Environment:
- RouterOS: 7.22.2 (tested also on 7.16.2)
- Hardware: MikroTik hEX (RB750Gr3)
- OpenVPN server: pfSense 2.8.1 running OpenVPN 2.6.14
- Protocol: TCP and UDP (tested both)
- Cipher: AES-256-CBC / Auth: SHA1
Problem:
The RouterOS OpenVPN client (/interface ovpn-client) fails to establish a working tunnel when connecting to an OpenVPN 2.6.x server. The TLS handshake completes successfully on the server side ("Initialization Sequence Completed"), but the MikroTik client never reaches the "connected" state and disconnects after ~60 seconds.
RouterOS log shows:
ovpn,info ovpn-out1: connecting...
ovpn,info ovpn-out1: using encoding - AES-256-CBC/SHA1
ovpn,error warning: recvd <%IV_CIPHERS=AES-256-CBC
ovpn,error IV_PROTO=746
ovpn,error 00PUSH_REPLY,route 192.168.1.0 255.255.255.0>
[60 seconds later]
ovpn,info ovpn-out1: disconnected <peer disconnected>
Root cause analysis:
OpenVPN 2.6 introduced mandatory bidirectional NCP (Negotiable Crypto Parameters) — the server now sends its own IV_CIPHERS and IV_PROTO back to the client as part of the P2P NCP handshake. The RouterOS OpenVPN client does not expect or handle this, causing it to misparse the PUSH_REPLY message that follows (note the garbled 00PUSH_REPLY prefix and > suffix in the log).
As a result, the MikroTik never applies the pushed routes, never transitions to "connected" state, and the server disconnects due to keepalive timeout.
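To make the misparse and the requested "ignore unknown peer-info fields" behaviour concrete, here is an added Python illustration (not RouterOS or OpenVPN code) that parses the control-channel text exactly as it appears in the "recvd" log line above. It contrasts a strict parser that expects the message to begin with PUSH_REPLY against a tolerant one that skips IV_* peer-info lines and stray leading bytes first; the message layout and the "00" prefix are taken only from the log, and the samples are constructed.

```python
import re

# Constructed sample: the text between < > in the "recvd" log line, one
# item per line. Whether "00" is literal or the log's rendering of two
# stray bytes is not known; the tolerant parser handles either.
SAMPLE_26 = "IV_CIPHERS=AES-256-CBC\nIV_PROTO=746\n00PUSH_REPLY,route 192.168.1.0 255.255.255.0"
# Constructed sample of an OpenVPN 2.5-style reply: no peer info at all.
SAMPLE_25 = "PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.0.0.0 255.0.0.0"

PEER_INFO_LINE = re.compile(r"^(IV_[A-Z0-9_]+)=(.*)$")
# Peer-info keys this illustrative client acts on; every other IV_* key is
# recorded and ignored rather than treated as a parse failure.
UNDERSTOOD_KEYS = {"IV_PROTO", "IV_CIPHERS"}


def parse_push_reply(reply):
    """Turn 'PUSH_REPLY,route A B,...' into a list of (option, args) pairs."""
    body = reply[len("PUSH_REPLY"):].lstrip(",")
    options = []
    for item in filter(None, body.split(",")):
        name, _, args = item.strip(" \x00").partition(" ")
        options.append((name, args.split()))
    return options


def naive_parse(msg):
    """Mirrors the failure described: the message must start with PUSH_REPLY."""
    return parse_push_reply(msg) if msg.startswith("PUSH_REPLY") else None


def tolerant_parse(msg):
    """Consume leading IV_* peer-info lines, then locate PUSH_REPLY anywhere in the rest."""
    peer_info, rest = {}, None
    lines = msg.split("\n")
    for i, line in enumerate(lines):
        m = PEER_INFO_LINE.match(line)
        if not m:
            rest = "\n".join(lines[i:])
            break
        peer_info[m.group(1)] = m.group(2)
    unknown = sorted(k for k in peer_info if k not in UNDERSTOOD_KEYS)
    start = rest.find("PUSH_REPLY") if rest is not None else -1
    options = parse_push_reply(rest[start:]) if start >= 0 else None
    return {"peer_info": peer_info, "unknown": unknown, "options": options}


def pushed_routes(options):
    """Extract (network, netmask) pairs from parsed PUSH_REPLY options."""
    return [(a[0], a[1]) for name, a in (options or []) if name == "route" and len(a) >= 2]
```

Running `naive_parse(SAMPLE_26)` yields no routes at all, which matches the log, while `tolerant_parse(SAMPLE_26)` recovers both the peer info and the pushed route.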
Workarounds attempted on the server (pfSense 2.8.1 / OpenVPN 2.6.14):
- data-ciphers AES-256-CBC — does not prevent IV_CIPHERS from being sent
- data-ciphers-fallback AES-256-CBC — same result
- compat-mode 2.4.0 — confirmed present in generated config, but does not suppress the P2P NCP exchange in OpenVPN 2.6.14
- ncp-disable — removed in OpenVPN 2.6, not available
- Switching between TCP and UDP — no difference
Context:
The same RouterOS version (7.22.2) connects successfully to a pfSense 2.6.0 server running OpenVPN 2.5.x, where the server does not send IV_CIPHERS to the client. The issue is exclusively with OpenVPN 2.6.x servers.
We have 100+ MikroTik routers operating as OpenVPN clients against a pfSense 2.6.0 server. Upgrading pfSense to 2.8.1 (which ships OpenVPN 2.6.x) breaks all of them simultaneously, making the pfSense upgrade impossible until this is resolved.
Request:
Please update the RouterOS OpenVPN client to properly handle incoming IV_CIPHERS and IV_PROTO peer-info messages from OpenVPN 2.6 servers, and correctly parse the PUSH_REPLY that follows — either by ignoring unknown peer-info fields gracefully or by implementing basic NCP support on the client side.
This is a significant blocker for any infrastructure running MikroTik routers as OpenVPN clients against modern OpenVPN 2.6 servers.