OpenVPN client error; could not detect tls-auth digest type

I have a number of Ubiquiti and OpenWRT routers connected to this server, and I'm trying to add this MikroTik router but I'm getting this error. Any ideas?

Router will be a “client” connecting to a remote server and I’m providing a *.ovpn file from that server.

Import log info:

config ‘ovpn-import1751399681’ import completed with warnings, please see system log
warn; unsupported configuration parameter ‘remote-cert-eku’
warn; configuration does not specify auth, using default
info; device added by (*8 = /interface ovpn-client add auth=null certificate=cert_ovpn-import17681 cipher=aes256-gcm connect-to=mgmt.example.com disabled=yes disconnect-notify=yes max-mtu=1500 mode=ip name=ovpn-import175181 port=1194 protocol=udp route-nopull=no tls-version=any use-peer-dns=yes user=ovpnuser verify-server-certificate=no)

VPN connect log info (repeats):

ovpn-import1751399681: disconnected
ovpn-import1751399681: terminating… - could not detect tls-auth digest type

RB750gr3 with routeros 7.19.1

The auth warning concerns me a little too; these keys have no password, e.g. "easyrsa build-server-full server nopass" and "easyrsa build-client-full clientXX nopass". But that doesn't seem to be what the error is alluding to.

My first failure was that MikroTik didn't know what the OpenVPN protocol "udp4" is; changing it to "udp" got past that.

How did you generate the OpenVPN static key?

If you use the OpenVPN software itself you can use one of these commands (depending on your exact configuration):

  • openvpn --genkey tls-crypt shared.key
  • openvpn --genkey tls-auth shared.key
  • openvpn --genkey tls-crypt-v2-server v2crypt-server.key
  • openvpn --tls-crypt-v2 v2crypt-server.key --genkey tls-crypt-v2-client v2crypt-client-1.key

Here are a couple of pages that show you how to generate the required keys in other ways:


Backups are your friend. Always make a backup!
/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:

RouterOS v6: /export hide-sensitive file=MyConfig

RouterOS v7: /export file=MyConfig

Interesting. I'm quite familiar with that OpenVPN HowTo article from years past, but it's changed quite a bit now; it seems tincantech has published Easy-TLS, which I've never used. My OpenVPN servers are built on Windows with the easyrsa command:

openvpn --genkey secret ta.key

Edit: this particular server is using the older "tls-auth" but my newer ones use "tls-crypt"; the key generation command is the same on both.

This wouldn't be the first time I've had to change my procedure in response to how OpenVPN has evolved, but in this case I've got almost thirty routers attached to this server, and re-keying them all just to use MikroTik is going to be a big PITA.

MyConfig.rsc (4.1 KB)

This doc seems to indicate that the different switches for generating the key you mentioned are just aliases for the "secret" that I used, so presumably they output the same type of file?

Valid keytype arguments are:

  • secret: Standard OpenVPN shared secret keys
  • tls-crypt: Alias for secret
  • tls-auth: Alias for secret
  • auth-token: Key used for --auth-gen-token-key
  • tls-crypt-v2-server: TLS Crypt v2 server key
  • tls-crypt-v2-client: TLS Crypt v2 client key

This server uses the older “tls-auth” but my newer ones use “tls-crypt”. I’ve kept the same key generation across all for this item. I have no crypt-v2 servers yet.

OK, so in the MikroTik GUI section Dial Out, Auth was set to Null. Looking in my server logs, everyone is using "Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication".

Changed Auth in Mikrotik to SHA1 and now it connects.

From the VPN server I can ping the OpenVPN virtual IP that I assigned this connecting client in my OpenVPN CCD file. Good.

I can't load the MikroTik web GUI from the server for this router though, which is different from the Ubiquiti and OpenWRT routers I've worked with in the past. I assume some firewall or other setting is preventing that; I'll work on that next.

I think the VPN part is fixed though.
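The fix above comes down to three things the RouterOS importer got wrong or only warned about: the missing "auth" line (OpenVPN's default is SHA1, the importer set auth=null), "proto udp4" (RouterOS only knows udp/tcp), and the static key from "openvpn --genkey secret" (2048 bits, i.e. 512 hex digits in a "-----BEGIN OpenVPN Static key V1-----" block). The script below is an added pre-import check written for this thread; it is not MikroTik or OpenVPN code, needs only POSIX sh and awk, and the .ovpn profile and its key are constructed here to mirror the thread (the key is a fixed pattern, not a real key). The interface name in the emitted RouterOS line is a placeholder.

```shell
#!/bin/sh
# Pre-import check for an OpenVPN client profile about to become a RouterOS
# ovpn-client. Added example for this thread, not project code; runs offline.

# Control-channel HMAC digest, lowercase as RouterOS expects (auth=sha1).
# OpenVPN's built-in default when the profile has no "auth" line is SHA1;
# the RouterOS importer used null instead, hence "could not detect tls-auth digest type".
ovpn_auth_digest() {
    d=$(awk 'tolower($1) == "auth" && NF >= 2 { print tolower($2); exit }' "$1")
    if [ -n "$d" ]; then printf '%s\n' "$d"; else printf 'sha1\n'; fi
}

# Transport for RouterOS: strip the 4/6 and -client/-server suffixes OpenVPN
# allows on "proto". OpenVPN's own default when the line is absent is udp.
ovpn_proto() {
    p=$(awk 'tolower($1) == "proto" && NF >= 2 { print tolower($2); exit }' "$1")
    case "$p" in
        ''|udp*) printf 'udp\n' ;;
        tcp*)    printf 'tcp\n' ;;
        *)       printf 'unsupported proto: %s\n' "$p" >&2; return 1 ;;
    esac
}

# Control-channel wrapping in use, whether given as inline block or file reference.
ovpn_key_mode() {
    awk '
        tolower($1) == "<tls-crypt-v2>" || tolower($1) == "tls-crypt-v2" { print "tls-crypt-v2"; f = 1; exit }
        tolower($1) == "<tls-crypt>"    || tolower($1) == "tls-crypt"    { print "tls-crypt";    f = 1; exit }
        tolower($1) == "<tls-auth>"     || tolower($1) == "tls-auth"     { print "tls-auth";     f = 1; exit }
        END { if (!f) print "none" }
    ' "$1"
}

# First "remote host [port]" as "host port"; OpenVPN's default port is 1194.
ovpn_remote() {
    awk 'tolower($1) == "remote" && NF >= 2 { print $2, (NF >= 3 ? $3 : 1194); exit }' "$1"
}

# Return 0 when the inline tls-auth/tls-crypt block is a well-formed V1 static key:
# header, footer and exactly 512 hex digits between them ("#" comment lines ignored).
ovpn_static_key_ok() {
    awk '
        /^<tls-(auth|crypt)>/   { inblk = 1; next }
        /^<\/tls-(auth|crypt)>/ { inblk = 0; next }
        inblk && /BEGIN OpenVPN Static key V1/ { hdr = 1; next }
        inblk && /END OpenVPN Static key V1/   { ftr = 1; next }
        inblk && hdr && !ftr && /^[0-9a-fA-F]+$/ { hex += length($0) }
        END { exit !(hdr && ftr && hex == 512) }
    ' "$1"
}

# The fields of the /interface ovpn-client add line this script can decide.
# certificate= and cipher= stay as the importer produced them. The import in the
# thread defaulted to verify-server-certificate=no, which skips checking the
# server certificate entirely; it is set to yes here (assumes the CA is imported).
routeros_add_cmd() {
    set -- "$1" $(ovpn_remote "$1")
    printf '/interface ovpn-client add name=%s connect-to=%s port=%s protocol=%s auth=%s verify-server-certificate=yes\n' \
        "ovpn-client1" "$2" "$3" "$(ovpn_proto "$1")" "$(ovpn_auth_digest "$1")"
}

# Constructed sample modelled on the thread: udp4, no "auth" line, inline tls-auth.
# The 16 lines of 32 hex digits are a fixed pattern, NOT a real key.
SAMPLE=$(mktemp)
{
    cat <<'EOF'
client
dev tun
proto udp4
remote mgmt.example.com 1194
remote-cert-eku "TLS Web Server Authentication"
cipher AES-256-GCM
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
EOF
    i=0
    while [ "$i" -lt 16 ]; do printf '0123456789abcdef0123456789abcdef\n'; i=$((i + 1)); done
    printf '%s\n' '-----END OpenVPN Static key V1-----' '</tls-auth>'
} > "$SAMPLE"

echo "auth digest : $(ovpn_auth_digest "$SAMPLE")"
echo "protocol    : $(ovpn_proto "$SAMPLE")"
echo "key mode    : $(ovpn_key_mode "$SAMPLE")"
if ovpn_static_key_ok "$SAMPLE"; then echo "static key  : well-formed V1 key"; else echo "static key  : malformed"; fi
routeros_add_cmd "$SAMPLE"
```

Point it at the real profile (`ovpn_auth_digest client.ovpn`, and so on) before importing; a profile that does carry `auth SHA256` or `proto tcp-client` maps to auth=sha256 and protocol=tcp the same way.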

I'm glad to hear you've got your VPN working.

You will need to adjust this line:

/tool mac-server mac-winbox set allowed-interface-list=LAN

to allow the VPN connection to access the web GUI. Alternatively you can add the VPN to the LAN list.

I'm not well versed with the MikroTik CLI at all. Also, the rule I added was more crude than what you are referring to, but this worked.