10936 questions

13039 answers

20337 comments

27545 members

0 votes
79 views 9 comments
by

Hallo,

i would like to ask for some help.

I have a Mikrotik router and RUT950 (FW: 0.6.9.2)

When i connect RUT via OpenVPN on the router it shows what IP is it comming from (caller IP) and what IP has the router assignet to RUT.

Also in "network" - "openVPN" in RUT it shows the assignet IP.

I can access devices that are in router LAN but i can not access RUT from Routers side (from my PC). A have enabled remote access and as far as i tested with router Wifi as WAN for RUT i have noticed that RUT did not change it's IP. It is accessessable from it's first IP and not from the IP given by the router.

Example:
If RTU is connected to routers WiFi as WAN it gets assigned DHCP IP... 192.168.1.137
After it connects with VPN it gets IP: 192.168.1.72 on same wifi..

But the problem is that the RUT cant be accessed via VPN IP but still over it's first WAN IP.

Could anyone tell me what could be the problem?

Thanks.

1 Answer

0 votes
by

Hello,

If I understand correctly, you are using your Mikrotik router as the OpenVPN server and your RUT955 as the OpenVPN client. If not, please provide us with a topology diagram to understand better the scenario.

You can check a configuration example for a similar scenario on the following wikipage:

Setting up an OpenVPN tunnel between RUT and Mikrotik device - Teltonika Networks Wiki (teltonika-networks.com)

To make sure you can access the webUI, you should check the option System > Administration > Access Control > WebUI and enable the following options:

Make sure you reboot the VPN tunnel or the device after making any configuration change. If the problem persists after this, please recreate the issue, and share the Troubleshoot file (System > Administration > Troubleshoot > Troubleshoot file) so we can check the logs.

We do recommend to upgrade the firmware to the latest available version (RUT9_R_00.07.02.3) if possible.

Kind regards.

by

Yes. Mikrotik router is server/host and the RUT950 is client.

I have full access to teltonika webUI.
I had upgraded it to 0.7. version but did not like the new WebUI interface so downgraded it.

I have set up OpenVPN and also L2TP (both work the same way). It can connect to mikrotik (also mikrotik shows it's connected.
In network under OpenVPN it shows that ist connected and what IP it gets.. but i can't access RUT via that IP but it still works on old IP (if it's connected via Wifi of the router it's still active via give DHCP IP).

by

Hello,

From your topology diagram, I can see you OpenVPN network is 192.168.1.0 and your Mikrotik’s LAN network is also 192.168.1.0. I would recommend changing any of these networks to a different one (like 192.168.10.0) since it can create a conflict.

Make sure you reboot the VPN tunnel or the device after making any configuration change. If the issue persists after this, please recreate the issue, and share the Troubleshoot file (System > Administration > Troubleshoot > Troubleshoot file) so we can check the logs. To share the file, you can edit your first post and attach it.

Additionally, is there a reason you need to access the webUI though the VPN? Since you can access it through the WAN or LAN interface, you should be able do any configuration you require and share the password only with authorized personnel.

Regards.

by

Hallo,

I have set that the Open VPN assigned IPs are in same LAN as other devices on router.. but i have set that DHCP is only from .100 to .150.. so it should not cause any conflict. OpenVPN IPs are assigned from .70 to .75 for  "users"..

Did you mean to change mask to 255.255.252.0 and have other subnet for VPN?

I need VPN because my RUT is approx 400km away from my router and mobile data provider can't give me static IP or radius so i need a way to connect to it from distance. About other users.. the users are 70+ years old and need it only to access internet and watch TV.

by

Hi,

I see, in that case, you should change the netmask like you are saying or change the networks altogether, so they are separated and don’t overlap at all. Since you are trying to access from a PC on your mikrotik’s LAN, the gateway configuration might create confusion on the route.

Did you check the scenario I shared? This shows a configuration scheme where the OpenVPN pool is a different network than the LAN’s.

Setting up an OpenVPN tunnel between RUT and Mikrotik device - Teltonika Networks Wiki (teltonika-networks.com)

If the issue persists after rebooting and testing this, please recreate the failure scenario, and share the Troubleshoot file.

Best regards. 

by
I Have tried configured as in this link. i have also changed LAN on RUT to 10.3.100.0/24 but still the same problems..
by

Hello,

The recommendation was to change the networks of the OpenVPN network or the Mikrotik’s LAN, since those are the ones overlapping. Are you able to ping the RUT950’s OpenVPN IP from your Mikrotik’s LAN device?

It’s a bit hard to see what could be the issue without the troubleshoot file. But if you are unable to share it, I would recommend checking the firewall zone forwarding. You can go to option Network > Firewall > Zone Forwarding and verify that the rule form openvpn zone to LAN zone has “forward” as Default forwarding action:

RUT950 Firewall (legacy WebUI) - Teltonika Networks Wiki (teltonika-networks.com)

Kind regards.

by
My logs:

Fri Jul 22 19:59:09 2022 daemon.warn openvpn(client_VPN)[4548]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: OpenVPN 2.5.2 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Fri Jul 22 19:59:09 2022 daemon.warn openvpn(client_VPN)[4548]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 22 19:59:09 2022 daemon.warn openvpn(client_VPN)[4548]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: TCP_CLIENT link local: (not bound)
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Fri Jul 22 19:59:09 2022 daemon.notice openvpn(client_VPN)[4548]: TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=23ac167c 76390999
Fri Jul 22 19:59:10 2022 daemon.notice openvpn(client_VPN)[4548]: VERIFY OK: depth=1, CN=ca
Fri Jul 22 19:59:10 2022 daemon.notice openvpn(client_VPN)[4548]: VERIFY OK: depth=0, CN=server
Fri Jul 22 19:59:11 2022 user.notice root: Warning: this sim get method (gpio.sh get SIM) is deprecated. Consider usin    g ubus interface instead.
Fri Jul 22 19:59:12 2022 daemon.notice openvpn(client_VPN)[4548]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Fri Jul 22 19:59:12 2022 daemon.notice openvpn(client_VPN)[4548]: [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194

Fri Jul 22 19:59:13 2022 daemon.notice openvpn(client_VPN)[4548]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: PUSH: Received control message: 'PUSH_REPLY,ping 20,ping-restart 60,topology subnet,route-gateway 192.168.1.1,ifconfig 192.168.1.72 255.255.255.0'
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: OPTIONS IMPORT: timers and/or timeouts modified
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: OPTIONS IMPORT: --ifconfig/up options modified
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: OPTIONS IMPORT: route-related options modified
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: Using peer cipher 'AES-256-CBC'
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: net_route_v4_best_gw query: dst 0.0.0.0
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: net_route_v4_best_gw result: via 0.0.0.0 dev wwan0
Fri Jul 22 19:59:24 2022 daemon.notice openvpn(client_VPN)[4548]: /etc/openvpn/updown_dns tun_c_VPN 1500 1623 192.168.1.72 255.255.255.0 init
Fri Jul 22 19:59:25 2022 daemon.notice openvpn(client_VPN)[4548]: net_route_v4_add: 192.168.1.0/24 via 192.168.1.1 dev [NULL] table 0 metric -1
Fri Jul 22 19:59:25 2022 daemon.notice openvpn(client_VPN)[4548]: Initialization Sequence Completed
by

If i connect rut via wifi to mikrotiks wifi i can ping it to the DHCP IP that it gets.. when it connects with open VPN it gets another IP.. but i can still ping it to old ip and can't ping it to the IP it gets on VPN...

by

Hello,

It’s natural that you can still ping the RUT950’s wifi IP even after you connect to the VPN, if your wireless interface is still enabled. If you wish to disable this interface, you can go to option Network > Wireless and disable the interface.

I was under the impression that you could at least ping the Open VPN RUT955 IP from your mikrotik’s LAN. If that step is not completed, then the access to webUI also won't be possible. This process would be easier with the troubleshoot file to see the actual status of the VPN, the routes and firewall policies. If it’s not possible to share it, please share some screenshots of the VPN status (Service > VPN > OpenVPN), the tunnel routes (Status > Routes > Active IP Routes) and the firewall rule about port 1194 (Network > Firewall > Traffic Rules).

Did you change the network IP addresses of either the OpenVPN Network or the Mikrotik’s LAN?

Regards.