OVPN Clinet - link established but not connected - RouterOS 7.6

deadManN · Wed Oct 26, 2022 1:32 am

Dear folks,

I have this OVPN configuration:

dev tun
proto udp
remote <server IP> 1433
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
<Removed for the server owner security>
-----END CERTIFICATE-----

</ca>


###############################################################################
# Client certificate and key.
#
# A pair of client certificate and private key is required in case you want to
# use the certificate authentication.
#
# To enable it, uncomment the lines below.
# Paste your certificate in the <cert> block and the key in the <key> one.

<cert>
-----BEGIN CERTIFICATE-----
<Removed for the server owner security>
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
<Removed for the server owner security>
-----END PRIVATE KEY-----
</key>

In Windows, it works fine with the OpenVPN Client
but: it won't in the Mikrotik... also It wouldn't even establish the connection, until I upgrade router OS to 7.x to allow UDP connection

I'm using Winbox... and I'm doing:

** NOTE: I can not understand the detail of the OVPN file

PPP -> Profile > Add Profie:
- General
- - Name: ovpn...
- - bridge learning: default
- - Change TCP MSS: default
- Protocols
- - IP v6: no
- - MPLS: no
- - Compression: no
- - Encryption: yes

System -> Certificates -> Certificates -> import:
- name: ovpn...
- <The actual x.ovpn file> (it does contain the three keys as I put above)
- passpharase: <EMPTY>

Interface -> ADD OVPN:
- General
- - Name: ovpn-out1
- Dial Out
- - Connect To: <Server IP>
- - Port: 1433
- - Mode: ip
- - Protocol: udp
- - User & Pass: <OK>
- - Profile: ovpn...
- - Certificate: ovpn...
- - Verify Server Cerificate: false
- - TLS Version: any
- - Auth: SHA1
- - Cipher: AES 128
- - Use Peer DNS: yes
- - Add Default Route: false

It says: status: link established... but it won't change to connected...

Device Logs:

Topics          | Message
------------------------------
ovpn, info    | initializing ...
ovpn, info    | connecting ...
ovpn, info    | disconnected <could not negotiate TLS in time>
ovpn, info    | terminating ... could not negotiate TLS in time
ovpn, info    | disconnected

deadManN · Wed Oct 26, 2022 7:44 pm

I really need this, could anyone help?

Sob · Fri Oct 28, 2022 12:05 am

There's nothing clearly incompatible. How about certificates? After importing them, you should have two, one with T flag (trusted) without key, and another also with K flag (has private key). In OVPN client, did you select the one with key?

You should also have Verify Server Cerificate enabled, but it's not breaking the connection if not.

deadManN · Fri Oct 28, 2022 12:21 am

There's nothing clearly incompatible. How about certificates? After importing them, you should have two, one with T flag (trusted) without key, and another also with K flag (has private key). In OVPN client, did you select the one with key?

You should also have Verify Server Cerificate enabled, but it's not breaking the connection if not.

First time I did import it from the *.ovpn file...
second time, I seperate each cert section in its file...
then import them manually...
all merged into one file even though I choose different name for them...
The cert contained the code: `KAT`

--------------------
EDIT:
-------------------
An hour ago I update to 7.6rc3
and I noticed the improvement in certificate management

So I delete the certificate, and tried to reimport... it didn't create the certificate for it...

Sob · Fri Oct 28, 2022 1:20 am

You have three things (two certificates and one key):

<ca> - certificate of CA (certificate authority) that issues other certificates, you need this for Verify Server Certificate option to work
<cert> - your client certificate, this is presented to server, so that it can verify that you have access; this is the one that you must select in OVPN client; did you do this?
<key> - key for your certificate

deadManN · Fri Oct 28, 2022 2:03 am

You have three things (two certificates and one key):

<ca> - certificate of CA (certificate authority) that issues other certificates, you need this for Verify Server Certificate option to work
<cert> - your client certificate, this is presented to server, so that it can verify that you have access; this is the one that you must select in OVPN client; did you do this?
<key> - key for your certificate

I rolled back to 7.6
1. empty

1. empty.png

2. import cert

2. import cert .png

cert imported.png

3. cert imported.png

import ca

4. import ca.png

ca imported

5. ca imported.png

import private key

6. import private key.png

private key imported

7. private key imported.png

8. log.png

CERT ONLY

9. cert only.png

deadManN · Fri Oct 28, 2022 2:27 am

i noticed the value of cert and ca are same in *.ovpn file... but the file it self in windows works

Sob · Fri Oct 28, 2022 2:53 am

You have wrong time in router, it thinks that it's 1970, it matters for TLS.

deadManN · Fri Oct 28, 2022 3:55 am

You have wrong time in router, it thinks that it's 1970, it matters for TLS.

Shoud i configure NTP if im not wrong?
Do you know any server I can use?

deadManN · Fri Oct 28, 2022 4:30 am

You have wrong time in router, it thinks that it's 1970, it matters for TLS.

1. Time fixed.png

Sob · Fri Oct 28, 2022 5:26 am

Well, something somewhere is still wrong. But config looks correct. You can try more detailed logging:

/system logging
add topics=ovpn

But I wouldn't expect much useful/understandable info.

deadManN · Fri Oct 28, 2022 3:32 pm

Well, it doesn't seem understandable at all to me
[ LOG FILE REMOVED DUE TO SECURITY REASON ]

Sob · Fri Oct 28, 2022 6:55 pm

It makes two of us. I'm afraid I'm running out of ideas. The only unusual thing is that one certificate for everything, but if it works in Windows...

deadManN · Fri Oct 28, 2022 8:08 pm

That's sad :'( I hope Mikrotik works more on their connectivity... but if certificate are issue, it would throw error faster, and before nothing about negotiating tls in time, it would just said tls failed or something...

deadManN · Fri Oct 28, 2022 8:36 pm

It makes two of us. I'm afraid I'm running out of ideas. The only unusual thing is that one certificate for everything, but if it works in Windows...

profile 1.png

profile 2.png

My last hopes... are my profiles correct?

Sob · Sat Oct 29, 2022 12:16 am

It won't help you, but I tried with Linux OpenVPN server and RouterOS client (CHR 7.6), with one self-signed certificate used for everything (server certificate, client certificate), and it worked on first try without any problem.

/ppp profile
add name=ovpn-test use-compression=no use-encryption=required use-ipv6=no use-mpls=no
/interface ovpn-client
add add-default-route=yes auth=sha1 certificate=ovpn-test cipher=aes128 connect-to=192.168.80.1 \
    disconnect-notify=yes mode=ip name=ovpn-out1 password=test port=1443 profile=ovpn-test protocol=udp \
    tls-version=any use-peer-dns=yes user=tester verify-server-certificate=yes

I don't know why it doesn't work for you. Is the server yours or someone else's? If yours, can you share how exactly you created certificate (or certificates in case server has different one)? Maybe it's something related to that, even though it wouldn't explain why only RouterOS has problem with it.

deadManN · Sat Oct 29, 2022 11:43 am

It's for the company I work for, and I do not have access to the direct creator... and even if I do, I'm not sure due to the recent condition of my country, we have many options when running a VPN as many people are cut off from the internet
BTW, thank you very much, reading all my post, staying to debug the issue

Sob · Sat Oct 29, 2022 6:44 pm

Doing it in your country certainly doesn't help. I don't know any details, but if they try to block VPNs, maybe that might be it. It shouldn't be, when it works with Windows client, but RouterOS has own implementation of OpenVPN protocol, so perhaps there could be some tiny difference that doesn't affect how it works, but might produce some difference that blocking could pick on. Not knowing about protocol details, I can't tell how likely it is.

It could be tested if you'd have unfiltered access to server, e.g. if it's in company office, you could try to connect from internal network, and you'd see if it works or not.

Other than that, you could try to run your own SoftEther VPN Server (that's the software used on server) and test if router is able to connect to that. That would tell you if there's perhaps some incompatibility. But it can also depend on some options, so unless you'd know exactly what the real server uses, it wouldn't be enough proof.

deadManN · Mon Oct 31, 2022 7:53 pm

Well we work remotely, that's why the company provides such a server, and after a recent accident, everything getting blocked, including all proxies and VPNs... with few exception that hardly work, the good thing is the server is inside the country and is not checked, while it is placed in a datacenter which provides access to the outside without passing through a filtering system, or that thought version of it

wilme24 · Tue Nov 01, 2022 10:31 pm

I have the same problem. I tried everything and still stuck LINK ESTABLISHED.
I think the problem is with VPN SERVER, because my Mikrotik connects to another vpn server, but no traffic passes through it.
Sorry my English!

Sob · Wed Nov 02, 2022 6:47 am

I did quick test with SoftEther server (that thing is... interesting) and no luck, I'm seeing exactly the same problem as you do. I wasn't able to find yet if it has any useful logs.

Btw, you may want to remove some screenshots you posted (hint: I was able to find out what software runs on your server).

deadManN · Sun Nov 06, 2022 7:42 am

I have the same problem. I tried everything and still stuck LINK ESTABLISHED.
I think the problem is with VPN SERVER, because my Mikrotik connects to another vpn server, but no traffic passes through it.
Sorry my English!

That was fine for me, I got you

deadManN · Sun Nov 06, 2022 7:43 am

I did quick test with SoftEther server (that thing is... interesting) and no luck, I'm seeing exactly the same problem as you do. I wasn't able to find yet if it has any useful logs.

Btw, you may want to remove some screenshots you posted (hint: I was able to find out what software runs on your server).

Do you mean the log?
OK, Thank you. I removed it, BTW I don't think anyone care in my country, most servers are bought just to bypass filtering or boycotts

Emdad2001 · Fri Nov 11, 2022 12:02 pm

I have the same problem !
I think it most be the server site

https://github.com/SoftEtherVPN/SoftEth ... 7ff7174a7b

deadManN · Tue Nov 22, 2022 11:59 am

I did quick test with SoftEther server (that thing is... interesting) and no luck, I'm seeing exactly the same problem as you do. I wasn't able to find yet if it has any useful logs.

Btw, you may want to remove some screenshots you posted (hint: I was able to find out what software runs on your server).

I think they should start adding the key size processor of devices to the technical info when we buy one :-s

Screenshot 2022-11-22 132912.png

BTW, still this issue is not confirmed yet

Sob · Tue Nov 22, 2022 2:07 pm

That's not it, your server has the usual small 2048 bits key.

deadManN · Tue Nov 22, 2022 2:22 pm

then I hope it won't take another week for support to answer...

Sob · Tue Nov 22, 2022 2:38 pm

Don't forget to mention SoftEther (the software running on your server).

deadManN · Wed Nov 23, 2022 8:00 am

Okay, I'm not so sure about the SoftEther, but since the other server is running on that, and I had the experience of using OpenVPN client with SoftEther server,... I did mention that it may be a SoftEther application.

deadManN · Mon Nov 28, 2022 12:20 pm

Okay, I'm not so sure about the SoftEther, but since the other server is running on that, and I had the experience of using OpenVPN client with SoftEther server,... I did mention that it may be a SoftEther application.

Screenshot 2022-11-28 135014.png

Sob · Mon Nov 28, 2022 7:42 pm

Any chance you could try different router? Or if you don't have any, it's possible to use virtual RouterOS (called Cloud Hosted Router, can be downloaded from https://mikrotik.com/download) and run on your PC in e.g. VirtualBox (https://wiki.mikrotik.com/wiki/Manual:C ... stallation) or VMware Player.

deadManN · Tue Nov 29, 2022 8:25 am

Any chance you could try different router? Or if you don't have any, it's possible to use virtual RouterOS (called Cloud Hosted Router, can be downloaded from https://mikrotik.com/download) and run on your PC in e.g. VirtualBox (https://wiki.mikrotik.com/wiki/Manual:C ... stallation) or VMware Player.

I'll try, but I wonder what starter configuration should I have on a one-way virtual router...
---------------
Edited: I download and installed it, but I got to do the configuration on another free time

deadManN · Tue Nov 29, 2022 12:10 pm

Any chance you could try different router? Or if you don't have any, it's possible to use virtual RouterOS (called Cloud Hosted Router, can be downloaded from https://mikrotik.com/download) and run on your PC in e.g. VirtualBox (https://wiki.mikrotik.com/wiki/Manual:C ... stallation) or VMware Player.
I'll try, but I wonder what starter configuration should I have on a one-way virtual router...
---------------
Edited: I download and installed it, but I got to do the configuration on another free time

ovpn.png

The other was `Could not negotiate TLS in time
This one is `TLS Failed`

deadManN · Sun Dec 04, 2022 12:47 pm

Any chance you could try different router? Or if you don't have any, it's possible to use virtual RouterOS (called Cloud Hosted Router, can be downloaded from https://mikrotik.com/download) and run on your PC in e.g. VirtualBox (https://wiki.mikrotik.com/wiki/Manual:C ... stallation) or VMware Player.

Bought a hAP ac3 today, if the website was reliable and my money didn't disappear into the tin air. after the configuration I'll announce the result... the Architecture is ARM32... hope that works...

--------------
Edited:
--------------
Didn't worked out even in new router....
Although about the older router it seem it also had RAM and CPU issue too... removing all ovpn related stuff, the CPU just backed down, but the memory is still so low...

deadManN · Sat Dec 10, 2022 11:06 am

Any chance you could try different router? Or if you don't have any, it's possible to use virtual RouterOS (called Cloud Hosted Router, can be downloaded from https://mikrotik.com/download) and run on your PC in e.g. VirtualBox (https://wiki.mikrotik.com/wiki/Manual:C ... stallation) or VMware Player.

They said the certificate has some wired flags and usage info...
It seems Mikrotik checks things that even the creator of OVPN didn't care about, leading to this issue for me...
Now I can't make the tunnel provider change the certificate, nor tell the Mikrotik the purpose of the certificate in ovpn is no more than Public/Private Keys...

Sob · Sun Dec 11, 2022 5:10 am

To me, "works with original OpenVPN" is pretty good argument why it should work with RouterOS too...

deadManN · Sun Dec 11, 2022 1:43 pm

To me, "works with original OpenVPN" is pretty good argument why it should work with RouterOS too...

Yeah, that's a good point, that nobody seems to care about...
Like in my cases, in programming there are things that people say hey it's bad practice... but it's bad when something is happening, or it can be good when something is happening, but they are robot people who just understand 0 and 1, and nothing in between

So when they say a certificate should have all kinds of valid flags and information, then it should have it, no matter who and for what purpose uses it...

Sob · Sun Dec 11, 2022 3:51 pm

But it's also true that OpenVPN suggests that certfificates should be created with specific usage:

https://openvpn.net/community-resources ... necting-to

But still, it shouldn't be mandatory when you have Verify Server Certificate disabled. If it's on, then sure, it should do all possible verification. But if not, by which you basically agree with possibility of MITM attacks, who cares about certificate usage.

deadManN · Mon Dec 12, 2022 12:40 pm

But it's also true that OpenVPN suggests that certfificates should be created with specific usage:

https://openvpn.net/community-resources ... necting-to

But still, it shouldn't be mandatory when you have Verify Server Certificate disabled. If it's on, then sure, it should do all possible verification. But if not, by which you basically agree with possibility of MITM attacks, who cares about certificate usage.

Cool you know every aspect of this science, and true... I actually do not care in the first place if it's safe or not as long as I can communicate with the world...
For now I did the dumbest thing ever...

ISP -> TD-LTE Outdoor Modem -> Mikrotik-MainNetwork |---LAN---> PC -> SoftetherVPN --Sharing--> HotspotAdapter ---WLanExternalCard ---> Mikrotik-WirelessStation ---Secondary Network---> ---WLan---> Other Devices
                                                    |---WLAN---> Other Devices

Screenshot 2022-12-13 170458.png

Who is online