Stefgrifon
just joined
Topic Author
Posts: 8
Joined: Wed Apr 03, 2024 3:07 pm

OpenVpn Client W11 Unable to connect to OpenVpn Server RB4011iGS+

Mon Apr 08, 2024 4:33 pm

Hello,
I created an OpenVpn server on RB4011iGS+ (I attached the file with settings)
Mikrotik.txt
I created the settings for OpenVPN as follows:
dev tun
proto udp
remote xxx.xx.xxx 1194
tun-mtu 1500
tls-client
remote-cert-tls server
nobind
cipher AES-256-GCM
ping 15
ping-restart 45
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert OpenVpncClient.crt
key OpenVpncClient.key
auth SHA1
auth-user-pass secret.key
pull
auth-nocache
verb 3
mute 10
topology subnet
connect-retry 1
reneg-sec 3600


I received these errors from VPN Client:
vpnClient.txt
Can you please help me find what mistake I'm making?
It's my second day of trying. :)

Thanks in advance!
 
own3r1138
Long time Member
Posts: 689
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Tue Apr 09, 2024 11:54 am

2024-04-08 15:15:38 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-04-08 15:15:38 TLS Error: TLS handshake failed

cipher AES-256-GCM
auth SHA1

cipher AES-256-GCM
data-ciphers AES-256-GCM
auth none
 
Stefgrifon
Tue Apr 09, 2024 12:51 pm

2024-04-08 15:15:38 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-04-08 15:15:38 TLS Error: TLS handshake failed

cipher AES-256-GCM
auth SHA1

cipher AES-256-GCM
data-ciphers AES-256-GCM
auth none
Thanks for your help!
Unfortunately, the problem with TLS remains. Please see the log:
log.log
Settings
dev tun
proto udp
remote MyPublicIP 1194
tun-mtu 1500
tls-client
remote-cert-tls server
nobind
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth none
ping 15
ping-restart 45
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert OpenVpncClient.crt
key OpenVpncClient.key
auth-user-pass secret.key
pull
auth-nocache
verb 3
mute 10
topology subnet
connect-retry 1
reneg-sec 3600
 
own3r1138
Tue Apr 09, 2024 12:58 pm

This should be fixed at the OVPN server too.
 
Stefgrifon
Tue Apr 09, 2024 2:36 pm

This should be fixed at the OVPN server too.
Hello,

I have tried this scenario:
https://prnt.sc/lr473eFF2ouE
and I got these TLS errors:
1.log
I also tried this scenario:
https://prnt.sc/h6Vy7vshCnnm
and I got these TLS errors:
log2.log
Do I need to change anything else?
 
own3r1138
Tue Apr 09, 2024 3:11 pm

Well, it seems as if your ROS is an older version that supports TCP protocol only. It doesn't support GCM as your client profile.
Last edited by own3r1138 on Tue Apr 09, 2024 4:29 pm, edited 1 time in total.
 
Stefgrifon
Tue Apr 09, 2024 4:01 pm

Well, it seems as your ROS is an older version which supports TCP protocol only. It doesn't support GCM as you client profile.
If I use TCP, then I get this error on my MikroTik:
ovpn, debug, error, l2tp,l2tp, info Message: duplicate packet, dropping
https://prnt.sc/1hfDBBTK4lxW

and these errors on the client:
2024-04-09 14:49:04 OpenVPN 2.6.10 [git:v2.6.10/ba0f62fb950c56a0] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Mar 20 2024
2024-04-09 14:49:04 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-04-09 14:49:04 library versions: OpenSSL 3.2.1 30 Jan 2024, LZO 2.10
2024-04-09 14:49:04 DCO version: 1.0.1
2024-04-09 14:49:04 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2024-04-09 14:49:04 Need hold release from management interface, waiting...
2024-04-09 14:49:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52067
2024-04-09 14:49:04 MANAGEMENT: CMD 'state on'
2024-04-09 14:49:04 MANAGEMENT: CMD 'log on all'
2024-04-09 14:49:04 MANAGEMENT: CMD 'echo on all'
2024-04-09 14:49:04 NOTE: --mute triggered...
2024-04-09 14:49:04 5 variation(s) on previous 10 message(s) suppressed by --mute
2024-04-09 14:49:04 MANAGEMENT: >STATE:1712666944,RESOLVE,,,,,,
2024-04-09 14:49:04 TCP/UDP: Preserving recently used remote address: [AF_INET]MyPublicAddress:1194
2024-04-09 14:49:04 ovpn-dco device [OpenVPN Data Channel Offload] opened
2024-04-09 14:49:04 TCP_CLIENT link local: (not bound)
2024-04-09 14:49:04 TCP_CLIENT link remote: [AF_INET]MyPublicAddress:1194
2024-04-09 14:49:04 MANAGEMENT: >STATE:1712666944,WAIT,,,,,,
2024-04-09 14:49:05 MANAGEMENT: >STATE:1712666945,AUTH,,,,,,
2024-04-09 14:49:05 TLS: Initial packet from [AF_INET]MyPublicAddress:1194, sid=04e62d9d e3263d40
2024-04-09 14:49:05 VERIFY OK: depth=1, C=se, ST=ups, L=Creta, O=Grf, OU=skase, CN=CA
2024-04-09 14:49:05 VERIFY KU OK
2024-04-09 14:49:05 NOTE: --mute triggered...
2024-04-09 14:49:32 4 variation(s) on previous 10 message(s) suppressed by --mute
2024-04-09 14:49:32 Closing DCO interface
2024-04-09 14:49:32 SIGTERM[hard,] received, process exiting
2024-04-09 14:49:32 MANAGEMENT: >STATE:1712666972,EXITING,SIGTERM,,,,,
 
own3r1138
Tue Apr 09, 2024 4:14 pm

Protocol TCP Auth sha1 Cipher AES-CBC with any key size. This setting must be the same on the server and the client profile.
 
Stefgrifon
Wed Apr 10, 2024 8:54 am

Protocol TCP Auth sha1 Cipher AES-CBC with any key size. This setting must be the same on the server and the client profile.
Hello,

I tried this way:
Server: https://prnt.sc/sL8eirZp4Ima
Client:
auth sha1
cipher AES-CBC
data-ciphers AES-CBC
I get this error:
2024-04-10 07:35:55 Unsupported cipher in --data-ciphers: AES-CBC
Options error: --data-ciphers list contains unsupported ciphers or is too long.
Use --help for more information.


I also tried this way:
dev tun
--proto tcp-client
remote Myip 1194
tun-mtu 1500
tls-client
remote-cert-tls server
nobind
auth sha1
cipher AES-256-GCM
data-ciphers AES-256-GCM
ping 15
ping-restart 45
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert OpenVpncClient.crt
key OpenVpncClient.key
auth-user-pass secret.key
pull
auth-nocache
verb 3
mute 10
topology subnet
connect-retry 1
reneg-sec 3600

I get this TLS error:
log2.log
 
own3r1138
Wed Apr 10, 2024 2:48 pm

Bro,
The version you are running doesn't support GCM ciphering. You could use CBC. However, you are missing the key size.
Protocol TCP Auth sha1 Cipher AES-CBC with any key size. This setting must be the same on the server and the client profile.
Wrong: cipher AES-CBC [at client profile]
Correct: cipher AES-256-CBC

Wrong: null [at OVPN server]

Here is a screenshot from a newer OVPN server that supports GCM ciphering and UDP protocol. I know for a fact that the implementation of OVPN in older ROS versions has some issues that will be fixed with an upgrade to newer releases if your device has enough resources for that.
Screenshot 2024-04-10 173907.png
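
A client-profile check for the constraints own3r1138 lists in this thread for the older RouterOS OVPN server (protocol TCP, auth sha1, AES-CBC with an explicit key size). This is an added example, not code from the thread or from MikroTik; the function names and the three sample profiles are constructed for illustration from directive lines posted above.

```python
import re

# Server-side constraints as stated in the thread for the older RouterOS OVPN
# server: protocol TCP, auth sha1, cipher AES-CBC with an explicit key size.
CBC_WITH_KEY_SIZE = re.compile(r"^AES-(128|192|256)-CBC$", re.IGNORECASE)

def parse_profile(text):
    """Map each directive of an .ovpn profile to its argument list."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        name, *args = line.split()
        options[name.lstrip("-")] = args       # a leading "--" is tolerated
    return options

def lint_profile(text):
    """Return findings; an empty list means the profile fits the constraints."""
    opts = parse_profile(text)
    findings = []
    proto = (opts.get("proto") or ["udp"])[0].lower()   # OpenVPN default: udp
    if not proto.startswith("tcp"):
        findings.append(f"proto {proto}: server accepts TCP only")
    auth = (opts.get("auth") or ["sha1"])[0].lower()    # OpenVPN default: SHA1
    if auth != "sha1":
        findings.append(f"auth {auth}: server expects sha1")
    if "cipher" not in opts:
        findings.append("cipher: not set, name an AES-<bits>-CBC cipher")
    for directive in ("cipher", "data-ciphers"):
        if directive not in opts:
            continue
        # data-ciphers is a colon-separated list; cipher is a single name.
        for name in ":".join(opts[directive]).split(":"):
            if not CBC_WITH_KEY_SIZE.match(name):
                findings.append(f"{directive} {name}: use AES-<128|192|256>-CBC")
    return findings

# Constructed samples that reuse directive lines posted in the thread.
FIRST_ATTEMPT = "proto udp\ncipher AES-256-GCM\nauth SHA1\n"
NO_KEY_SIZE = "--proto tcp-client\nauth sha1\ncipher AES-CBC\ndata-ciphers AES-CBC\n"
WITH_KEY_SIZE = "proto tcp-client\nauth sha1\ncipher AES-256-CBC\n"

if __name__ == "__main__":
    for label, profile in [("first attempt", FIRST_ATTEMPT),
                           ("no key size", NO_KEY_SIZE),
                           ("with key size", WITH_KEY_SIZE)]:
        print(label, "->", lint_profile(profile) or "ok")
```

The check only covers the client side; the same protocol, auth and cipher still have to be selected on the RouterOS OVPN server.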