Good morning,
I have a little problem. I subscribed a time with IPSTATICO.ORG to change a public IP with a static IP on my LTE connection. I downloaded a certificate file ***.openvpnm, but when I install an OpenVPN-client on Mikrotik i can't connect because i need to specify a Username and Password but I don't have this. I try to put this file on OpenVPN for windows and in this case with only a file insert the connection has been ok. Now, i ask for help, to configure correctly a ovpn-client on Mikrotik. I know this connection is on UDP protocol!.
Thanks a lot for helping me!
Re: Ovpn-client on proto udp
At the moment, Mikrotik only supports OpenVPN on UDP in RouterOS 7 which is in a beta stage (7.1beta 4 as of writing this). So if you accept to run a beta, you should be able to connect. The (user)name and password are specified among other parameters on the /interface/ovpn-client row.
Re: Ovpn-client on proto udp
Thanks so much. i see now that. i attach a picture about my set interface because doesn't work. i think is wrong User and password because nobody say me somenthig about that from IPSTATICO.ORG.
You do not have the required permissions to view the files attached to this post.
Re: Ovpn-client on proto udp
The certificate you've downloaded has been generated specifically for you?
If not, you should not use it as a client certificate, but as a certificate of a trusted certification authority, which authenticates the certificate presented by the server. So in the client configuration, no certificate should be specified.
If yes, there must be also another certificate for the purpose above (authentication of the certificate presented by the server).
If not, you should not use it as a client certificate, but as a certificate of a trusted certification authority, which authenticates the certificate presented by the server. So in the client configuration, no certificate should be specified.
If yes, there must be also another certificate for the purpose above (authentication of the certificate presented by the server).
Re: Ovpn-client on proto udp
Yes the certificate is on purpose for me. on miktrotik when i update the certificate are two certificate. but i not able to use. how can use they?
Re: Ovpn-client on proto udp
Show me the output of /certificate print detail.
Re: Ovpn-client on proto udp
Code: Select all
[admin@RBSXRT] > /certificate print detail
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
0 T name="dyn05-10-8-0-75.ovpn_0" issuer=CN=cn_ZkBLKf74XPGpzkCq digest-algorithm=sha256 key-type=ec common-name="cn_ZkBLKf74XPGpzkCq"
key-size=prime256v1 subject-alt-name="" days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign serial-number="9EEAA4267DF97858"
fingerprint="448e536d9501084031496cfbd2f6588d2518fe4293813298f4c730212f8f9e06" akid=4cfe8f1400471406a5a9dca5d8685b30097cee4f
skid=4cfe8f1400471406a5a9dca5d8685b30097cee4f invalid-before=feb/27/2020 21:50:03 invalid-after=feb/24/2030 21:50:03
expires-after=3138w10h31m29s
1 K T name="dyn05-10-8-0-75.ovpn_1" issuer=CN=cn_ZkBLKf74XPGpzkCq digest-algorithm=sha256 key-type=ec common-name="dyn05-10-8-0-75"
key-size=prime256v1 subject-alt-name="" days-valid=1080 trusted=yes key-usage=digital-signature,tls-client
serial-number="1C598A64709492032D26EED987C29156" fingerprint="a3376583402597a4cd6d4286d3b6aedf7063bd5cabedfccca4b99d5d0ee21342"
akid=4cfe8f1400471406a5a9dca5d8685b30097cee4f skid=b0b2fb1c550150e00b4ca60ffed5c29cd99f0715 invalid-before=jul/21/2020 13:35:33
invalid-after=jul/06/2023 13:35:33 expires-after=2791w4d2h16m59s
Re: Ovpn-client on proto udp
OK. So two points.
First, the certificate you set in the /interface ovpn-client configuration must be the one authenticating your client to the server, which is the one for which you have the private key, i.e. the dyn05-10-8-0-75.ovpn_1 one.
Second, under normal circumstances, you should not need the server certificate itself - instead, you should use the certificate of the authority that has signed it. But the ..._0 certificate is not one of an authority, so it seems to be the one of the server itself. But I am not sure whether Mikrotik's OpenVPN implementation supports server authentication by the server's certificate alone, without having the certificate of the issuing authority. So if the connection still fails after you start using the proper certificate for the client as explained above, the error message should be different. If that is the case, switching off verify-server-certificate could be a way to check this, but not a recommended setting for actual use of the VPN, as without the certificate check, your connection could be redirected to some other server impersonating the real one.
So until the connection finally succeeds, uncheck add-default-route, but that doesn't prevent the username and password from leaking to the rogue server.
First, the certificate you set in the /interface ovpn-client configuration must be the one authenticating your client to the server, which is the one for which you have the private key, i.e. the dyn05-10-8-0-75.ovpn_1 one.
Second, under normal circumstances, you should not need the server certificate itself - instead, you should use the certificate of the authority that has signed it. But the ..._0 certificate is not one of an authority, so it seems to be the one of the server itself. But I am not sure whether Mikrotik's OpenVPN implementation supports server authentication by the server's certificate alone, without having the certificate of the issuing authority. So if the connection still fails after you start using the proper certificate for the client as explained above, the error message should be different. If that is the case, switching off verify-server-certificate could be a way to check this, but not a recommended setting for actual use of the VPN, as without the certificate check, your connection could be redirected to some other server impersonating the real one.
So until the connection finally succeeds, uncheck add-default-route, but that doesn't prevent the username and password from leaking to the rogue server.
Re: Ovpn-client on proto udp
Thanks for help. Today i try to change a certificate like your teach but the error now is TLS failed. I don't know why, but i can't connect. and, i don't have any user name and pass for put in the same edit box. I put my login data from the site but i don't know if is correct. Now the connection doesn't work. nothing change
Re: Ovpn-client on proto udp
Hi,
do you found a way to configure IPStatico with Mikrotik?
Grazie
Stefano
do you found a way to configure IPStatico with Mikrotik?
Grazie
Stefano