OPENVPN

Hi,
I have a pfSense 23.05 OpenVPN server; these are the logs:

 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only

 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

When a MikroTik RouterOS 7.10.2 OpenVPN client tries to connect:

ovpn-out1: connecting...
ovpn-out1: initializing...
ovpn-out1: using encoding - AES-128-CBC/SHA1
PUSH_REPLY,comp-lzo no,route 192.168.208.0 255.255.255.0>
IV_PROTO=746
warning: recvd <WIV_CIPHERS=AES-128-CBC:AES-128-CFB1:AES-128-CFB8:AES-128-OFB:AES-128-GCM
ovpn-out1: disconnected <peer disconnected>
ovpn-out1: terminating... - peer disconnected

Try to match the “Allowed Data Encryption Algorithm” on the pfSense side to a cipher that is supported by MikroTik, and reflect that change in the config on the client side.

Thanks! With these custom options on the server:

tls-version-min 1.2;
tls-version-max 1.2;

and TLS Version set to only v1.2 on the MikroTik,

the status goes to connected.

After the client connects it gets a dynamic address (6), which is wrong; I expected (5) to be the correct one:

ip/address/print 
#   ADDRESS           NETWORK      INTERFACE 
6 D 10.7.50.6/32      10.7.50.5    ovpn-out1
5 X 10.7.50.2/32      10.7.50.0    ovpn-out1

I've tried a config option on the server to force the correct IP, but it seems to be ignored:

ifconfig-push 10.7.50.2 255.255.255.0;

Now the ROS clients can access the remote LAN, and this is fine.

But from the main site LAN, could it be that the server uses a wrong route to get to the ROS clients:

Destination Gateway Flags USES
ROSLAN/24 10.7.50.2 ugs 15

Anyway, it's the server that manages the routes. Now on the client I get:

           dest                     gateway           distance 
DAv+ SITEa.a.a.0/24   tunnel.client        1
DAC  tunnel.0/24         ovpn-out              0

and on the server:

tunnel.0/24             link#18 
tunnel.server          link#18
SITEb.b.b.0/24       tunnel.server

and it works!
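The working setup described in this thread (TLS pinned to 1.2 on both ends, a data cipher that the MikroTik advertises in its IV_CIPHERS list, a per-client tunnel address) written out as one RouterOS 7 client definition, with the pfSense server setting each option has to match noted in comments. This is an added example, not configuration posted by anyone in the thread; the server address, user name, password and certificate name are placeholders. One point the thread does not spell out: ifconfig-push is a per-client directive, so on pfSense it belongs in a Client Specific Override for that client's certificate Common Name rather than in the server's global custom options, and its second argument depends on the server's Topology setting (a netmask for "subnet", the peer endpoint of the client's /30 pair for "net30").

```routeros
# Added example (not from the thread): RouterOS 7 OpenVPN client matching a
# pfSense 23.05 OpenVPN server pinned to TLS 1.2 with AES-128-CBC/SHA1.
#
# Placeholders (assumptions, replace with your own values):
#   vpn.example.net   - public address of the pfSense server
#   ros-client        - user name on the pfSense server's auth backend
#                       (only needed if the server mode includes User Auth)
#   client-ros.crt_0  - name RouterOS gave the imported client certificate

# 1. Import the client certificate and key exported from pfSense (Cert
#    Manager). The files must already be in the router's file list.
/certificate import file-name=client-ros.crt passphrase=""
/certificate import file-name=client-ros.key passphrase=""

# 2. Client definition. Each option is paired with the pfSense setting it
#    must match, otherwise you get the "TLS error: Unsupported protocol"
#    or a cipher mismatch seen in the thread:
#      tls-version=only-1.2   <-> custom options: tls-version-min 1.2;
#                                                 tls-version-max 1.2;
#      cipher=aes128-cbc      <-> Data Encryption Algorithms must include
#                                 AES-128-CBC (or another cipher from the
#                                 client's IV_CIPHERS list, e.g. AES-128-GCM)
#      auth=sha1              <-> Auth digest algorithm: SHA1
#      protocol=udp port=1194 <-> Protocol / Local port of the server
/interface ovpn-client add name=ovpn-out1 \
    connect-to=vpn.example.net port=1194 protocol=udp mode=ip \
    user=ros-client password="change-me" \
    certificate=client-ros.crt_0 verify-server-certificate=yes \
    tls-version=only-1.2 cipher=aes128-cbc auth=sha1 \
    add-default-route=no use-peer-dns=no

# 3. Fixed tunnel address for this client: do NOT put ifconfig-push in the
#    server's custom options. On pfSense create a Client Specific Override
#    whose Common Name equals the CN of client-ros.crt and put the directive
#    in its Advanced field, for example
#      topology "subnet":  ifconfig-push 10.7.50.2 255.255.255.0
#      topology "net30":   ifconfig-push 10.7.50.6 10.7.50.5
#    The route back to this client's LAN goes in the same override as an
#    iroute (pfSense: the override's "Remote Networks" field), together with
#    the same network in the server's "Remote Networks" so the kernel route
#    towards the tunnel exists.

# 4. Verify: tunnel state, the address the server handed out, and the routes
#    the server pushed (shown as dynamic routes on the client).
/interface ovpn-client monitor ovpn-out1 once
/ip address print where interface=ovpn-out1
/ip route print where dynamic
```

If the override is correct, step 4 shows the address from ifconfig-push instead of one taken from the server's dynamic pool, and the pushed route (route 192.168.208.0 255.255.255.0 in the PUSH_REPLY above) appears as a dynamic route via the tunnel peer.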