KimaHg
just joined
Topic Author
Posts: 6
Joined: Tue Nov 03, 2009 7:00 pm

OpenVPN Server on RouterOS, mode=ip (tun) and Windows client

Wed Nov 25, 2009 5:36 pm

Hello all,

short version:
Is it possible to use RouterOS as an OpenVPN server with mode=ip
and have several Windows clients connect simultaneously?


long version:
I managed to setup OpenVPN server on RouterOS 4.2:
                     enabled: yes
                        port: 1196
                        mode: ip
                     netmask: 27
                 mac-address: FE:92:EF:66:F1:92
                     max-mtu: 1450
           keepalive-timeout: disabled
             default-profile: ovpn-profile
                 certificate: ovpn
  require-client-certificate: yes
                        auth: sha1,md5
                      cipher: blowfish128,aes128,aes192,aes256
0 name="ovpn-pool" ranges=10.10.10.2-10.10.10.30
2 Linux clients can connect simultaneously using the same user/pw as in /ppp secrets but with different client certificates.
The problem occurs with Windows clients. The connection aborts with:
[...]
Wed Nov 25 15:30:04 2009 [RB450_1B5C01E0965C] Peer Connection Initiated with 213.135.21.86:1196
Wed Nov 25 15:30:06 2009 SENT CONTROL [RB450_1B5C01E0965C]: 'PUSH_REQUEST' (status=1)
Wed Nov 25 15:30:06 2009 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.255.224,ifconfig 10.10.10.29 10.10.10.1'
Wed Nov 25 15:30:06 2009 OPTIONS IMPORT: --ifconfig/up options modified
Wed Nov 25 15:30:06 2009 OPTIONS IMPORT: route options modified
Wed Nov 25 15:30:06 2009 ROUTE: default_gateway=UNDEF
Wed Nov 25 15:30:06 2009 There is a problem in your selection of --ifconfig endpoints [local=10.10.10.29, remote=10.10.10.1].  The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet.  This is a limitation of --dev tun when used with the TAP-WIN32 driver.  Try 'openvpn --show-valid-subnets' option for more info.
Wed Nov 25 15:30:06 2009 Exiting
I don't understand that. Does it only work with an IP pool ranges=10.10.10.2?
But then only one client works at a time. Is there any solution except using mode=ethernet?
 
KimaHg
just joined
Topic Author
Posts: 6
Joined: Tue Nov 03, 2009 7:00 pm

Re: OpenVPN Server on RouterOS, mode=ip (tun) and Windows client

Sat Nov 28, 2009 12:46 am

Well, meanwhile I can answer myself: Yes, it is possible.
The trick is:
/ip pool print detail
 0 name="lnx0" ranges=10.10.10.70-10.10.10.90 next-pool=(unknown)
 1 name="win1" ranges=10.10.10.1-10.10.10.2 next-pool=win2
 2 name="win2" ranges=10.10.10.5-10.10.10.6 next-pool=win3
 3 name="win3" ranges=10.10.10.9-10.10.10.10 next-pool=win4
 4 name="win4" ranges=10.10.10.13-10.10.10.14 next-pool=win5
 5 name="win5" ranges=10.10.10.17-10.10.10.18 next-pool=win6
 6 name="win6" ranges=10.10.10.21-10.10.10.22
 /ppp profile print
2   name="ovpn-cli" local-address=win1 remote-address=win1 use-compression=default
     use-vj-compression=default use-encryption=required only-one=no change-tcp-mss=yes
/ppp secret print detail
Flags: X - disabled
 0   name="winUser" service=ovpn caller-id="" password="xxx" profile=ovpn-cli routes=""
     limit-bytes-in=0 limit-bytes-out=0
This way the requirement of the Windows tun emulation on the TAP device is fulfilled.
 
lcx
newbie
Posts: 26
Joined: Wed Nov 11, 2009 2:58 pm

Re: OpenVPN Server on RouterOS, mode=ip (tun) and Windows client

Mon Nov 30, 2009 11:29 pm

thanks a lot, you just saved my night.
 
qinshaoyou
just joined
Posts: 1
Joined: Wed Mar 06, 2013 7:27 am

Re: OpenVPN Server on RouterOS, mode=ip (tun) and Windows client

Wed Mar 06, 2013 7:30 am

This solved the "The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet" problem, thank you very much!
 
Volans
newbie
Posts: 26
Joined: Fri Oct 18, 2013 3:27 pm

Re: OpenVPN Server on RouterOS, mode=ip (tun) and Windows client

Mon Nov 11, 2013 3:18 pm

The trick with several IP pools works for me, too. :) But now there is another problem. :?

I want to connect with the latest OpenVPN client for Windows, and that's my client.ovpn:
proto tcp-client
remote server.org 1195
dev tun
nobind
persist-key
tls-client
ns-cert-type server
ping 10
verb 4
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass
script-security 2 system
route-up "route add 192.168.10.0 mask 255.255.255.0 10.10.0.1"
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
I think that I have to use the "route-up ..." command in the client.ovpn because the "push route ..." command from the server doesn't work with the Windows clients.
The problem is that due to the "IP pool" trick a static route in the client.ovpn doesn't work anymore, because the server IP (gateway for the static route) could change for every connection.

I can't find a way to set the "push route ..." command in the RouterOS OpenVPN server anyway. Is there a way to?

Or maybe I'm too blind to see the solution?

//Edit:

It was the RouterOS OpenVPN server that doesn't support the "push route ..." command: http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests

So without this feature I don't know how to handle the routing with changing gateways. :(
 
sanitycheck
newbie
Posts: 48
Joined: Wed Nov 16, 2011 6:03 am
Location: USA

Re: OpenVPN Server on RouterOS, mode=ip (tun) and Windows client

Wed Nov 20, 2013 10:30 pm

I think I found a solution to the route-up problem mentioned by Volans.

Don't do the multiple pool setup mentioned earlier in the post; it's not part of this solution. Make each Windows user log in using a secrets listing unique to them, not a generic VPN user for use with many clients (e.g. make a PPP secret called paul just for Windows user Paul). You may do that already. Also, in this unique secrets listing for the Windows user, hard code a local address and remote address from those in the 255.255.255.252 range (a convenient list is given when you run openvpn --show-valid-subnets at the command line on the Windows OpenVPN client machine).

For the hard-coded addresses in the Windows user's secrets profile, use an address pair outside of whatever existing VPN pool you might have (e.g. if your existing pool is 10.10.10.10-10.10.10.30, use a pair of higher numbers such as 10.10.10.53 and 10.10.10.54). Specify a unique address pair for each unique Windows user secret listing (I'm sure you could also use address pairs outside of your /24 generic pool as well). The other settings can stay the same as those used in a generic user's secret (if you have one); this includes the same PPP profile. The local and remote address hard-coded in the Windows user's secret listing will override the remote address setting from the profile you specify, but the client will still get the DNS servers from the profile.

On the Windows client side, you still have to set a route in the client.ovpn file because the MikroTik OpenVPN server can't push a route (thanks patrickmkt for the simpler method). If the server-side LAN uses 192.168.76.0 for a subnet, use this line in the client.ovpn file:
route 192.168.76.0 255.255.255.0
This configuration is no more complex than the multi-pool setup mentioned earlier, and the routes can be made to work using the route command in the client.ovpn file. Plus, you can still have a generic user, larger VPN-specific address pool, and profile to use with Linux and Mikrotik ip/tun clients.
Last edited by sanitycheck on Thu Nov 21, 2013 8:24 pm, edited 1 time in total.
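The rule both workarounds satisfy, KimaHg's chained two-address pools and sanitycheck's hard-coded address pair, is the TAP-WIN32 /30 constraint from the first post's error. The following is an added example (not code from any poster or from MikroTik): `tun_pair_ok` tests a local/remote pair against that rule, and `win_pools` emits a chained pool layout like win1..win6 for any network; both names and the command-ordering assumption in the comments are mine.

```python
import ipaddress

def tun_pair_ok(local: str, remote: str) -> bool:
    """TAP-WIN32 --dev tun rule from the error in the first post: local and
    remote must be the two host addresses of one /30 (255.255.255.252),
    i.e. the [.1,.2], [.5,.6], [.9,.10], ... pairs that
    `openvpn --show-valid-subnets` lists. Returns True when the pair is usable."""
    a = ipaddress.IPv4Address(local)
    b = ipaddress.IPv4Address(remote)
    block = ipaddress.IPv4Network(f"{a}/30", strict=False)
    hosts = set(block.hosts())  # the two host addresses; network/broadcast excluded
    return a != b and a in hosts and b in hosts

def win_pools(network: str, prefix: str = "win") -> list[str]:
    """Emit chained RouterOS `/ip pool add` commands covering `network`,
    one two-address pool per /30, like KimaHg's win1..win6 layout.
    Commands are returned last pool first so that every next-pool a command
    references already exists when it runs (assumption about RouterOS,
    not verified on a router); the text is constructed, not captured."""
    subnets = list(ipaddress.IPv4Network(network).subnets(new_prefix=30))
    cmds = []
    for i, sub in enumerate(subnets, start=1):
        lo, hi = list(sub.hosts())
        cmd = f'/ip pool add name="{prefix}{i}" ranges={lo}-{hi}'
        if i < len(subnets):
            cmd += f" next-pool={prefix}{i + 1}"
        cmds.append(cmd)
    return cmds[::-1]

if __name__ == "__main__":
    print(tun_pair_ok("10.10.10.29", "10.10.10.1"))   # the failing pair in the first post
    print(tun_pair_ok("10.10.10.1", "10.10.10.2"))    # pool win1
    print(tun_pair_ok("10.10.10.53", "10.10.10.54"))  # sanitycheck's hard-coded pair
    for cmd in win_pools("10.10.10.0/27"):            # the /27 netmask from the server config
        print(cmd)
```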
 
patrickmkt
Member Candidate
Posts: 202
Joined: Sat Jul 28, 2012 5:21 pm

Re: OpenVPN Server on RouterOS, mode=ip (tun) and Windows client

Thu Nov 21, 2013 7:48 pm

Just put in your client .ovpn config file something like

route 192.168.100.0 255.255.255.0
 
sanitycheck
newbie
Posts: 48
Joined: Wed Nov 16, 2011 6:03 am
Location: USA

Re: OpenVPN Server on RouterOS, mode=ip (tun) and Windows client

Thu Nov 21, 2013 8:05 pm

That works. Thanks. Now the .bat file is not needed, and the client.ovpn can be generic instead of client-specific. I'll adjust my post. I wonder why so many references show the route set up through route-up instead?