PIA via OpenVPN client on RB750Gr3 help

Hello

I’m new to routeros and have been trying for about 5 days now with no luck.
I’m trying to get my RB750Gr3 to connect to PIA via openvpn and also if the vpn fails all connections are blocked so nothing leaks out and exposes my data.

I’ve got the router working fine with a normal config but once it comes to configuring the VPN I just cannot get it to work. I managed to import my certificate and created the VPN and routes in multiple ways but I’m pulling my hair out now as I just can’t get it sorted; I used to do the same with DD-WRT fine but I guess my brain’s dying… it feels like it has anyway.

Can someone please please put up a quick guide or something to show me how to setup the openvpn client for PIA and also how to block all traffic if the VPN fails/disconnects or cycles its connection in any way.
I should also say, this router is literally only going to be sat in between my main router and the outside world so it doesn’t need any per port config or anything fancy, literally just connect VPN and block if it drops connection.

Thanks!

If you want some answers, it’s a good idea to share some basic info. For example what’s PIA, if it’s some public service, then what config you got from them, etc.

Hi
Yes, sorry, I completely forgot that.
It’s the privateinternetaccess VPN I’m trying to connect to; their config uses UDP but can use TCP.
I’ve even tried following PIA openvpn/routeros tutorials but after days and days I’ve ended up here.
I really would appreciate a guide, as I said I’ve tried what I know and other people’s info from multiple forums/posts but it’s just confused me now.

Below is the top of PIA’s .ovpn file contents which I’ve used as a reference. I do need to use specific DNS servers 209.222.18.222 and 209.222.18.218.

client
dev tun
proto udp
remote 89.238.150.12 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass
compress
verb 1
reneg-sec 0

So it doesn’t even connect, right? Normally the problem would be udp, but if tcp is supported too, it’s ok. Other than that, “dev tun” is mode=ip, and even though the “compress” parameter looks possibly problematic, because RouterOS doesn’t support compression, according to the manual:

--compress [algorithm]

If the algorithm parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later.

So it should be probably ok too. The rest is clear.

I’d try to enable more detailed logging, maybe it will show something useful:

/system logging
add topics=ovpn

You can also export your config and post the content of the resulting myconfig.rsc:

/export hide-sensitive file=myconfig
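The mapping Sob walks through above (dev tun = mode=ip, udp and compress as the likely blockers) and the kill switch the original poster asked for, as an added example that is not from the thread or from MikroTik. It parses the option lines quoted from the PIA .ovpn file, emits the matching RouterOS v6 ovpn-client and firewall commands, and flags what RouterOS cannot honour; the interface name ovpn-pia, the LAN interface ether2, the WAN gateway and the PIA_USER/PIA_PASS credentials are placeholders.

```python
"""Map the PIA .ovpn options quoted in the thread onto RouterOS ovpn-client
parameters, flag what RouterOS cannot honour, and emit kill-switch rules."""

# Option lines taken from the .ovpn excerpt above (only the mapping-relevant ones).
PIA_OVPN = """client
dev tun
proto udp
remote 89.238.150.12 1198
cipher aes-128-cbc
auth sha1
auth-user-pass
compress
"""
# OpenVPN names -> values the RouterOS v6 ovpn-client accepts.
CIPHERS = {"bf-cbc": "blowfish128", "aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256"}
AUTHS = {"md5": "md5", "sha1": "sha1", "none": "null"}

def parse_ovpn(text):
    """Return {option: [args]} for each non-empty, non-comment line."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            key, *args = line.split()
            opts[key] = args
    return opts

def to_routeros(opts, name="ovpn-pia", lan_if="ether2", wan_gw="WAN_GATEWAY_IP"):
    """Return (RouterOS commands, warnings); interface names and gateway are placeholders."""
    warnings = []
    host, port = (opts["remote"] + ["1194"])[:2]  # OpenVPN's default port when omitted
    if opts.get("proto", ["udp"])[0].startswith("udp"):
        warnings.append("proto udp: RouterOS v6 OpenVPN client is TCP-only; use a TCP port")
    if "compress" in opts or "comp-lzo" in opts:
        warnings.append("compress: RouterOS has no OpenVPN compression support")
    cipher = CIPHERS.get(opts.get("cipher", ["bf-cbc"])[0].lower(), "UNSUPPORTED")
    auth = AUTHS.get(opts.get("auth", ["sha1"])[0].lower(), "UNSUPPORTED")
    if "UNSUPPORTED" in (cipher, auth):
        warnings.append("cipher/auth not offered by RouterOS ovpn-client")
    mode = "ip" if opts.get("dev", ["tun"])[0].startswith("tun") else "ethernet"
    return [
        f"/interface ovpn-client add name={name} connect-to={host} port={port} mode={mode} "
        f"cipher={cipher} auth={auth} user=PIA_USER password=PIA_PASS add-default-route=no",
        # Pin the VPN server itself to the WAN so the tunnel route cannot swallow it.
        f"/ip route add dst-address={host}/32 gateway={wan_gw}",
        f"/ip route add dst-address=0.0.0.0/0 gateway={name} distance=1",
        # Kill switch: LAN traffic may only leave via the tunnel; a down tunnel drops it.
        f"/ip firewall filter add chain=forward in-interface={lan_if} out-interface=!{name} action=drop",
    ], warnings
```

If the WAN default route also has distance 1, raise its distance so the tunnel route wins while the tunnel is up; the forward drop rule is what guarantees nothing from the LAN leaves via the WAN when it is down.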

No, OpenVPN is not flexible in negotiating parameters (certainly not old versions, and therefore there are still interoperability problems).
When the other side’s config says “compress”, and you do not support compression, you are out of luck. You would at least need to support compression without it being active.

Hi Sob,
The basic connection to internet works perfectly until I add in the OVPN config and routes, it literally does nothing then. I thought it may be something to do with the certificate
so I tried the config without the certificate but it still fails to even show a single connection attempt.


Hi pe1chl,
So if you think at least part of my issue is the compression do you have any suggestions?

The most recent config I’ve tried was one I followed from this post:
https://unblockvpn.com/support/how-to-set-up-openvpn-on-router-mikrotik.php

Please take a look and if anyone has any advice please let me know, I really just need to get this up and running and have been trying different configs now for the past 7 days still with no luck.


Thanks
Dean

It is well known that the OpenVPN on RouterOS usually does not work when connecting to other servers that aren’t carefully configured to inter-operate with it.
You can try the v7 beta, the OpenVPN is improved but it probably won’t work anyway.

Only realistic workaround is to get another device, if only a Raspberry Pi, to make the connection for you using standard OpenVPN software.

It’s funny you say that I actually thought the same myself and had a rpi 4 delivered today.
My only concern is download speeds being compromised?

I would still prefer to get the router itself working though but I’ll use the pi as a last resort

Few notes:

  • It would be interesting to try with your own OpenVPN server if RouterOS client can connect when server uses empty compress option.
  • Even if they fail immediately, you should definitely see some connection attempts.
  • RB750Gr3 does have HW accelerated encryption, but so far it’s used only for IPSec. So in case you were looking at product page with over 400 Mbps IPSec throughput, you wouldn’t get that anyway. I don’t know how much the CPU can do, but I expect much less.

That’s a good idea, I’ll definitely be doing some more testing and will also export the logs here for advice
I’ll report back in a couple of days.

I wasn’t aware that the hardware encryption was designed for IPSec only, that’s a shame, I was hoping for some decent speeds off it. I’ll have to see how it goes.

It’s not that HW encryption is designed for IPsec only … it’s that the rest of encryption SW wasn’t adapted to use HW capabilities (yet). Even when we get that, not everything will be HW offloaded, some algorithms and/or key lengths are not supported in some hardware …

Ah right I understand. Talking of IPSec, I have actually seen an IPSec privateinternetaccess config which is supposed to work fine.
I was just trying to go with OVPN because it’s obviously more secure and newer.

“obviously more secure”? I don’t think so! Don’t listen to those kiddies that claim their VPN pet project is the best, before you know you are in those queues here that always want the next VPN protocol to be added to RouterOS…

See this is why I needed to talk this through.
Can someone clear this up, what sort of speeds could I get using L2TP/IPSec using my RB750Gr3?

Thanks

+1

RB750Gr3 has HW support for IPsec so it should be able to transfer at least 100Mbps of IPsec (if suitable algorithm and key length is selected). Without using HW support the achievable throughput will be some 5 times lower …