OpenVPN Server with iPhone

Hello everyone,

Currently I use a FritzBox router with cable internet (common in Germany). Behind this router I have my Mikrotik RB1100AHx4 Dude Edition.
I have registered a DynDNS service and this is running. I can ping this service successfully.

At the FritzBox router we use port forwarding of UDP 500, UDP 4500 and TCP 1194.

Following the hints in this forum and https://blog.nmoleosoftware.com/index.php/2022/06/12/how-to-set-up-and-connect-to-an-openvpn-server-on-mikrotik-routeros-7/
I generated an OpenVPN server on the Mikrotik and copied everything to the OpenVPN app on my iPhone.

I generated a p12 certificate and imported it into OpenVPN on the iPhone successfully.
When I start the VPN connection on my iPhone, I can see traffic in the firewall for the VPN input.

On the iPhone I receive the error message:
Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=-1: error:0A000418:SSL routines::tlsv1 alert unknown ca

Has anybody any hint, how I have to resolve this?

Thank you for every hint, best regards, Michael

The error is telling you that your iPhone doesn’t trust (or even know) the CA certificate used to sign the certificates used in your OpenVPN configuration. You have 2 basic options:

Option 1:
Use a free trusted certificate from someone like Let’s Encrypt. The catch with this is that you’d need to update the certificates every 3 months.

Option 2:
Import the CA certificate to your iPhone and tell the iPhone to trust it. I’ve never done this myself, but here are some pages that give you an idea on how to do it:

Good luck.


Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:
/export hide-sensitive file=MyConfig
/export file=MyConfig

@mheber I’m connecting to ROS OpenVPN with self signed certificate from iPhone by using official app from Appstore. Needed to add CA certificate exported from ROS into iOS as @MickeyT mentioned, full trust on iOS system level is not needed in my case (maybe OpenVPN app asked me about certificate trust on first connect, I can’t recall).
Export and download CA certificate file from ROS and send it over AirDrop to iPhone and install it. Make sure that certificates used by ROS server side and one in .p12 used by OpenVPN client app are signed with same CA.
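The two answers above come down to one requirement: the CA that signed the server certificate is the CA the phone must know, and the client certificate in the .p12 must be signed by that same CA. The following RouterOS commands are an added example (not from this thread or from MikroTik's documentation) that build such a chain on the router and export the two files the iPhone needs. The names MyOVPN-CA, server and michael-iphone and the export passphrase are placeholders.

```routeros
# Added example: private CA + server cert + client cert on RouterOS, then export
# the CA (.crt) and the client identity (.p12) for the iPhone.
# Placeholders: MyOVPN-CA, server, michael-iphone, CHANGE_ME_P12_PASS.

/certificate
# 1. The CA. key-cert-sign is what allows it to sign the other two certificates.
add name=ca-template common-name=MyOVPN-CA days-valid=3650 key-size=2048 key-usage=key-cert-sign,crl-sign
sign ca-template name=MyOVPN-CA

# 2. Server certificate, signed by that CA (tls-server: usable as a server identity).
add name=server-template common-name=server days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca=MyOVPN-CA name=server

# 3. Client certificate for the phone, signed by the SAME CA (tls-client).
add name=client-template common-name=michael-iphone days-valid=3650 key-size=2048 key-usage=tls-client
sign client-template ca=MyOVPN-CA name=michael-iphone

# 4. Check: the issuer of both leaf certificates must be MyOVPN-CA. A leaf issued by
#    some other CA is exactly what the peer reports as "tlsv1 alert unknown ca".
print detail where name=server || name=michael-iphone

# 5. Export. The CA as .crt goes to the iPhone (AirDrop) and/or into the <ca> block
#    of the .ovpn file; the client cert + key as .p12 goes into the OpenVPN app.
#    Both files appear under /file as cert_export_<name>.crt / .p12.
export-certificate MyOVPN-CA export-passphrase=""
export-certificate michael-iphone type=pkcs12 export-passphrase=CHANGE_ME_P12_PASS
```

After step 5, download both files from Files, AirDrop the .crt to the phone, and reference the .p12 from the OpenVPN app profile. If the server was originally set up with a certificate from a different CA, it has to be re-signed by (or replaced with one signed by) the CA you export; exporting a CA that did not sign the server certificate does not make the alert go away.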

Thanks for your answers. Actually I could not find the according settings in this way in my iPhone. During the next weekend I will have more time to check out.

I can’t tell exactly from memory, but I think when you send a certificate (or provisioning profile) over AirDrop and accept it, a new section will appear at the top of the Settings app to install it; just follow the instructions from there.

Hello everyone,

Meanwhile I started again. Now I get the error "Transport Error: TCP connect error on ‘mypublic IP’:1194: Network is unreachable".

With ping I can reach “mypublic IP” but not with :1194.

I thought that I had opened everything, but where could the mistake be?

Another idea:

I do not have a separate IP pool for the VPN. I just used the standard bridge with the standard IP pool.

Is it necessary to use a separate IP pool for the VPN, and how does this have to be done?
Will a device get a VPN IP address and keep the “normal” one?

Best regards

Michael

Check if you have an accept firewall rule on the input chain for the OVPN port and protocol with the WAN in-interface (list). Also, some other rule above it can block the connection…
There is also the possibility that the network your device is connected to is filtering some ports, like some public network, library, etc. Such networks can filter any UDP port (even the QUIC port) or even all non-HTTP(S) TCP ports. To avoid issues with such networks, set up the OVPN port on TCP 443, if it is not already used on the router, and adjust the port in the client-side config.

Using the same subnet for OVPN as for the LAN can work, but in that case change the ARP setting on the LAN bridge to proxy-arp.

I don’t understand this question.

Hi!

First of all, configuring OpenVPN is not complicated, but not simple either. This is not because of what Mikrotik does; it’s just how OpenVPN is.

Regarding certificates: usually OpenVPN is deployed with self-signed certificates (that is, ones that cannot be verified by the public PKI system). The certificate to trust is then included directly in the .ovpn config file, in inline tags. (Usually a self-signed root and separate server cert(s) are issued, but exactly how to construct PKI systems is a topic in and of itself; feel free to read up on it.)

OpenVPN supports two modes: tun and tap (or ip and ethernet, respectively, in Mikrotik lingo). You should go for tun/ip, especially if you want to connect mobile devices. This means that your connection is routed. The cleanest way to do this is to have a separate subnet for the OVPN clients. Sometimes people like to give out IPs in the same subnet as their home network, however (one of the reasons this may be sensible is that many systems, including Windows, treat computers in their own subnet as more trustworthy than ones outside it; for example, Windows computers don’t even respond to pings from hosts outside their subnet by default). If you do use the same subnet for your VPN clients, I would suggest that you 1. establish a different (and non-intersecting) IP pool for the VPN clients (for example 100-253 for DHCP, 50-99 for VPN) and 2. enable arp=proxy-arp mode on the (local) interface.

Assuming the default firewall config, you will also have to add the OVPN server interface to your LAN interface list for correct processing in the firewall.

Then you have to decide if you a. want to route all client traffic through your tunnel or b. only want to route connections to your home network, and let traffic to the general internet go from your client (phone) through its normal internet connection. In the OpenVPN world this can be specified in your .ovpn config file, or, more commonly, it is “pushed” from the server side. Both “redirect def1” (the option to have all traffic directed through the tunnel) and distinct routes (if you only want to direct traffic into the tunnel selectively) can be pushed from the Mikrotik side.

Also, there were some significant changes in openvpn server handling in version 7.17 of RouterOS, so you should probably upgrade to the current stable 7.17.2, if you haven’t already, before going forward.
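The two answers above (firewall rule on the input chain, TCP 443 instead of 1194, a separate non-overlapping pool in the LAN subnet with proxy-arp on the bridge, the OVPN interface in the LAN list, and split tunnel versus redirect-gateway) fit into one RouterOS configuration. The block below is an added example, not configuration from this thread or from MikroTik; it assumes the default configuration names (bridge named bridge, interface lists WAN and LAN, pool default-dhcp, the "defconf" firewall rule comments, LAN 192.168.88.0/24 with the router at .1), and that a certificate named server and a user secret michael-iphone exist. The parameter names are those of the single-server `/interface ovpn-server server set` form of RouterOS 7.x; my understanding is that 7.17 and later define servers with `add name=...` instead, with the same parameters, so adjust that one line if your version wants it.

```routeros
# Added example: tun/ip OpenVPN server on a default-config RouterOS router.
# VPN clients sit in the LAN subnet 192.168.88.0/24 but in their own pool, the
# bridge does proxy-arp for them, the server listens on TCP 443, split tunnel.
# Assumptions: default-config names; certificate "server" already exists.
# Placeholders: michael-iphone, CHANGE_ME.

# 1. Non-overlapping pools: DHCP keeps .100-.253, VPN clients get .50-.99.
/ip pool set [find name=default-dhcp] ranges=192.168.88.100-192.168.88.253
/ip pool add name=ovpn-pool ranges=192.168.88.50-192.168.88.99

# 2. PPP profile and the user. service=ovpn restricts the secret to OpenVPN only.
/ppp profile add name=ovpn-profile local-address=192.168.88.1 remote-address=ovpn-pool use-encryption=yes
/ppp secret add name=michael-iphone password=CHANGE_ME profile=ovpn-profile service=ovpn

# 3. Same subnet as the LAN only works if the bridge answers ARP on behalf of the
#    tunnel clients; without this, LAN hosts never learn where .50-.99 live.
/interface bridge set [find name=bridge] arp=proxy-arp

# 4. The server: ip (tun) mode, TCP 443 so filtered guest networks still let it out,
#    client certificate required, and redirect-gateway=disabled for option b (only
#    the home network goes through the tunnel). For option a (everything through
#    home) use redirect-gateway=def1 instead.
/interface ovpn-server server set enabled=yes mode=ip netmask=24 protocol=tcp port=443 \
    certificate=server require-client-certificate=yes auth=sha256 cipher=aes256-cbc \
    default-profile=ovpn-profile redirect-gateway=disabled

# 5. Accept the connection from the WAN side, placed ABOVE the default drop rule
#    for the input chain; a rule below "drop all not coming from LAN" never matches.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=443 \
    in-interface-list=WAN comment="accept OpenVPN from WAN" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 6. Static binding gives the client's tunnel interface a fixed name, which can then
#    be added to the LAN list so the default forward/input rules treat it as LAN.
/interface ovpn-server add name=ovpn-michael user=michael-iphone
/interface list member add list=LAN interface=ovpn-michael
```

Two things outside the router follow from step 4: the FritzBox port forward has to be TCP 443 to the Mikrotik instead of TCP 1194, and the .ovpn profile on the phone needs `proto tcp`, `dev tun` and `remote <your-dyndns-name> 443`. With the phone on a guest network, `/ip firewall filter print stats where comment="accept OpenVPN from WAN"` shows whether the SYN is actually arriving, which separates "router blocks it" from "network in front of the phone blocks it".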

Hello, I am already on 7.17.2.