Configuring OpenVPN

require-client-certificate was the problem. That doesn’t seem to work yet. Once set to “no”, both Linux and RouterOS clients will connect.

Bugger. Anyhow, I’ve updated the Wiki article at http://wiki.mikrotik.com/wiki/OpenVPN, so it should cover all angles and hopefully also the potholes now.

/Martin

acidbits : How do you get openvpn to work with usernames & passwords?
Currently i have a working solution that lets clients connect with their certificates only.

However it seems MT doesn't allow you to NOT specify a username!

Hi!
I have the Linux server oVPN working fine. Linux and Windows clients are connecting successfully. I’m not able to connect with the ROS client. Please can you give me a short walk-through on how to make it work? I know there are more people that would be happy to read it.

Thank you for help.

I still cannot get openvpn client connecting to a unix/linux openvpn server.

It seems I still cannot create a client without specifying a user-name!
I don’t use user names/passwords, only certificates.



yesss, only username+password, no certificates

or
username+password+certificate

Unfortunately that would require a redo of the server and loss of current clients…

These updates are now out of date and I have corrected one obvious mistake I found. However…

The command ‘/interface ovpn-server server [name] cipher=none’ is invalid as on the server, ‘none’ is not a valid option for ‘cipher’ in ROS 3.29 or 3.30. It is a valid option on the client though, so I assume that this is a bug and have e-mailed support accordingly.

I’ve followed the WIKI and I’m having similar problems when I try to get my ROS OVPN Client (v3.30) to speak to my ROS OVPN Server (v3.30).

I get the following error: terminating … TLS Handshake Failed

I don’t understand where I’m going wrong. PLEASE HELP !!!

Kindly see my configuration below:



SERVER SIDE CONFIGURATION

/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38

/ppp profile add change-tcp-mss=default comment="" local-address=10.15.32.33
name="PROFILE" only-one=default remote-address=ovpn-pool
use-compression=default use-encryption=required use-vj-compression=default

/ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0
limit-bytes-out=0 name="username" password="password"
routes="" service=ovpn


/interface ovpn-server server set auth=sha1,md5
cipher=blowfish128,aes128,aes192,aes256 default-profile=PROFILE
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29
port=443 require-client-certificate=no


FIREWALL RULE TO ALLOW ACCESS:

ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=443 protocol=tcp

CLIENT CONFIGURATION:

/interface ovpn-client
add name="ovpn-out1" connect-to=W.X.Y.Z port=443 mode=ip user="username" password="password" profile=default
certificate=none cipher=aes256 add-default-route=no

Default profile on client side is no encryption. You are requiring encryption on the server side. Can't negotiate encryption if one side isn't configured to use it.

That'd be my guess..

As far as I understand the “cipher= xxxx” is where we would enable encryption or not.

I have encryption on both the Server and Client side:

/interface ovpn-server server set auth=sha1,md5
cipher=blowfish128,aes128,aes192,aes256 default-profile=PROFILE
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29
port=443 require-client-certificate=no


FIREWALL RULE TO ALLOW ACCESS:

ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=443 protocol=tcp

CLIENT CONFIGURATION:

/interface ovpn-client
add name="ovpn-out1" connect-to=W.X.Y.Z port=443 mode=ip user="username" password="password" profile=default
certificate=none cipher=aes256 add-default-route=no

Yeah, I just tried it. It doesn't matter for OVPN.

Did you try putting a cert in on the server? I never have run w/o a cert on the server before.

On a server you need CA and “server” certificates, otherwise OVPN will not work.

I’ve put a cert on the server, and on the client and still nothing.

Can someone show me their working config, I don’t know what I’m doing wrong here.

Additionally, I have an L2TP server running on the same box without any issues: clients are able to connect via L2TP without a problem. Just having a problem with OpenVPN.

PLEASE HELP, I’m getting my butt handed to me by this Mikrotik box … lol

Do you have a cert installed and assigned to the openvpn server AND the CA cert that signed it?

Yup, I used EASY-RSA Method prescribed in the Wiki.

This is what I have:

Kindly see below:

SERVER

ppp secret:

name="username" service=ovpn caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0

Ovpn Pool:

2 ovpn-pool 10.15.32.34-10.15.32.38

PPP Profile:

ppp profile print
Flags: * - default
0 * name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes

1 name="Beya_Voip" local-address=10.15.32.33 remote-address=ovpn-pool use-compression=default use-vj-compression=default
use-encryption=required only-one=default change-tcp-mss=default

Ovpn-Server Server:
interface ovpn-server server print

enabled: yes
port: 443
mode: ip
netmask: 29
mac-address: FE:50:A6:C5:67:B9
max-mtu: 1500
keepalive-timeout: disabled
default-profile: Beya_Voip
certificate: cert1
require-client-certificate: yes
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256


CLIENT

interface ovpn-client print detail

Flags: X - disabled, R - running
0 name=“ovpn-out1” mac-address=FE:84:A8:9E:19:43 max-mtu=1500 connect-to=172.16.0.1 port=443 mode=ip user=“username”
password=“password” profile=default certificate=cert1 auth=sha1 cipher=aes256 add-default-route=no


LOG

21:43:01 ovpn,info TCP connection established from W.X.Y.Z
21:43:02 ovpn,info TCP connection established from W.X.Y.Z
21:43:05 ovpn,info TCP connection established from W.X.Y.Z
21:43:05 ovpn,info TCP connection established from W.X.Y.Z

PING from Client:

ping 10.15.32.33
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout

Your user is assigned to the default profile and the default profile doesn't have an IP pool. Assign the user to the Beya_Voip profile.

Ok, I've set my client profile to: Beya_Voip

ppp profile print
name="username" service=ovpn caller-id="" password="password" profile=Beya_Voip routes="" limit-bytes-in=0 limit-bytes-out=0


Still not working:

Can you post a working example.


CLIENT:

interface ovpn-client print detail
Flags: X - disabled, R - running
0 name="ovpn-out1" mac-address=FE:84:A8:9E:19:43 max-mtu=1500 connect-to=172.16.0.1 port=443 mode=ip user="username"
password="password" profile=default certificate=cert1 auth=none cipher=blowfish128 add-default-route=no



Client Logs:

16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:33 ovpn,info TCP connection established from 172.16.0.254



Server Logs:

16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:33 ovpn,info TCP connection established from 172.16.0.254



SERVER CONFIG

ppp profile print
Flags: * - default
0 * name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes

1 name="Beya_Voip" local-address=10.15.32.33 remote-address=ovpn-pool use-compression=default use-vj-compression=default
use-encryption=required only-one=default change-tcp-mss=default


ppp secret print
Flags: X - disabled

NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS

6 username ovpn password Beya_Voip


ip pool print

NAME RANGES

2 ovpn-pool 10.15.32.34-10.15.32.38


interface ovpn-server server print
enabled: yes
port: 443
mode: ip
netmask: 29
mac-address: FE:50:A6:C5:67:B9
max-mtu: 1500
keepalive-timeout: disabled
default-profile: Beya_Voip
certificate: cert1
require-client-certificate: yes
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256

Default profile is “Customer” which is for people authenticated via RADIUS. Irrelevant here, but I included it just so it made sense.


/ppp profile
add change-tcp-mss=no comment="" local-address=10.0.0.1 name=PSGVPN only-one=
no use-compression=no use-encryption=required use-vj-compression=no
add change-tcp-mss=no comment="" local-address=10.16.128.1 name=Customer
only-one=no use-compression=no use-encryption=required
use-vj-compression=no

/interface ovpn-server server
set auth=sha1 certificate=fw-1 cipher=aes128,aes192,aes256 default-profile=
Customer enabled=yes keepalive-timeout=60 mac-address=FE:1D:10:11:78:AB
max-mtu=1500 mode=ip netmask=32 port=1194 require-client-certificate=yes

/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0
name=someone password=something profile=PSGVPN remote-address=
10.0.0.2 routes="" service=ovpn

And for the client:

/ppp profile
set default-encryption change-tcp-mss=default comment="" name=
default-encryption only-one=default use-compression=default
use-encryption=required use-vj-compression=default
/interface ovpn-client
add add-default-route=no auth=sha1 certificate=usercert cipher=aes256
comment="" connect-to=1.2.3.4 disabled=no mac-address=
00:00:00:00:00:00 max-mtu=1500 mode=ip name=ovpn-out1 password=
somepass port=1194 profile=default-encryption user=someuser
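As an added illustration, not code from this thread or from MikroTik, here is a small Python checker that reads one-line RouterOS add/set commands for the server, its ppp profiles and secret, and the client, and reports the mismatches this thread turned on: no shared auth or cipher value, a server that requires a client certificate while the client has certificate=none, a port mismatch, and a user whose profile assigns no local or remote address. The function names and the cfg dictionary layout are my own; the sample values are transcribed from the failing and working posts above and shortened to the keys the checks need.

```python
import re

# RouterOS key=value tokens; values may be double-quoted (name="Beya_Voip")
KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')


def parse_kv(line):
    """Turn one RouterOS add/set/print line into a dict of its key=value pairs."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def csv(value):
    """Split a comma-separated RouterOS list such as cipher=aes128,aes256."""
    return {v for v in value.split(",") if v}


def check(cfg):
    """Return [(code, message), ...] for every client/server mismatch found.

    cfg holds 'server' (the ovpn-server server line), 'profiles' (a list of
    ppp profile lines), 'secret' (the ppp secret line for the connecting user)
    and 'client' (the ovpn-client line on the connecting router).
    """
    srv = parse_kv(cfg["server"])
    cli = parse_kv(cfg["client"])
    sec = parse_kv(cfg["secret"])
    profiles = {p["name"]: p for p in map(parse_kv, cfg["profiles"])}
    findings = []

    # The server lists every HMAC and cipher it accepts; the client offers one
    # of each, so the offered value has to appear in the server's list.
    for key in ("auth", "cipher"):
        if key in cli and cli[key] not in csv(srv.get(key, "")):
            findings.append((key, f"client offers {cli[key]!r}, server accepts {srv.get(key)!r}"))

    # require-client-certificate=yes against certificate=none on the client
    # leaves the TLS handshake with nothing to verify.
    if srv.get("require-client-certificate") == "yes" and cli.get("certificate", "none") == "none":
        findings.append(("certificate", "server requires a client certificate but the client has none assigned"))

    if cli.get("port") != srv.get("port"):
        findings.append(("port", f"client connects to {cli.get('port')}, server listens on {srv.get('port')}"))

    # Address assignment: the secret's own profile wins over the server's
    # default-profile; the tunnel needs a local-address and a remote-address
    # (or pool) from the secret or from that profile.
    profile_name = sec.get("profile") or srv.get("default-profile")
    prof = profiles.get(profile_name, {})
    if not (sec.get("remote-address") or prof.get("remote-address")):
        findings.append(("remote-address",
                         f"secret {sec.get('name')!r} uses profile {profile_name!r}, which has no remote-address or pool"))
    if not (sec.get("local-address") or prof.get("local-address")):
        findings.append(("local-address", f"profile {profile_name!r} has no local-address"))
    return findings


# Constructed sample: the last failing setup posted in the thread.
FAILING = {
    "server": "/interface ovpn-server server set enabled=yes port=443 mode=ip "
              "default-profile=Beya_Voip certificate=cert1 require-client-certificate=yes "
              "auth=sha1,md5 cipher=blowfish128,aes128,aes192,aes256",
    "profiles": [
        '/ppp profile add name="default" use-encryption=default',
        '/ppp profile add name="Beya_Voip" local-address=10.15.32.33 remote-address=ovpn-pool use-encryption=required',
    ],
    "secret": '/ppp secret add name="username" password="password" service=ovpn profile=default',
    "client": '/interface ovpn-client add name="ovpn-out1" connect-to=172.16.0.1 port=443 mode=ip '
              'user="username" password="password" profile=default certificate=none '
              'auth=none cipher=blowfish128 add-default-route=no',
}

# Constructed sample: the working setup posted as the reference example.
WORKING = {
    "server": "/interface ovpn-server server set auth=sha1 certificate=fw-1 cipher=aes128,aes192,aes256 "
              "default-profile=Customer enabled=yes mode=ip netmask=32 port=1194 require-client-certificate=yes",
    "profiles": [
        "/ppp profile add local-address=10.0.0.1 name=PSGVPN use-encryption=required",
        "/ppp profile add local-address=10.16.128.1 name=Customer use-encryption=required",
    ],
    "secret": "/ppp secret add name=someone password=something profile=PSGVPN remote-address=10.0.0.2 service=ovpn",
    "client": "/interface ovpn-client add auth=sha1 certificate=usercert cipher=aes256 connect-to=1.2.3.4 "
              "mode=ip name=ovpn-out1 password=somepass port=1194 profile=default-encryption user=someuser",
}

if __name__ == "__main__":
    for label, cfg in (("failing", FAILING), ("working", WORKING)):
        print(label, check(cfg) or "no mismatches found")
```

Run it as a script to see the four findings on the failing pair and a clean result on the working pair; to use it on your own routers, paste the relevant export lines into the four cfg entries. The checks only cover what the two routers must agree on at the RouterOS level; a handshake can still fail for reasons outside these lines, such as a CA that did not sign the presented certificate.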

Following your example it worked !!!

I had to reboot my RB450 (not too sure why) before it started working.

I now have two clients configured for it.

Thanks a million.

For a second there I was losing hope in this forum … :wink:

Thanks again.