Hi
For a couple of years I have used these settings when I set up an OpenVPN server on MikroTik. This configuration works fine with OpenVPN client version 2.3.18 (old stable, released on 2017.09.26).
But after the release of the new version of the OpenVPN client I cannot connect to the VPN servers. Any ideas? THANK YOU!
Log from OpenVPN 2.3.18 - no problem, no issue
Mon May 28 17:03:33 2018 TLS: Initial packet from [AF_INET]####################:1194, sid=c33827a9 1af84c39
Mon May 28 17:03:34 2018 VERIFY OK: depth=0, CN=ca
Mon May 28 17:03:35 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 28 17:03:35 2018 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 28 17:03:35 2018 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 28 17:03:35 2018 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 28 17:03:35 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Log from OpenVPN 2.4.6 - UNABLE TO CONNECT
Mon May 28 16:47:41 2018 Attempting to establish TCP connection with [AF_INET]#############:1194 [nonblock]
Mon May 28 16:47:41 2018 MANAGEMENT: >STATE:1527518861,TCP_CONNECT,,,,,,
Mon May 28 16:47:42 2018 TCP connection established with [AF_INET]#############:1194
Mon May 28 16:47:42 2018 TCP_CLIENT link local: (not bound)
Mon May 28 16:47:42 2018 TCP_CLIENT link remote: [AF_INET]#############:1194
Mon May 28 16:47:42 2018 MANAGEMENT: >STATE:1527518862,WAIT,,,,,,
Mon May 28 16:47:42 2018 MANAGEMENT: >STATE:1527518862,AUTH,,,,,,
Mon May 28 16:47:42 2018 TLS: Initial packet from [AF_INET]#############:1194, sid=2bd5d2ac b49cfdcd
Mon May 28 16:47:43 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=ca
Mon May 28 16:47:43 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon May 28 16:47:43 2018 TLS_ERROR: BIO read tls_read_plaintext error
Mon May 28 16:47:43 2018 TLS Error: TLS object -> incoming plaintext read error
Mon May 28 16:47:43 2018 TLS Error: TLS handshake failed
Mon May 28 16:47:43 2018 Fatal TLS error (check_tls_errors_co), restarting
Configuration
My ovpn setup:
/certificate
add name=ca-template common-name=ca key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client-template common-name=client
sign ca-template name=ca
sign server-template ca=ca name=server
sign client-template ca=ca name=client
set ca trusted=yes
set server trusted=yes
export-certificate ca
export-certificate client export-passphrase=#######
All of the certificates are: 2048
Ovpn server
Auth: sha1 (other options unchecked)
Cipher: aes 256 (other options unchecked)
Mode IP
PPP Profile
Use Encryption: yes
ovpn client config
dev tun
proto tcp-client
remote ############# 1194
ca ca.crt
cert client.crt
key client.key
tls-client
port 1194
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass
route 192.168.5.0 255.255.255.0
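
Added diagnostic example (not part of the original post): this Python snippet pairs the depth-0 `VERIFY ERROR` in the 2.4.6 log with the `key-usage` of the RouterOS template that has the same common name. The function names are hypothetical, and the set of key usages treated as acceptable for a TLS server leaf is an assumption modeled on OpenSSL's "SSL server" purpose check.

```python
import re

# VERIFY lines copied from the two client logs in the post above.
SAMPLE_LOG = """\
Mon May 28 17:03:34 2018 VERIFY OK: depth=0, CN=ca
Mon May 28 16:47:43 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=ca
"""
# RouterOS template lines copied from the post above.
SAMPLE_TEMPLATES = """\
add name=ca-template common-name=ca key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client-template common-name=client
"""

VERIFY_RE = re.compile(r"VERIFY (OK|ERROR): depth=(\d+), (?:error=(.+?): )?CN=(\S+)")
# Assumption: when a keyUsage extension is present, a TLS server leaf needs at
# least one of these usages (RouterOS spelling of the X.509 bit names).
TLS_LEAF_USAGES = {"digital-signature", "key-encipherment", "key-agreement"}

def parse_verify(log):
    """Return (status, depth, error, cn) for every VERIFY line; error is None on OK."""
    return [(m[1], int(m[2]), m[3], m[4]) for m in VERIFY_RE.finditer(log)]

def parse_templates(text):
    """Map common-name -> set of key usages, or None when the line sets none."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("add "):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        ku = fields.get("key-usage")
        result[fields["common-name"]] = set(ku.split(",")) if ku else None
    return result

def explain(log, templates):
    """For each depth-0 purpose error, report the key usage of the same-CN template."""
    usages = parse_templates(templates)
    findings = []
    for status, depth, error, cn in parse_verify(log):
        if (status, depth, error) != ("ERROR", 0, "unsupported certificate purpose"):
            continue
        ku = usages.get(cn)
        # None means the usage is not stated on the page, so nothing is concluded.
        usable = None if ku is None else bool(ku & TLS_LEAF_USAGES)
        findings.append({"cn": cn, "key_usage": sorted(ku) if ku else None,
                         "tls_leaf_usable": usable})
    return findings

if __name__ == "__main__":
    for finding in explain(SAMPLE_LOG, SAMPLE_TEMPLATES):
        print(finding)
```

Depth 0 is the certificate the peer itself presented, so the finding shows that the certificate offered on port 1194 carries the CA template's common name and only the signing usages.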