OpenVPN firewall rules - unable to connect

Hello! I am trying to set up OpenVPN access on a MikroTik hAP ax³ updated to the latest stable version, 7.19.2.

When I try to connect, OpenVPN log says:

2025-06-27 15:56:32 VERIFY OK: depth=1, CN=ca.mydomain.ddns.net
2025-06-27 15:56:32 VERIFY KU OK
2025-06-27 15:56:32 Validating certificate extended key usage
2025-06-27 15:56:32 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2025-06-27 15:56:32 VERIFY EKU OK
2025-06-27 15:56:32 VERIFY OK: depth=0, CN=ovpnserver.mydomain.ddns.net
2025-06-27 15:57:32 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2025-06-27 15:57:32 TLS Error: TLS handshake failed
2025-06-27 15:57:32 Fatal TLS error (check_tls_errors_co), restarting

On the MikroTik I configured OpenVPN and opened access on port 1194 (I added rules 2 and 3 to the firewall as follows):

[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 chain=input action=accept protocol=tcp in-interface=ether1 dst-port=1194 log=no log-prefix=""

3 chain=input action=accept protocol=udp in-interface=ether1 dst-port=1194 log=no log-prefix=""

4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

6 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
[admin@MikroTik] >

I feel I am still missing something; I'll be grateful for any help!

Looking at your error, it looks like your OVPN cipher failed, and not your firewall.

Might try looking at your Certificates again, or the settings on your OVPN server.

In my understanding, that is a consequence of

TLS key negotiation failed to occur within 60 seconds (check your network connectivity) <<<

In fact, the OpenVPN GUI was hanging for 60 seconds before failing. I re-created and re-signed my certificates and nothing changed.

If you are sure you already re-created and signed it, export the config for the client instead of creating it by hand; at least that's how I fixed this last week.

Keys were correct, protocol not: the client was not configured to use cipher AES-CBC rather than AES-GCM (my fault!). For some reason, this ended up with a timeout error rather than a proper error.
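To make the cause of that timeout concrete, here is an added example (not taken from the posts above, nor from MikroTik's or OpenVPN's documentation) of the two settings that have to agree: the data cipher on the RouterOS server and the data cipher the client offers. It goes slightly beyond the thread by showing both sides. Assumptions, labelled as such: the server is set to aes256-gcm with auth sha256 (the thread only says GCM vs CBC), the certificate names and hostname are the ones visible in the OP's log, and client.ovpn plus the ca.crt/client.crt/client.key file names are hypothetical. The RouterOS output is a constructed illustration of what print shows, not a real capture.

```text
# ---- RouterOS side (constructed; check your real values on the hAP) ----
# [admin@MikroTik] > /interface ovpn-server server print
#   enabled: yes
#   port: 1194
#   protocol: udp
#   auth: sha256
#   cipher: aes256-gcm
#   certificate: ovpnserver
#   require-client-certificate: yes

# ---- client.ovpn, the line that produces the symptom in this thread ----
# The server above only accepts aes256-gcm. If the client offers only a CBC
# cipher, certificate verification still succeeds (the "VERIFY OK" lines), but
# the two sides have no common data cipher, so the client sits for 60 seconds
# waiting for a key negotiation that never completes and then reports
# "TLS key negotiation failed to occur within 60 seconds".
#
#   data-ciphers AES-256-CBC      <- mismatch with cipher=aes256-gcm

# ---- client.ovpn, corrected: data cipher and auth mirror the server ----
client
dev tun
proto udp
remote ovpnserver.mydomain.ddns.net 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
# Require serverAuth EKU on the server certificate; the OP's log shows
# the MikroTik certificate carries it, so this check passes.
remote-cert-tls server
# Must equal the server's "auth"
auth SHA256
# Must equal the server's "cipher" (RouterOS spells it aes256-gcm)
data-ciphers AES-256-GCM
# Fallback used if the peer does not negotiate ciphers; keep it identical
data-ciphers-fallback AES-256-GCM
verb 4
```

The point of pairing the two files is that the mismatch is only visible by reading both: nothing in the client log names the cipher. Since RouterOS 7.17 the ovpn-server menu can hold more than one server entry, so check the output of print on your own version rather than assuming the single-entry layout shown here. The same applies in the mirror case (server on aes256-cbc, client offering only GCM): whichever side you change, the server's cipher line and the client's data-ciphers line must end up naming the same algorithm.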