Hi all
I am using ROS 7.15.3 on a RB912UAG-2HPnD with LTE connection.
(also tried the same on a PowerBOX)
The OVPN Server sent me a config.ovpn file which I have imported.
We are using TLS-AUTH for authentication/handshake (so username and passwords should not be required)
Import (using PPP | Import .ovpn) appears to be OK with some minor warnings, image attached below.
I can ping and resolve the OVPN Server Name, and all the imported settings are as expected.
NOTE: We initially used the same ovpn client config file on a windows PC and the OpenVPN connection worked as expected - so we know:
a) the OVPN Server is valid
b) the OVPN Client configuration file is valid
However, on the MikroTik the ovpn client interface is not connecting (it tries, but drops) - example logs:
ovpn-client: initialising…
ovpn-client: connecting…
ovpn-client: disconnected
ovpn-client: terminating…- peer disconnected
ovpn-client: disconnected
…repeat…
The MikroTik documentation in regards to all of this is very light (and I feel a bit vague) in any real useful substance in regards to TLS-AUTH (and no USER and PW requirements)
https://help.mikrotik.com/docs/display/ROS/OpenVPN
Has anyone out there managed to successfully setup an OVPN MikroTik Client using TLS-AUTH (no USER and no PW)?
- I’m not convinced MikroTik are correctly supporting this…
- thanks in advance to anyone willing to respond.

I have similar issues with the ROS OVPN Client connecting to an ovpn server which I do not control (so cannot change the server side).
I keep getting TLS Handshake timed out messages in the logs.
Also I found that common configurations are considered faulty by ROS when it comes to sha-256-cgm.
It won’t work with the auth digest set to sha-256 and will switch to “null” even though that is a very common setting in ovpn profiles.
Connecting to a site where I do control the server also only worked after turning off the TLS auth.
This is clearly an issue with ROS since other clients work correctly just out of the box with same profile.
TLS-AUTH is not supported inside RouterOS 7.
But tls-auth is mandatory for some VPN providers.
See here for example:
http://forum.mikrotik.com/t/feature-request-openvpn-tls-control-channel-security-options-for-ovpn-client/165685/1
The problem with OpenVPN is the code base:
“Can I just once again state my love for it [WireGuard] and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPSec, it’s a work of art.”
— Linus Torvalds, Principal developer of the Linux kernel, August 2018
As a side note:
The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
DoS attacks or port flooding on the OpenVPN UDP port.
Port scanning to determine which server UDP ports are in a listening state.
Buffer overflow vulnerabilities in the SSL/TLS implementation.
SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).
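
The HMAC pre-filter described in the side note above, as an added example that is not part of the posts and is not OpenVPN's code or wire format. The packet layout (32-byte tag, 4-byte packet id, payload) and the names wrap and PreAuthGate are assumptions made for illustration. It shows why a peer that does not apply the shared key gets no reply at all: its packets are dropped before the TLS layer sees them.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def wrap(key, packet_id, payload):
    """Sender side: prepend an HMAC over (packet_id || payload)."""
    body = struct.pack("!I", packet_id) + payload
    return hmac.new(key, body, hashlib.sha256).digest() + body


class PreAuthGate:
    """Receiver side: drop unauthenticated datagrams before TLS parsing."""

    def __init__(self, key):
        self.key = key
        self.highest_id = 0  # simple replay guard: packet ids must increase
        self.dropped = 0

    def _check(self, datagram):
        if len(datagram) < TAG_LEN + 4:
            return None
        tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None
        (packet_id,) = struct.unpack("!I", body[:4])
        if packet_id <= self.highest_id:  # valid tag, but already seen
            return None
        self.highest_id = packet_id
        return body[4:]

    def accept(self, datagram):
        """Return the payload for the TLS layer, or None if dropped."""
        payload = self._check(datagram)
        if payload is None:
            self.dropped += 1
        return payload


# Constructed sample data: a static key and a fake handshake record.
SHARED_KEY = bytes(range(32))
HELLO = b"\x16\x03\x01" + b"constructed ClientHello".ljust(64, b".")
```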