gsloop
Member Candidate
Topic Author
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

OpenVPN and importing certs

Fri Aug 03, 2012 9:41 am

First - can someone re-work the Wiki page - it's horrible! [For "supported" stuff, you'd think a reasonably well done Wiki page for docs would be a good idea.]

I'm having a terrible time "importing" the certs.

I've generated the certs twice and can't get them imported.
I'm creating my own CA and then signing and generating my own certs/keys. [Ubuntu 12.04, and following the docs for generating OpenVPN certs from OpenVPN.net]

So, I build them like this:
./clean-all
./build-ca

Then
./build-key-server ovpnserver
For common name, I use ovpnserver, same for name.
I use no challenge passphrase. [At least the first time, the second time I did.]

I take the three files, ca.crt ovpnserver.crt and ovpnserver.key and get them onto the RB.
Then I try to import them

I can import ca.crt file into the RB
I can import the ovpnserver.crt file
But I can't import the ovpnserver.key file.
It asks for the decryption key [which on the first pass was blank, and entered the correct pass-key the second time, but in both cases it won't import it.]

Again, the first try, I generated server.key without any challenge password.
When it wouldn't import, claiming a wrong passphrase, I started over and generated them with passphrases, but got the same result.

So, obviously if I can't get the certs imported, I'm stuck.

So, any better walk-through for docs, or some *specific* tips on what might be wrong with the certs?
[And I've done searches here and on Google to see if someone has had a similar experience. I did find one post with the exact same problem, but no one responded to his post and he abandoned MikroTik and got it working in native Linux - so no go there...]


-Greg
 
burn3r
just joined
Posts: 1
Joined: Thu Aug 09, 2012 9:17 am
Location: Espoo, Finland

Re: OpenVPN and importing certs

Thu Aug 09, 2012 9:22 am

Try converting the .key file to .pem format:
openssl rsa -in filename.key -out filename.pem

It should then import properly. I also had this issue when I first tried to import certificates.
 
gsloop
Member Candidate
Topic Author
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: OpenVPN and importing certs

Fri Aug 10, 2012 9:18 pm

Perhaps that will work, but I just copied the text output of the key and crt and then imported those. They imported fine, with no need for a password and all was well.

However, IMO, consider OpenVPN completely DEAD on RouterOS. They can't seem to care enough to do even the most basic things - like produce their own documentation. Instead they "crowd-source" it and pass the buck off to us.

The result is OpenVPN that doesn't have any reasonable and current documentation - and it costs us again, because we spend HOURS trying stuff till something works.

OpenVPN doesn't support LZO compression or UDP either. Both really key features!

So, IMO, it's very misleading to claim that RoS supports OpenVPN. They really don't, and their actions show it.

If you're lucky, you might be able to figure out how to jam the thing together and get it to work, at least a little, in some cases, with very limited interop, [<sarcasm> on Thursdays, in November, if your name is Fritzy </sarcasm>] - but most of the time you're going to be going crazy trying to get it to work - and MikroTik isn't going to do much to help.

[If they can't even be bothered to do docs, how do you think they're going to respond when you have a problem?]

So, for anyone who's trying to generate certs for OpenVPN: Think long and hard. Can you do it without OpenVPN, say IPSec or SSTP [which seems to have problems too, at the time this was written] or L2TP - you'll probably be happier - and you'll almost certainly spend less time doing it.

[I abandoned OpenVPN for my Roadwarrior VPN clients. Really lousy AND erratic throughput performance in my test-bench setup. See: http://forum.mikrotik.com/viewtopic.php?f=2&t=64628

Given everything else, I eventually gave up and tried L2TP, which works, mostly OK. Perhaps my test bench was screwed, I don't know. Given, again, the horrible OpenVPN docs, it's really hard to know. But that same test-bed setup produced vastly better/solid L2TP benchmarks, along with IPSec and PPTP.]

If you just *MUST* use OpenVPN and are still trying to get your certs imported, just realize that my solution was to dump the cert/key out to text and create a new crt and key from that text and import that into RB. [And by dumping the key out to text, you lose any protection on that key-file - which is bad. So, if the PEM idea works, then that would be better.]

That worked. Perhaps using PEM will work too, I just don't know. [And RB certainly doesn't give you a lot of feedback on what's wrong - which would be mighty helpful in the case where no good docs exist.]

-Greg
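
An added example (not from either poster, and not MikroTik or OpenVPN code): a shell helper that reads the PEM header of a key file to report its encoding and whether it is passphrase-protected, which shows what the `openssl rsa -in filename.key -out filename.pem` conversion and the copy-as-text workaround discussed above leave on disk. The function names and sample files are constructed for illustration; the samples contain headers only, no key material.

```shell
#!/bin/sh
# Added example: report how a PEM private key is encoded and whether the
# file is passphrase-protected, judged only from its PEM header lines.

key_format() {   # prints pkcs8-encrypted | pkcs8-plain | rsa-encrypted | rsa-plain | unknown
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-plain
    elif grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # The traditional format flags encryption inside the block.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo rsa-encrypted
        else
            echo rsa-plain
        fi
    else
        echo unknown
    fi
}

# True (exit 0) when the key is unencrypted AND group/other have any access.
key_exposed() {
    case $(key_format "$1") in
        *-plain) ;;
        *) return 1 ;;
    esac
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other bits of the mode string
    [ "$perms" != "------" ]
}

# Constructed sample files (headers only, placeholder body).
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.pem"
    chmod 600 "$1/enc.key"; chmod 644 "$1/plain.pem"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp"/enc.key "$tmp"/plain.pem; do
    printf '%s: %s\n' "${f##*/}" "$(key_format "$f")"
done
key_exposed "$tmp/plain.pem" && echo "plain.pem: unencrypted and readable by others; chmod 600"
rm -rf "$tmp"
```

A key reported as `rsa-plain` or `pkcs8-plain` has no passphrase, so file permissions and the transfer channel are the only protection it has on its way to the router.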
