After a long time I tried the MikroTik OpenVPN client implementation since I saw support for tls-crypt was added. I am on v7.19.
I successfully imported the config. I use ca, cert, key and tls-crypt. I see “tls crypt” when inspecting the ovpn interface through Winbox, so it seems it is imported.
As said in the documentation (https://help.mikrotik.com/docs/spaces/ROS/pages/2031655/OpenVPN#OpenVPN-Tls-crypt,tls-cryptv2) I added “key-direction 1” and set “auth SHA256” in vpn.ovpn before import for tls-crypt to work.
With these settings the VPN does not connect in MikroTik (but it does connect successfully if I try a similar config on a computer with the OpenVPN app) as seen in the log:
The OpenVPN client seems to be fairly well behaved on Mikrotik lately. I never tried using the import .ovpn part, because it’s practically impossible to replicate behavior/default/idiosyncrasy that the official OpenVPN software has accumulated over the years.
Your problem is obviously that you have auth=sha256 in your client config, but the server only offers sha512. Change it. Do yourself a favor and this time change it directly in the Mikrotik config.
Import works ok from what I tried.
In the original test I did check what it produced in Winbox, and it seemed correct. I also successfully tested “auth SHA256” in the normal OpenVPN client with “key-direction 1”, as I unsuccessfully explained in the original post, so the server accepts those settings ok.
I now deleted everything and added ca, cert, key by hand. tls-crypt cannot be added by hand, so I stripped almost everything from the .ovpn file. According to the documentation link I posted earlier, tls-crypt can only be imported. So the final vpn.ovpn file looks like this:
client
dev tun
remote x.x.x.x x
auth SHA256
key-direction 1
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-crypt>
Import went successfully. In Winbox I just fixed protocol and certificate and fired it up. Same result as in the original post.
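A small pre-import checker for a minimal vpn.ovpn like the one above, as an added example that is not code from this thread or from MikroTik: it parses directives and inline <tag> blocks, then reports the things this thread turned on (the auth digest, the tls-crypt key markers and length, and key-direction 1). Which auth digests the client accepts is passed in by the caller, since the thread never settles what RouterOS supports; the remote address and key bytes in the sample are constructed.

```python
import re

KEY_BEGIN, KEY_END = "-----BEGIN OpenVPN Static key V1-----", "-----END OpenVPN Static key V1-----"

def parse_ovpn(text):
    """Return (directives, inline): name -> list of argument lists; <tag> -> body lines."""
    directives, inline = {}, {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:  # inline block runs until the matching closing tag
            tag, body = m.group(1), []
            for inner in lines:
                if inner.strip() == f"</{tag}>":
                    break
                if not inner.lstrip().startswith("#"):  # genkey writes comments above BEGIN
                    body.append(inner.strip())
            else:
                raise ValueError(f"unterminated inline block <{tag}>")
            inline[tag] = body
        else:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, inline

def check_for_import(directives, inline, supported_auth):
    """Return the list of problems found; an empty list means the file passed."""
    problems = []
    auth = directives.get("auth", [["sha1"]])[0][0].lower()  # OpenVPN's default auth is SHA1
    if auth not in supported_auth:
        problems.append(f"auth {auth} not in supported set {sorted(supported_auth)}")
    if "tls-crypt" in inline and "tls-auth" in inline:
        problems.append("tls-crypt and tls-auth are mutually exclusive")
    if "tls-crypt" in inline:
        body = inline["tls-crypt"]
        if body[:1] != [KEY_BEGIN] or body[-1:] != [KEY_END]:
            problems.append("tls-crypt block lacks OpenVPN static key markers")
        elif not re.fullmatch(r"[0-9a-fA-F]{512}", "".join(body[1:-1])):  # 2048-bit key
            problems.append("tls-crypt key is not 256 bytes of hex")
        if directives.get("key-direction", [["0"]])[0][:1] != ["1"]:
            problems.append("key-direction 1 not set (the thread's reading of the docs wants it)")
    return problems

# Constructed sample mirroring the thread's minimal file; the key is a dummy 0x00..0xff pattern.
SAMPLE_OVPN = "\n".join(["client", "dev tun", "remote 198.51.100.10 1194", "auth SHA256",
    "key-direction 1", "<tls-crypt>", KEY_BEGIN, *("".join(f"{j:02x}" for j in range(i, i + 16))
    for i in range(0, 256, 16)), KEY_END, "</tls-crypt>"])
```

Run `check_for_import(*parse_ovpn(SAMPLE_OVPN), {"sha256"})` to get an empty list, and pass `{"sha512"}` instead to see the auth mismatch the thread argues about reported before anything is imported.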
So… you tried everything except what I suggested. You are getting the error because the server wants to speak sha512. Mikrotik (according to the documentation) doesn’t support sha512. tls-crypt fully supports asymmetric algorithm choices; apparently Mikrotik doesn’t like that. It would be worth a try with sha512. Maybe it will be rejected, maybe it will work. (A quick google on my part revealed a few cases where people were only able to connect with sha512. Maybe it’s server dependent, maybe it’s a quirk.)
You can always try tls-auth where no such limitation is disclosed.
Upon a bit of inspection, the provider supports Wireguard as well. For that the MT implementation is totally standard and it’s much easier to configure.
I tried changing auth to sha512 (did try this before as well but did not write about it, as the documentation specifically said that it supports sha256) in both aes-256-gcm and aes-256-cbc, and tried setting the TLS version. In all cases where auth=sha512 it gave me:
ovpn-import: disconnected <TLS error: handshake timed out (6)>
ovpn-import: terminating... - TLS error: handshake timed out (6)
You are right, there is also a Wireguard implementation that works. But I wanted to see if OpenVPN is a viable option as MikroTik is giving it some love lately.
Just something to clarify, I did try “auth SHA256” on a computer via the OpenVPN client, and it connected without problems, so the server works with that as well.
Not trying to defend Mikrotik, the tls-crypt support seems mildly not up to par. What I was referring to was the fact that with key-direction 1 it is fully allowed for one direction of the channel to use a different set of crypto parameters than the other direction. It seems that even though they accept that the client will use sha256, they are still initializing their side to sha512 (which they’re allowed to do) and this is what the Mikrotik side complains about and then fails to correctly interpret the received data.
So… at least the documentation is consistent. After reading it I didn’t have high hopes. Oh well, check back in 5 years