Community discussions

MikroTik App
  4. RouterOS
  5. General

openvpn connect issues

Post Reply
 
giulianoz
newbie
Topic Author
Posts: 27
Joined: Sat Apr 08, 2017 6:44 pm

openvpn connect issues

Sat May 20, 2017 2:06 pm

Hello,
I'm stuck with an openvpn connection problem. It seems not to be a client issue (O tried bothopenvpn connect for android and ios and I get the same issue)

ROS version is 6.39.1

What I've done is using easy-rse3 to generate my ca/server/client certs. I imported the server cert and key + ca cert in ros (ca is flagged T, server cert is flagged TK, so this should be ok)
The ovpn server is configured to use the server certificate I've created
Code: Select all
set auth=sha1 certificate=xxx.crt_0 cipher=aes256 default-profile=openvpn enabled=yes require-client-certificate=yes
I tried with and without require-client-certificate

In the ovpn config file I've used ca cert and client cert+key

config.ovpn
Code: Select all
proto tcp-client
remote XXX.XXX.XXX.XXX 1194
dev tun
nobind
persist-key

tls-client
ping 10
verb 3

ciphet AES-256-CBC
auth SHA1
pull

auth-user-pass
route XXX.XXX.XXX.XXX 255.255.255.0


<ca>
-----BEGIN CERTIFICATE-----
[...]
<-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
[...]
-----END ENCRYPTED PRIVATE KEY-----
</key>

error
Code: Select all
2017-05-20 12:44:57 EVENT: RESOLVE
2017-05-20 12:44:58 Contacting XXX.XXX.XXX:1194 via TCP
2017-05-20 12:44:58 EVENT: WAIT
2017-05-20 12:44:58 SetTunnelSocket returned 1
2017-05-20 12:44:58 Connecting to [XXX.XXX.XXX]:1194 (XXX.XXX.XXX) via TCPv4
2017-05-20 12:44:58 EVENT: CONNECTING
2017-05-20 12:44:58 Tunnel Options:V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2017-05-20 12:44:58 Creds: Username/Password
2017-05-20 12:44:58 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.1.1-212
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_BS64DL=1

2017-05-20 12:44:59 VERIFY FAIL CERT_NOT_TRUSTED : depth=1
cert. version    : 3
serial number    : AB:5A:BE:86:B9:C3:61:33
issuer name      : CN=Easy-RSA CA
subject name      : CN=Easy-RSA CA
issued  on        : 2017-05-19 15:01:36
expires on        : 2027-05-17 15:01:36
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage        : Key Cert Sign, CRL Sign

2017-05-20 12:44:59 VERIFY OK: depth=0
cert. version    : 3
serial number    : 03
issuer name      : CN=Easy-RSA CA
subject name      : CN=XXX.XXX.XXX
issued  on        : 2017-05-20 10:18:42
expires on        : 2027-05-18 10:18:42
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication

2017-05-20 12:44:59 Transport Error: PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2017-05-20 12:44:59 EVENT: CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed [ERR]
2017-05-20 12:44:59 EVENT: DISCONNECTED
2017-05-20 12:44:59 Raw stats on disconnect:
 BYTES_IN : 2731
 BYTES_OUT : 244
 PACKETS_IN : 6
 PACKETS_OUT : 4
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1
2017-05-20 12:44:59 Performance stats on disconnect:
 CPU usage (microseconds): 19273
 Network bytes per CPU second: 154361
 Tunnel bytes per CPU second: 0
2017-05-20 12:44:59 EVENT: DISCONNECT_PENDING
2017-05-20 12:44:59 ----- OpenVPN Stop -----
It seems to me that the CA cert is not valid for some reason, but I can't find one. Clock is correct on both client and ROS
ROS logs
Code: Select all
12:44:58 ovpn,info TCP connection established from 31.157.13.136 
12:44:58 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=d54c9d4cfe99b7 pid=0 DATA len=0 
12:44:58 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=70d5b26da2d0e286 pid=0 DATA len=0 
12:44:58 ovpn,debug,packet sent P_ACK kid=0 sid=d54c9d4cfe99b7 [0 sid=70d5b26da2d0e286] DATA len=0 
12:44:58 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=70d5b26da2d0e286 [0 sid=d54c9d4cfe99b7] pid=1 DATA len=0 
12:44:58 ovpn,debug,packet sent P_ACK kid=0 sid=d54c9d4cfe99b7 [1 sid=70d5b26da2d0e286] DATA len=0 
12:44:58 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=70d5b26da2d0e286 pid=2 DATA len=160 
12:44:58 ovpn,debug,packet sent P_ACK kid=0 sid=d54c9d4cfe99b7 [2 sid=70d5b26da2d0e286] DATA len=0 
12:44:59 ovpn,debug,packet sent P_CONTROL kid=0 sid=d54c9d4cfe99b7 pid=1 DATA len=1400 
12:44:59 ovpn,debug,packet sent P_CONTROL kid=0 sid=d54c9d4cfe99b7 pid=2 DATA len=1211 
12:44:59 ovpn,debug,packet rcvd P_ACK kid=0 sid=70d5b26da2d0e286 [1 sid=d54c9d4cfe99b7] DATA len=0 
12:44:59 ovpn,debug <31.157.13.136>: disconnected <peer disconnected>
thanks for any advice !

giuliano
Top
 
shkiperon
just joined
Posts: 2
Joined: Sun Feb 11, 2018 5:37 pm

Re: openvpn connect issues

Sun Feb 11, 2018 6:01 pm

Hi
I had the same problem, but I found the solution (to be honest I was surprised) - OVPN server ROS can not work without authorization by login and password. You must at least use a username with an empty password, otherwise the connection will not be established.
As a result, you get a two-factor authorization - login-password + certificate.
Top
Post Reply
  4. RouterOS
  5. General