Artyom Brykin, 2018-09-10 09:09:36

A Mikrotik + OpenVPN (Ubuntu 18) + OpenLDAP authorization bundle?

The situation is as follows. Previously there was a Zyxel gateway, with the following bundle:
- OpenVPN server on Ubuntu 18, located in the LAN ( internal VPN subnet - -
- authorization via OpenLDAP (located on an external VDS server in the cloud).
- a route was forwarded on the Zyxel from the VPN subnet ( to . Port 1194 is open, forwarding (NAT) is configured to machine 1.50.
The client connected with the OpenVPN client to the external IP, port 1194, UDP, entered his login/password and voila! He is online, internal resources are available.
Recently I changed the Zyxel to a Mikrotik RB3011. I haven't dealt with them before. I set up the LAN, firewall, Internet. Everything is working.
There was a problem with the VPN. In the firewall I created rules for input, ports 1194 (udp) and 389 (tcp) - accept. In NAT I forwarded port 1194 to ; I did not forward 389, because OpenLDAP is on an external server.
As a result, the client starts connecting the VPN, gets to entering the login/password, presses OK, and then the following messages appear and the connection is interrupted:

Mon Sep 10 10:48:54 2018 us=144325 read UDP: Unknown error (code=10054)
Mon Sep 10 10:48:56 2018 us=487570 read UDP: Unknown error (code=10054)
Mon Sep 10 10:49:01 2018 us=64565 read UDP: Unknown error (code=10054)
Mon Sep 10 10:49:08 2018 us=890855 read UDP: Unknown error (code=10054)
Mon Sep 10 10:49:24 2018 us=840523 read UDP: Unknown error (code=10054)
Mon Sep 10 10:49:55 2018 us=99046 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Sep 10 10:49:55 2018 us=99046 TLS Error: TLS handshake failed

I think the problem is in the interaction of OpenVPN with the external OpenLDAP and the settings inside the Mikrotik; most likely I did not set up some rule. Please tell me how to solve this problem. Has anyone experienced something similar?
Thanks in advance to everyone who responds!


3 answers
Artyom Brykin, 2018-09-10

Actually, since I asked the question myself, I will answer it myself:
Firstly, if forwarding rules are configured in NAT, there is no need to open anything additionally in the firewall.
Secondly, my mistake was that I forwarded the TCP port instead of the one configured on the OpenVPN server - UDP.
Thirdly, to see whether requests/packets reach port 1194 from the client to the OpenVPN server, there is an excellent command (run on the OpenVPN server):
tcpdump -i udp port 1194
Run it and see whether anything arrives at the moment when you try to connect from the client to the server.
If the packets arrive, then everything is OK; go to the OpenVPN server logs (/var/log/openvpn/openvpn.log) and see what errors there are and why the connection does not happen... My server complained about a parameter in the config, and because of it everything went to hell! )

poisons, 2018-09-10

Permissive rules should still be in the forward chain.

Ruslan Fedoseev, 2018-09-10

input - traffic to Mikrotik
forward - traffic via Mikrotik
output - traffic from Mikrotik
PS. Look at the iptables documentation - it's about the same ;)
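Putting the self-answer above (forward UDP rather than TCP, and no extra input rules for traffic that is only forwarded) together with Ruslan Fedoseev's description of the input/forward/output chains, here is what the corresponding RouterOS configuration looks like. This is an added example, not configuration posted by anyone in the thread; the interface name ether1 (WAN), the OpenVPN host 192.168.1.50 and the VPN client subnet 10.8.0.0/24 are placeholders, because the real addresses are not given in the question.

```routeros
# Added example (not from the thread). Placeholders: ether1 = WAN interface,
# 192.168.1.50 = OpenVPN server in the LAN, 10.8.0.0/24 = OpenVPN client subnet.

# 1. Route the VPN client subnet back to the OpenVPN server, so LAN hosts
#    can answer VPN clients (the Zyxel had the same route).
/ip route
add dst-address=10.8.0.0/24 gateway=192.168.1.50 comment="OpenVPN client subnet"

# 2. NAT. The protocol MUST match the server's config: "proto udp" in
#    server.conf means protocol=udp here; a tcp rule simply matches nothing.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=1194 \
    action=dst-nat to-addresses=192.168.1.50 to-ports=1194 \
    comment="OpenVPN UDP/1194 -> internal server"
# Outbound masquerade lets the OpenVPN server reach the external OpenLDAP host;
# port 389 is never forwarded inbound, the LDAP connection originates inside.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> Internet"

# 3. Filter. Dst-natted traffic is judged in the FORWARD chain, not INPUT:
#    input   = packets addressed to the router itself
#    forward = packets passing through the router (LAN<->WAN, incl. dst-natted)
#    output  = packets generated by the router
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies of existing flows (incl. LDAP answers to the OpenVPN server)"
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    protocol=udp dst-address=192.168.1.50 dst-port=1194 action=accept \
    comment="only the dst-natted OpenVPN flow may enter the LAN from the WAN"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="any other new connection from the WAN into the LAN is dropped"
# No INPUT rule for 1194 or 389 is needed: neither service runs on the router.
```

Rule order matters: the two forward accepts must sit above any existing drop in the forward chain, otherwise the dst-natted packets are dropped before they are accepted. To check that the client's packets actually reach the router, watch the counters with /ip firewall nat print stats and /ip firewall filter print stats while a client connects; a dst-nat counter that stays at zero means the packets never arrive (or arrive with the wrong protocol), while a growing drop counter points at rule order. Since the LDAP bind travels across the Internet to the VDS, the OpenVPN server's LDAP configuration should use ldaps or STARTTLS rather than plain port 389, otherwise every user's password crosses the WAN in clear text.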
