Community discussions

MikroTik App
 
filipkcz
just joined
Topic Author
Posts: 3
Joined: Mon May 28, 2018 6:13 pm

OpenVPN client does not work after update to 2.4.6

Mon May 28, 2018 6:29 pm

Hi

couple of years I use this settings when I setup openvpn server on mikrotik. This configuration work with OpenVpn client version (OpenVPN 2.3.18 (old stable) -- released on 2017.09.26 ) fine.
But after release new version of OpenVPN Client I cannot connect to VPN Servers. Any idea? THANK YOU!

Log from OpenVPN 2.3.18 - no problem, no issue
Mon May 28 17:03:33 2018 TLS: Initial packet from [AF_INET]####################:1194, sid=c33827a9 1af84c39
Mon May 28 17:03:34 2018 VERIFY OK: depth=0, CN=ca
Mon May 28 17:03:35 2018 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 28 17:03:35 2018 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 28 17:03:35 2018 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon May 28 17:03:35 2018 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 28 17:03:35 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Log from OpenVPN 2.4.6 - UNABLE TO CONNECT
Mon May 28 16:47:41 2018 Attempting to establish TCP connection with [AF_INET]#############:1194 [nonblock]
Mon May 28 16:47:41 2018 MANAGEMENT: >STATE:1527518861,TCP_CONNECT,,,,,,
Mon May 28 16:47:42 2018 TCP connection established with [AF_INET]#############:1194
Mon May 28 16:47:42 2018 TCP_CLIENT link local: (not bound)
Mon May 28 16:47:42 2018 TCP_CLIENT link remote: [AF_INET]#############:1194
Mon May 28 16:47:42 2018 MANAGEMENT: >STATE:1527518862,WAIT,,,,,,
Mon May 28 16:47:42 2018 MANAGEMENT: >STATE:1527518862,AUTH,,,,,,
Mon May 28 16:47:42 2018 TLS: Initial packet from [AF_INET]#############:1194, sid=2bd5d2ac b49cfdcd
Mon May 28 16:47:43 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=ca
Mon May 28 16:47:43 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon May 28 16:47:43 2018 TLS_ERROR: BIO read tls_read_plaintext error
Mon May 28 16:47:43 2018 TLS Error: TLS object -> incoming plaintext read error
Mon May 28 16:47:43 2018 TLS Error: TLS handshake failed
Mon May 28 16:47:43 2018 Fatal TLS error (check_tls_errors_co), restarting


Configuration

My ovpn setup:
/certificate
add name=ca-template common-name=ca key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client-template common-name=client
sign ca-template name=ca
sign server-template ca=ca name=server
sign client-template ca=ca name=client
set ca trusted=yes
set server trusted=yes
export-certificate ca
export-certificate client export-passphrase=#######

All of certificates are: 2048

Ovpn server
Auth: sha1 (other options unchecked)
Cipher: aes 256 (other options unchecked)
Mode IP

PPP Profile
Use Encryption: yes

ovpn client config
dev tun
proto tcp-client
remote ############# 1194
ca ca.crt
cert client.crt
key client.key
tls-client
port 1194
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass
route 192.168.5.0 255.255.255.0
 
filipkcz
just joined
Topic Author
Posts: 3
Joined: Mon May 28, 2018 6:13 pm

Re: OpenVPN client does not work after update to 2.4.6

Sat Jun 02, 2018 11:09 am

reup
 
NEOhidra
just joined
Posts: 8
Joined: Sun Apr 08, 2018 10:01 am

Re: OpenVPN client does not work after update to 2.4.6

Sat Jun 02, 2018 11:20 am

Not using OpenVPN on MT, nor v2.3 but the error seems to be triggered by the ExtendedKeyUsage extension.
If i got it right then OpenVPN2.4 is doing some checks on the certificate and yours is not generated the right way.
 
filipkcz
just joined
Topic Author
Posts: 3
Joined: Mon May 28, 2018 6:13 pm

Re: OpenVPN client does not work after update to 2.4.6

Sun Jun 10, 2018 8:51 pm

Hi

I generated certificated in routeros.
https://wiki.mikrotik.com/wiki/Manual:C ... rtificates

are you recomended generate crt with openssl?

BTW
Enhanced key usage is:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
 
User avatar
Deantwo
Member
Member
Posts: 332
Joined: Tue Sep 30, 2014 4:07 pm

Re: OpenVPN client does not work after update to 2.4.6

Thu Jun 28, 2018 12:09 pm

Wouldn't it make more sense to ask on the OpenVPN forum? Since it was an OpenVPN update that broke it anyway.
Here: https://forums.openvpn.net/viewforum.php?f=6

I had an issue with the upgrading from OpenVPN 2.3.10 to 2.3.11 a couple of years ago, and that was fixed in a RouterOS update.
See: https://forums.openvpn.net/viewtopic.php?f=6&t=22290
I guess it is not the same issue since you went from OpenVPN 2.3.18 to 2.4.6, but knowing your RouterOS version might help too.

More information about your OpenVPN server on the router would be useful:
/interface ovpn-server ex

Also make sure your server certificate has the "tls server" key usage, I believe that was an issue I had once too. But maybe that is because I use "remote-cert-tls server" in my client config.
Last edited by Deantwo on Wed Aug 29, 2018 5:08 pm, edited 3 times in total.
 
Weafyr
just joined
Posts: 2
Joined: Wed Aug 29, 2018 4:14 pm

Re: OpenVPN client does not work after update to 2.4.6

Wed Aug 29, 2018 4:24 pm

Hi,
I think, you are using "ca" certificate in OVPN server. Instead, you have to use "server" certificate.
 
radenli
just joined
Posts: 19
Joined: Tue Apr 04, 2017 10:45 am

Re: OpenVPN client does not work after update to 2.4.6

Thu Aug 30, 2018 8:18 pm

I am using 2.4.6 too, but I don't have any problem to connect my ovpn server which is running on hap ac2 ver 6.42.6
 
dkorzhevin
just joined
Posts: 6
Joined: Mon Jul 22, 2019 2:05 pm

Re: OpenVPN client does not work after update to 2.4.6

Tue Feb 11, 2020 11:11 am

Hello filipkcz

Was this solved?

Who is online

Users browsing this forum: No registered users and 18 guests