LEEHYUNWOO
just joined
Topic Author
Posts: 22
Joined: Tue Aug 28, 2018 4:55 pm

Router OS 6.44.2 OVPN Setting please help me!

Sun Apr 14, 2019 3:01 am

Hello, I am operating version 6.44.2 with router RB1100AHx4.

There is a problem.

A. We have established OpenVPN, but we do not normally communicate with the router's DDNS.
B. CA and CLIENT certificates were created to connect OpenVPN to the client, but the following message appears.

CLIENT LOG FILE : client1822100098log

The router's log did not contain any VPN connection log, including errors.

I want to build OpenVPN while maintaining the "inter-VLAN" setup.

I'll post the router's settings, as I judge this to be a router problem.
I would appreciate it if you could look at the router's settings and tell me the problem.

** VLAN structure **

MGMT-VLAN = 200.168.10.0/24 [ VLAN - IDS = 100 ]
SUPERMICRO-VLAN = 200.168.20.0/24 [ VLAN - IDS = 20 ]
IBM-VLAN = 200.168.30.0/24 [ VLAN - IDS = 30 ]

RB1100AHx4 router inter-VLAN configuration:
##########
# Naming #
##########
# name the device being configured
[cskisa@Router] >/system identity set name="Router"

#################
# VLAN OverView # 
#################
# 100 = MGMT VLAN [ 200.168.10.0/24 ]
# 20 = SUPERMICRO VLAN [ 200.168.20.0/24 ]
# 30 = IBM VLAN [ 200.168.30.0/24 ]

##########
# Bridge #
##########

# Create one bridge, set VLAN mode off while we configure
[cskisa@Router] >/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
 
###############
# Trunk Ports #
###############

# ingress behavior
[cskisa@Router] >/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth2
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth3
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth4
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth5
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth6
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth7
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth8
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth9
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth10
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth11
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth12
[cskisa@Router] >/interface bridge port add bridge=BR1 interface=eth13

# egress behavior
[cskisa@Router] >/interface bridge vlan

# Purple Trunk. These need IP Service [ L3 ], so add Bridge as member
[cskisa@Router] >/interface bridge vlan add bridge=BR1 tagged=BR1,eth2 vlan-ids=20
[cskisa@Router] >/interface bridge vlan add bridge=BR1 tagged=BR1,eth2 vlan-ids=30
[cskisa@Router] >/interface bridge vlan add bridge=BR1 tagged=BR1,eth2 untagged=eth3,eth4,eth5,eth6,eth7,eth8,eth9,eth10,eth11,eth12,eth13 vlan-ids=100

###########################
# IP Addressing & Routing #
###########################

# LAN facing router’s IP address on the MGMT-VLAN
[cskisa@Router] >/interface vlan add interface=BR1 name=MGMT-VLAN vlan-id=100
[cskisa@Router] >/ip address add address=200.168.10.1/24 interface=MGMT-VLAN

# DNS server [ QUAD9 DNS ] ,set to cache for LAN
[cskisa@Router] >/ip dns set allow-remote-requests=yes servers="9.9.9.9"

# ISP to eth interface DHCP setup
[cskisa@Router] >/ip dhcp-client add interface=eth1


# eth1 DHCP Client enable
[cskisa@Router] >/ip dhcp-client enable 0

# SUPERMICRO VLAN interface creation, IP assignment, and DHCP service
[cskisa@Router] >/interface vlan add interface=BR1 name=SUPERMICRO-VLAN vlan-id=20
[cskisa@Router] >/ip address add interface=SUPERMICRO-VLAN address=200.168.20.1/24
[cskisa@Router] >/ip pool add name=SUPERMICRO-POOL ranges=200.168.20.2-200.168.20.254
[cskisa@Router] >/ip dhcp-server add address-pool=SUPERMICRO-POOL interface=SUPERMICRO-VLAN name=SUPERMICRO-DHCP disabled=no
[cskisa@Router] >/ip dhcp-server network add address=200.168.20.0/24 dns-server=200.168.10.1 gateway=200.168.20.1

# IBM VLAN interface creation, IP assignment, and DHCP service
[cskisa@Router] >/interface vlan add interface=BR1 name=IBM-VLAN vlan-id=30
[cskisa@Router] >/ip address add interface=IBM-VLAN address=200.168.30.1/24
[cskisa@Router] >/ip pool add name=IBM-POOL ranges=200.168.30.2-200.168.30.254
[cskisa@Router] >/ip dhcp-server add address-pool=IBM-POOL interface=IBM-VLAN name=IBM-DHCP disabled=no
[cskisa@Router] >/ip dhcp-server network add address=200.168.30.0/24 dns-server=200.168.10.1 gateway=200.168.30.1

# Create a DHCP instance for MGMT-VLAN. Convenience feature for an admin.
[cskisa@Router] >/ip pool add name=MGMT-POOL ranges=200.168.10.100-200.168.10.254
[cskisa@Router] >/ip dhcp-server add address-pool=MGMT-POOL interface=MGMT-VLAN name=MGMT-DHCP disabled=no
[cskisa@Router] >/ip dhcp-server network add address=200.168.10.0/24 dns-server=200.168.10.1 gateway=200.168.10.1

########################################################################
# Firewalling & NAT rules                                              #
# A good firewall for WAN. Up to you about how you want LAN to behave. #
########################################################################

# Use Mikrotik’s “list” feature for easy rule matchmaking.

[cskisa@Router] >/interface list add name=WAN
[cskisa@Router] >/interface list add name=VLAN
[cskisa@Router] >/interface list add name=MGMT

[cskisa@Router] >/interface list member add interface=eth1 list=WAN
[cskisa@Router] >/interface list member add interface=MGMT-VLAN list=VLAN
[cskisa@Router] >/interface list member add interface=SUPERMICRO-VLAN list=VLAN
[cskisa@Router] >/interface list member add interface=IBM-VLAN list=VLAN
[cskisa@Router] >/interface list member add interface=MGMT-VLAN list=MGMT

 
###############
# INPUT CHAIN #
###############

# VLAN aware firewall. Order is important.
[cskisa@Router] >/ip firewall filter
[cskisa@Router] >/ip firewall filter add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.

[cskisa@Router] >/ip firewall filter add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow MGMT-VLAN full access to the device for Winbox, etc.

[cskisa@Router] >/ip firewall filter add chain=input action=accept in-interface-list=MGMT comment="Allow MGMT-VLAN Full Access"
[cskisa@Router] >/ip firewall filter add chain=input action=drop comment="Drop"

# Add rules for VLANs to allow DNS services
[cskisa@Router] >/ip firewall filter add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=udp connection-state=new
[cskisa@Router] >/ip firewall filter add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=tcp connection-state=new

# Block FTP, SSH and Telnet access from inbound to drop attacks.
[cskisa@Router] >/ip firewall filter add chain=input action=drop comment="Drop FTP,SSH,Telnet from inbound" dst-port=21,22,23,137,139,445 protocol=tcp
 
#################
# FORWARD CHAIN #
#################

[cskisa@Router] >/ip firewall filter add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, not each other

[cskisa@Router] >/ip firewall filter add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
[cskisa@Router] >/ip firewall filter add chain=forward action=drop comment="Drop"

#######
# NAT #
#######

[cskisa@Router] >/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

#################
# VLAN Security #
#################

[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth3 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth4 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth5 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth6 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth7 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth8 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth9 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth10 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth11 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth12 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
[cskisa@Router] >/interface bridge port set bridge=BR1 interface=eth13 pvid=100 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

#######################
# MAC Server Settings #
#######################

# Ensure only visibility and availability from MGMT-VLAN, the MGMT network
[cskisa@Router] >/ip neighbor discovery-settings set discover-interface-list=MGMT
[cskisa@Router] >/tool mac-server mac-winbox set allowed-interface-list=MGMT
[cskisa@Router] >/tool mac-server set allowed-interface-list=MGMT

#####################
# Turn on VLAN mode #
#####################
[cskisa@Router] >/interface bridge set BR1 vlan-filtering=yes

And this is the configuration for building OpenVPN:
/certificate add name=CA country="KR" state="KR" locality="ASAN" organization="D16LAB" common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA name=CA

/certificate add name=SERVER country="KR" state="KR" locality="ASAN" organization="D16LAB" common-name="SERVER" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign SERVER ca="CA" name="SERVER"

/certificate add name="CLIENT" country="KR" state="KR" locality="ASAN" organization="D16LAB" common-name="CLIENT" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate add name=client1822100098 copy-from="CLIENT" common-name="client1822100098"
/certificate sign client1822100098 ca="CA" name="client1822100098"

/certificate export-certificate CA export-passphrase=""
/certificate export-certificate client1822100098 export-passphrase=skylake3926!

/ip pool add name=OVPN-POOL ranges=200.168.10.10-200.168.10.99

/ppp profile add name=openvpn local-address=200.168.10.1 remote-address=OVPN-POOL dns-server=200.168.10.1 use-encryption=required use-compression=default use-mpls=default

/ppp secret add name=client1822100098 password=skylake3926! service=ovpn profile=openvpn

/interface ovpn-server server set enabled=yes port=1194 mode=ip netmask=24 default-profile=openvpn certificate=SERVER require-client-certificate=yes auth=sha1 cipher=aes256

/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept

Client .ovpn file configuration:

client
dev tun
proto tcp
remote [mikrotik ddns address] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca CA.crt
cert client1822100098.crt
key client1822100098.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3

+ And I drew the system that I want. Please have a look at it.

IMAGE FILE : OPENVPN SYSTEM

Finally, I want VLAN and OPEN VPN to be able to communicate.
Last edited by LEEHYUNWOO on Tue Apr 16, 2019 8:30 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 11333
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router OS 6.44.2 OVPN Setting please help me!

Sun Apr 14, 2019 6:39 pm

A. We have established OpenVPN, but we do not normally communicate with the router's DDNS.
Please clarify. Have you just configured the OpenVPN on the 1100AHx4, or really successfully established a connection from some other client?

B. ...
The router's log did not contain any VPN connection log, including errors.
Instead of exporting the complete resulting configuration, you've only posted the settings you have added to some pre-existing one. Your /interface ovpn-server settings look fine, so please post the output of /ip firewall export, because if you've added your rule /ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept to an existing firewall, it is likely to be shadowed by some other one and thus ineffective.

You can check on your own whether that rule has ever matched a packet by issuing a command
/ip firewall filter print stats where dst-port~"1194"
 
LEEHYUNWOO
just joined
Topic Author
Posts: 22
Joined: Tue Aug 28, 2018 4:55 pm

Re: Router OS 6.44.2 OVPN Setting please help me!

Mon Apr 15, 2019 6:30 am

I'm so sorry.
I'm from ROK. That's why I seem to have inadvertently caused confusion.

A clear problem: the router does not seem to allow OpenVPN communication through port 1194 in the NAT rules or router firewall rules.
Proof: I set up DDNS, and a ping test to the router from the client side failed.

I'm trying to find a way to reset the RB1100AHx4 at lunch today.

I'll re-upload the RSC file set when I reconfigure the router.
 
sindy
Forum Guru
Posts: 11333
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router OS 6.44.2 OVPN Setting please help me!

Mon Apr 15, 2019 1:38 pm

I'm from ROK. That's why I seem to have inadvertently caused confusion.
I don't believe in these national specifics :-) But I know how complex it may be to choose the right word in a foreign language out of several similar ones which expresses best the meaning in my native language. So I just asked to be sure I got it right.

A clear problem: the router does not seem to allow OpenVPN communication through port 1194 in the NAT rules or router firewall rules.
Proof: I set up DDNS, and a ping test to the router from the client side failed.
Such proof only proves that some layer in the whole arrangement doesn't work, but you need to find out which one in particular.
My analytic steps would be the following:
  1. check on the client that the DNS name of the 1100AHx4 really resolves to the IP currently assigned to the 1100AHx4 (i.e. that the DDNS part of the task works properly)
  2. check that the UDP packets to port 1194 do reach ether1 of the 1100AHx4, using /tool sniffer or /tool torch which look at the incoming traffic before the firewall can eventually drop it. If the packets are not there, something on the route between the client and the server may block them.
  3. check that the firewall rule permitting packets towards UDP port 1194 counts packets - if it doesn't, some rule before it shadows it (and either accepts or drops them, hard to say)
  4. only if all the steps above succeed, it makes sense to start logging the openvpn itself
 
LEEHYUNWOO
just joined
Topic Author
Posts: 22
Joined: Tue Aug 28, 2018 4:55 pm

Re: Router OS 6.44.2 OVPN Setting please help me!

Tue Apr 16, 2019 9:08 am

First of all, I want to let you know that as of today DDNS can communicate externally.

Why communication is possible:

ip firewall filter rule
[cskeisa@Router]>/ip firewall filter add chain=input action=drop comment="Drop" -> remove!

DDNS now communicates externally, so I tried to connect the client with OpenVPN.

Result: failure

Router log content:

14:35:42 ovpn,info TCP connection established from 121.152.33.177
14:35:43 ovpn,debug,error,l2tp,25032,58648,25032,31404,58308,25584,l2tp,info,25588,debug duplicate packet, dropping

The obvious thing is that the router detects and deletes duplicate packets.

/ip firewall filter config:

###############
# INPUT CHAIN #
###############

# VLAN aware firewall. Order is important.
[cskisa@Router] >/ip firewall filter
[cskisa@Router] >/ip firewall filter add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.

[cskisa@Router] >/ip firewall filter add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow MGMT-VLAN full access to the device for Winbox, etc.

[cskisa@Router] >/ip firewall filter add chain=input action=accept in-interface-list=MGMT comment="Allow MGMT-VLAN Full Access"

# Add rules for VLANs to allow DNS services
[cskisa@Router] >/ip firewall filter add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=udp connection-state=new
[cskisa@Router] >/ip firewall filter add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=tcp connection-state=new

# Block FTP, SSH and Telnet access from inbound to drop attacks.
[cskisa@Router] >/ip firewall filter add chain=input action=drop comment="Drop FTP,SSH,Telnet from inbound" dst-port=21,22,23,137,139,445 protocol=tcp
 
#################
# FORWARD CHAIN #
#################

[cskisa@Router] >/ip firewall filter add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, not each other

[cskisa@Router] >/ip firewall filter add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
[cskisa@Router] >/ip firewall filter add chain=forward action=drop comment="Drop"

#######
# NAT #
#######

[cskisa@Router] >/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

In addition, I divided the vlan pool "MGMT" in half and made it OVPN, MGMT POOL.

ex : MGMT POOL = 200.168.10.10-200.168.10.254 -> OVPN-POOL = 200.168.10.10-200.168.10.99 , MGMT POOL = 200.168.10.100-200.168.10.254

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 - [secret] 1
1 ADC [secret ] [secret ] eth1 0
2 ADC 200.168.10.0/24 200.168.10.1 MGMT-VLAN 0
3 ADC 200.168.20.0/24 200.168.20.1 SUPERMICRO-VLAN 0
4 ADC 200.168.30.0/24 200.168.30.1 IBM-VLAN 0

I still seem to be looking for stupidity....
 
sindy
Forum Guru
Posts: 11333
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router OS 6.44.2 OVPN Setting please help me!

Tue Apr 16, 2019 9:18 am

Please add back the drop rule to exactly the same place in the input chain of filter from where you have removed it, as by removing it you've permitted access to management of your router to the whole internet. I'll write more when I get to PC, this is from mobile as it is urgent.
 
sindy
Forum Guru
Posts: 11333
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router OS 6.44.2 OVPN Setting please help me!

Tue Apr 16, 2019 5:42 pm

So I've had a look at /ip firewall filter in your configuration export, assuming that you've exported it after
ip firewall filter rule
[cskeisa@Router]>/ip firewall filter add chain=input action=drop comment="Drop" -> remove!
My assumption is that the rule above was originally the last one in chain=input of your /ip firewall filter, and then you've just added the action=accept chain=input dst-port=1194 protocol=tcp rule without using place-before to insert it before that action=drop rule, so the result was that the OVPN packets got dropped before they could reach the permissive rule.

By removing that action=drop rule, you made all services of the RB1100AHx4 open to the world, except those protected by the very first rule in chain=input, which is the action=drop chain=input comment="Drop FTP,SSH,Telnet from inbound" dst-port=21,22,23,139,445 protocol=tcp one. So http, winbox, api, api-ssl were open for everyone (as by default they are enabled and not restricted to a particular source address range, and there is no /ip service section in your configuration export, which means that default settings are active). The reason is that packets which didn't match any rule in their corresponding chain in /ip firewall filter are accepted.

A more detailed explanation of how the firewall works is e.g. here.

Last point to the firewall, the rule action=accept chain=input dst-port=1194 protocol=udp is useless because Mikrotik's implementation of OpenVPN doesn't support UDP as its transport protocol at all (UDP payload can be used).

I doubt that the duplicate packets are the reason why it doesn't work. Your firewall with the "drop all input" rule in place doesn't allow openvpn clients to establish new connections to the RB1100AHx4 because the dynamically created /interface ovpn-server is not a member of /interface list name=MGMT nor of /interface list name=VLAN because the /ppp profile name=OVPN doesn't have an interface-list item to add the dynamically created /interface ovpn-server to the indicated interface list dynamically. But as it didn't work even when the "drop all input" rule was not there, there must be some other reason on top of it.

So please issue the following command:
/system logging add topics=ovpn

Then try to connect the client, and once it connects or reports a failure, do /log print file=ovpn-log where topics~"ovpn", and post here the resulting ovpn-log.txt file. If the client connects successfully, post here also the output of /interface ovpn-server print detail.
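An added example, not from the thread or from RouterOS: a small Python model of first-match evaluation over the input chain posted above. It reproduces the three layouts discussed (the tcp/1194 accept appended after the catch-all drop, the drop deleted, and the accept inserted before the drop as place-before would do) and reports the hit counter that `/ip firewall filter print stats where dst-port~"1194"` would show. The rule set, the two probe packets and the winbox port 8291 are assumptions of the model, not output from the router.

```python
"""Added example (not from the thread or from RouterOS): a first-match model of the
/ip firewall filter input chain posted in this thread. It shows why the appended
tcp/1194 accept rule never counted a packet, why deleting the catch-all drop exposed
every service, and what placing the accept before the drop achieves."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    in_list: str            # interface list of the ingress interface: "WAN", "VLAN" or "MGMT"
    proto: str              # "tcp" or "udp"
    dst_port: int
    state: str = "new"      # "new" or "established" (simplified connection tracking)


@dataclass
class Rule:
    action: str                         # "accept" or "drop"
    comment: str
    in_list: Optional[str] = None       # in-interface-list=...
    proto: Optional[str] = None         # protocol=...
    dst_ports: Optional[set] = None     # dst-port=...
    state: Optional[str] = None         # connection-state=...
    hits: int = 0                       # the counter that "print stats" displays

    def matches(self, p: Packet) -> bool:
        return ((self.in_list is None or self.in_list == p.in_list)
                and (self.proto is None or self.proto == p.proto)
                and (self.dst_ports is None or p.dst_port in self.dst_ports)
                and (self.state is None or self.state == p.state))


def evaluate(chain: list[Rule], p: Packet) -> tuple[str, Optional[str]]:
    """First matching rule decides; a packet that matches no rule is accepted,
    which is the RouterOS default behaviour described in the thread."""
    for rule in chain:
        if rule.matches(p):
            rule.hits += 1
            return rule.action, rule.comment
    return "accept", None


def input_chain(with_drop: bool, ovpn_before_drop: bool) -> list[Rule]:
    """Rebuild the thread's input chain. with_drop=False models the deletion the
    original poster made; ovpn_before_drop=True models a place-before insertion."""
    ovpn = Rule("accept", "OVPN", proto="tcp", dst_ports={1194})
    chain = [
        Rule("accept", "Allow Estab & Related", state="established"),
        Rule("accept", "Allow VLAN", in_list="VLAN"),
        Rule("accept", "Allow MGMT-VLAN Full Access", in_list="MGMT"),
    ]
    if with_drop and ovpn_before_drop:
        chain.append(ovpn)
    if with_drop:
        chain.append(Rule("drop", "Drop"))                      # the catch-all drop
    chain += [
        Rule("accept", "DNS udp", in_list="VLAN", proto="udp", dst_ports={53}, state="new"),
        Rule("accept", "DNS tcp", in_list="VLAN", proto="tcp", dst_ports={53}, state="new"),
        Rule("drop", "Drop FTP,SSH,Telnet from inbound", proto="tcp",
             dst_ports={21, 22, 23, 137, 139, 445}),
    ]
    if not (with_drop and ovpn_before_drop):
        chain.append(ovpn)                                      # appended last, as originally posted
    return chain


# Constructed probe packets: a fresh OpenVPN connection and a winbox probe, both from the WAN.
OVPN_FROM_WAN = Packet("WAN", "tcp", 1194)
WINBOX_FROM_WAN = Packet("WAN", "tcp", 8291)   # 8291 is the winbox port (assumed here)


def scenario(with_drop: bool, ovpn_before_drop: bool) -> dict:
    """Evaluate both probes against one chain layout and report the verdicts,
    the rule that decided each, and the OVPN rule's hit counter."""
    chain = input_chain(with_drop, ovpn_before_drop)
    ovpn_rule = next(r for r in chain if r.comment == "OVPN")
    ovpn_action, ovpn_by = evaluate(chain, OVPN_FROM_WAN)
    winbox_action, winbox_by = evaluate(chain, WINBOX_FROM_WAN)
    return {"ovpn": ovpn_action, "ovpn_by": ovpn_by, "ovpn_hits": ovpn_rule.hits,
            "winbox": winbox_action, "winbox_by": winbox_by}


if __name__ == "__main__":
    print("as posted (accept after drop):", scenario(True, False))
    print("drop rule deleted:            ", scenario(False, False))
    print("accept placed before drop:    ", scenario(True, True))
```

With the accept appended after the drop, the OVPN rule keeps a zero counter because the catch-all matched first; with the drop deleted, the winbox probe is accepted by no rule at all, which is the exposure described in the reply above.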
 
LEEHYUNWOO
just joined
Topic Author
Posts: 22
Joined: Tue Aug 28, 2018 4:55 pm

Re: Router OS 6.44.2 OVPN Setting please help me!

Tue Apr 16, 2019 9:30 pm

I added the firewall rule "chain=input action=drop" back again.

Well, I created ovpn-log.txt and opened it once.
However, the ovpn-log.txt file only contained the RouterOS version, today's version, and the router serial numbers.

But I think this data can help, so I'm going to give you the log.


apr/17 03:06:54 ovpn,info TCP connection established from 121.152.33.177
apr/17 03:06:54 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=352b47eb81bf3ab pid=0 DATA len=0
apr/17 03:06:55 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=e7e5cf6f1d81f4e pid=0 DATA len=0
apr/17 03:06:55 ovpn,debug,packet sent P_ACK kid=0 sid=352b47eb81bf3ab [0 sid=e7e5cf6f1d81f4e] DATA len=0
apr/17 03:06:55 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=e7e5cf6f1d81f4e [0 sid=352b47eb81bf3ab] pid=0 DATA len=0
apr/17 03:06:55 ovpn,debug,error,l2tp,25032,58648,25032,31404,58308,25584,l2tp,info,25588,debug duplicate packet, dropping
apr/17 03:06:55 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=e7e5cf6f1d81f4e pid=1 DATA len=160
apr/17 03:06:55 ovpn,debug,packet sent P_ACK kid=0 sid=352b47eb81bf3ab [1 sid=e7e5cf6f1d81f4e] DATA len=0
apr/17 03:06:56 ovpn,debug,packet sent P_CONTROL kid=0 sid=352b47eb81bf3ab pid=1 DATA len=1400
apr/17 03:06:56 ovpn,debug,packet sent P_CONTROL kid=0 sid=352b47eb81bf3ab pid=2 DATA len=1400
apr/17 03:06:56 ovpn,debug,packet sent P_CONTROL kid=0 sid=352b47eb81bf3ab pid=3 DATA len=1252
apr/17 03:06:56 ovpn,debug,packet rcvd P_ACK kid=0 sid=e7e5cf6f1d81f4e [1 sid=352b47eb81bf3ab] DATA len=0
apr/17 03:06:56 ovpn,debug,packet rcvd P_ACK kid=0 sid=e7e5cf6f1d81f4e [2 sid=352b47eb81bf3ab] DATA len=0
apr/17 03:06:56 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=e7e5cf6f1d81f4e [3 sid=352b47eb81bf3ab] pid=2 DATA len=1170
apr/17 03:06:56 ovpn,debug,packet sent P_ACK kid=0 sid=352b47eb81bf3ab [2 sid=e7e5cf6f1d81f4e] DATA len=0
apr/17 03:06:56 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=e7e5cf6f1d81f4e pid=3 DATA len=1170
apr/17 03:06:56 ovpn,debug,packet sent P_ACK kid=0 sid=352b47eb81bf3ab [3 sid=e7e5cf6f1d81f4e] DATA len=0
apr/17 03:06:56 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=e7e5cf6f1d81f4e pid=4 DATA len=1170
apr/17 03:06:56 ovpn,debug,packet sent P_ACK kid=0 sid=352b47eb81bf3ab [4 sid=e7e5cf6f1d81f4e] DATA len=0
apr/17 03:06:56 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=e7e5cf6f1d81f4e pid=5 DATA len=194
apr/17 03:06:56 ovpn,debug,packet sent P_ACK kid=0 sid=352b47eb81bf3ab [5 sid=e7e5cf6f1d81f4e] DATA len=0
apr/17 03:06:56 ovpn,debug,packet sent P_CONTROL kid=0 sid=352b47eb81bf3ab pid=4 DATA len=51
apr/17 03:06:56 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=e7e5cf6f1d81f4e [4 sid=352b47eb81bf3ab] pid=6 DATA len=470
apr/17 03:06:56 ovpn,debug,packet sent P_ACK kid=0 sid=352b47eb81bf3ab [6 sid=e7e5cf6f1d81f4e] DATA len=0
apr/17 03:06:56 ovpn,debug <121.152.33.177>: disconnected <remote peer uses tap encapsulation while we - tun>
apr/17 03:07:01 ovpn,info TCP connection established from 121.152.33.177
apr/17 03:07:01 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=348729f22b90f7e5 pid=0 DATA len=0
apr/17 03:07:02 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=3cfa4188fe9a12d7 pid=0 DATA len=0
apr/17 03:07:02 ovpn,debug,packet sent P_ACK kid=0 sid=348729f22b90f7e5 [0 sid=3cfa4188fe9a12d7] DATA len=0
apr/17 03:07:02 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=3cfa4188fe9a12d7 [0 sid=348729f22b90f7e5] pid=0 DATA len=0
apr/17 03:07:02 ovpn,debug,error,l2tp,25032,58648,25032,31404,58308,25584,l2tp,info,25588,debug duplicate packet, dropping
apr/17 03:07:02 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=3cfa4188fe9a12d7 pid=1 DATA len=160
apr/17 03:07:02 ovpn,debug,packet sent P_ACK kid=0 sid=348729f22b90f7e5 [1 sid=3cfa4188fe9a12d7] DATA len=0
apr/17 03:07:02 ovpn,debug,packet sent P_CONTROL kid=0 sid=348729f22b90f7e5 pid=1 DATA len=1400
apr/17 03:07:02 ovpn,debug,packet sent P_CONTROL kid=0 sid=348729f22b90f7e5 pid=2 DATA len=1400
apr/17 03:07:02 ovpn,debug,packet sent P_CONTROL kid=0 sid=348729f22b90f7e5 pid=3 DATA len=1252
apr/17 03:07:02 ovpn,debug,packet rcvd P_ACK kid=0 sid=3cfa4188fe9a12d7 [1 sid=348729f22b90f7e5] DATA len=0
apr/17 03:07:02 ovpn,debug,packet rcvd P_ACK kid=0 sid=3cfa4188fe9a12d7 [2 sid=348729f22b90f7e5] DATA len=0
apr/17 03:07:02 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=3cfa4188fe9a12d7 [3 sid=348729f22b90f7e5] pid=2 DATA len=1170
apr/17 03:07:02 ovpn,debug,packet sent P_ACK kid=0 sid=348729f22b90f7e5 [2 sid=3cfa4188fe9a12d7] DATA len=0
apr/17 03:07:02 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=3cfa4188fe9a12d7 pid=3 DATA len=1170
apr/17 03:07:02 ovpn,debug,packet sent P_ACK kid=0 sid=348729f22b90f7e5 [3 sid=3cfa4188fe9a12d7] DATA len=0
apr/17 03:07:02 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=3cfa4188fe9a12d7 pid=4 DATA len=1170
apr/17 03:07:02 ovpn,debug,packet sent P_ACK kid=0 sid=348729f22b90f7e5 [4 sid=3cfa4188fe9a12d7] DATA len=0
apr/17 03:07:02 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=3cfa4188fe9a12d7 pid=5 DATA len=194
apr/17 03:07:02 ovpn,debug,packet sent P_ACK kid=0 sid=348729f22b90f7e5 [5 sid=3cfa4188fe9a12d7] DATA len=0
apr/17 03:07:02 ovpn,debug,packet sent P_CONTROL kid=0 sid=348729f22b90f7e5 pid=4 DATA len=51
apr/17 03:07:02 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=3cfa4188fe9a12d7 [4 sid=348729f22b90f7e5] pid=6 DATA len=470
apr/17 03:07:02 ovpn,debug,packet sent P_ACK kid=0 sid=348729f22b90f7e5 [6 sid=3cfa4188fe9a12d7] DATA len=0
apr/17 03:07:02 ovpn,debug <121.152.33.177>: disconnected <remote peer uses tap encapsulation while we - tun>
apr/17 03:07:15 interface,info eth13 link up (speed 1G, full duplex)
apr/17 03:07:21 system,info,account user cskisa logged in from 80:FA:5B:21:06:46 via winbox
apr/17 03:07:22 system,info,account user cskisa logged in via local
apr/17 03:10:16 system,info log rule added by cskisa
apr/17 03:10:25 interface,info eth13 link down
apr/17 03:10:26 system,info,account user cskisa logged out from 80:FA:5B:21:06:46 via winbox
apr/17 03:10:26 system,info,account user cskisa logged out via local
apr/17 03:10:30 ovpn,info TCP connection established from 121.152.33.177
apr/17 03:10:30 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=4e6da99789dc9ff9 pid=0 DATA len=0
apr/17 03:10:31 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfadcfe57fbb7332 pid=0 DATA len=0
apr/17 03:10:31 ovpn,debug,packet sent P_ACK kid=0 sid=4e6da99789dc9ff9 [0 sid=bfadcfe57fbb7332] DATA len=0
apr/17 03:10:31 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfadcfe57fbb7332 [0 sid=4e6da99789dc9ff9] pid=0 DATA len=0
apr/17 03:10:31 ovpn,debug,error,l2tp,25032,58648,25032,31404,58308,25584,l2tp,info,25588,debug duplicate packet, dropping
apr/17 03:10:31 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=bfadcfe57fbb7332 pid=1 DATA len=160
apr/17 03:10:31 ovpn,debug,packet sent P_ACK kid=0 sid=4e6da99789dc9ff9 [1 sid=bfadcfe57fbb7332] DATA len=0
apr/17 03:10:32 ovpn,debug,packet sent P_CONTROL kid=0 sid=4e6da99789dc9ff9 pid=1 DATA len=1400
apr/17 03:10:32 ovpn,debug,packet sent P_CONTROL kid=0 sid=4e6da99789dc9ff9 pid=2 DATA len=1400
apr/17 03:10:32 ovpn,debug,packet sent P_CONTROL kid=0 sid=4e6da99789dc9ff9 pid=3 DATA len=1252
apr/17 03:10:32 ovpn,debug,packet rcvd P_ACK kid=0 sid=bfadcfe57fbb7332 [1 sid=4e6da99789dc9ff9] DATA len=0
apr/17 03:10:32 ovpn,debug,packet rcvd P_ACK kid=0 sid=bfadcfe57fbb7332 [2 sid=4e6da99789dc9ff9] DATA len=0
apr/17 03:10:32 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=bfadcfe57fbb7332 [3 sid=4e6da99789dc9ff9] pid=2 DATA len=1170
apr/17 03:10:32 ovpn,debug,packet sent P_ACK kid=0 sid=4e6da99789dc9ff9 [2 sid=bfadcfe57fbb7332] DATA len=0
apr/17 03:10:32 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=bfadcfe57fbb7332 pid=3 DATA len=1170
apr/17 03:10:32 ovpn,debug,packet sent P_ACK kid=0 sid=4e6da99789dc9ff9 [3 sid=bfadcfe57fbb7332] DATA len=0
apr/17 03:10:32 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=bfadcfe57fbb7332 pid=4 DATA len=1170
apr/17 03:10:32 ovpn,debug,packet sent P_ACK kid=0 sid=4e6da99789dc9ff9 [4 sid=bfadcfe57fbb7332] DATA len=0
apr/17 03:10:32 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=bfadcfe57fbb7332 pid=5 DATA len=194
apr/17 03:10:32 ovpn,debug,packet sent P_ACK kid=0 sid=4e6da99789dc9ff9 [5 sid=bfadcfe57fbb7332] DATA len=0
apr/17 03:10:32 ovpn,debug,packet sent P_CONTROL kid=0 sid=4e6da99789dc9ff9 pid=4 DATA len=51
apr/17 03:10:32 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=bfadcfe57fbb7332 [4 sid=4e6da99789dc9ff9] pid=6 DATA len=470
apr/17 03:10:32 ovpn,debug,packet sent P_ACK kid=0 sid=4e6da99789dc9ff9 [6 sid=bfadcfe57fbb7332] DATA len=0
apr/17 03:10:32 ovpn,debug <121.152.33.177>: disconnected <remote peer uses tap encapsulation while we - tun>
apr/17 03:10:37 ovpn,info TCP connection established from 121.152.33.177
apr/17 03:10:37 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=c89b66eab13988a pid=0 DATA len=0
apr/17 03:10:38 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=2642599eaf6421e7 pid=0 DATA len=0
apr/17 03:10:38 ovpn,debug,packet sent P_ACK kid=0 sid=c89b66eab13988a [0 sid=2642599eaf6421e7] DATA len=0
apr/17 03:10:38 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=2642599eaf6421e7 [0 sid=c89b66eab13988a] pid=0 DATA len=0
apr/17 03:10:38 ovpn,debug,error,l2tp,25032,58648,25032,31404,58308,25584,l2tp,info,25588,debug duplicate packet, dropping
apr/17 03:10:38 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2642599eaf6421e7 pid=1 DATA len=160
apr/17 03:10:38 ovpn,debug,packet sent P_ACK kid=0 sid=c89b66eab13988a [1 sid=2642599eaf6421e7] DATA len=0
apr/17 03:10:38 ovpn,debug,packet sent P_CONTROL kid=0 sid=c89b66eab13988a pid=1 DATA len=1400
apr/17 03:10:38 ovpn,debug,packet sent P_CONTROL kid=0 sid=c89b66eab13988a pid=2 DATA len=1400
apr/17 03:10:38 ovpn,debug,packet sent P_CONTROL kid=0 sid=c89b66eab13988a pid=3 DATA len=1252
apr/17 03:10:38 ovpn,debug,packet rcvd P_ACK kid=0 sid=2642599eaf6421e7 [1 sid=c89b66eab13988a] DATA len=0
apr/17 03:10:38 ovpn,debug,packet rcvd P_ACK kid=0 sid=2642599eaf6421e7 [2 sid=c89b66eab13988a] DATA len=0
apr/17 03:10:38 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2642599eaf6421e7 [3 sid=c89b66eab13988a] pid=2 DATA len=1170
apr/17 03:10:38 ovpn,debug,packet sent P_ACK kid=0 sid=c89b66eab13988a [2 sid=2642599eaf6421e7] DATA len=0
apr/17 03:10:38 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2642599eaf6421e7 pid=3 DATA len=1170
apr/17 03:10:38 ovpn,debug,packet sent P_ACK kid=0 sid=c89b66eab13988a [3 sid=2642599eaf6421e7] DATA len=0
apr/17 03:10:38 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2642599eaf6421e7 pid=4 DATA len=1170
apr/17 03:10:38 ovpn,debug,packet sent P_ACK kid=0 sid=c89b66eab13988a [4 sid=2642599eaf6421e7] DATA len=0
apr/17 03:10:38 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2642599eaf6421e7 pid=5 DATA len=194
apr/17 03:10:38 ovpn,debug,packet sent P_ACK kid=0 sid=c89b66eab13988a [5 sid=2642599eaf6421e7] DATA len=0
apr/17 03:10:38 ovpn,debug,packet sent P_CONTROL kid=0 sid=c89b66eab13988a pid=4 DATA len=51
apr/17 03:10:38 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2642599eaf6421e7 [4 sid=c89b66eab13988a] pid=6 DATA len=470
apr/17 03:10:38 ovpn,debug,packet sent P_ACK kid=0 sid=c89b66eab13988a [6 sid=2642599eaf6421e7] DATA len=0
apr/17 03:10:38 ovpn,debug <121.152.33.177>: disconnected <remote peer uses tap encapsulation while we - tun>
apr/17 03:10:43 ovpn,info TCP connection established from 121.152.33.177
apr/17 03:10:43 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=08617295afd3c88 pid=0 DATA len=0
apr/17 03:10:44 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=314ce6a0efe621f1 pid=0 DATA len=0
apr/17 03:10:44 ovpn,debug,packet sent P_ACK kid=0 sid=08617295afd3c88 [0 sid=314ce6a0efe621f1] DATA len=0
apr/17 03:10:44 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=314ce6a0efe621f1 [0 sid=08617295afd3c88] pid=0 DATA len=0
apr/17 03:10:44 ovpn,debug,error,l2tp,25032,58648,25032,31404,58308,25584,l2tp,info,25588,debug duplicate packet, dropping
apr/17 03:10:44 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=314ce6a0efe621f1 pid=1 DATA len=160
apr/17 03:10:44 ovpn,debug,packet sent P_ACK kid=0 sid=08617295afd3c88 [1 sid=314ce6a0efe621f1] DATA len=0
apr/17 03:10:45 ovpn,debug,packet sent P_CONTROL kid=0 sid=08617295afd3c88 pid=1 DATA len=1400
apr/17 03:10:45 ovpn,debug,packet sent P_CONTROL kid=0 sid=08617295afd3c88 pid=2 DATA len=1400
apr/17 03:10:45 ovpn,debug,packet sent P_CONTROL kid=0 sid=08617295afd3c88 pid=3 DATA len=1252
apr/17 03:10:45 ovpn,debug,packet rcvd P_ACK kid=0 sid=314ce6a0efe621f1 [1 sid=08617295afd3c88] DATA len=0
apr/17 03:10:45 ovpn,debug,packet rcvd P_ACK kid=0 sid=314ce6a0efe621f1 [2 sid=08617295afd3c88] DATA len=0
apr/17 03:10:45 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=314ce6a0efe621f1 [3 sid=08617295afd3c88] pid=2 DATA len=1170
apr/17 03:10:45 ovpn,debug,packet sent P_ACK kid=0 sid=08617295afd3c88 [2 sid=314ce6a0efe621f1] DATA len=0
apr/17 03:10:45 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=314ce6a0efe621f1 pid=3 DATA len=1170
apr/17 03:10:45 ovpn,debug,packet sent P_ACK kid=0 sid=08617295afd3c88 [3 sid=314ce6a0efe621f1] DATA len=0
apr/17 03:10:45 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=314ce6a0efe621f1 pid=4 DATA len=1170
apr/17 03:10:45 ovpn,debug,packet sent P_ACK kid=0 sid=08617295afd3c88 [4 sid=314ce6a0efe621f1] DATA len=0
apr/17 03:10:45 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=314ce6a0efe621f1 pid=5 DATA len=194
apr/17 03:10:45 ovpn,debug,packet sent P_ACK kid=0 sid=08617295afd3c88 [5 sid=314ce6a0efe621f1] DATA len=0
apr/17 03:10:45 ovpn,debug,packet sent P_CONTROL kid=0 sid=08617295afd3c88 pid=4 DATA len=51
apr/17 03:10:45 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=314ce6a0efe621f1 [4 sid=08617295afd3c88] pid=6 DATA len=470
apr/17 03:10:45 ovpn,debug,packet sent P_ACK kid=0 sid=08617295afd3c88 [6 sid=314ce6a0efe621f1] DATA len=0
apr/17 03:10:45 ovpn,debug <121.152.33.177>: disconnected <remote peer uses tap encapsulation while we - tun>
apr/17 03:10:50 ovpn,info TCP connection established from 121.152.33.177
apr/17 03:10:50 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=d5d2c79a90a89cc pid=0 DATA len=0
apr/17 03:10:51 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=26bca3524e684b0 pid=0 DATA len=0
apr/17 03:10:51 ovpn,debug,packet sent P_ACK kid=0 sid=d5d2c79a90a89cc [0 sid=26bca3524e684b0] DATA len=0
apr/17 03:10:51 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=26bca3524e684b0 [0 sid=d5d2c79a90a89cc] pid=0 DATA len=0
apr/17 03:10:51 ovpn,debug,error,l2tp,25032,58648,25032,31404,58308,25584,l2tp,info,25588,debug duplicate packet, dropping
apr/17 03:10:51 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=26bca3524e684b0 pid=1 DATA len=160
apr/17 03:10:51 ovpn,debug,packet sent P_ACK kid=0 sid=d5d2c79a90a89cc [1 sid=26bca3524e684b0] DATA len=0
apr/17 03:10:51 ovpn,debug,packet sent P_CONTROL kid=0 sid=d5d2c79a90a89cc pid=1 DATA len=1400
apr/17 03:10:51 ovpn,debug,packet sent P_CONTROL kid=0 sid=d5d2c79a90a89cc pid=2 DATA len=1400
apr/17 03:10:51 ovpn,debug,packet sent P_CONTROL kid=0 sid=d5d2c79a90a89cc pid=3 DATA len=1252
apr/17 03:10:51 ovpn,debug,packet rcvd P_ACK kid=0 sid=26bca3524e684b0 [1 sid=d5d2c79a90a89cc] DATA len=0
apr/17 03:10:51 ovpn,debug,packet rcvd P_ACK kid=0 sid=26bca3524e684b0 [2 sid=d5d2c79a90a89cc] DATA len=0
apr/17 03:10:51 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=26bca3524e684b0 [3 sid=d5d2c79a90a89cc] pid=2 DATA len=1170
apr/17 03:10:51 ovpn,debug,packet sent P_ACK kid=0 sid=d5d2c79a90a89cc [2 sid=26bca3524e684b0] DATA len=0
apr/17 03:10:51 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=26bca3524e684b0 pid=3 DATA len=1170
apr/17 03:10:51 ovpn,debug,packet sent P_ACK kid=0 sid=d5d2c79a90a89cc [3 sid=26bca3524e684b0] DATA len=0
apr/17 03:10:51 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=26bca3524e684b0 pid=4 DATA len=1170
apr/17 03:10:51 ovpn,debug,packet sent P_ACK kid=0 sid=d5d2c79a90a89cc [4 sid=26bca3524e684b0] DATA len=0
apr/17 03:10:51 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=26bca3524e684b0 pid=5 DATA len=194
apr/17 03:10:51 ovpn,debug,packet sent P_ACK kid=0 sid=d5d2c79a90a89cc [5 sid=26bca3524e684b0] DATA len=0
apr/17 03:10:51 ovpn,debug,packet sent P_CONTROL kid=0 sid=d5d2c79a90a89cc pid=4 DATA len=51
apr/17 03:10:51 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=26bca3524e684b0 [4 sid=d5d2c79a90a89cc] pid=6 DATA len=470
apr/17 03:10:51 ovpn,debug,packet sent P_ACK kid=0 sid=d5d2c79a90a89cc [6 sid=26bca3524e684b0] DATA len=0
apr/17 03:10:51 ovpn,debug <121.152.33.177>: disconnected <remote peer uses tap encapsulation while we - tun>
apr/17 03:10:56 ovpn,info TCP connection established from 121.152.33.177
apr/17 03:10:56 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=7bd8f62daa672171 pid=0 DATA len=0
apr/17 03:10:57 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=2623d46adc731c38 pid=0 DATA len=0
apr/17 03:10:57 ovpn,debug,packet sent P_ACK kid=0 sid=7bd8f62daa672171 [0 sid=2623d46adc731c38] DATA len=0
apr/17 03:10:57 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=2623d46adc731c38 [0 sid=7bd8f62daa672171] pid=0 DATA len=0
apr/17 03:10:57 ovpn,debug,error,l2tp,25032,58648,25032,31404,58308,25584,l2tp,info,25588,debug duplicate packet, dropping
apr/17 03:10:57 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2623d46adc731c38 pid=1 DATA len=160
apr/17 03:10:57 ovpn,debug,packet sent P_ACK kid=0 sid=7bd8f62daa672171 [1 sid=2623d46adc731c38] DATA len=0
apr/17 03:10:57 ovpn,debug,packet sent P_CONTROL kid=0 sid=7bd8f62daa672171 pid=1 DATA len=1400
apr/17 03:10:57 ovpn,debug,packet sent P_CONTROL kid=0 sid=7bd8f62daa672171 pid=2 DATA len=1400
apr/17 03:10:57 ovpn,debug,packet sent P_CONTROL kid=0 sid=7bd8f62daa672171 pid=3 DATA len=1252
apr/17 03:10:57 ovpn,debug,packet rcvd P_ACK kid=0 sid=2623d46adc731c38 [1 sid=7bd8f62daa672171] DATA len=0
apr/17 03:10:57 ovpn,debug,packet rcvd P_ACK kid=0 sid=2623d46adc731c38 [2 sid=7bd8f62daa672171] DATA len=0
apr/17 03:10:58 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2623d46adc731c38 [3 sid=7bd8f62daa672171] pid=2 DATA len=1170
apr/17 03:10:58 ovpn,debug,packet sent P_ACK kid=0 sid=7bd8f62daa672171 [2 sid=2623d46adc731c38] DATA len=0
apr/17 03:10:58 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2623d46adc731c38 pid=3 DATA len=1170
apr/17 03:10:58 ovpn,debug,packet sent P_ACK kid=0 sid=7bd8f62daa672171 [3 sid=2623d46adc731c38] DATA len=0
apr/17 03:10:58 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2623d46adc731c38 pid=4 DATA len=1170
apr/17 03:10:58 ovpn,debug,packet sent P_ACK kid=0 sid=7bd8f62daa672171 [4 sid=2623d46adc731c38] DATA len=0
apr/17 03:10:58 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2623d46adc731c38 pid=5 DATA len=194
apr/17 03:10:58 ovpn,debug,packet sent P_ACK kid=0 sid=7bd8f62daa672171 [5 sid=2623d46adc731c38] DATA len=0
apr/17 03:10:58 ovpn,debug,packet sent P_CONTROL kid=0 sid=7bd8f62daa672171 pid=4 DATA len=51
apr/17 03:10:58 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=2623d46adc731c38 [4 sid=7bd8f62daa672171] pid=6 DATA len=470
apr/17 03:10:58 ovpn,debug,packet sent P_ACK kid=0 sid=7bd8f62daa672171 [6 sid=2623d46adc731c38] DATA len=0
apr/17 03:10:58 ovpn,debug <121.152.33.177>: disconnected <remote peer uses tap encapsulation while we - tun>
apr/17 03:11:11 interface,info eth13 link up (speed 1G, full duplex)
apr/17 03:11:11 system,info,account user cskisa logged in from 80:FA:5B:21:06:46 via winbox
apr/17 03:11:12 system,info,account user cskisa logged in via local
apr/17 03:18:24 system,error,critical login failure for user cskisa from 200.168.10.252 via web
apr/17 03:18:27 system,info,account user cskisa logged in from 200.168.10.252 via web
apr/17 03:18:28 system,info,account user cskisa logged in via local

And this is the content of /interface openvpn-server server.

[cskisa@Router] /interface ovpn-server server> print
enabled: yes
port: 1194
mode: ip
netmask: 24
mac-address: FE:00:68:88:1E:22
max-mtu: 1500
keepalive-timeout: 60
default-profile: OVPN
certificate: SERVER
require-client-certificate: yes
auth: sha1
cipher: aes256

Oh, and nothing was set in the interface ovpn-server.

I set it up after watching youtube, but now I feel very confused when I see what I have set up.

So I suggested.

I want you to let me know how to build openvpn correctly.
This is because I may be confused in the process of building vlan.

And I want you to know that I'm in the "novice" stage using mikrotik.
 
sindy
Forum Guru
Posts: 11333
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router OS 6.44.2 OVPN Setting please help me!

Tue Apr 16, 2019 10:32 pm

Well, I created ovpn-log.txt and I opened it once.
However, the ovpn-log.txt file only contained the ROUTER OS version, today's version, and ROUTER SERIAL numbers.
That's weird but I suggest to ignore this as you've managed to obtain the log some other way.

The answer you are looking for is in the log, but I don't understand why Mikrotik guys decided to set its severity level to only debug and not to error:

apr/17 03:07:02 ovpn,debug <121.152.33.177>: disconnected <remote peer uses tap encapsulation while we - tun>

The explanation is that OpenVPN supports two modes of payload encapsulation - an L3 (routed) one, called TUN, and an L2 (bridged) one, called TAP. The TUN and TAP are actually the types of virtual network interfaces created at both ends and connected together using the VPN. Mikrotik's default setting is to use TUN encapsulation, but the corresponding value of parameter mode in /interface openvpn-server server is ip; to choose TAP mode, the value of this parameter has to be changed to ethernet.

So you first have to decide which mode you want to use, and depending on that, change this setting on the server (Mikrotik) side or on the client side, and adapt the rest of the configuration at Mikrotik side if you choose the bridge (TAP) mode.

I set it up after watching youtube, but now I feel very confused when I see what I have set up.
That's the problem of the current era. People have problems reading written documentation because it requires some understanding of the topic, so they revert to watching Youtube videos with step-by-step instructions, but those videos are often created by someone just slightly less advanced who also doesn't understand exactly what he's doing but he managed to set it up somehow, and it makes him so proud of himself that he creates a video to let the world know. In the worst cases you end up with videos instructing people to switch the firewall off because the author didn't understand what it is good for and it was just interfering with his short-term goal.

And I want you to know that I'm in the "novice" stage using mikrotik.
That's quite clear, but a more important question is whether you are also a novice in networking as a whole or not, i.e. whether you understand the consequences of using L3 or L2 mode of the VPN, the difference between "VLAN" and "subnet" etc., as this determines at which level to start eventual further explanations.
 
LEEHYUNWOO
just joined
Topic Author
Posts: 22
Joined: Tue Aug 28, 2018 4:55 pm

Re: Router OS 6.44.2 OVPN Setting please help me!

Sun Apr 21, 2019 11:37 am

After checking the inter-vlan setting, I found that I use L3 for my router and L2 for my switch.

Therefore, the router will maintain and use L3 and the VPN will be considered to be using L3.

And the step I understand is to use inter-vlan as a Cisco device, so I don't know much about mikrotik.

So I don't know how to set up the firewall. If possible, I want you to tell me how to set it up and how to do it.

I just understand the OSI7 class and understand VLAN.

payload encapsulation : TUN MODE <- I will use
 
sindy
Forum Guru
Posts: 11333
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router OS 6.44.2 OVPN Setting please help me!

Mon Apr 22, 2019 5:47 pm

L2 and L3 mode of the OpenVPN are only loosely related to how the rest of your network is organized.

If you use L2 mode of the OpenVPN, your OpenVPN client PC will behave as if its OpenVPN virtual interface was connected to the LAN of the OpenVPN server (the Mikrotik) - it will get the broadcast traffic from the LAN etc. So in this case, you may make the client PC a member of one of your VLANs (20, 30, or 100) and have no L3 firewall between the client PC and the other devices in the same VLAN. To access the subnets in the other two VLANs, you'll still have to add routes at client end, but the existing IP firewall rules for the VLAN to which you'll incorporate the L2 tunnel to the client PC will also handle the traffic of the client PC.

If you use L3 mode, your PC will be connected using a point-to-point L3 tunnel, and to access those subnets from the PC, you'll have to add routes to all your LAN subnets (200.168.x0.0/24) to the client's OpenVPN configuration, and IP firewall rules specific to the client to the server configuration.
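Added example, not part of the thread and not the poster's configuration: a RouterOS 6.x terminal sequence that puts together the two points sindy makes above, the TUN/TAP encapsulation mismatch (mode=ip on the server is TUN, so the client must use dev tun) and the routes-plus-firewall work that L3 mode needs. It keeps the values shown in the thread (port 1194, certificate SERVER, profile OVPN, sha1/aes256, the three VLAN subnets). The client pool 200.168.40.0/24, the WAN port eth1, the user name client1 and the password are assumptions, not values from the thread.

```routeros
# Added example (not from the thread). Assumed: eth1 is the WAN port,
# 200.168.40.0/24 is a free subnet for VPN clients, user "client1".

# 1. Server in L3 (TUN) mode. mode=ip is TUN; a client whose .ovpn says
#    "dev tap" is dropped with "remote peer uses tap encapsulation while we - tun".
/interface ovpn-server server set enabled=yes port=1194 mode=ip netmask=24 \
    certificate=SERVER require-client-certificate=yes auth=sha1 cipher=aes256 \
    default-profile=OVPN

# 2. Addresses for VPN clients: a dedicated subnet rather than one of the VLANs,
#    so firewall rules can name VPN users explicitly (profile OVPN exists per the thread).
/ip pool add name=ovpn-pool ranges=200.168.40.10-200.168.40.50
/ppp profile set OVPN local-address=200.168.40.1 remote-address=ovpn-pool \
    use-encryption=required
# RouterOS OVPN needs a username/password on top of the client certificate.
/ppp secret add name=client1 password=CHANGE-ME profile=OVPN service=ovpn

# 3. Firewall for the L3 tunnel: accept the listener from the WAN, let VPN
#    clients reach the server VLANs only, keep them out of the management VLAN,
#    drop the rest. Place these above any existing catch-all drop rules; the
#    usual established/related accept rule covers the return traffic.
/ip firewall filter add chain=input in-interface=eth1 protocol=tcp dst-port=1194 \
    action=accept comment="OpenVPN from Internet"
/ip firewall filter add chain=forward src-address=200.168.40.0/24 \
    dst-address=200.168.20.0/24 action=accept comment="VPN -> SUPERMICRO VLAN 20"
/ip firewall filter add chain=forward src-address=200.168.40.0/24 \
    dst-address=200.168.30.0/24 action=accept comment="VPN -> IBM VLAN 30"
/ip firewall filter add chain=forward src-address=200.168.40.0/24 \
    dst-address=200.168.10.0/24 action=drop comment="VPN clients stay out of MGMT VLAN 100"
/ip firewall filter add chain=forward src-address=200.168.40.0/24 action=drop \
    comment="VPN default deny"

# 4. Check. The handshake failure reason is logged at debug severity only, so
#    keep an ovpn log rule without the per-packet noise and search for it directly.
/system logging add topics=ovpn,!packet action=memory
/log print where topics~"ovpn" and message~"disconnected"
/interface ovpn-server print
```

On the client side the matching .ovpn needs `dev tun`, `proto tcp-client`, `auth-user-pass`, `cipher AES-256-CBC`, `auth SHA1`, the CA and client certificate/key, and, because routes are added at the client end as sindy says, one `route 200.168.20.0 255.255.255.0` style line per VLAN subnet the client should reach (omit the MGMT subnet if the firewall drops it anyway). The drop rule towards 200.168.10.0/24 is a least-privilege choice for this example, not something the thread requires; relax it if management access over the VPN is intended.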