V6.10 and openVPN

manuelm · Tue Feb 18, 2014 9:19 am

Hi everyone,

I haven't been able to use openVPN with the latest version 6.10. My configuration only works if I downgrade the router to version 5.26
Has anyone been able to set this up?
the certificate menu has more options now, maybe I'm missing a step. Could any one help me with the setup?

I already enable openVPN server, setup the firewall rule, setup a user and profile.
The VPN starts working if I downgrade to v5.26

Thank you!

nerdtron · Tue Feb 18, 2014 11:34 am

What particular settings are you having problems?
I'm using openvpn and routerOS version 6.10 with no issues so far. I'm using certificates too.

Also, try to look at the logs of your OpenVPN server.

manuelm · Thu Feb 27, 2014 7:21 pm

I just can't connect. If I downgrade to 5.26 it works fine, but as soon as I upgrade to 6.10. I get the following

On the VPN server
opvn,info TCP connection established from 70.36.130.100

On the VPN log

Thu Feb 27 09:18:34 2014 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Enter Management Password:
Thu Feb 27 09:18:34 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25350
Thu Feb 27 09:18:34 2014 Need hold release from management interface, waiting...
Thu Feb 27 09:18:35 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25350
Thu Feb 27 09:18:35 2014 MANAGEMENT: CMD 'state on'
Thu Feb 27 09:18:35 2014 MANAGEMENT: CMD 'log all on'
Thu Feb 27 09:18:35 2014 MANAGEMENT: CMD 'hold off'
Thu Feb 27 09:18:35 2014 MANAGEMENT: CMD 'hold release'
Thu Feb 27 09:18:39 2014 MANAGEMENT: CMD 'username "Auth" "Jose"'
Thu Feb 27 09:18:39 2014 MANAGEMENT: CMD 'password [...]'
Thu Feb 27 09:18:39 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Feb 27 09:18:39 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Feb 27 09:18:39 2014 Attempting to establish TCP connection with [AF_INET]51.185.136.58:62337
Thu Feb 27 09:18:39 2014 MANAGEMENT: >STATE:1393521519,TCP_CONNECT,,,
Thu Feb 27 09:18:39 2014 TCP connection established with [AF_INET]51.185.136.58:62337
Thu Feb 27 09:18:39 2014 TCPv4_CLIENT link local: [undef]
Thu Feb 27 09:18:39 2014 TCPv4_CLIENT link remote: [AF_INET]51.185.136.58:62337
Thu Feb 27 09:18:39 2014 MANAGEMENT: >STATE:1393521519,WAIT,,,
Thu Feb 27 09:18:39 2014 MANAGEMENT: >STATE:1393521519,AUTH,,,
Thu Feb 27 09:18:39 2014 TLS: Initial packet from [AF_INET]51.185.136.58:62337, sid=b38aedfa 8c5291c4
Thu Feb 27 09:18:40 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Feb 27 09:18:40 2014 VERIFY OK: depth=0, C=YS, ST=CA, L=SF, O=asdf.asdf, OU=ITt, CN=wlrer.ljwer, emailAddress=lkjwe@ljwer.com
Thu Feb 27 09:18:40 2014 Connection reset, restarting [0]
Thu Feb 27 09:18:40 2014 SIGUSR1[soft,connection-reset] received, process restarting
Thu Feb 27 09:18:40 2014 MANAGEMENT: >STATE:1393521520,RECONNECTING,connection-reset,,
Thu Feb 27 09:18:40 2014 Restart pause, 5 second(s)
Thu Feb 27 09:18:45 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Feb 27 09:18:45 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Feb 27 09:18:45 2014 Attempting to establish TCP connection with [AF_INET]51.185.136.58:62337
Thu Feb 27 09:18:45 2014 MANAGEMENT: >STATE:1393521525,TCP_CONNECT,,,
Thu Feb 27 09:18:45 2014 TCP connection established with [AF_INET]51.185.136.58:62337
Thu Feb 27 09:18:45 2014 TCPv4_CLIENT link local: [undef]
Thu Feb 27 09:18:45 2014 TCPv4_CLIENT link remote: [AF_INET]51.185.136.58:62337
Thu Feb 27 09:18:45 2014 MANAGEMENT: >STATE:1393521525,WAIT,,,
Thu Feb 27 09:18:45 2014 MANAGEMENT: >STATE:1393521525,AUTH,,,
Thu Feb 27 09:18:45 2014 TLS: Initial packet from [AF_INET]51.185.136.58:62337, sid=57fa376b dfd986bc
Thu Feb 27 09:18:46 2014 VERIFY OK: depth=0, C=YS, ST=CA, L=SF, O=asdf.asdf, OU=ITt, CN=wlrer.ljwer, emailAddress=lkjwe@ljwer.com
Thu Feb 27 09:18:46 2014 Connection reset, restarting [0]
Thu Feb 27 09:18:46 2014 SIGUSR1[soft,connection-reset] received, process restarting
Thu Feb 27 09:18:46 2014 MANAGEMENT: >STATE:1393521526,RECONNECTING,connection-reset,,
Thu Feb 27 09:18:46 2014 Restart pause, 5 second(s)

Sob · Thu Feb 27, 2014 9:46 pm

Did you customize the list of server ciphers? If you did and removed Blowfish without forcing another cipher on client, it won't connect, because it uses Blowfish by default.

DogHead · Sun Mar 02, 2014 12:28 pm

As far as I can tell the entire certificate management infrastructure of ROS is completely broken.

We had routers running from 4.x to 5.26 that all could easily import certificates, configure OVPN, PPTP and L2TP. In 6.x nothing seems to work and it is impossible to diagnose.

As a start, there appears to be no way to import CA certificates. Have tried importing root certs from StartSSL and CACert, as well as self signed certs and none appear to be recognized or flagged as CA. So I am guessing that crypto may not be working because of this. I checked the certs with openssl -purpose and they are all correct. I can make OpenVPN work on windows with these certs.

The interface in ROS for certificates is not documented anywhere. There is no reference point for anyone to use. How can we use the product when the manual is completely out of date and not related at all to current interface.

Winbox seems to be out of sync with command line. You can look at one and get a completely different result than the other.

Version 6 just seems to be a complete mess. I think our best bet is to go back to 5.26 or use OpenWRT.

This has got to get fixed...

V6.10 and openVPN

V6.10 and openVPN

Re: V6.10 and openVPN

Re: V6.10 and openVPN

Re: V6.10 and openVPN

Re: V6.10 and openVPN

Who is online