Hello,
I'm trying to connect a hAP ac^3 to an OpenVPN. I can see the client authenticated at the server, but then it automatically gets disconnected, showing this in the log:
ovpn-IMDPruebas: initializing...
ovpn-IMDPruebas: connecting...
ovpn-IMDPruebas: disconnected <unsupported auth digest>
ovpn-IMDPruebas: terminating... - unsupported auth digest
I tried with tcp and udp, with the same result.
The OVPN server config is:
local 192.168.1.250
port 1194
proto tcp
dev tun
ca "C:\\Program Files\\OpenVPN\\config-auto\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config-auto\\servidor.crt"
key "C:\\Program Files\\OpenVPN\\config-auto\\servidor.key" # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\config-auto\\dh.pem"
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
script-security 3
auth-user-pass-verify 'C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File "C:\\Program Files\\OpenVPN\\config-auto\\adauth.ps1"' via-file
username-as-common-name
push "dhcp-option DNS 192.168.1.250"
keepalive 10 120
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA256
persist-key
persist-tun
log "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 6
mute 20
explicit-exit-notify 1
The MikroTik OVPN client is:
0 X name="ovpn-IMDPruebas" mac-address=02:1F:8E:9F:DA:CD max-mtu=1500
connect-to=192.168.0.3 port=1194 mode=ip protocol=tcp
user="XXXXXX" password="XXXXXX" profile=default-encryption
certificate=imdoficina verify-server-certificate=yes tls-version=any
auth=sha256 cipher=aes256-gcm use-peer-dns=yes add-default-route=no
route-nopull=yes
The OVPN server says:
OpenVPN CLIENT LIST
Updated,2023-03-24 13:32:09
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
imdoficina,192.168.1.1:32835,2969,2614,2023-03-24 13:31:58
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.3,imdoficina,192.168.1.1:32835,2023-03-24 13:31:59
GLOBAL STATS
Max bcast/mcast queue length,2
END
OpenVPN Server Log:
2023-03-24 14:09:15 us=812000 MULTI: multi_create_instance called
2023-03-24 14:09:15 us=812000 Re-using SSL/TLS context
2023-03-24 14:09:15 us=812000 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-03-24 14:09:15 us=812000 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-03-24 14:09:15 us=812000 TCP connection established with [AF_INET]192.168.1.1:39930
2023-03-24 14:09:15 us=812000 TCPv4_SERVER link local: (not bound)
2023-03-24 14:09:15 us=812000 TCPv4_SERVER link remote: [AF_INET]192.168.1.1:39930
2023-03-24 14:09:15 us=812000 192.168.1.1:39930 TCPv4_SERVER READ [14] from [AF_INET]192.168.1.1:39930: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
2023-03-24 14:09:15 us=812000 192.168.1.1:39930 TLS: Initial packet from [AF_INET]192.168.1.1:39930, sid=7a36cabe 4d0ec405
2023-03-24 14:09:15 us=812000 192.168.1.1:39930 TCPv4_SERVER WRITE [26] to [AF_INET]192.168.1.1:39930: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
2023-03-24 14:09:15 us=828000 192.168.1.1:39930 TCPv4_SERVER READ [22] from [AF_INET]192.168.1.1:39930: P_ACK_V1 kid=0 [ 0 ] DATA len=0
2023-03-24 14:09:15 us=843000 192.168.1.1:39930 TCPv4_SERVER READ [150] from [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=136
2023-03-24 14:09:15 us=843000 192.168.1.1:39930 TCPv4_SERVER WRITE [1222] to [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ 1 0 ] pid=1 DATA len=1192
2023-03-24 14:09:15 us=843000 192.168.1.1:39930 TCPv4_SERVER WRITE [982] to [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ 1 0 ] pid=2 DATA len=952
2023-03-24 14:09:15 us=843000 192.168.1.1:39930 TCPv4_SERVER READ [22] from [AF_INET]192.168.1.1:39930: P_ACK_V1 kid=0 [ 1 ] DATA len=0
2023-03-24 14:09:15 us=875000 192.168.1.1:39930 NOTE: --mute triggered...
2023-03-24 14:09:16 us=109000 192.168.1.1:39930 4 variation(s) on previous 20 message(s) suppressed by --mute
2023-03-24 14:09:16 us=109000 192.168.1.1:39930 VERIFY OK: depth=1, CN=CA
2023-03-24 14:09:16 us=109000 192.168.1.1:39930 VERIFY OK: depth=0, CN=imdoficina
2023-03-24 14:09:16 us=109000 192.168.1.1:39930 TCPv4_SERVER WRITE [89] to [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ 3 2 1 0 ] pid=3 DATA len=51
2023-03-24 14:09:16 us=109000 192.168.1.1:39930 TCPv4_SERVER READ [22] from [AF_INET]192.168.1.1:39930: P_ACK_V1 kid=0 [ 3 ] DATA len=0
2023-03-24 14:09:16 us=140000 192.168.1.1:39930 TCPv4_SERVER READ [319] from [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=305
2023-03-24 14:09:16 us=140000 192.168.1.1:39930 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TLS: Username/Password authentication succeeded for username 'imdoficina'
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TCPv4_SERVER WRITE [280] to [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ 4 3 2 1 ] pid=4 DATA len=242
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TCPv4_SERVER READ [319] from [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=305
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TCPv4_SERVER WRITE [38] to [AF_INET]192.168.1.1:39930: P_ACK_V1 kid=0 [ 4 3 2 1 0 ] DATA len=0
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TCPv4_SERVER READ [22] from [AF_INET]192.168.1.1:39930: P_ACK_V1 kid=0 [ 4 ] DATA len=0
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 [imdoficina] Peer Connection Initiated with [AF_INET]192.168.1.1:39930
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 MULTI_sva: pool returned IPv4=10.8.0.3, IPv6=(Not enabled)
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 MULTI: Learn: 10.8.0.3 -> imdoficina/192.168.1.1:39930
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 MULTI: primary virtual IP for imdoficina/192.168.1.1:39930: 10.8.0.3
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 Data Channel MTU parms [ mss_fix:1389 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 Connection reset, restarting [0]
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-03-24 14:09:17 us=312000 TCP/UDP: Closing socket
A Windows client connects without problems. I also tried with a custom profile at PPP, but the result is the same.
The script at the OVPN server is for authenticating users from the AD. Also, the script log shows the client authenticating correctly:
[03/24/2023 02:09:17 ] [info ] [imdoficina] Authentication successful
[03/24/2023 02:09:05 ] [info ] [imdoficina] Authentication successful
[03/24/2023 02:08:54 ] [info ] [imdoficina] Authentication successful
[03/24/2023 02:08:42 ] [info ] [imdoficina] Authentication successful
Can anyone give me a clue about the issue?
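The server log above shows the full sequence (username/password accepted, "Peer Connection Initiated", data channel cipher initialized, then "Connection reset" in the same second), which is the signature of a client dropping a negotiation the server had already completed, as opposed to the server refusing the client. The following is an added example, not the poster's code, that parses verb 6 server log lines in that format and labels each client session accordingly; the sample lines are constructed to mirror the post's format, and the 5-second `window` threshold is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the verb 6 server log in the post (not the poster's real log)
SAMPLE_LOG = """\
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TLS: Username/Password authentication succeeded for username 'imdoficina'
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 [imdoficina] Peer Connection Initiated with [AF_INET]192.168.1.1:39930
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 Connection reset, restarting [0]
2023-03-24 14:12:41 us=200000 192.168.1.77:51000 TLS: Username/Password authentication succeeded for username 'laptop'
2023-03-24 14:12:41 us=200000 192.168.1.77:51000 [laptop] Peer Connection Initiated with [AF_INET]192.168.1.77:51000
2023-03-24 14:12:41 us=200000 laptop/192.168.1.77:51000 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""
# Per-session lines carry "ip:port" or "cn/ip:port" right after the timestamp
LINE_RE = re.compile(r"^(\S+ \S+) us=(\d+) (?:(\S+)/)?(\d+\.\d+\.\d+\.\d+:\d+) (.*)$")
CIPHER_RE = re.compile(r"Data Channel: Cipher '([^']+)' initialized")

def parse_sessions(log_text):
    sessions = {}  # addr -> milestones of that client's handshake
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # socket setup/teardown lines have no client prefix
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") + timedelta(microseconds=int(m.group(2)))
        cn, addr, msg = m.group(3), m.group(4), m.group(5)
        s = sessions.setdefault(addr, {"cn": cn, "auth_ok": None, "peer_init": None, "cipher": None, "reset": None})
        s["cn"] = cn or s["cn"]  # the CN only appears in the prefix once the session is trusted
        if "authentication succeeded" in msg:
            s["auth_ok"] = ts
        elif "Peer Connection Initiated" in msg:
            s["peer_init"] = ts
        elif "Connection reset" in msg:
            s["reset"] = ts
        elif CIPHER_RE.search(msg):
            s["cipher"] = CIPHER_RE.search(msg).group(1)
    return sessions

def classify(sessions, window=timedelta(seconds=5)):
    # Did the server reject the client, or did the client drop a handshake the server had completed?
    result = {}
    for addr, s in sessions.items():
        if s["auth_ok"] is None:
            verdict = "rejected-before-auth"
        elif s["reset"] and s["peer_init"] and s["reset"] - s["peer_init"] <= window:
            verdict = "dropped-after-handshake"
        else:
            verdict = "dropped-later" if s["reset"] else "stable"
        result[addr] = (s["cn"], s["cipher"], verdict)
    return result
```

Run it against the real server log to confirm the cipher the server actually initialized for the RouterOS client and that the reset happens after the server's side of the negotiation is complete, which points the investigation at the client's accepted cipher/digest options rather than at the AD authentication script.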