libor777
just joined
Topic Author
Posts: 8
Joined: Tue Oct 20, 2009 8:15 pm
Location: Czech Republic

OpenVPN in mikrotik v6.10 DANGEROUS!

Tue Feb 18, 2014 3:38 pm

OpenVPN on MikroTik 6.10 with certificates built with easy-rsa 2.0 on Ubuntu 12.04.4

- install Ubuntu 12.04.04 64-bit in VirtualBox and start a terminal
- set a password for root and log in as root
sudo passwd root
sudo su

- install openvpn
apt-get install openvpn

- back up easy-rsa for router1 (my Ubuntu user = libor)
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /home/libor/openvpn/router1
cd /home/libor/openvpn/router1

- install nano and edit vars
apt-get install nano
nano ./vars

-- find EASY_RSA= and change it to
EASY_RSA="/home/libor/openvpn/router1"

-- change the key size to 4096 bit
export KEY_SIZE=4096

-- change the information in the certificates
export KEY_COUNTRY="CZ"
export KEY_PROVINCE="Czech Republic"
export KEY_CITY="Prague"
export KEY_ORG="company.cz"
export KEY_EMAIL="info@company.cz"
#export KEY_EMAIL=mail@host.domain (not used)
#export KEY_CN=changeme (will be set when creating the certificate)
export KEY_NAME="company.cz"
export KEY_OU="company.cz"

-- save and close ./vars

- create the link for openssl.cnf
cd /home/libor/openvpn/router1
ln -s openssl-1.0.0.cnf openssl.cnf

- load vars (alternatively: source ./vars)
. ./vars

- clean the keys directory if it exists
./clean-all

- build the CA; press Enter to accept the data from vars
- set the Common Name, for example vpn-ca
- Sign the certificate? [y/n] press y
- 1 out of 1 certificate requests certified, commit? [y/n] press y
./build-ca

- build the certificate for the server; press Enter to accept the data from vars
- Common Name: the full domain name router1.mydomain.cz
- Sign the certificate? [y/n] press y
- 1 out of 1 certificate requests certified, commit? [y/n] press y
./build-key-server router1

- build the certificate for client1; press Enter to accept the data from vars
- Common Name: press Enter if we want the default name [client1]
./build-key client1

- build the Diffie-Hellman parameters
./build-dh

- build TLS-AUTH
cd keys
openvpn --genkey -secret ta.key

Then set up the OpenVPN client with client1.crt, client1.key and ca.crt (I can post the OpenVPN client config here).

Then copy and import the server certificate router1.crt and key router1.key into MikroTik v6.10 and everything works!

My question is why? Why does the client certificate work if I do NOT set the date/time on the RouterBoard with v6.10 (the client certificates are out of date), while in version 5 it does not work!

Next question: why does the MikroTik v6.10 RouterBoard OpenVPN server work without ca.crt?

I think that your OpenVPN server in version 6.10 is not secure because it does not validate client certificates!

Now I have to downgrade my MikroTik RB951Ui-2HnD to version 5 and I don't know if this RB can run v5.
Last edited by libor777 on Tue Feb 18, 2014 7:57 pm, edited 1 time in total.
 
mrz
MikroTik Support
Posts: 7188
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: OpenVPN in mikrotik v6.10

Tue Feb 18, 2014 4:29 pm

It validates client certificate only when "require-client-certificate" is set.
 
libor777
just joined
Topic Author
Posts: 8
Joined: Tue Oct 20, 2009 8:15 pm
Location: Czech Republic

Re: OpenVPN in mikrotik v6.10

Tue Feb 18, 2014 6:41 pm

It validates client certificate only when "require-client-certificate" is set.
If I set require-client-certificate and set the time to the year 2026 on the RouterBoard, the client certificate must be out of date. In MikroTik v5 it is, but in v6.10 it is not.
 
libor777
just joined
Topic Author
Posts: 8
Joined: Tue Oct 20, 2009 8:15 pm
Location: Czech Republic

Re: OpenVPN in mikrotik v6.10

Tue Feb 18, 2014 7:53 pm

It validates client certificate only when "require-client-certificate" is set.
In MikroTik v5.26 with require-client-certificate active, if I import server.crt and server.key without ca.crt and connect to the RB, the log says "terminating - TLS handshake failed"; I must import ca.crt into MikroTik for the connection to succeed! If I then delete ca.crt from MikroTik v5.26 and reboot it, it is "terminating - TLS handshake failed" again!

In MikroTik v6.10 with require-client-certificate active, if I import server.crt and server.key, the connection works without ca.crt!

This is clear evidence that MikroTik v6 does not verify the validity of the client certificate and becomes potentially dangerous!
 
libor777
just joined
Topic Author
Posts: 8
Joined: Tue Oct 20, 2009 8:15 pm
Location: Czech Republic

Re: OpenVPN in mikrotik v6.10

Tue Feb 18, 2014 7:56 pm

Can I downgrade the RB951Ui-2HnD to v5.26 safely? => I downgraded successfully to v5.26. Good luck with v6 :)
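The point argued in the first post and in the v5.26 versus v6.10 comparison above is that a server with require-client-certificate must both chain the client certificate to ca.crt and check its validity period against the clock. The following is an added example, not code from the thread or from MikroTik, that reproduces those two checks with plain openssl on a throwaway PKI it builds itself; the names vpn-ca and client1 follow the easy-rsa steps, and a 400-day clock offset stands in for the "set the clock to 2026" experiment.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI built with plain openssl
# (mirroring the easy-rsa names above) plus the two checks a server with
# require-client-certificate must make: chain to ca.crt and validity at the clock.

# Build a constructed demo PKI in DIR: CA "vpn-ca" (10 years) and "client1"
# (365 days) signed by it.
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=vpn-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$dir/client1.key" -out "$dir/client1.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$dir/client1.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client1.crt" >/dev/null 2>&1
}

# verify_client_cert CERT CAFILE EPOCH
# Exit 0 only if CERT chains to CAFILE and is valid at EPOCH (empty = now).
# An empty CAFILE models a server never given ca.crt; the system store is
# disabled as well, so there is nothing the client certificate can chain to.
verify_client_cert() {
  cert=$1; cafile=$2; when=$3
  set -- verify
  if [ -n "$cafile" ]; then
    set -- "$@" -CAfile "$cafile"
  else
    set -- "$@" -no-CAfile -no-CApath
  fi
  if [ -n "$when" ]; then set -- "$@" -attime "$when"; fi
  openssl "$@" "$cert" >/dev/null 2>&1
}

# Epoch seconds ~400 days ahead: past client1's expiry, like the thread's
# experiment of setting the router clock to 2026.
future_epoch() { echo $(( $(date +%s) + 400 * 86400 )); }

report() {  # report LABEL CERT CAFILE EPOCH
  if verify_client_cert "$2" "$3" "$4"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

demo() {
  d=$(mktemp -d) && make_demo_pki "$d"
  report "CA present, clock correct"   "$d/client1.crt" "$d/ca.crt" ""
  report "CA present, clock +400 days" "$d/client1.crt" "$d/ca.crt" "$(future_epoch)"
  report "no CA imported"              "$d/client1.crt" "" ""
  rm -rf "$d"
}
demo
```

Only the first case should print "accepted"; a server that accepts the other two is behaving the way the thread describes for v6.10.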
 
vovannovig
Frequent Visitor
Posts: 50
Joined: Tue Feb 11, 2014 10:55 pm

Re: OpenVPN in mikrotik v6.10 DANGEROUS!

Thu Feb 20, 2014 10:43 am

Alas, OpenVPN still does not work now and the developers refuse to do it, and the worst thing, which compels me to give up using this equipment, is that the developer ignores letters on the forum and does not answer questions by email!
Such rudeness and disrespect I have never encountered. You can browse the topics that I raised; they are simply the same direction but on two different technologies, OpenVPN and L2TPv3.
