I’m struggling with configuring the client part of a Site-2-Site OVPN.
For the same person I have already configured a Site-2-Client (same server) which works properly.
I have only one file available: the Windows client .ovpn file.
From that, I was able to extract the ca.crt, the client.crt, the client.key and one more key, the client_tls.key (the .ovpn has a “tls-crypt” parameter).
I was able to import the ca.crt, the client.crt, and the two keys successfully, either by importing them one by one or by importing the .ovpn as it is (it detected and separated the two certs automatically).
Now, as you can see from the .ovpn file below, the client uses UDP and also compression:
client
dev tun
proto udp
remote xxxxxx.xxxxx.xxxx xxxx
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
compress
verb 3
cipher AES-256-GCM
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-crypt new-test.key
tls-version-min 1.2
auth-retry nointeract
I had no problem with UDP, since ROS 7.1.1 gives the option to use it.
I also guess that I should be OK with compression because I have set a PPP profile with “Use Compression” = Yes (am I really???).
The problem is that, as you saw above, the client config from the .ovpn file doesn’t provide me with any username or password.
Without knowing what to do, I just used a random username and no password.
My OVPN link seemed to be established:
I was very happy at first.
But then I got this in my logs:
So I think I have two problems, one with encryption and another with authentication.
Even if I figure out something about TLS, how can I implement this on MikroTik without using credentials?
The client keeps claiming that he has been told this is possible…
What did you do with “tls-crypt new-test.key”? AFAIK RouterOS doesn’t support this. And compression may be a problem too (I know that RouterOS doesn’t have LZO, but I’m not sure if it supports anything else).
Without the tls key in the end, the Windows client does not connect, so I thought to give it a try.
After importing the combined file as a .key file, ROS accepted it, and I got a KT flag.
But again... it may accept this because it reads only the first part of it (the private key)…
Regarding the compression, I just read in the log file of the Windows client that it connected using “lz4”.
If you import certificates or keys in PEM format (the readable kind you have), the system looks for data in known blocks (-----BEGIN/END CERTIFICATE/PRIVATE KEY-----) and everything else is ignored as comments. So you didn’t get any error, but neither did you import the static key. I don’t think you can succeed with this config and current RouterOS.
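A small pre-flight check that illustrates the point above, added here as an example and not code from the thread or from MikroTik: it walks an .ovpn file, sorts the PEM blocks into those an importer that only recognises certificate and private-key blocks would act on versus those it would silently skip (the OpenVPN static key block), and lists the directives this thread flags as doubtful on the RouterOS client. The recognised-label set, the risky-directive list and the supported-digest set are assumptions drawn from the replies above, and the sample file is constructed with dummy key bodies.

```python
import re

# Constructed sample: the thread's client options followed by inline PEM blocks
# with dummy bodies (not real keys); new-test.key is the file name from the thread.
SAMPLE_OVPN = """client
proto udp
compress
cipher AES-256-GCM
auth SHA512
tls-crypt new-test.key
-----BEGIN CERTIFICATE-----
dummycertbody==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
dummykeybody==
-----END PRIVATE KEY-----
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
"""

# Assumption taken from the reply above: the PEM importer acts only on
# certificate and private-key blocks and treats any other block as a comment.
RECOGNISED = {"CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
# Directives and digests the thread flags as unsupported or doubtful on RouterOS.
RISKY = {"tls-crypt": "static key cannot be imported as a PEM block",
         "compress": "compression support in doubt (server used lz4)"}
SUPPORTED_AUTH = {"SHA1", "MD5"}
BLOCK_RE = re.compile(r"^-----(BEGIN|END) ([^-]+)-----$")

def split_blocks(text):
    # Return (imported, ignored) PEM block labels in file order.
    imported, ignored = [], []
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m and m.group(1) == "BEGIN":
            (imported if m.group(2) in RECOGNISED else ignored).append(m.group(2))
    return imported, ignored

def check_directives(text):
    # Map each risky directive found outside PEM blocks to a short note.
    findings, in_block = {}, False
    for line in text.splitlines():
        m = BLOCK_RE.match(line.strip())
        if m:
            in_block = m.group(1) == "BEGIN"
        elif line.strip() and not in_block:
            key, _, value = line.strip().partition(" ")
            if key in RISKY:
                findings[key] = RISKY[key]
            elif key == "auth" and value.upper() not in SUPPORTED_AUTH:
                findings["auth"] = f"digest {value} not in {sorted(SUPPORTED_AUTH)}"
    return findings
```

Running both functions on the sample shows the static key block landing in the ignored list while the certificate and private key are accepted, which is exactly why the import reported no error.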
I usually never enable compression; even if I do, there is no graph to check whether it is working.
Also I’m stuck with v6. It is too early to run UDP on v7.
Not sure if it’s the issue. But what is the OpenVPN server/concentrator? Another Mikrotik?
It’s strange that you have this in the OVPN client config then:
cipher AES-256-GCM
auth SHA512
because all MikroTik boxes I ever had support just the auth mechanisms SHA1 or MD5.
So I have this in my OVPN config file:
cipher AES-256-CBC
auth SHA1
Maybe you have some more fancy box like CloudCore or something…
But if your VPN server is not MikroTik, I believe the problem could be in that auth mechanism. Maybe the server requires SHA512 and MikroTik as a client does not support that. The solution could be simply enabling the SHA1 auth mechanism on the server side.
Good suggestion.
Unfortunately, the only thing I know about the server side is that there is a Linux-based machine.
This VPN concerns connecting to an organization that receives and automatically analyzes data sent from the client side.
I suppose that the organization offers the “.ovpn” file to any clients that want to connect.
Neither I nor the customer have any access there.