
OpenVPN Server error: TLS failed

Posted: Fri Aug 22, 2014 6:31 pm
by apteixeira
Hello MikroTik,

I am pretty sure there is a problem with OpenVPN Server running on RouterOS when you choose "require-client-certificate".

I tested several times using different chains of certificates.

The weird thing is that if you try the same configuration and certificates on version 5.26 (OpenVPN Server) it works, but when you do the same on version 6.18 it does not work.

Error: "TLS failed".

I tested with two types of OpenVPN clients: RouterOS and Windows. The result is the same.

The certificates are signed by the same CA.

I imported the CA, the client and the server certificate (including the private keys of each one) into each RouterOS and made sure that the NTP client was updated correctly. But the result is the same: TLS failed.

I tested with:
- My own certificates
- CACert
- GoDaddy

None of them work.

All the necessary files are here (rif included): https://www.dropbox.com/sh/6kjzx50yfgg8 ... PNhvn50ina

Any advice? Has someone tested it? Maybe I am doing something wrong with the certificates.

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Fri Aug 22, 2014 6:39 pm
by apteixeira
Note:

If I uncheck "require-client-certificate" it works.

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Fri Aug 22, 2014 6:52 pm
by Etz
If I were you I wouldn't share private key files publicly...

Hence, they are called private keys...

Re: OpenVPN Server error: TLS failed

Posted: Fri Aug 22, 2014 8:35 pm
by apteixeira
They are just for testing. I will generate them again. Thank you for your suggestion.

Re: OpenVPN Server error: TLS failed

Posted: Fri Aug 22, 2014 11:55 pm
by patrickmkt
Yes, I have the same problem since v6.9+.

See http://forum.mikrotik.com/viewtopic.php?f=2&t=86739
http://forum.mikrotik.com/viewtopic.php?f=2&t=87297

But so far there is no answer to this problem.

Re: OpenVPN Server error: TLS failed

Posted: Mon Aug 25, 2014 8:52 pm
by sanitycheck
New OpenVPN server configured in 6.18 router confirmed working here with Require Client Certificate checked, using self-signed certificates generated by XCA in Ubuntu. Testing client was OpenVPN GUI software client for Windows (OpenVPN.net).

This might not be your problem, but make sure your certificates (both CA and server) are present, and show status KAT for CA, and KT for server. The TLS error will occur at the client if the certificates have been imported into the server router but the associated key (PEM) files have not been imported/applied. In that case you don't see the K in the certificate status line.

I find the verbose output of the OpenVPN client for Windows running in a terminal window (instead of using the GUI) helpful for troubleshooting.

Re: OpenVPN Server error: TLS failed

Posted: Tue Aug 26, 2014 5:56 pm
by apteixeira
Hello sanitycheck,

Thank you for your answer.

I just followed these steps and it works: http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates

There must be something wrong with the certificate chain or the CRL.

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Tue Aug 26, 2014 6:46 pm
by apteixeira
Hello,

Another problem: after a successful implementation generating the certificates on one RouterOS, when I try to use the exported certificates with OVPN (require-client-certificate checked) on another RouterOS (including all the private keys) the error appears again: "TLS FAILED".

I followed this link to create them: http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates

Any idea?

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Tue Aug 26, 2014 7:16 pm
by apteixeira
Hello,

Found the problem. When the CRL is set it does not work. If I skip the CRL then it works.

Tested on several RouterBoards and x86.

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Tue Aug 26, 2014 7:50 pm
by apteixeira
Hello,

Confirmed. The problem happened when you set the CRL on the certificates.

Tested on several RouterBoards and it works without using CRL.

The certificates were generated by: OpenSSL and RouterOS (with both it works).

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Wed Oct 01, 2014 6:09 pm
by arturw
I can confirm that problem. In my environment an RB2011 works as OVPN server, with Windows clients. Certificates were generated in Microsoft CA (Windows Server 2008 R2) and, in a second environment, with OpenSSL.
If a CRL is defined and the option require-client-certificate is set, then clients cannot establish a connection.

I tried to reproduce the problem two times: when I found it after an upgrade (from 6.1 to 6.15), and after that when I built a separate clean environment from scratch for this test. So it is not bad luck.
I checked that the CRL file is downloaded from my CRL distribution point.
If I generate the certificate without the CRL option, it works with the option require-client-certificate.
For now I've tested RouterOS: 6.15, 6.18, 6.19

The problem was sent to MikroTik:
[Ticket#2014082766000625]

If anyone has any idea how to reproduce this problem, I can do more tests.

EDIT:
For now I've tested RouterOS: 6.15, 6.18, 6.19, 6.20

Re: OpenVPN Server error: TLS failed

Posted: Mon Oct 13, 2014 8:56 am
by alexac
I use an RB750GL as OVPN server. I tried to make certificates with openssl (following the wiki) and want to use them with the "require client certificate" option checked, and I always get a "TLS handshake failed" error. What's the problem?
I have two points to understand:
- do I need to import ca.key, or just ca.crt, to my router?
- if I have to create certificates with the CRL option disabled, how can I do this with openssl?
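
The two questions above (what the router needs, and how to issue certificates without a CRL option from openssl) and sanitycheck's "K flag" check are covered by the following script. It is an added example, not from this thread or from MikroTik: it builds a CA, a server and two client certificates with OpenSSL, signing client1 without any crlDistributionPoints extension and client2 with one so you can see what the difference looks like, and then runs the checks worth doing before importing anything: that each private key matches its certificate (the case behind a missing K flag is a certificate imported without its key), that the chain verifies with the EKU purpose OpenVPN's `remote-cert-tls` enforces, and that no CRL distribution point is present. It also shows decrypting a passphrase-protected key, as an `export-passphrase` export produces. The names (myCa, server, client1, client2), the work directory and the CRL URL are assumptions made for the example; the router itself only needs ca.crt, server.crt and server.key, never ca.key.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
# Names, directory and the CRL URL below are assumptions for the example.
set -eu
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# Extension sections. Note: none of ca_ext/server_ext/client_ext mentions
# crlDistributionPoints, so the certificates they produce carry no CRL DP.
# client_crl_ext adds one, only to show what has_crl_dp detects.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ client_crl_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://crl.example.invalid/myCa.crl
EOF

# make_ca: self-signed CA. ca.key stays on the signing machine only.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout myCa.key -out myCa.crt \
    -days 3650 -subj "/CN=myCa" -config ext.cnf -extensions ca_ext
}

# issue NAME SECTION: fresh key + CSR, signed by myCa with the given extensions
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ext.cnf
  openssl x509 -req -in "$1.csr" -CA myCa.crt -CAkey myCa.key -CAcreateserial \
    -out "$1.crt" -days 825 -extfile ext.cnf -extensions "$2"
}

# key_matches_cert CERT KEY: true when KEY is the private half of CERT's public key
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

# chain_ok CERT PURPOSE: verify against myCa.crt with purpose sslserver/sslclient,
# the same EKU check an OpenVPN client with `remote-cert-tls server` performs
chain_ok() {
  openssl verify -CAfile myCa.crt -purpose "$2" "$1" >/dev/null
}

# has_crl_dp CERT: true when the certificate carries a CRL distribution point
has_crl_dp() {
  openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'
}

# strip_passphrase IN PASS OUT: decrypt an encrypted PEM RSA key so the
# OpenVPN client can load it without prompting
strip_passphrase() {
  openssl rsa -in "$1" -passin "pass:$2" -out "$3"
}

make_ca >/dev/null 2>&1
issue server  server_ext     >/dev/null 2>&1
issue client1 client_ext     >/dev/null 2>&1
issue client2 client_crl_ext >/dev/null 2>&1

# Simulate a passphrase-protected export of client1's key, then decrypt it.
openssl rsa -in client1.key -aes256 -passout pass:xxxxxxxx -out client1.enc.key 2>/dev/null
strip_passphrase client1.enc.key xxxxxxxx client1.plain.key 2>/dev/null

for c in server client1 client2; do
  printf '%-8s key-matches=%s crl-dp=%s\n' "$c" \
    "$(key_matches_cert $c.crt $c.key && echo yes || echo no)" \
    "$(has_crl_dp $c.crt && echo yes || echo no)"
done
```

Import myCa.crt plus server.crt and server.key on the router; client1.crt, client1.plain.key and myCa.crt go to the client. If key_matches_cert prints no for the pair you are about to import, the router will show the certificate without the K flag and the handshake will fail exactly as described above.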

Re: OpenVPN Server error: TLS failed

Posted: Tue Oct 14, 2014 5:10 am
by Ambul
Guys, this is my first time trying to get OpenVPN setup on my Mikrotik.
I've read through the Wiki and I find the information vague and haven't had success.
Can someone provide me a concise guide to setting up OpenVPN?

The Mikrotik router is 10.0.10.1.

I'm confused about generating certificates. Can I just create them on the router?

I've also found this thread and am thinking to myself "Oh great, I can't tell if it's my unfamiliarity with RouterOS or a bug in the software."

Re: OpenVPN Server error: TLS failed

Posted: Tue Oct 14, 2014 2:19 pm
by apteixeira
Hello,

Using RouterOS 6.20 you can execute the following commands on the MikroTik server:

We will create two client certificates at this time (you can add more later):

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2


/certificate
sign ca-template name=myCa
sign ca=myCa server-template name=server
sign ca=myCa client1-template name=client1
sign ca=myCa client2-template name=client2


/certificate
set myCa trusted=yes
set server trusted=yes


At this time you have all you need on your server. Now you have to export the CA and the client certificates that you need to import on the client:

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx


Go to /files and download the files just exported.

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Fri Oct 17, 2014 2:21 pm
by alexac
/certificate sign ca-template name=myCa
error: couldn't perfom action - timeout(13)
?

Re: OpenVPN Server error: TLS failed

Posted: Fri Oct 17, 2014 2:26 pm
by apteixeira
/certificate sign ca-template name=myCa
error: couldn't perfom action - timeout(13)
?
Which version are you using?
I use version 6.20. In version 6.19 it is different.

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Fri Oct 17, 2014 2:34 pm
by alexac
v6.20, RB750G
But why is this info not in the wiki?
That's the third way I have tried to create certificates: openvpn (easy-rsa), openssl and in RouterOS,
and none of them works.

Re: OpenVPN Server error: TLS failed

Posted: Fri Oct 17, 2014 2:50 pm
by apteixeira
v6.20, RB750G
But why is this info not in the wiki?
That's the third way I have tried to create certificates: openvpn (easy-rsa), openssl and in RouterOS,
and none of them works.
Here is a video: http://youtu.be/93__PLZgebE

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Mon Oct 20, 2014 10:19 am
by alexac
OK, I can create certificates with my RB750GL (without any load, especially torrents, the timeout is gone),
but I still get a TLS error: about 60 sec timeout, connection failed.
The CRL on my certificate is absent.

Re: OpenVPN Server error: TLS failed

Posted: Mon Oct 20, 2014 2:22 pm
by apteixeira
OK, I can create certificates with my RB750GL (without any load, especially torrents, the timeout is gone),
but I still get a TLS error: about 60 sec timeout, connection failed.
The CRL on my certificate is absent.
Are you following the instructions?
Are you using your own certificates?
Can you post what are you doing and error?

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Tue Oct 21, 2014 2:32 pm
by alexac
I created certificates on my RB750GL using your post and followed the instructions from the wiki "openvpn in mikrotik".
These are my settings:

Re: OpenVPN Server error: TLS failed

Posted: Tue Oct 21, 2014 2:40 pm
by alexac
This is the OpenVPN client log:

Tue Oct 21 15:36:16 2014 OpenVPN 2.3.4 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 7 2014
Tue Oct 21 15:36:16 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Tue Oct 21 15:36:16 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Tue Oct 21 15:36:16 2014 Need hold release from management interface, waiting...
Tue Oct 21 15:36:16 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Tue Oct 21 15:36:16 2014 MANAGEMENT: CMD 'state on'
Tue Oct 21 15:36:16 2014 MANAGEMENT: CMD 'log all on'
Tue Oct 21 15:36:16 2014 MANAGEMENT: CMD 'hold off'
Tue Oct 21 15:36:16 2014 MANAGEMENT: CMD 'hold release'
Tue Oct 21 15:36:16 2014 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Tue Oct 21 15:36:16 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Oct 21 15:36:22 2014 MANAGEMENT: CMD 'password [...]'
Tue Oct 21 15:36:22 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Oct 21 15:36:22 2014 Attempting to establish TCP connection with [AF_INET]10.32.0.150:3128
Tue Oct 21 15:36:22 2014 MANAGEMENT: >STATE:1413891382,TCP_CONNECT,,,
Tue Oct 21 15:36:22 2014 TCP connection established with [AF_INET]10.32.0.150:3128
Tue Oct 21 15:36:22 2014 Send to HTTP proxy: 'CONNECT xxxxxxxxxx:1194 HTTP/1.0'
Tue Oct 21 15:36:23 2014 HTTP proxy returned: 'HTTP/1.0 200 Connection established'
Tue Oct 21 15:36:23 2014 TCPv4_CLIENT link local: [undef]
Tue Oct 21 15:36:23 2014 TCPv4_CLIENT link remote: [AF_INET]10.32.0.150:3128
Tue Oct 21 15:36:23 2014 MANAGEMENT: >STATE:1413891383,WAIT,,,
Tue Oct 21 15:36:23 2014 MANAGEMENT: >STATE:1413891383,AUTH,,,
Tue Oct 21 15:36:23 2014 TLS: Initial packet from [AF_INET]10.32.0.150:3128, sid=753f7c6c e4852c1c
Tue Oct 21 15:36:23 2014 VERIFY OK: depth=1, CN=myCa
Tue Oct 21 15:36:23 2014 VERIFY OK: depth=0, CN=server
Tue Oct 21 15:37:23 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Oct 21 15:37:23 2014 TLS Error: TLS handshake failed
Tue Oct 21 15:37:23 2014 Fatal TLS error (check_tls_errors_co), restarting
Tue Oct 21 15:37:23 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Oct 21 15:37:23 2014 MANAGEMENT: >STATE:1413891443,RECONNECTING,tls-error,,
Tue Oct 21 15:37:23 2014 Restart pause, 5 second(s)
Tue Oct 21 15:37:26 2014 MANAGEMENT: Client disconnected

Re: OpenVPN Server error: TLS failed

Posted: Tue Oct 21, 2014 2:51 pm
by apteixeira
Here is my OVPN Client configuration for Windows:

remote xxx.xxx.xxx.xxx 443
proto tcp-client
#client
tls-client
#ns-cert-type server
#remote-cert-tls server
ca cert_export_myCa.crt
cert cert_export_client1.crt
key cert_export_client1.key
cipher AES-256-CBC
auth SHA1
dev tap
resolv-retry infinite
nobind
persist-key
ping 10
ping-restart 45
verb 4
auth-user-pass
#auth-nocache
route-method exe
route-delay 2
pull
#redirect-gateway def1
route 10.0.0.0 255.0.0.0
route 172.16.0.0 255.240.0.0
route 192.168.0.0 255.255.0.0

I created some test certificates for you: www.mkx.cl/crt/crt_alexac.zip

Please test it and tell me if works.

Best regards

Re: OpenVPN Server error: TLS failed

Posted: Thu Oct 23, 2014 8:10 am
by alexac
OK, I found the problem :)
I didn't have "auth-user-pass" in my client config.
I still use my certs created in RouterOS.
Now I can connect to the MikroTik and ping the server from my local network, but can't SSH to it.
Do I need to add some forward rules for it on the MikroTik?

This is my OVPN client config:
-------------
# OpenVPN Client conf
# client

nobind
persist-key
persist-tun

http-proxy-retry
http-proxy 10.32.0.150 3128

tls-client
# tls-remote xxxxxxxxxxxxxxxxxxxxxxxxx

ca myCa.crt
cert client.crt
key client.key

remote xxxxxxxxxxxxxxxxxxxx 1194
dev tun
# dev tap
proto tcp-client
# proto udp

cipher AES-256-CBC
auth SHA1
verb 4
ping 10
ping-restart 45
# ns-cert-type server
# comp-lzo

auth-user-pass auth.cfg
# auth-nocache

pull
route-method exe
route-delay 2
route 192.168.101.0 255.255.255.0
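
The root cause found above (a missing `auth-user-pass` line against a server that also authenticates a PPP user) and the warning that was still in the client log ("No server certificate verification method has been enabled") are both things a few lines of Python can check for before the first connection attempt. The lint below is an added example, not code from this thread or from OpenVPN: it parses a client config the way OpenVPN reads it (one directive per line; a line is a comment only when it starts with `#` or `;`) and flags three problems: no server-certificate verification directive (without `remote-cert-tls server`, `ns-cert-type server`, `verify-x509-name` or `tls-remote`, any certificate the CA signed, including another client's, is accepted as the server); no `auth-user-pass` while the server also needs a username and password; and no `cipher` line, which on OpenVPN 2.3 silently means BF-CBC (visible as `ciphername = 'BF-CBC'` in a verbose log). The sample configs are reconstructed from the posts in this thread; the rule names and the `server_needs_user_pass` switch are mine.

```python
"""Added example, not from the thread: lint an OpenVPN client config for the
problems discussed above. Rule names and sample texts are the author's own."""

SERVER_VERIFY = ("remote-cert-tls", "ns-cert-type", "verify-x509-name", "tls-remote")
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_ovpn(text):
    """Map each directive to the list of argument lists seen for it.
    OpenVPN treats a line as a comment only when it *starts* with '#' or ';'."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        cfg.setdefault(name, []).append(args)
    return cfg


def lint(text, server_needs_user_pass=True):
    """Return the list of rule names that fire for this client config."""
    cfg = parse_ovpn(text)
    findings = []
    # 1. Without one of these the client accepts any CA-signed certificate as
    #    the server, so a leaked client cert is enough to impersonate the gateway.
    if not any(d in cfg for d in SERVER_VERIFY):
        findings.append("no-server-cert-verification")
    elif "remote-cert-tls" in cfg and cfg["remote-cert-tls"][-1] != ["server"]:
        findings.append("remote-cert-tls-not-server")
    # 2. A MikroTik OVPN server also authenticates a PPP user; without credentials
    #    the client sits in the handshake until "TLS key negotiation failed".
    if server_needs_user_pass and "auth-user-pass" not in cfg:
        findings.append("missing-auth-user-pass")
    # 3. No cipher line -> BF-CBC on OpenVPN 2.3; an explicit weak one is flagged too.
    if "cipher" not in cfg:
        findings.append("default-cipher-bf-cbc")
    elif cfg["cipher"][-1] and cfg["cipher"][-1][0].upper() in WEAK_CIPHERS:
        findings.append("weak-cipher")
    return findings


# Constructed sample: alexac's config as posted before the fix (no auth-user-pass,
# server verification commented out). The masked hostname is kept as in the post.
ALEXAC_BEFORE = """\
nobind
persist-key
persist-tun
http-proxy-retry
http-proxy 10.32.0.150 3128
tls-client
# tls-remote xxxxxxxxxxxxxxxxxxxxxxxxx
ca myCa.crt
cert client.crt
key client.key
remote xxxxxxxxxxxxxxxxxxxx 1194
dev tun
proto tcp-client
cipher AES-256-CBC
auth SHA1
verb 4
ping 10
ping-restart 45
# ns-cert-type server
pull
route-method exe
route-delay 2
route 192.168.101.0 255.255.255.0
"""
# The fix from the post above, and a hardened variant (assumed: the server
# certificate carries extendedKeyUsage serverAuth, or remote-cert-tls will fail).
ALEXAC_AFTER = ALEXAC_BEFORE + "auth-user-pass auth.cfg\n"
HARDENED = ALEXAC_AFTER + "remote-cert-tls server\n"

if __name__ == "__main__":
    for label, cfg in (("before", ALEXAC_BEFORE), ("after", ALEXAC_AFTER), ("hardened", HARDENED)):
        print(f"{label:9s} {lint(cfg) or 'clean'}")
```

Run it against a client .ovpn before the first attempt: "missing-auth-user-pass" is the 60-second timeout from the log above, "no-server-cert-verification" is the MITM warning that still appears after the fix.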

Re: OpenVPN Server error: TLS failed

Posted: Thu Oct 23, 2014 2:21 pm
by alexac
Added OpenVPN client IP -> internal server IP to the forward chain; it works fine!
Thanks for your attention to my problem, apteixeira! :)

Re: OpenVPN Server error: TLS failed

Posted: Thu Oct 23, 2014 5:43 pm
by apteixeira
Added OpenVPN client IP -> internal server IP to the forward chain; it works fine!
Thanks for your attention to my problem, apteixeira! :)
I'm glad I could help

Re: OpenVPN Server error: TLS failed

Posted: Mon Oct 27, 2014 4:12 pm
by 0chi0
Hello,
apteixeira thank you for your help.
I have a question about generating certificates with OpenSSL. I generated them according to http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates and I cannot connect. I do not have the flag KR, only KT.

Can I somehow get rid of the password on the certificate? In addition to the username / password, I still have to enter the password for the certificate too :)

Taking this opportunity, I have a question about the fairly slow connection; it pauses at this step:
Mon Oct 27, 2014 9:07:01 us = 163063 SENT CONTROL [Mikrotik]: 'PUSH_REQUEST' (status = 1)
Mon Oct 27, 2014 9:07:06 us = 277356 SENT CONTROL [Mikrotik]: 'PUSH_REQUEST' (status = 1)
Mon Oct 27, 2014 9:07:11 us = 460652 SENT CONTROL [Mikrotik]: 'PUSH_REQUEST' (status = 1)
Mon Oct 27, 2014 9:07:11 us = 721667 PUSH: Received control message: 'PUSH_REPLY, route 172.20.0.0 255.255.255.252, ifconfig 172.20.0.2 172.20.0.1'
Is it possible to get rid of this message?
Mon Oct 27, 2014 9:06:44 us = 703122 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

Re: OpenVPN Server error: TLS failed

Posted: Wed Oct 29, 2014 5:18 pm
by apteixeira
Hello 0chi0,

The possible reason for "do not have a flag KR, only KT" may be that you are not importing the key of the certificate. On the server you need to install the complete chain and the server key.

To avoid "enter the password for the certificate" you have to decrypt the RSA private key.

To avoid a man-in-the-middle (no server certificate verification method has been enabled) you have to implement some kind of server certificate verification by clients. You can find information about it here: http://openvpn.net/index.php/open-sourc ... .html#mitm

There is nothing wrong here:
Mon Oct 27, 2014 9:07:01 us = 163063 SENT CONTROL [Mikrotik]: 'PUSH_REQUEST' (status = 1)
Mon Oct 27, 2014 9:07:06 us = 277356 SENT CONTROL [Mikrotik]: 'PUSH_REQUEST' (status = 1)
Mon Oct 27, 2014 9:07:11 us = 460652 SENT CONTROL [Mikrotik]: 'PUSH_REQUEST' (status = 1)
Mon Oct 27, 2014 9:07:11 us = 721667 PUSH: Received control message: 'PUSH_REPLY, route 172.20.0.0 255.255.255.252, ifconfig 172.20.0.2 172.20.0.1'
Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Wed Oct 29, 2014 6:06 pm
by 0chi0
Hello,
Thanks for the quick reply.
I imported the files:
ca.crt
server.crt
server.key
Using OpenSSL, can I remove the password from the certificate and upload them again?

Re: OpenVPN Server error: TLS failed

Posted: Wed Oct 29, 2014 6:12 pm
by apteixeira
Using OpenSSL, can I remove the password from the certificate and upload them again?
The files you are using are OK for the server.

Yes, you can decrypt the RSA private key using openssl. Here is an example: https://support.citrix.com/article/CTX122930/

Best regards.

Re: OpenVPN Server error: TLS failed

Posted: Wed Nov 05, 2014 5:31 pm
by patrickmkt
ROS 6.21.1 certificate and CRL handling corrections seem to have fixed my problem with the TLS error. :)

Re: OpenVPN Server error: TLS failed

Posted: Wed Nov 12, 2014 9:12 pm
by 0chi0
I would also like to connect two MikroTiks by OVPN using a key (without certificates). How can I do that when the MikroTik OVPN server asks me for a certificate? In the Key tab, after importing (openvpn --genkey --secret static.key), nothing is added.
Where did I make a mistake?

Re: OpenVPN Server error: TLS failed

Posted: Sun Jan 24, 2016 8:30 pm
by kiaunel
Hello,
I am trying to set up an OpenVPN server on a MikroTik, and after I followed everything in this topic I get a TLS error.
I will post my configs and logs; maybe someone can point me to where I'm wrong.

MikroTik log:


20:20:38 ovpn,debug,error,20076,29312,60348,61328,27884,20684,58064,60344,l2tp,info,60348,debug,79,65535,critical,8976,62372,29584,20008,20760,31112,29312,20148,20144,20684,
41904,20684,packet duplicate packet, dropping
20:20:38 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=35e032ad92ca5c6b pid=1 DATA len=293
20:20:38 ovpn,debug,packet sent P_ACK kid=0 sid=9a7e849ce3139b68 [1 sid=35e032ad92ca5c6b] DATA len=0
20:20:38 ovpn,debug,packet sent P_CONTROL kid=0 sid=9a7e849ce3139b68 pid=1 DATA len=933
20:20:38 ovpn,debug <10.10.10.3>: disconnected <peer disconnected>
20:20:43 ovpn,info TCP connection established from 10.10.10.3
20:20:43 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=156fd32f2dee8e68 pid=0 DATA len=0
20:20:44 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=effd2eb77764ddc4 pid=0 DATA len=0
20:20:44 ovpn,debug,packet sent P_ACK kid=0 sid=156fd32f2dee8e68 [0 sid=effd2eb77764ddc4] DATA len=0
20:20:44 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=effd2eb77764ddc4 [0 sid=156fd32f2dee8e68] pid=0 DATA len=0
20:20:44 ovpn,debug,error,20076,29312,60348,61328,27884,20684,58064,60344,l2tp,info,60348,debug,79,65535,critical,8976,62372,29584,20008,20760,31112,29312,20148,20144,20684,
41904,20684,packet duplicate packet, dropping
20:20:44 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=effd2eb77764ddc4 pid=1 DATA len=293
20:20:44 ovpn,debug,packet sent P_ACK kid=0 sid=156fd32f2dee8e68 [1 sid=effd2eb77764ddc4] DATA len=0
20:20:44 ovpn,debug,packet sent P_CONTROL kid=0 sid=156fd32f2dee8e68 pid=1 DATA len=933
20:20:44 ovpn,debug <10.10.10.3>: disconnected <peer disconnected>
20:20:49 ovpn,info TCP connection established from 10.10.10.3
20:20:49 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=e91b8bfe5da9ee27 pid=0 DATA len=0
20:20:50 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=35efaf7d447f6c7 pid=0 DATA len=0
20:20:50 ovpn,debug,packet sent P_ACK kid=0 sid=e91b8bfe5da9ee27 [0 sid=35efaf7d447f6c7] DATA len=0
20:20:50 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=35efaf7d447f6c7 [0 sid=e91b8bfe5da9ee27] pid=0 DATA len=0
20:20:50 ovpn,debug,error,20076,29312,60348,61328,27884,20684,58064,60344,l2tp,info,60348,debug,79,65535,critical,8976,62372,29584,20008,20760,31112,29312,20148,20144,20684,
41904,20684,packet duplicate packet, dropping
20:20:50 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=35efaf7d447f6c7 pid=1 DATA len=293
20:20:50 ovpn,debug,packet sent P_ACK kid=0 sid=e91b8bfe5da9ee27 [1 sid=35efaf7d447f6c7] DATA len=0
20:20:50 ovpn,debug,packet sent P_CONTROL kid=0 sid=e91b8bfe5da9ee27 pid=1 DATA len=933
20:20:50 ovpn,debug <10.10.10.3>: disconnected <peer disconnected>
20:20:56 ovpn,info TCP connection established from 10.10.10.3
20:20:56 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=9986814ecf7f806a pid=0 DATA len=0
20:20:56 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=d899584ffaf3574 pid=0 DATA len=0
20:20:56 ovpn,debug,packet sent P_ACK kid=0 sid=9986814ecf7f806a [0 sid=d899584ffaf3574] DATA len=0
20:20:56 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=d899584ffaf3574 [0 sid=9986814ecf7f806a] pid=0 DATA len=0
20:20:56 ovpn,debug,error,20076,29312,60348,61328,27884,20684,58064,60344,l2tp,info,60348,debug,79,65535,critical,8976,62372,29584,20008,20760,31112,29312,20148,20144,20684,
41904,20684,packet duplicate packet, dropping
20:20:56 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=d899584ffaf3574 pid=1 DATA len=293
20:20:56 ovpn,debug,packet sent P_ACK kid=0 sid=9986814ecf7f806a [1 sid=d899584ffaf3574] DATA len=0
20:20:56 ovpn,debug,packet sent P_CONTROL kid=0 sid=9986814ecf7f806a pid=1 DATA len=933
20:20:57 ovpn,debug <10.10.10.3>: disconnected <peer disconnected>


Windows client config:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote kiaunel.fiberdatatelecom.ro 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca myCa.crt
cert client.crt
key client.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher AES 128

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 5

# Silence repeating messages
;mute 20

Windows client log:


Sun Jan 24 20:20:31 2016 us=64211 Current Parameter Settings:
Sun Jan 24 20:20:31 2016 us=64211 config = 'client.ovpn'
Sun Jan 24 20:20:31 2016 us=64211 mode = 0
Sun Jan 24 20:20:31 2016 us=64211 show_ciphers = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 show_digests = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 show_engines = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 genkey = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 key_pass_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 show_tls_ciphers = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 Connection profiles [default]:
Sun Jan 24 20:20:31 2016 us=64211 proto = tcp-client
Sun Jan 24 20:20:31 2016 us=64211 local = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 local_port = 0
Sun Jan 24 20:20:31 2016 us=64211 remote = 'kiaunel.fiberdatatelecom.ro'
Sun Jan 24 20:20:31 2016 us=64211 remote_port = 1194
Sun Jan 24 20:20:31 2016 us=64211 remote_float = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 bind_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 bind_local = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 connect_retry_seconds = 5
Sun Jan 24 20:20:31 2016 us=64211 connect_timeout = 10
Sun Jan 24 20:20:31 2016 us=64211 connect_retry_max = 0
Sun Jan 24 20:20:31 2016 us=64211 socks_proxy_server = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 socks_proxy_port = 0
Sun Jan 24 20:20:31 2016 us=64211 socks_proxy_retry = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tun_mtu = 1500
Sun Jan 24 20:20:31 2016 us=64211 tun_mtu_defined = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 link_mtu = 1500
Sun Jan 24 20:20:31 2016 us=64211 link_mtu_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tun_mtu_extra = 0
Sun Jan 24 20:20:31 2016 us=64211 tun_mtu_extra_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 mtu_discover_type = -1
Sun Jan 24 20:20:31 2016 us=64211 fragment = 0
Sun Jan 24 20:20:31 2016 us=64211 mssfix = 1450
Sun Jan 24 20:20:31 2016 us=64211 explicit_exit_notification = 0
Sun Jan 24 20:20:31 2016 us=64211 Connection profiles END
Sun Jan 24 20:20:31 2016 us=64211 remote_random = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 ipchange = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 dev = 'tun'
Sun Jan 24 20:20:31 2016 us=64211 dev_type = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 dev_node = 'MyTap'
Sun Jan 24 20:20:31 2016 us=64211 lladdr = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 topology = 1
Sun Jan 24 20:20:31 2016 us=64211 tun_ipv6 = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_local = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_remote_netmask = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_noexec = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_nowarn = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_ipv6_local = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_ipv6_netbits = 0
Sun Jan 24 20:20:31 2016 us=64211 ifconfig_ipv6_remote = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 shaper = 0
Sun Jan 24 20:20:31 2016 us=64211 mtu_test = 0
Sun Jan 24 20:20:31 2016 us=64211 mlock = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 keepalive_ping = 0
Sun Jan 24 20:20:31 2016 us=64211 keepalive_timeout = 0
Sun Jan 24 20:20:31 2016 us=64211 inactivity_timeout = 0
Sun Jan 24 20:20:31 2016 us=64211 ping_send_timeout = 0
Sun Jan 24 20:20:31 2016 us=64211 ping_rec_timeout = 0
Sun Jan 24 20:20:31 2016 us=64211 ping_rec_timeout_action = 0
Sun Jan 24 20:20:31 2016 us=64211 ping_timer_remote = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 remap_sigusr1 = 0
Sun Jan 24 20:20:31 2016 us=64211 persist_tun = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 persist_local_ip = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 persist_remote_ip = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 persist_key = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 passtos = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 resolve_retry_seconds = 1000000000
Sun Jan 24 20:20:31 2016 us=64211 username = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 groupname = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 chroot_dir = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 cd_dir = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 writepid = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 up_script = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 down_script = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 down_pre = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 up_restart = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 up_delay = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 daemon = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 inetd = 0
Sun Jan 24 20:20:31 2016 us=64211 log = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 suppress_timestamps = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 nice = 0
Sun Jan 24 20:20:31 2016 us=64211 verbosity = 5
Sun Jan 24 20:20:31 2016 us=64211 mute = 0
Sun Jan 24 20:20:31 2016 us=64211 gremlin = 0
Sun Jan 24 20:20:31 2016 us=64211 status_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 status_file_version = 1
Sun Jan 24 20:20:31 2016 us=64211 status_file_update_freq = 60
Sun Jan 24 20:20:31 2016 us=64211 occ = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 rcvbuf = 0
Sun Jan 24 20:20:31 2016 us=64211 sndbuf = 0
Sun Jan 24 20:20:31 2016 us=64211 sockflags = 0
Sun Jan 24 20:20:31 2016 us=64211 fast_io = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 lzo = 0
Sun Jan 24 20:20:31 2016 us=64211 route_script = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 route_default_gateway = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 route_default_metric = 0
Sun Jan 24 20:20:31 2016 us=64211 route_noexec = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 route_delay = 5
Sun Jan 24 20:20:31 2016 us=64211 route_delay_window = 30
Sun Jan 24 20:20:31 2016 us=64211 route_delay_defined = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 route_nopull = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 route_gateway_via_dhcp = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 max_routes = 100
Sun Jan 24 20:20:31 2016 us=64211 allow_pull_fqdn = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 management_addr = '127.0.0.1'
Sun Jan 24 20:20:31 2016 us=64211 management_port = 25340
Sun Jan 24 20:20:31 2016 us=64211 management_user_pass = 'stdin'
Sun Jan 24 20:20:31 2016 us=64211 management_log_history_cache = 250
Sun Jan 24 20:20:31 2016 us=64211 management_echo_buffer_size = 100
Sun Jan 24 20:20:31 2016 us=64211 management_write_peer_info_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 management_client_user = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 management_client_group = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 management_flags = 6
Sun Jan 24 20:20:31 2016 us=64211 shared_secret_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 key_direction = 0
Sun Jan 24 20:20:31 2016 us=64211 ciphername_defined = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 ciphername = 'BF-CBC'
Sun Jan 24 20:20:31 2016 us=64211 authname_defined = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 authname = 'SHA1'
Sun Jan 24 20:20:31 2016 us=64211 prng_hash = 'SHA1'
Sun Jan 24 20:20:31 2016 us=64211 prng_nonce_secret_len = 16
Sun Jan 24 20:20:31 2016 us=64211 keysize = 0
Sun Jan 24 20:20:31 2016 us=64211 engine = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 replay = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 mute_replay_warnings = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 replay_window = 64
Sun Jan 24 20:20:31 2016 us=64211 replay_time = 15
Sun Jan 24 20:20:31 2016 us=64211 packet_id_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 use_iv = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 test_crypto = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tls_server = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tls_client = ENABLED
Sun Jan 24 20:20:31 2016 us=64211 key_method = 2
Sun Jan 24 20:20:31 2016 us=64211 ca_file = 'myCa.crt'
Sun Jan 24 20:20:31 2016 us=64211 ca_path = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 dh_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 cert_file = 'client.crt'
Sun Jan 24 20:20:31 2016 us=64211 extra_certs_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 priv_key_file = 'client.key'
Sun Jan 24 20:20:31 2016 us=64211 pkcs12_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 cryptoapi_cert = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 cipher_list = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 tls_verify = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 tls_export_cert = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 verify_x509_type = 0
Sun Jan 24 20:20:31 2016 us=64211 verify_x509_name = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 crl_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 ns_cert_type = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 160
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 136
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_ku[i] = 0
Sun Jan 24 20:20:31 2016 us=64211 remote_cert_eku = 'TLS Web Server Authentication'
Sun Jan 24 20:20:31 2016 us=64211 ssl_flags = 0
Sun Jan 24 20:20:31 2016 us=64211 tls_timeout = 2
Sun Jan 24 20:20:31 2016 us=64211 renegotiate_bytes = 0
Sun Jan 24 20:20:31 2016 us=64211 renegotiate_packets = 0
Sun Jan 24 20:20:31 2016 us=64211 renegotiate_seconds = 3600
Sun Jan 24 20:20:31 2016 us=64211 handshake_window = 60
Sun Jan 24 20:20:31 2016 us=64211 transition_window = 3600
Sun Jan 24 20:20:31 2016 us=64211 single_session = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 push_peer_info = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tls_exit = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 tls_auth_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_protected_authentication = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_private_mode = 00000000
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_cert_private = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_pin_cache_period = -1
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_id = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=64211 pkcs11_id_management = DISABLED
Sun Jan 24 20:20:31 2016 us=64211 server_network = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=64211 server_netmask = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 server_network_ipv6 = ::
Sun Jan 24 20:20:31 2016 us=81850 server_netbits_ipv6 = 0
Sun Jan 24 20:20:31 2016 us=81850 server_bridge_ip = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 server_bridge_netmask = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 server_bridge_pool_start = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 server_bridge_pool_end = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_start = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_end = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_netmask = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_persist_filename = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_pool_persist_refresh_freq = 600
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_ipv6_pool_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_ipv6_pool_base = ::
Sun Jan 24 20:20:31 2016 us=81850 ifconfig_ipv6_pool_netbits = 0
Sun Jan 24 20:20:31 2016 us=81850 n_bcast_buf = 256
Sun Jan 24 20:20:31 2016 us=81850 tcp_queue_limit = 64
Sun Jan 24 20:20:31 2016 us=81850 real_hash_size = 256
Sun Jan 24 20:20:31 2016 us=82351 virtual_hash_size = 256
Sun Jan 24 20:20:31 2016 us=82351 client_connect_script = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=82351 learn_address_script = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=82351 client_disconnect_script = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=82351 client_config_dir = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=82351 ccd_exclusive = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 tmp_dir = 'C:\Users\kiaunel\AppData\Local\Temp\'
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_local = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_remote_netmask = 0.0.0.0
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_ipv6_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_ipv6_local = ::/0
Sun Jan 24 20:20:31 2016 us=82351 push_ifconfig_ipv6_remote = ::
Sun Jan 24 20:20:31 2016 us=82351 enable_c2c = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 duplicate_cn = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 cf_max = 0
Sun Jan 24 20:20:31 2016 us=82351 cf_per = 0
Sun Jan 24 20:20:31 2016 us=82351 max_clients = 1024
Sun Jan 24 20:20:31 2016 us=82351 max_routes_per_client = 256
Sun Jan 24 20:20:31 2016 us=82351 auth_user_pass_verify_script = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=82351 auth_user_pass_verify_script_via_file = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 client = ENABLED
Sun Jan 24 20:20:31 2016 us=82351 pull = ENABLED
Sun Jan 24 20:20:31 2016 us=82351 auth_user_pass_file = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=82351 show_net_up = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 route_method = 0
Sun Jan 24 20:20:31 2016 us=82351 block_outside_dns = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 ip_win32_defined = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 ip_win32_type = 3
Sun Jan 24 20:20:31 2016 us=82351 dhcp_masq_offset = 0
Sun Jan 24 20:20:31 2016 us=82351 dhcp_lease_time = 31536000
Sun Jan 24 20:20:31 2016 us=82351 tap_sleep = 0
Sun Jan 24 20:20:31 2016 us=82351 dhcp_options = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 dhcp_renew = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 dhcp_pre_release = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 dhcp_release = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 domain = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=82351 netbios_scope = '[UNDEF]'
Sun Jan 24 20:20:31 2016 us=82351 netbios_node_type = 0
Sun Jan 24 20:20:31 2016 us=82351 disable_nbt = DISABLED
Sun Jan 24 20:20:31 2016 us=82351 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan 4 2016
Sun Jan 24 20:20:31 2016 us=82851 Windows version 6.2 (Windows 8 or greater)
Sun Jan 24 20:20:31 2016 us=82851 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
Enter Management Password:
Sun Jan 24 20:20:31 2016 us=82851 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jan 24 20:20:31 2016 us=83351 Need hold release from management interface, waiting...
Sun Jan 24 20:20:31 2016 us=558936 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jan 24 20:20:31 2016 us=670061 MANAGEMENT: CMD 'state on'
Sun Jan 24 20:20:31 2016 us=670560 MANAGEMENT: CMD 'log all on'
Sun Jan 24 20:20:31 2016 us=825697 MANAGEMENT: CMD 'hold off'
Sun Jan 24 20:20:31 2016 us=825697 MANAGEMENT: CMD 'hold release'
Sun Jan 24 20:20:37 2016 us=124614 MANAGEMENT: CMD 'password [...]'
Sun Jan 24 20:20:37 2016 us=125117 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 24 20:20:37 2016 us=134123 Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun Jan 24 20:20:37 2016 us=134624 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 24 20:20:37 2016 us=134624 MANAGEMENT: >STATE:1453659637,RESOLVE,,,
Sun Jan 24 20:20:37 2016 us=281429 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sun Jan 24 20:20:37 2016 us=281429 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jan 24 20:20:37 2016 us=281429 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jan 24 20:20:37 2016 us=281429 Local Options hash (VER=V4): 'db02a8f8'
Sun Jan 24 20:20:37 2016 us=281429 Expected Remote Options hash (VER=V4): '7e068940'
Sun Jan 24 20:20:37 2016 us=281429 Attempting to establish TCP connection with [AF_INET]89.137.228.94:1194 [nonblock]
Sun Jan 24 20:20:37 2016 us=281429 MANAGEMENT: >STATE:1453659637,TCP_CONNECT,,,
Sun Jan 24 20:20:38 2016 us=313123 TCP connection established with [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:38 2016 us=313123 TCPv4_CLIENT link local: [undef]
Sun Jan 24 20:20:38 2016 us=313623 TCPv4_CLIENT link remote: [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:38 2016 us=314122 MANAGEMENT: >STATE:1453659638,WAIT,,,
Sun Jan 24 20:20:38 2016 us=315124 MANAGEMENT: >STATE:1453659638,AUTH,,,
Sun Jan 24 20:20:38 2016 us=315630 TLS: Initial packet from [AF_INET]89.137.228.94:1194, sid=9a7e849c e3139b68
Sun Jan 24 20:20:38 2016 us=632417 Validating certificate key usage
Sun Jan 24 20:20:38 2016 us=632417 ++ Certificate has key usage 0006, expects 00a0
Sun Jan 24 20:20:38 2016 us=632417 ++ Certificate has key usage 0006, expects 0088
Sun Jan 24 20:20:38 2016 us=632417 VERIFY KU ERROR
Sun Jan 24 20:20:38 2016 us=632417 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 24 20:20:38 2016 us=632417 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 24 20:20:38 2016 us=632417 TLS Error: TLS handshake failed
Sun Jan 24 20:20:38 2016 us=632417 Fatal TLS error (check_tls_errors_co), restarting
Sun Jan 24 20:20:38 2016 us=632417 TCP/UDP: Closing socket
Sun Jan 24 20:20:38 2016 us=632417 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 24 20:20:38 2016 us=632417 MANAGEMENT: >STATE:1453659638,RECONNECTING,tls-error,,
Sun Jan 24 20:20:38 2016 us=632417 Restart pause, 5 second(s)
Sun Jan 24 20:20:43 2016 us=656149 Re-using SSL/TLS context
Sun Jan 24 20:20:43 2016 us=656657 Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun Jan 24 20:20:43 2016 us=657157 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 24 20:20:43 2016 us=657157 MANAGEMENT: >STATE:1453659643,RESOLVE,,,
Sun Jan 24 20:20:43 2016 us=658158 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sun Jan 24 20:20:43 2016 us=658658 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jan 24 20:20:43 2016 us=659170 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jan 24 20:20:43 2016 us=659664 Local Options hash (VER=V4): 'db02a8f8'
Sun Jan 24 20:20:43 2016 us=659664 Expected Remote Options hash (VER=V4): '7e068940'
Sun Jan 24 20:20:43 2016 us=659664 Attempting to establish TCP connection with [AF_INET]89.137.228.94:1194 [nonblock]
Sun Jan 24 20:20:43 2016 us=660165 MANAGEMENT: >STATE:1453659643,TCP_CONNECT,,,
Sun Jan 24 20:20:44 2016 us=672632 TCP connection established with [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:44 2016 us=673120 TCPv4_CLIENT link local: [undef]
Sun Jan 24 20:20:44 2016 us=673120 TCPv4_CLIENT link remote: [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:44 2016 us=673120 MANAGEMENT: >STATE:1453659644,WAIT,,,
Sun Jan 24 20:20:44 2016 us=674127 MANAGEMENT: >STATE:1453659644,AUTH,,,
Sun Jan 24 20:20:44 2016 us=674627 TLS: Initial packet from [AF_INET]89.137.228.94:1194, sid=156fd32f 2dee8e68
Sun Jan 24 20:20:44 2016 us=727861 Validating certificate key usage
Sun Jan 24 20:20:44 2016 us=727861 ++ Certificate has key usage 0006, expects 00a0
Sun Jan 24 20:20:44 2016 us=727861 ++ Certificate has key usage 0006, expects 0088
Sun Jan 24 20:20:44 2016 us=727861 VERIFY KU ERROR
Sun Jan 24 20:20:44 2016 us=727861 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 24 20:20:44 2016 us=727861 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 24 20:20:44 2016 us=727861 TLS Error: TLS handshake failed
Sun Jan 24 20:20:44 2016 us=727861 Fatal TLS error (check_tls_errors_co), restarting
Sun Jan 24 20:20:44 2016 us=727861 TCP/UDP: Closing socket
Sun Jan 24 20:20:44 2016 us=727861 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 24 20:20:44 2016 us=727861 MANAGEMENT: >STATE:1453659644,RECONNECTING,tls-error,,
Sun Jan 24 20:20:44 2016 us=727861 Restart pause, 5 second(s)
Sun Jan 24 20:20:49 2016 us=761155 Re-using SSL/TLS context
Sun Jan 24 20:20:49 2016 us=761664 Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun Jan 24 20:20:49 2016 us=761664 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 24 20:20:49 2016 us=762162 MANAGEMENT: >STATE:1453659649,RESOLVE,,,
Sun Jan 24 20:20:49 2016 us=762665 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sun Jan 24 20:20:49 2016 us=762665 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jan 24 20:20:49 2016 us=763165 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jan 24 20:20:49 2016 us=763165 Local Options hash (VER=V4): 'db02a8f8'
Sun Jan 24 20:20:49 2016 us=763165 Expected Remote Options hash (VER=V4): '7e068940'
Sun Jan 24 20:20:49 2016 us=763165 Attempting to establish TCP connection with [AF_INET]89.137.228.94:1194 [nonblock]
Sun Jan 24 20:20:49 2016 us=763666 MANAGEMENT: >STATE:1453659649,TCP_CONNECT,,,
Sun Jan 24 20:20:50 2016 us=777603 TCP connection established with [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:50 2016 us=778104 TCPv4_CLIENT link local: [undef]
Sun Jan 24 20:20:50 2016 us=778104 TCPv4_CLIENT link remote: [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:50 2016 us=778605 MANAGEMENT: >STATE:1453659650,WAIT,,,
Sun Jan 24 20:20:50 2016 us=779608 MANAGEMENT: >STATE:1453659650,AUTH,,,
Sun Jan 24 20:20:50 2016 us=780105 TLS: Initial packet from [AF_INET]89.137.228.94:1194, sid=e91b8bfe 5da9ee27
Sun Jan 24 20:20:50 2016 us=822462 Validating certificate key usage
Sun Jan 24 20:20:50 2016 us=822462 ++ Certificate has key usage 0006, expects 00a0
Sun Jan 24 20:20:50 2016 us=822462 ++ Certificate has key usage 0006, expects 0088
Sun Jan 24 20:20:50 2016 us=822462 VERIFY KU ERROR
Sun Jan 24 20:20:50 2016 us=822462 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 24 20:20:50 2016 us=822462 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 24 20:20:50 2016 us=822462 TLS Error: TLS handshake failed
Sun Jan 24 20:20:50 2016 us=822462 Fatal TLS error (check_tls_errors_co), restarting
Sun Jan 24 20:20:50 2016 us=822462 TCP/UDP: Closing socket
Sun Jan 24 20:20:50 2016 us=822462 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 24 20:20:50 2016 us=822462 MANAGEMENT: >STATE:1453659650,RECONNECTING,tls-error,,
Sun Jan 24 20:20:50 2016 us=822462 Restart pause, 5 second(s)
Sun Jan 24 20:20:55 2016 us=877529 Re-using SSL/TLS context
Sun Jan 24 20:20:55 2016 us=877529 Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sun Jan 24 20:20:55 2016 us=878032 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jan 24 20:20:55 2016 us=878530 MANAGEMENT: >STATE:1453659655,RESOLVE,,,
Sun Jan 24 20:20:55 2016 us=879528 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sun Jan 24 20:20:55 2016 us=879528 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jan 24 20:20:55 2016 us=880025 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jan 24 20:20:55 2016 us=880025 Local Options hash (VER=V4): 'db02a8f8'
Sun Jan 24 20:20:55 2016 us=880025 Expected Remote Options hash (VER=V4): '7e068940'
Sun Jan 24 20:20:55 2016 us=880526 Attempting to establish TCP connection with [AF_INET]89.137.228.94:1194 [nonblock]
Sun Jan 24 20:20:55 2016 us=880526 MANAGEMENT: >STATE:1453659655,TCP_CONNECT,,,
Sun Jan 24 20:20:56 2016 us=893345 TCP connection established with [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:56 2016 us=893842 TCPv4_CLIENT link local: [undef]
Sun Jan 24 20:20:56 2016 us=893842 TCPv4_CLIENT link remote: [AF_INET]89.137.228.94:1194
Sun Jan 24 20:20:56 2016 us=894343 MANAGEMENT: >STATE:1453659656,WAIT,,,
Sun Jan 24 20:20:56 2016 us=895342 MANAGEMENT: >STATE:1453659656,AUTH,,,
Sun Jan 24 20:20:56 2016 us=895843 TLS: Initial packet from [AF_INET]89.137.228.94:1194, sid=9986814e cf7f806a
Sun Jan 24 20:20:56 2016 us=946811 Validating certificate key usage
Sun Jan 24 20:20:56 2016 us=946811 ++ Certificate has key usage 0006, expects 00a0
Sun Jan 24 20:20:56 2016 us=947301 ++ Certificate has key usage 0006, expects 0088
Sun Jan 24 20:20:56 2016 us=947301 VERIFY KU ERROR
Sun Jan 24 20:20:56 2016 us=947796 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jan 24 20:20:56 2016 us=947796 TLS Error: TLS object -> incoming plaintext read error
Sun Jan 24 20:20:56 2016 us=947796 TLS Error: TLS handshake failed
Sun Jan 24 20:20:56 2016 us=948305 Fatal TLS error (check_tls_errors_co), restarting
Sun Jan 24 20:20:56 2016 us=948305 TCP/UDP: Closing socket
Sun Jan 24 20:20:56 2016 us=948305 SIGUSR1[soft,tls-error] received, process restarting
Sun Jan 24 20:20:56 2016 us=948305 MANAGEMENT: >STATE:1453659656,RECONNECTING,tls-error,,
Sun Jan 24 20:20:56 2016 us=948305 Restart pause, 5 second(s)
Sun Jan 24 20:21:01 2016 us=966630 SIGTERM[hard,init_instance] received, process exiting
Sun Jan 24 20:21:01 2016 us=966630 MANAGEMENT: >STATE:1453659661,EXITING,init_instance,,
WRWRWRRWRWRWRRWRWRWRRWRWRWRR


MikroTik server configuration

[admin@MikroTik] > cert print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 microtik fiberdatatelecom.ro email:iulian.c@fiberdatatelecom.ro
1 L T certificate-response.pem_0 fiberdatatelecom.ro DNS:fiberdatatelecom.ro b99b3a15fe14c1187543797056d2a...
2 K A T myCa myCa 30ca22675721690a47d731c946570...
3 K A T server server 7604c6b2281305afb208beb35840d...
4 K A T client1 client1 e4956724a5ec3d8b1254ceb6d1ca5...
5 K A T client2 client2 2e9e5c16bbac7bb9388cf10e02247...
[admin@MikroTik] >

I'm using RouterOS 6.3.33.

Thanks in advance.

Re: OpenVPN Server error: TLS failed

Posted: Sun Jan 24, 2016 9:29 pm
by Sob
It says it does not like your certificate's key usage. This is from your log:
Sun Jan 24 20:20:38 2016 us=632417 Validating certificate key usage
Sun Jan 24 20:20:38 2016 us=632417 ++ Certificate has key usage 0006, expects 00a0
Sun Jan 24 20:20:38 2016 us=632417 ++ Certificate has key usage 0006, expects 0088
Sun Jan 24 20:20:38 2016 us=632417 VERIFY KU ERROR
This helpful comment from your config says how it should be done:
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
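
Sob's reading of those four log lines can be checked mechanically. What follows is an added Python example for this thread, not code from the forum, from OpenVPN or from RouterOS. It assumes that OpenVPN prints the KeyUsage mask in OpenSSL's bit layout (digitalSignature = 0x80 down to cRLSign = 0x02), that the OpenVPN 2.3 client in the log compares that mask for exact equality against each expected value (so both an extra and a missing bit fail), and that the RouterOS key-usage flag names mapped below are the documented ones for /certificate. It decodes the "has/expects" pair into purposes and lets you check a RouterOS key-usage list before assigning the certificate in /interface ovpn-server server.

```python
"""Decode OpenVPN "Certificate has key usage XXXX, expects YYYY" lines and
check RouterOS key-usage flag lists against the same expectation.

Added example; not code from the forum thread, OpenVPN or RouterOS.  Assumes
OpenSSL's KeyUsage bit layout, OpenVPN 2.3's exact-match comparison, and the
documented RouterOS /certificate key-usage flag names."""
import re
from typing import NamedTuple, Optional

# X.509 KeyUsage bits in RFC 5280 order, with the mask value OpenSSL (and
# therefore the OpenVPN log) uses for each.  OpenVPN 2.3 reads only these 8.
KU_BITS = [
    (0x80, "digitalSignature"),
    (0x40, "nonRepudiation"),
    (0x20, "keyEncipherment"),
    (0x10, "dataEncipherment"),
    (0x08, "keyAgreement"),
    (0x04, "keyCertSign"),
    (0x02, "cRLSign"),
    (0x01, "encipherOnly"),
]

# The two masks `remote-cert-tls server` accepts; the client log lists them
# as remote_cert_ku = 160 (0x00a0) and 136 (0x0088).
SERVER_KU_ALTERNATIVES = (0x00A0, 0x0088)

# RouterOS key-usage names that set KeyUsage bits (assumed documented names)...
ROUTEROS_KU = {
    "digital-signature": 0x80,
    "content-commitment": 0x40,
    "key-encipherment": 0x20,
    "data-encipherment": 0x10,
    "key-agreement": 0x08,
    "key-cert-sign": 0x04,
    "crl-sign": 0x02,
    "encipher-only": 0x01,
}
# ...and the ones that are extendedKeyUsage purposes instead.
ROUTEROS_EKU = {"tls-server": "serverAuth", "tls-client": "clientAuth"}

KU_LINE = re.compile(
    r"Certificate has key usage\s+([0-9a-fA-F]+), expects\s+([0-9a-fA-F]+)")


class KuReport(NamedTuple):
    has: int          # mask the peer certificate actually carries
    has_names: tuple  # decoded purposes of that mask
    expected: tuple   # masks the client was willing to accept
    accepted: bool


def ku_names(mask: int) -> tuple:
    """Human-readable KeyUsage purposes set in an OpenSSL-layout mask."""
    return tuple(name for bit, name in KU_BITS if mask & bit)


def ku_accepted(has: int, alternatives) -> bool:
    """OpenVPN 2.3 accepts the certificate only if its mask equals one of the
    expected values exactly; a missing bit and an extra bit both fail."""
    return any(has == alt for alt in alternatives if alt != 0)


def triage_log(lines) -> Optional[KuReport]:
    """Pull the has/expects pairs out of client log lines and report why the
    peer certificate was rejected (None if no key-usage check was logged)."""
    has, expected = None, []
    for line in lines:
        m = KU_LINE.search(line)
        if m:
            has = int(m.group(1), 16)
            expected.append(int(m.group(2), 16))
    if has is None:
        return None
    return KuReport(has, ku_names(has), tuple(expected),
                    ku_accepted(has, expected))


def routeros_key_usage(flags: str):
    """Split a RouterOS key-usage list into (KeyUsage mask, EKU purposes)."""
    mask, eku = 0, []
    for flag in flags.split(","):
        flag = flag.strip()
        if flag in ROUTEROS_KU:
            mask |= ROUTEROS_KU[flag]
        elif flag in ROUTEROS_EKU:
            eku.append(ROUTEROS_EKU[flag])
        else:
            raise ValueError("unmapped RouterOS key-usage flag: " + flag)
    return mask, tuple(eku)


def usable_as_ovpn_server(flags: str) -> bool:
    """Would a client running `remote-cert-tls server` accept a certificate
    with this RouterOS key-usage?  It needs the right KeyUsage bits and the
    serverAuth EKU (logged by the client as remote_cert_eku)."""
    mask, eku = routeros_key_usage(flags)
    return ku_accepted(mask, SERVER_KU_ALTERNATIVES) and "serverAuth" in eku


# Lines taken from the client log posted in this thread.
SAMPLE_LOG = [
    "Sun Jan 24 20:20:38 2016 us=632417 Validating certificate key usage",
    "Sun Jan 24 20:20:38 2016 us=632417 ++ Certificate has key usage 0006, expects 00a0",
    "Sun Jan 24 20:20:38 2016 us=632417 ++ Certificate has key usage 0006, expects 0088",
    "Sun Jan 24 20:20:38 2016 us=632417 VERIFY KU ERROR",
]

if __name__ == "__main__":
    r = triage_log(SAMPLE_LOG)
    print("peer cert has:", ", ".join(r.has_names), "-> accepted:", r.accepted)
    for alt in r.expected:
        print("  expected %04x = %s" % (alt, ", ".join(ku_names(alt))))
    for flags in ("key-cert-sign,crl-sign",
                  "digital-signature,key-encipherment,tls-server"):
        print("%-48s usable as OVPN server cert: %s"
              % (flags, usable_as_ovpn_server(flags)))
```

Run against the log above, the script reports that the peer certificate carries only keyCertSign and cRLSign, which is exactly what a CA template made with key-usage=key-cert-sign,crl-sign gets, while the client wanted digitalSignature plus keyEncipherment (or keyAgreement). A RouterOS certificate flagged digital-signature,key-encipherment,tls-server passes both the KeyUsage and the serverAuth EKU check.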

Re: OpenVPN Server error: TLS failed

Posted: Mon Jan 25, 2016 6:38 am
by kiaunel
Thanks for your quick reply, but I don't understand how I have to create my certs. I've created them with the lines in this topic:

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2

/certificate
sign ca-template name=myCa
sign ca=myCa server-template name=server
sign ca=myCa client1-template name=client1
sign ca=myCa client2-template name=client2

/certificate
set myCa trusted=yes
set server trusted=yes

Should i put some other option when creating certificates?

Thanks

Re: OpenVPN Server error: TLS failed

Posted: Mon Jan 25, 2016 10:38 pm
by Sob
I can't test the complete config now, but I did a quick test with certificates and I think that in /interface ovpn-server server you have the wrong certificate=myCa instead of the correct certificate=server, because the log says that the certificate has key usage 0006 and that should be key-cert-sign + crl-sign, i.e. what myCa has.

Edit: On second look, you'll probably just end up with a different error; I assume it won't like the common name "server" much, it should be the correct hostname instead.

Re: OpenVPN Server error: TLS failed

Posted: Wed Jan 27, 2016 10:36 am
by kiaunel
Thank you for your reply.
Indeed, the certificate was wrongly placed: myCa instead of server.
What I tried to do is create new certificates, with the name and common name set to my host name, uploaded to the client configuration, and indeed the errors changed.
Now my server certificate name is kiaunel.fiberdatatelecom.ro and the common name is the same.
If I disable the line remote-cert-tls kiaunel.fiberdatatelecom.ro or change the name to anything, I get client logs like this:

Wed Jan 27 10:32:26 2016 us=826048 MANAGEMENT: >STATE:1453883546,TCP_CONNECT,,,
Wed Jan 27 10:32:36 2016 us=862910 TCP: connect to [AF_INET]89.137.228.94:1194 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Jan 27 10:32:41 2016 us=898028 MANAGEMENT: >STATE:1453883561,RESOLVE,,,
Wed Jan 27 10:32:41 2016 us=900527 MANAGEMENT: >STATE:1453883561,TCP_CONNECT,,,
Wed Jan 27 10:32:51 2016 us=958443 TCP: connect to [AF_INET]89.137.228.94:1194 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Jan 27 10:32:56 2016 us=972548 MANAGEMENT: >STATE:1453883576,RESOLVE,,,
Wed Jan 27 10:32:56 2016 us=974048 MANAGEMENT: >STATE:1453883576,TCP_CONNECT,,,
Wed Jan 27 10:33:07 2016 us=19363 TCP: connect to [AF_INET]89.137.228.94:1194 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Jan 27 10:33:12 2016 us=47673 MANAGEMENT: >STATE:1453883592,RESOLVE,,,
Wed Jan 27 10:33:12 2016 us=49180 MANAGEMENT: >STATE:1453883592,TCP_CONNECT,,,
Wed Jan 27 10:33:22 2016 us=74788 TCP: connect to [AF_INET]89.137.228.94:1194 failed, will try again in 5 seconds: The system tried to join a drive to a directory on a joined drive.
Wed Jan 27 10:33:27 2016 us=132638 MANAGEMENT: >STATE:1453883607,RESOLVE,,,
Wed Jan 27 10:33:27 2016 us=133644 MANAGEMENT: >STATE:1453883607,TCP_CONNECT,,,


If I enable the line remote-cert-tls kiaunel.fiberdatatelecom.ro, the client does nothing... it does not even try to connect, and there is nothing in the client logs either.

I cannot understand what is wrong... are the certificate/key files bad, or the config?
Thanks a lot, I appreciate your support.

Re: OpenVPN Server error: TLS failed

Posted: Wed Jan 27, 2016 2:09 pm
by kiaunel
Changed the config and now it connects successfully.
Now, how do I push a default route?

Re: OpenVPN Server error: TLS failed

Posted: Sat Jun 24, 2017 7:33 pm
by alaa2003
Hello,

Confirmed. The problem happened when you set the CRL on the certificates.

Tested on several RouterBoards and it works without using CRL.

The certificates were generated by OpenSSL and RouterOS (both work).

Best regards.
Could you please add the full steps / commands?

Re: OpenVPN Server error: TLS failed

Posted: Sun Sep 03, 2017 11:44 pm
by lapsio
Sorry for necro bumping but this issue seems to be still relevant. I'm getting TLS failed when require-certificate is set to "on". Without it openvpn works fine. I followed this tutorial:

https://www.medo64.com/2016/12/simple-o ... -mikrotik/

And additionally set certificates to trusted, but the error still occurs. Here are the exports:
[lapsio@RB2011SWAG] /certificate> print detail 
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 0 K      T name="RB2011.crt_0" issuer=C=AU,ST=Some-State,O=Internet Widgits Pty Ltd country="AU" state="Some-State" organization="Internet Widgits Pty Ltd" 
common-name="89.72.64.207" 
            key-size=8192 days-valid=3650 trusted=yes serial-number="01" fingerprint="***" 
            invalid-before=apr/09/2016 11:26:53 invalid-after=apr/07/2026 11:26:53 

 1        T name="ca.crt_0" issuer=C=AU,ST=Some-State,O=Internet Widgits Pty Ltd country="AU" state="Some-State" organization="Internet Widgits Pty Ltd" key-size=8192 
days-valid=3650 
            trusted=yes serial-number="9AE7AA4EBFC12841" fingerprint="***" invalid-before=apr/09/2016 11:18:14 
            invalid-after=apr/07/2026 11:18:14 

 2 K      T name="RB2011_local.crt_0" issuer=C=AU,ST=Some-State,O=Internet Widgits Pty Ltd country="AU" state="Some-State" organization="Internet Widgits Pty Ltd" 
common-name="192.168.5.1" 
            key-size=8192 days-valid=3650 trusted=yes serial-number="01" fingerprint="***" 
            invalid-before=apr/09/2016 11:53:26 invalid-after=apr/07/2026 11:53:26 

 3 K   A  T name="ovpn-ca-cert" common-name="bestpony.ml" key-size=4096 days-valid=365 trusted=yes key-usage=key-cert-sign,crl-sign serial-number="7878A9022B21EBD3" 
            fingerprint="***" invalid-before=sep/03/2017 18:07:40 invalid-after=sep/03/2018 18:07:40 

 4 K    I T name="ovpn-server-cert" common-name="*.bestpony.ml" key-size=4096 days-valid=365 trusted=yes key-usage=digital-signature,key-encipherment,tls-server ca=ovpn-ca-cert 
            serial-number="0EAF878877F2B435" fingerprint="***" invalid-before=sep/03/2017 18:13:11 
            invalid-after=sep/03/2018 18:13:11 

 5 K    I T name="ovpn-client-lap-cert" common-name="vpnlap.bestpony.ml" key-size=4096 days-valid=365 trusted=yes key-usage=tls-client ca=ovpn-ca-cert 
serial-number="216B020C08EFB807" 
            fingerprint="***" invalid-before=sep/03/2017 18:16:12 invalid-after=sep/03/2018 18:16:12



[lapsio@RB2011SWAG] > /ppp profile print detail 
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 

 1   name="ovpn-profile" local-address=192.168.4.128 remote-address=pool-ovpn bridge=br-primary use-mpls=default use-compression=default use-encryption=yes only-one=default 
     change-tcp-mss=default use-upnp=default address-list="" dns-server=192.168.4.1 on-up="" on-down="" 

 2 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 


[lapsio@RB2011SWAG] > /ppp secret print detail 
Flags: X - disabled 
 0   name="lapsio-lap" service=ovpn caller-id="" password="***" profile=ovpn-profile routes="" limit-bytes-in=0 limit-bytes-out=0 last-logged-out=sep/03/2017 
20:37:46



[lapsio@RB2011SWAG] > /interface ovpn-server server print    
                     enabled: yes
                        port: 1194
                        mode: ethernet
                     netmask: 24
                 mac-address: FE:D8:74:2C:8F:39
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: ovpn-profile
                 certificate: ovpn-server-cert
  require-client-certificate: no
                        auth: sha1
                      cipher: aes256
By following the tutorial, I kind of did generate certs using this method:
Hello,

Using RouterOS 6.20 you can execute the following commands on the MikroTik server:

We will create two client certificates at this time (you can add more later)

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2


/certificate
sign ca-template name=myCa
sign ca=myCa server-template name=server
sign ca=myCa client1-template name=client1
sign ca=myCa client2-template name=client2


/certificate
set myCa trusted=yes
set server trusted=yes


At this time you have all you need at your server. Now you have to export the CA and the client certificates that you need to import to the client:

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx


Go to /files and download the files just exported.

Best regards.

However, it still throws TLS failed.

Re: OpenVPN Server error: TLS failed

Posted: Fri Jan 26, 2018 1:38 am
by rocker82
Please HELP! I have read almost all of Google. I've tried many tips and still the same... nothing.

Here are my errors. I just upgraded my MT CRS to the 6.41 release and nothing is better:
Fri Jan 26 00:32:34 2018 us=658038 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jan 26 00:32:34 2018 us=658038 Re-using SSL/TLS context
Fri Jan 26 00:32:34 2018 us=658038 Control Channel MTU parms [ L:1655 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Fri Jan 26 00:32:34 2018 us=658038 Data Channel MTU parms [ L:1655 D:1450 EF:123 EB:411 ET:32 EL:3 ]
Fri Jan 26 00:32:34 2018 us=658038 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Jan 26 00:32:34 2018 us=658038 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Jan 26 00:32:34 2018 us=658038 TCP/UDP: Preserving recently used remote address: [AF_INET]185.170.202.195:1194
Fri Jan 26 00:32:34 2018 us=658038 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jan 26 00:32:34 2018 us=658038 Attempting to establish TCP connection with [AF_INET]185.170.202.195:1194 [nonblock]
Fri Jan 26 00:32:34 2018 us=658038 MANAGEMENT: >STATE:1516923154,TCP_CONNECT,,,,,,
Fri Jan 26 00:32:35 2018 us=658095 TCP connection established with [AF_INET]185.x.x.x :1194
Fri Jan 26 00:32:35 2018 us=658095 TCP_CLIENT link local: (not bound)
Fri Jan 26 00:32:35 2018 us=658095 TCP_CLIENT link remote: [AF_INET]185.x.x.x :1194
Fri Jan 26 00:32:35 2018 us=658095 MANAGEMENT: >STATE:1516923155,WAIT,,,,,,
Fri Jan 26 00:32:35 2018 us=658095 MANAGEMENT: >STATE:1516923155,AUTH,,,,,,
Fri Jan 26 00:32:35 2018 us=658095 TLS: Initial packet from [AF_INET]185.x.x.x :1194, sid=2d860d04 d38dedbf
Fri Jan 26 00:32:36 2018 us=667153 VERIFY ERROR: depth=0, error=certificate is not yet valid: CN=myCa
Fri Jan 26 00:32:36 2018 us=667153 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Fri Jan 26 00:32:36 2018 us=667153 TLS_ERROR: BIO read tls_read_plaintext error
Fri Jan 26 00:32:36 2018 us=667153 TLS Error: TLS object -> incoming plaintext read error
Fri Jan 26 00:32:36 2018 us=667153 TLS Error: TLS handshake failed
Fri Jan 26 00:32:36 2018 us=667153 Fatal TLS error (check_tls_errors_co), restarting
Fri Jan 26 00:32:36 2018 us=667153 TCP/UDP: Closing socket
Fri Jan 26 00:32:36 2018 us=667153 SIGUSR1[soft,tls-error] received, process restarting
Fri Jan 26 00:32:36 2018 us=667153 MANAGEMENT: >STATE:1516923156,RECONNECTING,tls-error,,,,,
Fri Jan 26 00:32:36 2018 us=668153 Restart pause, 5 second(s)
Can someone help?

Re: OpenVPN Server error: TLS failed

Posted: Fri Jan 26, 2018 2:01 am
by rocker82
OK, I set the time as on my PC; now I have another problem. Connection is OK, verify is OK, but...
Fri Jan 26 00:50:31 2018 us=659639 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Jan 26 00:50:31 2018 us=659639 Re-using SSL/TLS context
Fri Jan 26 00:50:31 2018 us=659639 Control Channel MTU parms [ L:1655 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Fri Jan 26 00:50:31 2018 us=659639 Data Channel MTU parms [ L:1655 D:1450 EF:123 EB:411 ET:32 EL:3 ]
Fri Jan 26 00:50:31 2018 us=659639 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Fri Jan 26 00:50:31 2018 us=659639 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1591,tun-mtu 1532,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Fri Jan 26 00:50:31 2018 us=659639 TCP/UDP: Preserving recently used remote address: [AF_INET]185.185.x.x.x:1194
Fri Jan 26 00:50:31 2018 us=660639 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Jan 26 00:50:31 2018 us=660639 Attempting to establish TCP connection with [AF_INET]185.185.x.x.x:1194 [nonblock]
Fri Jan 26 00:50:31 2018 us=660639 MANAGEMENT: >STATE:1516924231,TCP_CONNECT,,,,,,
Fri Jan 26 00:50:32 2018 us=660696 TCP connection established with [AF_INET]185.x.x.x:1194
Fri Jan 26 00:50:32 2018 us=660696 TCP_CLIENT link local: (not bound)
Fri Jan 26 00:50:32 2018 us=660696 TCP_CLIENT link remote: [AF_INET]185.185.x.x.x:1194
Fri Jan 26 00:50:32 2018 us=660696 MANAGEMENT: >STATE:1516924232,WAIT,,,,,,
Fri Jan 26 00:50:32 2018 us=660696 MANAGEMENT: >STATE:1516924232,AUTH,,,,,,
Fri Jan 26 00:50:32 2018 us=660696 TLS: Initial packet from [AF_INET]185.x.x.x:1194, sid=1420ae7b cc075861
Fri Jan 26 00:50:33 2018 us=628752 VERIFY OK: depth=0, CN=myCa
Fri Jan 26 00:50:34 2018 us=351793 Connection reset, restarting [0]
Fri Jan 26 00:50:34 2018 us=351793 TCP/UDP: Closing socket
Fri Jan 26 00:50:34 2018 us=351793 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jan 26 00:50:34 2018 us=351793 MANAGEMENT: >STATE:1516924234,RECONNECTING,connection-reset,,,,,
Fri Jan 26 00:50:34 2018 us=351793 Restart pause, 20 second(s)

First question: why does it say "WARNING: No server certificate verification method has been enabled."?

In the MT log file it says: ovpn,info - TCP connection established from MY_IP

Please help...

Re: OpenVPN Server error: TLS failed

Posted: Fri Mar 08, 2019 9:23 pm
by adilsemedo
Same problem here.

I'm having these two states of connection:
Status: link established
Status: terminating - peer disconnected

Re: OpenVPN Server error: TLS failed

Posted: Fri Dec 06, 2019 8:13 pm
by myke1124
On the OpenVPN server (Mikrotik ver 6.46) I generated keys via the method above in red.

/ip pool add name=ppp ranges=10.0.250.10-10.0.250.250
/ppp profile set [find name="default-encryption"] local-address=10.0.250.1 remote-address=ppp
/ppp secret add name=user password=xxxxxxxxxx profile=default-encryption
/interface ovpn-server server set auth=sha1 certificate=server cipher=aes256 default-profile=default-encryption enabled=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input dst-port=1194 protocol=tcp
add action=drop chain=input src-address-list=!trusted

/certificate print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
0 K A T name="myCa" digest-algorithm=sha256 key-type=rsa common-name="myCa" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes key-usage=key-cert-sign,crl-sign serial-number="036F137AC64A9981"
fingerprint="xxx" invalid-before=dec/06/2019 09:56:21 invalid-after=dec/05/2020 09:56:21 expires-after=52w23h2m25s

1 K A T name="server" digest-algorithm=sha256 key-type=rsa common-name="server" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client ca=myCa serial-number="290CCD6705039A4D"
fingerprint="xxx" invalid-before=dec/06/2019 09:56:33 invalid-after=dec/05/2020 09:56:33 expires-after=52w23h2m37s

2 K A T name="client1" digest-algorithm=sha256 key-type=rsa common-name="client1" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client ca=myCa serial-number="3EAB4797CE667F13"
fingerprint="xxx" invalid-before=dec/06/2019 09:56:38 invalid-after=dec/05/2020 09:56:38 expires-after=52w23h2m42s

3 K A T name="client2" digest-algorithm=sha256 key-type=rsa common-name="client2" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client ca=myCa serial-number="6497043F5EE22FCC"
fingerprint="xxx" invalid-before=dec/06/2019 09:56:39 invalid-after=dec/05/2020 09:56:39 expires-after=52w23h2m

I downloaded the exported certificates from the server and imported the ca and client1 certificates on the OpenVPN client (Mikrotik ver 6.46)

/certificate print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
0 A T name="cert_export_client1.crt_0" issuer=CN=myCa key-type=rsa common-name="client1" key-size=2048 subject-alt-name="" days-valid=365
trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client
serial-number="3EAB4797CE667F13" fingerprint="xxx"
invalid-before=dec/06/2019 09:56:38 invalid-after=dec/05/2020 09:56:38 expires-after=52w22h45m33s

1 A T name="cert_export_myCa.crt_0" issuer=CN=myCa key-type=rsa common-name="myCa" key-size=2048 subject-alt-name="" days-valid=365 trusted=yes
key-usage=key-cert-sign,crl-sign serial-number="036F137AC64A9981"
fingerprint="xxx" invalid-before=dec/06/2019 09:56:21
invalid-after=dec/05/2020 09:56:21 expires-after=52w22h45m16s
/interface ovpn-client
add certificate=cert_export_client1.crt_0 cipher=aes256 connect-to=xxx.xxx.xxx.xxx mac-address=02:75:54:90:78:F3 name=OVPN password=xxxxxxxxxx \
profile=default-encryption user=user

Client log

11:03:30 ovpn,info OVPN: initializing...
11:03:30 ovpn,info OVPN: connecting...
11:03:30 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=2220d883b77d19eb pid=0 DATA len=0
11:03:30 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=60367ef18de0881f pid=0 DATA len=0
11:03:30 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=2220d883b77d19eb [0 sid=60367ef18de0881f] pid=1 DATA len=0
11:03:30 ovpn,debug OVPN: disconnected <TLS failed>
11:03:30 ovpn,info OVPN: terminating... - TLS failed
11:03:30 ovpn,info OVPN: disconnected

server log
11:03:30 ovpn,info TCP connection established from xxx.xxx.xxx.xxx
11:03:30 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=60367ef18de0881f pid=0 DATA len=0
11:03:30 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=2220d883b77d19eb pid=0 DATA len=0
11:03:30 ovpn,debug,packet sent P_ACK kid=0 sid=60367ef18de0881f [0 sid=2220d883b77d19eb] DATA len=0
11:03:30 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=2220d883b77d19eb [0 sid=60367ef18de0881f] pid=1 DATA len=0
11:03:30 ovpn,debug,packet sent P_ACK kid=0 sid=60367ef18de0881f [1 sid=2220d883b77d19eb] DATA len=0
11:03:30 ovpn,debug <205.149.8.222>: disconnected <peer disconnected>

If I set on the client side certificate none it connects. What am I missing?
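An added diagnostic, not part of this thread or of RouterOS: a Python script that reassembles the line-wrapped `/certificate print detail` output quoted above and reports why a certificate cannot serve as OpenVPN CA, server or client. It covers the clock problem behind rocker82's "certificate is not yet valid: CN=myCa" error and the missing-private-key case (the client-side print above lists client1 without the K flag), and checks key-usage against the role; the sample records are constructed from this thread's output with placeholder serials, and the required key-usage per role is my assumption.

```python
import re
from datetime import datetime

# Constructed sample modelled on the wrapped "/certificate print detail" output in this thread.
SAMPLE = """\
Flags: K - private-key, A - authority, T - trusted
0 K A T name="myCa" common-name="myCa" key-size=2048 trusted=yes key-usage=key-cert-sign,crl-sign
fingerprint="xxx" invalid-before=dec/06/2019 09:56:21 invalid-after=dec/05/2020 09:56:21

1 K A T name="server" common-name="server" trusted=yes ca=myCa key-usage=digital-signature,tls-server
fingerprint="xxx" invalid-before=dec/06/2019 09:56:33 invalid-after=dec/05/2020 09:56:33

2 A T name="cert_export_client1.crt_0" issuer=CN=myCa common-name="client1" key-usage=tls-client
fingerprint="xxx" invalid-before=dec/06/2019 09:56:38 invalid-after=dec/05/2020 09:56:38
"""

RECORD_START = re.compile(r'^\s*\d+\s+((?:[A-Z]\s+)*)name="')   # index, flag letters, first field
FIELD = re.compile(r'([a-z-]+)=("[^"]*"|\S+(?: \d\d:\d\d:\d\d)?)')  # quoted, bare, or date+time value
DATE_FMT = "%b/%d/%Y %H:%M:%S"                                   # RouterOS prints dec/06/2019 09:56:21

def parse_print_detail(text):
    """Reassemble the wrapped records into one dict (flags + fields) per certificate."""
    records, current = [], None
    for line in text.splitlines():
        start = RECORD_START.match(line)
        if start:
            current = {"flags": set(start.group(1).split())}
            records.append(current)
        if not line.strip():
            current = None                      # a blank line ends the record
        elif current is not None and "=" in line:
            for key, value in FIELD.findall(line):
                current[key] = value.strip('"')
    return records

REQUIRED_USAGE = {"ca": "key-cert-sign", "server": "tls-server", "client": "tls-client"}  # assumed

def check_cert(cert, role, now=None):
    """List why a certificate cannot fill the OpenVPN role; [] means it looks usable. now: RouterOS date string."""
    clock = datetime.strptime(now, DATE_FMT) if now else datetime.now()
    problems = []
    if clock < datetime.strptime(cert["invalid-before"], DATE_FMT):
        problems.append("not yet valid (check the router clock / NTP)")
    if clock > datetime.strptime(cert["invalid-after"], DATE_FMT):
        problems.append("expired")
    if REQUIRED_USAGE[role] not in cert.get("key-usage", "").split(","):
        problems.append("key-usage lacks " + REQUIRED_USAGE[role])
    if role != "ca" and "K" not in cert["flags"]:
        problems.append("no private key (K flag) on this router")
    return problems
```

Run `check_cert` against each router's own print output with the router's clock (`/system clock print`) rather than the PC's, since the peer rejects a certificate that is outside its validity window on its own clock.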

Re: OpenVPN Server error: TLS failed

Posted: Fri Dec 06, 2019 10:20 pm
by myke1124
I figured it out... I generated certificates using openssl based on the instructions found at: https://wiki.mikrotik.com/wiki/Manual:C ... rtificates
Apparently Mikrotik devices can't generate certificates that work.