Configuring OpenVPN

Can someone please post a how-to on configuring the OpenVPN server on RouterOS and then the client side? Specifically, does RouterOS generate the certificate? The whole process would be nice.

Thanks in advance…

The RouterOS router does not generate the certificate; you have to use your own certificate, import it at /certificate, and decrypt it with 'certificate decrypt'.

Client mode has the following configuration options
(“interface ovpn-client”):
connect-to:
port:
user:
password:
certificate: If server is asking for private certificate.
auth: HMAC algorithm to use.
cipher: make sure it is matching the server side configuration.
mode: configuration for encapsulation options, also it should match server side configuration.
mac-address: interface mac-address, if mode=ethernet
profile:
add-default-route:

Note that currently only TCP tunnels are supported.

I am really more interested in the server side for OpenVPN on RouterOS. It does not seem like there is a provision for user auth on the server side. How do you make sure that the OpenVPN server is only allowing specified users? Is the certificate the only method of authorization?

Thanks Again…

As far as I know you may specify clients at ‘ppp profile’, in the same way as for PPTP, L2TP.

OpenVPN server options (“interface ovpn-server server”):
enabled:
port:
mode:
netmask:
mac-address: server interface mac-address
max-mtu:
keepalive-timeout:
default-profile: ppp profile
certificate: server certificate
require-client-certificate: if certificate should be used on client
auth:
cipher:

Anybody got this Up and running?
When I connect to Router OS 3.0 rc4 in server mode I receive this error:

Tue Sep 04 16:43:29 2007 us=462832 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 04 16:43:29 2007 us=463073 TLS Error: TLS handshake failed

No need to tell you that network connectivity is not the problem.
For me the main problem is that I actually have no clue how to configure the server side.

Is there some type of docu out there?

Or does anybody out there at least have a working set of RouterOS server and PC client?
Windows or Linux should not be the issue since the config is the same.

Thanks
Ekkehard

Ekkehard,
post your configuration here from Open-VPN server,
what OS is used on the client side ?

Hope that is all the relevant stuff.
Client OS is Windows 2000 with OpenVPN 2.0.7

Thanks
Ekkehard


/ip pool
add name="vpn_pool1" ranges=192.168.224.2-192.168.224.250

/ppp profile
set default change-tcp-mss=yes comment="" name="default" only-one=default \
    use-compression=default use-encryption=default use-vj-compression=default
add change-tcp-mss=yes comment="" local-address=192.168.224.1 name="openvpn" \
    only-one=default remote-address=vpn_pool1 use-compression=default \
    use-encryption=required use-vj-compression=default

/interface ovpn-server server
set auth=sha1,md5 certificate=home.dev-null.de \
    cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn \
    enabled=yes keepalive-timeout=60 mac-address=FE:F1:BB:9B:A4:AC \
    max-mtu=1400 mode=ip netmask=32 port=1194 require-client-certificate=yes

I was looking at this and am getting similar errors. I've tried to set things up as Ekkehard did and see exactly the same issue. Release is RouterOS 3.0rc4.

Could anyone post a working server setup (Mikrotik being the server ?). Might shed a bit more light into things.

In my case the client is Debian and OpenVPN 2.09

/Martin

It seems that MT needs TLS, otherwise it will kill the connection after 1 minute.
You have to set up OpenVPN on the Linux side with TLS.
It seems that MT currently only supports pkcs12 certificates for OpenVPN.

Simple how-to (Debian as server, MT as client):

copy easy-rsa to /etc/openvpn:

cp /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa

edit the file vars:

vi vars

import vars and build-ca

. ./vars
./clean-all
./build-ca # set "OpenVPN-CA" as common name (or anything else you want as CN)
./build-key-server # set "server" as common name (or anything else you want as CN)
./build-dh

build cert for client1 (MT):

./build-cert-pkcs12 client1 # set "client1" as common name (or anything else you want as CN)

copy keys/client1.* to MT and import the client1.p12

add this to your OpenVPN config on Debian:
cipher BF-CBC
auth SHA1
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
proto tcp-server # MT currently only supports tcp

MT needs OpenVPN to assign IP addresses:

server 192.168.10.0 255.255.255.0

On MT set the same cipher and auth as above and set the cert to the first cert which was created after import (the cert with the flags "KR" at /certificates).

Best regards,
Timo Schlegel

I'm testing the OpenVPN client on an RB133C with v3.0rc6. I know it's a beta, and it's the first time I've tried it. This version is extremely slow; surely it's a bug. It takes a long time to boot and establish the OpenVPN connection. Each time I enable/disable the OpenVPN client, or try to import a certificate, or whatever, RouterOS crashes.

As it is the first time I have tried it, and I went straight to trying OpenVPN, I don't know if this issue comes from OpenVPN or is "normal" for this beta running on the RB133C.

a.

Has anyone done it the other way around, MT as server and Linux as client?

I can open a connection but I can not ping MT and the client doesn’t receive an IP from the router.

No, I've just tested MT as client and a Linux box as server, and it works.

a.

This is good for you but doesn't help me :)

Here is my linux config:

  dev tun0
  proto tcp-client
  ifconfig 10.10.11.34 10.10.11.33 #because I don't receive an IP address

  remote mt.fqdn.tld 1194

  ca /etc/ssl/certs/root.pem #CAcert root certificate
  cert client.cert
  key  client.key

  tls-client
  tls-remote mt.fqdn.tld

  port 1194

  user nobody
  group nogroup

  comp-lzo

  ping 15
  ping-restart 45
  ping-timer-rem
  persist-tun
  persist-key

  mute-replay-warnings
  verb 3

MT config

/interface ovpn-server 
add comment="" disabled=no name="ovpn-in1" user="" 
/interface ovpn-server server 
set auth=sha1,md5 certificate=rb532 cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=profile1 enabled=yes keepalive-timeout=disabled \
    mac-address=FE:ED:07:A3:D1:17 max-mtu=1500 mode=ip netmask=32 port=1194 \
    require-client-certificate=yes 

/ppp profile 
set default change-tcp-mss=yes comment="" name="default" only-one=default \
    use-compression=default use-encryption=default use-vj-compression=default 
add bridge=lan change-tcp-mss=yes comment="" local-address=10.10.11.33 \
    name="profile1" only-one=default remote-address=10.10.11.34 \
    use-compression=default use-encryption=required use-vj-compression=default 
set default-encryption change-tcp-mss=yes comment="" name="default-encryption" \
    only-one=default use-compression=default use-encryption=yes \
    use-vj-compression=default 

/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 \
    protocol=tcp

Hopefully I added all relevant config.

Maybe you need to add this to your Linux config:

cipher BF-CBC
auth SHA1

I don’t have any rboard at home to test right now, sorry.

How do I have to configure the firewall to get MT as OpenVPN server running?

As I could test with two RouterOS boxes, the firewall isn't a problem. Two RouterOS boxes connect fine.

Is it possible that OpenVPN Server on RouterOS is waiting for a username? Can I send a username from OpenVPN Client running on Linux?

Finally I got OpenVPN working to the point where I have a registered connection. I also get an IP address. Now I have to find out how to ping across the two routers.

Here are my linux client settings:

  dev tun0
  proto tcp-client

  remote example.com 1194

  ca root.pem
  cert client.cert
  key  client.key

  tls-client
  tls-remote example.com

  port 1194

  user nobody
  group nogroup

  comp-lzo

  ping 15
  ping-restart 45
  ping-timer-rem
  persist-tun
  persist-key

  mute-replay-warnings

  verb 3

  cipher AES-256-CBC
  auth SHA1
  pull

  auth-user-pass auth.conf

Inside auth.conf you have to enter the username on the first line and, on the second line, the password of the user you want to log in as.

I hope this will help someone else.
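The recurring cause of "TLS handshake failed" in this thread is a client config that does not line up with the RouterOS server: UDP instead of TCP, no TLS mode, a cipher or HMAC the server does not offer, a missing client certificate, tun/tap not matching mode=ip/ethernet, or no username/password. The following is an added example of mine, not code from this thread, MikroTik or the OpenVPN project: a Python script that parses an `/interface ovpn-server server` export and an OpenVPN client .conf and reports those mismatches before you connect. The RouterOS-to-OpenVPN cipher/auth name mapping is assumed from the pairs that worked in the posts above (blowfish128 with BF-CBC, aes256 with AES-256-CBC), the sample configs are constructed, and the auth-user-pass check reflects what made the working config above connect rather than a documented requirement.

```python
"""Cross-check an OpenVPN client .conf against a RouterOS ovpn-server export.

Added example (not from the thread, MikroTik or OpenVPN). Flags the mismatches
that produced "TLS handshake failed" in this thread before you connect.
"""
import re

# RouterOS cipher/auth names -> OpenVPN directive values. Assumed from the pairs
# that worked in the thread (blowfish128 <-> BF-CBC, aes256 <-> AES-256-CBC).
ROS_CIPHER = {"blowfish128": "BF-CBC", "aes128": "AES-128-CBC",
              "aes192": "AES-192-CBC", "aes256": "AES-256-CBC"}
ROS_AUTH = {"sha1": "SHA1", "md5": "MD5"}


def parse_routeros_export(text):
    """key=value pairs of the 'set ...' line of '/interface ovpn-server server',
    after joining the backslash-continued lines RouterOS exports."""
    joined = re.sub(r"\\[ \t]*\n\s*", " ", text)
    for line in joined.splitlines():
        if line.strip().startswith("set "):
            return {k: v.strip('"')
                    for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}
    return {}


def parse_openvpn_config(text):
    """{directive: argument string}; comments stripped, last occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def check(client, server):
    """Return [(code, message)] for every incompatibility found."""
    issues = []
    proto = client.get("proto", "udp")                     # OpenVPN default is UDP
    if not proto.startswith("tcp"):
        issues.append(("proto", f"proto {proto}: RouterOS 3.0 ovpn-server is TCP only, use 'proto tcp-client'"))
    if "tls-client" not in client and "client" not in client:
        issues.append(("tls", "no tls-client/client: RouterOS needs TLS, static-key peers are dropped after 60 s"))
    offered = [ROS_CIPHER.get(c, c.upper()) for c in server.get("cipher", "").split(",") if c]
    cipher = client.get("cipher", "BF-CBC").upper()        # OpenVPN 2.0 default cipher
    if cipher not in offered:
        issues.append(("cipher", f"cipher {cipher} not in server list {offered}"))
    auths = [ROS_AUTH.get(a, a.upper()) for a in server.get("auth", "").split(",") if a]
    auth = client.get("auth", "SHA1").upper()              # OpenVPN 2.0 default HMAC
    if auth not in auths:
        issues.append(("auth", f"auth {auth} not in server list {auths}"))
    if server.get("require-client-certificate") == "yes" and not all(k in client for k in ("cert", "key")):
        issues.append(("cert", "server has require-client-certificate=yes but client has no cert/key"))
    want = "tun" if server.get("mode", "ip") == "ip" else "tap"   # mode=ip -> tun, mode=ethernet -> tap
    if not client.get("dev", "").startswith(want):
        issues.append(("dev", f"server mode={server.get('mode', 'ip')} needs 'dev {want}'"))
    remote = client.get("remote", "").split()
    port = remote[1] if len(remote) > 1 else client.get("port", "1194")
    if port != server.get("port", "1194"):
        issues.append(("port", f"client talks to port {port}, server listens on {server.get('port', '1194')}"))
    if "auth-user-pass" not in client:                     # what made the post above work
        issues.append(("user", "no auth-user-pass: RouterOS wants a PPP username/password (/ppp secret)"))
    return issues


def check_text(client_text, server_text):
    return check(parse_openvpn_config(client_text), parse_routeros_export(server_text))


# Constructed samples modelled on this thread's posts (not copied verbatim).
ROS_SERVER_EXPORT = """\
/interface ovpn-server server
set auth=sha1,md5 certificate=rb532 cipher=blowfish128,aes128,aes192,aes256 \\
    default-profile=profile1 enabled=yes keepalive-timeout=disabled \\
    mac-address=FE:ED:07:A3:D1:17 max-mtu=1500 mode=ip netmask=32 port=1194 \\
    require-client-certificate=yes
"""
BROKEN_CLIENT = "dev tap\nproto udp\nremote mt.fqdn.tld 1195\nca root.pem\ncipher DES-EDE3-CBC\nauth SHA256\ncomp-lzo\n"
WORKING_CLIENT = """\
dev tun0
proto tcp-client
remote example.com 1194
ca root.pem
cert client.cert
key client.key
tls-client
tls-remote example.com
comp-lzo
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass auth.conf
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CLIENT), ("working", WORKING_CLIENT)):
        issues = check_text(cfg, ROS_SERVER_EXPORT)
        print(f"{name}: {len(issues)} issue(s)")
        for code, msg in issues:
            print(f"  [{code}] {msg}")
```

Run it against your own `/interface ovpn-server server export` output and client .conf; the broken sample trips every check, the working one (the config from the post above) passes clean. The parser only handles the directives checked here, so a `config` include or `<ca>` inline block would need extra handling.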

You can make a wiki article on this if you are sure it works every time :) Also write the RouterOS config there. Go here:

http://wiki.mikrotik.com/wiki/OpenVPN

and hit the Edit button (after logging in)

Sure, I will do this as soon as I have fixed the ping issues.

I've tried to get OpenVPN going properly for a while now. RouterOS client to Linux server: no problem. But RouterOS client to RouterOS server always ends up with:

00:08:57 ovpn,info TCP connection established from 192.168.0.2
00:08:57 ovpn,info : dialing…
00:08:58 ovpn,info : terminating… - TLS handshake failed
00:08:58 ovpn,info : disconnected

The same RouterOS client has no problems connecting to a Linux OpenVPN server without configuration change.

I then tried to follow the wiki, that pingus has put together. Still NO GO. Both boxes are now 3.0rc9, still with those issues (were 3.0rc5 before).

Anyhow, I've sent supout.rif files from both boxes to support; let's see what they come up with.

/Martin