UDP OpenVPN on Mikrotik 7

Despite UDP being ubiquitous on pretty much any other OpenVPN platform, for a long while Mikrotik only supported TCP variant. With Mikrotik RouterOS 7 finally being released earlier this year, we at last got an UDP support for OpenVPN.

For some people UDP/TCP difference might not matter much. If you have a stable connection chances are you really don't need to care - OpenVPN via TCP will serve you without any issues.

But, if you are dealing with multiple connections over a high latency and/or lossy network, UDP will be much faster as lost packets for one connection will not impact the other. How big the difference is? Well, I have a connection between USA and Croatia and it leaks like a sieve. My speed went from about 400 Kbps to 1000 Kbps just due to this change (tested using 2 parallel connections). I would say switching to UDP was well worth the effort for my use case.

Getting UDP enabled for OpenVPN server once you get Mikrotik 7.1 or higher running is trivial assuming you have OpenVPN via TCP already configured. You just change Protocol value to udp, update your client side with the same change (albeit for proto field) and you're done.

But, in the interest of completeness, let's see how one would create such config from scratch.

First we create all the certificate templates (give it at least 10 years validity):

Certificate templates
/certificate
add name=ca-template common-name=example.com days-valid=3650 \
key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 \
key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 \
key-size=2048 key-usage=tls-client

As far as OpenVPN server is concerned, you can use whatever you want for certificate's common name. Since some other VPNs are not as forgiving (yes SSTP, I am looking at you), I made it a habit to use either external IP or the host name here.

Once we have templates sorted out, we can do the signing:

Certificate signing
/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

And then exporting certificate material:

Certificate export
/certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=12345678

This should give you three files: cert_export_ca-certificate.crt, cert_export_client-certificate.crt, and cert_export_client-certificate.key. After copying these files to the computer for later I like to rename them to ca.crt, client.crt, and client.key respectively. It just makes everything a bit tidier.

Next we need a separate pool of IP addresses for clients. I will assume you have your clients in some other network (e.g. 192.168.1.x) and this new network is just for VPN:

DHCP pool
/ip
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99

Instead of editing the default encrypted profile, we can create a new one. If you use different DNS server, do change it here, and while at it, you should really use a bit more imaginative user/password pair:

VPN profile
/ppp
profile add name="vpn-profile" use-encryption=yes idle-timeout=10m \
local-address=192.168.8.250 dns-server=1.1.1.1 remote-address=vpn-pool \
secret add name=user profile=vpn-profile password=password

Finally, we can enable OpenVPN server interface:

OpenVPN server
/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes \
auth=sha1 cipher=aes128,aes192,aes256 enabled=yes protocol=udp

Assuming you're using Windows, you can copy both ca.crt and client.crt to C:\Program Files\OpenVPN\config\ directory alongside client.ovpn. On Linux, one would do the same, just in the /etc/openvpn/client directory.

You don't have client.ovpn? Well, one is in sample-config directory and we just need to change/add the highlighted items. And since we're finally using UDP, we can leave proto as it is.

clinet.ovpn
client
dev tun
proto udp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3

A bit annoying step is being asked for the private key passphrase (in the addition to the username/password pair). Mikrotik doesn't allow export without it but fortunately we can use OpenSSL to change that:

OpenSSL key adjustments
> openssl.exe rsa -in client.key -out client.key
Enter pass phrase for client.key: 12345678
writing RSA key

With this, your VPN connection should work like a charm.

PS: Do not forget to adjust firewall if necessary (TCP port 1194).

Firewall
/ip firewall filter
add chain=input protocol=udp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"

22 thoughts to “UDP OpenVPN on Mikrotik 7”

  1. Consider switching to wireguard! That’s a lot faster.
    AVM I going to support this soon, a few others already do. There is a solution for a raspberry if needed.

    1. I did consider it but frankly its not there yet for me. I am playing with Wireguard between two Mikrotik routers a few countries apart and NAT issues make it unworkable for me. I’m not sure if this is something Mikrotik-related or my personal setup though. Either way, I haven’t found fool-proof configuration for Wireguard on Mikrotik yet.

      In my experience SSTP is actually protocol that causes the least amount of problems when it comes to traversing unfriendly networks as it gets detected as HTTPS most of the time. Albeit SSTP has it’s own issues…

  2. Dear Josip,

    thanks for your great post. My scenario is that I have working OpenVpn service on MT through TCP and for the throughput reason, I would like to change (try) it to UDP. And so far without success. I followed your tutorial, surfed, and tried almost every google hit and documentation without a working solution. In UDP setup my OpenVPN does not connect.

    Would you be so kind and give me a hint about what would I need to try differently?

    Many Thanks,
    Samo


    GCM:AES-128-GCM). Future OpenVPN version will ignore –cipher for cipher negotiations. Add ‘AES-256-CBC’ to –data-ciphers or change –cipher ‘AES-256-CBC’ to –data-ciphers-fallback ‘AES-256-CBC’ to silence this warning.
    Wed Jan 12 23:33:35 2022 Flag ‘def1’ added to –redirect-gateway (iservice is in use)
    Wed Jan 12 23:33:35 2022 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
    Wed Jan 12 23:33:35 2022 Windows version 10.0 (Windows 10 or greater) 64bit
    Wed Jan 12 23:33:35 2022 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
    Wed Jan 12 23:33:35 2022 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
    Wed Jan 12 23:33:35 2022 Need hold release from management interface, waiting…
    Wed Jan 12 23:33:35 2022 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘state on’
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘log all on’
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘echo all on’
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘bytecount 5’
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘hold off’
    Wed Jan 12 23:33:36 2022 MANAGEMENT: CMD ‘hold release’
    Wed Jan 12 23:33:41 2022 MANAGEMENT: CMD ‘password […]’
    Wed Jan 12 23:33:41 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]8x.1×9.x7.2×4:1194
    Wed Jan 12 23:33:41 2022 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Wed Jan 12 23:33:41 2022 UDP link local: (not bound)
    Wed Jan 12 23:33:41 2022 UDP link remote: [AF_INET]8x.1×9.x7.2×4:1194
    Wed Jan 12 23:33:41 2022 MANAGEMENT: >STATE:1642026821,WAIT,,,,,,
    Wed Jan 12 23:34:41 2022 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Wed Jan 12 23:34:41 2022 TLS Error: TLS handshake failed


    client

    client
    dev tun
    proto udp
    remote x.y.z.w 1194
    nobind
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server
    ca CA_Doma_Exprt.crt
    cert CLI_Doma_Exprt.crt
    key CLI_Doma_Exprt.key
    verb 3
    mute 10
    cipher AES-256-CBC
    auth SHA1
    auth-user-pass secret
    auth-nocache
    redirect-gateway autolocal


    Firewall I copied your command. Arp proxy on LAN Bridge.

    1. Hard to say frankly. Based on your log, packets are simply not coming back. To me this smells as either firewall or routing issue. Since you have the same server serving TCP OpenVPN without issues, I would think firewall.
      First thing I would try is to move filter higher up – it could be a deny above that’s blocking the packets.

    2. We had same problem. For some reason UDP packets are getting lost causing TLS handshake failure or connection timeouts at random. We switched back to TCP. Btw, we have CCR2004-16G-2S+ router running 7.1.3 RouterOS. I bet it is a bug in RouterOS. We are now considering using IPSec VPN instead of OVPN. OVPN is a bit neglected by Mikrotik.

    1. Dear Josip, Roberto,

      many thanks for your kind reply, sorry for my late reply.
      I have Mikrotik OpenVPN (all on the same device), the client is indeed Windows (11). This same setup works like a charm with the TCP configuration. But it is kind of slow(ish).
      I have two Synology servers to synchronize over the night so I would benefit from extra bandwidth that is why I consider at least test with the UDP.

      My scenario:
      – on mikrotik 7.1.1 , PPP; Interface, openvpn – change to UDP protokol (only change)
      – on Mikrotik 7.1.1, IP, firewall, filter rules – change from TCP to UDP (Chain-input, protocol UDP 17, dstport 1194, action-accept
      – /no NAT user configuration beside default masquerade/
      – on windows client – change proto from TCP to UDP (the only change). The same behavior is on my iPhone on wifi and LTE (A1).
      /- ISP does not block me in some way as I have my modem in Bridge /

      Thank you, wish you all the best,
      Samo

      1. Hello,

        as per my call to my ISP they enabled UDP (openvpn) traffic for my bridge and reboot – so it is finally working now!!! Thank you for your energy and good will, stay safe.

        Br, Samo

      2. bump.

        Perhaps anyone found something new regarding the issue?

        (I think I am suffering from the same symptoms:
        everything works with TCP, but when just changing the protocol to UDP on both sides i get messages flooding the log on routeros 7.5, and tls timeout on the client)

  3. # Config OVPN v2.5
    client
    dev tun
    proto udp
    remote example.com 1194
    route 192.168.1.0 255.255.255.0
    cipher AES-256-CBC
    data-ciphers AES-256-CBC
    auth SHA1
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    auth-user-pass
    auth-nocache
    verb 3

    1. I know that there must be certificates in the file. I only provided config. As for the route, it must be entered, because if I do not enter it, I have access to devices in the local network, but I do not have the Internet.

    2. I know that there must be certificates in the file. I only provided config. As for the route, it must be entered, because if I do not enter it, I have access to devices in the local network, but I do not have the Internet.

  4. But you need to add certificates to the koinfig file or like external files. Set the route under the remote network. OVPN 2.5 doesn’t crash any bugs.

  5. Hi Medo,

    is it possible to have just one .ovpn file with all information in it so that I can use it in thirdparty apps?
    It`s possible when I have freeovpn server on ubuntu but with mikrotik I haven`t had luck..
    Thanks,
    Matija

  6. Can you explain better about certificate creation. I do not understand how to get the .key file as stated above. I only get the .crl files.

  7. Hi, I followed your guide, but I am not able to set up the vpn from my Windows10 PC. After I have entered the Private Key Passphrase I get an error “read UDP: Unknown error (code=10054)”.
    I paused my firewall protection in the PC, but the fault remains.
    In the Mikrotik server is in the firewall a rule: chain=input action=accept protocol=udp dst-port=1194 log=yes log-prefix=”openvpn”. There are no drop rules with a lower line number.

    This my log:
    2023-04-19 16:58:56 Restart pause, 5 second(s)
    2023-04-19 16:59:01 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
    2023-04-19 16:59:01 Socket Buffers: R=[65536->65536] S=[65536->65536]
    2023-04-19 16:59:01 UDP link local: (not bound)
    2023-04-19 16:59:01 UDP link remote: [AF_INET]x.x.x.x:1194
    2023-04-19 16:59:01 MANAGEMENT: >STATE:1681916341,WAIT,,,,,,
    2023-04-19 16:59:01 read UDP: Unknown error (code=10054)
    2023-04-19 16:59:03 read UDP: Unknown error (code=10054)
    2023-04-19 16:59:07 read UDP: Unknown error (code=10054)
    2023-04-19 16:59:15 read UDP: Unknown error (code=10054)
    2023-04-19 16:59:31 read UDP: Unknown error (code=10054)
    2023-04-19 17:00:01 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    2023-04-19 17:00:01 TLS Error: TLS handshake failed
    2023-04-19 17:00:01 SIGUSR1[soft,tls-error] received, process restarting
    2023-04-19 17:00:01 MANAGEMENT: >STATE:1681916401,RECONNECTING,tls-error,,,,,
    2023-04-19 17:00:01 Restart pause, 5 second(s)
    2023-04-19 17:00:06 SIGTERM[hard,init_instance] received, process exiting
    2023-04-19 17:00:06 MANAGEMENT: >STATE:1681916406,EXITING,init_instance,,,,,
    —————————————————
    And this is my config:
    # Configuration for Windows OpenVPN client
    # use char ; to comment line

    client
    dev tun

    # We can replace TCP with UDP since Mikrotik RouterOS version 7.1
    proto udp

    remote x.x.x.x 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun

    # Copy files to C:\Program Files\OpenVPN\config.
    ca myCa_Mariadonk.crt
    cert clientLT.crt
    key clientLT.key

    remote-cert-tls server
    cipher AES-128-CBC

    # We must use data-ciphers otherwise we get TLS key negotiation failed – TLS handshake failed from Mikrotik
    data-ciphers AES-128-CBC

    auth SHA512

    # User authentication
    # provide credentials for user in secret.cfg
    auth-user-pass
    ;auth-user-pass secret.cfg

    # Push a default route to a client so Internet traffic flows via Mikrotik
    redirect-gateway def1

    # Add route to reach PC on primary subnet 192.168.88.0/24. This is required only when we do not push a default route with “redirect-gateway def1”
    ;route 192.168.88.0 255.255.255.0 192.168.100.1

    verb 3
    auth-nocache
    —————————————————
    Do you have any suggestions?

  8. Hi, thanks for the guide, it works perfectly! a question, if I wanted a split tunnel what should I do? I would like to avoid internet traffic on the VPN… Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *