OVPN on ROS 6.6

yaruko · December 16, 2013, 7:47am

Hi everyone,

I’d like to ask for help with OVPN on the current Router OS 6.6. I’ve create a CA, server and client certificates according to easy-rsa scripts provided with ovpn client packages, uploaded and import ca and server certificates to RB450G as cert_20 (server with private key - KT) and cert_21 (ca cert - T), configured Routerboard as follow:

/ppp profile add local-address=192.168.2.1 name=ovpn-cfg-vpn remote-address=adr-vpn
/interface ovpn-server server set certificate=cert_20 cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn-cfg-vpn enabled=yes
/ppp secret add name=test password=test profile=ovpn-cfg-vpn service=ovpn

and windows client as follow:

dev tap
remote 192.168.2.1 1194
proto tcp-client
tls-client
ca ca.crt
key user.key
cert user.crt
dh dh2048.pem
auth-user-pass
pull
nobind
persist-key
resolv-retry infinite
verb 4

every connection attempt results connection reset:

Mon Dec 16 08:38:40 2013 us=382249 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Enter Management Password:
Mon Dec 16 08:38:40 2013 us=385249 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Mon Dec 16 08:38:40 2013 us=385249 Need hold release from management interface, waiting...
Mon Dec 16 08:38:40 2013 us=810274 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Mon Dec 16 08:38:40 2013 us=910279 MANAGEMENT: CMD 'state on'
Mon Dec 16 08:38:40 2013 us=910279 MANAGEMENT: CMD 'log all on'
Mon Dec 16 08:38:41 2013 us=21286 MANAGEMENT: CMD 'hold off'
Mon Dec 16 08:38:41 2013 us=23286 MANAGEMENT: CMD 'hold release'
Mon Dec 16 08:38:41 2013 us=24286 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Dec 16 08:38:41 2013 us=383306 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Dec 16 08:38:41 2013 us=383306 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Dec 16 08:38:41 2013 us=383306 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
Mon Dec 16 08:38:41 2013 us=383306 Local Options String: 'V4,dev-type tap,link-mtu 1575,tun-mtu 1532,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Dec 16 08:38:41 2013 us=383306 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1575,tun-mtu 1532,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Dec 16 08:38:41 2013 us=383306 Local Options hash (VER=V4): '10f35004'
Mon Dec 16 08:38:41 2013 us=383306 Expected Remote Options hash (VER=V4): 'a917298a'
Mon Dec 16 08:38:41 2013 us=383306 Attempting to establish TCP connection with [AF_INET]192.168.2.1:1194
Mon Dec 16 08:38:41 2013 us=383306 MANAGEMENT: >STATE:1387179521,TCP_CONNECT,,,
Mon Dec 16 08:38:41 2013 us=386307 TCP connection established with [AF_INET]192.168.2.1:1194
Mon Dec 16 08:38:41 2013 us=386307 TCPv4_CLIENT link local: [undef]
Mon Dec 16 08:38:41 2013 us=386307 TCPv4_CLIENT link remote: [AF_INET]192.168.2.1:1194
Mon Dec 16 08:38:41 2013 us=386307 MANAGEMENT: >STATE:1387179521,WAIT,,,
Mon Dec 16 08:38:41 2013 us=387307 Connection reset, restarting [-1]
Mon Dec 16 08:38:41 2013 us=387307 TCP/UDP: Closing socket
Mon Dec 16 08:38:41 2013 us=387307 SIGUSR1[soft,connection-reset] received, process restarting
Mon Dec 16 08:38:41 2013 us=387307 MANAGEMENT: >STATE:1387179521,RECONNECTING,connection-reset,,
Mon Dec 16 08:38:41 2013 us=387307 Restart pause, 5 second(s)
Mon Dec 16 08:38:43 2013 us=387421 SIGTERM[hard,init_instance] received, process exiting
Mon Dec 16 08:38:43 2013 us=387421 MANAGEMENT: >STATE:1387179523,EXITING,init_instance,,

I’ve tried with enabled and disabled option ‘require client certificate’, with client over nat, client with public ip address and the simplest one - private ip connecting from LAN. Every attempt without result. Firewall is disabled. Certificate were generated on OpenSSL v1.0.1e library (the current one), ovpn client is newest available (v2.3.2).
SSTP tunnels with ca certificate works like a charm.

What I’m missing ?
Maybe there’s a ovpn debug option in Mikrotik to get more info about remote connection attempts ?

mrz · December 16, 2013, 10:35am

According to your exported config server is in “tunnel” mode, but client is “tap”

yaruko · December 17, 2013, 7:26am

Thanks for answer. I tried both tun and tap configurations without results.
Today I’ve found solution which was upgrade to v6.7 because the certificate bug in 6.6. Now I can establish vpn connection but only on blowfish 128. Do you have any advice how to setup aes256/sha1 encryption ? I got ‘unsupported cipher’ log.