wsgtrsys
newbie
Topic Author
Posts: 36
Joined: Sat Dec 25, 2004 2:22 pm

ovpn can't support lzo compress?

Sat Sep 22, 2007 2:48 pm

I installed OpenVPN on FreeBSD; the OpenVPN config file is:
port 443
proto tcp
dev tun
ca /vpn/keys/ca.crt
cert /vpn/keys/server.crt
key /vpn/keys/server.key
dh /vpn/keys/dh1024.pem
server 10.97.0.0 255.255.0.0
ifconfig-pool-persist /vpn/ipp.txt
keepalive 10 60
ping-timer-rem
comp-lzo
persist-key
persist-tun
status /vpn/log/status.log
log /vpn/log/openvpn.log
verb 3
mute 20
daemon
writepid /vpn/log/server.pid
push "redirect-gateway def1"
plugin /vpn/simple.so /vpn/pass.txt
client-cert-not-required
fast-io
username-as-common-name
client-to-client
cipher none
push "dhcp-option DNS 208.67.222.222"
When I use openvpn-client to connect to the openvpn-server, it works fine!
But when I use RouterOS ovpn to connect to the OpenVPN server, it can't link. The error log is:
Sat Sep 22 19:44:28 2007 TCP connection established with 61.160.79.182:46679
Sat Sep 22 19:44:28 2007 TCPv4_SERVER link remote: 61.160.79.182:46679
Sat Sep 22 19:44:28 2007 61.160.79.182:46679 TLS: Initial packet from 61.160.79.182:46679, sid=855ad979 e1ff0488
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 PLUGIN_CALL: POST /vpn/simple.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 TLS: Username/Password authentication succeeded for username 'jJbs0' [CN SET]
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1528', remote='link-mtu 1527'
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Sat Sep 22 19:44:31 2007 61.160.79.182:46679 [jJbs0] Peer Connection Initiated with 61.160.79.182:46679
Sat Sep 22 19:44:31 2007 jJbs0/61.160.79.182:46679 MULTI: Learn: 10.97.0.46 -> jJbs0/61.160.79.182:46679
Sat Sep 22 19:44:31 2007 jJbs0/61.160.79.182:46679 MULTI: primary virtual IP for jJbs0/61.160.79.182:46679: 10.97.0.46
Sat Sep 22 19:44:31 2007 jJbs0/61.160.79.182:46679 PUSH: Received control message: 'PUSH_REQUEST'
Sat Sep 22 19:44:31 2007 jJbs0/61.160.79.182:46679 SENT CONTROL [jJbs0]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,route 172.18.0.0 255.255.0.0 net_gateway,route 240.39.240.0 255.255.255.0 net_gateway,route 10.97.0.0 255.255.0.0,ping 10,ping-restart 60,ifconfig 10.97.0.46 10.97.0.45' (status=1)
Sat Sep 22 19:44:32 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 96
Sat Sep 22 19:44:37 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 96
Sat Sep 22 19:44:51 2007 jJbs0/61.160.79.182:46679 3 variation(s) on previous 20 message(s) suppressed by --mute
Sat Sep 22 19:44:51 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:02 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:12 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:22 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:32 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:42 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:45:52 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:46:02 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:46:12 2007 jJbs0/61.160.79.182:46679 Bad LZO decompression header byte: 42
It seems ovpn can't support LZO compression?
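The server log in the post above shows a one-sided compression setting: an option-consistency warning for 'comp-lzo' at handshake time, followed by repeated "Bad LZO decompression header byte" errors once data flows. As an added example (not part of the original post, and not OpenVPN or MikroTik code), the Python below picks that pattern out of a server log per peer; the sample log, the addresses and the function name `analyze` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the server log format in the post above
# (192.0.2.10 is a documentation address, "alice" a made-up username).
SAMPLE_LOG = """\
Sat Sep 22 19:44:28 2007 TCP connection established with 192.0.2.10:46679
Sat Sep 22 19:44:31 2007 192.0.2.10:46679 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1528', remote='link-mtu 1527'
Sat Sep 22 19:44:31 2007 192.0.2.10:46679 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sat Sep 22 19:44:31 2007 192.0.2.10:46679 [alice] Peer Connection Initiated with 192.0.2.10:46679
Sat Sep 22 19:44:32 2007 alice/192.0.2.10:46679 Bad LZO decompression header byte: 96
Sat Sep 22 19:44:37 2007 alice/192.0.2.10:46679 Bad LZO decompression header byte: 42
Sat Sep 22 19:44:51 2007 alice/192.0.2.10:46679 3 variation(s) on previous 20 message(s) suppressed by --mute
"""

# "<timestamp> [user/]ip:port <message>"; lines without a peer prefix do not match.
LINE = re.compile(
    r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} "
    r"(?:[^/\s]+/)?(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$")
INCONSISTENT = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
LOCAL_ONLY = re.compile(
    r"WARNING: '([^']+)' is present in local config but missing in remote config")
BAD_LZO = re.compile(r"Bad LZO decompression header byte: (\d+)")


def analyze(log_text):
    """Group option warnings and LZO errors by peer address (ip:port)."""
    peers = defaultdict(lambda: {"mismatched": {}, "local_only": [], "bad_lzo": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # listener start-up and other lines with no peer prefix
        info, msg = peers[m["peer"]], m["msg"]
        if (w := INCONSISTENT.search(msg)):
            info["mismatched"][w[1]] = (w[2], w[3])   # option -> (local, remote)
        elif (w := LOCAL_ONLY.search(msg)):
            info["local_only"].append(w[1])           # set here, absent on the peer
        elif BAD_LZO.search(msg):
            info["bad_lzo"] += 1
    for info in peers.values():
        # Handshake warning plus data-channel errors from the same peer:
        # the server expects a compression header the client never sends.
        info["compression_mismatch"] = (
            "comp-lzo" in info["local_only"] and info["bad_lzo"] > 0)
    return dict(peers)


if __name__ == "__main__":
    for peer, info in analyze(SAMPLE_LOG).items():
        print(peer, info)
```

Run against a real log, a peer flagged with `compression_mismatch` authenticated and received its pushed options but cannot pass traffic until both ends agree on compression.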
 
wsgtrsys
newbie
Topic Author
Posts: 36
Joined: Sat Dec 25, 2004 2:22 pm

Re: ovpn can't support lzo compress?

Sat Sep 22, 2007 2:54 pm

ovpn also can't support the UDP protocol!
 
Lorzelek
newbie
Posts: 34
Joined: Tue Nov 09, 2004 7:38 pm

Re: ovpn can't support lzo compress?

Sun Sep 23, 2007 10:14 pm

Hi,
How do I generate good certificates for OpenVPN on MT 3.0?
I created certificates for OpenVPN on a Linux box and they worked fine (based on the OpenVPN howto page).
In MT, when I tried to enable the OpenVPN client interface with the selected cert, I got the error:
couldn't add new interface - no ceritificate found (6).
Is there any special method to generate certs for MT's ovpn?

Peter
 
uldis
MikroTik Support
Posts: 3428
Joined: Mon May 31, 2004 2:55 pm

Re: ovpn can't support lzo compress?

Mon Sep 24, 2007 12:28 pm

Import those certificates and decrypt them (/certificate menu); after that, specify them in the OpenVPN configuration.
 
Lorzelek
newbie
Posts: 34
Joined: Tue Nov 09, 2004 7:38 pm

Re: ovpn can't support lzo compress?

Mon Sep 24, 2007 4:17 pm

ok, the .key file was missing to decrypt

It is working now.

thank you
Peter
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg

Re: ovpn can't support lzo compress?

Fri May 02, 2008 1:27 pm

wsgtrsys: How do you get OpenVPN to use usernames & passwords?
Currently I also have a working setup on FreeBSD for existing clients; however, MT forces you to enter a username
and I don't use usernames/passwords on my OpenVPN server, only certificates.


Thank You!
http://www.thavinci.za.net

echo "Demo license expired!"
echo "Please reinstall the router."
echo
kill -WINCH 1
exit
 
byteman
just joined
Posts: 17
Joined: Tue May 29, 2007 11:38 pm

Re: ovpn can't support lzo compress?

Fri May 02, 2008 11:27 pm

thavinci, I'm trying the same: ovpn without name & password, only with certificates.
Please let me know if you find out how.
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg

Re: ovpn can't support lzo compress?

Sat May 03, 2008 12:12 am

I just found out MT doesn't support that yet....
:cry:
 
aproetz
just joined
Posts: 14
Joined: Mon Jul 21, 2008 8:38 pm

Re: ovpn can't support lzo compress?

Mon Oct 20, 2008 9:46 am

Does anybody have an idea if Mikrotik is working on adding support for lzo-comp and using the UDP protocol? If so, when will it be available?

We have a client that needs to connect to a linux server with lzo-comp. We can establish a connection, but if you try and communicate to the server it just replies with no route. Seems the communication level is broken.

Thanks
 
mrz
MikroTik Support
Posts: 5960
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ovpn can't support lzo compress?

Mon Oct 20, 2008 11:15 am

RouterOS OpenVPN does not support LZO and UDP and most likely support for them will not be added in the near future.
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg

Re: ovpn can't support lzo compress?

Mon Oct 20, 2008 11:41 am

How come?! It seems there is a need!

Thanks.
 
ayufan
Member
Posts: 331
Joined: Sun Jun 03, 2007 9:35 pm

Re: ovpn can't support lzo compress?

Mon Oct 20, 2008 1:54 pm

[quote="mrz"]RouterOS OpenVPN does not support LZO and UDP and most likely support for them will not be added in the near future.[/quote]

and it looks like I'll have to set up an external OpenVPN server... :/
hAP AC, TP-Link Archer C7 v2, RB951G, RB450G, RPI2, RPI zero
 
mrz
MikroTik Support
Posts: 5960
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ovpn can't support lzo compress?

Mon Oct 20, 2008 2:09 pm

If you need UDP you can use L2TP tunnels.
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg

Re: ovpn can't support lzo compress?

Mon Oct 20, 2008 2:32 pm

That doesn't solve the problem.

We are currently using a Unix VPN server and do not intend to change, and we are too far down the line to change the setup of OpenVPN.

Also we get the best performance out of the setup as is.


Just interested in why MT won't support these features long term.
 
aproetz
just joined
Posts: 14
Joined: Mon Jul 21, 2008 8:38 pm

Re: ovpn can't support lzo compress?

Mon Oct 20, 2008 7:09 pm

[quote="mrz"]RouterOS OpenVPN does not support LZO and UDP and most likely support for them will not be added in the near future.[/quote]

I really think MT should address the problem. We were under the impression ROS can support ovpn. As far as I am concerned, lzo-comp is a standard used often on Linux machines. So the need to incorporate it into ROS does exist.
 
tierpath
newbie
Posts: 47
Joined: Wed Oct 22, 2008 5:24 am

Re: ovpn can't support lzo compress?

Wed Oct 22, 2008 5:38 am

Unfortunately we have to read the fine print, and the manual. Mikrotik's position on this is that they added OpenVPN TCP support because it could get through proxies and firewalls easily, and if we want UDP, use L2TP because their version doesn't utilize the IP-SEC Auth portion, and is UDP only. They are focusing on other features and OpenVPN UDP support is not a priority, and won't be in ROS 4 most likely.

I didn't even think to ask about LZO compression; now that I know it's not in, that makes it even more crippled.

The only recourse I got from them to remedy this is to vote the feature in via the Wiki, so if you want it please go to the wiki and vote it in. Otherwise you can build an OpenVPN box from *BSD/Linu* or you can use PFSense like I do for OpenVPN.
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg

Re: ovpn can't support lzo compress?

Mon Oct 27, 2008 12:09 am

Apologies on extremely slow response!

Been Busy :p

Could you post the link to the section where one can vote on these features?


Thanks
 
tierpath
newbie
Posts: 47
Joined: Wed Oct 22, 2008 5:24 am

Re: ovpn can't support lzo compress?

Mon Oct 27, 2008 7:34 pm

 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg

Re: ovpn can't support lzo compress?

Mon Oct 27, 2008 7:40 pm

ThankX Mate.
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg

Re: ovpn can't support lzo compress?

Tue Jul 07, 2009 11:59 am

[quote="mrz"]RouterOS OpenVPN does not support LZO and UDP and most likely support for them will not be added in the near future.[/quote]

Has this by any chance been done yet?



Regards
 
mrz
MikroTik Support
Posts: 5960
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ovpn can't support lzo compress?

Tue Jul 07, 2009 12:39 pm

Not yet
 
carus
just joined
Posts: 16
Joined: Sat Mar 12, 2005 11:49 pm

Re: ovpn can't support lzo compress?

Tue Jul 07, 2009 6:14 pm

I too am in need of LZO compression over UDP.

I went to the Feature Request page - http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests

But the only OpenVPN request I see is: (Votes: 18) OpenVPN support (with virtual Ethernet interface and support TCP transport support)

Which doesn't sound like what I/we need.

Which is the request to vote for for the above LZO and UDP features?

Thanks
 
carus
just joined
Posts: 16
Joined: Sat Mar 12, 2005 11:49 pm

Re: ovpn can't support lzo compress?

Wed Jul 15, 2009 4:29 pm

Hi MRZ,

So when you say "not yet," do you mean Not Yet, we're putting it into one of the next revisions? Or do you mean Not Yet, we don't really have this on the table and probably won't? :)

Just curious.

Our problem is that we have about 60 locations already deployed with OpenVPN using DD-WRT. But those boxes, not the OS just the hardware, are kind of buggy. I've used Mikrotik quite a bit and have convinced my bosses to try it out. So we'd like to start replacing those 60 sites with Mikrotik boxes, but we can't change the whole infrastructure of the VPN right now. Plus there are some locations that tunnel through other companies' internet, i.e. it's not our internet, so UDP allows us to do so without having to ask them to open ports, etc.

Right now the only thing holding us up is the implementation of OpenVPN with LZO and UDP.

I know 60 itself isn't that huge of a number, but we have that many, there must be others with quite a few sites that are just waiting for this one hurdle to get jumped.

Feedback?

Thanks
 
cdiggity
newbie
Posts: 31
Joined: Fri Oct 31, 2008 12:40 pm

Re: ovpn can't support lzo compress?

Thu Jul 16, 2009 2:47 am

Added my vote for complete OpenVPN server support on the wiki.
I wouldn't have thought it would be all that difficult seeing how it is all open source, but as I can see from the request list there is a lot of work for Mikrotik programmers to do.

When people say UDP isn't supported, do they mean openVPN connections on mikrotik can't carry UDP packets, or openVPN connections can't use UDP as the transport layer?
 
mrz
MikroTik Support
Posts: 5960
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ovpn can't support lzo compress?

Thu Jul 16, 2009 10:51 am

You definitely will not see UDP and LZO support in v3.x
If UDP tunnels are needed then L2TP can be used instead.
 
cdiggity
newbie
Posts: 31
Joined: Fri Oct 31, 2008 12:40 pm

Re: ovpn can't support lzo compress?

Fri Jul 17, 2009 10:32 am

Does this mean UDP can't be tunneled over OpenVPN, or that OpenVPN tunnels can carry both TCP and UDP traffic but OpenVPN can only use TCP as the transport and not UDP?
 
mrz
MikroTik Support
Posts: 5960
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ovpn can't support lzo compress?

Fri Jul 17, 2009 10:41 am

You can carry any type of IP packets over an OVPN tunnel.
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg

Re: ovpn can't support lzo compress?

Wed Jul 22, 2009 5:26 pm

[quote="mrz"]You definitely will not see UDP and LZO support in v3.x
If UDP tunnels are needed then L2TP can be used instead.[/quote]

Why not? What would be the reason for this?
UDP and LZO is the default option for OpenVPN on Linux, therefore that is the way we have it set up. Now we cannot join any customers choosing to use Mikrotik to our existing infrastructure.
 
mrz
MikroTik Support
Posts: 5960
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ovpn can't support lzo compress?

Thu Jul 23, 2009 11:26 am

We can't add these features right now.
If you really need OVPN with UDP and LZO support on a MikroTik router, then one option is to add a virtual router running another OS that supports these OVPN features, for example
http://wiki.mikrotik.com/wiki/Metaroute ... al_machine
 
yahel
just joined
Posts: 2
Joined: Sun Aug 02, 2009 10:55 pm

Random Number Generator problems under MetaRouter !

Mon Aug 03, 2009 3:33 am

I agree - OpenVPN over TCP is rather pointless, moreover without LZO, hemm... Better remove OpenVPN from the list of features..
Anyways - running OpenWRT inside MetaRouter seems like a good direction...

However - using the pre-made by Mikrotik, OpenWRT image and the pre-compiled packages with it...
I get this error when running OpenVPN under Metarouter:
"ERROR: Random number generator cannot obtain entropy for PRNG."

This is RouterOS v3.27 on RB493

I suspect some Xen configuration errors in the RouterOS...
FWIW - /dev/random does not produce anything... (/dev/urandom does seem ok).

Ideas ?

Thanks,

Yahel.
root@OpenWrt:~# uname -a
Linux OpenWrt 2.6.27.21 #1 Thu Jun 11 17:02:37 EEST 2009 mips unknown
root@OpenWrt:~# cat /proc/cpuinfo 
system type             : Mikrotik MetaROUTER
processor               : 0
cpu model               : MIPS 4Kc V0.10
BogoMIPS                : 198.65
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

root@OpenWrt:~# openvpn --config /etc/openvpn/airjaldi-1.conf 
Mon Aug  3 00:31:56 2009 us=66611 OpenVPN 2.1_rc18 mips-openwrt-linux [SSL] [LZO2] built on Jul 17 2009
Mon Aug  3 00:31:56 2009 us=75097 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Aug  3 00:31:56 2009 us=77613 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Aug  3 00:31:56 2009 us=185913 ERROR: Random number generator cannot obtain entropy for PRNG
Mon Aug  3 00:31:56 2009 us=189398 Exiting
root@OpenWrt:~# 
 
thavinci
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg

Re: ovpn can't support lzo compress?

Tue Aug 04, 2009 1:04 pm

None here, haven't got XEN working for me yet.
 
jasejames
Frequent Visitor
Posts: 63
Joined: Fri Jun 26, 2009 11:04 am

Re: ovpn can't support lzo compress?

Wed Aug 19, 2009 1:13 am

I think that the OVPN could do with DHCP push options to be manually settable.

Some options (route gateway, DNS server, WINS server) are already available. So surely adding arbitrary values should be a simple addition?
