OpenVPN and certificates

butche · September 5, 2008, 6:45am

According to the wiki, there is currently no way to implement a full PKI with OpenVPN. Is this something that is coming, or if it has changed, can anyone provide some assistance in getting it working?

I have the following configs (SERVER):

[admin@AWAY-CLIENT] /certificate> print 
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
 0  D name="cert1" <MUCH DETAIL DELETED> ca=yes 

 1 KR name="cert2" <MUCH DETAIL DELETED> ca=yes

SERVER CONFIG:

/interface ovpn-server server
set auth=sha1,md5 certificate=cert2 cipher=blowfish128,aes128 \
    default-profile=default-encryption enabled=yes keepalive-timeout=60 \
    mac-address=FE:63:94:F4:15:D2 max-mtu=1500 mode=ip netmask=24 port=1194 \
    require-client-certificate=no

I have created the ppp secrets as well as the client configuration. In the client, I have uploaded and imported both the CA certificate (it shows “D” flag as well) and the key and crt file (“KR” flag). Client config is:

/interface ovpn-client
add add-default-route=no auth=md5 certificate=cert2 cipher=aes128 comment="" \
    connect-to=192.168.50.1 disabled=no mac-address=00:00:00:00:00:00 \
    max-mtu=1500 mode=ip name=ovpn-out1 password=client1 port=1194 profile=\
    default user=client1

The “cert2” certificate is the client cert/key pair with “KR” flag.

This config works, but if I ask the server to require the client certificate (which SHOULD be the CA file with “D” flag above), there is no joy, just as the wiki says.

Is this still the case, or am I doing something wrong to get this working. Is there a way to require the client to present a certificate of trust before allowing authentication to proceed?

mbethers · September 8, 2008, 2:53am

bump

mrz · September 8, 2008, 11:23am

On server you have to import CA certificate and server certificate. In ovpn server configuration set server certificate.

On client you have to import CA certificate and client certificate. In ovpn client configuration set client certificate.

On both routers time must be synchronized, otherwise you will get TLS handshake failed.

butche · September 8, 2008, 2:43pm

ARGH!! I had done this, but mistyped the address for the ntp server on one router (the server). I didn’t notice that the time was off by about 18 years until I saw your post. This is now working, but there is no debug information that will confirm that it is actually using the CA certs for auth (preauth more accurately). Is there a debug topic that is available to see this? I tried ovpn,debug and ppp,debug.

itguru · September 21, 2008, 2:22pm

does open-vpn that is bundeld with Mikrotik 3.x support Compression and acceleration?

mrz · September 22, 2008, 5:49am

No, OVPN compression is not supported in RouterOS.

KimaHg · November 23, 2009, 8:37pm

Hm, so do i understand that correctly:

1 ) username/password is always required
2 ) require-client-certificate can be enabled additionally but user/pw is still mandatory
3 ) udp is not supported
4 ) lzo is not supported
5 ) only CA cert file but not its private key should be imported to RouterOS (flag D, not KR)
6 ) only CA cert file should be set ca=yes
7 ) time synchronisation is required otherwise certs may be invalid
8 ) auth file (auth-user-pass) for client does only work if openvpn was compiled with --enable-password-save

Anyway, i suggest to answers these items clearly in the wiki. Took me a lot of time to find out about these issues.

Btw, if item 2) is true: can several clients connect with the same user/pw?