OpenVPN with CA on router

Hi, I’m trying to create an OpenVPN server. The MikroTik router is replacing an existing Linux router (computer) which serves as the OpenVPN gateway. Since there are only two users of the VPN there’s no need to import existing settings; I can generate new certificates.

Also, the Linux server will be shut down after migration, so there will be no CRL for the old CA where the self-signed certificates were generated.

I have set up the RB 2011 and the internet is working fine, forwarded ports are working fine - there might be some finesse to add to the config.

I’m using two approaches (I have two RB2011s, so I can use one to test) and whichever I get to work first is fine.

  1. One RB 2011 on site is running 5.24. I have created free certificates on StartSSL. I get a connection from the OpenVPN client (OpenVPN on Win XP) but the error I get is that there is no way to verify the certificate.

The net there is PPPoE from the ISP with a static IP.

Mon Mar 11 16:06:38 2013 VERIFY ERROR: depth=2, error=certificate signature failure: /C=IL/O=StartCom_Ltd./OU=Secure_Digital_Certificate_Signing/CN=StartCom_Certification_Authority
Mon Mar 11 16:06:38 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Mar 11 16:06:38 2013 TLS Error: TLS object -> incoming plaintext read error
Mon Mar 11 16:06:38 2013 TLS Error: TLS handshake failed
Mon Mar 11 16:06:38 2013 Fatal TLS error (check_tls_errors_co), restarting

Here the error is probably with verification of certificates, though I have imported the CA cert to the MikroTik router; on the client I’m using PKCS12. If I try to convert the keys to PEM I get no connection at all.

Does anyone have any idea? I’ll try verifying the certificates on a Linux machine.

  2. I also tried the 2nd approach - I installed RC 6.11 on another identical routerboard and set it up in almost the same way (DHCP, local network, routes), and here I’d like to try to generate self-signed certificates on the MikroTik router itself for the OpenVPN server and 2-4 users.

The network here is DHCP, but it’s not a problem since it’s easy to change from DHCP to PPPoE. The IP is not static but doesn’t change for the duration of testing, so a default static route to the internet should work.

Questions

What about the CRL if I use the CA on the router - where is the CRL accessible? Do I have to punch any holes in the firewall?
Does the CRL matter for OpenVPN? Are certificates checked at all?

Do I have to use any special stuff in certificate requests?

How do I import the certificate the CA has generated so that I can then assign it to the OpenVPN server?

I have learned really a lot during this procedure, but it’s taking a bit long and the higher-ups want it complete soon.
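The verification step the client is failing at can be reproduced and checked outside OpenVPN. The script below is an added example, not from the post: it builds a throwaway three-deep PKI (root, intermediate, server, all names constructed placeholders) and runs the same chain check the client does against its "ca" file, once with the right root and once with a different self-signed root that reuses the same subject name. It assumes only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the forum post: rebuild the class of failure seen in
# the OpenVPN log with a throwaway PKI and `openssl verify`. Every name here is
# a constructed placeholder. Requires the openssl CLI.
set -e

# Build root -> intermediate -> server, mirroring the three-deep StartCom
# chain in the log (depth 0 = server, 1 = intermediate, 2 = root).
make_pki() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    # Root CA (self-signed).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$d/root.key" -out "$d/root.crt" -subj "/CN=Test Root CA" 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Test Intermediate CA" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/int.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    # OpenVPN server cert, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$d/server.key" -out "$d/server.csr" -subj "/CN=vpn.example.test" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/server.csr" -CA "$d/int.crt" \
        -CAkey "$d/int.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
    # A *different* self-signed root that reuses the same subject name: this is
    # what a stale or wrong "ca" file on the client looks like to the verifier.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$d/wrong.key" -out "$d/wrong.crt" -subj "/CN=Test Root CA" 2>/dev/null
}

# verify_chain <trusted root> <intermediate> <leaf>: the same check the OpenVPN
# client performs against its "ca" file. Returns openssl's exit status.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

PKI=$(mktemp -d)
make_pki "$PKI"

# Correct root in the trust store: the chain verifies.
verify_chain "$PKI/root.crt" "$PKI/int.crt" "$PKI/server.crt"

# Wrong root with the same name: verification fails. The exact reason openssl
# prints depends on its version, but the effect is the VERIFY ERROR in the log.
if verify_chain "$PKI/wrong.crt" "$PKI/int.crt" "$PKI/server.crt" 2>&1; then
    echo "unexpected: chain verified against the wrong root"; exit 1
fi
```

Run the same `openssl verify` with the real CA file from the client config and the certificates exported from the router to see which link of the chain the client is rejecting.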