hicawa8339
just joined
Topic Author
Posts: 10
Joined: Sun Feb 09, 2020 9:54 am

VPN cyberghostvpn

Sun Feb 09, 2020 10:24 am

Hi,

I have a problem with enabling a VPN connection to cyberghostvpn:

1 - OpenVPN client is not possible to use as cyberghost needs AUTH=AES256. Unfortunately I can use only unsupported SHA1 or MD5 auth types.
I consider this as more critical in comparison to not supported UDP on OpenVPN protocol. I would be happy with TCP too, but simply I can't connect ;)
Are there any plans to add these AUTH types to RouterOS? All major VPN providers are moving to AES256 or higher.

2 - I tried to create an L2TP/IPSEC connection but this doesn't work either. In the log file I can see an attempt to connect, but then it's terminated.

09:59:08 ipsec,debug 85.9.20.148 notify: NO-PROPOSAL-CHOSEN
09:59:08 ipsec 85.9.20.148 fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted

The same L2TP/IPSEC works on Windows or Android devices without problem. These protocols are outdated too, but still better than PPTP. I have tried to enable IPsec proposals, disable IPsec policies, change auth mechanisms but without success... Please help, I would like to use at least these protocols :(

3 - PPTP is the only protocol which is working on cyberghost for me.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN cyberghostvpn

Sun Feb 09, 2020 4:59 pm

Don't expect much from MikroTik's OpenVPN. SHA256 is something they will most likely add. And one day, maybe other missing features too. But they kept the whole thing in an unfinished state for over ten years, so it's clearly not their priority.

IPSec should work, you just need to find the right parameters, because the server doesn't like the current ones. Try to examine Windows or Android, to see if there's some info about the algorithms used.
 
hicawa8339
just joined
Topic Author
Posts: 10
Joined: Sun Feb 09, 2020 9:54 am

Re: VPN cyberghostvpn

Mon Feb 10, 2020 11:39 am

Thanks! Does someone have experience with setting up an L2TP/IPSEC connection to cyberghost? Thanks again
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: VPN cyberghostvpn

Mon Feb 10, 2020 4:09 pm

I used Cyberghost for a while till ~6 months ago, so below should work (but my notes are old... :-) )

Add interface L2TP client
In Dial Out add connect to Cyberghost server, IP address etc.
Profile - default encryption
select correct cipher type
Now interface state should say "connected"

mangle: in pre-routing mangle the IP address range to be sent over VPN with action mark-routing for cyberghost (+ enable passthrough)

Route: New route: GW your CyberghostVPN, routing mark yourcyberghostvpnmark

Hope it is clear... again, old notes...
 
hicawa8339
just joined
Topic Author
Posts: 10
Joined: Sun Feb 09, 2020 9:54 am

Re: VPN cyberghostvpn

Mon Feb 10, 2020 8:28 pm

Thanks, but I still have a problem with this.

I have tried to use a trial on safervpn, where MikroTik seems to be supported quite well, and I have created a connection without problem. It must be something on cyberghost servers, or I have some wrong settings somewhere, but it's hard to say where as I have tried nearly everything.

Seems that I would need to change my VPN provider soon ;)
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: VPN cyberghostvpn

Mon Feb 10, 2020 10:28 pm

Is the VPN interface showing up as "connected"?

If not, make sure you created the right Cyberghost service credentials and server name
and also enabled it in your Cyberghost user interface.

PS: I think about signing up with NordVPN, seems they have native support for Raspberry as well and
works on Mikrotik quite well.
(I could never make Cyberghost work on Raspberry without leakage...)
 
hicawa8339
just joined
Topic Author
Posts: 10
Joined: Sun Feb 09, 2020 9:54 am

Re: VPN cyberghostvpn

Mon Feb 10, 2020 10:44 pm

no, vpn is not connected...
 
WeWiNet
Long time Member
Posts: 597
Joined: Thu Sep 27, 2018 4:11 pm

Re: VPN cyberghostvpn

Tue Feb 11, 2020 10:07 am

Just dug out my set-up on an old box. Sorry, it was PPTP not L2TP... (hmm, strange)
/interface pptp-client
add add-default-route=yes connect-to=xxx.cg-dialup.net dial-on-demand=yes disabled=no keepalive-timeout=disabled name=pptp-cyberghost password=PASSWORD user=\
   USERNAME
I can't really say if that worked on its own, as it's just an old config file of one of my routers...
But in theory it should immediately show "connected".
 
hicawa8339
just joined
Topic Author
Posts: 10
Joined: Sun Feb 09, 2020 9:54 am

Re: VPN cyberghostvpn

Tue Feb 11, 2020 11:01 am

Yes, but PPTP is working for me also. The problem is that PPTP is too old and insecure. L2TP/IPSEC is more or less acceptable, but it's not working with cyberghost. At least not for me
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN cyberghostvpn

Tue Feb 11, 2020 7:12 pm

You're looking in the wrong place. Maybe someone in the MikroTik forum knows what exact settings some random VPN provider uses, but it would be pure luck.

Other than that, you can either:

a) Ask the VPN provider about correct settings. After all, you're a paying customer, it's in their interest to make you happy. IPSec has many options. They know what their servers use. If they support the protocol, they should tell you what you should use.

b) If you are able to connect from Windows or Android, then look for some status info about the established connection and try to find correct parameters there. In Windows, something should be in "Windows firewall with advanced security" (I'm not sure about the exact name, I don't have English Windows) and then in the left tree at the bottom. I don't know anything about Android.

c) Trial & error, try all options until you succeed. But it's not the best for IPsec, because there's quite a lot of them. But if it works with Windows, it won't be anything special, probably sha1, aes 128 or 256 cbc, modp1024 or 2048 or none for phase 2.
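
Added example (not part of Sob's post, and not a CyberGhost or MikroTik reference configuration): RouterOS commands that set the default IPsec profile and proposal to the algorithms listed in option c) and enable IPsec logging, so a NO-PROPOSAL-CHOSEN notify can be tied to phase 1 or phase 2. It assumes the L2TP client with use-ipsec=yes builds its dynamic peer and policy from the profile and proposal named default; the interface name l2tp-vpn and everything in <...> are placeholders, and nothing in the thread confirms that these values match CyberGhost's servers.

```routeros
# Added example; values in <...> are placeholders, not CyberGhost settings.

# Log the IPsec negotiation without packet dumps, so the log shows which
# phase receives the NO-PROPOSAL-CHOSEN notify.
/system logging add topics=ipsec,!packet action=memory

# Phase 1 (IKE): offer sha1 with AES-256/AES-128 and both DH groups
# named in option c).
/ip ipsec profile set [find name=default] hash-algorithm=sha1 \
    enc-algorithm=aes-256,aes-128 dh-group=modp2048,modp1024

# Phase 2 (ESP): sha1 with AES-CBC and no PFS group ("none for phase 2").
/ip ipsec proposal set [find name=default] auth-algorithms=sha1 \
    enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none

# L2TP client with IPsec enabled (assumption: pre-shared-key authentication).
/interface l2tp-client add name=l2tp-vpn connect-to=<SERVER> \
    user=<USERNAME> password=<PASSWORD> use-ipsec=yes \
    ipsec-secret=<PRE_SHARED_KEY> disabled=no

# After a connection attempt: an established peer plus installed SAs means
# both phases found a matching proposal.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

If the log still shows NO-PROPOSAL-CHOSEN, change one parameter at a time (for example pfs-group or dh-group) so the failing value can be identified.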
 
xls
just joined
Posts: 1
Joined: Mon Oct 05, 2020 5:17 pm

Re: VPN cyberghostvpn

Mon Oct 05, 2020 5:19 pm

Hi hicawa8339,
I have the same problem.
How do you solve it?
Thanks.
 
mrrc
just joined
Posts: 1
Joined: Sat Mar 12, 2022 5:20 pm

Re: VPN cyberghostvpn

Sat Mar 12, 2022 5:26 pm

Any news on the issue? Have you been able to hide Mikrotik and Cyberghost vpn lately?
7.2rc2 added SHA256 and SHA512 "Auth" values to the OVPN menus, but I still cannot establish a connection.
ovpn-out1: terminating... - unsupported auth digest
Any ideas?
Last edited by mrrc on Sat Mar 12, 2022 5:32 pm, edited 1 time in total.
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: VPN cyberghostvpn

Thu Jul 14, 2022 5:19 pm

+1, unable to make it work.

I've tried with IKEv2 but same problem :/

If someone can tell me what a good configuration for phase 1 & phase 2 is.

Thank you in advance,
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN cyberghostvpn

Thu Jul 14, 2022 6:56 pm

Why not use cyberghost wireguard VPN?
 
chucky2017
just joined
Posts: 6
Joined: Tue Dec 26, 2017 10:19 pm

Re: VPN cyberghostvpn

Fri Mar 10, 2023 4:22 pm

> Why not use cyberghost wireguard VPN?

Hello anav
Can you do an example with cyberghost and wireguard?
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN cyberghostvpn

Fri Mar 10, 2023 6:16 pm

Well, I have no clue what cyberghost provides you for client information?
In terms of information:
They provide you with your wireguard IP address.
They provide you with a public key from them which you stick into your router wireguard peer settings for the hostcyberguard.
They provide you with an endpoint address and endpoint port.
They should provide you with the DNS to use.
They may provide an MTU setting (rare).

The only tricky part is how to handle the public key your router wireguard interface (give it a name=wg-interface) generates from the random private key the router generates as well.
They may ask you for this public key, but more commonly,
they will give you the private key to stick into the wireguard interface you need to create (vice just hitting apply and letting the router generate one).
Thus they will already have your public key, so to speak.

On your router take whatever IP address they gave you, typically xx.yy.zz.tt/30, and assign the following:
/ip address add address=xx.yy.zz.tt/24 interface=wg-interface network=xx.yy.zz.0

On the peer interface settings for them you will need to indicate the endpoint address and port (and their public key) and, importantly,
allowed IPs: 0.0.0.0/0
persistent keepalive=35 seconds, for example.

One key config requirement is to ensure you source-NAT all your users to the wg IP address:
/ip firewall nat add chain=srcnat action=masquerade out-interface=wg-interface
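
Added example (not anav's own configuration and not taken from CyberGhost): the steps in the post above as one RouterOS 7 sequence, combined with the mark-routing approach WeWiNet describes earlier in the thread so that only a chosen LAN range is sent through the tunnel. The routing table name via-vpn and the LAN range 192.168.88.0/24 are assumptions, and every value in <...> is a placeholder for what the provider issues.

```routeros
# Added example for RouterOS 7; <...> values come from the provider.

# Interface using the private key issued by the provider, so the provider
# already holds the matching public key.
/interface wireguard add name=wg-interface private-key="<PRIVATE_KEY>"

# Provider peer: its public key, endpoint, all destinations allowed,
# keepalive as suggested in the post.
/interface wireguard peers add interface=wg-interface \
    public-key="<PROVIDER_PUBLIC_KEY>" endpoint-address=<ENDPOINT_ADDRESS> \
    endpoint-port=<ENDPOINT_PORT> allowed-address=0.0.0.0/0 \
    persistent-keepalive=35s

# Tunnel address exactly as issued by the provider.
/ip address add address=<TUNNEL_ADDRESS>/<PREFIX> interface=wg-interface

# Separate routing table whose only default route is the tunnel.
/routing table add name=via-vpn fib
/ip route add dst-address=0.0.0.0/0 gateway=wg-interface routing-table=via-vpn

# Mark traffic from the chosen LAN range (assumed 192.168.88.0/24) for that
# table; traffic addressed to the router itself is left alone.
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 \
    dst-address-type=!local action=mark-routing new-routing-mark=via-vpn \
    passthrough=yes

# Source-NAT everything leaving through the tunnel to the tunnel address.
/ip firewall nat add chain=srcnat action=masquerade out-interface=wg-interface

# Verify: the peer should show a recent last-handshake and growing rx/tx.
/interface wireguard peers print detail
```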
