Hello everyone!

I'm struggling with configuring the client part of a Site-2-Site OVPN.
For the same person i have already configured a Site-2-Client (same server) which works properly.

I have only one file available : The windows client .ovpn file
From that, i was able to extract the ca.crt, the client.crt, the client.key and one more key, the client_tls.key (the .ovpn has a "tls-crypt" parameter)
I was able to import the ca.crt, the client.crt, and the two keys succesfully,
- either by importing them one by one

- or by importing the .ovpn as it is (it detected and seperated the two certs automatically)


Now, as you can see from the .ovpn file below, the client uses udp and also compression I had no problem with udp, since ROS 7.1.1 gives the option to use it.
I also guess that i should be ok with compression because i have set a ppp profile with "Use Compression" = Yes (am i really ???)

The problem is that - as you saw above - the client config from the .ovpn file doesn't provide me with any username or password.
Without knowing what to do, I just used a random username and no password
My Ovpn link seemed to be established :



I was very happy at first.
But then i got this on my Logs :


So i think i got two problems, one with encryption and another with authentication.
Even if i figure out something about TLS, how can i implement this on Mikrotik without using credentials ?
The client keeps claiming that he have been told this is possible......

What did you do with "tls-crypt new-test.key"? AFAIK RouterOS doesn't support this. And compression may be a problem too (I know that RouterOS doesn't have LZO, but I'm not sure if it supports anything else).

What did you do with "tls-crypt new-test.key"? AFAIK RouterOS doesn't support this. And compression may be a problem too (I know that RouterOS doesn't have LZO, but I'm not sure if it supports anything else).

Thank you very much Sob for taking the time to answer me.

I'm not sure at all about that..... but what i did was to combine the real private key and the tls key in one .key file like this : I just thought of it because that's how it goes for the .ovpn file used for the windows client :
Without the tls key in the end the Windows client does not connect, so i thought to give it a try.


After importing the combined file as a .key file, the ROS accepted it, and i got a KT flag.
But again..it may accept this because it reads only the first part of it (the private key)...


Regarding the compression, i just read on the log file of the Windows client that it connected using "lz4"

If you import certificates or keys in PEM format (the readable kind you have), system looks for data in known blocks (----BEGIN/END CERTIFICATE/PRIVATE KEY-----) and everything else is ignored as comments. So you didn't get any error, but neither you imported static key. I don't think you can succeed with this config and current RouterOS.

i'm usually never enable compression, even i do, there is no graph to check whether is working on now.
Also i'm stuck with v6.There is too early to run udp on v7

Thank you both for your replies!
At least now i am more confident on the fact that it's not gonna work.
Have a good day!

Not sure if it's the issue. But what is the OpenVPN server/concentrator? Another Mikrotik?

It's strange you have this in OVPN client config then cause all Mikrotik boxes I ever had supports just Auth mechanism SHA1 or MD5.
So I have this in OVPN config file Maybe you have some more fancy box like CloudCore or someting...
But if your VPN server is not Mikrotik, I believe the problem coul be in that AUTH mechanism. Maybe server requires SHA512 and Mikrotik as a client does not support that. Solution could be simply enabling SHA1 auth mechanism on server side.

There's sha512 in 7.2rc, first only in CLI, but latest one added it to WinBox too.

There's sha512 in 7.2rc, first only in CLI, but latest one added it to WinBox too.

That would be great!

Not sure if it's the issue. But what is the OpenVPN server/concentrator? Another Mikrotik?

It's strange you have this in OVPN client config then

Code: Select all

cipher AES-256-GCM
auth SHA512

cause all Mikrotik boxes I ever had supports just Auth mechanism SHA1 or MD5.
So I have this in OVPN config file

Code: Select all

cipher AES-256-CBC
auth SHA1

Maybe you have some more fancy box like CloudCore or someting...
But if your VPN server is not Mikrotik, I believe the problem coul be in that AUTH mechanism. Maybe server requires SHA512 and Mikrotik as a client does not support that. Solution could be simply enabling SHA1 auth mechanism on server side.

Good suggestion.
Unfortunatelly, the only thing i know about the server side, is that there is a Linux-based machine.
This VPN regards connecting to organization that receives and automatically analyzes data sent from the client side.
I suppose that the organization offers the ".ovpn" file for any clients that want to connect.
Neither me or the customer have any access there.