dev tun
proto udp
remote <server IP> 1433
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
<Removed for the server owner security>
-----END CERTIFICATE-----
</ca>
###############################################################################
# Client certificate and key.
#
# A pair of client certificate and private key is required in case you want to
# use the certificate authentication.
#
# To enable it, uncomment the lines below.
# Paste your certificate in the <cert> block and the key in the <key> one.
<cert>
-----BEGIN CERTIFICATE-----
<Removed for the server owner security>
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
<Removed for the server owner security>
-----END PRIVATE KEY-----
</key>
In Windows, it works fine with the OpenVPN client,
but it won't in the MikroTik... also, it wouldn't even establish the connection until I upgraded RouterOS to 7.x to allow UDP connections.
I'm using Winbox... and I'm doing:
** NOTE: I cannot understand the details of the OVPN file
PPP -> Profile -> Add Profile:
General
Name: ovpn...
bridge learning: default
Change TCP MSS: default
Protocols
IP v6: no
MPLS: no
Compression: no
Encryption: yes
System -> Certificates -> Certificates -> import:
name: ovpn...
(it does contain the three keys as I put above)
passphrase:
Interface -> ADD OVPN:
General
Name: ovpn-out1
Dial Out
Connect To:
Port: 1433
Mode: ip
Protocol: udp
User & Pass:
Profile: ovpn...
Certificate: ovpn...
Verify Server Certificate: false
TLS Version: any
Auth: SHA1
Cipher: AES 128
Use Peer DNS: yes
Add Default Route: false
It says: status: link established... but it won't change to connected...
Device Logs:
Topics | Message
ovpn, info | initializing ...
ovpn, info | connecting ...
ovpn, info | disconnected
ovpn, info | terminating ... could not negotiate TLS in time
ovpn, info | disconnected
There’s nothing clearly incompatible. How about certificates? After importing them, you should have two: one with the T flag (trusted) without a key, and another also with the K flag (has private key). In the OVPN client, did you select the one with the key?
You should also have Verify Server Certificate enabled, but it’s not breaking the connection if not.
The first time, I imported it from the *.ovpn file...
The second time, I separated each cert section into its own file...
then imported them manually...
all merged into one file even though I chose different names for them...
The cert contained the code: KAT
EDIT:
An hour ago I updated to 7.6rc3
and I noticed the improvement in certificate management.
So I deleted the certificate and tried to reimport... it didn't create the certificate for it...
You have three things (two certificates and one key):
- certificate of CA (certificate authority) that issues other certificates, you need this for Verify Server Certificate option to work
- your client certificate, this is presented to server, so that it can verify that you have access; this is the one that you must select in OVPN client; did you do this?
- key for your certificate
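Assuming the three pieces are to be imported one by one, as the reply above describes, here is an added example (not from the thread, MikroTik or SoftEther) that splits an .ovpn file into its CA, client certificate and key files and checks that the key belongs to the certificate and the certificate chains to the CA; the file names and the placeholder PEM content are constructed:

```shell
#!/bin/sh
# Added example, not from the thread: split the inline <ca>/<cert>/<key>
# blocks of an .ovpn file into separate PEM files (one per RouterOS import)
# and check that the key matches the client cert and the cert chains to the CA.
# All file names and the sample content below are constructed placeholders.

# Copy the lines between <tag> and </tag> of an .ovpn file into a PEM file.
extract_block() {
    awk -v otag="<$2>" -v ctag="</$2>" '
        $0 == ctag { inside = 0 }
        inside     { print }
        $0 == otag { inside = 1 }' "$1" > "$3"
    # Refuse an empty or truncated block: both PEM markers must be present.
    grep -q '^-----BEGIN ' "$3" && grep -q '^-----END ' "$3"
}

# Write <prefix>-ca.pem, <prefix>-cert.pem and <prefix>-key.pem.
split_ovpn() {
    extract_block "$1" ca   "$2-ca.pem"   &&
    extract_block "$1" cert "$2-cert.pem" &&
    extract_block "$1" key  "$2-key.pem"
}

# Does the private key belong to the client cert, and is the cert signed by
# the CA? (The CA is also what "Verify Server Certificate" relies on.)
check_pair() {
    cert_pub=$(openssl x509 -in "$1-cert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1-key.pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert" >&2; return 1; }
    openssl verify -CAfile "$1-ca.pem" "$1-cert.pem" >/dev/null
}

# Constructed sample .ovpn with placeholder PEM bodies (not real key material).
make_sample() {
    printf '%s\n' 'client' 'dev tun' \
        '<ca>' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' \
        '-----END CERTIFICATE-----' '</ca>' \
        '<cert>' '-----BEGIN CERTIFICATE-----' 'CERT-PLACEHOLDER' \
        '-----END CERTIFICATE-----' '</cert>' \
        '<key>' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' \
        '-----END PRIVATE KEY-----' '</key>' > "$1"
}

# Usage: make_sample client.ovpn && split_ovpn client.ovpn client && check_pair client
```

After splitting, import the three PEM files separately; the one with the K flag is the client certificate to select in the OVPN client, and the CA is the one to trust for Verify Server Certificate.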
That’s sad, I hope MikroTik works more on their connectivity… but if certificates were the issue, it would throw an error faster and say nothing about negotiating TLS in time; it would just say TLS failed or something…
It won’t help you, but I tried with Linux OpenVPN server and RouterOS client (CHR 7.6), with one self-signed certificate used for everything (server certificate, client certificate), and it worked on first try without any problem.
I don’t know why it doesn’t work for you. Is the server yours or someone else’s? If yours, can you share how exactly you created certificate (or certificates in case server has different one)? Maybe it’s something related to that, even though it wouldn’t explain why only RouterOS has problem with it.
It’s for the company I work for, and I do not have access to the direct creator… and even if I did, I’m not sure, due to the recent conditions in my country; we have many options when running a VPN, as many people are cut off from the internet.
BTW, thank you very much for reading all my posts and staying to debug the issue.
Doing it in your country certainly doesn’t help. I don’t know any details, but if they try to block VPNs, maybe that might be it. It shouldn’t be, when it works with Windows client, but RouterOS has own implementation of OpenVPN protocol, so perhaps there could be some tiny difference that doesn’t affect how it works, but might produce some difference that blocking could pick on. Not knowing about protocol details, I can’t tell how likely it is.
It could be tested if you’d have unfiltered access to server, e.g. if it’s in company office, you could try to connect from internal network, and you’d see if it works or not.
Other than that, you could try to run your own SoftEther VPN Server (that’s the software used on server) and test if router is able to connect to that. That would tell you if there’s perhaps some incompatibility. But it can also depend on some options, so unless you’d know exactly what the real server uses, it wouldn’t be enough proof.
Well, we work remotely, that’s why the company provides such a server, and after a recent accident everything is getting blocked, including all proxies and VPNs… with few exceptions that hardly work. The good thing is the server is inside the country and is not checked, while it is placed in a datacenter which provides access to the outside without passing through a filtering system, or that thought version of it.
I have the same problem. I tried everything and am still stuck at LINK ESTABLISHED.
I think the problem is with the VPN server, because my MikroTik connects to another VPN server, but no traffic passes through it.
Sorry for my English!