OpenVPN Client connection issues

Hey all,

Just wondering if I could get some help setting up my MikroTik router to connect to my OpenVPN server.

The basics:
OpenVPN box. US Based, tested working using Windows OpenVPN client, using OpenVPN 2.1.4.

Config:

local ##.##.##.##
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.240
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher none
#comp-lzo
user nobody
persist-key
persist-tun
log /var/log/openvpn.log
verb 3

Mikrotik Server info RouterOS 3.30
Config:

add add-default-route=no auth=sha1 certificate=client1 cipher=none comment="" connect-to=##.##.##.## disabled=yes mac-address=00:00:00:00:00:00 max-mtu=1500 mode=ip name=\
    ovpn-out1 password=mypass port=1194 profile=default user=MyUser

When I attempt the connection I get the following messages (in the OpenVPN log), followed directly by a disconnection, as you can see below.

Thu Jan 27 12:43:08 2011 MULTI: multi_create_instance called
Thu Jan 27 12:43:08 2011 Re-using SSL/TLS context
Thu Jan 27 12:43:08 2011 Control Channel MTU parms [ L:1527 D:140 EF:40 EB:0 ET:0 EL:0 ]
Thu Jan 27 12:43:08 2011 Data Channel MTU parms [ L:1527 D:1450 EF:27 EB:4 ET:0 EL:0 AF:14/27 ]
Thu Jan 27 12:43:08 2011 Local Options hash (VER=V4): '77aaccdd'
Thu Jan 27 12:43:08 2011 Expected Remote Options hash (VER=V4): 'ddaf1b30'
Thu Jan 27 12:43:08 2011 TCP connection established with ##.##.##.##:49706
Thu Jan 27 12:43:08 2011 TCPv4_SERVER link local: [undef]
Thu Jan 27 12:43:08 2011 TCPv4_SERVER link remote: ##.##.##.##:49706
Thu Jan 27 12:43:08 2011 ##.##.##.##:49706 TLS: Initial packet from ##.##.##.##:49706, sid=817d7012 eea4a558
Thu Jan 27 12:43:17 2011 ##.##.##.##:49706 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=me@myhost.mydomain
Thu Jan 27 12:43:17 2011 ##.##.##.##:49706 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=null OU=Private/CN=myuser/name=myuser/emailAddress=myuser@domain.com
Thu Jan 27 12:43:18 2011 ##.##.##.##:49706 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 27 12:43:18 2011 ##.##.##.##:49706 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 27 12:43:19 2011 ##.##.##.##:49706 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 27 12:43:19 2011 ##.##.##.##:49706 [myuser] Peer Connection Initiated with ##.##.##.##:49706
Thu Jan 27 12:43:19 2011 myuser/##.##.##.##:49706 MULTI: Learn: 10.8.0.6 -> myuser/##.##.##.##:49706
Thu Jan 27 12:43:19 2011 myuser/##.##.##.##:49706 MULTI: primary virtual IP for myuser/##.##.##.##:49706: 10.8.0.6
Thu Jan 27 12:43:19 2011 myuser/##.##.##.##:49706 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jan 27 12:43:19 2011 myuser/##.##.##.##:49706 SENT CONTROL [myuser]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Thu Jan 27 12:43:21 2011 myuser/##.##.##.##:49706 Connection reset, restarting [0]
Thu Jan 27 12:43:21 2011 myuser/##.##.##.##:49706 SIGUSR1[soft,connection-reset] received, client-instance restarting

Within WinBox I get the following errors/messages from the log:

ovpn-out1: initializing...
ovpn-out1: dialing...
ovpn-out1: using encoding - SHA1

Then it disconnects and repeats the same messages.

Am I missing something obvious here? I have looked around a lot, using the forums/wiki, and tried a lot of different things, yet I still have no luck in getting a successful connection.

Any help would be greatly appreciated!

Does nobody have any helpful hints?
Or at least links to other forum posts/articles that I may have missed? (I'm pretty sure I exhausted all my googling abilities prior to posting this, however I may have missed a few things). :laughing:

Sorry if I’m seeming impatient, however my VPS which I run my VPN off has 3 days left before renewal, and if I can’t get this working I have no use for it at all. :slight_smile:

Still nothing?
I'm sure I'm not the only one to experience issues with OpenVPN before, so any help would be great.

I have the same problem.

Linux server
local 192.168.0.105
dev tap
port 1194
cipher none
auth SHA1
tls-server
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/ovpn-server.crt
key /etc/openvpn/easy-rsa/2.0/keys/ovpn-server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
proto tcp-server
ifconfig 10.10.10.1 255.255.255.0
push "ifconfig 10.10.10.2 255.255.255.0"
verb 3

Mikrotik client
[admin@MikroTik] /interface ovpn-client> add connect-to=192.168.0.105 port=1194 user="username" password="password" auth=sha1 cipher=none certificate=cert2 add-default-route=no disabled=no profile=openvpn-out mode=ethernet name=ovpn-test

openvpn server log
Wed Jun 22 13:00:04 2011 TCP connection established with [AF_INET]192.168.0.102:43295
Wed Jun 22 13:00:04 2011 TCPv4_SERVER link local (bound): [AF_INET]192.168.0.105:1194
Wed Jun 22 13:00:04 2011 TCPv4_SERVER link remote: [AF_INET]192.168.0.102:43295
Wed Jun 22 13:00:04 2011 TLS: Initial packet from [AF_INET]192.168.0.102:43295, sid=077508b6 f09841bc
Wed Jun 22 13:00:05 2011 VERIFY OK: depth=1, /C=IT/ST=TN/L=Trento/O=Futur3/CN=Futur3_CA/emailAddress=d.garofalo@futur3.it
Wed Jun 22 13:00:05 2011 VERIFY OK: depth=0, /C=IT/ST=TN/L=Trento/O=Futur3/CN=client1/emailAddress=d.garofalo@futur3.it
Wed Jun 22 13:00:05 2011 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.10.10.0 255.255.255.0'
Wed Jun 22 13:00:05 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 13:00:05 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 13:00:05 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 22 13:00:05 2011 [client1] Peer Connection Initiated with [AF_INET]192.168.0.102:43295
Wed Jun 22 13:00:05 2011 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 22 13:00:05 2011 SENT CONTROL [client1]: 'PUSH_REPLY,ifconfig 10.10.10.2 255.255.255.0' (status=1)
Wed Jun 22 13:00:05 2011 Connection reset, restarting [0]
Wed Jun 22 13:00:05 2011 TCP/UDP: Closing socket
Wed Jun 22 13:00:05 2011 Closing TUN/TAP interface
Wed Jun 22 13:00:05 2011 /sbin/ifconfig tap0 0.0.0.0
Wed Jun 22 13:00:05 2011 SIGUSR1[soft,connection-reset] received, process restarting
Wed Jun 22 13:00:05 2011 Restart pause, 1 second(s)


After some retries I have this in the log:
Wed Jun 22 13:00:08 2011 TCP connection established with [AF_INET]192.168.0.102:43300
Wed Jun 22 13:00:08 2011 TCPv4_SERVER link local (bound): [AF_INET]192.168.0.105:1194
Wed Jun 22 13:00:08 2011 TCPv4_SERVER link remote: [AF_INET]192.168.0.102:43300
Wed Jun 22 13:00:08 2011 TLS: Initial packet from [AF_INET]192.168.0.102:43300, sid=5ebafb6c c973a422
Wed Jun 22 13:00:09 2011 VERIFY OK: depth=1, /C=IT/ST=TN/L=Trento/O=Futur3/CN=Futur3_CA/emailAddress=d.garofalo@futur3.it
Wed Jun 22 13:00:09 2011 VERIFY OK: depth=0, /C=IT/ST=TN/L=Trento/O=Futur3/CN=client1/emailAddress=d.garofalo@futur3.it
Wed Jun 22 13:00:09 2011 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.10.10.0 255.255.255.0'
Wed Jun 22 13:00:09 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 13:00:09 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 13:00:09 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 22 13:00:09 2011 [client1] Peer Connection Initiated with [AF_INET]192.168.0.102:43300
Wed Jun 22 13:00:09 2011 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 22 13:00:09 2011 SENT CONTROL [client1]: 'PUSH_REPLY,ifconfig 10.10.10.2 255.255.255.0' (status=1)
Wed Jun 22 13:00:10 2011 Initialization Sequence Completed

In MikroTik, /ip firewall connection print:

Flags: S - seen reply, A - assured

PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT

0 SA tcp 192.168.88.2:37597 192.168.88.1:23 established 23h59m55s
1 SA tcp 192.168.0.102:43300 192.168.0.105:1194 established 23h59m47s

But I can't ping the MikroTik (10.10.10.2) from my OpenVPN server (10.10.10.1).


Please help me... help us :smiley:

news???

Try the latest RouterOS version; we have fixed a similar problem.
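
An added example, not from any poster in this thread: a small Python triage of OpenVPN server log lines like those quoted above, reporting for each TCP connection how far it got before a reset and whether a data-channel cipher line was logged (with `cipher none` only the HMAC line appears). The function name `triage`, the sample log and its addresses are constructed, and it assumes one client connecting at a time, as in both logs.

```python
import re

START = re.compile(r"TCP connection established with (\S+)")
FIELDS = {  # summary key -> pattern for the log line that sets it
    "peer": re.compile(r"\[([^\]]+)\] Peer Connection Initiated"),
    "hmac": re.compile(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'"),
    # OpenVPN 2.x logs this line only when a data-channel cipher is in use.
    "cipher": re.compile(r"Data Channel Encrypt: Cipher '([^']+)'"),
    "pushed": re.compile(r"'PUSH_REPLY,([^']*)'"),
}

# Constructed sample shaped like the logs in the thread (placeholder addresses).
SAMPLE_LOG = """\
Wed Jun 22 13:00:04 2011 TCP connection established with [AF_INET]192.0.2.10:43295
Wed Jun 22 13:00:05 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 13:00:05 2011 [client1] Peer Connection Initiated with [AF_INET]192.0.2.10:43295
Wed Jun 22 13:00:05 2011 SENT CONTROL [client1]: 'PUSH_REPLY,ifconfig 10.10.10.2 255.255.255.0' (status=1)
Wed Jun 22 13:00:05 2011 Connection reset, restarting [0]
Wed Jun 22 13:00:08 2011 TCP connection established with [AF_INET]192.0.2.10:43300
Wed Jun 22 13:00:09 2011 [client1] Peer Connection Initiated with [AF_INET]192.0.2.10:43300
Wed Jun 22 13:00:09 2011 SENT CONTROL [client1]: 'PUSH_REPLY,ifconfig 10.10.10.2 255.255.255.0' (status=1)
Wed Jun 22 13:00:10 2011 Initialization Sequence Completed
"""

def triage(log_text):
    """Split a server log into connection attempts and summarise each one."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = START.search(line)
        if m:  # every TCP accept opens a new attempt
            cur = dict.fromkeys(FIELDS, None)
            cur.update(remote=m.group(1), outcome="open")
            attempts.append(cur)
        elif cur is not None:
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    cur[key] = m.group(1)
            if "Connection reset" in line:
                stage = "PUSH_REPLY" if cur["pushed"] else "TLS" if cur["peer"] else "TCP connect"
                cur["outcome"] = "reset after " + stage
            elif "Initialization Sequence Completed" in line:
                cur["outcome"] = "completed"
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["remote"], a["peer"], "cipher=%s hmac=%s" % (a["cipher"], a["hmac"]), a["outcome"])
```

A reset that arrives only after PUSH_REPLY means TLS and certificate verification already succeeded, so the options the server pushed are the next thing to compare against what the client supports.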