Model: CCR1009-7G-1C-1S+
Firmware type: tilegx
Current Firmware: 7.15.2
According to the latest information: https://help.mikrotik.com/docs/display/ROS/OpenVPN#OpenVPN-Limitations
OVPN client supports tls authentication. The configuration of tls-auth can be added only by importing .ovpn configuration file. Using tls-auth requires that you generate a shared-secret key, this key should be added to the client configuration file .ovpn.
key-direction 1
#2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
I successfully loaded ovpn configuration:
config ‘ovpn-import1721152276’ was imported successfully
ovpn client configuration:
client
proto udp
explicit-exit-notify
remote xxx 1195
dev tune
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-GCM
tls-client
tls-version-min 1.2
tun-mtu 1500
verb 5
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
key-direction 1
#2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
When connecting I get an error:
ovpn-import1721152276: disconnected <TLS error: handshake timed out (6)>
ovpn-import1721152276: terminating… - TLS error: handshake timed out (6)
ovpn-import1721152276: disconnected
ovpn-import1721152276: initializing…
ovpn-import1721152276: connecting…
ovpn-import1721152276: terminating…
So the question is: why the error?
P.S. I'm trying to use a public server, therefore I can’t change the server side.
In the meantime, check that you have correctly set the MTU on the WAN interface.
I have the same problem on C53UiG+5HPaxD2HPaxD, firmware 7.15.3.
Has anyone from Mikrotik Team responded to that?
I’ve imported the OVPN file to Mikrotik from the command line (as per https://help.mikrotik.com/docs/display/ROS/OpenVPN#OpenVPN-OVPNClient ).
It is connecting and, in the log, giving the same error: handshake timeout (6).
I have the same on RB962UiGS-5HacT2HnT with RouterOS 7.15.3.
Loading the file into OpenVPN on Windows 11 works perfectly fine.
The article said “Using tls-auth requires that you generate a shared-secret key, this key should be added to the client configuration file .ovpn”. Where can I get or generate this shared-secret file? It is Nordsec or Proton VPNs… and again - all working fine on Windows…
hideme VPN works perfectly fine with User Certificate (ca+user public key+user private key imported and assigned in ovpn client profile) but without TLS auth stuff…
I also can’t configure OpenVPN on Mikrotik hAP ac RB962UiGS-5HacT2HnT (mipsbe).
I tried different firmware from 7.16.2 to 7.18.2 (stable).
Router logs:
Mikrotik disconnected <TLS error: handshake timed out (6)>
Server logs:
$ tail -f /var/log/openvpn/openvpn.log
tls-crypt unwrap error: packet too short
TLS Error: tls-crypt unwrapping failed from [AF_INET]92.238.16.3:13217
…lines appear every second.
The problem is popular, but no solution could be found.
I connect from ancient Asus and Kinetic; from new iOS, Android, Windows, MacOS - it works great everywhere.
Server version OpenVPN 2.4.12 x86_64-redhat-linux-gnu built on Nov 10 2023
Import config.ovpn of course does not work. I did not understand how to import a tls-crypt (tc.key) certificate to Mikrotik.
The client certificate and key have been imported and the status is “KT” (private key, trusted).
Working [ClientConfig.ovpn]
dev tun
client
proto udp
explicit-exit-notify 1
remote vpn.server.ru 12345
resolv-retry infinite
nobind
tls-client
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
verb 3
pull
user openvpn
group openvpn
persist-key
persist-tun
explicit-exit-notify
tun-mtu 1420
<ca>
-----BEGIN CERTIFICATE-----
XXXXXX
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
XXXXXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
XXXXXX
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
XXXXXX
-----END OpenVPN Static key V1-----
</tls-crypt>


ver 7.16.2
I found a solution with great difficulty: first I imported the certificate and the client key, the root certificate, then I imported the .ovpn config ignoring the built-in certificates and lo and behold, it worked! When will all the necessary parameters for .ovpn, which RouterOS supports, appear in the web interface?! =)
PS: Words cannot describe how much my eyes hurt from the new 7.17+ web interface! I don’t use WinBox or Windows OS, and the new RouterOS web interface is pain and humiliation…
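Added example (not part of any post in this thread, and not MikroTik or OpenVPN code): a small Python check that reads an .ovpn profile and reports whether it expects tls-auth, tls-crypt or tls-crypt-v2 on the control channel. The documentation quoted in the first post mentions tls-auth, while the later profile carries an inline <tls-crypt> block and its server logged "tls-crypt unwrap error". The function names and the sample profile are constructed for illustration.

```python
import re

# Constructed sample profile; key material replaced by placeholders.
SAMPLE = """\
client
proto udp
remote vpn.example.test 1194
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
"""
WRAP_MODES = ("tls-auth", "tls-crypt", "tls-crypt-v2")

def parse_ovpn(text):
    """Split a profile into {directive: [args]} and {inline_block: body}."""
    directives, blocks, current, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current:  # inside <name> ... </name>: collect until the closing tag
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        opening = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if opening:
            current = opening.group(1)
        elif line and not line.startswith(("#", ";")):
            name, *args = line.split()
            directives[name] = args
    if current:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks

def control_channel_wrap(text):
    """Return the control-channel wrapping the profile expects, or None."""
    directives, blocks = parse_ovpn(text)
    found = [m for m in WRAP_MODES if m in directives or m in blocks]
    if len(found) > 1:
        raise ValueError(f"conflicting wrap modes: {found}")
    return found[0] if found else None
```

Running `control_channel_wrap` on a provider's profile before importing it shows up front whether the server expects tls-crypt rather than the tls-auth named in the documentation quote.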