I have followed the Wiki at http://wiki.mikrotik.com/wiki/OpenVPN but no connection is possible.
Description:
I have generated a CA certificate at cacert.org, and imported it on the server.
Mikrotik OVPN Server config:
[admin@MT] > interface ovpn-server export
# mar/05/2009 11:27:46 by RouterOS 3.20
# software id = XXXX-LTT
#
/interface ovpn-server
add comment="" disabled=yes name=OVPN-server user=anders
/interface ovpn-server server
set auth=sha1,md5 certificate=cert1 cipher=blowfish128,aes128,aes192,aes256 default-profile=VPN_profile enabled=yes keepalive-timeout=disabled \
mac-address=FE:89:4C:C3:9F:77 max-mtu=1500 mode=ethernet netmask=24 port=1194 require-client-certificate=no
[admin@MT] > /ppp profile export
# mar/05/2009 11:28:08 by RouterOS 3.20
# software id = XXXX-LTT
#
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default use-compression=default use-encryption=default use-vj-compression=default
add bridge=bridge1 change-tcp-mss=default comment="" local-address=192.168.1.200 name=VPN_profile only-one=default remote-address=VPN-pool \
use-compression=default use-encryption=required use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption only-one=default use-compression=default use-encryption=yes \
use-vj-compression=default
[admin@MT] /certificate pr
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
0 KR name="cert1" subject=CN=<domain name> issuer=O=Root CA,OU=http:,,www.cacert.org,CN=CA Cert Signing Authority,emailAddress=support@cacert.org
serial-number="068954" invalid-before=mar/05/2009 06:06:43 invalid-after=sep/01/2009 06:06:43 ca=yes
[admin@MT] >
Mikrotik OVPN client config:
[admin@MT] > interface ovpn-client export
# mar/05/2009 11:34:01 by RouterOS 3.14
# software id = XXXX-PTT
#
/interface ovpn-client
add add-default-route=no auth=sha1 certificate=cert1 cipher=aes256 comment="" \
connect-to=<OVPN_server_IP> disabled=yes mac-address=FE:67:55:A0:52:E9 \
max-mtu=1500 mode=ethernet name=ovpn-out1 password=<pass> port=1194 \
profile=default user=<user>
[admin@MT] > /certificate pr
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
0 KR name="cert1" subject=CN=<domain name>
issuer=O=Root CA,OU=http:,,www.cacert.org,CN=CA Cert Signing Authority,
emailAddress=support@cacert.org
serial-number="068954" invalid-before=mar/05/2009 06:06:43
invalid-after=sep/01/2009 06:06:43 ca=yes
However, when it comes to the XP client I am a little stuck:
Client configuration file on XP computer:
proto tcp-client
remote <server IP> 1194 # Remote OpenVPN Servername or IP address
dev tap
nobind
persist-key
tls-client
ca ca.crt # Root certificate in the same directory as this configuration file.
#Avoid message that server cert verification method is not enabled: (needed?)
ns-cert-type server
ping 10
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass
Tue Mar 03 14:02:35 2009 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Tue Mar 03 14:02:45 2009 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Mar 03 14:02:45 2009 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Tue Mar 03 14:02:45 2009 Control Channel MTU parms [ L:1591 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Mar 03 14:02:45 2009 Data Channel MTU parms [ L:1591 D:1450 EF:59 EB:4 ET:32 EL:0 ]
Tue Mar 03 14:02:45 2009 Local Options hash (VER=V4): 'b60e7885'
Tue Mar 03 14:02:45 2009 Expected Remote Options hash (VER=V4): 'fbeb66e6'
Tue Mar 03 14:02:45 2009 Attempting to establish TCP connection with XX.XXZ.163.44:1194
Tue Mar 03 14:02:45 2009 TCP connection established with XX.XX.163.44:1194
Tue Mar 03 14:02:45 2009 TCPv4_CLIENT link local: [undef]
Tue Mar 03 14:02:45 2009 TCPv4_CLIENT link remote: XX.XX.163.44:1194
Tue Mar 03 14:02:45 2009 TLS: Initial packet from XX.XX.163.44:1194, sid=d7784197 e3689903
Tue Mar 03 14:02:48 2009 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=<domain name>
Tue Mar 03 14:02:48 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Mar 03 14:02:48 2009 TLS Error: TLS object -> incoming plaintext read error
Tue Mar 03 14:02:48 2009 TLS Error: TLS handshake failed
Tue Mar 03 14:02:48 2009 Fatal TLS error (check_tls_errors_co), restarting
Tue Mar 03 14:02:48 2009 TCP/UDP: Closing socket
Tue Mar 03 14:02:48 2009 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 03 14:02:48 2009 Restart pause, 5 second(s)
.
.
14:03:18 ovpn,debug OPENVPN: <XXX.XX.148.78>: disconnected <peer
disconnected>
14:03:18 ovpn,debug <XXX.XX.148.78>: disconnected <peer disconnected>
14:03:18 ovpn,info <ovpn-0>: terminating... - peer disconnected
14:03:18 ovpn,info OPENVPN: <ovpn-0>: terminating... - peer disconnected
14:03:18 ovpn,info <ovpn-0>: disconnected
14:03:18 ovpn,info OPENVPN: <ovpn-0>: disconnected
14:03:23 ovpn,info TCP connection established from XXX.XX.148.78
14:03:23 ovpn,info OPENVPN: TCP connection established from XXX.XX.148.78
14:03:23 ovpn,info <ovpn-0>: dialing...
14:03:23 ovpn,info OPENVPN: <ovpn-0>: dialing...
14:03:23 ovpn,debug OPENVPN: <XXX.XX.148.78>: disconnected <peer
disconnected>
14:03:23 ovpn,debug <XXX.XX.148.78>: disconnected <peer disconnected>
.
.
It looks like the "VERIFY ERROR: depth=0, error=unable to get local issuer certificate:" message is where the trouble starts, and I believe that the subsequent error messages are caused by this.
The certificate on the server is renamed to ca.crt and stored in the OpenVPN\Config folder on the client. I know it is referred to, because if I rename it or edit some part of it, the connection attempt halts at a much earlier stage, complaining about ca.crt.
So what does this "VERIFY ERROR:" message mean?
In a lot of the configs found at the openvpn.org website and elsewhere on the net, the XP config file contains the settings "cert" and "key", referring to a client certificate and a key.
As the wiki example does not include these settings, it should not be necessary to generate any server/client certificates or keys?
The fact that MT-MT works is also a kind of proof that the CA certificate should be enough, or what?
I know that people out there have succeeded in what I am trying to do, so please help me find a way out!
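As an added example, not part of this post and not MikroTik or OpenVPN code: the OpenSSL message `VERIFY ERROR: depth=0, error=unable to get local issuer certificate` means that the file named by `ca` holds no certificate whose subject matches the issuer of the certificate the server presented and whose key verifies its signature, so the client cannot build a chain from the server certificate to a trusted CA. The Go program below reproduces that check offline with a throwaway CA and server certificate (the names `Test Root CA`, `Unrelated CA` and `vpn.example.test` are constructed, and `diagnoseAnchor`, `verifyChain` and `isUnknownAuthority` are this example's own functions). It reports four cases for what `ca.crt` might contain: the actual issuing CA, the server's own end-entity certificate, a CA with the same name but a different key, and an unrelated CA.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert adds serial and validity, then signs tmpl with parent's key (self-signed when parent is nil).
func makeCert(tmpl *x509.Certificate, parent *certAndKey) certAndKey {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	cert := must(x509.ParseCertificate(der))
	return certAndKey{cert, key}
}

// newCA builds a throwaway self-signed CA (constructed test data, not a CAcert root).
func newCA(name string) certAndKey {
	return makeCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// issueServerCert has ca sign an end-entity (cA=false) certificate for the OVPN server.
func issueServerCert(ca certAndKey, cn string) certAndKey {
	return makeCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, &ca)
}

// diagnoseAnchor says whether anchor (what ca.crt holds) is the issuer of leaf: CA flag, issuer name, then signature.
func diagnoseAnchor(leaf, anchor *x509.Certificate) (string, string) {
	if !anchor.IsCA {
		return "not-a-ca", "ca.crt holds an end-entity certificate, not a CA: " + anchor.Subject.String()
	}
	if !bytes.Equal(leaf.RawIssuer, anchor.RawSubject) {
		return "issuer-name-mismatch", fmt.Sprintf("leaf issuer %q != anchor subject %q", leaf.Issuer.String(), anchor.Subject.String())
	}
	if err := leaf.CheckSignatureFrom(anchor); err != nil {
		return "bad-signature", "names match but the anchor's key did not sign the leaf: " + err.Error()
	}
	return "ok", "anchor issued the server certificate"
}

// verifyChain is the client-side check: chain the server certificate to a root in ca.crt for the server role.
func verifyChain(leaf, anchor *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// isUnknownAuthority is Go's counterpart of OpenSSL's "unable to get local issuer certificate".
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	ca, impostor, other := newCA("Test Root CA"), newCA("Test Root CA"), newCA("Unrelated CA")
	srv := issueServerCert(ca, "vpn.example.test")
	for _, a := range []certAndKey{ca, srv, impostor, other} {
		cat, detail := diagnoseAnchor(srv.cert, a.cert)
		fmt.Printf("%-22s %s\n", cat, detail)
	}
	fmt.Println("unknown authority with unrelated CA:", isUnknownAuthority(verifyChain(srv.cert, other.cert)))
}
```

Run with `go run`; it prints one line per case, and only the issuing CA yields `ok` together with a successful chain verification. Go's `Verify` treats a leaf placed directly in the root pool as trusted, which OpenSSL's default chain building does not, so `diagnoseAnchor` tests the CA basic constraint explicitly instead of relying on `Verify` for that case. With real files, the same question is answered by `openssl verify -CAfile ca.crt server.crt`, run against the certificate the server actually presents.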