kissge83
just joined
Topic Author
Posts: 8
Joined: Mon Jan 23, 2023 11:53 am

OVPN server interesting behaviour

Mon Jan 23, 2023 12:11 pm

Dear All,

I would like to ask for your kind help; I'm facing a problem which has made me mad and is very frustrating.

I have an RB1100AHx2 router which runs RouterOS 7.7 (stable). I'm running an OVPN server on this device, which used to work perfectly. My certificate had expired, so I needed to create and sign another one. The only interesting part is that my "ca" cert does not show an active flag for CRL (L), but it was OK previously as I remember. I did not give a CA CRL host IP address during the signing process of the CA, because I have a dynamic IP and use DynDNS (noIP.com).
My problem is that I am able to connect to my network via the OVPN service once... Everything is perfect, I can connect and use my network, but once I disconnect and would like to reconnect, it is not working. The client log says that the server actively refused the connection. I do not see any attempt in the MikroTik log either. Once I change any setting in the OVPN server section, like the MTU size for example, I can connect again without a problem and I clearly see the actions in the log, but once I disconnect, it happens again. I need to change something there again... Simply disabling and re-enabling the OVPN service does not do the trick... So, it seems everything is fine, but only for one time...

Please see below my settings:

CERTS:
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
0 K A T name="ca" digest-algorithm=sha256 key-type=rsa common-name="ca" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes key-usage=key-cert-sign,crl-sign
serial-number="6A720B12D9C3CC01" fingerprint="2bf0aae16366a5b8a25563dd99daef3a1a1e6838cef8ea292550c2a1cf76c8ff" akid=""
skid=0e959c192fc24b673602500cafbbbe3fd3bbcc4f invalid-before=jan/23/2023 10:05:20 invalid-after=jan/23/2024 10:05:20 expires-after=52w23h5m7s

1 K I T name="server" digest-algorithm=sha256 key-type=rsa common-name="server" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes
key-usage=digital-signature,key-encipherment,tls-server ca=ca serial-number="2F8480F9E1367177"
fingerprint="6cc943945bdc1fb0c3fb7af4d6321fd464c7f7dab8ec75bc02d24c3116feb07c" akid=0e959c192fc24b673602500cafbbbe3fd3bbcc4f
skid=3fea2f6946f7e20664e9feb6d4c31313551802fc invalid-before=jan/23/2023 10:05:48 invalid-after=jan/23/2024 10:05:48 expires-after=52w23h5m35s

2 K I name="client" digest-algorithm=sha256 key-type=rsa common-name="client" key-size=2048 subject-alt-name="" days-valid=365 trusted=no key-usage=tls-client ca=ca
serial-number="055867AC93251CF5" fingerprint="99943f9f81574444bdfe7ec2d877e63d5bac5ad40234da8843c390ad05e4fe1a"
akid=0e959c192fc24b673602500cafbbbe3fd3bbcc4f skid=f70ec81109b99af260023b05dfdf43bb5409471c invalid-before=jan/23/2023 10:06:09
invalid-after=jan/23/2024 10:06:09 expires-after=52w23h5m56s

OVPN Server:
enabled: yes
port: 1194
mode: ip
protocol: tcp
netmask: 24
mac-address: FE:A5:57:72:9D:EC
max-mtu: 1492
keepalive-timeout: 60
default-profile: openvpn_profile
certificate: server
require-client-certificate: yes
tls-version: any
auth: sha1
cipher: aes256
redirect-gateway: disabled
enable-tun-ipv6: no
tun-server-ipv6: ::
ipv6-prefix-len: 64

Log during the successful connection:
11:11:11 ovpn,info connection established from 10.1.1.196, port: 50538 to 82.131.230.177
11:11:11 ovpn,info : using encoding - AES-256-CBC/SHA1
11:11:11 ovpn,info,account kissge logged in, 10.8.0.10 from 10.1.1.196
11:11:11 ovpn,info <ovpn-kissge>: connected

Do you have any idea what could cause this? :(

Many thanks and Kind Regards,
Gergely
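Before digging into the OVPN server itself, it is worth checking the certificate chain mechanically. The script below is an added example, not code from the post or from MikroTik: it parses RouterOS `/certificate print detail` output in the layout shown above and reports the things a defender would verify, namely akid/skid linkage between leaf and CA, a TLS role in key-usage, expiry against a given date, and whether the CA actually carries a CRL (the missing L flag the poster mentions). The SAMPLE text is a constructed abridgement of the listing in the post, with the same flags, key-usage, akid/skid and dates.

```python
import re
from datetime import datetime

# Constructed sample: an abridged copy of the `/certificate print detail`
# listing from the post (same flags, key-usage, akid/skid and dates).
SAMPLE = """\
0 K A T name="ca" common-name="ca" trusted=yes key-usage=key-cert-sign,crl-sign
serial-number="6A720B12D9C3CC01" akid="" skid=0e959c192fc24b673602500cafbbbe3fd3bbcc4f
invalid-before=jan/23/2023 10:05:20 invalid-after=jan/23/2024 10:05:20

1 K I T name="server" common-name="server" trusted=yes ca=ca
key-usage=digital-signature,key-encipherment,tls-server akid=0e959c192fc24b673602500cafbbbe3fd3bbcc4f
skid=3fea2f6946f7e20664e9feb6d4c31313551802fc invalid-after=jan/23/2024 10:05:48

2 K I name="client" common-name="client" trusted=no key-usage=tls-client ca=ca
akid=0e959c192fc24b673602500cafbbbe3fd3bbcc4f skid=f70ec81109b99af260023b05dfdf43bb5409471c
invalid-after=jan/23/2024 10:06:09
"""

HEAD = re.compile(r"^(\d+)\s+((?:[A-Z]\s+)*)")  # record index and flag letters
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')        # key=value or key="value"

def parse_certs(text):
    """One dict per certificate; records are separated by blank lines."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flat = " ".join(line.strip() for line in block.splitlines())
        head = HEAD.match(flat)
        cert = {"flags": set(head.group(2).split())}
        for key, val in KV.findall(flat[head.end():]):
            cert[key] = val.strip('"')
        certs.append(cert)
    return certs

def check_chain(certs, today):
    """Findings to resolve before trusting this PKI; `today` is mon/dd/yyyy."""
    now = datetime.strptime(today, "%b/%d/%Y")
    by_name = {c["name"]: c for c in certs}
    findings = []
    for c in certs:
        usage = set(c.get("key-usage", "").split(","))
        if "A" in c["flags"] and "L" not in c["flags"]:
            findings.append(f'{c["name"]}: CA has no CRL (L flag missing)')
        issuer = by_name.get(c.get("ca"))
        if issuer and c.get("akid") != issuer.get("skid"):
            findings.append(f'{c["name"]}: akid does not match skid of {issuer["name"]}')
        if "A" not in c["flags"] and not usage & {"tls-server", "tls-client"}:
            findings.append(f'{c["name"]}: no TLS role in key-usage')
        if datetime.strptime(c["invalid-after"], "%b/%d/%Y") <= now:  # date part only
            findings.append(f'{c["name"]}: expired on {c["invalid-after"]}')
    return findings
```

Run against the post's listing on its issue date, the only finding is the CA without a CRL; run it a year later and all three certificates are reported as expired.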
