UDP OpenVPN on Mikrotik 7

Despite UDP being ubiquitous on pretty much any other OpenVPN platform, for a long while Mikrotik only supported TCP variant. With Mikrotik RouterOS 7 finally being released earlier this year, we at last got an UDP support for OpenVPN.

For some people UDP/TCP difference might not matter much. If you have a stable connection chances are you really don’t need to care – OpenVPN via TCP will serve you without any issues.

But, if you are dealing with multiple connections over a high latency and/or lossy network, UDP will be much faster as lost packets for one connection will not impact the other. How big the difference is? Well, I have a connection between USA and Croatia and it leaks like a sieve. My speed went from about 400 Kbps to 1000 Kbps just due to this change (tested using 2 parallel connections). I would say switching to UDP was well worth the effort for my use case.

Getting UDP enabled for OpenVPN server once you get Mikrotik 7.1 or higher running is trivial assuming you have OpenVPN via TCP already configured. You just change Protocol value to udp, update your client side with the same change (albeit for proto field) and you’re done.

But, in the interest of completeness, let’s see how one would create such config from scratch.

First we create all the certificate templates (give it at least 10 years validity):

Certificate templates
/certificate
add name=ca-template common-name=example.com days-valid=3650 \
key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 \
key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 \
key-size=2048 key-usage=tls-client

As far as OpenVPN server is concerned, you can use whatever you want for certificate’s common name. Since some other VPNs are not as forgiving (yes SSTP, I am looking at you), I made it a habit to use either external IP or the host name here.

Once we have templates sorted out, we can do the signing:

Certificate signing
/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

This should give you three files: cert_export_ca-certificate.crt, cert_export_client-certificate.crt, and cert_export_client-certificate.key. After copying these files to the computer for later I like to rename them to ca.crt, client.crt, and client.key respectively. It just makes everything a bit tidier.

Next we need a separate pool of IP addresses for clients. I will assume you have your clients in some other network (e.g. 192.168.1.x) and this new network is just for VPN:

DHCP pool
/ip
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99

Instead of editing the default encrypted profile, we can create a new one. If you use different DNS server, do change it here, and while at it, you should really use a bit more imaginative user/password pair:

VPN profile
/ppp
profile add name="vpn-profile" use-encryption=yes idle-timeout=10m \
local-address=192.168.8.250 dns-server=1.1.1.1 remote-address=vpn-pool \
secret add name=user profile=vpn-profile password=password

Finally, we can enable OpenVPN server interface:

OpenVPN server
/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes \
auth=sha1 cipher=aes128,aes192,aes256 enabled=yes protocol=udp

Assuming you’re using Windows, you can copy both ca.crt and client.crt to C:\Program Files\OpenVPN\config\ directory alongside client.ovpn. On Linux, one would do the same, just in the /etc/openvpn/client directory.

You don’t have client.ovpn? Well, one is in sample-config directory and we just need to change/add the highlighted items. And since we’re finally using UDP, we can leave proto as it is.

clinet.ovpn
client
dev tun
proto udp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3

A bit annoying step is being asked for the private key passphrase (in the addition to the username/password pair). Mikrotik doesn’t allow export without it but fortunately we can use OpenSSL to change that:

OpenSSL key adjustments
> openssl.exe rsa -in client.key -out client.key
Enter pass phrase for client.key: 12345678
writing RSA key

With this, your VPN connection should work like a charm.

PS: Do not forget to adjust firewall if necessary (TCP port 1194).

Firewall
/ip firewall filter
add chain=input protocol=udp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"

7 thoughts to “UDP OpenVPN on Mikrotik 7”

  1. Consider switching to wireguard! That’s a lot faster.
    AVM I going to support this soon, a few others already do. There is a solution for a raspberry if needed.

    1. I did consider it but frankly its not there yet for me. I am playing with Wireguard between two Mikrotik routers a few countries apart and NAT issues make it unworkable for me. I’m not sure if this is something Mikrotik-related or my personal setup though. Either way, I haven’t found fool-proof configuration for Wireguard on Mikrotik yet.

      In my experience SSTP is actually protocol that causes the least amount of problems when it comes to traversing unfriendly networks as it gets detected as HTTPS most of the time. Albeit SSTP has it’s own issues…

  2. Dear Josip,

    thanks for your great post. My scenario is that I have working OpenVpn service on MT through TCP and for the throughput reason, I would like to change (try) it to UDP. And so far without success. I followed your tutorial, surfed, and tried almost every google hit and documentation without a working solution. In UDP setup my OpenVPN does not connect.

    Would you be so kind and give me a hint about what would I need to try differently?

    Many Thanks,
    Samo


    GCM:AES-128-GCM). Future OpenVPN version will ignore –cipher for cipher negotiations. Add ‘AES-256-CBC’ to –data-ciphers or change –cipher ‘AES-256-CBC’ to –data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.
    Wed Jan 12 23:33:35 2022 Flag ‘def1’ added to –redirect-gateway (iservice is in use)
    Wed Jan 12 23:33:35 2022 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
    Wed Jan 12 23:33:35 2022 Windows version 10.0 (Windows 10 or greater) 64bit
    Wed Jan 12 23:33:35 2022 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
    Wed Jan 12 23:33:35 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
    Wed Jan 12 23:33:35 2022 Need hold release from management interface, waiting…
    Wed Jan 12 23:33:35 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘state on’
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘log all on’
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘echo all on’
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘bytecount 5’
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘hold off’
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘hold release’
    Wed Jan 12 23:33:41 2022 MANAGEMENT: CMD ‘password […]’
    Wed Jan 12 23:33:41 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]8x.1×9.x7.2×4:1194
    Wed Jan 12 23:33:41 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Jan 12 23:33:41 2022 UDP link local: (not bound)
    Wed Jan 12 23:33:41 2022 UDP link remote: [AF_INET]8x.1×9.x7.2×4:1194
    Wed Jan 12 23:33:41 2022 MANAGEMENT: >STATE:1642026821,WAIT,,,,,,
    Wed Jan 12 23:34:41 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Jan 12 23:34:41 2022 TLS Error: TLS handshake failed


    client

    client
    dev tun
    proto udp
    remote x.y.z.w 1194
    nobind
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server
    ca CA_Doma_Exprt.crt
    cert CLI_Doma_Exprt.crt
    key CLI_Doma_Exprt.key
    verb 3
    mute 10
    cipher AES-256-CBC
    auth SHA1
    auth-user-pass secret
    auth-nocache
    redirect-gateway autolocal


    Firewall I copied your command. Arp proxy on LAN Bridge.

    1. Hard to say frankly. Based on your log, packets are simply not coming back. To me this smells as either firewall or routing issue. Since you have the same server serving TCP OpenVPN without issues, I would think firewall.
      First thing I would try is to move filter higher up – it could be a deny above that’s blocking the packets.

    1. Dear Josip, Roberto,

      many thanks for your kind reply, sorry for my late reply.
      I have Mikrotik OpenVPN (all on the same device), the client is indeed Windows (11). This same setup works like a charm with the TCP configuration. But it is kind of slow(ish).
      I have two Synology servers to synchronize over the night so I would benefit from extra bandwidth that is why I consider at least test with the UDP.

      My scenario:
      – on mikrotik 7.1.1 , PPP; Interface, openvpn – change to UDP protokol (only change)
      – on Mikrotik 7.1.1, IP, firewall, filter rules – change from TCP to UDP (Chain-input, protocol UDP 17, dstport 1194, action-accept
      – /no NAT user configuration beside default masquerade/
      – on windows client – change proto from TCP to UDP (the only change). The same behavior is on my iPhone on wifi and LTE (A1).
      /- ISP does not block me in some way as I have my modem in Bridge /

      Thank you, wish you all the best,
      Samo

      1. Hello,

        as per my call to my ISP they enabled UDP (openvpn) traffic for my bridge and reboot – so it is finally working now!!! Thank you for your energy and good will, stay safe.

        Br, Samo

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.