xt22
Frequent Visitor
Topic Author
Posts: 75
Joined: Tue Jul 14, 2015 1:16 pm

ROS7 destroying ovpn server - TLS failed?

Thu Apr 13, 2023 2:30 am

Hello,

I have issues with ovpn server running on Mikrotik - like tons of other people here as I saw, but here it was a perfectly working ovpn server for years, while running ROS6 up to 6.48.6. Unfortunately I thought it was safe to upgrade now and I have updated it to ROS 7.8 a few days ago - well, it was not.
OVPN server:
                     enabled: yes
                        port: 1194
                        mode: ip
                    protocol: tcp
                     netmask: 24
                 mac-address: xxx
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: profile1-ovpn
                 certificate: xxx.crt_0
  require-client-certificate: yes
                 tls-version: any
                        auth: sha1
                      cipher: aes256-cbc
                   reneg-sec: 3600
            redirect-gateway: disabled
             enable-tun-ipv6: no
             tun-server-ipv6: ::
             ipv6-prefix-len: 64

ovpn config file:
client
dev tun
proto tcp-client
remote xx.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca xx.crt
cert xx.crt
key xx.key
remote-cert-tls server
tls-client

cipher AES-256-CBC
auth SHA1
auth-user-pass xx.conf

pull
verb 5

auth-nocache

remote-cert-eku "TLS Web Server Authentication"
tls-version-min 1.2

certificates:
Flags: K - PRIVATE-KEY; T - TRUSTED
Columns: NAME, COMMON-NAME, FINGERPRINT
# NAME COMMON-NAME FINGERPRINT
0 KT xx.crt_0
1 T xxx.crt_0
log errors:
<xx.xx.xx.xx>: disconnected <TLS failed>
It was pretty common V6 setup with SHA1/AES-256-cbc, tcp, working like a charm. First, after the upgrade to 7.8, I received "TLS error: ssl: unsupported certificate algo (6)". If I enable sha256 in ovpn settings, it changes to "TLS failed" - but still no luck. I tried to allow all auth/cipher options except the gcm versions, but it is the same.

Now the important question - what the hell has happened in ROS7, that it destroyed a working ovpn server? Mikrotik ignores all the ovpn posts.. thank you for any suggestions
 
peich1
just joined
Posts: 5
Joined: Mon Dec 11, 2017 9:43 am

Re: ROS7 destroying ovpn server - TLS failed?

Tue Apr 18, 2023 4:15 pm

I had to tinker around with a lot of the settings, create new certificates, etc. but in the end I got it "kinda" working. I say "kinda" because it's really unstable in 7.8 and the router reboots quite often because of OVPN not correctly closing the connections. I would recommend to revert back to ros 6, if you have the possibility.
 
xt22
Frequent Visitor
Topic Author
Posts: 75
Joined: Tue Jul 14, 2015 1:16 pm

Re: ROS7 destroying ovpn server - TLS failed?

Thu Apr 27, 2023 1:17 am

yes. I really hate Mikrotik at these moments and want to give all the hundreds of our tiks to my kids as toy bricks :-/

I'd love to go back to ROS6, I really like it and I'll keep it on our devices as long as possible, especially when I see the quality of ROS7 (8 or how many years was not enough for a fully working version yet?), but ovpn there is crap too - it is working at least, but 1. TCP meltdown, 2. no SHA2 and 3. no OVPN 2FA (although I made it work on ROS6 during the tests on CCR1009).

Btw - there seems to be some stability update ( (*) ovpn - improved system stability for Tile devices; ) in 7.9rc4 (2023-Apr-24 16:34), which is good, although now I'm gonna hate Mikrotik the second time, because I'll have to become their tester and deploy RC in a production environment and try it - and I do hate this :-/


Anyway, for future readers - I was not able to use any of my easy-rsa generated certificates (so your OpenVPN servers with these will not work after upgrading to ROS7), I was not able to use an RB-generated 4096-bit certificate, I was able to generate & use a 2048-bit certificate. With that, SHA1, SHA256 and SHA512 were working with AES-256-CBC.
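The post above narrows the problem down to certificate properties (which CA generated it, key size, and the EKU the client config pins with remote-cert-eku "TLS Web Server Authentication" / remote-cert-tls server). The script below is an added example, not code from the thread or from MikroTik: it inspects a PEM certificate with the openssl CLI and reports those properties so each CA, server and client certificate can be checked before an upgrade. It assumes an openssl binary (1.1.1 or newer) on PATH; the function names and the 2048-bit threshold in the note are this example's own, taken from the poster's findings rather than from any MikroTik documentation.

```shell
#!/bin/sh
# Added example, not from the thread: inspect an OpenVPN certificate with the
# openssl CLI and report the properties the posts above turned out to matter
# after the RouterOS 7 upgrade (signature digest, RSA key size, and the
# "TLS Web Server Authentication" EKU that the client config pins with
# remote-cert-eku / remote-cert-tls server).
# Assumptions: the certificate is PEM on disk and an openssl binary (1.1.1 or
# newer) is on PATH. Function and file names are this example's own.

# First "Signature Algorithm:" line of the decoded certificate, e.g.
# sha256WithRSAEncryption or sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Public key size in bits, taken from the "Public-Key: (N bit)" line
# (the line reads "RSA Public-Key:" on OpenSSL 1.1.1, "Public-Key:" on 3.x).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit status 0 when the certificate carries the serverAuth EKU.
cert_has_server_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication'
}

# Print a short report for one certificate; exit status 1 if anything was flagged.
ovpn_cert_report() {
    crt=$1
    alg=$(cert_sig_alg "$crt")
    bits=$(cert_key_bits "$crt")
    status=0
    printf '%s: signature=%s key=%s bits\n' "$crt" "$alg" "$bits"
    case $alg in
        sha1*|md5*)
            printf '  WARN: %s is a weak signature digest; regenerate with SHA-256 or better\n' "$alg"
            status=1 ;;
    esac
    if [ "$bits" != "2048" ]; then
        printf '  NOTE: %s-bit key; the poster above only got 2048-bit certificates working on 7.8\n' "$bits"
    fi
    if cert_has_server_eku "$crt"; then
        echo '  EKU: TLS Web Server Authentication present (matches remote-cert-eku / remote-cert-tls server)'
    else
        echo '  WARN: no TLS Web Server Authentication EKU; a client using remote-cert-tls server will reject this as a server certificate'
        status=1
    fi
    return $status
}

# Usage: sh cert-check.sh server.crt [ca.crt client.crt ...]
for f in "$@"; do
    ovpn_cert_report "$f"
done
```

Run it against every certificate in the chain, not only the server one: the client config above verifies the server certificate against the CA and additionally requires the server EKU, so a CA signed with a weak digest or a server certificate without serverAuth each produce a TLS failure that looks the same from the RouterOS log.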
 
Marro
just joined
Posts: 2
Joined: Thu Apr 27, 2023 9:47 pm

Re: ROS7 destroying ovpn server - TLS failed?

Fri Apr 28, 2023 1:54 pm

Hello,
in our company we are fighting the same problem after updating to ROS7. I'm not a deep expert in this area, so sorry if I am not accurate in my thoughts. Our VPN is unstable and disconnects quite often. It throws this TLS ERROR:
2023-03-13 08:33:09 TLS: tls_process: killed expiring key
2023-03-13 08:33:10 TLS: soft reset sec=3600/3600 bytes=92699156/-1 pkts=195620/0
2023-03-13 08:33:11 TLS ERROR: local/remote key IDs out of sync (2/3) ID:  [key#0 state=S_SENT_KEY id=2 sid=cf7e3da7 f66604b0] [key#1 state=S_ACTIVE id=1 sid=cf7e3da7 f66604b0] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
2023-03-13 08:33:11 Fatal TLS error (check_tls_errors_co), restarting
That "TLS: tls_process: killed expiring key" happens at a 1-hour interval, but it does NOT always disconnect the VPN with that error. I get disconnected about 2-3 times per 10-hour workday.
Here are our OpenVPN client settings:
client
dev tun
proto udp
remote x.x.x.80
port xxxxx
nobind
remote-cert-tls server
ca x.crt
cert x.crt
key x.key

cipher AES-256-CBC
data-ciphers AES-256-CBC

auth SHA1
auth-nocache
auth-user-pass backupfile

verb 3
mute 20
We are running ROS7.8 on our MK CCR1009. Here is server settings:
MK_VPN.png
We tried both TCP and UDP protocols, UDP seems to be a little bit better but definitely not good. Thanks for any advice.
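The log above shows the hourly reneg-sec renegotiation (soft reset sec=3600/3600) sometimes ending in "Fatal TLS error" and a restart, and the poster notes it does not happen every hour. The script below is an added example, not code from the thread: it reads an OpenVPN client log and counts how many soft resets were followed by a fatal TLS error before the next reset, so the failure rate can be compared across settings (reneg-sec, UDP vs TCP) or RouterOS versions. It assumes OpenVPN's default "YYYY-MM-DD HH:MM:SS message" log lines; the sample log in sample_log is constructed from the lines posted above (with placeholder session ids) and is not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread: measure how often the hourly reneg-sec
# key renegotiation in an OpenVPN client log ends in the "Fatal TLS error"
# shown above, so "it does not always disconnect" becomes a number that can be
# compared across server settings or firmware versions.
# Assumptions: OpenVPN's default "YYYY-MM-DD HH:MM:SS message" log lines, read
# from the files given as arguments or from stdin. sample_log is constructed
# from the thread's lines with placeholder session ids; it is not a real capture.

# Count soft resets and how many of them hit a fatal TLS error before the next reset.
reneg_stats() {
    awk '
        /TLS: soft reset/ { resets++; pending = 1; next }
        /Fatal TLS error/ { if (pending) { failed++; pending = 0 } }
        END { printf "resets=%d failed=%d\n", resets, failed }
    ' "$@"
}

# List each failed renegotiation as "reset_time -> fatal_time message".
reneg_failures() {
    awk '
        { ts = $1 " " $2 }                       # timestamp of the current line
        /TLS: soft reset/ { reset_ts = ts; pending = 1; next }
        /Fatal TLS error/ && pending {
            msg = $0; sub(/^[^ ]+ [^ ]+ /, "", msg)   # drop the timestamp
            printf "%s -> %s %s\n", reset_ts, ts, msg
            pending = 0
        }
    ' "$@"
}

# Constructed sample: three hourly renegotiations, two of which fail.
sample_log() {
    cat <<'EOF'
2023-03-13 07:33:09 TLS: tls_process: killed expiring key
2023-03-13 07:33:10 TLS: soft reset sec=3600/3600 bytes=40120011/-1 pkts=90112/0
2023-03-13 07:33:11 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
2023-03-13 08:33:09 TLS: tls_process: killed expiring key
2023-03-13 08:33:10 TLS: soft reset sec=3600/3600 bytes=92699156/-1 pkts=195620/0
2023-03-13 08:33:11 TLS ERROR: local/remote key IDs out of sync (2/3) ID:  [key#0 state=S_SENT_KEY id=2 sid=00000001 00000001] [key#1 state=S_ACTIVE id=1 sid=00000001 00000001] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
2023-03-13 08:33:11 Fatal TLS error (check_tls_errors_co), restarting
2023-03-13 08:33:20 SIGUSR1[soft,tls-error] received, process restarting
2023-03-13 09:33:09 TLS: tls_process: killed expiring key
2023-03-13 09:33:10 TLS: soft reset sec=3600/3600 bytes=1500022/-1 pkts=3301/0
2023-03-13 09:33:11 TLS ERROR: local/remote key IDs out of sync (2/3) ID:  [key#0 state=S_SENT_KEY id=2 sid=00000002 00000002] [key#1 state=S_ACTIVE id=1 sid=00000002 00000002] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
2023-03-13 09:33:11 Fatal TLS error (check_tls_errors_co), restarting
EOF
}

# Usage: sh reneg-stats.sh client.log   (no argument: run on the constructed sample)
if [ $# -gt 0 ]; then
    reneg_stats "$@"
    reneg_failures "$@"
else
    sample_log | reneg_stats
    sample_log | reneg_failures
fi
```

On the constructed sample the summary is resets=3 failed=2. A failed fraction that changes when only reneg-sec or the transport protocol changes points at the renegotiation path on the server rather than at the certificates, which is the distinction the thread is trying to make.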
 
oberdansoares
just joined
Posts: 4
Joined: Mon Feb 15, 2021 1:04 pm

Re: ROS7 destroying ovpn server - TLS failed?

Tue May 09, 2023 2:54 pm

Hi, have you had any progress? I have the same symptom on a CHR v7.9 and a client OpenSUSE (15.3)
 
Marro
just joined
Posts: 2
Joined: Thu Apr 27, 2023 9:47 pm

Re: ROS7 destroying ovpn server - TLS failed?

Tue May 16, 2023 1:18 pm

Unfortunately, there has been no progress on our side. We upgraded our ROS to 7.9, everything remains the same. We have tried quite a lot of different things. Our conclusion is that something is wrong on the MikroTik side. In my mind, the solution would be to set the TLS certificate to "static" and manually copy it to all clients (this has some drawbacks, but stability is more important to me). However, I don't know how to do that right now.
 
patrickmkt
Member Candidate
Posts: 200
Joined: Sat Jul 28, 2012 5:21 pm

Re: ROS7 destroying ovpn server - TLS failed?

Thu May 25, 2023 5:12 am

I have the same OVPN <TLS error: ssl: unsupported certificate algo (6)>

I also still have the CRL verification problem described in viewtopic.php?t=189545&e=1&view=unread#unread
