Hi!
Today I set up a Mikrotik device as an OpenVPN client for a pfSense gateway.
All is OK, but I have one problem: tls-auth.
When I choose “Enable authentication of TLS packets.” in pfSense, the Mikrotik does not connect.
What is wrong?
Mikrotik config:
/interface ovpn-client print
Flags: X - disabled, R - running
0 R name="ovpn-out1" mac-address=02:F5:F7:FA:XX:XX max-mtu=1500
connect-to=83.X.X.X port=1194 mode=ip user="superman"
password="blablabla" profile=default certificate=superman auth=sha1
cipher=aes128 add-default-route=no
PFSense log:
Aug 28 14:53:34 openvpn[55144]: 1.8.14.2:47861 Fatal TLS error (check_tls_errors_co), restarting
Aug 28 14:53:34 openvpn[55144]: 1.8.14.2:47861 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]1.8.14.2:47861
Can you share your settings on pfSense and Mikrotik with just a dummy IP address and I will try to resolve your problem. We can exchange email: jollyrecto@gmail.com… I have experience with pfSense with OpenVPN but none on Mikrotik.
I am also trying to do this. I have quite a few pfSense VPNs that use IPsec and I’d like to switch them all over to OpenVPN and connect the Mikrotik VPNs to the main pfSense as well.
Things that got me up and running (on the Mikrotik hAPs):
Importing the certificate is relatively standard (.crt). I also imported the CA; not sure it’s needed.
The key should be imported in PEM format (“openssl rsa -in cert-key.key -out cert-key.pem”); the import is a necessary manual step, not automated. You should see KT in front of the cert after a successful import.
Compression (no pref) on pf.
TCP, not UDP.
Match crypto params: AES-128 + SHA1 or anything else.
Last but not least, a profile with local + remote IP in the PPP menu.
I have a working Mikrotik to pfSense tunnel via OpenVPN. This is not a full guide, but here are some steps to help you:
You must set up the VPN server on pfSense’s side using the “Remote Access (User Auth)” Server Mode. The reason for this is that Mikrotik requires usernames/passwords for OpenVPN operation. So you will need to add VPN users on pfSense’s side and use the login(s) from the Mikrotik device. I’m not going to cover SSL + User Auth as that will just add complexity right now.
TLS authentication (static keys) is not supported in RouterOS right now. Unfortunately this restricts you from being able to use the peer-to-peer modes directly. You need to ensure “Enable authentication of TLS packets” is unchecked on pfSense.
Due to constraints in this mode, you must use a /29 for your IPv4 tunnel network. Make sure you check “Allocate only one IP per client” in the topology section.
You will need to ensure the CA cert generated (if one doesn’t exist you will need it for Remote Access mode) is imported into your Mikrotik device. Note, you do NOT set this as the certificate in the Mikrotik OpenVPN client interface.
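The server-side symptom in the opening post, “cannot locate HMAC in incoming packet”, is what OpenVPN logs when tls-auth is enabled on the server and a client sends control-channel packets without the HMAC wrapper, which is exactly the RouterOS limitation described above. As an added example (not code from this thread or from pfSense/RouterOS), here is a small Python triage script that parses pfSense OpenVPN server log lines, keys them by remote peer, and labels the most specific cause seen per peer together with the fix discussed in the thread. The sample log is constructed: the two lines from the opening post plus two made-up lines (a generic handshake failure and a healthy connection) for contrast; the `SIGNATURES` table and cause names are my own choices, not OpenVPN identifiers.

```python
import re

# Constructed sample: the two pfSense lines from the thread plus two
# made-up lines (one unrelated TLS failure, one healthy connection).
SAMPLE_LOG = """\
Aug 28 14:53:34 openvpn[55144]: 1.8.14.2:47861 Fatal TLS error (check_tls_errors_co), restarting
Aug 28 14:53:34 openvpn[55144]: 1.8.14.2:47861 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]1.8.14.2:47861
Aug 28 14:55:02 openvpn[55144]: 203.0.113.7:51010 TLS Error: TLS handshake failed
Aug 28 14:56:10 openvpn[55144]: 203.0.113.9:40211 [client1] Peer Connection Initiated with [AF_INET]203.0.113.9:40211
"""

# syslog timestamp, process, "ip:port" of the remote peer, then the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) openvpn\[(?P<pid>\d+)\]: "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$"
)

# (substring to look for, cause label, remediation hint) -- labels and hints
# are assumptions made for this example, not OpenVPN's own terms.
SIGNATURES = (
    ("cannot locate HMAC in incoming packet", "tls_auth_mismatch",
     "server has 'Enable authentication of TLS packets' (tls-auth) on but the "
     "client sends unwrapped control packets; uncheck it for clients such as "
     "RouterOS that cannot send the HMAC"),
    ("TLS handshake failed", "tls_handshake_failed",
     "certificate/CA, cipher or auth digest mismatch; compare both sides"),
    ("Peer Connection Initiated", "connected", ""),
)


def parse_line(line):
    """Return a dict with ts/pid/peer/msg/cause/hint, or None if not an OpenVPN line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cause"], rec["hint"] = "other", ""
    for needle, cause, hint in SIGNATURES:
        if needle in rec["msg"]:
            rec["cause"], rec["hint"] = cause, hint
            break
    return rec


def triage(log_text):
    """Map each remote peer to the most specific cause seen for it.

    A generic line (e.g. 'Fatal TLS error ... restarting') is recorded as
    'other' only when nothing more specific has been seen for that peer, so
    the HMAC line wins regardless of ordering.
    """
    by_peer = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["cause"] != "other" or rec["peer"] not in by_peer:
            by_peer[rec["peer"]] = rec["cause"]
    return by_peer


def hint_for(cause):
    """Look up the remediation hint for a cause label ('' if none)."""
    for _, label, hint in SIGNATURES:
        if label == cause:
            return hint
    return ""


if __name__ == "__main__":
    for peer, cause in triage(SAMPLE_LOG).items():
        print(f"{peer:>20}  {cause:<22} {hint_for(cause)}")
```

Run against a real pfSense OpenVPN log export (or a tail of it) the script groups failures per remote address, which makes a single misconfigured client stand out from a remote address that keeps failing the handshake for other reasons; only the `SIGNATURES` table needs extending for other messages.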