cmkpl
just joined
Topic Author
Posts: 13
Joined: Sat Dec 06, 2014 7:04 pm

OVPN client "TLS failed" on RouterOS 7.6  [SOLVED]

Thu Jan 12, 2023 4:04 am

Hi,

I have heard from another source that the RouterOS 7.6 OVPN client supports UDP, TLS and compression. But when I try to connect to my Synology NAS OpenVPN server, it shows "TLS failed". Any idea? Thanks.

Here are my settings:
Synology: see attached.

RouterOS 7.6:
/interface ovpn-client
add auth=sha512 certificate=server.crt cipher=aes256 connect-to=xxxxx.synology.me mac-address=\
    XX:XX:XX:XX:XX:XX name="Peer" port=1194 profile=default-encryption protocol=udp use-peer-dns=no user=xxxxx
 
tomislav91
Member
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

Re: OVPN client "TLS failed" on RouterOS 7.6

Thu Jan 12, 2023 9:19 am

It appears that the issue may be related to the certificate being used. The error message "TLS failed" suggests that the client is unable to authenticate the server's certificate.

One possible cause is that the client is using a certificate from a different authority than the one used by the server. To verify, check that the certificate being used by the RouterOS client is the same as the one being used by the Synology NAS server.

Another possible cause is that the client is using an outdated certificate. Ensure that the certificate being used by the RouterOS client is up-to-date and has not expired.

Also, make sure you are using the correct "server.crt" file on the RouterOS client.

You can also check the Synology NAS server logs to see if there is any more information about the error.
 
cmkpl
just joined
Topic Author
Posts: 13
Joined: Sat Dec 06, 2014 7:04 pm

Re: OVPN client "TLS failed" on RouterOS 7.6

Thu Jan 12, 2023 10:53 am

Yes, I do know why now. The issue was that I had not imported the private key.

But after that, I encountered another issue. Initiation packets are being resent without the link really established.

Here is the debug log
 16:45:54 ovpn,info Peer: initializing...
 16:45:54 ovpn,info Peer: connecting...
 16:45:54 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:45:54 system,info device changed by admin
 16:45:54 ovpn,debug,packet sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:45:55 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:45:55 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:45:56 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:45:56 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:45:57 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:45:57 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:45:58 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:45:58 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:45:59 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:45:59 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:46:00 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:00 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:46:01 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:01 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:46:02 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:02 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:46:03 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:03 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:46:04 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:04 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:46:05 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:05 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:46:06 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:06 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:46:07 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:07 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:46:08 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:08 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:46:09 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:09 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
........

After a while, it shows
16:46:29 ovpn,info Peer: disconnected <TLS failed>
16:46:29 ovpn,info Peer: terminating... - TLS failed
16:46:29 ovpn,info Peer: disconnected
From the packet sniffer, I can see the server returns packets, but I am not sure whether they are understood by the router.
Last edited by cmkpl on Thu Jan 12, 2023 11:15 am, edited 1 time in total.
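
Added example, not part of the original posts: a small Python triage script for a RouterOS `ovpn,debug,packet` log like the one above. It groups packets by session id and reports whether the client ever logged a packet from the server or only retransmitted its own. The `rcvd` direction keyword is an assumption (the posted log contains no inbound lines), and the sample log is constructed from the lines shown in the post.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the log shape posted above.
SAMPLE_LOG = """\
 16:45:54 ovpn,info Peer: connecting...
 16:45:54 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:45:54 ovpn,debug,packet sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:45:55 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:45:55 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=bfc32e3632ba228 pid=1 DATA len=136
 16:45:56 ovpn,debug,packet re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=bfc32e3632ba228 pid=0 DATA len=0
 16:46:29 ovpn,info Peer: disconnected <TLS failed>
"""

# "rcvd" is assumed to be the keyword for inbound packets; pid is optional
# because acknowledgement-only packets may not carry one.
PACKET = re.compile(
    r"^\s*(\d\d:\d\d:\d\d)\s+ovpn,debug,packet\s+(sent|re-sent|rcvd)\s+"
    r"(P_\w+)\s+kid=\d+\s+sid=([0-9a-f]+)(?:.*?\bpid=(\d+))?"
)

def analyze(log_text, resend_threshold=2):
    """Summarise each client session (sid) and classify how the handshake went."""
    sessions = {}
    tls_failed = "TLS failed" in log_text
    for line in log_text.splitlines():
        m = PACKET.match(line)
        if not m:
            continue  # info lines, other topics, "........" elisions
        ts, direction, opcode, sid, pid = m.groups()
        s = sessions.setdefault(
            sid, {"first": ts, "last": ts, "rcvd": 0, "resent": Counter()})
        s["last"] = ts
        if direction == "rcvd":
            s["rcvd"] += 1
        elif direction == "re-sent":
            s["resent"][(opcode, int(pid) if pid else None)] += 1
    for s in sessions.values():
        worst = max(s["resent"].values(), default=0)
        if s["rcvd"] == 0 and worst >= resend_threshold:
            s["verdict"] = "no-inbound"  # client never logged a server packet
        elif worst >= resend_threshold:
            s["verdict"] = "stalled"     # server answered, then progress stopped
        else:
            s["verdict"] = "ok"
        s["tls_failed"] = tls_failed
    return sessions

if __name__ == "__main__":
    for sid, s in analyze(SAMPLE_LOG).items():
        print(sid, s["verdict"], s["first"], "->", s["last"], dict(s["resent"]))
```

A `no-inbound` verdict means the failure happened before any TLS exchange was logged, so transport, framing and firewall settings are the first things to compare, rather than certificates.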
 
cmkpl
just joined
Topic Author
Posts: 13
Joined: Sat Dec 06, 2014 7:04 pm

Re: OVPN client "TLS failed" on RouterOS 7.6

Thu Jan 12, 2023 11:09 am

The .ovpn file exported from NAS
dev tun
tls-client

remote xxx 1194


pull

proto udp

script-security 2


comp-lzo

reneg-sec 0

cipher AES-256-CBC

auth SHA512

auth-user-pass
 
tomislav91
Member
Posts: 303
Joined: Fri May 26, 2017 12:47 pm

Re: OVPN client "TLS failed" on RouterOS 7.6

Thu Jan 12, 2023 4:51 pm

It seems that the packets are being repeatedly sent without being acknowledged by the server, which is preventing the link from being established.

Here are a few things you can try to troubleshoot this issue:

Check the server settings to make sure that the server is configured to accept connections from the RouterOS client.
Check the firewall settings on both the RouterOS client and the Synology NAS server to ensure that they are configured to allow the OpenVPN traffic.
Make sure that the RouterOS client is using the correct settings for the OpenVPN server on the Synology NAS.
Check your router settings to see whether it is blocking some ports; this could prevent the connection from being established.
Try disabling the 'Hard reset' option on the RouterOS client configuration.
You can also try to use a different transport protocol (TCP instead of UDP) or try a different cipher algorithm.
Also, you can try to check the OpenVPN server logs on the Synology NAS to see if there are any errors or messages that could provide more information about the issue.
 
cmkpl
just joined
Topic Author
Posts: 13
Joined: Sat Dec 06, 2014 7:04 pm

Re: OVPN client "TLS failed" on RouterOS 7.6

Sun Jan 15, 2023 12:19 pm

Thanks for your help. The connection works after modifying the following settings:
Change to tcp
Disable compression
 
Lukasz85
just joined
Posts: 8
Joined: Wed Jul 28, 2021 10:34 am

Re: OVPN client "TLS failed" on RouterOS 7.6

Mon Jan 16, 2023 1:06 pm

Hi, I'm trying to do the same. How did you configure the certificate? What part of it did you import?
 
cmkpl
just joined
Topic Author
Posts: 13
Joined: Sat Dec 06, 2014 7:04 pm

Re: OVPN client "TLS failed" on RouterOS 7.6

Mon Jan 16, 2023 1:13 pm

I imported the CA cert with the private key exported from the NAS (I don’t know why the private key is required🤔)
 
Lukasz85
just joined
Posts: 8
Joined: Wed Jul 28, 2021 10:34 am

Re: OVPN client "TLS failed" on RouterOS 7.6

Mon Jan 16, 2023 1:23 pm

Yes, but how did you do that? I'm trying to, but with no success.
 
cmkpl
just joined
Topic Author
Posts: 13
Joined: Sat Dec 06, 2014 7:04 pm

Re: OVPN client "TLS failed" on RouterOS 7.6

Tue Jan 17, 2023 3:38 am

You may export here. And import the CA pem files including the cert and key in RouterOS