OVPN Connection fails

Hi
I'm trying to set up an OVPN connection on RouterOS, but the connection fails all the time.
I've been working on it for 48 hours and it seems unsolvable to me!

I tried the OVPN client on Windows and the OVPN client on another RouterOS, and it's unsuccessful on both.

I tried every possible way that came to my mind.

  • creating multiple certificates
  • checking and unchecking options on server config
  • changing client config file
  • trying different versions of OVPN client software on Windows
  • and so on...

But as I said, even a MikroTik router as client can't connect to the server, so the problem isn't the client software or the Windows config file. It seems something more general.

My server config:

/interface ovpn-server server
set certificate=server-template cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=vpn enabled=yes port=80 require-client-certificate=yes

Server log:

19:00:23 ovpn,info TCP connection established from Y.Y.Y.Y 
19:00:23 ovpn,info OVPN: TCP connection established from Y.Y.Y.Y 
19:00:23 ovpn,debug,packet OVPN: sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=4ac49dba6da5ea6e pid=0 DATA len=0 
19:00:42 ovpn,debug OVPN: <Y.Y.Y.Y>: disconnected <could not negotiate TLS in time>

OVPN client config file on Windows:

client
dev tun
proto tcp-client
remote X.X.X.X
port 80
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca ca-template.crt
cert client-template.crt
key client-template.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret.txt
auth-nocache
;redirect-gateway def1

OVPN client log on Windows:

Tue Dec 31 18:53:13 2019 Restart pause, 10 second(s)
Tue Dec 31 18:53:23 2019 Re-using SSL/TLS context
Tue Dec 31 18:53:23 2019 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Tue Dec 31 18:53:23 2019 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Tue Dec 31 18:53:23 2019 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Tue Dec 31 18:53:23 2019 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Tue Dec 31 18:53:23 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]X.X.X.X:80
Tue Dec 31 18:53:23 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 31 18:53:23 2019 Attempting to establish TCP connection with [AF_INET]X.X.X.X:80 [nonblock]
Tue Dec 31 18:53:23 2019 MANAGEMENT: >STATE:1577805803,TCP_CONNECT,,,,,,
Tue Dec 31 18:53:24 2019 TCP connection established with [AF_INET]X.X.X.X:80
Tue Dec 31 18:53:24 2019 TCP_CLIENT link local: (not bound)
Tue Dec 31 18:53:24 2019 TCP_CLIENT link remote: [AF_INET]X.X.X.X:80
Tue Dec 31 18:53:24 2019 MANAGEMENT: >STATE:1577805804,WAIT,,,,,,
Tue Dec 31 18:53:24 2019 MANAGEMENT: >STATE:1577805804,AUTH,,,,,,
Tue Dec 31 18:53:24 2019 TLS: Initial packet from [AF_INET]X.X.X.X:80, sid=44310810 c1ebc1ca
Tue Dec 31 18:53:50 2019 read TCP_CLIENT: Unknown error (code=10060)
Tue Dec 31 18:53:50 2019 Connection reset, restarting [-1]
Tue Dec 31 18:53:50 2019 TCP/UDP: Closing socket
Tue Dec 31 18:53:50 2019 SIGUSR1[soft,connection-reset] received, process restarting
Tue Dec 31 18:53:50 2019 MANAGEMENT: >STATE:1577805830,RECONNECTING,connection-reset,,,,,

And I should say I read other topics related to this problem, but none of them were helpful.

Any ideas would be appreciated …

Did you try another port, to see if something could be interfering? Some nosy firewall, antivirus or whatever. Port 80 is usually http and what you’re sending there definitely won’t look like http.

Yes, I tried it on the default 1194 and even 80 and 443. None of them worked.
I disabled all of the firewall rules and tried, but nothing happened.
I checked all Enc and Auth types on the OVPN server setup.
I played with the CN name and Sign options on the CA and Server certificates to see if it helps.

By the way, this is irrelevant, but I managed to run SSTP and PPTP on this RouterOS easily.

For certificates, you can check either RouterOS way:

https://wiki.mikrotik.com/wiki/Manual:Create_Certificates

I'm sure I tried it in the past and it did work, only it's a good idea to add the correct subject name (subject-alt-name=DNS: or subject-alt-name=IP: if you don't have DNS).

Correct key usage is listed here:

https://openvpn.net/community-resources/how-to/#important-note-on-possible-man-in-the-middle-attack-if-clients-do-not-verify-the-certificate-of-the-server-they-are-connecting-to

Or you can create them with OpenVPN scripts:

https://openvpn.net/community-resources/setting-up-your-own-certificate-authority-ca/
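As an added example (not from this thread or from MikroTik's documentation), here is the "RouterOS way" above written out as a full CA/server/client certificate sequence with the subject-alt-name and key usages the linked OpenVPN note expects; the names MyCA, vpn.example.com, client1 and the passphrase are placeholders.

```routeros
# --- CA: only key-cert-sign and crl-sign, so it cannot pose as a server ---
/certificate add name=ca-template common-name=MyCA key-size=2048 \
    days-valid=3650 key-usage=key-cert-sign,crl-sign
/certificate sign ca-template name=MyCA
# Mark the CA trusted so this router verifies client certificates chained to it
/certificate set MyCA trusted=yes

# --- Server certificate: SAN must match what clients put in "remote";
#     use IP:203.0.113.10 instead of DNS: when there is no DNS name.
#     tls-server (EKU serverAuth) is what "remote-cert-tls server" checks for ---
/certificate add name=server-template common-name=vpn.example.com \
    subject-alt-name=DNS:vpn.example.com key-size=2048 days-valid=1095 \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server-template ca=MyCA name=server

# --- Client certificate: tls-client (EKU clientAuth), one per client ---
/certificate add name=client-template common-name=client1 key-size=2048 \
    days-valid=365 key-usage=digital-signature,key-encipherment,tls-client
/certificate sign client-template ca=MyCA name=client1

# --- Export for the Windows client (files appear under /file as cert_export_*) ---
# CA: public certificate only, no key needed on the client
/certificate export-certificate MyCA export-passphrase=""
# Client: with a passphrase the private key is exported too (encrypted);
#         the OpenVPN client then needs "askpass" or the key decrypted first
/certificate export-certificate client1 export-passphrase=ClientKeyPassphrase

# --- Point the OVPN server at the signed server certificate ---
/interface ovpn-server server set certificate=server require-client-certificate=yes
```

On the client side the ca/cert/key lines then reference cert_export_MyCA.crt, cert_export_client1.crt and cert_export_client1.key, and "remote" must match the SAN (DNS name or IP) given to the server certificate.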

When I didn't manage to run the OVPN server at that point, I removed RouterOS from my VPS and installed Linux, so for now I can't check it out again on a server. But locally on my home router, I managed it. Thanks to you, Sob.
It seems that what you have pointed out is something mandatory.
