christopherve7alb
newbie
Topic Author
Posts: 26
Joined: Wed Aug 07, 2013 7:15 pm

Linux Client unable to connect via OpenVPN since 6.36

Fri Sep 23, 2016 1:24 am

Hey guys,

I have a Linux client that is unable to connect to my MikroTik OpenVPN server since upgrading to 6.36. If I downgrade to 6.35.2 the connection works without issue. I can see the following in the logs when running 6.36:
5:22:19 ovpn,info TCP connection established from x.x.x.145
15:22:19 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=32e3c0394924e82b pid=0 DATA len=0
15:22:20 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=c0fe42912c402b82 pid=0 DATA len=0
15:22:20 ovpn,debug,packet sent P_ACK kid=0 sid=32e3c0394924e82b [0 sid=c0fe42912c402b82] DATA len=0
15:22:20 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=c0fe42912c402b82 [0 sid=32e3c0394924e82b] pid=0 DATA len=0
15:22:20 ovpn,debug,error,45980,60104,50991,timer,45980,60152,51153,l2tp,44716,60152,51111,firewall,47572,44704,info,60852,firewall,45976,45976,l2tp,45980,60200,44080,60852,info,60200,1651
,1651,1651,8192,52728,60852,warning,60264,9951,45976,critical,info,32319,1360,60344,info,critical,60260,52728 duplicate packet, dropping
15:22:20 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c0fe42912c402b82 pid=1 DATA len=100
15:22:20 ovpn,debug,packet sent P_ACK kid=0 sid=32e3c0394924e82b [1 sid=c0fe42912c402b82] DATA len=0
15:22:20 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c0fe42912c402b82 pid=2 DATA len=100
15:22:20 ovpn,debug,packet sent P_ACK kid=0 sid=32e3c0394924e82b [2 sid=c0fe42912c402b82] DATA len=0
15:22:20 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c0fe42912c402b82 pid=3 DATA len=3
15:22:20 ovpn,debug,packet sent P_ACK kid=0 sid=32e3c0394924e82b [3 sid=c0fe42912c402b82] DATA len=0
15:22:20 ovpn,debug,packet sent P_CONTROL kid=0 sid=32e3c0394924e82b pid=1 DATA len=1400
15:22:20 ovpn,debug,packet sent P_CONTROL kid=0 sid=32e3c0394924e82b pid=2 DATA len=317
15:22:20 ovpn,debug <x.x.x.145>: disconnected <peer disconnected>

When I look at the changelog for 6.36 I can see the following:
*) ovpn - enable perfect forwarding secrecy support by default;
*) ovpn - fixed compatibility with OpenVPN 2.3.11;

I wonder if PFS support is causing the issue. Any idea how to disable it again?
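
One way to read the router-side debug log in the post above, as an added example that is not part of the original thread: it totals the control-channel payload in each direction and names the point where the session stopped. It assumes the RouterOS log format shown above, with `sent`/`rcvd` taken from the router's side and P_CONTROL payloads read as TLS handshake data; `summarize` and `stage` are hypothetical helper names.

```python
import re

# Router-side log lines taken from the post above (most ACK lines trimmed).
SAMPLE = """\
15:22:19 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=32e3c0394924e82b pid=0 DATA len=0
15:22:20 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=c0fe42912c402b82 pid=0 DATA len=0
15:22:20 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c0fe42912c402b82 pid=1 DATA len=100
15:22:20 ovpn,debug,packet sent P_ACK kid=0 sid=32e3c0394924e82b [1 sid=c0fe42912c402b82] DATA len=0
15:22:20 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c0fe42912c402b82 pid=2 DATA len=100
15:22:20 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c0fe42912c402b82 pid=3 DATA len=3
15:22:20 ovpn,debug,packet sent P_CONTROL kid=0 sid=32e3c0394924e82b pid=1 DATA len=1400
15:22:20 ovpn,debug,packet sent P_CONTROL kid=0 sid=32e3c0394924e82b pid=2 DATA len=317
15:22:20 ovpn,debug <x.x.x.145>: disconnected <peer disconnected>
"""

PKT = re.compile(r"ovpn,debug,packet (sent|rcvd) (P_\w+) .*?(?:\bpid=(\d+) )?DATA len=(\d+)")
END = re.compile(r"ovpn,debug <[^>]*>: disconnected <([^>]*)>")

def summarize(log):
    """Total control-channel payload per direction, last sender, disconnect reason."""
    s = {"sent": 0, "rcvd": 0, "resets": set(), "last": None, "end": None}
    seen = set()
    for line in log.splitlines():
        m = PKT.search(line)
        if m:
            direction, opcode, pid, length = m.groups()
            if opcode.startswith("P_CONTROL_HARD_RESET"):
                s["resets"].add(direction)
            elif opcode == "P_CONTROL" and (direction, pid) not in seen:
                seen.add((direction, pid))      # count a retransmitted pid once
                s[direction] += int(length)
                s["last"] = direction
        elif (m := END.search(line)):
            s["end"] = m.group(1)
    return s

def stage(s):
    """Name the point where the session stopped, from the router's point of view."""
    if s["resets"] != {"sent", "rcvd"}:
        return "no reset exchange"
    if s["rcvd"] == 0:
        return "client sent no TLS data"
    if s["last"] == "sent" and s["end"] == "peer disconnected":
        return "client closed after the server's TLS flight"
    return "stopped elsewhere; read the full log"

if __name__ == "__main__":
    print(stage(summarize(SAMPLE)))
```

For this log the client sends 203 bytes, the router answers with 1717 bytes, and the client then closes the connection, so the client's own log is the place to look for the reason.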
 
christopherve7alb
newbie
Topic Author
Posts: 26
Joined: Wed Aug 07, 2013 7:15 pm

Re: Linux Client unable to connect via OpenVPN since 6.36

Wed Sep 28, 2016 5:11 pm

Any ideas, guys?

Client is running OpenVPN 2.3.2; config is as follows:
client
daemon
auth-user-pass /etc/openvpn/auth.txt
ca /etc/openvpn/ca.txt

dev tun
proto tcp
cipher aes-256-cbc
remote x.x.x.x 1194

tun-mtu 1280

route-delay 2
nobind
persist-key
persist-tun
resolv-retry infinite
pull
keepalive 10 60
 
jrpaz
Frequent Visitor
Posts: 89
Joined: Wed Jun 05, 2013 5:54 am

Re: Linux Client unable to connect via OpenVPN since 6.36

Sat Oct 01, 2016 7:10 am

I would suggest you generate new certificates at 2048 vs 1024. Did that and have not encountered any issues.
 
christopherve7alb
newbie
Topic Author
Posts: 26
Joined: Wed Aug 07, 2013 7:15 pm

Re: Linux Client unable to connect via OpenVPN since 6.36

Wed Oct 12, 2016 1:45 am

Thanks for the suggestion. I've generated a new server certificate from my CA of 2048 bits and installed it on the router. After confirming all my OpenVPN connections came up I updated the router to 6.37.1 but am noticing the same issue. Did you have to re-issue new client certificates as well?
 
ezanolin
just joined
Posts: 23
Joined: Sat Feb 25, 2006 2:15 pm

Re: Linux Client unable to connect via OpenVPN since 6.36

Fri Oct 28, 2016 3:40 pm

Just posted a response on something similar.

See this post: http://forum.mikrotik.com/viewtopic.php?f=1&t=113921

Maybe it helps, maybe it doesn't.
