OpenVPN Server error: TLS failed

Hello MikroTik,

I am pretty sure there is a problem with OpenVPN Server running on RouterOS when you choose “require-client-certificate”.

I tested several times using different chains of certificates.

The weird thing is that if you try the same configuration and certificates on version 5.26 (OpenVPN Server) it works, but when you do the same on version 6.18 it does not work.

Error: “TLS failed”.

I tested with two types of OpenVPN clients: RouterOS and Windows. The result is the same.

The certificates are signed by the same CA.

I imported the CA, the client and server certificate (including the private keys of each one) to each RouterOS and made sure that the NTP client was updated correctly. But the result is the same: TLS failed.

I tested with:

  • My own certificates
  • CACert
  • GoDaddy

None of them works.

All the necessary files are here (rif included): https://www.dropbox.com/sh/6kjzx50yfgg8rsw/AAAljGTAMCA_KMgPNhvn50ina

Any advice? Has someone tested it? Maybe I am doing something wrong with the certificates.

Best regards.

Note:

If I uncheck “require-client-certificate” it works.

Best regards.

If I were you I wouldn't share private key files publicly… :open_mouth:

Hence, they are called private keys… :bulb:

They are just for testing. I will generate them again. Thank you for your suggestion.

Yes I have the same problem since v6.9+.

see http://forum.mikrotik.com/t/openvpn-ios-tls-failed/78752/1
http://forum.mikrotik.com/t/ovpn-and-certificates/79262/1

but so far no answer to this problem

New OpenVPN server configured in 6.18 router confirmed working here with Require Client Certificate checked, using self-signed certificates generated by XCA in Ubuntu. Testing client was OpenVPN GUI software client for Windows (OpenVPN.net).

This might not be your problem, but make sure your certificates (both CA and server) are present, and show status KAT for CA, and KT for server. The TLS error will occur at the client if the certificates have been imported into the server router but the associated key (PEM) files have not been imported/applied. In that case you don’t see the K in the certificate status line.

I find the verbose output of the OpenVPN client for Windows running in a terminal window (instead of using the GUI) helpful for troubleshooting.

Hello sanitycheck,

Thank you for your answer.

I just followed these steps and it works: http://wiki.mikrotik.com/wiki/Manual:Create_Certificates

There must be something with the certificate chain or the CRL.

Best regards.

Hello,

Another problem: after successfully generating the certificates on one RouterOS, when I try to use the exported certificates with OVPN (require-client-certificate checked) in another RouterOS (including all the private keys) the error appears again: “TLS FAILED”.

I followed this link to create them: http://wiki.mikrotik.com/wiki/Manual:Create_Certificates

Any idea?

Best regards.

Hello,

Found the problem. When I set the CRL it does not work. If I skip the CRL then it works.

Tested on several RouterBoards and x86.

Best regards.

Hello,

Confirmed. The problem happens when you set the CRL on the certificates.

Tested on several RouterBoards and it works without using CRL.

The certificates were generated by OpenSSL and RouterOS (with both it works).

Best regards.

I can confirm that problem. In my environment an RB2011 works as OVPN server, with Windows clients. Certificates were generated in Microsoft CA (Windows Server 2008 R2) and, in a second environment, with OpenSSL.
If a CRL is defined and the option require-client-certificate is set, then clients cannot establish a connection.

I reproduced the problem twice: when I found it after an upgrade (from 6.1 to 6.15), and again when I built a separate clean environment from scratch for this test. So it is not bad luck.
I checked that the CRL file is downloaded from my CRL distribution point.
If I generate the certificate without the CRL option, it works with the option require-client-certificate.
For now I’ve tested RouterOS: 6.15, 6.18, 6.19

The problem was sent to MikroTik:
[Ticket#2014082766000625]

If anyone has any idea how to investigate this problem, I can do more tests.

EDIT:
For now I’ve tested RouterOS: 6.15, 6.18, 6.19, 6.20

I use an RB750GL as OVPN server. I tried to make certificates with openssl (following the wiki) and want to use them with the “require client certificate” option checked, and I always get a “TLS handshake failed” error. What’s the problem?
I have two points to understand:

  • do I need to import ca.key or just ca.crt only to my router?
  • if I have to create certificates with CRL option disabled, how can I do this with openssl?
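An added example, not from any poster in this thread and not MikroTik's own tooling, answering the OpenSSL question above: a POSIX shell script that builds a CA, a server certificate and a client certificate carrying no crlDistributionPoints extension (the reports in this thread point at the CRL as the trigger of the "TLS failed" error), issues one extra client certificate that does carry a CRL distribution point for comparison, and checks any certificate for that extension before it is imported into RouterOS. Every name and the CRL URI are constructed; only `openssl` is required.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): small OpenSSL PKI whose
# certificates carry NO CRL Distribution Points extension, plus a check that
# tells you whether a given certificate has one before you import it into
# RouterOS. Names and the URI in the "with CRL" profile are constructed.
set -eu

# Extension profiles written to DIR/ext.cnf; only client_crl_ext adds a CRL DP.
write_ext_cnf() {
    cat > "$1/ext.cnf" <<'EOF'
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ client_crl_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://crl.example.invalid/myca.crl
EOF
}

# issue DIR NAME EXT_SECTION: new key + CSR + certificate signed by DIR/ca.*
issue() {
    dir=$1; name=$2; ext=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/ext.cnf" -extensions "$ext" \
        -out "$dir/$name.crt" 2>/dev/null
}

# gen_pki DIR: self-signed CA, server and client1 without a CRL DP,
# and client-crl with one (so the check below has something to catch).
gen_pki() {
    dir=$1
    write_ext_cnf "$dir"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj "/CN=myCa" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/ext.cnf" -extensions ca_ext -out "$dir/ca.crt" 2>/dev/null
    issue "$dir" server server_ext
    issue "$dir" client1 client_ext
    issue "$dir" client-crl client_crl_ext
}

# has_crl_dp CERT: prints "yes" if the certificate carries an
# X509v3 CRL Distribution Points extension, "no" otherwise.
has_crl_dp() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'; then
        echo yes
    else
        echo no
    fi
}

# verify_chain CA CERT: exit 0 if CERT chains to CA (what the server must do
# for a client certificate when require-client-certificate is on).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh pki.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_pki "$d"
    for c in server client1 client-crl; do
        printf '%-11s CRL DP: %s\n' "$c" "$(has_crl_dp "$d/$c.crt")"
    done
    echo "files in $d"
fi
```

Import only `ca.crt` into the server router (the CA key stays offline); import `server.crt` with `server.key` so the status shows K, and give each client its own `clientN.crt` plus key. Run `has_crl_dp` on every certificate first; a "yes" means the certificate was issued with a CRL distribution point, which is the condition the posts above associate with the failure.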

Guys, this is my first time trying to get OpenVPN setup on my Mikrotik.
I’ve read through the Wiki and I find the information vague and haven’t had success.
Can someone provide me a concise guide to setting up OpenVPN?

The Mikrotik router is 10.0.10.1.

I’m confused about generating certificates. Can I just create them on the router?

I’ve also found this thread and am thinking to myself “Oh great, I can’t tell if it’s my unfamiliarity with RouterOS or a bug in the software.”

Hello,

Using RouterOS 6.20 you can execute the following commands on the MikroTik server:

We will create two client certificates at this time (you can add more later):

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2

/certificate
sign ca-template name=myCa
sign ca=myCa server-template name=server
sign ca=myCa client1-template name=client1
sign ca=myCa client2-template name=client2

/certificate
set myCa trusted=yes
set server trusted=yes

At this time you have all you need at your server. Now you have to export the CA and the client certificates that you need to import to the client:

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx

Go to /files and download the files just exported.

Best regards.

/certificate sign ca-template name=myCa
error: couldn’t perfom action - timeout(13)
?

Which version are you using?
I use version 6.20. In version 6.19 is different.

Best regards.

v6.20, RB750G
but why is this info not in the wiki?
that’s the third way I’ve tried to create certificates - openvpn (easy-rsa), openssl and in RouterOS.
and none works

Here is a video: http://youtu.be/93__PLZgebE

Best regards.

ok, I can create certificates with my rb750gl (without any load, especially torrents, the timeout is gone),
but I still get a TLS error after about 60 sec timeout - connection failed.
crl on my certificate is absent.