su1
just joined
Topic Author
Posts: 1
Joined: Sat Sep 10, 2022 12:16 am

Open VPN Server: Unable to connect (Server poll timeout)

Sat Sep 10, 2022 1:15 am

Hi,

I'm desperately needing to get to my home network via OpenVPN and I have been trying to get this to work for a long time. I have followed many guides and scripts. Though they are similar and I have followed the exact steps, nothing seems to work.

I have a Mikrotik 5G router. I'm behind NAT but I do have a public IP. I have also tried WireGuard, which didn't work either. I use custom DDNS but also enabled the built-in DDNS as well while I'm testing this with everything I've got.

This is the initial script I followed
https://gist.github.com/SmartFinn/8324a55a2020c56b267b

Also this guide and so many other videos
https://www.linkedin.com/pulse/mikrotik ... _directory

I have reset the config and then tried to take the idea from multiple sources to build a working solution as well, still not connecting.
I feel like this could be due to multiple WANs, firewall config or some NAT issue but I'm not an expert on this. I simply want this to work, but I have a basic idea and these guides seem to work for many people.

Here's my config (sensitive data hidden):
# sep/10/2022 00:25:26 by RouterOS 7.4
# software id = NBDS-XXXX
#
# model = D53G-5HacD2HnD-TC&RG502Q-EA
# serial number = HCF07XXXXX
/interface bridge
add admin-mac=DC:2C:6E:XX:XX:XX arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1 nr-band=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=latvia disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=XX-2GHz wireless-protocol=802.11 wps-mode=\
    push-button-5s
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=latvia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge skip-dfs-channels=10min-cac ssid=\
    XX-5GHz wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.lmt.lv ipv6-interface=bridge name=\
    "LMT Internet" use-network-apn=no
add apn=static1.lmt.lv ip-type=ipv4 name=LMT-static1.lmt.lv
add apn=static2.lmt.lv ip-type=ipv4 name=LMT-static2.lmt.lv
add apn=internet1.lmt.lv ip-type=ipv4 name=LMT-internet1.lmt.lv
add apn=static61.lmt.lv ipv6-interface=bridge name=LMT-static61.lmt.lv
add apn=static62.lmt.lv ipv6-interface=bridge name=LMT-static62.lmt.lv
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=LMT
/ip pool
add name=dhcp ranges=192.168.8.10-192.168.8.254
add name=VPN-POOL ranges=192.168.252.128-192.168.252.224
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
    remote-address=VPN-POOL use-encryption=yes use-ipv6=no
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server@XX.org cipher=aes256 \
    default-profile=VPN-PROFILE enabled=yes port=443 \
    require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/ip address
add address=192.168.8.1/24 comment=defconf interface=bridge network=\
    192.168.8.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf gateway=192.168.8.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.8.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward out-interface-list=WAN src-address=\
    192.168.252.0/24
add action=accept chain=forward dst-address=192.168.252.0/24 \
    in-interface-list=WAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept LMT provisioning" \
    dst-port=8081 protocol=tcp src-address=212.93.97.83
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=forward out-interface-list=WAN src-address=\
    192.168.252.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.252.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip service
set www-ssl certificate=router.lan disabled=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=XXXX profile=VPN-PROFILE service=ovpn
add name=vpn
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=XXXX.org
/system logging
add topics=ovpn
/system routerboard settings
set cpu-frequency=716MHz
/system routerboard reset-button
set enabled=yes hold-time=5s..10s on-event=reset-configuration
/system scheduler
add comment=DDNS interval=10m name="Dydns Script" on-event=":log info \"Start \
    DDNS Script\";\r\
    \n/tool fetch url=\"https://myip.dnsomatic.com/mypublicip.txt\" mode=https\
    ;\r\
    \n:local currentIP [file get mypublicip.txt contents ];\r\
    \n:log info \"currentIP is \$currentIP\";\r\
    \n:global ddnsuser \"XXX\";\r\
    \n:global ddnspass \"XXXX\";\r\
    \n:global ddnshost \"XXXX.org\";\r\
    \n:global ipddns [:resolve \$ddnshost];\r\
    \n:if (\$ipddns != \$currentIP) do={\r\
    \n:log info \"DynuDDNS: IP-Dynu = \$ipddns\";\r\
    \n:log info \"DynuDDNS: IP-Fresh = \$currentIP\";\r\
    \n:log info \"DynuDDNS: Update IP needed, Sending UPDATE...!\";\r\
    \n:global str \"/nic/update\?hostname=\$ddnshost&myip=\$currentIP\";\r\
    \n:log info \"currentIP is \$currentIP\";\r\
    \n/tool fetch address=api.dynu.com src-path=\$str mode=https user=\$ddnsus\
    er password=\$ddnspass dst-path=(\"/Dynu.\".\$ddnshost)\r\
    \n:delay 1;\r\
    \n:global str [/file find name=\"Dynu.\$ddnshost\"];\r\
    \n/file remove \$str;\r\
    \n:global ipddns \$currentIP;\r\
    \n:log info \"DynuDDNS: IP updated to \$currentIP!\";\r\
    \n} else={\r\
    \n:log info \"DynuDDNS: dont need changes\";\r\
    \n}\r\
    \n:log info \"End DDNS Script\";" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/09/2022 start-time=14:41:03
/system script
add dont-require-permissions=yes name=reset-configuration owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/system reset-configuration"
add dont-require-permissions=yes name="DDNS Dydns Script" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    log info \"Start DDNS Script\";\r\
    \n/tool fetch url=\"https://myip.dnsomatic.com/mypublicip.txt\" mode=https\
    ;\r\
    \n:local currentIP [file get mypublicip.txt contents ];\r\
    \n:log info \"currentIP is \$currentIP\";\r\
    \n:global ddnsuser \"XXX\";\r\
    \n:global ddnspass \"XXXX\";\r\
    \n:global ddnshost \"XXXX.org\";\r\
    \n:global ipddns [:resolve \$ddnshost];\r\
    \n:if (\$ipddns != \$currentIP) do={\r\
    \n:log info \"DynuDDNS: IP-Dynu = \$ipddns\";\r\
    \n:log info \"DynuDDNS: IP-Fresh = \$currentIP\";\r\
    \n:log info \"DynuDDNS: Update IP needed, Sending UPDATE...!\";\r\
    \n:global str \"/nic/update\?hostname=\$ddnshost&myip=\$currentIP\";\r\
    \n:log info \"currentIP is \$currentIP\";\r\
    \n/tool fetch address=api.dynu.com src-path=\$str mode=https user=\$ddnsus\
    er password=\$ddnspass dst-path=(\"/Dynu.\".\$ddnshost)\r\
    \n:delay 1;\r\
    \n:global str [/file find name=\"Dynu.\$ddnshost\"];\r\
    \n/file remove \$str;\r\
    \n:global ipddns \$currentIP;\r\
    \n:log info \"DynuDDNS: IP updated to \$currentIP!\";\r\
    \n} else={\r\
    \n:log info \"DynuDDNS: dont need changes\";\r\
    \n}\r\
    \n:log info \"End DDNS Script\";"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tr069-client
set acs-url=https://acs.lmt.lv:8049 check-certificate=no \
    connection-request-port=8081 connection-request-username=p3NnUcwLuhnF \
    enabled=yes periodic-inform-interval=12h username=LMT

The OpenVPN client log:
[Sep 10, 2022, 24:40:11] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Mar 17 2022 11:42:02
[Sep 10, 2022, 24:40:11] Frame=512/2048/512 mssfix-ctrl=1250
[Sep 10, 2022, 24:40:11] UNUSED OPTIONS
2 [dev-node] [Local] [Area] [Connection]
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
14 [verb] [3]
[Sep 10, 2022, 24:40:11] EVENT: RESOLVE
[Sep 10, 2022, 24:40:11] EVENT: WAIT
[Sep 10, 2022, 24:40:11] WinCommandAgent: transmitting bypass route to 212.3.xxx.xxx
{
	"host" : "212.3.xxx.xxx",
	"ipv6" : false
}

[Sep 10, 2022, 24:40:21] Server poll timeout, trying next remote entry...
[Sep 10, 2022, 24:40:21] EVENT: RECONNECTING
[Sep 10, 2022, 24:40:21] EVENT: RESOLVE
[Sep 10, 2022, 24:40:21] EVENT: WAIT
[Sep 10, 2022, 24:40:21] WinCommandAgent: transmitting bypass route to 212.3.xxx.xxx
{
	"host" : "212.3.xxx.xxx",
	"ipv6" : false
}

[Sep 10, 2022, 24:40:31] Server poll timeout, trying next remote entry...
[Sep 10, 2022, 24:40:31] EVENT: RECONNECTING
[Sep 10, 2022, 24:40:31] EVENT: RESOLVE
[Sep 10, 2022, 24:40:31] EVENT: WAIT
[Sep 10, 2022, 24:40:31] WinCommandAgent: transmitting bypass route to 212.3.xxx.xxx
{
	"host" : "212.3.xxx.xxx",
	"ipv6" : false
}

[Sep 10, 2022, 24:40:33] EVENT: DISCONNECTED


And one of the client configs I tried (I tried a few other variations as well):
client
dev tun
proto tcp-client
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
auth-nocache
mute 10
remote xxxx.net
port 443
auth SHA1
cipher AES-256-CBC
redirect-gateway def1
pull
auth-user-pass secret.cfg
ca xxxx.crt
cert xxx@xxxx.crt
key xxx@xxxx.key
I tried the default port first, but then I thought it might be better with a 443 tunnel.

You can notice there are a few BS firewall rules, but they were just desperate attempts since nothing seems to work.

If this is really impossible, can you help me set up the router to port-forward to my Raspberry Pi, if at least that would work?

Or literally any other 4G/5G router I can use to get this thing to work. I am frequently traveling around Europe. I really need to access the Internet via my home network for an essential requirement.

Any help/solution on this would be highly appreciated. I created this account specifically because I have run out of solutions, but I really need a way to access the Internet via my home network.

Thank you in advance!
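As an added example (not from this thread and not MikroTik's own code), here is a small Python first-match simulator for the input chain in the export above: it re-joins the export's backslash-continued lines, parses the rules in order and reports which rule decides a new inbound TCP SYN to the router. On the rules as posted, the OVPN server on port 443 is admitted by the "allow sstp" rule, whereas OpenVPN's default port 1194 reaches the "drop all not coming from LAN" rule first. It models only the matchers that occur in the sampled rules (chain, protocol, dst-port, connection-state, in-interface-list) and assumes RouterOS's top-down, first-match evaluation with an implicit accept at the end of the chain.

```python
import shlex

# Constructed sample: three IPv4 input-chain rules from the export above, kept in the
# export's own form (trailing-backslash continuations) so the joiner below is exercised.
EXPORT = r'''/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
'''

def join_continuations(export):  # re-join lines the export split with a trailing backslash
    lines, buf = [], ""
    for raw in export.splitlines():
        buf += raw.lstrip() if buf else raw
        if buf.endswith("\\"):
            buf = buf[:-1]
        else:
            lines.append(buf)
            buf = ""
    return lines

def parse_filter_rules(export):  # '/ip firewall filter' rules as dicts, in export (= evaluation) order
    rules, section = [], None
    for line in join_continuations(export):
        if line.startswith("/"):
            section = line.strip()
        elif section == "/ip firewall filter" and line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return rules

CHECKS = {  # matchers this demo models; a rule with any other key raises KeyError on purpose
    "chain": lambda v, p: v == p["chain"],
    "protocol": lambda v, p: v == p["protocol"],
    "dst-port": lambda v, p: str(p["dst_port"]) in v.split(","),
    "connection-state": lambda v, p: p["state"] in v.split(","),
    # RouterOS negates an interface-list matcher with a leading '!'
    "in-interface-list": lambda v, p: (v[1:] not in p["in_lists"]) if v[0] == "!" else v in p["in_lists"],
}

def syn_verdict(rules, dst_port, in_lists=("WAN",)):
    """Decide a new inbound TCP SYN to the router itself (an OpenVPN client's first packet)."""
    pkt = {"chain": "input", "protocol": "tcp", "dst_port": dst_port, "state": "new", "in_lists": set(in_lists)}
    for rule in rules:  # first match wins; falling off the end is RouterOS's implicit accept
        if all(CHECKS[k](v, pkt) for k, v in rule.items() if k not in ("action", "comment")):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain (implicit accept)"

RULES = parse_filter_rules(EXPORT)
for port in (443, 1194):  # 443 as configured in the post; 1194 is OpenVPN's default port
    print(port, syn_verdict(RULES, port))
```

Run it against a full export to check any service port the same way; a rule using a matcher the table does not model stops the run with a KeyError rather than silently passing.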
 
AidanAus
Member Candidate
Posts: 177
Joined: Wed May 08, 2019 7:35 am
Location: Australia

Re: Open VPN Server: Unable to connect (Server poll timeout)

Mon Sep 12, 2022 10:08 am

I would suggest dumping all that 3rd party configuration and starting from scratch again. The MikroTik help page has an exact road warrior guide that I would suggest trying, then posting an updated config if you can't get it working after that :)
https://help.mikrotik.com/docs/display/ ... uardtunnel
