Hello all,
I'm trying to setup MikroTik as OpenVPN client but with no success. I have done everything as in Wiki, but nothing works. My problems is the same as here http://forum.mikrotik.com/viewtopic.php?f=1&t=21087. No solutions so far. My server is DD-WRT on WRT350N router. Ok, you can tell me that wrong configuration in DD-WRT or I get no support here for DD-WRT, but by using OpenVPN client for Windows I have no problems to connect to DD-WRT. I use OpenVPN client with GUI on Windows. So I think it might be some problem in configuration or comatibility. Can you provide any help ?
Re: MikroTik as OpenVPN client
Did you try smaller than a 7 character password? A known issue, greater than 7 characters does not work, at least with MT-MT OVPN.
Make sure you open TCP 1194 in the firewall. Try to reboot the MikroTik.
Make sure you open TCP 1194 in the firewall. Try to reboot the MikroTik.
Re: MikroTik as OpenVPN client
Hi,
Thank you very much for your reply. Its very important for me to start this VPN connection, but now it seems that it is just not possible
Ok, my password was longer than 7 symbols and I made it shorter - 4 symbols. Restarted MikroTik. Nothing helps. Firewall has rule for VPN and I can see counter running of accepted packets. Furthermore I log all dropped/rejected packets and I didn't see any of VPN packets dropped.
So my config at RoS side is:
In the beginning there was no user/pass at the DD-WRT side, but later I implemented it and again had no problems connecting to it using OpenVPN GUI. Computer from which connect is behind the same MikroTik router and has no problems at all. Here what I get at DD-WRT side:
It seems that there is no problems with authentication. Connection just drops and the reason is not clear to me.
What I have tried:
1. cipher and auth set to none
2. tun and tap devices
3. reboot
4. 4 symbol password
Nothing helps. I get error on MiktoTik:
Please help me solve this problem because I don't sleep at nights 
Thank you very much for your reply. Its very important for me to start this VPN connection, but now it seems that it is just not possible
Ok, my password was longer than 7 symbols and I made it shorter - 4 symbols. Restarted MikroTik. Nothing helps. Firewall has rule for VPN and I can see counter running of accepted packets. Furthermore I log all dropped/rejected packets and I didn't see any of VPN packets dropped.
So my config at RoS side is:
Code: Select all
name="ovpn-out1" mac-address=00:00:00:00:00:00 max-mtu=1500 connect-to=x.x.x.x
port=1194 mode=ip user="user" password="password" profile=default certificate=client
auth=sha1 cipher=aes256 add-default-route=noCode: Select all
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: MULTI: multi_create_instance called
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: Re-using SSL/TLS context
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: Control Channel MTU parms ......
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: Data Channel MTU parms ....
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: TCP connection established with x.x.x.x:60200
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: Socket Buffers: R=[65534->65534] S=[65534->65534]
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: TCPv4_SERVER link local: [undef]
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: TCPv4_SERVER link remote: x.x.x.x:60200
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: x.x.x.x:60200 TLS: Initial packet from x.x.x.x:60200, sid=c142180d 5752099f
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 VERIFY OK: depth=1, /C=LT/ST=LT/L=LT/O=home/CN=server/emailAddress=no@mail.com
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 VERIFY OK: depth=0, /C=LT/ST=LT/L=LT/O=home/CN=client/emailAddress=no@mail.com
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 TLS: Username/Password authentication succeeded for username 'user'
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 23 22:23:26 xxx daemon.err openvpn[790]: x.x.x.x:60200 Connection reset, restarting [0]
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 SIGUSR1[soft,connection-reset] received, client-instance restarting
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: TCP/UDP: Closing socketWhat I have tried:
1. cipher and auth set to none
2. tun and tap devices
3. reboot
4. 4 symbol password
Nothing helps. I get error on MiktoTik:
Code: Select all
openvpn-out1: initializing...
openvpn-out1: dialing...
openvpn-out1: terminating... - unknown auth alg
openvpn-out1: disconnectedRe: MikroTik as OpenVPN client
Are you logging ovpn at debug level like so:
/system logging add action=memory disabled=no prefix="" topics=ovpn,debug
Unfortunately I have noticed that the OVPN in MikroTik does not have very good debug output. It looks to me like the DD-WRT is proposing cypher and auth and MikroTik rejects it and disconnects.
What does your DD-WRT OVPN config look like?
/system logging add action=memory disabled=no prefix="" topics=ovpn,debug
Unfortunately I have noticed that the OVPN in MikroTik does not have very good debug output. It looks to me like the DD-WRT is proposing cypher and auth and MikroTik rejects it and disconnects.
What does your DD-WRT OVPN config look like?
Re: MikroTik as OpenVPN client
Hi,
I want to mention that I have tried all combinations with cipher and auth. Also I have tested
Results are the same.
Thanks for helping me.
I was using by default. Now I made like you propose.Are you logging ovpn at debug level like so:
/system logging add action=memory disabled=no prefix="" topics=ovpn,debug
Here it is:What does your DD-WRT OVPN config look like?
Code: Select all
proto tcp-server
port 1194
dev tun0
tls-server
keepalive 10 120
tmp-dir /tmp/openvpn
script-security 3
verb 3
cipher AES-256-CBC
auth SHA1
auth-nocache
auth-user-pass-verify /tmp/custom.sh via-file
ifconfig-pool-persist /tmp/ipp.txt
push "route 192.168.60.0 255.255.255.0"
server 192.168.63.0 255.255.255.0
persist-key
persist-tun
status /tmp/openvpn-status.log
ca /tmp/openvpn/ca.crt
dh /tmp/openvpn/dh.pem
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pemCode: Select all
cipher none
auth noneThanks for helping me.
-
-
roadracer96
Forum Veteran
- Posts: 736
- Joined:
Re: MikroTik as OpenVPN client
FWIW, I have about 50 450G/433s connected to a PC/Linux OpenVPN 2.1 server using certificates/radius to authenticate/obtain config.
One thing that I noticed that is different between MT and other clients is how the route lines need to be worded. I cant remember what it was, but there was something different between windows clients connecting and MT clients connecting.
One thing that I noticed that is different between MT and other clients is how the route lines need to be worded. I cant remember what it was, but there was something different between windows clients connecting and MT clients connecting.
Re: MikroTik as OpenVPN client
Hi,
Adding debugging support gave me only one extra line which tells me the same that unknown auth alg. Not much help from this debug info....
Maybe MikroTik support team will also look at this topic and tell at least how to get more debugging information because now I get no clue what is going on.
Adding debugging support gave me only one extra line which tells me the same that unknown auth alg. Not much help from this debug info....
Maybe MikroTik support team will also look at this topic and tell at least how to get more debugging information because now I get no clue what is going on.
Re: MikroTik as OpenVPN client
What do you mean about that ? I have no problems to connect to server from Windows PC. Problem is only from MT. I think route lines in not a problem here. My connection is constantly dropping. It's not about routes.One thing that I noticed that is different between MT and other clients is how the route lines need to be worded.
Re: MikroTik as OpenVPN client
Hello again,
I have even changed Linksys router to newer model and installed the latest firmware with OpenVPN support. Problem is the same, the same error messages. From Windows is again everything ok. I'm totally lost.
I have even changed Linksys router to newer model and installed the latest firmware with OpenVPN support. Problem is the same, the same error messages. From Windows is again everything ok. I'm totally lost.
Re: MikroTik as OpenVPN client
Ensure that the MikroTik's date & time is set correctly. Its best if you could use NTP to automatically obtain the date & time. Without the correct date, the certificates wouldn't be valid.
Re: MikroTik as OpenVPN client
Hi,
Yes data and time are correct and I use NTP. If date and time is not correct error message is different. Anyway I gave up with this as for me its not possible to get even some debug information. Linksys resets connection and MikroTIK just say that auth algo is not supported. Thats just not too much info anyway.
Yes data and time are correct and I use NTP. If date and time is not correct error message is different. Anyway I gave up with this as for me its not possible to get even some debug information. Linksys resets connection and MikroTIK just say that auth algo is not supported. Thats just not too much info anyway.
Re: MikroTik as OpenVPN client
I like mikrotik a lot but the openvpn is *not* stable and it is hard to get it to work with other openvpn daemons on other platforms. I have 2 mikrotiks with openvpn running. One of them is a server for ten users to vpn to the mikrotik router and the other is a mikrotik router that connects to a linux openvpn server. They work once you iron out the kinks but I have found that the mikrotik client disconnects and reconnects a lot because it seems to be ignoring the keep-alive packets from the server. The other issue is I have yet to see any mikrotik with openvpn work for more then a month. I usually have to reboot the router once a month for it to keep working. I would suggest using pptp if you don't mind a little less security.
I can post my configuration but I'm not using dd-wrt so it may not help you at all.
I can post my configuration but I'm not using dd-wrt so it may not help you at all.
-
-
roadracer96
Forum Veteran
- Posts: 736
- Joined:
Re: MikroTik as OpenVPN client
I currently have 14 routers with over 60 days of uptime. Another 20ish with over 30 days as openvpn clients. Until today, they were connected to a linux openvpn server. Just switched them over to connect to a RB1000.
I find it to be completely stable once you finger it all out.
I find it to be completely stable once you finger it all out.
Re: MikroTik as OpenVPN client
Hi,
Thanks for sharing some experience here with us.
@roadracer: I aggree that they work together with each other or with linux machines, but there is some really compatibility issues with OpenVPN implementation on DD-WRT.
Thanks for sharing some experience here with us.
Yes, I think so. I have a lot of different configurations from *working* systems, but still with no luck. I solved my problem by making DD-WRT as OpenVPN server and all clients behind MikroTIK has their own OpenVPN client software. In my case it is ok I think.I can post my configuration but I'm not using dd-wrt so it may not help you at all.
@roadracer: I aggree that they work together with each other or with linux machines, but there is some really compatibility issues with OpenVPN implementation on DD-WRT.
Re: MikroTik as OpenVPN client
alphalt, have you found any solution to the problem?
I am also trying to connect from dd-wrt box (ovpn client) to mikrotik (ovpn server) and got the same "<unknown auth alg>
I am also trying to connect from dd-wrt box (ovpn client) to mikrotik (ovpn server) and got the same "<unknown auth alg>
Re: MikroTik as OpenVPN client
Hello,
I'm sorry, but I haven't found any sollution. And somehow I think its the problem of dd-wrt. Maybe need to wait for newer releases of dd-wrt.
I'm sorry, but I haven't found any sollution. And somehow I think its the problem of dd-wrt. Maybe need to wait for newer releases of dd-wrt.
Re: MikroTik as OpenVPN client
I have tried with tomato as well, the problem remains sameHello,
I'm sorry, but I haven't found any sollution. And somehow I think its the problem of dd-wrt. Maybe need to wait for newer releases of dd-wrt.
I bet it is a routeros problem (openvpn implementation is quite poor here)
Regards
Re: MikroTik as OpenVPN client
Then the only think left is to wait for ROS v5 and check again.
Who is online
Users browsing this forum: hpeters and 29 guests