OVPN client connects but no reply

erdemefe · Sun Mar 31, 2024 11:06 pm

Hello everybody,

My company provide a vpn connection for home-office. I know that they use sophos firewall and it uses OpenVpn inside it. They gave me a .ovpn config file. it works fine in windows OpenVpn connect app. I read the file with text editor and applyed the configuration in my mikrotik. I succeeded the connection and got IP. But i can not access the offices LAN network. I fallow the packages but they don't reply. what is the wrong ?

Ekran görüntüsü 2024-03-31 230423.png

# 2024-03-31 22:54:27 by RouterOS 7.14.2
# software id = WDL2-L484
#
# model = RB4011iGS+
# serial number = B8F30B0E63D6

/interface ovpn-client
add auth=sha256 certificate=Deka_client cipher=aes128-cbc connect-to=xx.xx.xx.xx mac-address=02:28:DF:FA:38:52 name=deka_ovpn_client port=8443 profile=ovpn_client user=username verify-server-certificate=yes


/ppp profile
add local-address=172.90.28.1 name=pppoe_srv_profile remote-address=pppoe_srv_pool
add bridge=bridge change-tcp-mss=yes interface-list=WAN local-address=10.15.15.5 name=ovpn remote-address=ovpn-pool use-encryption=required
add change-tcp-mss=yes interface-list=LAN name=ovpn_client use-ipv6=no

/ip firewall nat
add action=masquerade chain=srcnat comment=Deka out-interface=deka_ovpn_client

/ip route
add comment="Forwarding to Sedef" disabled=no dst-address=172.28.90.0/24 gateway=ovpn-sedef
add comment="Forward Sedef" disabled=no distance=1 dst-address=192.168.10.0/24 gateway=ovpn-sedef pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Forward Efe Apt." disabled=yes distance=1 dst-address=192.168.2.0/24 gateway=ovpn-asus pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Route to Deka" disabled=no distance=1 dst-address=10.0.10.0/23 gateway=deka_ovpn_client pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=1

IlKa · Mon Apr 01, 2024 2:45 am

Are you sure that you should use interface as your gateway, and not a gateway address on remote network?
You are using IP mode (the default one) and I think that you should get a gateway address from remove OpenVPN server in the same network your IP sits in.

Then, you ping this address. If it works -- you set it as a gateway for your remote networks.

erdemefe · Wed Apr 03, 2024 1:59 am

Are you sure that you should use interface as your gateway, and not a gateway address on remote network?
You are using IP mode (the default one) and I think that you should get a gateway address from remove OpenVPN server in the same network your IP sits in.

Then, you ping this address. If it works -- you set it as a gateway for your remote networks.

i did not understand exactly.

i have local IP from remote ovpn server it seen attached SS, and also ping successful for this ip(10.81.234.130). But I can not ping a local ip inside the remote network.

Ekran görüntüsü 2024-04-03 014926.png

erdemefe · Thu Apr 04, 2024 2:03 pm

When i sniff the ping package it goes my ovpn interface transmissions are successful. But no reply.

Please help me

rplant · Sun Apr 07, 2024 11:19 am

On the Mikrotik can you ping 10.81.234.129?

On the Mikrotik can you trace route to 10.0.10.119, do you see the intermediate hops?

If so, perhaps 10.0.10.119 doesn't respond to pings (from non local subnet)?
Could you ping this IP when connected via your computer?

You could add openvpn to system/logging for a while and see if the extra logs give any hints.

/system logging action
add action=memory topics=ovpn

Some other thoughts (though low probability of helping)

You could disable your route to 10.0.10.0/23 as it seems to have received one from the server, and the static
one might be causing issues.

You have not shown any firewall rules.

Perhaps add a firewall rule to allow the openvpn traffic in.

If somewhat near default, you may need to make the openvpn interface a member of the WAN interface list.

erdemefe · Sun Apr 21, 2024 3:39 am

On the Mikrotik can you ping 10.81.234.129?

On the Mikrotik can you trace route to 10.0.10.119, do you see the intermediate hops?

If so, perhaps 10.0.10.119 doesn't respond to pings (from non local subnet)?
Could you ping this IP when connected via your computer?

You could add openvpn to system/logging for a while and see if the extra logs give any hints.

/system logging action
add action=memory topics=ovpn

Some other thoughts (though low probability of helping)

You could disable your route to 10.0.10.0/23 as it seems to have received one from the server, and the static
one might be causing issues.

You have not shown any firewall rules.

Perhaps add a firewall rule to allow the openvpn traffic in.

If somewhat near default, you may need to make the openvpn interface a member of the WAN interface list.

Thanks for your answer,

i can't ping 10.81.234.129 it is OVPN remote ip

trace route does not reply any hop

i can ping 10.81.234.129 from 10.0.10.119 pc but can't ping 10.81.234.130

I said that the ovpn-server did not respond, but I guess it is not transmitted at all. Because I cannot ping the local address of the ovpn-server too.

My firewall like this;

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=def_drop
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=Winbox disabled=yes dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="NAS SSH" disabled=yes dst-port=8022 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Gitea SSH" dst-port=22 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="OpenVpn Server " dst-port=11949 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=Nginx dst-port=80,443 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=Mosquitto dst-port=1883 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Please Help me

oliverlexis · Fri Jun 14, 2024 6:55 pm

Hi,

was it solved meanwhile?

I have a similar issue here. Trying to connect to a OpenVPN Server running on a remote Synology.
OVPN Windows Client works without any problems, Mikrotik OVPN-Client says connected, I get all IP addresses and routes, I see that a ping packet is sent to the remote server, but no reply at all.

KR
Oliver.

erdemefe · Sat Jun 15, 2024 10:12 pm

No I couldn’t not solve the problem. I’m using OpenVPN connect on windows

OVPN client connects but no reply

OVPN client connects but no reply

Re: OVPN client connects but no reply

Re: OVPN client connects but no reply

Re: OVPN client connects but no reply

Re: OVPN client connects but no reply

Re: OVPN client connects but no reply

Re: OVPN client connects but no reply

Re: OVPN client connects but no reply