Hi all,
I have a problem with OpenVPN. In my local network I have my PC (Linux OpenVPN server) and a RouterBOARD 750 v4.9 (OpenVPN client).
Now I post my server configuration:
local 192.168.0.105
dev tap
port 1194
cipher none
auth SHA1
tls-server
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/ovpn-server.crt
key /etc/openvpn/easy-rsa/2.0/keys/ovpn-server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
proto tcp-server
server 10.10.10.0 255.255.255.0
verb 3
On the MikroTik:
[admin@MikroTik] /interface ovpn-client> add connect-to=192.168.0.105 port=1194 user="username" password="password" auth=sha1 cipher=none certificate=cert2 add-default-route=no disabled=no profile=openvpn-out mode=ethernet name=ovpn-test
Profile openvpn-out:
name="openvpn-out" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=default
On the server VPN log I have this:
root@Tablet:/etc/openvpn# openvpn --config server.conf
Wed Jun 22 14:31:57 2011 OpenVPN 2.1.3 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011
Wed Jun 22 14:31:57 2011 WARNING: --keepalive option is missing from server config
Wed Jun 22 14:31:57 2011 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Jun 22 14:31:57 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jun 22 14:31:57 2011 Diffie-Hellman initialized with 1024 bit key
Wed Jun 22 14:31:57 2011 ******* WARNING *******: null cipher specified, no encryption will be used
Wed Jun 22 14:31:57 2011 /usr/bin/openssl-vulnkey -q -b 1024 -m
Wed Jun 22 14:31:57 2011 TLS-Auth MTU parms [ L:1559 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 22 14:31:57 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Jun 22 14:31:57 2011 TUN/TAP device tap0 opened
Wed Jun 22 14:31:57 2011 TUN/TAP TX queue length set to 100
Wed Jun 22 14:31:57 2011 /sbin/ifconfig tap0 10.10.10.1 netmask 255.255.255.0 mtu 1500 broadcast 10.10.10.255
Wed Jun 22 14:31:57 2011 Data Channel MTU parms [ L:1559 D:1450 EF:27 EB:4 ET:32 EL:0 AF:14/27 ]
Wed Jun 22 14:31:57 2011 Listening for incoming TCP connection on [AF_INET]192.168.0.105:1194
Wed Jun 22 14:31:57 2011 TCPv4_SERVER link local (bound): [AF_INET]192.168.0.105:1194
Wed Jun 22 14:31:57 2011 TCPv4_SERVER link remote: [undef]
Wed Jun 22 14:31:57 2011 MULTI: multi_init called, r=256 v=256
Wed Jun 22 14:31:57 2011 IFCONFIG POOL: base=10.10.10.2 size=253
Wed Jun 22 14:31:57 2011 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed Jun 22 14:31:57 2011 Initialization Sequence Completed
Wed Jun 22 14:32:26 2011 MULTI: multi_create_instance called
Wed Jun 22 14:32:26 2011 Re-using SSL/TLS context
Wed Jun 22 14:32:26 2011 Control Channel MTU parms [ L:1559 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 22 14:32:26 2011 Data Channel MTU parms [ L:1559 D:1450 EF:27 EB:4 ET:32 EL:0 AF:14/27 ]
Wed Jun 22 14:32:26 2011 Local Options hash (VER=V4): 'b347aa25'
Wed Jun 22 14:32:26 2011 Expected Remote Options hash (VER=V4): '8f7d9194'
Wed Jun 22 14:32:26 2011 TCP connection established with [AF_INET]192.168.0.102:43288
Wed Jun 22 14:32:26 2011 TCPv4_SERVER link local: [undef]
Wed Jun 22 14:32:26 2011 TCPv4_SERVER link remote: [AF_INET]192.168.0.102:43288
Wed Jun 22 14:32:26 2011 192.168.0.102:43288 TLS: Initial packet from [AF_INET]192.168.0.102:43288, sid=1c533699 aaef2571
Wed Jun 22 14:32:27 2011 192.168.0.102:43288 VERIFY OK: depth=1, /C=IT/ST=TN/L=Trento/O=Futur3/CN=Futur3_CA/emailAddress=d.garofalo@futur3.it
Wed Jun 22 14:32:27 2011 192.168.0.102:43288 VERIFY OK: depth=0, /C=IT/ST=TN/L=Trento/O=Futur3/CN=client1/emailAddress=d.garofalo@futur3.it
Wed Jun 22 14:32:27 2011 192.168.0.102:43288 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 14:32:27 2011 192.168.0.102:43288 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 14:32:27 2011 192.168.0.102:43288 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 22 14:32:27 2011 192.168.0.102:43288 [client1] Peer Connection Initiated with [AF_INET]192.168.0.102:43288
Wed Jun 22 14:32:27 2011 client1/192.168.0.102:43288 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 22 14:32:27 2011 client1/192.168.0.102:43288 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.10.10.1,ifconfig 10.10.10.2 255.255.255.0' (status=1)
Wed Jun 22 14:32:27 2011 client1/192.168.0.102:43288 Connection reset, restarting [0]
Wed Jun 22 14:32:27 2011 client1/192.168.0.102:43288 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Jun 22 14:32:27 2011 TCP/UDP: Closing socket
Wed Jun 22 14:32:27 2011 MULTI: multi_create_instance called
Wed Jun 22 14:32:27 2011 Re-using SSL/TLS context
Wed Jun 22 14:32:27 2011 Control Channel MTU parms [ L:1559 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 22 14:32:27 2011 Data Channel MTU parms [ L:1559 D:1450 EF:27 EB:4 ET:32 EL:0 AF:14/27 ]
Wed Jun 22 14:32:27 2011 Local Options hash (VER=V4): 'b347aa25'
Wed Jun 22 14:32:27 2011 Expected Remote Options hash (VER=V4): '8f7d9194'
Wed Jun 22 14:32:27 2011 TCP connection established with [AF_INET]192.168.0.102:43289
Wed Jun 22 14:32:27 2011 TCPv4_SERVER link local: [undef]
Wed Jun 22 14:32:27 2011 TCPv4_SERVER link remote: [AF_INET]192.168.0.102:43289
Wed Jun 22 14:32:27 2011 192.168.0.102:43289 TLS: Initial packet from [AF_INET]192.168.0.102:43289, sid=850f7c18 f3b6c645
Wed Jun 22 14:32:27 2011 192.168.0.102:43289 VERIFY OK: depth=1, /C=IT/ST=TN/L=Trento/O=Futur3/CN=Futur3_CA/emailAddress=d.garofalo@futur3.it
Wed Jun 22 14:32:27 2011 192.168.0.102:43289 VERIFY OK: depth=0, /C=IT/ST=TN/L=Trento/O=Futur3/CN=client1/emailAddress=d.garofalo@futur3.it
Wed Jun 22 14:32:28 2011 192.168.0.102:43289 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 14:32:28 2011 192.168.0.102:43289 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 14:32:28 2011 192.168.0.102:43289 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 22 14:32:28 2011 192.168.0.102:43289 [client1] Peer Connection Initiated with [AF_INET]192.168.0.102:43289
Wed Jun 22 14:32:28 2011 client1/192.168.0.102:43289 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 22 14:32:28 2011 client1/192.168.0.102:43289 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.10.10.1,ifconfig 10.10.10.2 255.255.255.0' (status=1)
Wed Jun 22 14:32:28 2011 client1/192.168.0.102:43289 Connection reset, restarting [0]
Wed Jun 22 14:32:28 2011 client1/192.168.0.102:43289 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Jun 22 14:32:28 2011 TCP/UDP: Closing socket
Wed Jun 22 14:32:28 2011 MULTI: multi_create_instance called
Wed Jun 22 14:32:28 2011 Re-using SSL/TLS context
Wed Jun 22 14:32:28 2011 Control Channel MTU parms [ L:1559 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 22 14:32:28 2011 Data Channel MTU parms [ L:1559 D:1450 EF:27 EB:4 ET:32 EL:0 AF:14/27 ]
Wed Jun 22 14:32:28 2011 Local Options hash (VER=V4): 'b347aa25'
Wed Jun 22 14:32:28 2011 Expected Remote Options hash (VER=V4): '8f7d9194'
Wed Jun 22 14:32:28 2011 TCP connection established with [AF_INET]192.168.0.102:43290
Wed Jun 22 14:32:28 2011 TCPv4_SERVER link local: [undef]
Wed Jun 22 14:32:28 2011 TCPv4_SERVER link remote: [AF_INET]192.168.0.102:43290
Wed Jun 22 14:32:28 2011 192.168.0.102:43290 TLS: Initial packet from [AF_INET]192.168.0.102:43290, sid=9cec317f 90f5a3aa
Wed Jun 22 14:32:29 2011 192.168.0.102:43290 VERIFY OK: depth=1, /C=IT/ST=TN/L=Trento/O=Futur3/CN=Futur3_CA/emailAddress=d.garofalo@futur3.it
Wed Jun 22 14:32:29 2011 192.168.0.102:43290 VERIFY OK: depth=0, /C=IT/ST=TN/L=Trento/O=Futur3/CN=client1/emailAddress=d.garofalo@futur3.it
Wed Jun 22 14:32:30 2011 192.168.0.102:43290 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 14:32:30 2011 192.168.0.102:43290 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 14:32:30 2011 192.168.0.102:43290 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 22 14:32:30 2011 192.168.0.102:43290 [client1] Peer Connection Initiated with [AF_INET]192.168.0.102:43290
Wed Jun 22 14:32:30 2011 client1/192.168.0.102:43290 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 22 14:32:30 2011 client1/192.168.0.102:43290 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.10.10.1,ifconfig 10.10.10.2 255.255.255.0' (status=1)
Wed Jun 22 14:32:30 2011 client1/192.168.0.102:43290 Connection reset, restarting [0]
Wed Jun 22 14:32:30 2011 client1/192.168.0.102:43290 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Jun 22 14:32:30 2011 TCP/UDP: Closing socket
Wed Jun 22 14:32:31 2011 MULTI: multi_create_instance called
Wed Jun 22 14:32:31 2011 Re-using SSL/TLS context
Wed Jun 22 14:32:31 2011 Control Channel MTU parms [ L:1559 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Jun 22 14:32:31 2011 Data Channel MTU parms [ L:1559 D:1450 EF:27 EB:4 ET:32 EL:0 AF:14/27 ]
Wed Jun 22 14:32:31 2011 Local Options hash (VER=V4): 'b347aa25'
Wed Jun 22 14:32:31 2011 Expected Remote Options hash (VER=V4): '8f7d9194'
Wed Jun 22 14:32:31 2011 TCP connection established with [AF_INET]192.168.0.102:43291
Wed Jun 22 14:32:31 2011 TCPv4_SERVER link local: [undef]
Wed Jun 22 14:32:31 2011 TCPv4_SERVER link remote: [AF_INET]192.168.0.102:43291
Wed Jun 22 14:32:31 2011 192.168.0.102:43291 TLS: Initial packet from [AF_INET]192.168.0.102:43291, sid=e9a62a8d 75acdf7c
Wed Jun 22 14:32:31 2011 192.168.0.102:43291 VERIFY OK: depth=1, /C=IT/ST=TN/L=Trento/O=Futur3/CN=Futur3_CA/emailAddress=d.garofalo@futur3.it
Wed Jun 22 14:32:31 2011 192.168.0.102:43291 VERIFY OK: depth=0, /C=IT/ST=TN/L=Trento/O=Futur3/CN=client1/emailAddress=d.garofalo@futur3.it
Wed Jun 22 14:32:32 2011 192.168.0.102:43291 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 14:32:32 2011 192.168.0.102:43291 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 22 14:32:32 2011 192.168.0.102:43291 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 22 14:32:32 2011 192.168.0.102:43291 [client1] Peer Connection Initiated with [AF_INET]192.168.0.102:43291
Wed Jun 22 14:32:32 2011 client1/192.168.0.102:43291 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 22 14:32:32 2011 client1/192.168.0.102:43291 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.10.10.1,ifconfig 10.10.10.2 255.255.255.0' (status=1)
The connection resets 3 times and then it blocks on SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.10.10.1,ifconfig 10.10.10.2 255.255.255.0' (status=1)
If I try /ip firewall connection print:
[admin@MikroTik] /interface ovpn-client> /ip firewall connection print
Flags: S - seen reply, A - assured
PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT
0 SA tcp 192.168.0.102:43291 192.168.0.105:1194 established 23h59m38s
1 SA tcp 192.168.88.2:36632 192.168.88.1:23 established 23h59m39s
The connection with the server is OK, but my RB750 doesn't get an IP address from the server.
I've tried to assign an IP address to the ovpn-test interface manually on the MikroTik, but it says that it's invalid.
Please help me.
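An added example, not part of the post above and not MikroTik or OpenVPN project code: a small Python checker that reads an OpenVPN server config and its log the way a reviewer would read the ones posted here. It flags the two things the server itself warned about (`cipher none` means the data channel is unencrypted; no `keepalive` means dead peers are never detected), reads the DH size from the log, and counts how often each client tore the TCP session down right after receiving PUSH_REPLY, which is the loop visible in the log. The config fragment and log lines inside it are constructed to mirror the post (timestamps and addresses copied from it); the function names are the example's own.

```python
"""Audit an OpenVPN server.conf and summarise a reconnect loop in its log.

Added example (not from the forum post). SAMPLE_CONF and SAMPLE_LOG are
constructed to mirror the post: `cipher none`, no `keepalive`, 1024-bit DH,
and a client that drops the TCP connection right after PUSH_REPLY.
"""
import re
from collections import Counter

# Constructed server.conf fragment (same options as the post, key paths omitted).
SAMPLE_CONF = """\
local 192.168.0.105
dev tap
port 1194
cipher none
auth SHA1
tls-server
proto tcp-server
server 10.10.10.0 255.255.255.0
verb 3
"""

# Constructed log excerpt in OpenVPN 2.1 format, trimmed to the relevant lines.
SAMPLE_LOG = """\
Wed Jun 22 14:31:57 2011 WARNING: --keepalive option is missing from server config
Wed Jun 22 14:31:57 2011 Diffie-Hellman initialized with 1024 bit key
Wed Jun 22 14:31:57 2011 ******* WARNING *******: null cipher specified, no encryption will be used
Wed Jun 22 14:32:27 2011 client1/192.168.0.102:43288 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.10.10.1,ifconfig 10.10.10.2 255.255.255.0' (status=1)
Wed Jun 22 14:32:27 2011 client1/192.168.0.102:43288 Connection reset, restarting [0]
Wed Jun 22 14:32:28 2011 client1/192.168.0.102:43289 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.10.10.1,ifconfig 10.10.10.2 255.255.255.0' (status=1)
Wed Jun 22 14:32:28 2011 client1/192.168.0.102:43289 Connection reset, restarting [0]
Wed Jun 22 14:32:30 2011 client1/192.168.0.102:43290 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.10.10.1,ifconfig 10.10.10.2 255.255.255.0' (status=1)
Wed Jun 22 14:32:30 2011 client1/192.168.0.102:43290 Connection reset, restarting [0]
Wed Jun 22 14:32:32 2011 client1/192.168.0.102:43291 SENT CONTROL [client1]: 'PUSH_REPLY,route-gateway 10.10.10.1,ifconfig 10.10.10.2 255.255.255.0' (status=1)
"""

# "<weekday> <month> <day> <time> <year> [<cn>/<ip>:<port>] <message>"
LOG_RE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} "
    r"(?:(?P<peer>\S+/\d+\.\d+\.\d+\.\d+:\d+) )?(?P<msg>.*)$"
)


def parse_conf(text):
    """Return {option: [args]} for an OpenVPN config; comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def audit_conf(conf):
    """Flag config settings that weaken or destabilise the tunnel."""
    findings = []
    if [c.lower() for c in conf.get("cipher", [])] == ["none"]:
        findings.append("cipher none: data channel is sent in the clear; only the HMAC (auth) protects integrity")
    if "keepalive" not in conf and "ping" not in conf:
        findings.append("keepalive missing: dead peers are not detected and clients are never pinged")
    return findings


def analyse_log(text):
    """Collect server warnings, the DH size, and per-client resets that follow a PUSH_REPLY."""
    summary = {"warnings": [], "dh_bits": None, "resets_after_push": Counter()}
    last_event = {}  # client CN -> "push_reply" | "reset"
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        peer, msg = m.group("peer"), m.group("msg")
        if "WARNING" in msg:
            summary["warnings"].append(msg.split(": ", 1)[-1])
        dh = re.search(r"Diffie-Hellman initialized with (\d+) bit key", msg)
        if dh:
            summary["dh_bits"] = int(dh.group(1))
        if peer:
            client = peer.split("/", 1)[0]
            if "PUSH_REPLY" in msg:
                last_event[client] = "push_reply"
            elif "Connection reset" in msg:
                if last_event.get(client) == "push_reply":
                    summary["resets_after_push"][client] += 1
                last_event[client] = "reset"
    return summary


def report(conf_text, log_text):
    """Combine config and log findings into one list of strings."""
    findings = audit_conf(parse_conf(conf_text))
    log = analyse_log(log_text)
    if log["dh_bits"] is not None and log["dh_bits"] < 2048:
        findings.append(f"{log['dh_bits']}-bit DH parameters: below the 2048-bit minimum now recommended")
    for client, n in log["resets_after_push"].items():
        findings.append(f"{client}: peer closed the TCP session right after PUSH_REPLY {n} time(s); "
                        "the pushed ifconfig/route options never took effect")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_CONF, SAMPLE_LOG):
        print("-", line)
```

Run it against a real `server.conf` and the output of `openvpn --config server.conf` by passing their contents to `report()`; the reset counter only attributes a reset to a client when the immediately preceding event for that CN was a PUSH_REPLY, so ordinary disconnects later in a session are not counted as part of the loop.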