Configuring OpenVPN

technog0d · Tue Aug 14, 2007 5:53 pm

Can someone please post a how-to on configuring th OpenVPN server on routeros and then the client side. Specifically, does the routeros generate the certificate? The whole process would be nice.

Thanks in advance...

Wed Aug 15, 2007 1:25 pm

RouterOS router does not generate the certificate, you have to use your own certificate and import it at /certificate and it should be decrypted by 'certificate decrypt'.

Client mode has teh following configuration options,
("interface ovpn-client"):
connect-to:
port:
user:
password:
certificate: If server is asking for private certificate.
auth: HMAC alghoritm to use.
cipher: make sure it is matching the server side configuration.
mode: configuration for encapsulation options, also it should match server side configuration.
mac-address: interface mac-address, ja mode=ethernet
profile:
add-default-route:

Note, that currently TCP tunnel is supported only.

technog0d · Wed Aug 15, 2007 4:15 pm

i am really more interested in the server side for openvpn on Routeros. It does not seem like there is a provision for user auth on the server side. How do you make sure that the openvpn server is only allowing specified users. Is the certificate the only method of authorization?

Thanks Again...

Wed Aug 15, 2007 4:30 pm

As far as I know you may specify clients at 'ppp profile', in the same way as for PPTP, L2TP.

OpenVPN server options ("interface ovpn-server server"):
enabled:
port:
mode:
netmask:
mac-address: server interface mac-address
max-mtu:
keepalive-timeout:
default-profile: ppp profile
certificate: server certificate
require-client-certificate: if certificate should be used on client
auth:
cipher:

burkon · Tue Sep 04, 2007 5:48 pm

Anybody got this Up and running?
When I connect to Router OS 3.0 rc4 in server mode I receive this error:

Tue Sep 04 16:43:29 2007 us=462832 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 04 16:43:29 2007 us=463073 TLS Error: TLS handshake failed

No need to tell you that network connectivity is not the Problem.
For me the main problem is that I actually have no clue how to configure
the server side.

Is there some type of docu out there?

Or at least has anybody out there a working set of Router OS Server and PC Client
Windows or Linux should not be the issue since the config is the same.

Thanks
Ekkehard

Wed Sep 05, 2007 4:11 pm

Ekkehard,
post your configuration here from Open-VPN server,
what OS is used on the client side ?

burkon · Thu Sep 06, 2007 9:56 am

Ekkehard,
post your configuration here from Open-VPN server,
what OS is used on the client side ?

Hope that is all the relevant stuff.
Client OS is Windows 2000 with OpenVPN 2.0.7

Thanks
Ekkehard

/ip pool
add name="vpn_pool1" ranges=192.168.224.2-192.168.224.250

/ppp profile
set default change-tcp-mss=yes comment="" name="default" only-one=default \
use-compression=default use-encryption=default use-vj-compression=default
add change-tcp-mss=yes comment="" local-address=192.168.224.1 name="openvpn" \
only-one=default remote-address=vpn_pool1 use-compression=default \
use-encryption=required use-vj-compression=default

/interface ovpn-server server
set auth=sha1,md5 certificate=home.dev-null.de \
cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn \
enabled=yes keepalive-timeout=60 mac-address=FE:F1:BB:9B:A4:AC \
max-mtu=1400 mode=ip netmask=32 port=1194 require-client-certificate=yes

marlow · Mon Sep 17, 2007 10:00 pm

I was looking at this and am getting similar errors. I've tried to set things up as Ekkehard and see exact the same issue. Release is Router 3.0rc4.

Could anyone post a working server setup (Mikrotik being the server ?). Might shed a bit more light into things.

In my case the client is Debian and OpenVPN 2.09

/Martin

tschlegel · Fri Oct 12, 2007 3:28 pm

It seems to be that MT needs TLS, otherwise it will kill the connection after 1 minute.
You have to setup the openvpn at the linux-side with tls.
It seems to be that MT currently only supports pkcs12 certificates for openvpn.

Simple howto (Debian as Server, MT as client):
# copy easy-rsa to /etc/openvpn:
cp /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
# edit the file vars:
vi vars
# import vars and build-ca
. ./vars
./clean-all
./build-ca # set "OpenVPN-CA" as common name (or anything else you want as CN)
./build-key-server # set "server" as common name (or anything else you want as CN)
./build-dh
# build cert for client1 (MT):
./build-cert-pkcs12 client1 # set "client1" as common name (or anything else you want as CN)
### copy keys/client1.* to MT and import the client1.p12

add this to your openvpn config at debian:
cipher BF-CBC
auth SHA1
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
proto tcp-server # MT currently only supports tcp

# MT needs that openvpn assign ip addresses...
server 192.168.10.0 255.255.255.0

## At MT set the same cipher and auth as above and set the cert to the first cert
## which was created after import (the cert with the flags "KR" at /certificates)

Best regards,
Timo Schlegel

acidbits · Sun Oct 14, 2007 7:21 pm

I'm testing OpenVPN client on a RB133C with v3.0rc6. I know it's a beta, and it's first time I try it. This version is extremely slow, sure it's a bug. It lasts a lot to boot and establish the OpenVPN connection. Each time I enable/disable OpenVPN client, or try to import a certificate, or whatever, RouterOS crash.

As is the first time I try it, and gone stright forward to try OpenVPN, don't know if this issue comes from OpenVPN or it's "normal" for this Beta running on RB133C.

a.

pingus · Tue Oct 16, 2007 5:06 pm

Did it one the other way around, MT as server and linux as client?

I can open a connection but I can not ping MT and the client doesn't receive an IP from the router.

acidbits · Tue Oct 16, 2007 5:40 pm

Did it one the other way around, MT as server and linux as client?

I can open a connection but I can not ping MT and the client doesn't receive an IP from the router.

No, I've just tested MK as client and Linux-box as server. and it works.

a.

pingus · Wed Oct 17, 2007 10:01 am

This is good for you but doesn't helps me

Here is my linux config:

  dev tun0
  proto tcp-client
  ifconfig 10.10.11.34 10.10.11.33 #because I don't receive an IP address

  remote mt.fqdn.tld 1194

  ca /etc/ssl/certs/root.pem #CAcert root certificate
  cert client.cert
  key  client.key

  tls-client
  tls-remote mt.fqdn.tld

  port 1194

  user nobody
  group nogroup

  comp-lzo

  ping 15
  ping-restart 45
  ping-timer-rem
  persist-tun
  persist-key

  mute-replay-warnings
  verb 3

MT config

/interface ovpn-server 
add comment="" disabled=no name="ovpn-in1" user="" 
/interface ovpn-server server 
set auth=sha1,md5 certificate=rb532 cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=profile1 enabled=yes keepalive-timeout=disabled \
    mac-address=FE:ED:07:A3:D1:17 max-mtu=1500 mode=ip netmask=32 port=1194 \
    require-client-certificate=yes 

/ppp profile 
set default change-tcp-mss=yes comment="" name="default" only-one=default \
    use-compression=default use-encryption=default use-vj-compression=default 
add bridge=lan change-tcp-mss=yes comment="" local-address=10.10.11.33 \
    name="profile1" only-one=default remote-address=10.10.11.34 \
    use-compression=default use-encryption=required use-vj-compression=default 
set default-encryption change-tcp-mss=yes comment="" name="default-encryption" \
    only-one=default use-compression=default use-encryption=yes \
    use-vj-compression=default 

/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 \
    protocol=tcp

Hopefully I added all relevant config.

acidbits · Wed Oct 17, 2007 8:42 pm

Maybe you need to add this to you linux config:

cipher BF-CBC
auth SHA1

I don't have any rboard at home to test right now, sorry.

pingus · Thu Oct 25, 2007 12:03 pm

How do I have to configure the firewall to get MT as OpenVPN server running?

pingus · Mon Oct 29, 2007 12:38 pm

As I could test with 2 RouterOS the firewall isn't a problem. Two RouterOS are connecting well.

Is it possible that OpenVPN Server on RouterOS is waiting for a username? Can I send a username from OpenVPN Client running on Linux?

pingus · Mon Oct 29, 2007 2:50 pm

Finally I got OpenVPN working to the point where I have a registred connection. I also get an IP address. Now I have to find out how to ping across the two routers.

Here are my linux client settings:

dev tun0
  proto tcp-client

  remote example.com 1194

  ca root.pem
  cert client.cert
  key  client.key

  tls-client
  tls-remote example.com

  port 1194

  user nobody
  group nogroup

  comp-lzo

  ping 15
  ping-restart 45
  ping-timer-rem
  persist-tun
  persist-key

  mute-replay-warnings

  verb 3

  cipher AES-256-CBC
  auth SHA1
  pull

  auth-user-pass auth.conf

inside auth.conf you have to enter the username on the first line and on the second line the password of the user you want to login.

I hope this will help someone else.

Mon Oct 29, 2007 3:20 pm

you can make a wiki article on this, if you are sure it works every time

also write the RouterOS config there. go here:

http://wiki.mikrotik.com/wiki/OpenVPN

and hit the Edit button (after logging in)

pingus · Mon Oct 29, 2007 3:52 pm

Sure, I will do this as soon as I fixed ping issues.

marlow · Fri Nov 09, 2007 12:22 am

I've tried to get OpenVPN going proper for a while now. RouterOS client to Linux Server no problem. But RouterOS client to RouterOS server always ends up with:

00:08:57 ovpn,info TCP connection established from 192.168.0.2
00:08:57 ovpn,info <ovpn-0>: dialing...
00:08:58 ovpn,info <ovpn-0>: terminating... - TLS handshake failed
00:08:58 ovpn,info <ovpn-0>: disconnected

The same RouterOS client has no problems connecting to a Linux OpenVPN server without configuration change.

I then tried to follow the wiki, that pingus has put together. Still NO GO. Both boxes are now 3.0rc9, still with those issues (were 3.0rc5 before).

Anyhow, I've send supout.rif's of both boxes to support, let's see, what they come up with.

/Martin

marlow · Sun Nov 11, 2007 2:29 am

require-client-certificate was the problem. That doesn't seem to work yet. Once set to "no", both Linux and RouterOS clients will connect.

Bugger. Anyhow, I've updated the Wiki article at http://wiki.mikrotik.com/wiki/OpenVPN, so it should cover all angles and hopefully also the potholes now.

/Martin

thavinci · Fri May 02, 2008 1:19 pm

acidbits : How do you get openvpn to work with usernames & passwords?
Currently i have a working solution that lets clients connect with their certificates only.

However it seems MT doesnt allow you to NOT specify a username!

venoushcz · Sat Nov 01, 2008 7:02 pm

I've tried to get OpenVPN going proper for a while now. RouterOS client to Linux Server no problem. But RouterOS client to RouterOS server always ends up with:

00:08:57 ovpn,info TCP connection established from 192.168.0.2
00:08:57 ovpn,info <ovpn-0>: dialing...
00:08:58 ovpn,info <ovpn-0>: terminating... - TLS handshake failed
00:08:58 ovpn,info <ovpn-0>: disconnected

The same RouterOS client has no problems connecting to a Linux OpenVPN server without configuration change.

I then tried to follow the wiki, that pingus has put together. Still NO GO. Both boxes are now 3.0rc9, still with those issues (were 3.0rc5 before).

Anyhow, I've send supout.rif's of both boxes to support, let's see, what they come up with.

/Martin

Hi!
I have the Linux server oVPN working fine. Linux and Windows clients are connecting succesfully. I'm not able to connect with the ROS client. Please cen you give me a short walk-through on how to make it work? I know there are more ppl that would be happy to read it.

Thank you for help.

thavinci · Tue Jul 07, 2009 12:11 pm

I still cannot get openvpn client connecting to a unix/linux openvpn server.

It seems i still cannot create a client without specifying a user-name!
I don't use user names/passwords, only certificates.

Chupaka · Tue Jul 07, 2009 2:34 pm

yesss, only username+password, no certificates

mrz · Tue Jul 07, 2009 2:58 pm

or
username+password+certificate

thavinci · Tue Jul 07, 2009 3:08 pm

Unfortunately that would require a redo of the server and loss of current clients....

NAB · Sun Oct 04, 2009 11:34 pm

Anyhow, I've updated the Wiki article at http://wiki.mikrotik.com/wiki/OpenVPN, so it should cover all angles and hopefully also the potholes now.

These updates are now out of date and I have corrected one obvious mistake I found. However...

The command '/interface ovpn-server server [name] cipher=none' is invalid as on the server, 'none' is not a valid option for 'cipher' in ROS 3.29 or 3.30. It is a valid option on the client though, so I assume that this is a bug and have e-mailed support accordingly.

risipetillo · Mon Mar 22, 2010 5:25 am

I've followed the WIKI and I'm having similar problems when I try to get my ROS OVPN Client (v3.30) to speak to my ROS OVPN Server (v3.30).

I get the following error: terminating ... TLS Handshake Failed

I don't understand where I'm going wrong. PLEASE HELP !!!

Kindly see my configuration below:

SERVER SIDE CONFIGURATION

/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38

/ppp profile add change-tcp-mss=default comment="" local-address=10.15.32.33 \
name="PROFILE" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default

/ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=ovpn

/interface ovpn-server server set auth=sha1,md5 \
cipher=blowfish128,aes128,aes192,aes256 default-profile=PROFILE\
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=443 require-client-certificate=no

FIREWALL RULE TO ALLOW ACCESS:

ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=443 protocol=tcp

CLIENT CONFIGURATION:

/interface ovpn-client \
add name="ovpn-out1" connect-to=W.X.Y.Z port=443 mode=ip user="username" password="password" profile=default \
certificate=none cipher=aes256 add-default-route=no

roadracer96 · Tue Mar 23, 2010 1:34 am

Default profile on client side is no encryption. You are requiring encryption on the server side. Cant negotiate encryption if one side isnt configured to use it.

Thatd be my guess..

risipetillo · Tue Mar 23, 2010 7:12 pm

As far as I understand the "cipher= xxxx" is where we would enable encryption or not.

I have encryption on both the Server and Client side:

/interface ovpn-server server set auth=sha1,md5 \
cipher=blowfish128,aes128,aes192,aes256 default-profile=PROFILE\
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=443 require-client-certificate=no

FIREWALL RULE TO ALLOW ACCESS:

ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=443 protocol=tcp

CLIENT CONFIGURATION:

/interface ovpn-client \
add name="ovpn-out1" connect-to=W.X.Y.Z port=443 mode=ip user="username" password="password" profile=default \
certificate=none cipher=aes256 add-default-route=no

roadracer96 · Wed Mar 24, 2010 5:47 am

Yeah, I just tried it. It doesnt matter for OVPN.

Did you try putting a cert in on the server? I never have run w/o a cert on the server before.

mrz · Wed Mar 24, 2010 8:08 am

On a server you need CA and "server" certificates, otherwise OVPN will not work.

risipetillo · Thu Mar 25, 2010 4:47 pm

I've put a cert on the server, and on the client and still nothing.

Can someone show me their working config, I don't know what I'm doing wrong here.

Additionally, I have an L2TP server running on the same box without any issues: clients are able to connect via L2TP without a problem. Just having a problem with OpenVPN.

PLEASE HELP, I'm getting my butt handed to me by this Mikrotik box ... lol

roadracer96 · Thu Mar 25, 2010 6:26 pm

Do you have a cert installed and assigned to the openvpn server AND the CA cert that signed it?

risipetillo · Thu Mar 25, 2010 6:35 pm

Yup, I used EASY-RSA Method prescribed in the Wiki.

This is what I have:

Kindly see below:

SERVER

ppp secret:

name="username" service=ovpn caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0

Ovpn Pool:

2 ovpn-pool 10.15.32.34-10.15.32.38

PPP Profile:

ppp profile print
Flags: * - default
0 * name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes

1 name="Beya_Voip" local-address=10.15.32.33 remote-address=ovpn-pool use-compression=default use-vj-compression=default
use-encryption=required only-one=default change-tcp-mss=default

Ovpn-Server Server:
interface ovpn-server server print

enabled: yes
port: 443
mode: ip
netmask: 29
mac-address: FE:50:A6:C5:67:B9
max-mtu: 1500
keepalive-timeout: disabled
default-profile: Beya_Voip
certificate: cert1
require-client-certificate: yes
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256

CLIENT

interface ovpn-client print detail

Flags: X - disabled, R - running
0 name="ovpn-out1" mac-address=FE:84:A8:9E:19:43 max-mtu=1500 connect-to=172.16.0.1 port=443 mode=ip user="username"
password="password" profile=default certificate=cert1 auth=sha1 cipher=aes256 add-default-route=no

LOG

21:43:01 ovpn,info TCP connection established from W.X.Y.Z
21:43:02 ovpn,info TCP connection established from W.X.Y.Z
21:43:05 ovpn,info TCP connection established from W.X.Y.Z
21:43:05 ovpn,info TCP connection established from W.X.Y.Z

PING from Client:

ping 10.15.32.33
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout

roadracer96 · Thu Mar 25, 2010 9:22 pm

Your user is assigned to the default profile and the default profile doesnt have an ip pools. Assign the user to the Beya_voip profile.

risipetillo · Thu Mar 25, 2010 11:26 pm

Ok, I've set my client profile to: Beya_Voip

> ppp profile print
name="username" service=ovpn caller-id="" password="password" profile=Beya_Voip routes="" limit-bytes-in=0 limit-bytes-out=0

Still not working:

Can you post a working example.

CLIENT:

> interface ovpn-client print detail
Flags: X - disabled, R - running
0 name="ovpn-out1" mac-address=FE:84:A8:9E:19:43 max-mtu=1500 connect-to=172.16.0.1 port=443 mode=ip user="username"
password="password" profile=default certificate=cert1 auth=none cipher=blowfish128 add-default-route=no

Client Logs:

16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:33 ovpn,info TCP connection established from 172.16.0.254

Server Logs:

16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:33 ovpn,info TCP connection established from 172.16.0.254

SERVER CONFIG

> ppp profile print
Flags: * - default
0 * name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes

1 name="Beya_Voip" local-address=10.15.32.33 remote-address=ovpn-pool use-compression=default use-vj-compression=default
use-encryption=required only-one=default change-tcp-mss=default

> ppp secret print
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
6 username ovpn password Beya_Voip

> ip pool print
# NAME RANGES
2 ovpn-pool 10.15.32.34-10.15.32.38

> interface ovpn-server server print
enabled: yes
port: 443
mode: ip
netmask: 29
mac-address: FE:50:A6:C5:67:B9
max-mtu: 1500
keepalive-timeout: disabled
default-profile: Beya_Voip
certificate: cert1
require-client-certificate: yes
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256

roadracer96 · Fri Mar 26, 2010 12:59 am

Default profile is "Customer" which is for people authenticated via RADIUS. Irrelevant here, but I included it just so it made sense.

/ppp profile
add change-tcp-mss=no comment="" local-address=10.0.0.1 name=PSGVPN only-one=\
no use-compression=no use-encryption=required use-vj-compression=no
add change-tcp-mss=no comment="" local-address=10.16.128.1 name=Customer \
only-one=no use-compression=no use-encryption=required \
use-vj-compression=no

/interface ovpn-server server
set auth=sha1 certificate=fw-1 cipher=aes128,aes192,aes256 default-profile=\
Customer enabled=yes keepalive-timeout=60 mac-address=FE:1D:10:11:78:AB \
max-mtu=1500 mode=ip netmask=32 port=1194 require-client-certificate=yes

/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
name=someone password=something profile=PSGVPN remote-address=\
10.0.0.2 routes="" service=ovpn

And for the client:

/ppp profile
set default-encryption change-tcp-mss=default comment="" name=\
default-encryption only-one=default use-compression=default \
use-encryption=required use-vj-compression=default
/interface ovpn-client
add add-default-route=no auth=sha1 certificate=usercert cipher=aes256 \
comment="" connect-to=1.2.3.4 disabled=no mac-address=\
00:00:00:00:00:00 max-mtu=1500 mode=ip name=ovpn-out1 password=\
somepass port=1194 profile=default-encryption user=someuser

risipetillo · Fri Mar 26, 2010 6:03 pm

Following your example it worked !!!!

I had to reboot my RB450 (not too sure why) before it started working.

I now have two clients configured for it.

Thanks a million.

For a second there I was loosing hope in this forum ....

Thanks again.

Pada · Fri Sep 23, 2011 1:16 am

risipetillo: you're my saviour!

I had to reboot my RouterOS v5.2 x86 before the MikroTik OpenVPN server worked with my RHEL v6 OpenVPN client.

theprism · Sun Jan 27, 2013 10:49 pm

Hello,

Does anyone knows how to generate the certificates without having a real domain and without having a root/admin/etc. mail (e.g. root@bla-bla.bla.com)?

Thank you,
Alex C.

Pada · Sun Jan 27, 2013 10:58 pm

Have a look at OpenVPN's Easy RSA stuff: http://openvpn.net/index.php/open-sourc ... ement.html

Alternatively you can create certificates with OpenSSL command line application.

metalcated · Thu May 02, 2013 5:42 pm

I followed the Wiki page and mostly feel I have VPN working minus being able to actually connect outside of my network. I am new to MikroTik and RouterOS but have background with similar setup's.

When I try to connect .. client -> server -->

Thu May 02 10:33:09 2013 OpenVPN 2.3.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar 28 2013
Enter Management Password:
Thu May 02 10:33:09 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu May 02 10:33:09 2013 Need hold release from management interface, waiting...
Thu May 02 10:33:09 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu May 02 10:33:09 2013 MANAGEMENT: CMD 'state on'
Thu May 02 10:33:09 2013 MANAGEMENT: CMD 'log all on'
Thu May 02 10:33:09 2013 MANAGEMENT: CMD 'hold off'
Thu May 02 10:33:09 2013 MANAGEMENT: CMD 'hold release'
Thu May 02 10:33:09 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu May 02 10:33:09 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu May 02 10:33:09 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu May 02 10:33:09 2013 Socket Buffers: R=[516096->516096] S=[172032->172032]
Thu May 02 10:33:09 2013 MANAGEMENT: >STATE:1367505189,RESOLVE,,,
Thu May 02 10:33:10 2013 Attempting to establish TCP connection with [AF_INET]1.2.3.4:1194
Thu May 02 10:33:10 2013 MANAGEMENT: >STATE:1367505190,TCP_CONNECT,,,
Thu May 02 10:33:10 2013 TCP connection established with [AF_INET]1.2.3.4:1194
Thu May 02 10:33:10 2013 TCPv4_CLIENT link local: [undef]
Thu May 02 10:33:10 2013 TCPv4_CLIENT link remote: [AF_INET]1.2.3.4:1194
Thu May 02 10:33:10 2013 MANAGEMENT: >STATE:1367505190,WAIT,,,
Thu May 02 10:33:10 2013 MANAGEMENT: >STATE:1367505190,AUTH,,,
Thu May 02 10:33:10 2013 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=2f7c2caf b8722829
Thu May 02 10:33:10 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu May 02 10:33:11 2013 VERIFY OK: depth=1, C=US, ST=ST, L=City, O=Company, OU=changeme, CN=changeme, name=changeme, emailAddress=mgomon@myemail.com
Thu May 02 10:33:11 2013 VERIFY OK: depth=0, C=US, ST=ST, L=City, O=Company, OU=changeme, CN=changeme, name=changeme, emailAddress=mgomon@myemail.com
Thu May 02 10:33:13 2013 Connection reset, restarting [0]
Thu May 02 10:33:13 2013 SIGUSR1[soft,connection-reset] received, process restarting
Thu May 02 10:33:13 2013 MANAGEMENT: >STATE:1367505193,RECONNECTING,connection-reset,,
Thu May 02 10:33:13 2013 Restart pause, 5 second(s)

1.2.3.4 = WAN IP

here is my setup -->

/interface ovpn-client> print
 0    name="ovpn-mgomon1" mac-address=FE:26:1F:6C:D3:14 max-mtu=1500 connect-to=1.2.3.1 por
      user="mgomon" password="mypassword" profile=GNSYR certificate=mgomon1 auth=sha1 cipher=
      add-default-route=no

/interface ovpn-server> print
0     ovpn-username           mgomon

/interface ovpn-server server> print
                     enabled: yes
                        port: 1194
                        mode: ip
                     netmask: 29
                 mac-address: FE:39:12:7E:5B:72
                     max-mtu: 1500
           keepalive-timeout: disabled
             default-profile: GNSYR
                 certificate: gnsyrap01
  require-client-certificate: no
                        auth: sha1,md5
                      cipher: blowfish128,aes128,aes192,aes256

These are just test certificates -->

/certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa, C - crl 
 0 KR  name="gnsyrap01" subject=C=US,ST=ST,L=City,O=Company,OU=changeme,CN=changeme,name=changeme,
        emailAddress=mgomon@myemail.com
       issuer=C=US,ST=ST,L=City,O=Company,OU=changeme,CN=changeme,name=changeme,
       emailAddress=mgomon@myemail.com
       serial-number="01" email=mgomon@myemail.com invalid-before=may/01/2013 21:19:01 
       invalid-after=apr/29/2023 21:19:01 trusted=yes 

 2 KR  name="mgomon1" subject=C=US,ST=ST,L=City,O=Company,OU=changeme,CN=changeme,name=changeme,
        emailAddress=mgomon@myemail.com
       issuer=C=US,ST=ST,L=City,O=Company,OU=changeme,CN=changeme,name=changeme,
       emailAddress=mgomon@myemail.com
       serial-number="02" email=mgomon@myemail.com invalid-before=may/01/2013 21:28:03 
       invalid-after=apr/29/2023 21:28:03 trusted=yes

/ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                        
 0   ;;; default wifi configuration
     10.0.0.1/24        10.0.0.0        lan-wireless-bgn                                                                 
 1 X ;;; default server configuration
     10.0.1.1/24        10.0.1.0        lan-servers-e5                                                                   
 2   ;;; default lan configuration
     10.0.0.1/24        10.0.0.0        lan-e2                                                                           
 3   ;;; default lan-vpn configuration
     10.15.30.31/24     10.15.30.0      lan-e2                                                                           
 4 D 1.2.3.4/20   1.2.3.0     wan-e1

/ip pool> print         
 3 ovpn-private                                                                           10.15.32.34-10.15.32.38

/ip route> print
 0 ADS  0.0.0.0/0                          1.2.3.1               0
 1 ADC  10.0.0.0/24        10.0.0.1        wan-lan-bridge            0
                                           wan-lan-bridge    
 2 X S  10.0.1.1/32                        10.0.1.1                  1
 3 ADC  10.15.30.0/24      10.15.30.31     wan-lan-bridge            0
 4 ADC  1.2.3.0/20     1.2.3.4   wan-e1                    0

/ip firewall nat> print
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=wan-e1

/ppp profile> print
 1   name="GNSYR" local-address=10.15.32.33 remote-address=ovpn-private use-mpls=default use-compression=default 
     use-vj-compression=default use-encryption=required only-one=default change-tcp-mss=default address-list=""

[mgomon@gnsyrap01] /ppp secret> print 
 #   NAME                 SERVICE CALLER-ID                PASSWORD                PROFILE                REMOTE-ADDRESS 
 0   mgomon               any                             mypass           default

For this test I disabled Rule 3

/ip firewall filter> print
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established 

 2   ;;; default configuration
     chain=input action=accept connection-state=related 

 3 X ;;; default configuration
     chain=input action=drop in-interface=wan-e1 

 4   ;;; OpenVPN
     chain=input action=accept protocol=tcp dst-port=1194

Client Config -->

proto tcp-client

remote my.wan_hostname.com 1194
dev tap

route add 10.20.30.0 mask 255.255.255.0 10.15.30.31

nobind
persist-key

tls-client
ca ca.crt # Root certificate in the same directory as this configuration file.
cert mgomon1.crt
key  mgomon1.key
ping 10
verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg

Any help in the right direction would be appreciated! Thanks.

felted67 · Thu May 02, 2013 11:46 pm

Hi !

Just a small question (not to complicate that stuff at all):

Did someone got openVPN-Server running in conjunction with PPPoE-Client ?

(Here´s my posting about that: http://forum.mikrotik.com/viewtopic.php?f=1&t=72072)

Thanks

Greetz.......Detlef