It has been added to 7.12beta. When you need it, test it with that version before it becomes a stable release.
That is really good news. I have just installed it and am testing against a Netgate OpenVPN server (works like a charm when using a Raspberry Pi as the client).
I cannot make it work ;-(
This is the normal Linux-based OVPN file I am trying to import:
verb 3
dev-type tap
dev tap0
writepid /var/run/openvpn_client1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth RSA-SHA256
local 192.168.x.y
tls-client
client
lport 0
remote mynetgateserver.com 1194
ca /etc/openvpn/client/client1.ca
cert /etc/openvpn/client/client1.cert
key /etc/openvpn/client/client1.key
tls-auth /etc/openvpn/client/client1.tls-auth 1
comp-lzo adaptive
resolv-retry infinite
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MII....
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
94...
-----END OpenVPN Static key V1-----
</tls-auth>
I obviously needed to remove some parameters before the import:
dev-type tap
dev tap0
writepid /var/run/openvpn_client1.pid
auth RSA-SHA256
local 192.168.x.y
tls-client
lport 0
ca /etc/openvpn/client/client1.ca
cert /etc/openvpn/client/client1.cert
key /etc/openvpn/client/client1.key
tls-auth /etc/openvpn/client/client1.tls-auth 1
resolv-retry infinite
With that removed, the file actually imports - YAY!!!!
RESULTING CONFIG IMPORTED (with warnings - but nothing in the log):
-------------------------------------------------------------------------------------------------
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
remote mynetgateserver.com 1194
resolv-retry infinite
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MII....
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
94...
-----END OpenVPN Static key V1-----
</tls-auth>
-----------------------------------------------------------------------------------------------
Then I adjusted the missing parameters (auth etc.) and tried to connect.
FAIL!!!
Mikrotik Log:
ovpn-import1694759783: terminating... - TLS error: handshake timed out (6)
Netgate Log:
No log entries in OpenVPN and just a notice in IPSEC
Here are the relevant MikroTik settings after the adjustments:
# 2023-09-15 08:41:29 by RouterOS 7.12beta7
#
# model = C52iG-5HaxD2HaxD
# A LOT OF STUFF NOT INCLUDED.
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des \
hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m \
name=default pfs-group=modp1024
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/interface ovpn-client
add add-default-route=no auth=sha256 certificate=cert_ovpn-import1694759783 cipher=aes128-cbc connect-to=mynetgateserver.com \
disabled=no disconnect-notify=yes mac-address=XX:XX:XX:XX:XX:XX max-mtu=1500 mode=ethernet name=ovpn-import1694759783 \
port=1194 profile=default-encryption protocol=udp route-nopull=no tls-version=any use-peer-dns=yes user=ovpnuser \
verify-server-certificate=no
# EXPORT END - SHOWING CERTS
/certificate> print detail
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
0 T name="ca_ovpn-import1694759783" issuer=CN=vpn-tunnel-ca digest-algorithm=sha256 key-type=rsa
common-name="vpn-tunnel-ca" key-size=2048 subject-alt-name="" days-valid=3650 trusted=yes
key-usage=key-cert-sign,crl-sign serial-number="00"
fingerprint="...."
akid=id1masked skid=id1masked
invalid-before=2020-08-09 08:13:15 invalid-after=2030-08-07 08:13:15 expires-after=359w4d23h22m45s
1 K T name="cert_ovpn-import1694759783" issuer=CN=vpn-tunnel-ca digest-algorithm=sha256 key-type=rsa
common-name="spain2-bridge-cert" key-size=2048 subject-alt-name=DNS:spain2-bridge-cert days-valid=3650
trusted=yes key-usage=digital-signature,content-commitment,key-encipherment,tls-client serial-number="08"
fingerprint="...."
akid=id1masked skid=id2masked
invalid-before=2021-10-23 10:43:59 invalid-after=2031-10-21 10:43:59 expires-after=422w4d1h53m29s
Thank you to anyone who can point me in the right direction. It would be so nice to stop having to use Raspberry Pis just to establish TAP interfaces and instead simply reuse the MikroTik routers that are already there.
TAP (ethernet) is 100% needed and cannot be deselected, as the interfaces need to pass multicast etc. transparently from devices behind the VPN client via a bridge. So unfortunately this has been the only way to get this working.
/Niels
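An added example, not code from this thread and not MikroTik's importer: a small pre-flight check that does by script what Niels did by hand above. It splits an OpenVPN client profile into plain directives and `<tag>` inline blocks, drops the directives the post shows the RouterOS importer rejecting (that list is one person's observation from one import, not an official compatibility list), reports the `auth` and `cipher` values that have to be re-entered on `/interface ovpn-client` (mapping only the two spellings visible in the post: `RSA-SHA256` to `sha256`, `AES-128-CBC` to `aes128-cbc`), and sanity-checks each inline PEM block for exactly one BEGIN/END pair. The sample profile is constructed, with placeholder key material and a deliberately doubled BEGIN line in `<tls-auth>` so the check has something to find.

```python
"""Pre-flight check of an OpenVPN client profile before importing it into RouterOS.

Added example, not code from the forum thread or from MikroTik. UNSUPPORTED is the
set of directives the poster had to delete by hand; MANUAL maps the two values the
poster re-entered on the RouterOS side. Both are observations, not an official list.
"""
import re
from dataclasses import dataclass, field

# Directives the poster removed before the import was accepted (observed, not official).
UNSUPPORTED = {
    "dev-type", "dev", "writepid", "auth", "local", "tls-client", "lport",
    "ca", "cert", "key", "tls-auth", "resolv-retry",
}
# OpenVPN spelling -> RouterOS spelling, as seen in the export in the post.
MANUAL = {
    "auth": {"RSA-SHA256": "sha256"},
    "cipher": {"AES-128-CBC": "aes128-cbc"},
}


@dataclass
class Profile:
    directives: list[tuple[str, str]] = field(default_factory=list)  # (name, args)
    blocks: dict[str, list[str]] = field(default_factory=dict)       # tag -> body lines


def parse_ovpn(text: str) -> Profile:
    """Split a profile into plain directives and <tag>...</tag> inline blocks."""
    p = Profile()
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            tag, body = m.group(1), []
            for inner in lines:  # consume until the matching close tag
                if inner.strip() == f"</{tag}>":
                    break
                body.append(inner.rstrip())
            p.blocks[tag] = body
            continue
        name, _, args = line.partition(" ")
        p.directives.append((name, args.strip()))
    return p


def lint(p: Profile) -> tuple[list[str], dict[str, str]]:
    """Return (findings, settings to enter manually on /interface ovpn-client)."""
    findings, manual = [], {}
    names = {n for n, _ in p.directives}
    for name, args in p.directives:
        if name in UNSUPPORTED:
            findings.append(f"remove before import: {name} {args}".rstrip())
        if name in MANUAL:
            manual[name] = MANUAL[name].get(args.upper(), f"UNMAPPED({args})")
    for tag, body in p.blocks.items():
        begins = sum(l.startswith("-----BEGIN") for l in body)
        ends = sum(l.startswith("-----END") for l in body)
        if (begins, ends) != (1, 1):
            findings.append(f"<{tag}>: expected one BEGIN/END pair, found {begins}/{ends}")
    if "tls-auth" in p.blocks and "key-direction" not in names:
        findings.append("inline <tls-auth> without key-direction: set the direction explicitly")
    return findings, manual


def strip_unsupported(text: str) -> str:
    """Return the profile with unsupported plain directives dropped; inline blocks are kept."""
    out, in_block = [], False
    for line in text.splitlines():
        s = line.strip()
        if re.fullmatch(r"<[a-z-]+>", s):
            in_block = True
        if not in_block and s.split(" ", 1)[0] in UNSUPPORTED:
            continue
        out.append(line)
        if re.fullmatch(r"</[a-z-]+>", s):
            in_block = False
    return "\n".join(out) + "\n"


# Constructed sample profile: placeholder key material, doubled BEGIN line in <tls-auth>.
SAMPLE = """\
verb 3
dev-type tap
dev tap0
proto udp
cipher AES-128-CBC
auth RSA-SHA256
client
remote vpn.example.invalid 1194
ca /etc/openvpn/client/client1.ca
tls-auth /etc/openvpn/client/client1.tls-auth 1
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
"""


def check(text: str = SAMPLE) -> tuple[list[str], dict[str, str]]:
    return lint(parse_ovpn(text))


if __name__ == "__main__":
    findings, manual = check()
    print("\n".join(findings))
    print("set manually on /interface ovpn-client:", manual)
    print(strip_unsupported(SAMPLE))
```

The check only sees the profile, not the RouterOS side: the export in the post has `verify-server-certificate=no`, which means the client will not check the server's certificate against the imported CA even though that CA is present, so that flag is worth revisiting once the handshake itself works.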