openvpn set up, but unable to connect

dimm0k · February 2, 2023, 7:32pm

I followed the guide here https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/ to get openvpn set up on my mikrotik, along with a usable config file for the devices I would like to connect with, but getting a showstopper on both a Windows 10 laptop and my Android phone. any suggestions on how to fix this, as it looks to be the same issue on both devices.

[Feb 2, 2023, 14:07:22] OpenVPN core 3.git::d3f8b18b win x86_64 64-bit built on Mar 17 2022 11:42:02
⏎[Feb 2, 2023, 14:07:22] Frame=512/2048/512 mssfix-ctrl=1250
⏎[Feb 2, 2023, 14:07:22] UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
8 [tls-client]
10 [verb] [4]
11 [mute] [10]
12 [data-ciphers] [AES-256-CBC]
15 [auth-nocache]
⏎[Feb 2, 2023, 14:07:22] EVENT: RESOLVE ⏎[Feb 2, 2023, 14:07:22] EVENT: WAIT ⏎[Feb 2, 2023, 14:07:22] WinCommandAgent: transmitting bypass route to [internet address]
{
	"host" : "[internet address]",
	"ipv6" : false
}

⏎[Feb 2, 2023, 14:07:23] Connecting to [internet address]:1194 ([internet address]) via TCPv4
⏎[Feb 2, 2023, 14:07:23] EVENT: CONNECTING ⏎[Feb 2, 2023, 14:07:23] Tunnel Options:V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client
⏎[Feb 2, 2023, 14:07:23] Creds: Username/Password
⏎[Feb 2, 2023, 14:07:23] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1

⏎[Feb 2, 2023, 14:07:23] Transport Error: Transport error on 'internet address: NETWORK_EOF_ERROR
⏎[Feb 2, 2023, 14:07:23] EVENT: TRANSPORT_ERROR Transport error on 'internet address: NETWORK_EOF_ERROR⏎[Feb 2, 2023, 14:07:23] Client terminated, restarting in 5000 ms...
⏎[Feb 2, 2023, 14:07:28] EVENT: RECONNECTING ⏎[Feb 2, 2023, 14:07:28] EVENT: RESOLVE ⏎[Feb 2, 2023, 14:07:28] EVENT: WAIT ⏎[Feb 2, 2023, 14:07:28] WinCommandAgent: transmitting bypass route to [internet address in ipv6]
{
	"host" : "[internet address in ipv6]",
	"ipv6" : true
}

⏎[Feb 2, 2023, 14:07:28] Transport Error: socket_protect error (TCPv4)
⏎[Feb 2, 2023, 14:07:28] Client terminated, restarting in 2000 ms...
⏎[Feb 2, 2023, 14:07:30] EVENT: RECONNECTING ⏎[Feb 2, 2023, 14:07:30] EVENT: RESOLVE ⏎[Feb 2, 2023, 14:07:30] EVENT: WAIT ⏎[Feb 2, 2023, 14:07:30] WinCommandAgent: transmitting bypass route to [internet address]
{
	"host" : "[internet address]",
	"ipv6" : false
}

the config I’m using is a unified one that incorporates the certificates generated from the mikrotik as follows

client
dev tun
proto tcp
remote internetaddress 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
mute 10
data-ciphers AES-256-CBC
auth SHA1
auth-user-pass
auth-nocache
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----

gibberish

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

gibberish

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----

gibberish

-----END ENCRYPTED PRIVATE KEY-----
</key>

anav · February 2, 2023, 7:57pm

My suggestion try wireguard instead.

dimm0k · February 2, 2023, 8:14pm

what’s the reason?

anav · February 2, 2023, 8:54pm

Easier, implementation is fully supported in MT, and faster.

optio · February 4, 2023, 6:59pm

I’m guessing something is not correctly set in gibberish sections.
I have similar configuration except certificates and key are loaded from files, working just fine.

client
dev tun
proto tcp
remote <HOST> <PORT>

resolv-retry infinite
nobind

persist-key
persist-tun

cipher AES-256-CBC

auth SHA1

auth-user-pass
auth-nocache

ca network_ca.crt
cert network_o_client.crt
key network_o_client.key

redirect-gateway def1
dhcp-option DOMAIN lan

Selin · February 7, 2023, 9:28am

Hi
Could you tell, please, what versions of the OpenVPN and Router OS you are using?
Thanks

optio · February 7, 2023, 5:45pm

OpenVPN server: from ROS version 7.4 up to current stable 7.7.
Client on MacOS: Tunnelblick latest version - 3.8.7a, it’s a wrapper application for OpenVPN with several embedded versions, using v2.5.4
Client on iOS and Android: OpenVPN Connect latest version from appstore/play

All clients are able to connect, each client has different user/OVPN Server Binding interface and secret related to same ppp profile.

Selin · February 13, 2023, 8:33pm

Just to share my experience - after upgrading OpenVPN to 2.6 on my server, I had to add the following line to the ovpn config:

data-ciphers AES-256-CBC

to let my old Mikrotiks (6.x) to connect to that upgraded server.