OpenVPN tls-auth problem in RouterOS 4.6

Hello all.

After setting up the ovpn-server, I am trying to connect from a Windows client (OpenVPN 2.1.1) and have a problem.
The auth-user-pass option in Windows does not work without recompiling, so I am using the "tls-auth ta.key 1" option on the client side.
But for a successful connection I need to set the parameter "tls-auth ta.key 0" on the server side. Without that I get an error while connecting: "TLS Error: cannot locate HMAC in incoming packet from <ip.addr>".

How can I set up this parameter on RouterOS?

You can't. You need auth-user-pass, so recompile the Windows client.

Ok, thanks.
Do you have plans to add that option in future versions of RouterOS?

I've followed the wiki and I'm having similar problems when I try to get my ROS OVPN Client (v3.30) to speak to my ROS OVPN Server (v3.30).

I get the following error: terminating ... TLS Handshake Failed

I don't understand where I'm going wrong. PLEASE HELP!!!

Kindly see my configuration below:



SERVER SIDE CONFIGURATION

/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38

/ppp profile add change-tcp-mss=default comment="" local-address=10.15.32.33
name="PROFILE" only-one=default remote-address=ovpn-pool
use-compression=default use-encryption=required use-vj-compression=default

/ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0
limit-bytes-out=0 name="username" password="password"
routes="" service=ovpn

/interface ovpn-server server set auth=sha1,md5
cipher=blowfish128,aes128,aes192,aes256 default-profile=PROFILE
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29
port=443 require-client-certificate=no

FIREWALL RULE TO ALLOW ACCESS:

/ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=443 protocol=tcp

CLIENT CONFIGURATION:

/interface ovpn-client
add name="ovpn-out1" connect-to=W.X.Y.Z port=443 mode=ip user="username" password="password" profile=default
certificate=none cipher=aes256 add-default-route=no


NB: I've posted this previously; however, the response was slow in Beta.

You need to set the server certificate:
http://wiki.mikrotik.com/wiki/OpenVPN#Certificates

Ok, I've created, uploaded and imported the server-side certificate and the client-side certificate.

The server now tells me that a connection is established; however, the OVPN client and server status is disconnected.

I must be missing something really silly here. Please help.

Kindly see below:

SERVER

ppp secret:

name="username" service=ovpn caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0

Ovpn Pool:

2 ovpn-pool 10.15.32.34-10.15.32.38

PPP Profile:

ppp profile print
Flags: * - default
0 * name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes

1 name="Beya_Voip" local-address=10.15.32.33 remote-address=ovpn-pool use-compression=default use-vj-compression=default
use-encryption=required only-one=default change-tcp-mss=default

Ovpn-Server Server:
interface ovpn-server server print

enabled: yes
port: 443
mode: ip
netmask: 29
mac-address: FE:50:A6:C5:67:B9
max-mtu: 1500
keepalive-timeout: disabled
default-profile: Beya_Voip
certificate: cert1
require-client-certificate: yes
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256


CLIENT
interface ovpn-client print detail

Flags: X - disabled, R - running
0 name="ovpn-out1" mac-address=FE:84:A8:9E:19:43 max-mtu=1500 connect-to=172.16.0.1 port=443 mode=ip user="username"
password="password" profile=default certificate=cert1 auth=sha1 cipher=aes256 add-default-route=no


LOG

21:43:01 ovpn,info TCP connection established from W.X.Y.Z
21:43:02 ovpn,info TCP connection established from W.X.Y.Z
21:43:05 ovpn,info TCP connection established from W.X.Y.Z
21:43:05 ovpn,info TCP connection established from W.X.Y.Z

PING from Client:

ping 10.15.32.33
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout

I have the same problem with TLS, so I created a certificate with easy-rsa in Linux, and when I set up the ovpn server and choose the certificate for it, MikroTik responds: Couldn't change ovpn server - no certificate found. I created the certificate with
./pkitool --initca
./pkitool --pass --server RB450
./pkitool --pass client1
The passphrase is: test

When I import the crt and key to MikroTik and write passphrase: test, is it okay? Then I can view 2 certificates on my MikroTik server, but when I apply one to the ovpn server it responds with the answer above. Can you tell me please what I am doing wrong?

Upload the .crt file and the .key file to the router.
Import the .crt file and then import the .key file.
The certificate should appear with the KR flag; only then will you be able to use it.

I use the manual on http://wiki.mikrotik.com/wiki/OpenVPN - easy-rsa software. I upload and import the keys and crt. I can choose cert1 and cert2 in the ovpn setup, but when I set cert1 or cert2 an error message appears: Couldn't change ovpn server - no certificate found(6). Do you know what causes the problem? When I import the certificate it asks me for a passphrase, but I don't know it. I didn't write any passphrase when I created the cert with easy-rsa. Can that cause the problem?

You are right: the flag on my cert1 and cert2 is D, which is DSA, but why? I decrypt it, I do everything I can, but my cert is always DSA. Can you help me please?

I use pkitool in Fedora; can that be the problem?

I have tried x times to generate a certificate following the manual on the MikroTik wiki:
cd easy-rsa
cd 2.0 ------------ it isn't in the manual, but that is where pkitool is
less README
vi vars
source vars
./clean-all

./pkitool --initca

./pkitool --pass --server mik1 ------ name of my MikroTik
pass:test

./pkitool --pass client1
pass:test

On the server I import mik1.crt with passphrase:test - then one cert1 appears.
Then mik1.key with passphrase:test; nothing appears, I still have only cert1 there.
Then ca.crt with passphrase:""; cert2 appears.
When I print them, both of the certificates are DSA and I don't know why. I have tried decrypting etc.

Can anybody help me?

I have the same trouble with importing a private key.

When I import the certificate, it is imported successfully, with flag D.
When I import the private key, nothing happens.

I tested on RouterOS 4.6, 4.9 and 4.10. RouterOS 4.10 reports 0 keys imported and 0 errors.

I redid it once more with easy-rsa-2.0rc1SAN, using the --pass option and a non-empty password.

All works!

Before, I used an empty password.
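An added preflight check, not from any poster in this thread, that inspects a .crt/.key pair before uploading it to the router: it reads the key algorithm from the PEM label or from the DER algorithm OID (a DSA key is what the D flag reports, KR needs an RSA key with its private key) and whether the private key is passphrase-protected, which the posts above found necessary for the import to count the key. The sample PEM blocks are constructed and hold only an AlgorithmIdentifier, not a real certificate.

```python
import base64
import re

# DER encodings of the key-algorithm OIDs found in a SubjectPublicKeyInfo or PrivateKeyInfo
ALGO_OIDS = {
    "rsa": bytes.fromhex("06092a864886f70d010101"),  # 1.2.840.113549.1.1.1 rsaEncryption
    "dsa": bytes.fromhex("06072a8648ce380401"),      # 1.2.840.10040.4.1 id-dsa
    "ec": bytes.fromhex("06072a8648ce3d0201"),       # 1.2.840.10045.2.1 id-ecPublicKey
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """One dict per PEM block: label, detected key algorithm, and whether it is passphrase-protected."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        # Legacy PEM marks an encrypted key with a Proc-Type header; PKCS#8 puts it in the label.
        encrypted = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body
        algo = next((n for n in ALGO_OIDS if label.startswith(n.upper() + " ")), None)
        if algo is None and not encrypted:
            # Drop header lines (they contain ':'), decode the DER and search it for a key OID.
            der = base64.b64decode("".join(l.strip() for l in body.splitlines() if ":" not in l))
            algo = next((n for n, oid in ALGO_OIDS.items() if oid in der), None)
        blocks.append({"label": label, "algo": algo, "encrypted": encrypted})
    return blocks

def routeros_import_check(cert_pem, key_pem):
    """Reasons the .crt/.key pair would not give a usable KR certificate; empty list means it looks fine."""
    problems = []
    certs = [b for b in inspect_pem(cert_pem) if b["label"] == "CERTIFICATE"]
    keys = [b for b in inspect_pem(key_pem) if "PRIVATE KEY" in b["label"]]
    if not certs:
        problems.append("no CERTIFICATE block in the .crt file")
    elif certs[0]["algo"] != "rsa":
        problems.append(f"certificate public key is {certs[0]['algo']}, not RSA (no R flag)")
    if not keys:
        problems.append("no PRIVATE KEY block in the .key file")
    elif keys[0]["algo"] not in ("rsa", None):
        problems.append(f"private key is {keys[0]['algo']}, not RSA")
    elif not keys[0]["encrypted"]:
        problems.append("private key has no passphrase (the thread reports such keys import as 0 keys)")
    return problems

# Constructed samples, not real certificates: the DER payload is just an AlgorithmIdentifier.
def _fake_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
RSA_CERT = _fake_pem("CERTIFICATE", b"\x30\x0d" + ALGO_OIDS["rsa"] + b"\x05\x00")
DSA_CERT = _fake_pem("CERTIFICATE", b"\x30\x09" + ALGO_OIDS["dsa"])
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run it over the real files with `routeros_import_check(open("mik1.crt").read(), open("mik1.key").read())`; an empty list means the pair should import with the KR flag, and each string in a non-empty list names the defect to fix before re-uploading.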

I have the same error and the OpenVPN server is in production, so I can use easy RSA.

How can we get DSA certs to work?

Eric