New OpenVPN community client (version 2.6) cannot connect to Mikrotik OpenVPN server

yaig · February 7, 2023, 7:52pm

OpenVPN client version 2.5.8 successfully connected, after updateing client to 2.6,
it cannot connect.

config on client:
client
dev tap
proto tcp-client
remote ********** 11948
resolv-retry infinite
nobind
persist-key
tls-client
ca *****.crt
cert ******.crt
key ******.key
verb 3
data-ciphers AES-256-CBC
auth-user-pass

Mikrotik router version: 7.7.
According to routers log:
unknown cipher alg or key size

What is the correct config file on the client?

nellson · February 9, 2023, 9:53am

I can confirm this, we have the same issue with the 2.6 openvpn clients. I will post here, if I find a solution.

aoakeley · February 12, 2023, 10:54am

Can also confirm this.
I have tried a few options to resolve it, but other than to use an earlier version of the OpenVPN Client I can’t see a solution right now.
Have either of you created a ticket? if it is important to you I suggest you bring it to the attention if the development team by creating a ticket with Mikrotik.

ivn · February 12, 2023, 8:24pm

Try to add

data-ciphers-fallback AES-256-CBC

to your client config.

anav · February 12, 2023, 8:27pm

use wireguard and join the 21st century/Third Millenium/Decade of 2020-2030.

aoakeley · February 13, 2023, 1:42am

Well bugger me… I am sure I tested that yesterday and it did not work.
But tested again now with 2.6 and it worked fine.

Thanks

Andrew

yaig · February 15, 2023, 8:28am

Thanks for the great tip! It works with this setting!

certinet · February 24, 2023, 4:45pm

In fact, in OpenVPN 2.6, CBC is deprecated. We need to change this but does Mikrotik support another one?

Nikolyo · March 15, 2023, 4:23pm

I had the same problem in the following setup:
Server: Mikrotik Open VPN server (RouterOS 6.49.7)
Clienti: Windows OpenVPN 2.6.1

In the Mikrotik:
OpenVPN Server config disable the Auth = SHA1 algorithms (nothing shoud be selected for a Auth)
In the Open VPN Client:
#cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
#auth SHA1

Unfortunately all of the clients have to be upgraded to OpenVPN 2.6.1
I could get it to run simultaneously for Open VPN client 2.5 and 2.6

BR

likedi · March 25, 2023, 3:01pm

THIS is the answer. Thanks!

zvekyf · March 30, 2023, 7:04pm

Server: Mikrotik Open VPN server (RouterOS 7.8 )
Clienti: Windows OpenVPN 2.6.2

If I set next it still connect with AES-256-CBC and without auth part I get error [unsupported auth digest]
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA512

But if I set next connection is working.
cipher AES-256-GCM
disable-dco

Looks like data-ciphers parameter is ignored or something.