Hello,
We have one RB2011 and behind this router we have a hAP Lite, with a separate network.
Setting up OpenVPN works, I’ve also forwarded port 1194 to the hAP Lite. But when connecting we receive certificate errors. See below.
Is it even possible to use OpenVPN behind NAT?
Mon May 22 12:02:30 2023 VERIFY OK: depth=1, CN=CA
Mon May 22 12:02:30 2023 VERIFY KU OK
Mon May 22 12:02:30 2023 Validating certificate extended key usage
Mon May 22 12:02:30 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon May 22 12:02:30 2023 VERIFY EKU OK
Mon May 22 12:02:30 2023 VERIFY OK: depth=0, CN=Server
Mon May 22 12:02:30 2023 Connection reset, restarting [-1]
Best regards,
Joost Lauwen
Short answer: Yes, you can put the OpenVPN server behind a NAT.
The 2 things I would check first are:
- Is the OpenVPN server turned on in the RB2011 (I assume it has the option. I don’t know since I don’t have one). This needs to be turned off.
- Are you using the correct certificates on the hAP lite (both CA and server certs)? The public certificates on the hAP lite are the ones needed by the OpenVPN client.
You’ve probably checked these settings but I just want to be sure.
–
Backups are your friend. Always make a backup!
/system backup save encryption=aes-sha256 name=MyBackup
Please, export and attach your current config to your post if you want help with a config issue:
/export hide-sensitive file=MyConfig
/export file=MyConfig
Hi.
I’ve managed to get OpenVPN running. But you need to use OpenVPN version 2.5.8. Newer versions will give a TLS Handshake error.
How can I downgrade OpenVPN? I did an upgrade to 6.48.8 and no OpenVPN is coming up 
Niels
@spiketechnics is referring to the OpenVPN client you download from the OpenVPN website (Download page here) not the one built into RouterOS. If you are trying to connect 2 RouterOS units then just matching the RoS versions will be enough.