KeitaroBR
just joined
Topic Author
Posts: 2
Joined: Wed Oct 26, 2022 3:56 pm

OpenVPN server not working - no default route

Wed Oct 26, 2022 4:31 pm

Dear all,

I'm evaluating CHR with RouterOS 7.6 as a VPN Server (IKEv2 and OVPN).

I've configured an OpenVPN server, but the clients are unable to connect when their config requests all traffic through the VPN (redirect-gateway def1).

Server config:
/interface ovpn-server server
set certificate=xxxx cipher=aes256 default-profile=PPP enabled=yes

/ppp profile
add dns-server=x.x.x.x,y.y.y.y local-address=z.z.z.z name=PPP only-one=no remote-address=Pool-VPN-Backup remote-ipv6-prefix-pool=VPN-ipv6 use-encryption=yes

/ip pool
add name=Pool-VPN-Backup ranges=a.a.a.1-a.a.a.249,b.b.b.1-b.b.b.249

/ipv6 pool
add name=VPN-ipv6 prefix=xx:zz:yy::/48 prefix-length=64

/ppp aaa
set use-radius=yes

/radius
add address=k.k.k.k comment=Freeradius service=ppp,ipsec

Firewall rules:
/ip firewall filter
add action=accept chain=input comment=PPTP-TCP dst-port=1723 protocol=tcp
add action=accept chain=input comment=PPTP-GRE protocol=gre
add action=accept chain=input comment=DNS src-address-list=DNS
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment=L2TP-UDP dst-port=500,4500,1701 protocol=udp
add action=accept chain=input comment=L2TP-IPSec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP-IPSEC-AH protocol=ipsec-ah
add action=accept chain=input comment="Traffic from VPN client remote network" src-address=l.l.l.0/24
add action=accept chain=input comment="TCP Established" connection-state=established
add action=drop chain=input comment="Block"

Client config:
client
dev tun
proto tcp-client
remote z.z.z.z
persist-key
persist-tun
port 1194
auth SHA1
verb 4
mute 10 
auth-user-pass
tls-client
remote-cert-tls server
cipher AES-256-CBC
redirect-gateway def1
<ca>
xxxxxx
</ca>

OVPN client log is:
Wed Oct 26 10:01:32 2022 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Wed Oct 26 10:01:32 2022 Current Parameter Settings:
Wed Oct 26 10:01:32 2022   config = 'Client.ovpn'
Wed Oct 26 10:01:32 2022   mode = 0
Wed Oct 26 10:01:32 2022   show_ciphers = DISABLED
Wed Oct 26 10:01:32 2022   show_digests = DISABLED
Wed Oct 26 10:01:32 2022   show_engines = DISABLED
Wed Oct 26 10:01:32 2022   genkey = DISABLED
Wed Oct 26 10:01:32 2022   genkey_filename = '[UNDEF]'
Wed Oct 26 10:01:32 2022   key_pass_file = '[UNDEF]'
Wed Oct 26 10:01:32 2022   show_tls_ciphers = DISABLED
Wed Oct 26 10:01:32 2022 NOTE: --mute triggered...
Wed Oct 26 10:01:32 2022 292 variation(s) on previous 10 message(s) suppressed by --mute
Wed Oct 26 10:01:32 2022 OpenVPN 2.5.7 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 27 2022
Wed Oct 26 10:01:32 2022 Windows version 10.0 (Windows 10 or greater) 64bit
Wed Oct 26 10:01:32 2022 library versions: OpenSSL 1.1.1o  3 May 2022, LZO 2.10
Wed Oct 26 10:01:32 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Oct 26 10:01:32 2022 Need hold release from management interface, waiting...
Wed Oct 26 10:01:32 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Oct 26 10:01:33 2022 MANAGEMENT: CMD 'state on'
Wed Oct 26 10:01:33 2022 MANAGEMENT: CMD 'log all on'
Wed Oct 26 10:01:33 2022 MANAGEMENT: CMD 'echo all on'
Wed Oct 26 10:01:33 2022 MANAGEMENT: CMD 'bytecount 5'
Wed Oct 26 10:01:33 2022 MANAGEMENT: CMD 'hold off'
Wed Oct 26 10:01:33 2022 MANAGEMENT: CMD 'hold release'
Wed Oct 26 10:01:36 2022 MANAGEMENT: CMD 'username "Auth" "xxxxx"'
Wed Oct 26 10:01:36 2022 MANAGEMENT: CMD 'password [...]'
Wed Oct 26 10:01:36 2022 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Wed Oct 26 10:01:36 2022 MANAGEMENT: >STATE:1666789296,RESOLVE,,,,,,
Wed Oct 26 10:01:36 2022 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Wed Oct 26 10:01:36 2022 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Wed Oct 26 10:01:36 2022 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Wed Oct 26 10:01:36 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]z.z.z.z:1194
Wed Oct 26 10:01:36 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Oct 26 10:01:36 2022 Attempting to establish TCP connection with [AF_INET]z.z.z.z:1194 [nonblock]
Wed Oct 26 10:01:36 2022 MANAGEMENT: >STATE:1666789296,TCP_CONNECT,,,,,,
Wed Oct 26 10:01:36 2022 TCP connection established with [AF_INET]z.z.z.z:1194
Wed Oct 26 10:01:36 2022 TCP_CLIENT link local: (not bound)
Wed Oct 26 10:01:36 2022 TCP_CLIENT link remote: [AF_INET]z.z.z.z:1194
Wed Oct 26 10:01:36 2022 MANAGEMENT: >STATE:1666789296,WAIT,,,,,,
Wed Oct 26 10:01:36 2022 MANAGEMENT: >STATE:1666789296,AUTH,,,,,,
Wed Oct 26 10:01:36 2022 TLS: Initial packet from [AF_INET]z.z.z.z:1194, sid=c3fb5479 ddfb427e
Wed Oct 26 10:01:36 2022 VERIFY OK: depth=3, OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign
Wed Oct 26 10:01:36 2022 VERIFY OK: depth=2, C=BE, O=GlobalSign nv-sa, CN=Trusted Root TLS CA SHA256 G3
Wed Oct 26 10:01:36 2022 VERIFY OK: depth=1, C=BR, O=xxxxxxxxxxxxx
Wed Oct 26 10:01:36 2022 VERIFY KU OK
Wed Oct 26 10:01:36 2022 Validating certificate extended key usage
Wed Oct 26 10:01:36 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Oct 26 10:01:36 2022 VERIFY EKU OK
Wed Oct 26 10:01:36 2022 VERIFY OK: depth=0, C=..............
Wed Oct 26 10:01:36 2022 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Wed Oct 26 10:01:36 2022 [z.z.z.z] Peer Connection Initiated with [AF_INET]z.z.z.z:1194
Wed Oct 26 10:01:37 2022 Key [AF_INET]z.z.z.z:1194 [0] not initialized (yet), dropping packet.
Wed Oct 26 10:01:37 2022 MANAGEMENT: >STATE:1666789297,GET_CONFIG,,,,,,
Wed Oct 26 10:01:37 2022 SENT CONTROL [z.z.z.z]: 'PUSH_REQUEST' (status=1)
Wed Oct 26 10:01:37 2022 Key [AF_INET]z.z.z.z:1194 [0] not initialized (yet), dropping packet.
Wed Oct 26 10:01:38 2022 Key [AF_INET]z.z.z.z:1194 [0] not initialized (yet), dropping packet.
Wed Oct 26 10:01:38 2022 Key [AF_INET]z.z.z.z:1194 [0] not initialized (yet), dropping packet.
Wed Oct 26 10:01:42 2022 SENT CONTROL [z.z.z.z]: 'PUSH_REQUEST' (status=1)
Wed Oct 26 10:01:48 2022 SENT CONTROL [z.z.z.z]: 'PUSH_REQUEST' (status=1)
Wed Oct 26 10:01:48 2022 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS x.x.x.x,dhcp-option DNS y.y.y.y,ping 20,ping-restart 60,topology subnet,route-gateway z.z.z.z,ifconfig a.a.a.239 255.255.255.0'
Wed Oct 26 10:01:48 2022 OPTIONS IMPORT: timers and/or timeouts modified
Wed Oct 26 10:01:48 2022 OPTIONS IMPORT: --ifconfig/up options modified
Wed Oct 26 10:01:48 2022 OPTIONS IMPORT: route-related options modified
Wed Oct 26 10:01:48 2022 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Oct 26 10:01:48 2022 Using peer cipher 'AES-256-CBC'
Wed Oct 26 10:01:48 2022 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Oct 26 10:01:48 2022 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 26 10:01:48 2022 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Oct 26 10:01:48 2022 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 26 10:01:48 2022 interactive service msg_channel=780
Wed Oct 26 10:01:48 2022 open_tun
Wed Oct 26 10:01:48 2022 tap-windows6 device [OpenVPN TAP-Windows6] opened
Wed Oct 26 10:01:48 2022 TAP-Windows Driver Version 9.24 
Wed Oct 26 10:01:48 2022 TAP-Windows MTU=1500
Wed Oct 26 10:01:48 2022 Set TAP-Windows TUN subnet mode network/local/netmask = a.a.a.0/a.a.a.239/255.255.255.0 [SUCCEEDED]
Wed Oct 26 10:01:48 2022 Notified TAP-Windows driver to set a DHCP IP/netmask of a.a.a.239/255.255.255.0 on interface {32077BDB-F0CF-47A5-99B3-5B2E6726A8F4} [DHCP-serv: a.a.a.0, lease-time: 31536000]
Wed Oct 26 10:01:48 2022 DHCP option string: 060896a2 010196a2 0202
Wed Oct 26 10:01:48 2022 Successful ARP Flush on interface [7] {32077BDB-F0CF-47A5-99B3-5B2E6726A8F4}
Wed Oct 26 10:01:48 2022 do_ifconfig, ipv4=1, ipv6=0
Wed Oct 26 10:01:48 2022 MANAGEMENT: >STATE:1666789308,ASSIGN_IP,,a.a.a.239,,,,
Wed Oct 26 10:01:48 2022 IPv4 MTU set to 1500 on interface 7 using service
Wed Oct 26 10:01:53 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:01:53 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:01:58 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:01:58 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:01:59 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:01:59 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:00 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:00 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:01 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:01 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:02 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:02 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:03 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:03 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:04 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:04 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:05 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:05 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:06 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:06 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:07 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:07 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:08 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:08 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:09 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:09 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:10 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:10 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:11 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:11 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:12 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:12 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:13 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:13 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:14 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:14 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:15 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:15 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:16 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:16 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:17 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:17 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:18 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:18 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:19 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:19 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:20 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:20 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:21 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:21 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:22 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:22 2022 Route: Waiting for TUN/TAP interface to come up...
Wed Oct 26 10:02:23 2022 TEST ROUTES: 0/1 succeeded len=0 ret=0 a=0 u/d=up
Wed Oct 26 10:02:23 2022 C:\WINDOWS\system32\route.exe ADD z.z.z.z MASK 255.255.255.255 l.l.l.254
Wed Oct 26 10:02:23 2022 Route addition via service succeeded
Wed Oct 26 10:02:23 2022 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 z.z.z.z
Wed Oct 26 10:02:23 2022 Warning: route gateway is not reachable on any active network adapters: z.z.z.z
Wed Oct 26 10:02:23 2022 Route addition via service failed
Wed Oct 26 10:02:23 2022 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 z.z.z.z
Wed Oct 26 10:02:23 2022 Warning: route gateway is not reachable on any active network adapters: z.z.z.z
Wed Oct 26 10:02:23 2022 Route addition via service failed
Wed Oct 26 10:02:23 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Oct 26 10:02:23 2022 SYSTEM ROUTING TABLE
Wed Oct 26 10:02:23 2022 0.0.0.0 0.0.0.0 l.l.l.254 p=0 i=10 t=4 pr=3 a=2726 h=0 m=25/0/0/0/0
Wed Oct 26 10:02:23 2022 127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=2952 h=0 m=331/0/0/0/0
Wed Oct 26 10:02:23 2022 127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=2952 h=0 m=331/0/0/0/0
Wed Oct 26 10:02:23 2022 127.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=2952 h=0 m=331/0/0/0/0
Wed Oct 26 10:02:23 2022 z.z.z.z 255.255.255.255 l.l.l.254 p=0 i=10 t=4 pr=3 a=0 h=0 m=281/0/0/0/0
....
Wed Oct 26 10:02:23 2022 a.a.a.0 255.255.255.0 a.a.a.239 p=0 i=7 t=3 pr=2 a=35 h=0 m=281/0/0/0/0
Wed Oct 26 10:02:23 2022 a.a.a.239 255.255.255.255 a.a.a.239 p=0 i=7 t=3 pr=2 a=35 h=0 m=281/0/0/0/0
Wed Oct 26 10:02:23 2022 a.a.a.255 255.255.255.255 a.a.a.239 p=0 i=7 t=3 pr=2 a=35 h=0 m=281/0/0/0/0
...
Wed Oct 26 10:02:23 2022 SYSTEM ADAPTER LIST
Wed Oct 26 10:02:23 2022 Microsoft Hyper-V Network Adapter #2
Wed Oct 26 10:02:23 2022   Index = 10
Wed Oct 26 10:02:23 2022   GUID = {560F93A1-A3DB-4910-8EC4-2FAC201DBF14}
Wed Oct 26 10:02:23 2022   IP = l.l.l.40/255.255.255.0 
Wed Oct 26 10:02:23 2022   MAC = 00:15:5d:f8:49:0a
Wed Oct 26 10:02:23 2022   GATEWAY = l.l.l.254/255.255.255.255 
Wed Oct 26 10:02:23 2022   DHCP SERV = xxxxx
Wed Oct 26 10:02:23 2022   DHCP LEASE OBTAINED = 2022-10-26 10:01:57
Wed Oct 26 10:02:23 2022   DHCP LEASE EXPIRES  = 2022-10-26 10:06:57
Wed Oct 26 10:02:23 2022   DNS SERV = yyyyy
Wed Oct 26 10:02:23 2022 Wintun Userspace Tunnel
Wed Oct 26 10:02:23 2022   Index = 17
Wed Oct 26 10:02:23 2022   GUID = {EC2350B6-0D63-4C60-8FB1-5FEDB20DEA70}
Wed Oct 26 10:02:23 2022   IP = 0.0.0.0/0.0.0.0 
Wed Oct 26 10:02:23 2022   MAC = 
Wed Oct 26 10:02:23 2022   GATEWAY = 0.0.0.0/255.255.255.255 
Wed Oct 26 10:02:23 2022   DNS SERV =  
Wed Oct 26 10:02:23 2022 TAP-Windows Adapter V9
Wed Oct 26 10:02:23 2022   Index = 7
Wed Oct 26 10:02:23 2022   GUID = {32077BDB-F0CF-47A5-99B3-5B2E6726A8F4}
Wed Oct 26 10:02:23 2022   IP = a.a.a.239/255.255.255.0 
Wed Oct 26 10:02:23 2022   MAC = 00:ff:32:07:7b:db
Wed Oct 26 10:02:23 2022   GATEWAY = 0.0.0.0/255.255.255.255 
Wed Oct 26 10:02:23 2022   DHCP SERV = a.a.a.0/255.255.255.255 
Wed Oct 26 10:02:23 2022   DHCP LEASE OBTAINED = 2022-10-26 10:01:48
Wed Oct 26 10:02:23 2022   DHCP LEASE EXPIRES  = 2023-10-26 10:01:48
Wed Oct 26 10:02:23 2022   DNS SERV = x.x.x.x/255.255.255.255 y.y.y.y/255.255.255.255 
Wed Oct 26 10:02:23 2022 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
Wed Oct 26 10:02:23 2022 MANAGEMENT: >STATE:1666789343,CONNECTED,ERROR,a.a.a.239,z.z.z.z,1194,l.l.l.l.40,49958

Any ideas what may be happening?
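A small diagnostic for the situation the log above shows, added here as an example and not part of the original post: it parses the PUSH_REPLY the client received and the route.exe results that followed it, and checks whether the pushed route-gateway lies inside the tunnel subnet assigned by ifconfig. In the posted log the pushed route-gateway is z.z.z.z, the same placeholder as the client's `remote` address and the profile's local-address, while the client was given a.a.a.239/24, which is exactly the condition behind the "route gateway is not reachable on any active network adapters" warnings and the two failed 0.0.0.0/128.0.0.0 routes. The sample data is constructed from the posted log with the placeholders replaced by RFC 5737 documentation addresses (203.0.113.1 stands for z.z.z.z, 198.51.100.0/24 for the a.a.a.0/24 pool, 192.0.2.254 for the LAN gateway l.l.l.254); the function names are mine.

```python
import ipaddress
import re

# Constructed sample: the PUSH_REPLY from the posted client log, placeholders replaced
# by RFC 5737 addresses (203.0.113.1 = z.z.z.z, 198.51.100.0/24 = a.a.a.0/24).
SAMPLE_PUSH_REPLY = (
    "PUSH_REPLY,dhcp-option DNS 192.0.2.53,dhcp-option DNS 192.0.2.54,"
    "ping 20,ping-restart 60,topology subnet,route-gateway 203.0.113.1,"
    "ifconfig 198.51.100.239 255.255.255.0"
)

# Constructed sample: the route-related lines from the posted log, same substitutions.
SAMPLE_LOG = "\n".join([
    f"Wed Oct 26 10:01:48 2022 PUSH: Received control message: '{SAMPLE_PUSH_REPLY}'",
    r"Wed Oct 26 10:02:23 2022 C:\WINDOWS\system32\route.exe ADD 203.0.113.1 MASK 255.255.255.255 192.0.2.254",
    "Wed Oct 26 10:02:23 2022 Route addition via service succeeded",
    r"Wed Oct 26 10:02:23 2022 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 203.0.113.1",
    "Wed Oct 26 10:02:23 2022 Warning: route gateway is not reachable on any active network adapters: 203.0.113.1",
    "Wed Oct 26 10:02:23 2022 Route addition via service failed",
    r"Wed Oct 26 10:02:23 2022 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 203.0.113.1",
    "Wed Oct 26 10:02:23 2022 Warning: route gateway is not reachable on any active network adapters: 203.0.113.1",
    "Wed Oct 26 10:02:23 2022 Route addition via service failed",
])

PUSH_RE = re.compile(r"Received control message: '(PUSH_REPLY[^']*)'")
ROUTE_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
STATUS_RE = re.compile(r"Route addition via service (succeeded|failed)")


def parse_push_reply(msg: str) -> dict:
    """Split a PUSH_REPLY control message into {option: [[args...], ...]}."""
    parts = msg.split(",")
    if not parts or parts[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    opts: dict = {}
    for item in parts[1:]:
        tokens = item.split()
        if tokens:
            opts.setdefault(tokens[0], []).append(tokens[1:])
    return opts


def check_route_gateway(msg: str) -> dict:
    """Report whether the pushed route-gateway is reachable on the tunnel interface."""
    opts = parse_push_reply(msg)
    if "ifconfig" not in opts or "route-gateway" not in opts:
        raise ValueError("PUSH_REPLY lacks ifconfig or route-gateway")
    local, second = opts["ifconfig"][0][:2]
    gw = ipaddress.ip_address(opts["route-gateway"][0][0])
    topology = opts.get("topology", [["net30"]])[0][0]
    if topology == "subnet":
        # 'ifconfig <local> <netmask>': the gateway must lie inside that subnet
        iface = ipaddress.ip_interface(f"{local}/{second}")
        subnet, on_link = str(iface.network), gw in iface.network
    else:
        # net30/p2p: 'ifconfig <local> <peer>'; the only on-link next hop is the peer
        subnet, on_link = f"{local} peer {second}", gw == ipaddress.ip_address(second)
    return {"topology": topology, "tunnel_subnet": subnet,
            "gateway": str(gw), "gateway_on_link": on_link}


def route_results(log: str) -> list:
    """Pair each 'route.exe ADD' line with the service status line that follows it."""
    results, pending = [], None
    for line in log.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            pending = {"dest": m.group(1), "mask": m.group(2),
                       "gateway": m.group(3), "status": "unknown"}
            results.append(pending)
            continue
        s = STATUS_RE.search(line)
        if s and pending is not None:
            pending["status"] = s.group(1)
            pending = None
    return results


def diagnose(log: str) -> dict:
    """Combine the PUSH_REPLY check with the route outcomes from the same client log."""
    m = PUSH_RE.search(log)
    if not m:
        raise ValueError("no PUSH_REPLY found in log")
    gw_check = check_route_gateway(m.group(1))
    failed = [r for r in route_results(log) if r["status"] == "failed"]
    if failed and not gw_check["gateway_on_link"]:
        verdict = ("pushed route-gateway is not on the tunnel subnet, "
                   "so the redirect-gateway routes cannot be installed")
    else:
        verdict = "ok"
    return {**gw_check, "failed_routes": failed, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log, the check is only meaningful once the client has reached `PUSH: Received control message`; before that point the server has not told the client which gateway to use, and route failures have other causes (the TAP adapter not up, for instance). On RouterOS the pushed route-gateway comes from the PPP profile's local-address, so the report points at the value to compare with the pool the remote-address is drawn from.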
