp disabled=yes
/ip ipsec identity
# ProtonVPN IKEv2 identity (EAP-MSCHAPv2, server validated against the "ProtonVPN CA" certificate);
# disabled=yes, so it is not in use.
add auth-method=eap certificate="ProtonVPN CA" disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config="ProtonVPN mode config" peer="ProtonVPN server" policy-template-group=ProtonVPN username=xxxx
/ip ipsec policy
# Two identical policy templates, both disabled; one of them is redundant.
add disabled=yes dst-address=0.0.0.0/0 group=ProtonVPN proposal="ProtonVPN proposal" src-address=0.0.0.0/0 template=yes
add disabled=yes dst-address=0.0.0.0/0 group=ProtonVPN proposal="ProtonVPN proposal" src-address=0.0.0.0/0 template=yes
/ip route
# Default route via the L2TP tunnel in routing table "vpn". The only mark-routing rule that would
# steer traffic into that table (Expressvpn-mark-test) is disabled, so this route is not selected by
# any marked traffic in the exported state.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Express-VPN-USA pref-src="" routing-table=vpn suppress-hw-offload=no
/ip service
# Management services. telnet, ftp, api, api-ssl and winbox are off; www, ssh and www-ssl stay on.
# No address= restriction is printed on any service, so reachability is decided by the input chain alone.
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): www is the unencrypted web interface and is still enabled, only moved to port 4311.
# With www-ssl enabled below, www can be disabled so credentials are never sent in clear text.
# 4311 is also the port of the "portfwdtest" dst-nat rule - confirm that overlap is intended.
set www port=4311
# A non-default SSH port reduces log noise but is not an access control.
set ssh port=65530
set www-ssl certificate=https-cert disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
# Restricts SSH to the stronger cipher and key-exchange set.
set strong-crypto=yes
/system clock
set time-zone-name=America/Denver
/system identity
set name=Blackbox-rtr
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
# Layer-2 (MAC) telnet and MAC-WinBox are limited to LAN-listed interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
