alphalt
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

MikroTik as OpenVPN client

Wed Dec 23, 2009 5:03 pm

Hello all,

I'm trying to set up MikroTik as an OpenVPN client but with no success. I have done everything as in the Wiki, but nothing works. My problem is the same as here: http://forum.mikrotik.com/viewtopic.php?f=1&t=21087. No solutions so far. My server is DD-WRT on a WRT350N router. OK, you can tell me that the configuration in DD-WRT is wrong or that I get no support here for DD-WRT, but using the OpenVPN client for Windows I have no problems connecting to DD-WRT. I use the OpenVPN client with GUI on Windows. So I think it might be some problem in configuration or compatibility. Can you provide any help?
 
rpress
Member Candidate
Posts: 113
Joined: Thu May 07, 2009 5:13 am

Re: MikroTik as OpenVPN client

Wed Dec 23, 2009 10:14 pm

Did you try smaller than a 7 character password? A known issue, greater than 7 characters does not work, at least with MT-MT OVPN.

Make sure you open TCP 1194 in the firewall. Try to reboot the MikroTik.
 
alphalt
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: MikroTik as OpenVPN client

Wed Dec 23, 2009 10:41 pm

Hi,

Thank you very much for your reply. It's very important for me to start this VPN connection, but now it seems that it is just not possible :(
Ok, my password was longer than 7 symbols and I made it shorter - 4 symbols. Restarted MikroTik. Nothing helps. Firewall has rule for VPN and I can see counter running of accepted packets. Furthermore I log all dropped/rejected packets and I didn't see any of VPN packets dropped.
So my config at RoS side is:
name="ovpn-out1" mac-address=00:00:00:00:00:00 max-mtu=1500 connect-to=x.x.x.x 
      port=1194 mode=ip user="user" password="password" profile=default certificate=client 
      auth=sha1 cipher=aes256 add-default-route=no
In the beginning there was no user/pass at the DD-WRT side, but later I implemented it and again had no problems connecting to it using OpenVPN GUI. The computer from which I connect is behind the same MikroTik router and has no problems at all. Here is what I get at the DD-WRT side:
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: MULTI: multi_create_instance called
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: Re-using SSL/TLS context
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: Control Channel MTU parms ......
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: Data Channel MTU parms ....
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: TCP connection established with x.x.x.x:60200
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: Socket Buffers: R=[65534->65534] S=[65534->65534]
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: TCPv4_SERVER link local: [undef]
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: TCPv4_SERVER link remote: x.x.x.x:60200
Dec 23 22:23:25 xxx daemon.notice openvpn[790]: x.x.x.x:60200 TLS: Initial packet from x.x.x.x:60200, sid=c142180d 5752099f
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 VERIFY OK: depth=1, /C=LT/ST=LT/L=LT/O=home/CN=server/emailAddress=no@mail.com
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 VERIFY OK: depth=0, /C=LT/ST=LT/L=LT/O=home/CN=client/emailAddress=no@mail.com
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 TLS: Username/Password authentication succeeded for username 'user' 
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec 23 22:23:26 xxx daemon.err openvpn[790]: x.x.x.x:60200 Connection reset, restarting [0]
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: x.x.x.x:60200 SIGUSR1[soft,connection-reset] received, client-instance restarting
Dec 23 22:23:26 xxx daemon.notice openvpn[790]: TCP/UDP: Closing socket
It seems that there are no problems with authentication. The connection just drops and the reason is not clear to me.
What I have tried:
1. cipher and auth set to none
2. tun and tap devices
3. reboot
4. 4 symbol password

Nothing helps. I get this error on MikroTik:
openvpn-out1: initializing...
openvpn-out1: dialing...
openvpn-out1: terminating... - unknown auth alg
openvpn-out1: disconnected
Please help me solve this problem because I don't sleep at nights :shock:
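
Added example, not part of the original post: a small Python check that walks the DD-WRT server log lines posted above and reports the furthest handshake milestone reached before the reset. The stage names and the `diagnose` function are illustrative; the `PUSH_REPLY` pattern is standard OpenVPN 2.x log wording that does not appear in the posted log.

```python
import re

# Handshake milestones in the order an OpenVPN 2.x server logs them at verb 3.
STAGES = [
    ("tcp_connected",      r"TCP connection established"),
    ("tls_started",        r"TLS: Initial packet"),
    ("cert_verified",      r"VERIFY OK: depth=0"),
    ("user_auth_ok",       r"Username/Password authentication succeeded"),
    ("data_channel_keyed", r"Data Channel Decrypt: Cipher"),
    # Not in the posted log: the line a server writes once it pushes options.
    ("options_pushed",     r"SENT CONTROL .*PUSH_REPLY"),
]
RESET = re.compile(r"Connection reset, restarting")


def diagnose(lines):
    """Return (furthest stage reached, True if a connection reset was logged).

    Handles the log lines of a single client session.
    """
    furthest = -1
    for line in lines:
        if RESET.search(line):
            return (STAGES[furthest][0] if furthest >= 0 else None, True)
        for idx, (_, pattern) in enumerate(STAGES):
            if re.search(pattern, line):
                furthest = max(furthest, idx)
    return (STAGES[furthest][0] if furthest >= 0 else None, False)


# Lines copied from the DD-WRT log in the post above (syslog prefix shortened).
SAMPLE = """\
openvpn[790]: TCP connection established with x.x.x.x:60200
openvpn[790]: x.x.x.x:60200 TLS: Initial packet from x.x.x.x:60200, sid=c142180d 5752099f
openvpn[790]: x.x.x.x:60200 VERIFY OK: depth=0, /C=LT/ST=LT/L=LT/O=home/CN=client/emailAddress=no@mail.com
openvpn[790]: x.x.x.x:60200 TLS: Username/Password authentication succeeded for username 'user'
openvpn[790]: x.x.x.x:60200 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
openvpn[790]: x.x.x.x:60200 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
openvpn[790]: x.x.x.x:60200 Connection reset, restarting [0]
""".splitlines()

if __name__ == "__main__":
    stage, reset = diagnose(SAMPLE)
    print(f"furthest stage: {stage}; connection reset logged: {reset}")
```

On the posted log this reports that certificate verification, username/password authentication and data-channel key setup all completed on the server, and that the reset was logged before any option push.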
 
rpress
Member Candidate
Posts: 113
Joined: Thu May 07, 2009 5:13 am

Re: MikroTik as OpenVPN client

Wed Dec 23, 2009 10:56 pm

Are you logging ovpn at debug level like so:
/system logging add action=memory disabled=no prefix="" topics=ovpn,debug

Unfortunately I have noticed that the OVPN in MikroTik does not have very good debug output. It looks to me like the DD-WRT is proposing cypher and auth and MikroTik rejects it and disconnects.

What does your DD-WRT OVPN config look like?
 
alphalt
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: MikroTik as OpenVPN client

Wed Dec 23, 2009 11:04 pm

Hi,
> Are you logging ovpn at debug level like so:
> /system logging add action=memory disabled=no prefix="" topics=ovpn,debug

I was using by default. Now I made like you propose.

> What does your DD-WRT OVPN config look like?

Here it is:
proto tcp-server
port 1194
dev tun0
tls-server
keepalive 10 120
tmp-dir /tmp/openvpn
script-security 3
verb 3
cipher AES-256-CBC
auth SHA1
auth-nocache
auth-user-pass-verify /tmp/custom.sh via-file

ifconfig-pool-persist /tmp/ipp.txt

push "route 192.168.60.0 255.255.255.0"
server 192.168.63.0 255.255.255.0

persist-key
persist-tun

status /tmp/openvpn-status.log
ca /tmp/openvpn/ca.crt
dh /tmp/openvpn/dh.pem
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
I want to mention that I have tried all combinations with cipher and auth. Also I have tested
cipher none
auth none
Results are the same.
Thanks for helping me.
 
roadracer96
Forum Veteran
Posts: 730
Joined: Tue Aug 25, 2009 12:01 am

Re: MikroTik as OpenVPN client

Thu Dec 24, 2009 4:11 am

FWIW, I have about 50 450G/433s connected to a PC/Linux OpenVPN 2.1 server using certificates/radius to authenticate/obtain config.

One thing that I noticed that is different between MT and other clients is how the route lines need to be worded. I can't remember what it was, but there was something different between Windows clients connecting and MT clients connecting.
 
alphalt
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: MikroTik as OpenVPN client

Thu Dec 24, 2009 12:37 pm

Hi,

Adding debugging support gave me only one extra line, which tells me the same thing: unknown auth alg. Not much help from this debug info....
Maybe MikroTik support team will also look at this topic and tell at least how to get more debugging information because now I get no clue what is going on.
 
alphalt
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: MikroTik as OpenVPN client

Thu Dec 24, 2009 12:40 pm

> One thing that I noticed that is different between MT and other clients is how the route lines need to be worded.

What do you mean by that? I have no problems connecting to the server from a Windows PC. The problem is only from MT. I think route lines are not a problem here. My connection is constantly dropping. It's not about routes.
 
alphalt
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: MikroTik as OpenVPN client

Thu Dec 24, 2009 3:36 pm

Hello again,

I have even changed the Linksys router to a newer model and installed the latest firmware with OpenVPN support. The problem is the same, with the same error messages. From Windows everything is OK again. I'm totally lost.
 
Pada
Member Candidate
Posts: 150
Joined: Tue Dec 08, 2009 11:37 pm
Location: South Africa, Stellenbosch

Re: MikroTik as OpenVPN client

Wed Jan 06, 2010 3:20 am

Ensure that the MikroTik's date & time is set correctly. It's best if you could use NTP to automatically obtain the date & time. Without the correct date, the certificates wouldn't be valid.
 
alphalt
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: MikroTik as OpenVPN client

Wed Jan 06, 2010 8:12 am

Hi,

Yes, date and time are correct and I use NTP. If date and time are not correct, the error message is different. Anyway, I gave up on this, as for me it's not possible to get even some debug information. Linksys resets the connection and MikroTik just says that the auth algo is not supported. That's just not too much info anyway.
 
XTLMeth
Frequent Visitor
Posts: 57
Joined: Mon Sep 07, 2009 7:10 am

Re: MikroTik as OpenVPN client

Fri Jan 08, 2010 8:20 am

I like MikroTik a lot but the OpenVPN is *not* stable and it is hard to get it to work with other OpenVPN daemons on other platforms. I have 2 MikroTiks with OpenVPN running. One of them is a server for ten users to VPN to the MikroTik router and the other is a MikroTik router that connects to a Linux OpenVPN server. They work once you iron out the kinks, but I have found that the MikroTik client disconnects and reconnects a lot because it seems to be ignoring the keep-alive packets from the server. The other issue is I have yet to see any MikroTik with OpenVPN work for more than a month. I usually have to reboot the router once a month for it to keep working. I would suggest using PPTP if you don't mind a little less security.

I can post my configuration but I'm not using dd-wrt so it may not help you at all.
 
roadracer96
Forum Veteran
Posts: 730
Joined: Tue Aug 25, 2009 12:01 am

Re: MikroTik as OpenVPN client

Fri Jan 08, 2010 8:38 am

I currently have 14 routers with over 60 days of uptime. Another 20ish with over 30 days as openvpn clients. Until today, they were connected to a linux openvpn server. Just switched them over to connect to a RB1000.

I find it to be completely stable once you finger it all out.
 
alphalt
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: MikroTik as OpenVPN client

Fri Jan 08, 2010 8:41 am

Hi,

Thanks for sharing some experience here with us.
> I can post my configuration but I'm not using dd-wrt so it may not help you at all.

Yes, I think so. I have a lot of different configurations from *working* systems, but still with no luck. I solved my problem by making DD-WRT the OpenVPN server, and all clients behind MikroTik have their own OpenVPN client software. In my case it is OK, I think.

@roadracer: I agree that they work together with each other or with Linux machines, but there are some real compatibility issues with the OpenVPN implementation on DD-WRT.
 
domadm
just joined
Posts: 11
Joined: Sat Feb 06, 2010 9:48 pm

Re: MikroTik as OpenVPN client

Tue Mar 23, 2010 2:20 am

alphalt, have you found any solution to the problem?
I am also trying to connect from a dd-wrt box (ovpn client) to MikroTik (ovpn server) and got the same "<unknown auth alg>"
 
alphalt
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: MikroTik as OpenVPN client

Tue Mar 23, 2010 8:18 am

Hello,

I'm sorry, but I haven't found any solution. And somehow I think it's the problem of dd-wrt. Maybe need to wait for newer releases of dd-wrt.
 
domadm
just joined
Posts: 11
Joined: Sat Feb 06, 2010 9:48 pm

Re: MikroTik as OpenVPN client

Fri Mar 26, 2010 2:16 am

Hello,

> I'm sorry, but I haven't found any solution. And somehow I think it's the problem of dd-wrt. Maybe need to wait for newer releases of dd-wrt.

I have tried with tomato as well, the problem remains same :(
I bet it is a routeros problem (openvpn implementation is quite poor here)

Regards
 
alphalt
Member Candidate
Topic Author
Posts: 100
Joined: Sat Aug 01, 2009 1:53 pm
Location: Denmark

Re: MikroTik as OpenVPN client

Fri Mar 26, 2010 8:05 am

Then the only thing left is to wait for ROS v5 and check again.
