ovpn can't support lzo compress?

I installed OpenVPN on FreeBSD; the OpenVPN config file is:

port 443
proto tcp
dev tun
ca /vpn/keys/ca.crt
cert /vpn/keys/server.crt
key /vpn/keys/server.key
dh /vpn/keys/dh1024.pem
server 10.97.0.0 255.255.0.0
ifconfig-pool-persist /vpn/ipp.txt
keepalive 10 60
ping-timer-rem
comp-lzo
persist-key
persist-tun
status /vpn/log/status.log
log /vpn/log/openvpn.log
verb 3
mute 20
daemon
writepid /vpn/log/server.pid
push "redirect-gateway def1"
plugin /vpn/simple.so /vpn/pass.txt
client-cert-not-required
fast-io
username-as-common-name
client-to-client
cipher none
push "dhcp-option DNS 208.67.222.222"

When I use the OpenVPN client to connect to the OpenVPN server, it works fine!
But when I use RouterOS ovpn to connect to the OpenVPN server, it can't link. The error log is:

Sat Sep 22 19:44:28 2007 TCP connection established with 61.160.79.182:46679
Sat Sep 22 19:44:28 2007 TCPv4_SERVER link remote: 61.160.79.182:46679
Sat Sep 22 19:44:28 2007 61.160.79.182:46679 TLS: Initial packet from 61.160.79.182:46679, sid=855ad979 e1ff0488
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 PLUGIN_CALL: POST /vpn/simple.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 TLS: Username/Password authentication succeeded for username 'jJbs0' [CN SET]
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1528', remote='link-mtu 1527'
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 [jJbs0] Peer Connection Initiated with 61.160.79.182:46679
Sat Sep 22 19:44:31 2007 jJbs0/61.160.79.182:46679 MULTI: Learn: 10.97.0.46 -> jJbs0/61.160.79.182:46679
Sat Sep 22 19:44:31 2007 jJbs0/61.160.79.182:46679 MULTI: primary virtual IP for jJbs0/61.160.79.182:46679: 10.97.0.46
Sat Sep 22 19:44:31 2007 jJbs0/61.160.79.182:46679 PUSH: Received control message: 'PUSH_REQUEST'
Sat Sep 22 19:44:31 2007 jJbs0/61.160.79.182:46679 SENT CONTROL [jJbs0]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,route 172.18.0.0 255.255.0.0 net_gateway,route 240.39.240.0 255.255.255.0 net_gateway,route 10.97.0.0 255.255.0.0,ping 10,ping-restart 60,ifconfig 10.97.0.46 10.97.0.45' (status=1)
Sat Sep 22 19:44:32 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 96
Sat Sep 22 19:44:37 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 96
Sat Sep 22 19:44:51 2007 jJbs0/61.160.79.182:46679 3 variation(s) on previous 20 message(s) suppressed by --mute
Sat Sep 22 19:44:51 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:02 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:12 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:22 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:32 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:42 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:52 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:46:02 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:46:12 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42

It seems ovpn can't support LZO compression?

ovpn also can't support the UDP protocol!
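
Added example (not part of the original posts, and not MikroTik or OpenVPN project code): a small Python triage script for a server log like the one quoted above. It flags peers where the comp-lzo option-mismatch warning is followed by "Bad LZO decompression header byte" errors, the pattern seen when only one side has compression enabled. The sample log lines, the address 192.0.2.10 and the user name client1 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the server log quoted above
# (documentation address 192.0.2.10, made-up user name "client1").
SAMPLE_LOG = """\
Sat Sep 22 19:44:31 2007 192.0.2.10:46679 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1528', remote='link-mtu 1527'
Sat Sep 22 19:44:31 2007 192.0.2.10:46679 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sat Sep 22 19:44:31 2007 192.0.2.10:46679 [client1] Peer Connection Initiated with 192.0.2.10:46679
Sat Sep 22 19:44:32 2007 client1/192.0.2.10:46679 Bad LZO decompression header byte: 96
Sat Sep 22 19:44:51 2007 client1/192.0.2.10:46679 Bad LZO decompression header byte: 42
"""

Q = "['\u2018\u2019]"  # straight or typographic quotes (pasted logs often get re-quoted)
PEER = r"(?:\S+/)?(\d{1,3}(?:\.\d{1,3}){3}:\d+)"  # optional "user/" prefix, then ip:port
MISSING = re.compile(PEER + r" WARNING: " + Q + r"([\w-]+)" + Q
                     + r" is present in (local|remote) config but missing in")
INCONSISTENT = re.compile(PEER + r" WARNING: " + Q + r"([\w-]+)" + Q + r" is used inconsistently")
BAD_LZO = re.compile(PEER + r" Bad LZO decompression header byte: (\d+)")


def analyze(log_text):
    """Return {peer: {"missing": {option: side}, "inconsistent": [options], "bad_lzo": count}}."""
    peers = defaultdict(lambda: {"missing": {}, "inconsistent": [], "bad_lzo": 0})
    for line in log_text.splitlines():
        if m := MISSING.search(line):
            peers[m.group(1)]["missing"][m.group(2)] = m.group(3)
        elif m := INCONSISTENT.search(line):
            peers[m.group(1)]["inconsistent"].append(m.group(2))
        elif m := BAD_LZO.search(line):
            peers[m.group(1)]["bad_lzo"] += 1
    return dict(peers)


def compression_mismatch(report):
    """Peers where comp-lzo is set on one side only AND packets failed LZO decoding."""
    return sorted(p for p, r in report.items()
                  if "comp-lzo" in r["missing"] and r["bad_lzo"] > 0)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for peer in compression_mismatch(rep):
        r = rep[peer]
        print(f"{peer}: comp-lzo only in {r['missing']['comp-lzo']} config, "
              f"{r['bad_lzo']} packets rejected by the LZO layer")
```

The tunnel in such a log comes up and authenticates normally; only the per-packet errors after "Peer Connection Initiated" show that no data is getting through.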

Hi,
How do I generate good certificates for OpenVPN on MT 3.0?
I created certificates for OpenVPN on a Linux box and they worked fine (based on the OpenVPN howto page).
In MT, when I tried to enable the OpenVPN client interface with the selected cert, I got an error:
couldn’t add new interface - no ceritificate found (6).
Is there any special method to generate certs for MT’s ovpn?

Peter

Import those certificates and decrypt them (/certificate menu); after that, specify them in the OpenVPN configuration.

OK, the .key file was missing to decrypt.

It is working now.

thank you
Peter

wsgtrsys: How do you get OpenVPN to use usernames & passwords?
Currently I also have a working setup on FreeBSD for existing clients; however, MT forces you to enter a username,
and I don't use usernames/passwords on my OpenVPN server, only certificates.


Thank You!

thavinci, I'm trying the same: ovpn without name & password, only with certificates.
Please let me know if you find out how.

I just found out MT doesn’t support that yet…
:cry:

Does anybody have an idea if MikroTik is working on adding support for lzo-comp and using the UDP protocol? If so, when will it be available?

We have a client that needs to connect to a Linux server with lzo-comp. We can establish a connection, but if you try to communicate with the server it just replies with no route. It seems the communication level is broken.

Thanks

RouterOS OpenVPN does not support LZO and UDP, and most likely support for them will not be added in the near future.

How come?! It seems there is a need!

Thanks.

And it looks like I'll have to set up an external OpenVPN server… :confused:

If you need UDP you can use L2TP tunnels.

That doesn’t solve the problem.

We are currently using a Unix VPN server and do not intend to change, and we are too far down the line to change the setup of OpenVPN.

Also we get the best performance out of the setup as is.


Just interested in why MT won’t support these features long term.

I really think MT should address the problem. We were under the impression ROS can support ovpn. As far as I am concerned, lzo-comp is a standard used often on Linux machines. So the need to incorporate it into ROS does exist.

Unfortunately we have to read the fine print, and the manual. MikroTik's position on this is: they added OpenVPN TCP support because it could get through proxies and firewalls easily, and if we want UDP, use L2TP because their version doesn't utilize the IP-SEC Auth portion, and is UDP only. They are focusing on other features, and OpenVPN UDP support is not a priority and most likely won't be in ROS 4.

I didn't even think to ask about LZO compression; now that I know it's not in, that makes it even more crippled.

The only recourse I got from them to remedy this is to vote the feature in via the Wiki, so if you want it, please go to the wiki and vote it in. Otherwise you can build an OpenVPN box from BSD/Linux, or you can use PFSense like I do for OpenVPN.

Apologies for the extremely slow response!

Been busy :stuck_out_tongue:

Could you post the link to the section where one can vote on these features?


Thanks

http://wiki.mikrotik.com/wiki/MikroTik_RouterOS/Feature_Requests

There it is.

ThankX Mate.

RouterOS OpenVPN does not support LZO and UDP, and most likely support for them will not be added in the near future.

Has this by any chance been done yet?



Regards