openvpn
Kubozoa, 2021-02-18 17:36:16

Connecting to an OpenVPN server on a MikroTik behind a TP-Link router?

Good day. I can't connect to the OVPN server from an external address.

There is an office with a network on a TP-Link ER6020 v1 with the latest firmware version; two cables from different providers come into it, both with a public ("white") IP. From the router a cable goes to a Cisco switch, from which wires are already spread throughout the office, and to a MikroTik RB952Ui-5ac2nD (RouterOS 6.46.8) in bridge mode distributing Wi-Fi.

At some point it became necessary to provide VPN access, for which OpenVPN was chosen as the least painful way to pass through the TP-Link's NAT. As a result, the MikroTik was set up according to this guide:
https://interface31.ru/tech_it/2020/01/nastroyka-o...

The server is the MikroTik: the certificates were created on it, the firewall rules are written, and all requests to port 1194 on either of the two IPs are forwarded from the TP-Link to it. The latter is done through the Virtual Server function.

Everything works inside the network, but there is no connection from an external computer/phone. Judging by the logs, the connection reaches the MikroTik, but for some reason it does not connect, and to be honest I don't really understand why.

Mikrotik settings

# feb/16/2021 18:42:05 by RouterOS 6.46.8
# software id = XLWS-7H1N
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 7C30074A2CE2
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment=LAN eap-methods="" \
management-protection=allowed mode=dynamic-keys name=*** \
supplicant-identity="" wpa-pre-shared-key=*** wpa2-pre-shared-key=\
***
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
antenna-gain=0 band=2ghz-b/g/n comment=LAN country=russia disabled=no \
distance=indoors frequency=2437 frequency-mode=superchannel mode=\
ap-bridge security-profile=*** ssid=*** station-roaming=\
enabled tx-power=19 tx-power-mode=all-rates-fixed wireless-protocol=\
802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac country=\
russia disabled=no frequency=5280 frequency-mode=superchannel mode=\
ap-bridge security-profile=*** ssid=*** station-roaming=\
enabled tx-power=19 tx-power-mode=all-rates-fixed wireless-protocol=\
802.11
/interface wireless manual-tx-power-table
set wlan1 comment=LAN
/interface wireless nstreme
set wlan1 comment=LAN enable-polling=no
set wlan2 enable-polling=no
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec policy group
set [ find default=yes ] name=def
add name=ipsec
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp_pool0 ranges=192.168.2.2-192.168.2.12
add name=dhcp_pool1 ranges=192.168.0.140-192.168.0.200
add name=dhcp_pool2 ranges=192.168.0.150-192.168.0.175
add name=dhcp_pool3 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool4 ranges=192.168.2.2-192.168.2.254
add name=vpnpool ranges=192.168.0.236-192.168.0.240
/ip dhcp-server
add address-pool=dhcp_pool4 disabled=no interface=bridge1 name=dhcp1 relay=\
192.168.2.1
/ppp profile
add bridge=bridge1 local-address=vpnpool name=ovpn remote-address=vpnpool
add change-tcp-mss=yes dns-server=192.168.0.129 local-address=192.168.0.2 \
name=l2tp remote-address=vpnpool use-compression=yes use-encryption=no
add bridge=bridge1 change-tcp-mss=yes local-address=192.168.0.3 name=pptp \
remote-address=vpnpool use-compression=yes use-encryption=yes use-mpls=no \
use-upnp=no
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set authentication=mschap2 default-profile=l2tp ipsec-secret=*** \
use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=ovpn-server cipher=aes128 default-profile=ovpn \
enabled=yes require-client-certificate=yes
/interface pptp-server server
set authentication=mschap2 default-profile=default
/ip address
add address=192.168.2.1/24 disabled=yes interface=bridge1 network=192.168.2.0
add address=192.168.0.2/24 interface=ether2 network=192.168.0.0
/ip cloud
set update-time=no
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether5
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.2 name=router.lan
/ip firewall filter
add action=accept chain=input comment=L2TP disabled=yes dst-port=\
1701,500,4500 in-interface-list=all protocol=udp
add action=accept chain=input disabled=yes protocol=l2tp
add action=accept chain=input disabled=yes protocol=ipsec-esp
add action=accept chain=input dst-port=1194 in-interface-list=all log=yes \
protocol=tcp
/ip route
add distance=1 dst-address=10.8.10.0/24 gateway=192.168.0.1
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=*** password=*** profile=ovpn service=ovpn
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=88.147.254.230 secondary-ntp=88.147.254.230 \
server-dns-names=192.168.0.129


Client config

client
dev tun
proto tcp
remote <public ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 "C:\\OVPN\\OVL.p12"
auth-user-pass "C:\\OVPN\\auth.cfg"
askpass "C:\\OVPN\\keypass.cfg"
remote-cert-tls server
route 192.168.0.0 255.255.255.0 192.168.0.2
cipher AES-128-CBC
verb 3


Client log
2021-02-18 17:26:49 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2021-02-18 17:26:49 OpenVPN 2.5.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 28 2020
2021-02-18 17:26:49 Windows version 10.0 (Windows 10 or greater) 64bit
2021-02-18 17:26:49 library versions: OpenSSL 1.1.1h 22 Sep 2020, LZO 2.10
Enter Management Password:
2021-02-18 17:26:49 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2021-02-18 17:26:49 Need hold release from management interface, waiting...
2021-02-18 17:26:50 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2021-02-18 17:26:50 MANAGEMENT: CMD 'state on'
2021-02-18 17:26:50 MANAGEMENT: CMD 'log all on'
2021-02-18 17:26:50 MANAGEMENT: CMD 'echo all on'
2021-02-18 17:26:50 MANAGEMENT: CMD 'bytecount 5'
2021-02-18 17:26:50 MANAGEMENT: CMD 'hold off'
2021-02-18 17:26:50 MANAGEMENT: CMD 'hold release'
2021-02-18 17:26:50 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2021-02-18 17:26:50 TCP/UDP: Preserving recently used remote address: [AF_INET]айпи офиса:1194
2021-02-18 17:26:50 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-02-18 17:26:50 Attempting to establish TCP connection with [AF_INET] айпи офиса:1194 [nonblock]
2021-02-18 17:26:50 MANAGEMENT: >STATE:1613658410,TCP_CONNECT,,,,,,
2021-02-18 17:26:59 SIGTERM[hard,init_instance] received, process exiting
2021-02-18 17:26:59 MANAGEMENT: >STATE:1613658419,EXITING,init_instance,,,,,


An example of the MikroTik log for port 1194 during a connection attempt

18:54:21 firewall,info input: in:bridge1 out:(unknown 0), src-mac d4:6e:0e:a3:26:8c, proto TCP (SYN), внешний ip:1233->192.168.0.2:1194, len 48
18:54:22 firewall,info input: in:bridge1 out:(unknown 0), src-mac d4:6e:0e:a3:26:8c, proto TCP (SYN), внешний ip:1233->192.168.0.2:1194, len 48
18:54:24 firewall,info input: in:bridge1 out:(unknown 0), src-mac d4:6e:0e:a3:26:8c, proto TCP (SYN), внешний ip:1233->192.168.0.2:1194, len 48
18:54:28 firewall,info input: in:bridge1 out:(unknown 0), src-mac d4:6e:0e:a3:26:8c, proto TCP (SYN), внешний ip:1233->192.168.0.2:1194, len 48
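The four SYNs above arrive 1, 2 and 4 seconds apart, which is the retransmission backoff of a TCP client that never received a SYN-ACK; since the rule logs every packet matching dst-port 1194 on the input chain, a completed handshake would have produced an ACK line after the SYN. The script below is an added example, not part of the original question, that parses MikroTik firewall log lines in this format and flags flows showing that pattern. The log text inside it is constructed from the lines above, with 203.0.113.10 standing in for the redacted external IP, plus a second LAN-side flow added to show what a completed handshake looks like.

```python
import re
from datetime import datetime

# Matches the RouterOS firewall log format produced by a filter rule with log=yes,
# e.g. "18:54:21 firewall,info input: in:bridge1 out:(unknown 0), src-mac ..., proto TCP (SYN), A:p->B:q, len 48"
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<chain>\w+): "
    r"in:(?P<iface>\S+) out:[^,]*, (?:src-mac \S+, )?"
    r"proto TCP \((?P<flags>[^)]*)\), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

# Constructed sample: the four SYNs from the question (203.0.113.10 replaces the
# redacted external IP) followed by a LAN client whose handshake completes.
SAMPLE_LOG = """\
18:54:21 firewall,info input: in:bridge1 out:(unknown 0), src-mac d4:6e:0e:a3:26:8c, proto TCP (SYN), 203.0.113.10:1233->192.168.0.2:1194, len 48
18:54:22 firewall,info input: in:bridge1 out:(unknown 0), src-mac d4:6e:0e:a3:26:8c, proto TCP (SYN), 203.0.113.10:1233->192.168.0.2:1194, len 48
18:54:24 firewall,info input: in:bridge1 out:(unknown 0), src-mac d4:6e:0e:a3:26:8c, proto TCP (SYN), 203.0.113.10:1233->192.168.0.2:1194, len 48
18:54:28 firewall,info input: in:bridge1 out:(unknown 0), src-mac d4:6e:0e:a3:26:8c, proto TCP (SYN), 203.0.113.10:1233->192.168.0.2:1194, len 48
18:55:02 firewall,info input: in:bridge1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.0.50:50412->192.168.0.2:1194, len 52
18:55:02 firewall,info input: in:bridge1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (ACK), 192.168.0.50:50412->192.168.0.2:1194, len 40
"""


def parse_log(text):
    """Turn matching log lines into dicts; lines from other log topics are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["time"], "%H:%M:%S")
        ev["flags"] = {f.strip() for f in ev["flags"].split(",")}
        events.append(ev)
    return events


def analyze(text):
    """Group packets per 4-tuple and classify each flow's handshake state."""
    flows = {}
    for ev in parse_log(text):
        key = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        flows.setdefault(key, []).append(ev)

    report = []
    for key, evs in flows.items():
        evs.sort(key=lambda e: e["time"])
        syns = [e for e in evs if e["flags"] == {"SYN"}]
        # A bare ACK from the client after its SYN means the server's SYN-ACK arrived.
        completed = any("ACK" in e["flags"] and "SYN" not in e["flags"] for e in evs)
        gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(syns, syns[1:])]
        # Non-decreasing gaps between repeated SYNs are the client's retransmission backoff.
        backoff = len(gaps) >= 2 and all(later >= earlier for earlier, later in zip(gaps, gaps[1:]))
        if completed:
            verdict = "handshake completed"
        elif len(syns) >= 3 and backoff:
            verdict = ("SYN retransmitted with backoff, no ACK seen: the server never answered "
                       "(check its reply route and the output/forward rules)")
        else:
            verdict = "inconclusive"
        report.append({"flow": key, "syn_count": len(syns), "gaps_s": gaps,
                       "completed": completed, "verdict": verdict})
    return report


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["flow"], f["syn_count"], f["gaps_s"], f["verdict"])
```

Run it on a file of `/log print` output filtered to the firewall topic; a flow whose verdict reports retransmission with no ACK points at the server's reply path (routing or outbound filtering) rather than at the OpenVPN service itself, because the SYN did reach the input chain.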

1 answer(s)
Kubozoa, 2021-02-21
@Kubozoa

I figured it out: specifically, something was wrong with my DNS settings. In addition to the VPN problems, the MikroTik also could not download updates or ping any external address, while at the same time it distributed Wi-Fi with Internet access without any problems.
I tried switching to automatic configuration instead of a static IP, and everything started working; then the static settings were entered again and everything seems to be working fine.
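The answer says that switching the MikroTik to automatic (DHCP) addressing made everything work. The export in the question is consistent with that reading: `/ip route` contains only the 10.8.10.0/24 route and no default route, and the only `/ip dhcp-client` entry sits on ether5, which is a port of bridge1 (the export itself carries the comment that a DHCP client cannot run on a slave interface), so the router had no gateway through which to answer a SYN arriving from a public address. The script below is an added example, not from the original thread, that parses a RouterOS export and reports exactly those conditions; it also lists static addresses configured on bridge ports (192.168.0.2/24 is on ether2, another port of bridge1) as something to verify with `/ip address print`. The export inside it is a constructed excerpt of the relevant lines from the question.

```python
import re

# Constructed excerpt of the RouterOS export from the question, limited to the
# sections the audit needs (bridge ports, addresses, DHCP client, routes).
SAMPLE_EXPORT = """\
# feb/16/2021 18:42:05 by RouterOS 6.46.8
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.2.1/24 disabled=yes interface=bridge1 network=192.168.2.0
add address=192.168.0.2/24 interface=ether2 network=192.168.0.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether5
/ip route
add distance=1 dst-address=10.8.10.0/24 gateway=192.168.0.1
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Parse a RouterOS export into {section: [entry, ...]}.

    Each entry maps key -> value for one add/set command; a line ending in a
    backslash is joined with its continuation and '#' comments are skipped.
    (A quoted value split across a continuation is not reassembled exactly,
    which does not matter for the sections audited here.)
    """
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        verb, _, rest = line.partition(" ")
        entry = {"_verb": verb}
        entry.update({k: v.strip('"') for k, v in KV.findall(rest)})
        sections[current].append(entry)
    return sections


def enabled(entry):
    return entry.get("disabled", "no") != "yes"


def audit(text):
    """Report configuration states that leave the router without a path back to the Internet."""
    cfg = parse_export(text)
    slaves = {e["interface"] for e in cfg.get("/interface bridge port", []) if "interface" in e}
    routes = [r for r in cfg.get("/ip route", []) if enabled(r)]
    # A route with dst-address 0.0.0.0/0 (or none, which RouterOS treats the same) is a default route.
    default_routes = [r for r in routes if r.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0"]
    dhcp_clients = [e for e in cfg.get("/ip dhcp-client", []) if enabled(e)]
    dhcp_on_slave = [e["interface"] for e in dhcp_clients if e.get("interface") in slaves]
    dhcp_usable = [e["interface"] for e in dhcp_clients if e.get("interface") not in slaves]
    addr_on_slave = [e["address"] for e in cfg.get("/ip address", [])
                     if enabled(e) and e.get("interface") in slaves]

    findings = []
    for iface in dhcp_on_slave:
        findings.append(f"dhcp-client on {iface}: the interface is a bridge port, so the client "
                        f"will not run and cannot supply a dynamic default route")
    if not default_routes and not dhcp_usable:
        findings.append("no static default route and no usable dhcp-client: replies to "
                        "non-local addresses cannot be sent")
    for addr in addr_on_slave:
        findings.append(f"address {addr} is on a bridge port; check '/ip address print' for the invalid flag")
    return {
        "slave_ports": sorted(slaves),
        "default_routes": len(default_routes),
        "dhcp_client_on_slave": dhcp_on_slave,
        "address_on_slave": addr_on_slave,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT)["findings"]:
        print("-", line)
```

Feed it the output of `/export` from a router; an empty findings list means the device has at least one usable route to answer traffic that is forwarded to it from the Internet, which is the precondition a port-forwarded VPN server needs before any of its own settings matter.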
