el berto
Member Candidate
Topic Author
Posts: 223
Joined: Wed Sep 26, 2007 10:53 am

How to configure OpenVPN client?

Tue Jan 21, 2020 7:36 pm

Hi to all, I'm opening a new thread hoping to solve this issue:
I followed the OpenVPN guide found on the Wiki and these are my (working) OpenVPN settings on a MikroTik RB750:


- port: 1194
- protocol: TCP
- LZO: disabled
- mode: TUN
- encryption: AES-256/CBC-256
- authentication: TLS+password
- TLS cipher: all
- HMAC authentication algorithm: SHA1

OK, I'm happy I can connect other MikroTik devices as clients, but I can't connect (I mean I don't know how to correctly set the configuration file) Linux clients with OpenVPN installed on them.

My client.conf is:
client
cipher AES-256-CBC

dev tun
port 1194
tun-mtu 1400
proto tcp-client
remote 2.195.166.15
#resolv-retry infinite
keepalive 5 10
#nobind
remote-cert-tls server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/OpenVPN_Raspberry_test.crt
key /etc/openvpn/OpenVPN_Raspberry_test.key
#comp-lzo yes
persist-key
persist-tun
verb 11
auth-user-pass login.conf



First of all I don't know if it's correct.
Here is the log:
Mon Jan 20 17:46:14 2020 us=694564 library versions: OpenSSL 1.0.2r 26 Feb 2019, LZO 2.08
Mon Jan 20 17:46:14 2020 us=695472 PKCS#11: pkcs11_initialize - entered
Mon Jan 20 17:46:14 2020 us=696085 PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
Mon Jan 20 17:46:14 2020 us=696286 PO_INIT maxevents=4 flags=0x00000002
Mon Jan 20 17:46:14 2020 us=702112 PKCS#11: __pkcs11h_forkFixup entry pid=31648, activate_slotevent=1
Mon Jan 20 17:46:14 2020 us=702594 PKCS#11: __pkcs11h_forkFixup return
Enter Private Key Password: **********
Mon Jan 20 17:46:18 2020 us=190641 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 20 17:46:18 2020 us=221659 PRNG init md=SHA1 size=36
Mon Jan 20 17:46:18 2020 us=221931 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
Mon Jan 20 17:46:18 2020 us=222024 TLS: tls_session_init: entry
Mon Jan 20 17:46:18 2020 us=222114 PID packet_id_init seq_backtrack=64 time_backtrack=15
Mon Jan 20 17:46:18 2020 us=222389 PID packet_id_init seq_backtrack=64 time_backtrack=15
Mon Jan 20 17:46:18 2020 us=222576 TLS: tls_session_init: new session object, sid=224bdba2 151f916f
Mon Jan 20 17:46:18 2020 us=222695 TLS: tls_session_init: entry
Mon Jan 20 17:46:18 2020 us=222892 PID packet_id_init seq_backtrack=64 time_backtrack=15
Mon Jan 20 17:46:18 2020 us=223172 PID packet_id_init seq_backtrack=64 time_backtrack=15
Mon Jan 20 17:46:18 2020 us=223300 TLS: tls_session_init: new session object, sid=a0da2e16 ca0b1e92
Mon Jan 20 17:46:18 2020 us=223384 Control Channel MTU parms [ L:1523 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Mon Jan 20 17:46:18 2020 us=223549 MTU DYNAMIC mtu=1450, flags=2, 1523 -> 1450
Mon Jan 20 17:46:18 2020 us=223700 RESOLVE_REMOTE flags=0x0101 phase=1 rrs=0 sig=-1 status=0
Mon Jan 20 17:46:18 2020 us=223806 Data Channel MTU parms [ L:1523 D:1450 EF:123 EB:389 ET:0 EL:3 ]
Mon Jan 20 17:46:18 2020 us=223982 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes
Mon Jan 20 17:46:18 2020 us=224100 calc_options_string_link_mtu: link-mtu 1523 -> 1459
Mon Jan 20 17:46:18 2020 us=224247 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 56 bytes
Mon Jan 20 17:46:18 2020 us=224331 calc_options_string_link_mtu: link-mtu 1523 -> 1459
Mon Jan 20 17:46:18 2020 us=224433 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1459,tun-mtu 1400,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Mon Jan 20 17:46:18 2020 us=224512 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1459,tun-mtu 1400,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Mon Jan 20 17:46:18 2020 us=224658 STREAM: RESET
Mon Jan 20 17:46:18 2020 us=224747 STREAM: INIT maxlen=1526
Mon Jan 20 17:46:18 2020 us=224838 TCP/UDP: Preserving recently used remote address: [AF_INET]2.195.166.15:1194
Mon Jan 20 17:46:18 2020 us=225003 Socket Buffers: R=[131072->131072] S=[16384->16384]
Mon Jan 20 17:46:18 2020 us=225178 Attempting to establish TCP connection with [AF_INET]2.195.166.15:1194 [nonblock]
Mon Jan 20 17:46:19 2020 us=225818 TCP connection established with [AF_INET]2.195.166.15:1194
Mon Jan 20 17:46:19 2020 us=226080 TCP_CLIENT link local: (not bound)
Mon Jan 20 17:46:19 2020 us=226233 TCP_CLIENT link remote: [AF_INET]2.195.166.15:1194
Mon Jan 20 17:46:19 2020 us=226434 TLS Warning: no data channel send key available: [key#0 state=S_INITIAL id=0 sid=00000000 00000000] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Mon Jan 20 17:46:19 2020 us=226565 SENT PING
Mon Jan 20 17:46:19 2020 us=226659 TIMER: coarse timer wakeup 1 seconds
Mon Jan 20 17:46:19 2020 us=226812 TLS: tls_multi_process: i=0 state=S_INITIAL, mysid=224bdba2 151f916f, stored-sid=00000000 00000000, stored-ip=[AF_INET]2.195.166.15:1194
Mon Jan 20 17:46:19 2020 us=226914 TLS: tls_process: chg=0 ks=S_INITIAL lame=S_UNDEF to_link->len=0 wakeup=604800
Mon Jan 20 17:46:19 2020 us=226995 ACK mark active outgoing ID 0
Mon Jan 20 17:46:19 2020 us=227080 TLS: Initial Handshake, sid=224bdba2 151f916f
Mon Jan 20 17:46:19 2020 us=227156 ACK reliable_can_send active=1 current=1 : [1] 0
Mon Jan 20 17:46:19 2020 us=227219 ACK reliable_send ID 0 (size=4 to=2)
Mon Jan 20 17:46:19 2020 us=227285 Reliable -> TCP/UDP
Mon Jan 20 17:46:19 2020 us=227358 ACK reliable_send_timeout 2 [1] 0
Mon Jan 20 17:46:19 2020 us=227423 TLS: tls_process: timeout set to 2
Mon Jan 20 17:46:19 2020 us=227529 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=a0da2e16 ca0b1e92, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Mon Jan 20 17:46:19 2020 us=227638 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Mon Jan 20 17:46:19 2020 us=227767 RANDOM USEC=219816
Mon Jan 20 17:46:19 2020 us=227861 STREAM: SET NEXT, buf=[516,0] next=[516,1526] len=-1 maxlen=1526
Mon Jan 20 17:46:19 2020 us=227942 PO_CTL rwflags=0x0003 ev=3 arg=0x000ba0dc
Mon Jan 20 17:46:19 2020 us=228037 I/O WAIT T?|T?|SR|SW [1/219816]
Mon Jan 20 17:46:19 2020 us=228139 PO_WAIT[0,0] fd=3 rev=0x00000004 rwflags=0x0002 arg=0x000ba0dc
Mon Jan 20 17:46:19 2020 us=228218 event_wait returned 1
Mon Jan 20 17:46:19 2020 us=228288 I/O WAIT status=0x0002
Mon Jan 20 17:46:19 2020 us=228418 TCP_CLIENT WRITE [14] to [AF_INET]2.195.166.15:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=224bdba2 151f916f [ ] pid=0 DATA
Mon Jan 20 17:46:19 2020 us=228497 STREAM: WRITE 14 offset=30
Mon Jan 20 17:46:19 2020 us=228639 TCP_CLIENT write returned 16
Mon Jan 20 17:46:19 2020 us=228806 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=224bdba2 151f916f, stored-sid=00000000 00000000, stored-ip=[AF_INET]2.195.166.15:1194
Mon Jan 20 17:46:19 2020 us=228898 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Mon Jan 20 17:46:19 2020 us=228991 ACK reliable_can_send active=1 current=0 : [1] 0
Mon Jan 20 17:46:19 2020 us=229387 SSL state (connect): before/connect initialization
Mon Jan 20 17:46:19 2020 us=229750 SSL state (connect): SSLv2/v3 write client hello A
Mon Jan 20 17:46:19 2020 us=229976 ACK reliable_send_timeout 2 [1] 0
Mon Jan 20 17:46:19 2020 us=230118 TLS: tls_process: timeout set to 2
Mon Jan 20 17:46:19 2020 us=230279 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=a0da2e16 ca0b1e92, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Mon Jan 20 17:46:19 2020 us=230409 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Mon Jan 20 17:46:19 2020 us=230553 STREAM: SET NEXT, buf=[516,0] next=[516,1526] len=-1 maxlen=1526
Mon Jan 20 17:46:19 2020 us=230675 PO_CTL rwflags=0x0001 ev=3 arg=0x000ba0dc
Mon Jan 20 17:46:19 2020 us=230804 I/O WAIT T?|T?|SR|Sw [1/219816]
Mon Jan 20 17:46:20 2020 us=452249 event_wait returned 0
Mon Jan 20 17:46:20 2020 us=452504 I/O WAIT status=0x0020
Mon Jan 20 17:46:20 2020 us=452606 TIMER: coarse timer wakeup 1 seconds
Mon Jan 20 17:46:20 2020 us=452783 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=224bdba2 151f916f, stored-sid=00000000 00000000, stored-ip=[AF_INET]2.195.166.15:1194
Mon Jan 20 17:46:20 2020 us=452893 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Mon Jan 20 17:46:20 2020 us=452979 ACK reliable_can_send active=1 current=0 : [1] 0
Mon Jan 20 17:46:20 2020 us=453159 ACK reliable_send_timeout 1 [1] 0
Mon Jan 20 17:46:20 2020 us=453257 TLS: tls_process: timeout set to 1
Mon Jan 20 17:46:20 2020 us=453373 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=a0da2e16 ca0b1e92, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Mon Jan 20 17:46:20 2020 us=453490 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Mon Jan 20 17:46:20 2020 us=453598 STREAM: SET NEXT, buf=[516,0] next=[516,1526] len=-1 maxlen=1526
Mon Jan 20 17:46:20 2020 us=453677 PO_CTL rwflags=0x0001 ev=3 arg=0x000ba0dc
Mon Jan 20 17:46:20 2020 us=453764 I/O WAIT T?|T?|SR|Sw [1/219816]
Mon Jan 20 17:46:21 2020 us=675196 event_wait returned 0
Mon Jan 20 17:46:21 2020 us=675478 I/O WAIT status=0x0020
Mon Jan 20 17:46:21 2020 us=675600 TIMER: coarse timer wakeup 1 seconds
Mon Jan 20 17:46:21 2020 us=675758 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=224bdba2 151f916f, stored-sid=00000000 00000000, stored-ip=[AF_INET]2.195.166.15:1194
Mon Jan 20 17:46:21 2020 us=675855 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Mon Jan 20 17:46:21 2020 us=675938 ACK reliable_can_send active=1 current=1 : [1] 0
Mon Jan 20 17:46:21 2020 us=676009 ACK reliable_send ID 0 (size=4 to=4)
Mon Jan 20 17:46:21 2020 us=676077 Reliable -> TCP/UDP
Mon Jan 20 17:46:21 2020 us=676138 ACK reliable_send_timeout 4 [1] 0
Mon Jan 20 17:46:21 2020 us=676193 TLS: tls_process: timeout set to 4
Mon Jan 20 17:46:21 2020 us=676284 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=a0da2e16 ca0b1e92, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Mon Jan 20 17:46:21 2020 us=676374 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Mon Jan 20 17:46:21 2020 us=676455 STREAM: SET NEXT, buf=[516,0] next=[516,1526] len=-1 maxlen=1526
Mon Jan 20 17:46:21 2020 us=676515 PO_CTL rwflags=0x0003 ev=3 arg=0x000ba0dc
Mon Jan 20 17:46:21 2020 us=676592 I/O WAIT T?|T?|SR|SW [1/219816]
Mon Jan 20 17:46:21 2020 us=676705 PO_WAIT[0,0] fd=3 rev=0x00000004 rwflags=0x0002 arg=0x000ba0dc
Mon Jan 20 17:46:21 2020 us=676804 event_wait returned 1
Mon Jan 20 17:46:21 2020 us=676898 I/O WAIT status=0x0002
Mon Jan 20 17:46:21 2020 us=677093 TCP_CLIENT WRITE [14] to [AF_INET]2.195.166.15:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=224bdba2 151f916f [ ] pid=0 DATA
Mon Jan 20 17:46:21 2020 us=677217 STREAM: WRITE 14 offset=30
Mon Jan 20 17:46:21 2020 us=677363 TCP_CLIENT write returned 16
Mon Jan 20 17:46:21 2020 us=677515 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=224bdba2 151f916f, stored-sid=00000000 00000000, stored-ip=[AF_INET]2.195.166.15:1194
Mon Jan 20 17:46:21 2020 us=677598 TLS: tls_process: chg=0 ks=S_PRE_START lame=S_UNDEF to_link->len=0 wakeup=604800
Mon Jan 20 17:46:21 2020 us=677683 ACK reliable_can_send active=1 current=0 : [1] 0
Mon Jan 20 17:46:21 2020 us=677891 ACK reliable_send_timeout 4 [1] 0
Mon Jan 20 17:46:21 2020 us=677979 TLS: tls_process: timeout set to 4
Mon Jan 20 17:46:21 2020 us=678079 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=a0da2e16 ca0b1e92, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Mon Jan 20 17:46:21 2020 us=678177 TLS: tls_multi_process: i=2 state=S_UNDEF, mysid=00000000 00000000, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
Mon Jan 20 17:46:21 2020 us=678263 STREAM: SET NEXT, buf=[516,0] next=[516,1526] len=-1 maxlen=1526
Mon Jan 20 17:46:21 2020 us=678335 PO_CTL rwflags=0x0001 ev=3 arg=0x000ba0dc
Mon Jan 20 17:46:21 2020 us=678417 I/O WAIT T?|T?|SR|Sw [1/219816]
^CMon Jan 20 17:46:21 2020 us=813946 event_wait returned -1
Mon Jan 20 17:46:21 2020 us=814192 event_wait : Interrupted system call (code=4)
Mon Jan 20 17:46:21 2020 us=814292 I/O WAIT status=0x0010
Mon Jan 20 17:46:21 2020 us=814374 PID packet_id_free
Mon Jan 20 17:46:21 2020 us=814728 PID packet_id_free
Mon Jan 20 17:46:21 2020 us=814852 PID packet_id_free
Mon Jan 20 17:46:21 2020 us=814925 PID packet_id_free
Mon Jan 20 17:46:21 2020 us=815214 PID packet_id_free
Mon Jan 20 17:46:21 2020 us=815351 PID packet_id_free
Mon Jan 20 17:46:21 2020 us=815436 PID packet_id_free
Mon Jan 20 17:46:21 2020 us=815505 PID packet_id_free
Mon Jan 20 17:46:21 2020 us=815959 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x7b8f30, ptr=(nil), ad=0x7b8f60, idx=0, argl=0, argp=0x76e2b994
Mon Jan 20 17:46:21 2020 us=816195 PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x7b8690, ptr=(nil), ad=0x7b86c0, idx=0, argl=0, argp=0x76e2b994
Mon Jan 20 17:46:21 2020 us=816333 TCP/UDP: Closing socket
Maybe someone more expert than me can find the error?
Thanks.
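
One way to triage a log like the one above, as an added example that is not part of the original post: it counts OpenVPN packets in each direction and reports where the handshake stalls. The sample log is a constructed excerpt in the same format with a documentation address in place of the server's, and the `READ` line format for server replies is assumed to mirror the `WRITE` lines.

```python
import re

# Constructed excerpt in the format of the verb 11 log above; 192.0.2.10 is a
# documentation address standing in for the server.
SAMPLE_LOG = """\
Mon Jan 20 17:46:19 2020 us=225818 TCP connection established with [AF_INET]192.0.2.10:1194
Mon Jan 20 17:46:19 2020 us=226812 TLS: tls_multi_process: i=0 state=S_INITIAL, mysid=224bdba2 151f916f
Mon Jan 20 17:46:19 2020 us=228418 TCP_CLIENT WRITE [14] to [AF_INET]192.0.2.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=224bdba2 151f916f [ ] pid=0 DATA
Mon Jan 20 17:46:19 2020 us=228806 TLS: tls_multi_process: i=0 state=S_PRE_START, mysid=224bdba2 151f916f
Mon Jan 20 17:46:21 2020 us=677093 TCP_CLIENT WRITE [14] to [AF_INET]192.0.2.10:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=224bdba2 151f916f [ ] pid=0 DATA
Mon Jan 20 17:46:21 2020 us=816333 TCP/UDP: Closing socket
"""

# Packet lines look like "TCP_CLIENT WRITE [14] to <addr>: P_CONTROL_..."
PACKET_RE = re.compile(r"\b(?:TCP|UDP)\w* (READ|WRITE) \[\d+\] (?:to|from) \S+ (P_\w+)")
# Key state of the active TLS session (slot i=0)
STATE_RE = re.compile(r"tls_multi_process: i=0 state=(S_\w+)")

def triage(log_text):
    """Summarise how far the client got: transport, packets per direction, key state."""
    sent, received, states, tcp_up = [], [], [], False
    for line in log_text.splitlines():
        tcp_up = tcp_up or "TCP connection established" in line
        m = PACKET_RE.search(line)
        if m:
            (sent if m.group(1) == "WRITE" else received).append(m.group(2))
        m = STATE_RE.search(line)
        if m and m.group(1) not in states:
            states.append(m.group(1))
    resets = sent.count("P_CONTROL_HARD_RESET_CLIENT_V2")
    if received:
        verdict = "server replied; the failure is later in the handshake"
    elif resets:
        verdict = "server never answered the hard reset; no TLS handshake data was exchanged"
    elif tcp_up:
        verdict = "TCP connected but no OpenVPN packet was sent"
    else:
        verdict = "no connection attempt found"
    return {"tcp_connected": tcp_up, "hard_resets_sent": resets,
            "packets_received": len(received),
            "last_state": states[-1] if states else None, "verdict": verdict}
```

A result with `packets_received` at 0 after several hard resets means the client never saw the server's certificate, so the cause lies before certificate or password checks.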
 
Boka
just joined
Posts: 1
Joined: Wed Jan 22, 2020 6:23 am

Re: How to configure OpenVPN client?

Wed Jan 22, 2020 6:33 am

Hi. I have the same problem. I use the OpenVPN server on Debian 10. How to configure the OpenVPN client? My configuration is as follows:
client
proto tcp-client
remote my ip addres server 443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_jeItwcW0t9ilPEx9 name
auth SHA256
auth-nocache
cipher AES-128-CBC
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
Last edited by Boka on Wed Jan 22, 2020 6:40 am, edited 2 times in total.
 
RadimEk
just joined
Posts: 1
Joined: Thu May 21, 2020 2:23 pm

Re: How to configure OpenVPN client?

Thu Apr 01, 2021 11:30 am

MikroTik v6 doesn't work with SHA256 for authentication.
...
auth SHA256
...
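
The check this reply implies, as an added example that is not part of the original thread: it parses a client config, fills in the values OpenVPN uses when a directive is absent, and lists every setting that differs from the server settings in the first post. Both sample configs are constructed, and the fallback values assume an OpenVPN 2.4 client.

```python
# Server-side settings as listed in the first post of this thread.
SERVER = {"port": "1194", "proto": "tcp", "dev": "tun",
          "cipher": "AES-256-CBC", "auth": "SHA1", "comp-lzo": False}

# Constructed client configs (192.0.2.10 is a documentation address).
MATCHING = """client
dev tun
proto tcp-client
remote 192.0.2.10
port 1194
cipher AES-256-CBC
#comp-lzo yes
"""
MISMATCHED = """client
proto tcp-client
remote 192.0.2.10 443
dev tun
auth SHA256   # the directive the last reply points at
cipher AES-128-CBC
"""

def effective_settings(conf_text):
    """Return the values the client will use (assumed OpenVPN 2.4 defaults filled in)."""
    s = {"port": "1194", "proto": "udp", "dev": "", "cipher": "BF-CBC",
         "auth": "SHA1", "comp-lzo": False}
    remote_port = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line[0] == ";":
            continue
        key, *args = line.split()
        if key == "remote":                      # remote host [port] [proto]
            remote_port = args[1] if len(args) > 1 else remote_port
            s["proto"] = args[2] if len(args) > 2 else s["proto"]
        elif key == "comp-lzo":                  # any form, even "comp-lzo no", adds framing
            s["comp-lzo"] = True
        elif key in s and args:
            s[key] = args[0]
    s["port"] = remote_port or s["port"]         # a port on "remote" overrides "port"
    s["proto"] = s["proto"].lower().split("-")[0]    # tcp-client -> tcp
    s["dev"] = s["dev"][:3].lower()                  # tun0 -> tun
    s["cipher"], s["auth"] = s["cipher"].upper(), s["auth"].upper()
    return s

def mismatches(conf_text, server=SERVER):
    """List (directive, client value, server value) for every setting that differs."""
    client = effective_settings(conf_text)
    return [(k, client[k], want) for k, want in server.items() if client[k] != want]
```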
