openvpn client from router board

horuck · April 8, 2014, 10:42am

I’m having a openVPN account at a VPN Provider with the following openvpn config:

client
dev tap
proto tcp
remote xxxx 443
comp-lzo
pull
tls-client
ca ca.crt
auth-user-pass
verb 3
mute 10
cipher AES-256-CBC
script-security 2

this works fine with a openvpn client on my pc.
I only need the CA.crt & login & password. The connection also works without the lzo compression (because this is the only incompatibility with routerboard openVPN).
All other “features” should work, (TCP, TAP/(ethernet), AES256) etc.

I can conntect using the PPTP-client also and tunnel specific prerouted traffic, masqueraded traffic for specific clients (P2P etc) through that tunnel, but goal is to use the better 256bit encryptet openvpn client connection.

What I don’t understand: OpenVPN clients are “satisfied” with the ca.crt, login and password for succesful authentification.

If I try to implement the same logon procedure (importet ca under certificates & username & password) routerboard verions 6.7 show up error "could’t change inferfae <ovpn.out1> no cerficate found (6) if I select the certificate cert_1 which is the importet ca.crt as cert_1

RB 6.11 is accepting this configuration, but when I enable the openvpn connection, it is terminating… - TLS failed. in the log.
I successful connect to that server (with no certificate enabled = none) but then I can’t even ping the server gateway on the other side..
System time is proper set on my routerboard (I checked already)

Here is the config on my RB (6.11):
/interface ovpn-client
add add-default-route=no auth=sha1 certificate=cert_1 cipher=aes256
connect-to=xxx.xxx.xxx.xxx disabled=no mac-address=XX:XX:XX:XX:XX:XX
max-mtu=1500 mode=ethernet name=xxxvpn password=xxx port=443
profile=xxx user=xxx

My question is now, how can I setup a running openvpn client to that server/provider?
Do I definitely neeed a client certificate & client key (like RB 6.7 asks for, but don’t need that on “real” openvpn clients since the ca.crt only works?
Or ist there something wrong in my config what I didn’t set right…?

Looking forward for inputs from other (client) openvpn experienced users!

mrz · April 8, 2014, 2:14pm

comp lzo is unsupported.

You do not need to specify in ovpn client config CA certificate, just import it to certificate store. That certificate field is used for client certificate with decrypted private key.

horuck · April 9, 2014, 4:59am

comp lzo ist not the problem, since I can run a successful connection on openvpn client (on pc/mac) with forced lzo to OFF.

concerning CA cert:
Either if I have imported the VPN providers CA or not to the certificate store (system/certificates/) I can build up a AES256bit connection to the provider, receive an IP Address but can’t even ping the providers gateway.
Same happens without the CA importer (connection with ip address). How is that possible?
The certificate field for clients certificate with private key makes now very much sense…

Router OS Version 5.26 shows me when importing the CA in the CA field YES, while router board 6.11 doesn’t show me CA = Yes. I do get a T (trusted) next to this certificate. (i tried several CA from different CA providers, does happen for all of them).

So there still must be somewhere defined which CA to use for that specific openvpn client connection!
What if I have more than one CA imported to the routerboards certificate store. How can then distinguished which one to choose?

Hope to get a running open vpn client connection.
thanks!