
I apologize if this question has already been asked and answered, but I have been looking for an answer to this for a while without any luck.

The background: we have several Mikrotik routers with RouterOS v6.39.2 that are located all over the city; the routers are behind NAT and connected to our OpenVPN server that we use for management and monitoring. The protocol we use for OpenVPN is TCP, since UDP for OpenVPN is not supported by Mikrotik.

The problem: from time to time we observe response delays that occur randomly. There is no specific router or time when the issue occurs; we constantly monitor the CPU load and traffic and there are no anomalies on the graphs at the time this is happening, but when we simultaneously ping the OpenVPN server from the Mikrotik via its public and private IP addresses using the Mikrotik ping utility, we see that packets drop only inside the tunnel.

Here is the /etc/openvpn/server.conf:

dev tun
port 1194
proto tcp
dh .key/dh1024.pem
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
username-as-common-name
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist ipp.txt
ca .key/ca.crt
cert .key/server.crt
key .key/server.key
server 10.48.0.0 255.255.128.0
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD"
client-cert-not-required
client-to-client
push "route 10.48.0.0 255.255.128.0"
push "route-gateway 10.48.0.1"

And here are the ping results:

Ping to the OpenVPN server's public IP

Ping through the tunnel

Snake
  • UDP isn't supported? That is a *huge* red flag that calls into question MikroTik's decision-making capabilities. – EEAA Jun 30 '17 at 11:42
  • Do you have fasttrack enabled in your firewall? It messes with VPNs, so that could be the cause. – pilsetnieks Jun 30 '17 at 18:56
  • I have a similar situation in terms of needs and usage. I currently have 50-70 mikrotiks connected (most of them are 2011, 951, 962). Those use different firmwares; the oldest is 6.12 and the newest 6.40.4. FastTrack is enabled on some of them. The differences in our setups I see are: I'm using tap (layer 2/ISO OSI), certificate authorization and no default gateway. Tunnel speed varies depending on the condition of the WAN link, but a CPU with quite a high frequency like in the rb962 is capable of doing ~20 Mbps easily (simplex, aes-256, sha-1), which is fine for me (sysadmin managing purposes). – Michal Sokolowski Nov 08 '17 at 13:23
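A way to automate the side-by-side check the question describes (ping the server's public address and its address inside the tunnel at the same time, then compare loss), as an added example that is not part of the original post: it parses the summary lines of Linux iputils `ping` output (an assumed format; the RouterOS ping tool prints differently) and classifies whether loss is confined to the tunnel. The ping output and the 203.0.113.10 public address are constructed samples; 10.48.0.1 is the tunnel gateway from the config above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Summary lines printed by Linux iputils ping (assumed output format), e.g.
# "10 packets transmitted, 7 received, 30% packet loss, time 9012ms"
_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) received")
_RTT = re.compile(r"rtt min/avg/max/mdev = [\d.]+/([\d.]+)/[\d.]+/[\d.]+ ms")

@dataclass
class PingStats:
    sent: int
    received: int
    avg_rtt_ms: Optional[float]  # None when no reply at all came back

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent if self.sent else 0.0

def parse_ping(output: str) -> PingStats:
    """Extract sent/received counts and average RTT from one ping run's output."""
    m = _SUMMARY.search(output)
    if not m:
        raise ValueError("no ping summary line found")
    rtt = _RTT.search(output)
    return PingStats(int(m.group(1)), int(m.group(2)), float(rtt.group(1)) if rtt else None)

def classify(public: PingStats, tunnel: PingStats, threshold_pct: float = 5.0) -> str:
    """'underlay': the WAN path itself loses packets, so the VPN is not the cause;
    'tunnel': only the OpenVPN path drops (the symptom in the question); 'ok': neither."""
    if public.loss_pct >= threshold_pct:
        return "underlay"
    if tunnel.loss_pct >= threshold_pct:
        return "tunnel"
    return "ok"

# Constructed sample output (not real captures): 203.0.113.10 stands in for the
# server's public IP, 10.48.0.1 for its address inside the tunnel.
PUBLIC_SAMPLE = """--- 203.0.113.10 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9013ms
rtt min/avg/max/mdev = 13.1/14.6/17.9/1.3 ms
"""
TUNNEL_SAMPLE = """--- 10.48.0.1 ping statistics ---
10 packets transmitted, 6 received, 40% packet loss, time 9020ms
rtt min/avg/max/mdev = 15.0/21.7/48.2/9.8 ms
"""
```

Running two `ping -c 10` commands in parallel from a cron job and feeding both outputs to `classify` gives a single "underlay"/"tunnel"/"ok" label per interval that can be logged or alerted on, which separates OpenVPN-side trouble from plain WAN loss.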

2 Answers


The OpenVPN implementation on MikroTik is crippled. It can barely work and its performance is terrible (either on bandwidth or latency), especially on non-x86 routers.
People have been asking for UDP and LZO support for ages and MikroTik simply refuses to implement those.
Here's Normis' (MikroTik staff) reply on the subject:

OpenVPN is very very buggy and hard to implement. Our developers almost all committed suicide trying to make it work. It's a big mess, so we can't continue to implement it 100%

This reply is from 2010 and they still haven't implemented those features. So you can draw your own conclusions about MikroTik's OpenVPN implementation.
Here's the whole thread if you are interested: https://forum.mikrotik.com/viewtopic.php?f=1&t=26499

If you need better stability/performance (and security) you should look into some other solution like GRE over IPsec, or EoIP over IPsec.
I've been using these protocols for many years and they work flawlessly.

But if you can't get the routers to work without NAT then you could try SSTP, but since this is also TCP based, the performance and latency are not the best. There's also L2TP over IPsec.

In any case, your problem is an implementation one at the MikroTik side, so you can't actually fix it. Only MikroTik can. You can only try other protocols and see what fits your needs better.

Of course there's always the possibility that your configuration is bad (as mentioned in the comments already, FastTrack rules can mess up a lot of stuff in MikroTik if you don't know what you are doing).

Cha0s
  • @pilsetnieks We don't use FastTrack, so there must be something else. Thanks for the assumption though! – Snake Jul 05 '17 at 19:28
  • Thank you for the detailed answer; it is much appreciated. I was out of ideas and googling was not helping either, so I decided to seek advice here. We decided to try switching to L2TP + IPsec and see what comes of it. If this helps us get the issue solved, I will get back and leave a comment here. – Snake Jul 05 '17 at 19:28
  • @Snake How did the switch to L2TP + IPsec work out for you? – Jakub Gocławski Feb 19 '18 at 14:38

It is possible to use UDP on MikroTik hardware. You can install a WRT instance in the MetaROUTER. It's a buggy implementation, but it is possible to use a meta to get OpenVPN UDP. I had used it before with iPECS phones in "VPN" mode.

I will add to this solution a little more when I dig up my notes; it might help someone else in the future.

Scobber