OVPN problem

steinbergs · May 24, 2017, 9:37am

HI! I configured OpenVPN on my Mikrotik ROS v6.39.1.
From my Linux PC everything works fine, but I can’t connect from any windows machine.
Can someone help me with this?

I configured the server as in this tutorial: https://wiki.mikrotik.com/wiki/OpenVPN

OpenVPN config:

proto tcp-client

remote xxx.xxx.xxx.xxx 1194
dev tap

nobind
persist-key

tls-client
ca cert_export_myCa.crt
cert cert_export_client1.crt
key cert_export_client1.key
ping 10
verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg

Windows OpenVPN error:

Wed May 24 12:23:29 2017 Re-using SSL/TLS context
Wed May 24 12:23:29 2017 Control Channel MTU parms [ L:1655 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Wed May 24 12:23:29 2017 Data Channel MTU parms [ L:1655 D:1450 EF:123 EB:411 ET:32 EL:3 ]
Wed May 24 12:23:29 2017 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Wed May 24 12:23:29 2017 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Wed May 24 12:23:29 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Wed May 24 12:23:29 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed May 24 12:23:29 2017 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Wed May 24 12:23:29 2017 MANAGEMENT: >STATE:1495617809,TCP_CONNECT,,,,,,
Wed May 24 12:23:30 2017 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
Wed May 24 12:23:30 2017 TCP_CLIENT link local: (not bound)
Wed May 24 12:23:30 2017 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Wed May 24 12:23:30 2017 MANAGEMENT: >STATE:1495617810,WAIT,,,,,,
Wed May 24 12:23:30 2017 MANAGEMENT: >STATE:1495617810,AUTH,,,,,,
Wed May 24 12:23:30 2017 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=13a15ddb c66496d7
Wed May 24 12:23:31 2017 VERIFY OK: depth=1, CN=myCa
Wed May 24 12:23:31 2017 VERIFY KU OK
Wed May 24 12:23:31 2017 Validating certificate extended key usage
Wed May 24 12:23:31 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed May 24 12:23:31 2017 VERIFY EKU OK
Wed May 24 12:23:31 2017 VERIFY OK: depth=0, CN=server
Wed May 24 12:23:32 2017 Connection reset, restarting [0]
Wed May 24 12:23:32 2017 TCP/UDP: Closing socket
Wed May 24 12:23:32 2017 SIGUSR1[soft,connection-reset] received, process restarting
Wed May 24 12:23:32 2017 MANAGEMENT: >STATE:1495617812,RECONNECTING,connection-reset,,,,,
Wed May 24 12:23:32 2017 Restart pause, 5 second(s)

matiaszon · May 24, 2017, 9:54am

It would be good to know your OVPN settings on MikroTik…

steinbergs · May 24, 2017, 10:18am

/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=default-encryption enabled=yes \
    require-client-certificate=yes
/ppp profile
set *0 change-tcp-mss=default use-encryption=required
set *FFFFFFFE local-address=192.168.99.55 remote-address=pool1
/ppp secret
add name=asdasd password=asdasd profile=default-encryption service=ovpn

Mikrotik error:

13:16:19 echo: ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping

matiaszon · May 24, 2017, 11:20am

Your server settings seem to be fine. I have also set up:
port=1194
mode=ip
netmask=24
mac-address+my_real_mac_address
max-mtu=1500
keep-alive-timeout=60

Don’t worry about the error - it appears even if everything works good.

Here are my settings on Windows 10 & OpenVPN GUI v10 (which version you use?).
You may try to change “tap” to “tun”.

client
dev tun
proto tcp-client
remote xxx.xxx.xxx.xxx
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca CA.crt
cert cert.crt
key cert.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
;redirect-gateway def1

steinbergs · May 24, 2017, 12:10pm

I tried your config bur I get a Fatal TLS error (check_tls_errors_co), restarting

Wed May 24 14:59:17 2017 OpenVPN 2.4.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 11 2017
Wed May 24 14:59:17 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Wed May 24 14:59:17 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.10
Wed May 24 14:59:18 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx
Wed May 24 14:59:18 2017 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Wed May 24 14:59:19 2017 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
Wed May 24 14:59:19 2017 TCP_CLIENT link local: (not bound)
Wed May 24 14:59:19 2017 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Wed May 24 15:00:19 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 24 15:00:19 2017 TLS Error: TLS handshake failed
Wed May 24 15:00:19 2017 Fatal TLS error (check_tls_errors_co), restarting
Wed May 24 15:00:19 2017 SIGUSR1[soft,tls-error] received, process restarting

steinbergs · May 24, 2017, 12:38pm

matiaszon
Problem solved! Your config helpt me, just had to add my ‘secret’ file!

client
dev tun
proto tcp-client
remote 1.2.3.4
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca cert_export_myCa.crt
cert cert_export_client1.crt
key cert_export_client1.key
[b]auth-user-pass auth.cfg[/b]

matiaszon · May 25, 2017, 10:14pm

You better hide your public IP and change your username and password…