Unable to get OpenVPN to work on RBD52G-5HacD2HnD (Firmware: 6.49.17)

I followed the document @ https://www.bgocloud.com/knowledgebase/73/mikrotik-chr-how-to-set-up-openvpn-server-for-your-iot-devices-video.html to set up a VPN connection. Any help appreciated.

The setup is as follows: Client ---- [[[ Internet ]]] ---- Fixed IP on [ISP Provided Modem] — Static IP 192.168.0.6 of Mikrotik Router.

The OpenVPN config file (adapted from bgocloud) is the following:

client
dev tun
proto tcp-client
remote xx.xx.xx.xx
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca ca.crt #CA certificate file
cert client.crt #CLIENT certificate file
key  client.key #CLIENT certificate key
verb 4
mute 10
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
auth-user-pass secret #File with user/password for VPN
auth-nocache
;redirect-gateway def1 #remove semicolon for full redirect

When I attempt to connect, the connection fails. Below is the OVPN log:

2024-12-19 15:54:03 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2024-12-19 15:54:03 OpenVPN 2.6.12 [git:v2.6.12/038a94bae57a446c] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jul 18 2024
2024-12-19 15:54:03 Windows version 10.0 (Windows 10 or greater), amd64 executable
2024-12-19 15:54:03 library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
2024-12-19 15:54:03 DCO version: 1.2.1
2024-12-19 15:54:03 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2024-12-19 15:54:03 Need hold release from management interface, waiting...
2024-12-19 15:54:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:52539
2024-12-19 15:54:04 MANAGEMENT: CMD 'state on'
2024-12-19 15:54:04 MANAGEMENT: CMD 'log on all'
2024-12-19 15:54:04 MANAGEMENT: CMD 'echo on all'
2024-12-19 15:54:04 MANAGEMENT: CMD 'bytecount 5'
2024-12-19 15:54:04 MANAGEMENT: CMD 'state'
2024-12-19 15:54:04 MANAGEMENT: CMD 'hold off'
2024-12-19 15:54:04 MANAGEMENT: CMD 'hold release'
2024-12-19 15:54:07 MANAGEMENT: CMD 'username "Auth" "chribonn"'
2024-12-19 15:54:07 MANAGEMENT: CMD 'password [...]'
2024-12-19 15:54:07 MANAGEMENT: CMD 'password [...]'
2024-12-19 15:54:07 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-12-19 15:54:07 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
2024-12-19 15:54:07 ovpn-dco device [OpenVPN Data Channel Offload] opened
2024-12-19 15:54:07 TCP_CLIENT link local: (not bound)
2024-12-19 15:54:07 TCP_CLIENT link remote: [AF_INET]xx.xx.xx.xx:1194
2024-12-19 15:54:07 MANAGEMENT: >STATE:1734620047,WAIT,,,,,,
2024-12-19 15:54:07 MANAGEMENT: >STATE:1734620047,AUTH,,,,,,
2024-12-19 15:54:07 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=5f8879c2 2cc8f0b5
2024-12-19 15:54:08 VERIFY OK: depth=1, C=MT, ST=MT, L=qwert, O=acbd, OU=IT, CN=ca
2024-12-19 15:54:08 VERIFY KU OK
2024-12-19 15:54:08 Validating certificate extended key usage
2024-12-19 15:54:08 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-12-19 15:54:08 VERIFY EKU OK
2024-12-19 15:54:08 VERIFY OK: depth=0, C=MT, ST=MT, L=qwert, O=acbd, OU=IT, CN=xx.xx.xx.xx
2024-12-19 15:54:08 Connection reset, restarting [-1]
2024-12-19 15:54:08 Closing DCO interface
2024-12-19 15:54:08 SIGUSR1[soft,connection-reset] received, process restarting
2024-12-19 15:54:08 MANAGEMENT: >STATE:1734620048,RECONNECTING,connection-reset,,,,,
2024-12-19 15:54:08 Restart pause, 1 second(s)
2024-12-19 15:54:09 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:1194
2024-12-19 15:54:09 ovpn-dco device [OpenVPN Data Channel Offload] opened
2024-12-19 15:54:09 TCP_CLIENT link local: (not bound)
2024-12-19 15:54:09 TCP_CLIENT link remote: [AF_INET]xx.xx.xx.xx:1194
2024-12-19 15:54:09 MANAGEMENT: >STATE:1734620049,WAIT,,,,,,
2024-12-19 15:54:09 MANAGEMENT: >STATE:1734620049,AUTH,,,,,,
2024-12-19 15:54:09 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=aeea0c64 ccc6d509
2024-12-19 15:54:09 VERIFY OK: depth=1, C=MT, ST=MT, L=qwert, O=acbd, OU=IT, CN=ca
2024-12-19 15:54:09 VERIFY KU OK
2024-12-19 15:54:09 Validating certificate extended key usage
2024-12-19 15:54:09 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-12-19 15:54:09 VERIFY EKU OK
2024-12-19 15:54:09 VERIFY OK: depth=0, C=MT, ST=MT, L=qwert, O=acbd, OU=IT, CN=xx.xx.xx.xx
2024-12-19 15:54:10 Connection reset, restarting [-1]
2024-12-19 15:54:10 Closing DCO interface
2024-12-19 15:54:10 SIGUSR1[soft,connection-reset] received, process restarting

First line from your log:

2024-12-19 15:54:03 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

You are using unsupported cipher AES-256-CBC for your client OpenVPN version (2.6.12), see more at https://community.openvpn.net/openvpn/wiki/CipherNegotiation

In ROS OVPN Server settings set “Cipher” to AES-256-GCM or AES-128-GCM and “Auth” to null, and do the same in your client config. Also, you can downgrade the OpenVPN client to a version which supports such a cipher if you don’t have control over ROS or for other reasons don’t want a more secure connection.
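Added example, not code from this thread or from OpenVPN/MikroTik: a small Python lint that re-implements, in simplified form, the consistency check behind the "DEPRECATED OPTION: --cipher ... but missing in --data-ciphers" warning quoted above (including the OpenVPN 2.6 default list the warning prints), flags legacy CBC entries, and counts the "server certificate verified, then connection reset" attempts in a client log. The config and log samples are constructed from the lines in the post; the placeholder remote and the function names are assumptions of this example.

```python
# Added example, not code from the forum thread or from OpenVPN/MikroTik.
# It re-implements, simplified, the check behind the
# "DEPRECATED OPTION: --cipher ... but missing in --data-ciphers" warning
# and scans a client log for the verify-then-reset pattern shown in the post.
import re

# OpenVPN 2.6 default --data-ciphers list, as quoted in the log warning.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]

# Constructed sample: the relevant lines of the posted client config, as they
# must have been when the log was taken (cipher set, no data-ciphers line).
CONFIG_AS_LOGGED = """\
client
dev tun
proto tcp-client
remote xx.xx.xx.xx          # placeholder address, as in the post
port 1194
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
;redirect-gateway def1 #remove semicolon for full redirect
"""

# Constructed sample: AEAD-only settings in the spirit of the reply above.
CONFIG_GCM = "cipher AES-256-GCM\ndata-ciphers AES-256-GCM:AES-128-GCM\n"

# Constructed sample: a few lines of the posted log, two connection attempts.
LOG_SAMPLE = """\
2024-12-19 15:54:07 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=5f8879c2 2cc8f0b5
2024-12-19 15:54:08 VERIFY OK: depth=1, C=MT, ST=MT, L=qwert, O=acbd, OU=IT, CN=ca
2024-12-19 15:54:08 VERIFY OK: depth=0, C=MT, ST=MT, L=qwert, O=acbd, OU=IT, CN=xx.xx.xx.xx
2024-12-19 15:54:08 Connection reset, restarting [-1]
2024-12-19 15:54:09 TLS: Initial packet from [AF_INET]xx.xx.xx.xx:1194, sid=aeea0c64 ccc6d509
2024-12-19 15:54:09 VERIFY OK: depth=1, C=MT, ST=MT, L=qwert, O=acbd, OU=IT, CN=ca
2024-12-19 15:54:09 VERIFY OK: depth=0, C=MT, ST=MT, L=qwert, O=acbd, OU=IT, CN=xx.xx.xx.xx
2024-12-19 15:54:10 Connection reset, restarting [-1]
"""


def parse_config(text):
    """Map option name -> argument list. '#' and ';' start comments, so the
    line beginning with ';' (the disabled redirect-gateway) is skipped."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def effective_data_ciphers(opts):
    """The list OpenVPN 2.6 negotiates from: --data-ciphers, its old alias
    --ncp-ciphers, or the built-in default when neither is present."""
    for key in ("data-ciphers", "ncp-ciphers"):
        if opts.get(key):
            return opts[key][0].split(":")
    return list(DEFAULT_DATA_CIPHERS)


def check_ciphers(opts):
    """Return findings (strings) for the cipher-related lines of a client config."""
    findings = []
    data_ciphers = effective_data_ciphers(opts)
    cipher = (opts.get("cipher") or [None])[0]
    if cipher and cipher not in data_ciphers:
        findings.append(
            f"--cipher {cipher} not in --data-ciphers {':'.join(data_ciphers)}; "
            "OpenVPN 2.6 ignores --cipher for negotiation"
        )
    legacy = [c for c in data_ciphers if c.upper().endswith("-CBC")]
    if legacy:
        findings.append(
            f"non-AEAD cipher(s) in --data-ciphers: {', '.join(legacy)}; "
            "outside the 2.6 default list and dependent on --auth"
        )
    return findings


def reset_after_verify(log_text):
    """Count attempts where the server chain verified (VERIFY OK depth=0)
    and the TCP session was then reset before the handshake completed."""
    attempts = 0
    verified = False
    for line in log_text.splitlines():
        if "TLS: Initial packet" in line:
            verified = False              # a new attempt starts
        elif "VERIFY OK: depth=0" in line:
            verified = True
        elif "Connection reset" in line and verified:
            attempts += 1
            verified = False
    return attempts


if __name__ == "__main__":
    for finding in check_ciphers(parse_config(CONFIG_AS_LOGGED)):
        print("finding:", finding)
    print("attempts verified then reset:", reset_after_verify(LOG_SAMPLE))
```

Run against the config as logged, the lint reports exactly the mismatch the client warned about; against the GCM-only fragment it reports nothing, and the log scan counts two attempts that verified the server certificate and were then reset, which is the pattern to look for when the data channel cannot be agreed on.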

I don’t think Router OS v6 has these Ciphers. I will try with an older version of OpenVPN and report back.

Ah v6… https://wiki.mikrotik.com/Manual:Interface/OVPN#Server_configuration, they are all CBC ciphers… Then yes, only an OpenVPN client downgrade can help if a ROS upgrade to v7 is not an option. I have a device with similar specs, Chateau LTE12, and ROS v7 works fine, but it depends which packages are needed because of the 16MB storage.

When I check for upgrades I only get shown the v6 ROS yet from https://mikrotik.com/product/hap_ac2#fndtn-downloads It seems the router can handle v7.

Is v7 operational on the hAP ac2 and does it break anything? Furthermore, if it is OK to upgrade to v7, how do I go about it – I normally press the upgrade button from within Winbox.

Thanks

hAP ac2 can run v7 pretty fine. But: its 16MB flash is tiny and it’s very likely it’ll get full (and then all sorts of funny things start to happen). Base routeros v7 uses around 13MB of it, any wireless (legacy or new wifi) another 2MB or slightly more … so not much free for config and/or additional stuff.

The But (and explanation) helped explain a lot :laughing:

This is on my device with wifi-qcom-ac and container packages + large configuration with many scripts:

free-hdd-space: 360.0KiB
total-hdd-space: 16.0MiB

Free space is stable, but I’m using an additional thumb drive attached to USB for other files; nothing is saved on flash from my side.

Regarding ROS v7 stability, since I’m using the new wifi drivers (wifi-qcom-ac), occasionally after startup I have the same issue described here: http://forum.mikrotik.com/t/v7-16-2-stable-is-released/178911/1 and I need to reboot again if it happens. I have never experienced it twice in a row after a reboot, but I still hope it will get fixed.

Regarding config migration from v6 to v7, you will probably need to change something, depending on the configuration; I have never done it, so I can’t say more. I know for sure you need to set up wifi from scratch when switching from legacy to the new wifi drivers, but this is not mandatory since the legacy drivers (wireless package) still work on v7.

Can someone suggest the version of OpenVPN Community that should work?

From this note in the tutorial https://openvpn.net/as-docs/tutorials/tutorial--change-encryption-cipher.html#step-1--determine-what-ciphers-to-allow_body: OpenVPN 2.3 and older.