Community discussions

MikroTik App
  4. RouterOS
  5. General

OpenVPN cannot ping Mikrotik

Post Reply
 
nhenderson
just joined
Topic Author
Posts: 7
Joined: Sat May 26, 2018 10:43 pm

OpenVPN cannot ping Mikrotik

Thu Jan 14, 2021 7:56 pm

Hi, I have configured OpenVPN server on a Netmetal 5 firmware 6.48 and OpenVPN client on Ubuntu. This is point-to-point, single client. I don't want user/password authentication but I do need both client and server certificates authenticated and that is working.

The Linux client authenticates with the Mikrotik server.

Both Mikrotik and Linux can ping the Linux (client) endpoint of the tunnel, but neither can ping the Mikrotik (server) endpoint of the tunnel.

The Mikrotik had no "ip addr" for the tunnel, it allowed me to add one but it shows as invalid.

The Linux OpenVPN log looks like everything is fine, except it disconnects periodically for inactivity. The Mikrotik log shows events "duplicate packet, dropping" with topics ovpn,debug,error,l2tp,info,debug, and a number of others as far as I can see "unknown".

Linux end (client):
Code: Select all
dev tun2
# 10.20.0.165 is our local VPN endpoint (client).
ifconfig 10.20.0.165 10.20.0.166
proto tcp-client
local 10.1.15.254
remote 10.1.15.1
port 1194
topology p2p
ca /etc/openvpn/keys2048/ca.crt
cert /etc/openvpn/keys2048/cem05sim06-client.crt
key /etc/openvpn/keys2048/cem05sim06-client.key
ns-cert-type server
cipher AES-256-CBC
auth none
tls-client
comp-noadapt
passtos
ping 15
ping-restart 45
persist-tun
persist-key
resolv-retry infinite
Mikrotik end:
Code: Select all
/ppp profile add  local-address=10.20.0.166 name=cem05sim06 remote-address=10.20.0.165 use-comp=no use-encryp=required change-tcp-mss=yes bridge=bridge-local
/int ovpn-server server pr
                     enabled: yes
                        port: 1194
                        mode: ip
                     netmask: 30
                 mac-address: FE:E7:A9:68:04:C8
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: cem05sim06
                 certificate: cem05sim06-server.crt_0
  require-client-certificate: yes
                        auth: null
                      cipher: aes256
/int ovpn-sever add name=cem05sim06 disabled=no user=

/ip addr add int=cem05sim06 address=10.20.0.166/30
(the above succeeds, but the address shows as invalid in
Code: Select all
/ip addr pr
)

In the Web GUI, cem05sim06 shows up in PPP-Interface and in Interfaces.

I tried
Code: Select all
/ip route add dst-address=10.20.0.164/30 gateway=cem05sim06
which succeeded but shows in [code/ip route pr[/code] as unreachable.

Help Please!
Top
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11381
Joined: Mon Dec 04, 2017 9:19 pm

Re: OpenVPN cannot ping Mikrotik

Thu Jan 14, 2021 8:57 pm

You cannot assign a /30 address to an L3 interface (you use mode: ip for the openvpn server), and there is no need to assign that address using /ip address add as the local-address in the /ppp profile should do the trick. However, I'm not sure you can do without a /ppp secret row at the server side, as an individual virtual L3 interface is dynamically created for each client based on that row.
Top
 
nhenderson
just joined
Topic Author
Posts: 7
Joined: Sat May 26, 2018 10:43 pm

Re: OpenVPN cannot ping Mikrotik

Fri Jan 15, 2021 3:15 pm

Thanks very much sindy. I have tried the following:

I removed the manually added ip addr and ip route then:
Code: Select all
int ovpn-server server set auth=sha1
plus the equivalent on the linux client side,
Code: Select all
auth sha1
And on the Mikrotik (server):
Code: Select all
ppp secret add local-address=10.20.0.166 remote-address=10.20.0.165 disabled=no name=ovpnuser password=xxx
Then on the linux (client):
Code: Select all
auth-user-pass cem05sim06-pass
pull
with the ovpnuser and the password in the password file cem05sim06-pass.

The behavior has changed, each end can now ping its own endpoint but not the opposite endpoint.
A dynamic IP and a dynamic route have been created but the subnet and network address are wrong:
# ADDRESS NETWORK INTERFACE
...
3 D 10.20.0.166/32 10.20.0.165 cem05sim06
...
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
...
4 ADC 10.20.0.165/32 10.20.0.166 cem05sim06 0
There are two things I don't understand.
1) Since I am using client and server certificates I don't see why I would need, or want a username and password?
2) You said I can't use a /30 but I don't understand why. This is point-to-point (openvpn
Code: Select all
topology p2p
) and all I need are Network, 2 endpoints, and Broadcast addresses.
Linux OpenVPN picks up the configured local and remote addresses and assigns an address to the tunnel interface as follows:
inet 10.20.0.165/30 brd 10.20.0.167 scope global tun2
Actually, in the Mikrotik config I don't see a way to specify the equivalent of
Code: Select all
topology ppp
nor any way to specify the subnet length and suspect that is the root of my problem...

Looking forward to further comments, thanks very much!
Top
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11381
Joined: Mon Dec 04, 2017 9:19 pm

Re: OpenVPN cannot ping Mikrotik

Fri Jan 15, 2021 10:38 pm

There are two things I don't understand.
1) Since I am using client and server certificates I don't see why I would need, or want a username and password?
Because gents in Riga have accommodated the OpenVPN configuration structure to match the one of the various flavors of PPP, so the possibility to represent the client identity by the certificate alone is not implemented.

2) You said I can't use a /30 but I don't understand why. This is point-to-point (openvpn topology p2p ) and all I need are Network, 2 endpoints, and Broadcast addresses.
An L3 tunnel transports no L2 headers, so there is no need to use ARP to determine a MAC address, the L3 address alone is enough. Hence the IP address of the remote end of the tunnel is only necessary if you want to indicate the gateway of a route as an IP address rather than an interface name. Assigning anything larger than a /32 to the local end has no practical sense. And the address of the local and remote end may be completely unrelated, there is no need that they were from the same subnet, so there is also no need for the network address and the broadcast address.

OpenVPN on Linux may have a different approach to this, but this is how it works for normal PPP.

Actually, in the Mikrotik config I don't see a way to specify the equivalent of topology ppp nor any way to specify the subnet length and suspect that is the root of my problem...
I don't think there is any as ppp is the only L3 topology in the RouterOS implementation. Even with ethernet (TAP) mode, the L3 settings are somehow pushed through to the client.
Top
Post Reply
  4. RouterOS
  5. General