With certificates for openvpn generated with RouterOS 6.42.9 my openvpn server on Mikrotik router works properly. When certificates are generated with Openssl and imported as per https://wiki.mikrotik.com/wiki/Manual:C ... n_RouterOS Mikrotik openvpn server does not work. Below is log from the openvpn client running under UBUNTU 20.4.
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 19 2021
library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
TCP/UDP: Preserving recently used remote address: [AF_INET]62.2.157.138:1194
Socket Buffers: R=[131072->131072] S=[16384->16384]
Attempting to establish TCP connection with [AF_INET]62.2.157.138:1194 [nonblock]
TCP connection established with [AF_INET]62.2.157.138:1194
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET]62.2.157.138:1194
TLS: Initial packet from [AF_INET]62.2.157.138:1194, sid=340fa99f 8590a612
ERIFY OK: depth=1, C=CH, ST=Aargau, L=xxx, O=xxx, OU=xxx, CN=xxxxxx, emailAddress=xxxx
Certificate does not have key usage extension
VERIFY KU ERROR
OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
BIO read tls_read_plaintext error
TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
TCP/UDP: Closing socket
Could you please advice?
Re: openvpn certicates problem
I have same problem. No resulution.
Re: openvpn certicates problem
Can you, please, attach your RouterOS configuration and a sanitized (i.e.: remove all sensitive data) copy of your OpenVPN configuration file. Also, if you can post the specific commands (sanitized) you used when generating the certificate files with OpenSSL that would be helpful.
I have used RoS OpenVPN server with the OpenVPN client (Windows, Mac, Linux and mobile devices) without a problem but there are some specific items that aren't supported by MikroTik routers (yet) so your configuration needs to be adjusted accordingly.
I have used RoS OpenVPN server with the OpenVPN client (Windows, Mac, Linux and mobile devices) without a problem but there are some specific items that aren't supported by MikroTik routers (yet) so your configuration needs to be adjusted accordingly.