openvpn
Shamil, 2018-04-26 09:43:44

Why does the ovpn mikrotik connection drop?

There is a Mikrotik, and 99% of the client connections to it go via pptp, but unfortunately some providers block pptp connections if the subscriber does not have an external IP.
I decided to set up ovpn on it. I found the most recent of those that have a manual: https://www.youtube.com/channel/UCHBLOecDJKY2ICvjP...
I did everything like him, i.e. I generated a root certificate, a server certificate and a user certificate, then uploaded and installed them on the Mikrotik.
I configured the ovpn profile on the client.
And now it seems to connect, and it works. But no: after a minute and a half (sometimes more) the connection breaks, and in the logs the Mikrotik writes:

ovpn,debug,error,l2tp,45288,46360,45288,19116,46020,poe-out,l2tp,info,76,debug duplicate packet, dropping

I thought the problem was with the new version of openvpn, so I downloaded the stable version 2.3.18.
The problem did not disappear. I even recreated the key and re-uploaded it to the server/client.

ovpn client log

Thu Apr 26 09:35:19 2018 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 26 2017
Thu Apr 26 09:35:19 2018 Windows version 6.1 (Windows 7) 64bit
Thu Apr 26 09:35:19 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Thu Apr 26 09:35:20 2018 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Apr 26 09:35:20 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Apr 26 09:35:20 2018 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Thu Apr 26 09:35:21 2018 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
Thu Apr 26 09:35:21 2018 TCPv4_CLIENT link local: [undef]
Thu Apr 26 09:35:21 2018 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Thu Apr 26 09:35:21 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 26 09:35:21 2018 VERIFY OK: depth=1, C=RU, ST=RD, L=mkala, O=mycompany, OU=OvpnVHall, CN=ca, name=ca, [email protected]
Thu Apr 26 09:35:21 2018 VERIFY OK: nsCertType=SERVER
Thu Apr 26 09:35:21 2018 VERIFY OK: depth=0, C=RU, ST=RD, L=mkala, O=mycompany, OU=OvpnVHall, CN=server, name=server, [email protected]
Thu Apr 26 09:35:22 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Apr 26 09:35:22 2018 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 26 09:35:22 2018 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Apr 26 09:35:22 2018 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 26 09:35:22 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Apr 26 09:35:22 2018 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Thu Apr 26 09:35:35 2018 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Apr 26 09:35:35 2018 open_tun, tt->ipv6=0
Thu Apr 26 09:35:35 2018 TAP-WIN32 device [Подключение по локальной сети] opened: \\.\Global\{F21F8EC5-8E15-466B-81D9-AB2552870E0F}.tap
Thu Apr 26 09:35:35 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.30.0.2/255.255.255.0 on interface {F21F8EC5-8E15-466B-81D9-AB2552870E0F} [DHCP-serv: 172.30.0.0, lease-time: 31536000]
Thu Apr 26 09:35:35 2018 Successful ARP Flush on interface [19] {F21F8EC5-8E15-466B-81D9-AB2552870E0F}
Thu Apr 26 09:35:37 2018 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Thu Apr 26 09:35:37 2018 Initialization Sequence Completed
Thu Apr 26 09:36:53 2018 Connection reset, restarting [-1]
Thu Apr 26 09:36:53 2018 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Thu Apr 26 09:36:53 2018 Closing TUN/TAP interface
Thu Apr 26 09:36:53 2018 SIGUSR1[soft,connection-reset] received, process restarting
Thu Apr 26 09:36:58 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Apr 26 09:36:58 2018 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Thu Apr 26 09:36:59 2018 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
Thu Apr 26 09:36:59 2018 TCPv4_CLIENT link local: [undef]
Thu Apr 26 09:36:59 2018 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Thu Apr 26 09:37:00 2018 VERIFY OK: depth=1, C=RU, ST=RD, L=mkala, O=mycompany, OU=OvpnVHall, CN=ca, name=ca, [email protected]
Thu Apr 26 09:37:00 2018 VERIFY OK: nsCertType=SERVER
Thu Apr 26 09:37:00 2018 VERIFY OK: depth=0, C=RU, ST=RD, L=mkala, O=mycompany, OU=OvpnVHall, CN=server, name=server, [email protected]
Thu Apr 26 09:37:00 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Apr 26 09:37:00 2018 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 26 09:37:00 2018 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Apr 26 09:37:00 2018 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Apr 26 09:37:00 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Apr 26 09:37:00 2018 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Thu Apr 26 09:37:13 2018 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Apr 26 09:37:13 2018 open_tun, tt->ipv6=0
Thu Apr 26 09:37:13 2018 TAP-WIN32 device [Подключение по локальной сети] opened: \\.\Global\{F21F8EC5-8E15-466B-81D9-AB2552870E0F}.tap
Thu Apr 26 09:37:13 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.30.0.10/255.255.255.0 on interface {F21F8EC5-8E15-466B-81D9-AB2552870E0F} [DHCP-serv: 172.30.0.0, lease-time: 31536000]
Thu Apr 26 09:37:13 2018 Successful ARP Flush on interface [19] {F21F8EC5-8E15-466B-81D9-AB2552870E0F}
Thu Apr 26 09:37:15 2018 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Thu Apr 26 09:37:15 2018 Initialization Sequence Completed
Thu Apr 26 09:37:27 2018 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Thu Apr 26 09:37:27 2018 Closing TUN/TAP interface
Thu Apr 26 09:37:27 2018 SIGTERM[hard,] received, process exiting

client.ovpn

proto tcp-client
remote xxx.xxx.xxx.xxx
dev tap
nobind
persist-key
tls-client
ca ca.crt
cert client1.crt
key client1.key
ping 10
verb 2
ns-cert-type server
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass auth.cfg
route-method exe
route-delay 2
route 192.168.0.0 255.255.255.0 172.30.0.1

openvpn profile

name="openvpn" local-address=172.30.0.1
remote-address=ovpn-pool use-mpls=default
use-compression=no use-encryption=required
only-one=default change-tcp-mss=no use-upnp=no
address-list="" on-up="" on-down=""

/interface ovpn-server server print
enabled: yes
port: 1194
mode: ethernet
netmask: 24
mac-address: FE:D7:03:B1:B8:8E
max-mtu: 1500
keepalive-timeout: 60
default-profile: openvpn
certificate: server.crt_0
require-client-certificate: yes
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256


2 answer(s)
Shamil, 2018-04-27
@jawakharlal

Pavel Selivanov, in general, I tried this and that in the morning, and decided to change the cipher in the config: instead of AES-256-CBC, I used AES-128-CBC. I do not know if it is connected with this, but it has been 10 minutes now and the flight is normal.

Pavel Selivanov, 2018-04-26
@selivanov_pavel

In the client config, ping is 10, and in the mikrotik config, keepalive-timeout is 60. You can try temporarily turning it off in both places. And set verb 5 on the client and see what happens.
Also, you should try taking the configs from the official documentation: https://wiki.mikrotik.com/wiki/OpenVPN
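
Added example (not part of the thread or of either answer): a Python sketch that reads an OpenVPN client log like the one in the question and reports how long each tunnel stayed up after "Initialization Sequence Completed" and what ended it, so the effect of a ping/keepalive-timeout or cipher change can be compared run to run. The embedded lines are an excerpt of the posted log; the function and constant names are this example's own.

```python
import re
from datetime import datetime

# Excerpt of the client log posted in the question (lines copied unchanged).
SAMPLE_LOG = """\
Thu Apr 26 09:35:20 2018 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu Apr 26 09:35:20 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Apr 26 09:35:37 2018 Initialization Sequence Completed
Thu Apr 26 09:36:53 2018 Connection reset, restarting [-1]
Thu Apr 26 09:36:53 2018 SIGUSR1[soft,connection-reset] received, process restarting
Thu Apr 26 09:36:58 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Thu Apr 26 09:37:15 2018 Initialization Sequence Completed
Thu Apr 26 09:37:27 2018 SIGTERM[hard,] received, process exiting
"""

# "Thu Apr 26 09:35:37 2018 <message>"; lines without a timestamp are skipped.
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
SIGNAL = re.compile(r"^(SIG[A-Z0-9]+)\[([^\]]*)\] received")
UP = "Initialization Sequence Completed"


def sessions(log_text):
    """Return ([(uptime_seconds, end_reason), ...], [unique WARNING lines])."""
    up_since, ended, warnings = None, [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if msg.startswith("WARNING:"):
            if msg not in warnings:
                warnings.append(msg)
        elif msg == UP:
            up_since = ts  # tunnel is fully established from here
        elif up_since is not None:
            sig = SIGNAL.match(msg)
            if msg.startswith("Connection reset"):
                reason = "connection-reset"
            elif sig:
                reason = f"{sig.group(1)}[{sig.group(2)}]"
            else:
                continue
            ended.append((int((ts - up_since).total_seconds()), reason))
            up_since = None  # ignore follow-up lines of the same teardown
    return ended, warnings


if __name__ == "__main__":
    ended, warnings = sessions(SAMPLE_LOG)
    for uptime, reason in ended:
        print(f"tunnel up for {uptime:>4}s, ended by {reason}")
    print(*warnings, sep="\n")
```

On the posted log the first session lasts 76 seconds before the connection reset, and the second ends after 12 seconds with a hard SIGTERM, which is the client being stopped rather than a drop.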
