blingblouw
Member
Topic Author
Posts: 345
Joined: Wed Aug 25, 2010 9:43 am

OVPN & Linux

Fri Feb 10, 2017 8:37 am

Hi.

I am trying to connect my Linux client to my Mikrotik OVPN server.


To set up the certificates on the MikroTik I followed this guide (http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates):
/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2
/certificate 
sign ca-template ca-crl-host=10.5.101.16 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2
/certificate
set myCa trusted=yes
set server trusted=yes
/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx

Then in the MikroTik OVPN configuration it asks for a certificate, and I put in myCa.

Once that has been done, I take the exported client.crt from the MikroTik to the Linux client and set up the OpenVPN connection using Network Manager; it asked for a certificate, username & password, which are all supplied.

The VPN does not connect. The MikroTik has no relevant logs but Linux does; I have attached a section below. It's obviously a problem with the certificate but I cannot figure out what to do. Any help?

Feb 10 08:14:48 cspace nm-openvpn[59389]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Feb 10 08:14:48 cspace nm-openvpn[59389]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 10 08:14:48 cspace nm-openvpn[59389]: Attempting to establish TCP connection with [AF_INET]41.164.32.77:1194 [nonblock]
Feb 10 08:14:48 cspace pptp[124817]: anon log[decaps_gre:pptp_gre.c:414]: buffering packet 557277 (expecting 557276, lost or reordered)
Feb 10 08:14:49 cspace nm-openvpn[59389]: TCP connection established with [AF_INET]41.164.32.77:1194
Feb 10 08:14:49 cspace nm-openvpn[59389]: TCPv4_CLIENT link local: [undef]
Feb 10 08:14:49 cspace nm-openvpn[59389]: TCPv4_CLIENT link remote: [AF_INET]41.164.32.77:1194
Feb 10 08:14:49 cspace nm-openvpn[59389]: VERIFY ERROR: depth=0, error=self signed certificate: CN=myCa
Feb 10 08:14:49 cspace nm-openvpn[59389]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Feb 10 08:14:49 cspace nm-openvpn[59389]: TLS Error: TLS object -> incoming plaintext read error
Feb 10 08:14:49 cspace nm-openvpn[59389]: TLS Error: TLS handshake failed
Feb 10 08:14:49 cspace nm-openvpn[59389]: Fatal TLS error (check_tls_errors_co), restarting
Feb 10 08:14:49 cspace nm-openvpn[59389]: SIGUSR1[soft,tls-error] received, process restarting
Feb 10 08:14:49 cspace pptp[124817]: anon log[decaps_gre:pptp_gre.c:414]: buffering packet 558283 (expecting 558282, lost or reordered)
 
baragoon
Member Candidate
Posts: 294
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: OVPN & Linux

Fri Feb 10, 2017 9:02 am

Here is my working example:
/certificate add name=template-CA country="" state="" locality="" organization="" unit="" common-name="ovpn-ca" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign template-CA ca-crl-host=127.0.0.1 name="ovpn-ca"
/certificate add name=template-SRV country="" state="" locality="" organization="" unit="" common-name="ovpn-srv-cert" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign template-SRV ca="ovpn-ca" name="ovpn-srv-cert"

/certificate add name=template-CL country="" state="" locality="" organization="" unit="" common-name="client-ovpn-template" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate add name=template-CL-to-issue copy-from="template-CL" common-name="client1-ovpn"
/certificate sign template-CL-to-issue ca="ovpn-ca" name="client1-ovpn"

/certificate add name=template-CL-to-issue copy-from="template-CL" common-name="client2-ovpn"
/certificate sign template-CL-to-issue ca="ovpn-ca" name="client2-ovpn"

/certificate export-certificate ovpn-ca export-passphrase=""
/certificate export-certificate client1-ovpn export-passphrase=some_password
/certificate export-certificate client2-ovpn export-passphrase=some_password
If you want to disable the key passphrase you can do something like this inside your Linux box (I didn't save the whole instruction, just made some notes):
openssl rsa -in cert_export_client1-ovpn.key -out cert_export_client-ovpn.nopass.key

/interface ovpn-server server
set certificate=ovpn-srv-cert cipher=blowfish128,aes128,aes192,aes256 default-profile=vpn enabled=yes keepalive-timeout=30 port=1194 require-client-certificate=yes
/ppp profile
add change-tcp-mss=yes dns-server=192.168.88.1 local-address=192.168.55.1 name=vpn remote-address=pool-vpn
/ip pool
add name=pool-vpn ranges=192.168.55.10-192.168.55.100
/ppp secret
add name=client1 password=some_password profile=vpn service=ovpn
add name=client2 password=some_password profile=vpn service=ovpn

openvpn-client.conf in Linux:
client
dev tun
proto tcp
sndbuf 0
rcvbuf 0
mssfix
remote IP PORT
#askpass /etc/openvpn/client/pass (key passphrase if not disabled)
resolv-retry infinite
tls-cipher DEFAULT
ca /path_to/cert_export_ovpn-ca.crt
cert /path_to/cert_export_client1-ovpn.crt
key /path_to/cert_export_client1-ovpn.key
nobind
persist-key
persist-tun
auth-user-pass user-pwd.txt
remote-cert-tls server
ping 10
verb 3
redirect-gateway def1

cat /etc/openvpn/client/user-pwd.txt
client1
client1_password

maybe I forgot something... try
 
blingblouw
Member
Topic Author
Posts: 345
Joined: Wed Aug 25, 2010 9:43 am

Re: OVPN & Linux

Fri Feb 10, 2017 10:58 am

I want to high five you through the internet.

Thanks!
 
jr0dd
just joined
Posts: 14
Joined: Fri Feb 10, 2017 4:46 am

Re: OVPN & Linux

Fri Feb 10, 2017 8:07 pm

Client 1 and client 2 configs and certs confirmed working on iPhone. Not on my Linux box or MacBook. Cannot seem to figure it out. Any advice would be great. It seems the version on the computers is looking for more than the phone. The log files on the RB3011 just repeat the following after every attempt from an actual computer:
13:02:44 ovpn,info TCP connection established from 10.10.0.39 
13:02:45 ovpn,debug,error,l2tp,12280,50456,12280,23212,50116,13560,l2tp,info,13564,debug duplicate packet, dropping
Client side
2017-02-10 13:02:45 VERIFY ERROR: could not extract CN from X509 subject string ('C=US, ST=FL, O=Storage-Addict, OU=IT') -- note that the username length is limited to 64 characters
2017-02-10 13:02:45 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-02-10 13:02:45 TLS_ERROR: BIO read tls_read_plaintext error
2017-02-10 13:02:45 TLS Error: TLS object -> incoming plaintext read error
2017-02-10 13:02:45 TLS Error: TLS handshake failed
I enter credentials and get:
2017-02-10 13:02:48 ERROR: could not read Auth username/password/ok/string from management interface
I am on 6.38.1 btw.
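The three posts above show two distinct certificate mistakes that an OpenVPN client rejects before any username/password is sent: in the first post the CA certificate itself was selected as the OVPN server certificate (hence "depth=0, error=self signed certificate: CN=myCa"), and in the last post the server certificate was issued with a subject that has no CN ("could not extract CN from X509 subject string"). baragoon's working setup avoids both by issuing a separate server certificate with key-usage=digital-signature,key-encipherment,tls-server and a CN, which is exactly what the client's `remote-cert-tls server` line demands. The script below is an added example, not code from this thread, MikroTik or OpenVPN: it lints a PEM certificate against the checks an OpenVPN client applies (chains to the `ca` file, not self-signed, keyUsage and EKU as required by `remote-cert-tls server`, CN present) and builds its own throwaway PKI with `openssl` so it can be run offline. The file names, subjects and the `--demo` flag are constructed for the example; it assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Lint RouterOS-exported certificates the way an OpenVPN client judges them.
# Added example for this thread, not MikroTik's or OpenVPN's own tooling.
# Assumes: `openssl` on PATH; PEM files as written by /certificate export-certificate.

# Returns 0 when $2 would be accepted by a client configured with
# `ca $1` and `remote-cert-tls server`; prints one line per failed check.
check_ovpn_server_cert() {
    ca="$1"; srv="$2"; rc=0
    subj=$(openssl x509 -in "$srv" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$srv" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    text=$(openssl x509 -in "$srv" -noout -text)

    # First post: the CA itself was selected as the OVPN server certificate,
    # so the client saw "depth=0, error=self signed certificate: CN=myCa".
    if [ "$subj" = "$iss" ]; then
        echo "FAIL: server certificate is self-signed ($subj); issue a separate server cert signed by the CA"
        rc=1
    fi

    # What the client's `ca` directive checks: the cert must chain to that CA.
    if ! openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1; then
        echo "FAIL: server certificate does not chain to $ca"
        rc=1
    fi

    # `remote-cert-tls server` requires keyUsage digitalSignature+keyEncipherment and
    # EKU serverAuth, i.e. RouterOS key-usage=digital-signature,key-encipherment,tls-server.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    case "$ku" in
        *"Digital Signature"*"Key Encipherment"*) ;;
        *) echo "FAIL: keyUsage is '$ku', need digital-signature,key-encipherment"; rc=1 ;;
    esac
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: no extendedKeyUsage serverAuth (RouterOS key-usage=tls-server)"
        rc=1
    fi

    # Third post: "could not extract CN from X509 subject string"; OpenVPN needs a CN.
    case "$subj" in
        CN=*|*,CN=*) ;;
        *) echo "FAIL: subject '$subj' has no CN"; rc=1 ;;
    esac
    return $rc
}

# Throwaway PKI so the checks can run offline (constructed sample, not the thread's certs).
# ca.crt/server.crt mirror the working setup; nocn.crt mirrors the CN-less subject in the last post.
make_sample_pki() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # CA, like `add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign` then `sign`
    openssl req -x509 -config "$dir/ext.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 365 -subj "/CN=myCa" >/dev/null 2>&1
    for name in server nocn; do
        if [ "$name" = server ]; then s="/CN=server"; else s="/C=US/ST=FL/O=Storage-Addict/OU=IT"; fi
        openssl req -new -config "$dir/ext.cnf" -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "$s" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$name.crt" -days 365 -extfile "$dir/ext.cnf" -extensions srv_ext >/dev/null 2>&1
    done
}

# `sh lint.sh --demo` runs the checks against the sample PKI; otherwise source the
# file and call check_ovpn_server_cert with your exported CA and server certificate.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample_pki "$d"
    for c in server ca nocn; do
        echo "== $c.crt as server certificate"
        check_ovpn_server_cert "$d/ca.crt" "$d/$c.crt" && echo "OK"
    done
fi
```

RouterOS only exports what you ask for, so to lint the real server certificate export it too (`/certificate export-certificate <name>` with no passphrase writes just the .crt) and run `check_ovpn_server_cert cert_export_ovpn-ca.crt cert_export_ovpn-srv-cert.crt` on the Linux side; the `ca` file used here must be the same one the client config points at, since that is the trust anchor the `VERIFY ERROR` lines are measured against.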
