Something is causing either the client or the server side to disconnect, then it immediately retries, in an endless loop. I can't see what's causing this.
I'd be grateful for any advice on how I might resolve this. I've included what I hope are the relevant logs and configs.
Client invocation from command line produces these messages, which end with the error message when I disconnect the client from another command prompt:
openvpn3 session-start --config temp/OpenVPNetc/PHVPN.ovpn
Using configuration profile from file: temp/OpenVPNetc/PHVPN.ovpn
Session path: /net/openvpn/v3/sessions/73a32ca6s5715s476bs8771s3121992010e6
session-start: ** ERROR ** Failed to start session
$ openvpn3 log --log-level 6 --config temp/OpenVPNetc/PHVPN.ovpn
Waiting for session to start ... Done
Attaching to session /net/openvpn/v3/sessions/73a32ca6s5715s476bs8771s3121992010e6
2022-09-11 16:30:01 [STATUS] Connection, Configuration OK: config_path=/net/openvpn/v3/configuration/caca0248x641ax4a9axabd7xf9e4f639d7ed
2022-09-11 16:30:01 Client INFO: Starting connection
2022-09-11 16:30:01 [STATUS] Connection, Client connecting
2022-09-11 16:30:01 Client VERB1: Waiting for server response
2022-09-11 16:30:02 Client INFO: Connecting
2022-09-11 16:30:02 [STATUS] Connection, Client connecting
2022-09-11 16:30:05 Client VERB1: Waiting for server response
2022-09-11 16:30:05 Client INFO: Connecting
2022-09-11 16:30:05 [STATUS] Connection, Client connecting
2022-09-11 16:30:09 Client VERB1: Waiting for server response
2022-09-11 16:30:09 Client INFO: Connecting
2022-09-11 16:30:09 [STATUS] Connection, Client connecting
2022-09-11 16:30:13 Client VERB1: Waiting for server response
2022-09-11 16:30:13 Client INFO: Connecting
2022-09-11 16:30:13 [STATUS] Connection, Client connecting
2022-09-11 16:30:17 Client VERB1: Waiting for server response
2022-09-11 16:30:17 Client INFO: Connecting
2022-09-11 16:30:17 [STATUS] Connection, Client connecting
2022-09-11 16:30:18 Client INFO: Stopping connection
2022-09-11 16:30:18 [STATUS] Connection, Client disconnecting
2022-09-11 16:30:18 [STATUS] Connection, Client disconnected
2022-09-11 16:30:18 Client INFO: Disconnected
2022-09-11 16:30:18 [STATUS] Connection, Client process exited
Session closed
# OpenVPN client profile (temp/OpenVPNetc/PHVPN.ovpn) passed to the openvpn3
# commands above. Comments are review notes only; no directive has been changed.
dev tun
# TCP transport to a single server; the router listens on tcp/1194 (see the
# "Allow OpenVPN" input rule and /interface ovpn-server server in the export).
proto tcp-client
remote **.**.**.**
port 1194
nobind
persist-key
persist-tun
tls-client
# Require the presented server certificate to carry the server role (EKU /
# nsCertType) so that another client certificate issued by the same CA
# cannot impersonate the server.
remote-cert-tls server
# Mutual TLS: CA plus a per-client certificate/key pair, the counterpart of
# require-client-certificate=yes on the router.
ca CA.crt
cert PHClient.crt
key PHClient.key
# verb 6 is handshake-level detail for the diagnosis; lower it once resolved.
verb 6
mute 10
# Data-channel algorithms must equal the server's cipher=aes256 / auth=sha1;
# the router log line "using encoding - AES-256-CBC/SHA1" shows they were
# accepted. AES-256-CBC with an HMAC-SHA1 is what this server offers —
# TODO confirm whether this RouterOS version can offer anything stronger.
cipher AES-256-CBC
auth SHA1
# Username/password are read from a file literally named "secret" in the
# working directory (presumably one of the /ppp secret accounts — the router
# log shows user "mark" logging in). Keep that file readable only by the
# invoking user. auth-nocache stops the client keeping the credentials in
# memory between reconnect attempts.
auth-user-pass secret
auth-nocache
16:29:06 ovpn,info TCP connection established from <source ip>
16:29:06 firewall,info OpenVPN input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), <source ip>:35426-><router ip>:1194, len 60
16:29:06 ovpn,info : using encoding - AES-256-CBC/SHA1
16:29:06 ovpn,info,account mark logged in, 172.28.16.202 from <source ip>
16:29:06 ovpn,info <ovpn-mark>: connected
16:29:08 ovpn,info <ovpn-mark>: terminating... - peer disconnected
16:29:08 ovpn,info,account mark logged out, 2 0 0 0 0 from <source ip>
16:29:08 ovpn,info <ovpn-mark>: disconnected
16:29:10 ovpn,info TCP connection established from <source ip>
16:29:10 firewall,info OpenVPN input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), <source ip>:35428-><router ip>:1194, len 60
16:29:10 ovpn,info : using encoding - AES-256-CBC/SHA1
16:29:10 ovpn,info,account mark logged in, 172.28.16.202 from <source ip>
16:29:11 ovpn,info <ovpn-mark>: connected
16:29:12 ovpn,info <ovpn-mark>: terminating... - peer disconnected
16:29:12 ovpn,info,account mark logged out, 1 0 0 0 0 from <source ip>
16:29:12 ovpn,info <ovpn-mark>: disconnected
16:29:14 ovpn,info TCP connection established from <source ip>
16:29:14 firewall,info OpenVPN input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), <source ip>:35430-><router ip>:1194, len 60
16:29:14 ovpn,info : using encoding - AES-256-CBC/SHA1
16:29:14 ovpn,info,account mark logged in, 172.28.16.202 from <source ip>
16:29:14 ovpn,info <ovpn-mark>: connected
16:29:16 ovpn,info <ovpn-mark>: terminating... - peer disconnected
16:29:16 ovpn,info,account mark logged out, 1 0 0 0 0 from <source ip>
16:29:16 ovpn,info <ovpn-mark>: disconnected
16:29:18 ovpn,info TCP connection established from <source ip>
16:29:18 firewall,info OpenVPN input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), <source ip>:35432-><router ip>:1194, len 60
16:29:18 ovpn,info : using encoding - AES-256-CBC/SHA1
16:29:18 ovpn,info,account mark logged in, 172.28.16.202 from <source ip>
16:29:18 ovpn,info <ovpn-mark>: connected
16:29:19 ovpn,info <ovpn-mark>: terminating... - peer disconnected
16:29:19 ovpn,info,account mark logged out, 1 0 0 0 0 from <source ip>
16:29:19 ovpn,info <ovpn-mark>: disconnected
16:29:21 ovpn,info TCP connection established from <source ip>
16:29:21 firewall,info OpenVPN input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), <source ip>:35434-><router ip>:1194, len 60
16:29:21 ovpn,info : using encoding - AES-256-CBC/SHA1
16:29:21 ovpn,info,account mark logged in, 172.28.16.202 from <source ip>
16:29:22 ovpn,info <ovpn-mark>: connected
16:29:23 ovpn,info <ovpn-mark>: terminating... - peer disconnected
16:29:23 ovpn,info,account mark logged out, 1 0 0 0 0 from <source ip>
16:29:23 ovpn,info <ovpn-mark>: disconnected
# sep/12/2022 14:11:57 by RouterOS 6.48.3
# software id = GIY1-UQIH
#
# model = RB962UiGS-5HacT2HnT
# serial number = BEC60BFB9663
# Review notes (lines marked NOTE(review)) are observations on this export;
# no statement has been changed or reordered.
/interface bridge
add admin-mac=C4:AD:34:09:62:32 arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
# WAN uplink. The OpenVPN firewall log above shows client connections arriving
# with in:pppoe-out1.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
****@****.****
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country="united kingdom" disabled=no distance=indoors frequency=auto \
mode=ap-bridge ssid=PoplarHouse station-roaming=enabled \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country="united kingdom" disabled=no distance=indoors \
frequency=auto mode=ap-bridge ssid=PoplarHouse station-roaming=enabled \
wireless-protocol=802.11 wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.28.16.64-172.28.16.199
# VPN clients are addressed from the same /24 as the LAN (.200-.210).
add comment="for use by openvpn" name=vpnpool ranges=\
172.28.16.200-172.28.16.210
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1h name=defconf
# ovpn profile: remote side gets a vpnpool address, the router (172.28.16.1)
# as local address, and use-encryption=yes. idle-timeout=20m on the two
# built-in profiles ends idle PPP sessions.
/ppp profile
set *0 idle-timeout=20m
add dns-server=1.1.1.1,172.28.16.24 local-address=172.28.16.1 name=ovpn \
remote-address=vpnpool use-encryption=yes
set *FFFFFFFE idle-timeout=20m
# Built-in "full" group keeps every policy (telnet, ftp, api, ...). Which
# management services are actually enabled (/ip service) is not in this export.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
# OpenVPN server on tcp/1194. require-client-certificate=yes means a valid
# /ppp secret alone is not enough: the client must also present a certificate
# the router trusts (presumably issued by the CA behind PHServer — confirm in
# /certificate). cipher=aes256 / auth=sha1 are the only algorithms offered;
# the client profile's "cipher AES-256-CBC" / "auth SHA1" match, and the
# router log confirms "using encoding - AES-256-CBC/SHA1".
/interface ovpn-server server
set auth=sha1 certificate=PHServer cipher=aes256 default-profile=ovpn \
enabled=yes require-client-certificate=yes
# NOTE(review): PPTP is enabled. PPTP (MS-CHAPv2/MPPE) is cryptographically
# weak. With the input chain below it is reachable only from LAN — tcp/1723
# and GRE from WAN fall through to "drop all not coming from LAN" — but if
# nothing uses it, disable it. The "mark" and "msx1" secrets further down are
# not restricted to service=ovpn, so they would also be accepted here.
/interface pptp-server server
set enabled=yes
# NOTE(review): the LAN address is bound to ether2, which is itself a bridge
# port (see /interface bridge port). The RouterOS default config puts this
# address on "bridge"; confirm the placement on ether2 is intentional.
/ip address
add address=172.28.16.1/24 comment=defconf interface=ether2 network=\
172.28.16.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=172.28.16.0/24 comment=defconf dns-server=172.28.16.24 domain=\
POPLARHOUSE gateway=172.28.16.1 netmask=24
# Resolver answers remote requests; it is not exposed to WAN only because the
# input chain drops non-LAN traffic before it gets there (rule order matters).
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=172.28.16.1 name=router.lan
# allowed-local spans the whole /24, including the vpnpool range, which is
# what lets connected VPN clients reach the router via the input rule below.
/ip firewall address-list
add address=172.28.16.2-172.28.16.254 list=allowed-local
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): this accepts on source address alone, ahead of the
# "drop all not coming from LAN" rule. A WAN packet with a forged
# 172.28.16.x source would pass it unless reverse-path filtering
# (/ip settings rp-filter, not shown in this export) is on; adding
# in-interface-list=!WAN to this rule would close that.
add action=accept chain=input comment="Source IP is on local LAN" log-prefix=\
LocalIP src-address-list=allowed-local
# Accepts tcp/1194 from any source and logs each new connection with prefix
# "OpenVPN" — these are the "firewall,info OpenVPN input:" lines in the
# router log above.
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 log=yes \
log-prefix=OpenVPN protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log-prefix=Invalid-dropped
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): in prerouting this matches connections whose *source* port is
# 1194, i.e. traffic arriving from a peer's port 1194. The inbound client
# sessions in the log have dst-port 1194, so this mark — and the masquerade
# rule keyed on connection-mark=openvpn in /ip firewall nat — may never
# apply. Confirm what it was meant to cover.
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=openvpn \
passthrough=yes protocol=tcp src-port=1194
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="remote access to birdbox" disabled=\
yes dst-port=7175 log=yes protocol=tcp to-addresses=172.28.16.22 \
to-ports=8082
add action=masquerade chain=srcnat connection-mark=openvpn
# "anna" is limited to OpenVPN; "mark" and "msx1" have no service= and so
# default to any PPP service, including the PPTP server enabled above.
# Restricting all three to service=ovpn limits exposure. No password= values
# appear, so this export seems to have been taken without sensitive data.
/ppp secret
add name=anna profile=ovpn service=ovpn
add name=mark profile=ovpn
add name=msx1 profile=ovpn
/system clock
set time-zone-name=Europe/London
/system identity
set name=PoplarAP1
/system leds
set 2 disabled=yes
/tool graphing interface
add
/tool graphing resource
add
# MAC-telnet and MAC-Winbox limited to the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN