OVPN Server with ROS 4.11

Hello everybody,
sorry for posting just another topic today, but I need to solve a few issues / questions that I kind of delayed for weeks. That’s why I’m working on a few problems today :slight_smile:
So here is the deal: I tried to set up openvpn server as described here: http://wiki.mikrotik.com/wiki/OpenVPN
There were a few steps which looked a little confusing or mixed up to me, for example the LAN and IP settings, but anyway.
All I want is a “simple” client to site VPN, windows users using openvpn-gui to connect to the MT, to be able to get into the company VPN behind it.

Here is what I did:

  1. Importing server.crt, server.key and ca.crt
  2. Setting up a dhcp pool for vpn users in the same subnet, but different IPs
  3. adding ppp profile
  4. adding vpn user (is this necessary when working with certs?)
  5. configuring the ovpn server
  6. adjusting the firewall.

The corresponding configuration:

[admin@MikroTik] /certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
 0 KR name="cert1" subject=C=DE,CN=SERVER issuer=C=DE,CN=CA serial-number="01" invalid-before=may/30/2011 14:08:55 invalid-after=may/27/2021 14:08:55 ca=yes
 1  D name="cert2" subject=C=DE,CN=CA issuer=C=DE,CN=CA serial-number="F76D22FA20DE048E" invalid-before=may/30/2011 14:08:02 invalid-after=may/27/2021 14:08:02 ca=yes

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.20
add name=vpnpool ranges=192.168.88.100-192.168.88.111

/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default use-compression=default use-encryption=default use-vj-compression=default
add change-tcp-mss=default comment=vpn local-address=192.168.88.1 name=ovpn only-one=default remote-address=vpnpool use-compression=default use-encryption=required use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption only-one=default use-compression=default use-encryption=yes use-vj-compression=default

/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=CLIENT password=test03 profile=default routes="" service=ovpn

/interface ovpn-server server
set auth=sha1,md5 certificate=cert1 cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn enabled=yes keepalive-timeout=disabled mac-address=FE:3E:BD:49:C8:70 max-mtu=1500 mode=ip netmask=29 port=1194 \
    require-client-certificate=no

/ip firewall filter
add action=accept chain=input comment=OpenVPN disabled=no dst-port=1194 protocol=tcp

That’s what I get on the MT:

18:56:28 ovpn,info <ovpn-0>: dialing... 
18:56:31 ovpn,info <ovpn-0>: using encoding - BF-128-CBC/SHA1 
18:56:36 ovpn,info TCP connection established from 192.168.2.112 
18:56:36 ovpn,info <ovpn-0>: dialing... 
18:56:40 ovpn,info <ovpn-0>: using encoding - BF-128-CBC/SHA1 
18:56:45 ovpn,info TCP connection established from 192.168.2.112 
18:56:45 ovpn,info <ovpn-0>: dialing...

That’s what I get on the client:

Mon May 30 17:45:26 2011 us=906000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon May 30 17:45:26 2011 us=906000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon May 30 17:45:26 2011 us=906000 Re-using SSL/TLS context
Mon May 30 17:45:26 2011 us=906000 LZO compression initialized
Mon May 30 17:45:26 2011 us=906000 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon May 30 17:45:26 2011 us=906000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon May 30 17:45:26 2011 us=906000 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Mon May 30 17:45:26 2011 us=906000 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon May 30 17:45:26 2011 us=906000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon May 30 17:45:26 2011 us=906000 Local Options hash (VER=V4): '69109d17'
Mon May 30 17:45:26 2011 us=906000 Expected Remote Options hash (VER=V4): 'c0103fa8'
Mon May 30 17:45:26 2011 us=906000 Attempting to establish TCP connection with 192.168.2.2:1194
Mon May 30 17:45:26 2011 us=906000 TCP connection established with 192.168.2.2:1194
Mon May 30 17:45:26 2011 us=906000 TCPv4_CLIENT link local: [undef]
Mon May 30 17:45:26 2011 us=906000 TCPv4_CLIENT link remote: 192.168.2.2:1194
Mon May 30 17:45:26 2011 us=906000 TLS: Initial packet from 192.168.2.2:1194, sid=964fd4eb 3cdfa088
Mon May 30 17:45:29 2011 us=93000 VERIFY OK: depth=1, /C=DE/CN=CA
Mon May 30 17:45:29 2011 us=109000 VERIFY OK: depth=0, /C=DE/CN=SERVER
Mon May 30 17:45:30 2011 us=828000 Connection reset, restarting [0]
Mon May 30 17:45:30 2011 us=828000 TCP/UDP: Closing socket
Mon May 30 17:45:30 2011 us=828000 SIGUSR1[soft,connection-reset] received, process restarting
Mon May 30 17:45:30 2011 us=828000 Restart pause, 5 second(s)

Any ideas what’s wrong?

My experience is that OpenVPN doesn’t work properly on ROS releases up to and including 5.2. If you read the posts you will see a lot of discussions ending with a suggestion to turn off openvpn. Not only is it buggy but it causes problems for other services and winbox in certain versions.

It may appear to be working, but would stop in hours or days and you would need to restart the router to get it working again. This is what seems to be happening to you too.

I was however surprised to see openvpn working well in 5.3 … and if you look at the changelog, it shows that they indeed fixed something.

Other openvpn problems still linger … like the difficulty in setting the default route in non-ros openvpn clients, but those can be overcome.

GL

Thanks for your information.
Perhaps I’ll use L2TP then, although that seems to be a little problematic as well. I don’t want any solution that includes a lot of administration on the clients, since I’m not able to configure all clients. And it’s always difficult to explain to a customer why he has to change several settings manually to be able to connect to our servers (like changing IPsec policy rules in Windows XP).

I have client to network OpenVPN working perfectly on a RB750G (v4.11) and a RB1100 (v4.15).

I can’t be sure what your problem is, but I see some differences from my configuration.

/interface ovpn-server server
set auth=sha1 certificate=cert1 cipher=\
    blowfish128,aes128,aes192,aes256 default-profile=ovpn-in enabled=yes \
    keepalive-timeout=30 mac-address=AA:BB:CC:DD:EE:FF max-mtu=1500 mode=\
    ethernet netmask=24 port=1194 require-client-certificate=yes

I found that the keepalive-timeout was necessary. My mode is set to ethernet for bridge configuration and my IP pool is the same one used for local clients. Your IP pool is on the same subnet, which should be a bridge (layer 2 communication). Your mode is IP, which should be for a routed configuration, and your addresses in that mode should be on different subnets.

In bridge mode, I needed to create an interface for each OpenVPN user and then add those interfaces to the bridge that includes the local ethernet port(s).

There could be other settings that are wrong. It took me a while to get mine working.

I am having an odd issue with OpenVPN also. I would like to use OpenVPN to bridge 2 Ethernet ports in the same way as Ethernet over IP would work. I have configured the OpenVPN client and server as mode=ethernet and added the interfaces to bridge groups.

When the client connects it complains “could not add address: local address is 0.0.0.0”.

From the docs it looks like Layer 2 VPN between Ethernet ports may not be supported and only Layer 2 simple client access with the server handing out IP addresses is supported.

Can I do Layer 2 VPN over OpenVPN to bridge two LANs or will I have to use EthernetOverIP over OpenVPN for security and to break through firewalls?

Thanks!

When bridging with a PC, the tap interface gets an IP address from the subnet on the other end of the VPN. The layer-2 bridge is on the same subnet while the real NIC on the PC is on a different subnet. If you are trying to bridge two different subnets, they should have different subnet IPs, so you need IP mode for layer-3 routing.
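As an added example (not posted by anyone in this thread), here is what the routed client-to-site layout recommended in the replies above looks like when the original poster's config is corrected: a separate subnet for VPN clients in mode=ip, a keepalive-timeout, and client certificates required instead of password-only logins. All addresses and the password are constructed placeholders; cert1 is the server certificate from the original post.

```routeros
# Added example, not from the thread. Constructed addressing:
# LAN stays 192.168.88.0/24, VPN clients get their own 10.10.10.0/24.
# In mode=ip the router routes between the two, so they must differ
# (the same-subnet pool in the original post only makes sense in mode=ethernet).
/ip pool
add name=vpnpool ranges=10.10.10.2-10.10.10.254

/ppp profile
add name=ovpn local-address=10.10.10.1 remote-address=vpnpool \
    use-encryption=required change-tcp-mss=yes

# A secret is still consulted for the username/password step even when
# client certificates are required; the password is a placeholder.
/ppp secret
add name=CLIENT password=CHANGEME profile=ovpn service=ovpn

/interface ovpn-server server
set enabled=yes port=1194 mode=ip netmask=24 certificate=cert1 \
    default-profile=ovpn auth=sha1 cipher=aes256 \
    keepalive-timeout=30 require-client-certificate=yes

# Admit only the TCP control/data channel the server above listens on.
/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept comment=OpenVPN
```

The MITM warning at the top of the client log remains until the client config pins the server's role (for OpenVPN 2.1, `remote-cert-tls server`), which only works if the server certificate carries the matching key-usage extensions; whether cert1 does is not shown in the thread.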