ocgltd
Member Candidate
Topic Author
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

My first openVPN setup, and it just disconnects

Mon Sep 03, 2012 11:28 pm

I am setting up my first MikroTik router, with ovpn. (Also set up a CA on Linux, generated certificates for the Windows client, generated CA cert and client cert, extracted client private key)...wow!

When I initiate the connection on the Windows client, it just disconnects and retries like this:
Mon Sep 03 16:21:22 2012 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Sep 03 16:21:22 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Sep 03 16:21:22 2012 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Sep 03 16:21:22 2012 Local Options hash (VER=V4): '69109d17'
Mon Sep 03 16:21:22 2012 Expected Remote Options hash (VER=V4): 'c0103fa8'
Mon Sep 03 16:21:22 2012 Attempting to establish TCP connection with 173.239.164.xx:1194
Mon Sep 03 16:21:24 2012 TCP connection established with 173.239.164.xx:1194
Mon Sep 03 16:21:24 2012 TCPv4_CLIENT link local: [undef]
Mon Sep 03 16:21:24 2012 TCPv4_CLIENT link remote: 173.239.164.xx:1194
Mon Sep 03 16:21:24 2012 TLS: Initial packet from 173.239.164.xx:1194, sid=0ee41446 a6490035
Mon Sep 03 16:21:25 2012 VERIFY OK: depth=1, /C=CA/O=xx/CN=XX_Certificate_Authority
Mon Sep 03 16:21:25 2012 VERIFY OK: depth=0, /C=CA/ST=ON/O=xx/CN=secure.XXX.ca
Mon Sep 03 16:21:26 2012 Connection reset, restarting [0]
Mon Sep 03 16:21:26 2012 TCP/UDP: Closing socket
Mon Sep 03 16:21:26 2012 SIGUSR1[soft,connection-reset] received, process restarting
Mon Sep 03 16:21:26 2012 Restart pause, 5 second(s)
On the RB450g there is no clue in the log, just this:
16:16:46 ovpn,info TCP connection established from 184.151.61.242 
16:16:46 ovpn,info <ovpn-0>: dialing... 
16:16:48 ovpn,info <ovpn-0>: using encoding - BF-128-CBC/SHA1 
16:16:54 ovpn,info TCP connection established from 184.151.61.242 
16:16:54 ovpn,info <ovpn-0>: dialing... 
16:16:57 ovpn,info <ovpn-0>: using encoding - BF-128-CBC/SHA1 
On my Windows laptop running OpenVPN client I have this config:
client
dev tun
dev-node openVPNtap
proto tcp
remote 173.239.164.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cert "C:\\Data\\Certificates\\lt-ds.ca-cert.pem"
ca "C:\\Data\\Certificates\\DOMAIN-cacert.pem"
key "C:\\Data\\Certificates\\lt-ds-privatekey.pem"
cipher BF-CBC
verb 3
For approx 1 second I see the <ovpn-0> appear in WinBox|PPP|Interfaces. As if it were working! Then it disconnects.

Can someone tell me what is going wrong here? I am new to a LOT of things here...so massive learning curve! Thanks
Michelle
 
ocgltd
Member Candidate
Topic Author
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: My first openVPN setup, and it just disconnects

Tue Sep 04, 2012 12:21 am

Ok, I figured out that I needed auth-user-pass since MT doesn't support client based certificates to authenticate. Now, the connection stays up and the interface <ovpn-username> appears and stays up! YAY

The next problem is that traffic will not go to or from my client! The problem relates to the requirement that client and server must be on the same 255.255.255.252 subnet (a limitation of the Windows OpenVPN client).

Has anyone solved how to have MikroTik work with this limitation for 20+ remote users?

Thanks!
Last edited by ocgltd on Tue Sep 04, 2012 12:47 am, edited 1 time in total.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: My first openVPN setup, and it just disconnects

Tue Sep 04, 2012 12:44 am

Yes, as soon as I saw the "soft reset" I was pretty sure that was the problem. Sorry I wasn't here earlier to help.

Have you looked at the "print routes" results?

Generally you'll get a route to the FW via that assigned IP. [It's a /32 route]
You need a command like this in your ovpn config file on Windows.

route 10.1.2.0 255.255.255.0 10.1.2.1 1
[Meaning, for the /24 in this network 10.1.2.0, send packets to 10.1.2.1 with a metric of 1]
Looking at your other posts, you probably already know that, but just in case.

Perhaps that's not your problem, I haven't looked really closely, but I suspect it might be.

-Greg
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: My first openVPN setup, and it just disconnects

Tue Sep 04, 2012 12:47 am

Oh, reading what you wrote more carefully - it doesn't seem that the route is likely your problem.

What does the logging on the ovpn client on Windows say?

-Greg
 
ocgltd
Member Candidate
Topic Author
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: My first openVPN setup, and it just disconnects

Tue Sep 04, 2012 6:42 am

For anyone else facing this problem, the cause was:

1. OpenVPN client for Windows demands /32 for local and remote addresses (on same subnet). So set up lots of pairs in the pool and chain one to the next.
2. Need to force the client to use the connection as default gateway (in the openvpn config on the client)

Now working!
Thanks
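
An added example, not part of the original posts: one way to lay out the address pairs for 20+ users so that each client's local and remote address sit in the same 255.255.255.252 subnet, as the thread requires for the Windows client in tun mode. It emits per-user `/ppp secret` entries instead of the chained pools the post describes; the address block, the user names and the `CHANGE_ME` password placeholder are assumptions.

```python
import ipaddress


def allocate_pairs(block, users):
    """Give each user its own 255.255.255.252 (/30) subnet out of `block`.

    Returns a list of (user, router_ip, client_ip, subnet) tuples.
    """
    subnets = ipaddress.ip_network(block).subnets(new_prefix=30)
    pairs = []
    for user in users:
        try:
            sub = next(subnets)
        except StopIteration:
            raise ValueError(
                f"{block} holds only {len(pairs)} /30 pairs, {len(users)} needed"
            ) from None
        # A /30 has exactly two usable hosts: the first goes to the router
        # (local-address), the second to the client (remote-address).
        router_ip, client_ip = sub.hosts()
        pairs.append((user, router_ip, client_ip, sub))
    return pairs


def valid_windows_pair(local, remote):
    """True if both endpoints are the two host addresses of one /30."""
    sub = ipaddress.ip_network(f"{local}/30", strict=False)
    endpoints = {ipaddress.ip_address(local), ipaddress.ip_address(remote)}
    return endpoints == set(sub.hosts())


def ros_secret(user, router_ip, client_ip):
    """Render a RouterOS PPP secret line; the password is a placeholder."""
    return (f"/ppp secret add name={user} password=CHANGE_ME service=ovpn "
            f"local-address={router_ip} remote-address={client_ip}")


if __name__ == "__main__":
    # Constructed sample input: 20 road-warrior users in a sample /24.
    users = [f"user{n:02d}" for n in range(1, 21)]
    pairs = allocate_pairs("10.1.2.0/24", users)
    for user, router_ip, client_ip, _ in pairs:
        assert valid_windows_pair(router_ip, client_ip)
        print(ros_secret(user, router_ip, client_ip))
    # Each pair costs a whole /30: two endpoints plus network and broadcast.
    print(f"addresses consumed: {sum(s.num_addresses for *_, s in pairs)}")
```
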
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: My first openVPN setup, and it just disconnects

Tue Sep 04, 2012 7:09 pm

If you use TAP mode [ethernet mode on RoS] you don't have to do that.

I wasn't clear you were using Tunnel mode. [Since it eats so many addresses [two for every client], I decided to use TAP mode, which doesn't.] [If you're not using Windows, either will work fine.]

-Greg
 
ocgltd
Member Candidate
Topic Author
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: My first openVPN setup, and it just disconnects

Tue Sep 04, 2012 8:16 pm

I tried using TAP mode, but one end didn't support it (I think Windows OpenVPN complained)...
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: My first openVPN setup, and it just disconnects

Tue Sep 04, 2012 9:40 pm

I know it works. [tested on XP-SP3 and Win7P]

I can give more feedback if you'd like.

I just find tun mode unusable. If I have 20 RW clients, I'll have to drop a block of 40 addresses to support them. Not happening. For really small installations, perhaps it could work.

However, I can't find any problems with TAP mode that cause me issues.

-Greg
[If you need something quick, email me, rather than forum. I might not be back today.]
 
ocgltd
Member Candidate
Topic Author
Posts: 112
Joined: Sun Sep 02, 2012 12:53 am
Location: Ontario, Canada

Re: My first openVPN setup, and it just disconnects

Wed Sep 05, 2012 1:14 am

Perhaps it's a Vista issue...but the message onscreen showed only TUN support...
