Community discussions

MikroTik App
 
Pante90
just joined
Topic Author
Posts: 9
Joined: Mon Jan 18, 2021 9:10 pm

Ovpn-client on proto udp

Tue Mar 16, 2021 8:55 pm

Good morning,
I have a little problem. I subscribed a time with IPSTATICO.ORG to change a public IP with a static IP on my LTE connection. I downloaded a certificate file ***.openvpnm, but when I install an OpenVPN-client on Mikrotik i can't connect because i need to specify a Username and Password but I don't have this. I try to put this file on OpenVPN for windows and in this case with only a file insert the connection has been ok. Now, i ask for help, to configure correctly a ovpn-client on Mikrotik. I know this connection is on UDP protocol!.
Thanks a lot for helping me!
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ovpn-client on proto udp

Tue Mar 16, 2021 10:15 pm

At the moment, Mikrotik only supports OpenVPN on UDP in RouterOS 7 which is in a beta stage (7.1beta 4 as of writing this). So if you accept to run a beta, you should be able to connect. The (user)name and password are specified among other parameters on the /interface/ovpn-client row.
 
Pante90
just joined
Topic Author
Posts: 9
Joined: Mon Jan 18, 2021 9:10 pm

Re: Ovpn-client on proto udp

Wed Mar 17, 2021 9:07 pm

Thanks so much. i see now that. i attach a picture about my set interface because doesn't work. i think is wrong User and password because nobody say me somenthig about that from IPSTATICO.ORG.
Interface_ ovpn-out1.PNG
You do not have the required permissions to view the files attached to this post.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ovpn-client on proto udp

Wed Mar 17, 2021 10:16 pm

The certificate you've downloaded has been generated specifically for you?

If not, you should not use it as a client certificate, but as a certificate of a trusted certification authority, which authenticates the certificate presented by the server. So in the client configuration, no certificate should be specified.

If yes, there must be also another certificate for the purpose above (authentication of the certificate presented by the server).
 
Pante90
just joined
Topic Author
Posts: 9
Joined: Mon Jan 18, 2021 9:10 pm

Re: Ovpn-client on proto udp

Wed Mar 17, 2021 11:37 pm

Yes the certificate is on purpose for me. on miktrotik when i update the certificate are two certificate. but i not able to use. how can use they?
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ovpn-client on proto udp

Wed Mar 17, 2021 11:46 pm

Show me the output of /certificate print detail.
 
Pante90
just joined
Topic Author
Posts: 9
Joined: Mon Jan 18, 2021 9:10 pm

Re: Ovpn-client on proto udp

Thu Mar 18, 2021 8:21 am

[admin@RBSXRT] > /certificate print detail
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted 
 0       T name="dyn05-10-8-0-75.ovpn_0" issuer=CN=cn_ZkBLKf74XPGpzkCq digest-algorithm=sha256 key-type=ec common-name="cn_ZkBLKf74XPGpzkCq" 
           key-size=prime256v1 subject-alt-name="" days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign serial-number="9EEAA4267DF97858" 
           fingerprint="448e536d9501084031496cfbd2f6588d2518fe4293813298f4c730212f8f9e06" akid=4cfe8f1400471406a5a9dca5d8685b30097cee4f 
           skid=4cfe8f1400471406a5a9dca5d8685b30097cee4f invalid-before=feb/27/2020 21:50:03 invalid-after=feb/24/2030 21:50:03 
           expires-after=3138w10h31m29s 

 1 K     T name="dyn05-10-8-0-75.ovpn_1" issuer=CN=cn_ZkBLKf74XPGpzkCq digest-algorithm=sha256 key-type=ec common-name="dyn05-10-8-0-75" 
           key-size=prime256v1 subject-alt-name="" days-valid=1080 trusted=yes key-usage=digital-signature,tls-client 
           serial-number="1C598A64709492032D26EED987C29156" fingerprint="a3376583402597a4cd6d4286d3b6aedf7063bd5cabedfccca4b99d5d0ee21342" 
           akid=4cfe8f1400471406a5a9dca5d8685b30097cee4f skid=b0b2fb1c550150e00b4ca60ffed5c29cd99f0715 invalid-before=jul/21/2020 13:35:33 
           invalid-after=jul/06/2023 13:35:33 expires-after=2791w4d2h16m59s 
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Ovpn-client on proto udp

Thu Mar 18, 2021 11:21 am

OK. So two points.

First, the certificate you set in the /interface ovpn-client configuration must be the one authenticating your client to the server, which is the one for which you have the private key, i.e. the dyn05-10-8-0-75.ovpn_1 one.

Second, under normal circumstances, you should not need the server certificate itself - instead, you should use the certificate of the authority that has signed it. But the ..._0 certificate is not one of an authority, so it seems to be the one of the server itself. But I am not sure whether Mikrotik's OpenVPN implementation supports server authentication by the server's certificate alone, without having the certificate of the issuing authority. So if the connection still fails after you start using the proper certificate for the client as explained above, the error message should be different. If that is the case, switching off verify-server-certificate could be a way to check this, but not a recommended setting for actual use of the VPN, as without the certificate check, your connection could be redirected to some other server impersonating the real one.

So until the connection finally succeeds, uncheck add-default-route, but that doesn't prevent the username and password from leaking to the rogue server.
 
Pante90
just joined
Topic Author
Posts: 9
Joined: Mon Jan 18, 2021 9:10 pm

Re: Ovpn-client on proto udp

Thu Mar 18, 2021 9:16 pm

Thanks for help. Today i try to change a certificate like your teach but the error now is TLS failed. I don't know why, but i can't connect. and, i don't have any user name and pass for put in the same edit box. I put my login data from the site but i don't know if is correct. Now the connection doesn't work. nothing change
 
User avatar
stek
newbie
Posts: 47
Joined: Fri Jul 11, 2008 6:22 pm
Location: Switzerland

Re: Ovpn-client on proto udp

Tue May 10, 2022 9:07 am

Hi,
do you found a way to configure IPStatico with Mikrotik?

Grazie
Stefano

Who is online

Users browsing this forum: joshnielsen, phascogale and 55 guests