felipefonsecahy
just joined
Topic Author
Posts: 14
Joined: Fri Jun 09, 2023 3:16 am
Location: Brazil

OpenVPN UDP between PFSense and Mikrotik

Wed Aug 02, 2023 1:38 am

Hi!
I am trying to test an OpenVPN connection over UDP between pfSense (2.6) and MikroTik (7.10). Using TCP, the connection works like a charm (the MikroTik is the OVPN client).
But when I try a UDP connection, the log on the MikroTik shows:
ovpn-cor: disconnected <TLS error: handshake timed out (6)>
In the pfsense side the log shows:
tls error: unroutable control packet received from [af_inet]
I read many posts about this unroutable error, but both devices have the same timestamp (one of the possible errors).

Has anyone already tested this situation?

Thanks a lot!
 
MickeyT
Member Candidate
Posts: 141
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: OpenVPN UDP between PFSense and Mikrotik

Wed Aug 02, 2023 9:47 am

What sort of internet connections do you have at each end (I'm assuming you're trying to do this over the Internet because you didn't say)?

Please provide some more information about your configuration so we can help you properly.
 
felipefonsecahy
just joined
Topic Author
Posts: 14
Joined: Fri Jun 09, 2023 3:16 am
Location: Brazil

Re: OpenVPN UDP between PFSense and Mikrotik

Wed Aug 02, 2023 4:09 pm

The pfSense (OpenVPN server) gets a fixed public IP from the ISP, and the MikroTik (OVPN client) gets internet from Starlink, that is, behind CGNAT.
 
MickeyT
Member Candidate
Posts: 141
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: OpenVPN UDP between PFSense and Mikrotik

Fri Aug 04, 2023 11:04 am

On one hand: CG-NAT and UDP do not play nicely together so could be causing your problem but, if you're the only person making a UDP connection to your server, that shouldn't be too much of a problem.

On the other hand: VPNs are sensitive to packet loss and that is more likely to occur with a UDP connection than a TCP one so that could explain the issue.

On the gripping hand: I don't know how StarLink have their CG-NAT configured (which I know they use) or what other network tweaks they have in place.

Is there anyone out there that has direct experience with StarLink connections (especially VPN ones)?

--
Backups are your friend. Always make a backup!
/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:

RouterOS v6 code

/export hide-sensitive file=MyConfig

RouterOS v7 code

/export file=MyConfig
 
felipefonsecahy
just joined
Topic Author
Posts: 14
Joined: Fri Jun 09, 2023 3:16 am
Location: Brazil

Re: OpenVPN UDP between PFSense and Mikrotik

Fri Aug 04, 2023 11:15 pm

There are other UDP connections on my server. I have another OpenVPN server (on another port) that works over UDP for Windows clients.

I simulated this situation in EVE-NG and I get the same errors. I attached my .rsc file.
 
anav
Forum Guru
Posts: 22208
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: OpenVPN UDP between PFSense and Mikrotik

Sat Aug 05, 2023 1:45 am

Set up WireGuard on pfSense and WireGuard on the MT as client. Should work well.
 
MickeyT
Member Candidate
Posts: 141
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: OpenVPN UDP between PFSense and Mikrotik

Mon Aug 07, 2023 10:25 am

WireGuard is a good, fast and secure VPN solution that also runs over UDP and is worth a look if you're interested.

The real issue with UDP and CG-NAT (actually any NAT) is when 2 or more UDP client connections are being made through NAT to the same destination IP or FQDN.

e.g.: Internet IP <--UDP--> {NAT or CG-NAT} <--UDP--> clients 1 & 2 (or more).

Unless the NAT is set up to handle it properly (most aren't by default) it doesn't know which client the returning UDP packets should be sent to. This is a common problem that doesn't affect TCP because of the way TCP works.

If, however, you only have 1 client connecting to the Internet IP through the NAT then UDP should survive. I have heard of quite a few people having trouble with using a VPN over a StarLink connection so it could be some sort of configuration specific to StarLink causing the problem.

Do any StarLink users have suggestions about fixing this issue?

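
The return-path ambiguity described in the post above, as an added example that is not part of any post in this thread: a simplified Python model of a NAT's UDP mapping table, with two inside clients that both send from source port 1194 to the same server. The class, addresses and ports are constructed for illustration and are not a description of how Starlink's CG-NAT behaves.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# Constructed sample endpoints (documentation / shared address space).
SERVER: Endpoint = ("203.0.113.10", 1194)
CLIENT1: Endpoint = ("192.168.88.10", 1194)
CLIENT2: Endpoint = ("192.168.88.11", 1194)


class UdpNat:
    """Toy NAT: keeps UDP mappings keyed by (public port, remote endpoint)."""

    def __init__(self, public_ip: str, translate_ports: bool):
        self.public_ip = public_ip
        self.translate_ports = translate_ports
        self.next_port = 40000
        self.inbound_map: Dict[Tuple[int, Endpoint], Endpoint] = {}
        self.outbound_map: Dict[Tuple[Endpoint, Endpoint], int] = {}

    def outbound(self, client: Endpoint, remote: Endpoint) -> Endpoint:
        """Client sends to remote; return the source address the remote sees."""
        key = (client, remote)
        if key not in self.outbound_map:
            if self.translate_ports:
                port = self.next_port      # unique public port per flow
                self.next_port += 1
            else:
                port = client[1]           # port-preserving, no collision check
            self.outbound_map[key] = port
            # With port preservation a second client overwrites the first entry.
            self.inbound_map[(port, remote)] = client
        return (self.public_ip, self.outbound_map[key])

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Reply from remote arrives on public_port; return the inside client."""
        return self.inbound_map.get((public_port, remote))


def reply_destinations(translate_ports: bool) -> Tuple[Optional[Endpoint], Optional[Endpoint]]:
    """Where the server's replies to client 1 and client 2 end up."""
    nat = UdpNat("100.64.0.1", translate_ports)
    seen1 = nat.outbound(CLIENT1, SERVER)
    seen2 = nat.outbound(CLIENT2, SERVER)
    return nat.inbound(SERVER, seen1[1]), nat.inbound(SERVER, seen2[1])


if __name__ == "__main__":
    print("port-preserving NAT:", reply_destinations(False))
    print("port-translating NAT:", reply_destinations(True))
```

In the port-preserving case both replies are delivered to the second client, so the first client's handshake never completes; with per-flow port translation each reply reaches its own client.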