OpenVPN Client Issues

RouterOS Beginner Basics
1

Hi all,
I’m a Mikrotik noob but have been working in networking for a long time, and have a lot of experience with Ubiquiti. I’m moving some of the systems away from them and this is causing me some issues.

OpenVPN with Cert Based Auth is easy on EdgeRouters and USG but I now want to connect a remote hEX router to an existing deployment.
This has caused issues as I needed to run a different OpenVPN server set up to allow password auth, but I have this OpenVPN server running on the USG and can connect to it from an OpenVPN client on a laptop without issues.

However, the Mikrotik router will not connect, it simply shows the following in a loop in the log:

09:28:52 ovpn,info ovpn-DoraAve: initializing... 
09:28:52 ovpn,info ovpn-DoraAve: connecting... 
09:28:53 ovpn,info ovpn-DoraAve: terminating... - could not connect 
09:28:53 ovpn,info ovpn-DoraAve: disconnected 
09:29:03 ovpn,info ovpn-DoraAve: initializing... 
09:29:03 ovpn,info ovpn-DoraAve: connecting... 
09:29:03 ovpn,info ovpn-DoraAve: terminating... - could not connect 
09:29:03 ovpn,info ovpn-DoraAve: disconnected 
09:29:13 ovpn,info ovpn-DoraAve: initializing... 
09:29:13 ovpn,info ovpn-DoraAve: connecting... 
09:29:13 ovpn,info ovpn-DoraAve: terminating... - could not connect 
09:29:13 ovpn,info ovpn-DoraAve: disconnected 
09:29:23 ovpn,info ovpn-DoraAve: initializing... 
09:29:23 ovpn,info ovpn-DoraAve: connecting... 
09:29:24 ovpn,info ovpn-DoraAve: terminating... - could not connect 
09:29:24 ovpn,info ovpn-DoraAve: disconnected

I can ping the OpenVPN server IP from the terminal on the router, and the config looks correct as far as I can tell:

[admin@MikroTik] > interface ovpn-client print
Flags: X - disabled, R - running 
 0    name="ovpn-DoraAve" mac-address=02:84:0F:3E:FF:1E max-mtu=1500 connect-to=82.69.xxx.yyy port=1194 
      mode=ip user="XXXX" password="XXXX" profile=default certificate=XXXXX 
      verify-server-certificate=no auth=sha1 cipher=aes128 use-peer-dns=no add-default-route=no 
[admin@MikroTik] >

The IP and username/password are definitely correct and work when used in the Laptop client.
How can I work out what is happening? I’ve tried to set the ovpn logs on the Mikrotik to debug but that didn’t give me anything.

On the server, the logs show nothing, not even a connection attempt from the Mikrotik, but do give me output when the laptop connects.

Ideally I’d like a verbose log of a connection attempt, or at least some sort of clue what is actually going on here to allow me to deploy the Mikrotik to the remote site. All testing has been done with the Mikrotik on a different network to the USG, with a different WAN provider, so it’s not a hairpin NAT type of issue.

Can anyone give me some pointers?
Stefan

2

Anyone any ideas?
I don’t want to have to rethink my entire VPN strategy, the VPN is only used for remote access of the router from a central location, to make config changes etc. and isn’t used to carry all remote Internet traffic. OpenVPN has worked perfectly to date, it’s the move to Mikrotik routers at present that is presenting me with some problems.

I suspect it’s something very simple, but without more verbose logging, I have no idea where to start looking, without getting packet captures to see what is actually happening on the wire.

3

I read about a month ago that ROS does not support Cert only authentication, not sure if this applies to your situation .
If this has changed since, I can’t say either

4

I am using user/password auth, and it’s still not working, I’ve included the cert as I believe you still need to have the cert available for the encryption, you just can’t use it for authentication.

Even so, with a known good user/pass combo it’s still not working although on an OpenVPN client on a laptop the same details do work fine.

Any ideas on increasing the verbosity of the logging?

5

The client does not require a certificate for encryption, the certificate on the server is sufficient. You have to import the root and any intermediate certificates on the client device and set verify-server-certificate=yes to prevent man-in-the-middle attacks.

Do you see an entry under IP > Firewall > Connections appear when the client attempts to connnect?

6

So if the OpenVPN server has both a CA cert and a server cert, both of these need to be imported on the Mikrotik (the CA signed the server cert directly, it’s all self signed)?
In this case, do they need to be chained or concatenated together into a single cert, or is the router clever enough to know which CA cert and server cert go together?

I’m more used to doing this using cert auth, which seems a lot easier to me. I’ll check the firewall connection log though, that’s a good shout.

7

Just the CA cert is sufficient

8

Even with the CA cert set I wasn’t getting anywhere. I ended up using a packet sniffer and found it’s trying to connect to TCP port 1194 instead of UDP. Looks like I need to upgrade to the v7 Beta to get UDP as an option.

I’ll update when I’ve tried this.

9

It has been a long-standing limitation in RouterOS that their home-grown OpenVPN implementation does not support UDP mode, LZO compression, TLS authentication or authentication without username/password

10

Yeah, I had to upgrade the remote router to v7, and it was still not playing ball.
I figured that as I was on v7, I may as well use Wireguard, and that is working well.

I’ll have to keep an eye on the stability of v7 as it’s a Beta, but this may give me a working solution, so at least I’m unblocked for now.

Thanks for the replies.