OVPN in UDP with linux OVPN server

maxpage · Sun Jul 02, 2023 3:49 pm

I have question. Is MT OVPN UDP implementation compatible with openvpn.net implementation ?

I have following configuration on OpenVPN Server (OpenVPN 2.6.3 x86_64-pc-linux-gnu Debian 12)

server 172.16.0.0 255.255.255.0
topology subnet
dev tun
proto tcp
port 1194
keepalive 10 120

ca ca.crt
cert server.crt
key server.key
dh dh.pem

auth SHA256
data-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
engine aesni

On TCP mode woks perfect (with Hardware Acceleration)

ovpn.png

When I simply switch configuration to udp (replacing only one line):

proto udp

Connection to MT OVPN client stopped working:

ovpn1.png

Some logs from server:

2023-07-02 14:37:13 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-07-02 14:37:13 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
2023-07-02 14:37:13 DCO version: N/A
2023-07-02 14:37:13 TUN/TAP device tun0 opened
2023-07-02 14:37:13 net_iface_mtu_set: mtu 1500 for tun0
2023-07-02 14:37:13 net_iface_up: set tun0 up
2023-07-02 14:37:13 net_addr_v4_add: 172.16.0.1/24 dev tun0
2023-07-02 14:37:13 Could not determine IPv4/IPv6 protocol. Using AF_INET
2023-07-02 14:37:13 UDPv4 link local (bound): [AF_INET][undef]:1194
2023-07-02 14:37:13 UDPv4 link remote: [AF_UNSPEC]
2023-07-02 14:37:13 Initialization Sequence Completed
2023-07-02 14:37:19 0.0.0.0:50847 Note: OpenSSL hardware crypto engine functionality is not available
2023-07-02 14:37:19 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:19 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_ACK_V1)
2023-07-02 14:37:20 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:21 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:22 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:23 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:24 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:25 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:26 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:27 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:28 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:29 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:30 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:31 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:32 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:33 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:34 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:35 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:36 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:37 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:38 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:39 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:40 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:41 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:42 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:43 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:44 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:45 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:46 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:47 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
2023-07-02 14:37:48 0.0.0.0:50847 TLS Error: Unroutable control packet received from [AF_INET]0.0.0.0:50847 (si=3 op=P_CONTROL_V1)
^C2023-07-02 14:37:51 event_wait : Interrupted system call (fd=-1,code=4)
2023-07-02 14:37:51 net_addr_v4_del: 172.16.0.1 dev tun0
2023-07-02 14:37:51 SIGINT[hard,] received, process exiting

challado · Thu Oct 05, 2023 6:25 pm

Same problem here. And with a linux openvpn client, all works fine on UDP too. Only with mikrotik I have these problem. Did you find any solution?

JMLabs · Thu Dec 21, 2023 7:10 pm

I have the same problem. I haven't been able to win for a week. Please help me if there is a solution.
I checked the date, changed the encryption settings, even changed the OpenVPN version. It's still an error.

TLS Error: Unroutable control packet received from [AF_INET] (si=3 op=P_CONTROL_V1)

RouterOS 7.12.1
OpenVPN server 2.6.1-1ubuntu1.1

neo89skynet · Thu Apr 04, 2024 2:13 pm

Found a solution to the problem? I have exactly the same problem. Who can help?

VictorS · Sun Apr 14, 2024 4:46 pm

I have this problem too, OpenVPN 2.6.3/Debian 12, RouterOS 7.13.4
Are there any ideas anyone?

gheorghe · Tue Jun 04, 2024 5:49 am

TLS Error: Unroutable control packet received from [AF_INET] (si=3 op=P_CONTROL_V1)

I encountered and investigated this error and these are my conclusions

Explanation:
The error, although looks like a TLS error, in fact is not caused directly by TLS and is NOT a routing problem as you might think. As I realised (to my understanding), the error is causes by the way the udp openvpn connection is implemented. Let me explain: udp is a connectionless protocol ( when a udp package is received there is no acknowledge message sent back as in tcp).
The openvpn server has no means to discern if the connection was ended by the client or if the client is still connected and doesn't send anything. This thing happens also to the client when the interface is disabled clicking disable in the Mikrotik interface. The process is still working in the background and assumes that the connection is still valid (only the interface not reachable) and the process does not discard old connection data.

So when you try to reconnect immediateley, the old connection data (negociated connection parameters) are still in memory but the other end doesn't know what to do with the packages he receives and shows the error:
"TLS Error: Unroutable control packet received".

In my case, when this happens, a solution is to wait for at least 30 seconds and then reconnect again. That way, the process clears old data (by timeout) and allows for a new connection to be established. If you keep trying to reconnect immediately (manually or automatically by disabeling/enabeling the interface), you will keep getting this error forever because every time you try to reconnect, the "keep alive" period on the other side is refreshed and the old data is NOT discarded.
If the router has the check mark on the enable, he will try to reconnect automatically and every time it tries will get this error.

In other terms, one ending considers the connection as valid, but the other end assumes that the connection has ended and tries a new connection with the same username. This is the cause of the error.

Solution (work around):
You have to disable auto connect, stop connection, wait at least 30 seconds and then reconnect. Another approach would be to restart the openvpn process and then reconnect (disabeling and enabeling the Mikrotik openvpn interface IS NOT ENOUGH, you have to wait 30 seconds).

Note: in my case the router does not work with tls authentication on udp openvpn. For udp I use certificate+password as a security measure and it works like that. Nevertheless, even if tls-auth is not used, the before mentioned error appears (that's why I think it is a timeout error, not a tls authentication error).

oliee0 · Wed Jun 05, 2024 12:42 pm

Same here between Windows 11 OpenVPN client to Mikrotik OVPN server... Waiting 30 seconds and reconnect works but it isn't solution.

dalersz · Fri Jan 10, 2025 10:00 pm

FIXED

I had the same issue. Fixed by downgrading OpenVPN server from 2.6 to 2.5.11

OVPN in UDP with linux OVPN server

OVPN in UDP with linux OVPN server

Re: OVPN in UDP with linux OVPN server

Re: OVPN in UDP with linux OVPN server

Re: OVPN in UDP with linux OVPN server

Re: OVPN in UDP with linux OVPN server

Re: OVPN in UDP with linux OVPN server

Re: OVPN in UDP with linux OVPN server

Re: OVPN in UDP with linux OVPN server