Community discussions

MUM Europe 2020
 
technog0d
just joined
Topic Author
Posts: 2
Joined: Tue Aug 14, 2007 5:46 pm

Configuring OpenVPN

Tue Aug 14, 2007 5:53 pm

Can someone please post a how-to on configuring th OpenVPN server on routeros and then the client side. Specifically, does the routeros generate the certificate? The whole process would be nice.

Thanks in advance...
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6617
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: Configuring OpenVPN

Wed Aug 15, 2007 1:25 pm

RouterOS router does not generate the certificate, you have to use your own certificate and import it at /certificate and it should be decrypted by 'certificate decrypt'.

Client mode has teh following configuration options,
("interface ovpn-client"):
connect-to:
port:
user:
password:
certificate: If server is asking for private certificate.
auth: HMAC alghoritm to use.
cipher: make sure it is matching the server side configuration.
mode: configuration for encapsulation options, also it should match server side configuration.
mac-address: interface mac-address, ja mode=ethernet
profile:
add-default-route:

Note, that currently TCP tunnel is supported only.
 
technog0d
just joined
Topic Author
Posts: 2
Joined: Tue Aug 14, 2007 5:46 pm

Re: Configuring OpenVPN

Wed Aug 15, 2007 4:15 pm

i am really more interested in the server side for openvpn on Routeros. It does not seem like there is a provision for user auth on the server side. How do you make sure that the openvpn server is only allowing specified users. Is the certificate the only method of authorization?

Thanks Again...
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6617
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: Configuring OpenVPN

Wed Aug 15, 2007 4:30 pm

As far as I know you may specify clients at 'ppp profile', in the same way as for PPTP, L2TP.

OpenVPN server options ("interface ovpn-server server"):
enabled:
port:
mode:
netmask:
mac-address: server interface mac-address
max-mtu:
keepalive-timeout:
default-profile: ppp profile
certificate: server certificate
require-client-certificate: if certificate should be used on client
auth:
cipher:
 
burkon
newbie
Posts: 37
Joined: Tue Sep 12, 2006 2:57 pm

Re: Configuring OpenVPN

Tue Sep 04, 2007 5:48 pm

Anybody got this Up and running?
When I connect to Router OS 3.0 rc4 in server mode I receive this error:

Tue Sep 04 16:43:29 2007 us=462832 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 04 16:43:29 2007 us=463073 TLS Error: TLS handshake failed

No need to tell you that network connectivity is not the Problem.
For me the main problem is that I actually have no clue how to configure
the server side.

Is there some type of docu out there?

Or at least has anybody out there a working set of Router OS Server and PC Client
Windows or Linux should not be the issue since the config is the same.

Thanks
Ekkehard
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6617
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: Configuring OpenVPN

Wed Sep 05, 2007 4:11 pm

Ekkehard,
post your configuration here from Open-VPN server,
what OS is used on the client side ?
 
burkon
newbie
Posts: 37
Joined: Tue Sep 12, 2006 2:57 pm

Re: Configuring OpenVPN

Thu Sep 06, 2007 9:56 am

Ekkehard,
post your configuration here from Open-VPN server,
what OS is used on the client side ?
Hope that is all the relevant stuff.
Client OS is Windows 2000 with OpenVPN 2.0.7

Thanks
Ekkehard


/ip pool
add name="vpn_pool1" ranges=192.168.224.2-192.168.224.250

/ppp profile
set default change-tcp-mss=yes comment="" name="default" only-one=default \
use-compression=default use-encryption=default use-vj-compression=default
add change-tcp-mss=yes comment="" local-address=192.168.224.1 name="openvpn" \
only-one=default remote-address=vpn_pool1 use-compression=default \
use-encryption=required use-vj-compression=default

/interface ovpn-server server
set auth=sha1,md5 certificate=home.dev-null.de \
cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn \
enabled=yes keepalive-timeout=60 mac-address=FE:F1:BB:9B:A4:AC \
max-mtu=1400 mode=ip netmask=32 port=1194 require-client-certificate=yes
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: Configuring OpenVPN

Mon Sep 17, 2007 10:00 pm

I was looking at this and am getting similar errors. I've tried to set things up as Ekkehard and see exact the same issue. Release is Router 3.0rc4.

Could anyone post a working server setup (Mikrotik being the server ?). Might shed a bit more light into things.

In my case the client is Debian and OpenVPN 2.09

/Martin
 
tschlegel
just joined
Posts: 2
Joined: Sun May 27, 2007 10:06 pm

Re: Configuring OpenVPN

Fri Oct 12, 2007 3:28 pm

It seems to be that MT needs TLS, otherwise it will kill the connection after 1 minute.
You have to setup the openvpn at the linux-side with tls.
It seems to be that MT currently only supports pkcs12 certificates for openvpn.

Simple howto (Debian as Server, MT as client):
# copy easy-rsa to /etc/openvpn:
cp /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
# edit the file vars:
vi vars
# import vars and build-ca
. ./vars
./clean-all
./build-ca # set "OpenVPN-CA" as common name (or anything else you want as CN)
./build-key-server # set "server" as common name (or anything else you want as CN)
./build-dh
# build cert for client1 (MT):
./build-cert-pkcs12 client1 # set "client1" as common name (or anything else you want as CN)
### copy keys/client1.* to MT and import the client1.p12

add this to your openvpn config at debian:
cipher BF-CBC
auth SHA1
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
proto tcp-server # MT currently only supports tcp

# MT needs that openvpn assign ip addresses...
server 192.168.10.0 255.255.255.0

## At MT set the same cipher and auth as above and set the cert to the first cert
## which was created after import (the cert with the flags "KR" at /certificates)



Best regards,
Timo Schlegel
 
acidbits
just joined
Posts: 10
Joined: Mon Jun 25, 2007 11:45 pm

Re: Configuring OpenVPN

Sun Oct 14, 2007 7:21 pm

I'm testing OpenVPN client on a RB133C with v3.0rc6. I know it's a beta, and it's first time I try it. This version is extremely slow, sure it's a bug. It lasts a lot to boot and establish the OpenVPN connection. Each time I enable/disable OpenVPN client, or try to import a certificate, or whatever, RouterOS crash.

As is the first time I try it, and gone stright forward to try OpenVPN, don't know if this issue comes from OpenVPN or it's "normal" for this Beta running on RB133C.

a.
 
pingus
newbie
Posts: 34
Joined: Fri Aug 24, 2007 10:04 am

Re: Configuring OpenVPN

Tue Oct 16, 2007 5:06 pm

Did it one the other way around, MT as server and linux as client?

I can open a connection but I can not ping MT and the client doesn't receive an IP from the router.
 
acidbits
just joined
Posts: 10
Joined: Mon Jun 25, 2007 11:45 pm

Re: Configuring OpenVPN

Tue Oct 16, 2007 5:40 pm

Did it one the other way around, MT as server and linux as client?

I can open a connection but I can not ping MT and the client doesn't receive an IP from the router.
No, I've just tested MK as client and Linux-box as server. and it works.

a.
 
pingus
newbie
Posts: 34
Joined: Fri Aug 24, 2007 10:04 am

Re: Configuring OpenVPN

Wed Oct 17, 2007 10:01 am

This is good for you but doesn't helps me :)

Here is my linux config:
  dev tun0
  proto tcp-client
  ifconfig 10.10.11.34 10.10.11.33 #because I don't receive an IP address

  remote mt.fqdn.tld 1194

  ca /etc/ssl/certs/root.pem #CAcert root certificate
  cert client.cert
  key  client.key

  tls-client
  tls-remote mt.fqdn.tld

  port 1194

  user nobody
  group nogroup

  comp-lzo

  ping 15
  ping-restart 45
  ping-timer-rem
  persist-tun
  persist-key

  mute-replay-warnings
  verb 3
MT config
/interface ovpn-server 
add comment="" disabled=no name="ovpn-in1" user="" 
/interface ovpn-server server 
set auth=sha1,md5 certificate=rb532 cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=profile1 enabled=yes keepalive-timeout=disabled \
    mac-address=FE:ED:07:A3:D1:17 max-mtu=1500 mode=ip netmask=32 port=1194 \
    require-client-certificate=yes 

/ppp profile 
set default change-tcp-mss=yes comment="" name="default" only-one=default \
    use-compression=default use-encryption=default use-vj-compression=default 
add bridge=lan change-tcp-mss=yes comment="" local-address=10.10.11.33 \
    name="profile1" only-one=default remote-address=10.10.11.34 \
    use-compression=default use-encryption=required use-vj-compression=default 
set default-encryption change-tcp-mss=yes comment="" name="default-encryption" \
    only-one=default use-compression=default use-encryption=yes \
    use-vj-compression=default 

/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 \
    protocol=tcp 
Hopefully I added all relevant config.
 
acidbits
just joined
Posts: 10
Joined: Mon Jun 25, 2007 11:45 pm

Re: Configuring OpenVPN

Wed Oct 17, 2007 8:42 pm

Maybe you need to add this to you linux config:

cipher BF-CBC
auth SHA1

I don't have any rboard at home to test right now, sorry.
 
pingus
newbie
Posts: 34
Joined: Fri Aug 24, 2007 10:04 am

Re: Configuring OpenVPN

Thu Oct 25, 2007 12:03 pm

How do I have to configure the firewall to get MT as OpenVPN server running?
 
pingus
newbie
Posts: 34
Joined: Fri Aug 24, 2007 10:04 am

Re: Configuring OpenVPN

Mon Oct 29, 2007 12:38 pm

As I could test with 2 RouterOS the firewall isn't a problem. Two RouterOS are connecting well.

Is it possible that OpenVPN Server on RouterOS is waiting for a username? Can I send a username from OpenVPN Client running on Linux?
 
pingus
newbie
Posts: 34
Joined: Fri Aug 24, 2007 10:04 am

Re: Configuring OpenVPN

Mon Oct 29, 2007 2:50 pm

Finally I got OpenVPN working to the point where I have a registred connection. I also get an IP address. Now I have to find out how to ping across the two routers.

Here are my linux client settings:
dev tun0
  proto tcp-client

  remote example.com 1194

  ca root.pem
  cert client.cert
  key  client.key

  tls-client
  tls-remote example.com

  port 1194

  user nobody
  group nogroup

  comp-lzo

  ping 15
  ping-restart 45
  ping-timer-rem
  persist-tun
  persist-key

  mute-replay-warnings

  verb 3

  cipher AES-256-CBC
  auth SHA1
  pull

  auth-user-pass auth.conf
inside auth.conf you have to enter the username on the first line and on the second line the password of the user you want to login.

I hope this will help someone else.
Last edited by pingus on Mon Oct 29, 2007 4:28 pm, edited 1 time in total.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Configuring OpenVPN

Mon Oct 29, 2007 3:20 pm

you can make a wiki article on this, if you are sure it works every time :) also write the RouterOS config there. go here:

http://wiki.mikrotik.com/wiki/OpenVPN

and hit the Edit button (after logging in)
No answer to your question? How to write posts
 
pingus
newbie
Posts: 34
Joined: Fri Aug 24, 2007 10:04 am

Re: Configuring OpenVPN

Mon Oct 29, 2007 3:52 pm

Sure, I will do this as soon as I fixed ping issues.
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: Configuring OpenVPN

Fri Nov 09, 2007 12:22 am

I've tried to get OpenVPN going proper for a while now. RouterOS client to Linux Server no problem. But RouterOS client to RouterOS server always ends up with:

00:08:57 ovpn,info TCP connection established from 192.168.0.2
00:08:57 ovpn,info <ovpn-0>: dialing...
00:08:58 ovpn,info <ovpn-0>: terminating... - TLS handshake failed
00:08:58 ovpn,info <ovpn-0>: disconnected

The same RouterOS client has no problems connecting to a Linux OpenVPN server without configuration change.

I then tried to follow the wiki, that pingus has put together. Still NO GO. Both boxes are now 3.0rc9, still with those issues (were 3.0rc5 before).

Anyhow, I've send supout.rif's of both boxes to support, let's see, what they come up with.

/Martin
Communication is the beginning of understanding
-- AT&T
 
User avatar
marlow
Member Candidate
Member Candidate
Posts: 159
Joined: Thu Mar 16, 2006 6:59 pm
Location: Ireland

Re: Configuring OpenVPN

Sun Nov 11, 2007 2:29 am

require-client-certificate was the problem. That doesn't seem to work yet. Once set to "no", both Linux and RouterOS clients will connect.

Bugger. Anyhow, I've updated the Wiki article at http://wiki.mikrotik.com/wiki/OpenVPN, so it should cover all angles and hopefully also the potholes now.

/Martin
Communication is the beginning of understanding
-- AT&T
 
User avatar
thavinci
Member
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg
Contact:

Re: Configuring OpenVPN

Fri May 02, 2008 1:19 pm

acidbits : How do you get openvpn to work with usernames & passwords?
Currently i have a working solution that lets clients connect with their certificates only.

However it seems MT doesnt allow you to NOT specify a username!
http://www.thavinci.za.net

echo "Demo license expired!"
echo "Please reinstall the router."
echo
kill -WINCH 1
exit
 
venoushcz
just joined
Posts: 5
Joined: Tue Oct 21, 2008 10:30 am

Re: Configuring OpenVPN

Sat Nov 01, 2008 7:02 pm

I've tried to get OpenVPN going proper for a while now. RouterOS client to Linux Server no problem. But RouterOS client to RouterOS server always ends up with:

00:08:57 ovpn,info TCP connection established from 192.168.0.2
00:08:57 ovpn,info <ovpn-0>: dialing...
00:08:58 ovpn,info <ovpn-0>: terminating... - TLS handshake failed
00:08:58 ovpn,info <ovpn-0>: disconnected

The same RouterOS client has no problems connecting to a Linux OpenVPN server without configuration change.

I then tried to follow the wiki, that pingus has put together. Still NO GO. Both boxes are now 3.0rc9, still with those issues (were 3.0rc5 before).

Anyhow, I've send supout.rif's of both boxes to support, let's see, what they come up with.

/Martin
Hi!
I have the Linux server oVPN working fine. Linux and Windows clients are connecting succesfully. I'm not able to connect with the ROS client. Please cen you give me a short walk-through on how to make it work? I know there are more ppl that would be happy to read it.

Thank you for help.
 
User avatar
thavinci
Member
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg
Contact:

Re: Configuring OpenVPN

Tue Jul 07, 2009 12:11 pm

I still cannot get openvpn client connecting to a unix/linux openvpn server.

It seems i still cannot create a client without specifying a user-name!
I don't use user names/passwords, only certificates.



Image
http://www.thavinci.za.net

echo "Demo license expired!"
echo "Please reinstall the router."
echo
kill -WINCH 1
exit
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: Configuring OpenVPN

Tue Jul 07, 2009 2:34 pm

yesss, only username+password, no certificates
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Configuring OpenVPN

Tue Jul 07, 2009 2:58 pm

or
username+password+certificate
 
User avatar
thavinci
Member
Member
Posts: 334
Joined: Sat Aug 04, 2007 4:40 pm
Location: Johannessburg
Contact:

Re: Configuring OpenVPN

Tue Jul 07, 2009 3:08 pm

Unfortunately that would require a redo of the server and loss of current clients....
http://www.thavinci.za.net

echo "Demo license expired!"
echo "Please reinstall the router."
echo
kill -WINCH 1
exit
 
User avatar
NAB
Trainer
Trainer
Posts: 503
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK
Contact:

Re: Configuring OpenVPN

Sun Oct 04, 2009 11:34 pm

Anyhow, I've updated the Wiki article at http://wiki.mikrotik.com/wiki/OpenVPN, so it should cover all angles and hopefully also the potholes now.
These updates are now out of date and I have corrected one obvious mistake I found. However...

The command '/interface ovpn-server server [name] cipher=none' is invalid as on the server, 'none' is not a valid option for 'cipher' in ROS 3.29 or 3.30. It is a valid option on the client though, so I assume that this is a bug and have e-mailed support accordingly.
Nicholas Barnes BSc(hons)
Certified Mikrotik Consultant
Certified Mikrotik Trainer

Vitell - Asterisk, Linux and network consultants
Unofficial IRC channel: #routerboard on irc.z.je
 
risipetillo
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Tue Feb 03, 2009 7:08 pm

Re: Configuring OpenVPN

Mon Mar 22, 2010 5:25 am

I've followed the WIKI and I'm having similar problems when I try to get my ROS OVPN Client (v3.30) to speak to my ROS OVPN Server (v3.30).

I get the following error: terminating ... TLS Handshake Failed

I don't understand where I'm going wrong. PLEASE HELP !!!

Kindly see my configuration below:



SERVER SIDE CONFIGURATION

/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38

/ppp profile add change-tcp-mss=default comment="" local-address=10.15.32.33 \
name="PROFILE" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default

/ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=ovpn


/interface ovpn-server server set auth=sha1,md5 \
cipher=blowfish128,aes128,aes192,aes256 default-profile=PROFILE\
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=443 require-client-certificate=no


FIREWALL RULE TO ALLOW ACCESS:

ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=443 protocol=tcp

CLIENT CONFIGURATION:

/interface ovpn-client \
add name="ovpn-out1" connect-to=W.X.Y.Z port=443 mode=ip user="username" password="password" profile=default \
certificate=none cipher=aes256 add-default-route=no
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Configuring OpenVPN

Tue Mar 23, 2010 1:34 am

Default profile on client side is no encryption. You are requiring encryption on the server side. Cant negotiate encryption if one side isnt configured to use it.

Thatd be my guess..
 
risipetillo
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Tue Feb 03, 2009 7:08 pm

Re: Configuring OpenVPN

Tue Mar 23, 2010 7:12 pm

As far as I understand the "cipher= xxxx" is where we would enable encryption or not.

I have encryption on both the Server and Client side:

/interface ovpn-server server set auth=sha1,md5 \
cipher=blowfish128,aes128,aes192,aes256 default-profile=PROFILE\
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=443 require-client-certificate=no


FIREWALL RULE TO ALLOW ACCESS:

ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=443 protocol=tcp

CLIENT CONFIGURATION:

/interface ovpn-client \
add name="ovpn-out1" connect-to=W.X.Y.Z port=443 mode=ip user="username" password="password" profile=default \
certificate=none cipher=aes256 add-default-route=no
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Configuring OpenVPN

Wed Mar 24, 2010 5:47 am

Yeah, I just tried it. It doesnt matter for OVPN.

Did you try putting a cert in on the server? I never have run w/o a cert on the server before.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Configuring OpenVPN

Wed Mar 24, 2010 8:08 am

On a server you need CA and "server" certificates, otherwise OVPN will not work.
 
risipetillo
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Tue Feb 03, 2009 7:08 pm

Re: Configuring OpenVPN

Thu Mar 25, 2010 4:47 pm

I've put a cert on the server, and on the client and still nothing.

Can someone show me their working config, I don't know what I'm doing wrong here.

Additionally, I have an L2TP server running on the same box without any issues: clients are able to connect via L2TP without a problem. Just having a problem with OpenVPN.

PLEASE HELP, I'm getting my butt handed to me by this Mikrotik box ... lol
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Configuring OpenVPN

Thu Mar 25, 2010 6:26 pm

Do you have a cert installed and assigned to the openvpn server AND the CA cert that signed it?
 
risipetillo
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Tue Feb 03, 2009 7:08 pm

Re: Configuring OpenVPN

Thu Mar 25, 2010 6:35 pm

Yup, I used EASY-RSA Method prescribed in the Wiki.

This is what I have:

Kindly see below:

SERVER

ppp secret:

name="username" service=ovpn caller-id="" password="password" profile=default routes="" limit-bytes-in=0 limit-bytes-out=0

Ovpn Pool:

2 ovpn-pool 10.15.32.34-10.15.32.38

PPP Profile:

ppp profile print
Flags: * - default
0 * name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes

1 name="Beya_Voip" local-address=10.15.32.33 remote-address=ovpn-pool use-compression=default use-vj-compression=default
use-encryption=required only-one=default change-tcp-mss=default

Ovpn-Server Server:
interface ovpn-server server print

enabled: yes
port: 443
mode: ip
netmask: 29
mac-address: FE:50:A6:C5:67:B9
max-mtu: 1500
keepalive-timeout: disabled
default-profile: Beya_Voip
certificate: cert1
require-client-certificate: yes
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256


CLIENT

interface ovpn-client print detail

Flags: X - disabled, R - running
0 name="ovpn-out1" mac-address=FE:84:A8:9E:19:43 max-mtu=1500 connect-to=172.16.0.1 port=443 mode=ip user="username"
password="password" profile=default certificate=cert1 auth=sha1 cipher=aes256 add-default-route=no


LOG

21:43:01 ovpn,info TCP connection established from W.X.Y.Z
21:43:02 ovpn,info TCP connection established from W.X.Y.Z
21:43:05 ovpn,info TCP connection established from W.X.Y.Z
21:43:05 ovpn,info TCP connection established from W.X.Y.Z

PING from Client:

ping 10.15.32.33
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
10.15.32.33 ping timeout
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Configuring OpenVPN

Thu Mar 25, 2010 9:22 pm

Your user is assigned to the default profile and the default profile doesnt have an ip pools. Assign the user to the Beya_voip profile.
 
risipetillo
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Tue Feb 03, 2009 7:08 pm

Re: Configuring OpenVPN

Thu Mar 25, 2010 11:26 pm

Ok, I've set my client profile to: Beya_Voip

> ppp profile print
name="username" service=ovpn caller-id="" password="password" profile=Beya_Voip routes="" limit-bytes-in=0 limit-bytes-out=0


Still not working:

Can you post a working example.


CLIENT:

> interface ovpn-client print detail
Flags: X - disabled, R - running
0 name="ovpn-out1" mac-address=FE:84:A8:9E:19:43 max-mtu=1500 connect-to=172.16.0.1 port=443 mode=ip user="username"
password="password" profile=default certificate=cert1 auth=none cipher=blowfish128 add-default-route=no



Client Logs:

16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:33 ovpn,info TCP connection established from 172.16.0.254



Server Logs:

16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:28 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:31 ovpn,info TCP connection established from 172.16.0.254
16:24:33 ovpn,info TCP connection established from 172.16.0.254



SERVER CONFIG

> ppp profile print
Flags: * - default
0 * name="default" use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes

1 name="Beya_Voip" local-address=10.15.32.33 remote-address=ovpn-pool use-compression=default use-vj-compression=default
use-encryption=required only-one=default change-tcp-mss=default


> ppp secret print
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
6 username ovpn password Beya_Voip


> ip pool print
# NAME RANGES
2 ovpn-pool 10.15.32.34-10.15.32.38


> interface ovpn-server server print
enabled: yes
port: 443
mode: ip
netmask: 29
mac-address: FE:50:A6:C5:67:B9
max-mtu: 1500
keepalive-timeout: disabled
default-profile: Beya_Voip
certificate: cert1
require-client-certificate: yes
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Configuring OpenVPN

Fri Mar 26, 2010 12:59 am

Default profile is "Customer" which is for people authenticated via RADIUS. Irrelevant here, but I included it just so it made sense.


/ppp profile
add change-tcp-mss=no comment="" local-address=10.0.0.1 name=PSGVPN only-one=\
no use-compression=no use-encryption=required use-vj-compression=no
add change-tcp-mss=no comment="" local-address=10.16.128.1 name=Customer \
only-one=no use-compression=no use-encryption=required \
use-vj-compression=no

/interface ovpn-server server
set auth=sha1 certificate=fw-1 cipher=aes128,aes192,aes256 default-profile=\
Customer enabled=yes keepalive-timeout=60 mac-address=FE:1D:10:11:78:AB \
max-mtu=1500 mode=ip netmask=32 port=1194 require-client-certificate=yes

/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 \
name=someone password=something profile=PSGVPN remote-address=\
10.0.0.2 routes="" service=ovpn

And for the client:

/ppp profile
set default-encryption change-tcp-mss=default comment="" name=\
default-encryption only-one=default use-compression=default \
use-encryption=required use-vj-compression=default
/interface ovpn-client
add add-default-route=no auth=sha1 certificate=usercert cipher=aes256 \
comment="" connect-to=1.2.3.4 disabled=no mac-address=\
00:00:00:00:00:00 max-mtu=1500 mode=ip name=ovpn-out1 password=\
somepass port=1194 profile=default-encryption user=someuser
 
risipetillo
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Tue Feb 03, 2009 7:08 pm

Re: Configuring OpenVPN

Fri Mar 26, 2010 6:03 pm

Following your example it worked !!!!

I had to reboot my RB450 (not too sure why) before it started working.

I now have two clients configured for it.

Thanks a million.

For a second there I was loosing hope in this forum .... ;)

Thanks again.
 
Pada
Member Candidate
Member Candidate
Posts: 150
Joined: Tue Dec 08, 2009 11:37 pm
Location: South Africa, Stellenbosch

Re: Configuring OpenVPN

Fri Sep 23, 2011 1:16 am

risipetillo: you're my saviour!

I had to reboot my RouterOS v5.2 x86 before the MikroTik OpenVPN server worked with my RHEL v6 OpenVPN client.
 
theprism
newbie
Posts: 27
Joined: Sun Sep 16, 2012 4:11 pm

Re: Configuring OpenVPN

Sun Jan 27, 2013 10:49 pm

Hello,

Does anyone knows how to generate the certificates without having a real domain and without having a root/admin/etc. mail (e.g. root@bla-bla.bla.com)?

Thank you,
Alex C.
 
Pada
Member Candidate
Member Candidate
Posts: 150
Joined: Tue Dec 08, 2009 11:37 pm
Location: South Africa, Stellenbosch

Re: Configuring OpenVPN

Sun Jan 27, 2013 10:58 pm

Have a look at OpenVPN's Easy RSA stuff: http://openvpn.net/index.php/open-sourc ... ement.html

Alternatively you can create certificates with OpenSSL command line application.
 
metalcated
just joined
Posts: 4
Joined: Fri Apr 19, 2013 3:07 pm

Re: Configuring OpenVPN

Thu May 02, 2013 5:42 pm

I followed the Wiki page and mostly feel I have VPN working minus being able to actually connect outside of my network. I am new to MikroTik and RouterOS but have background with similar setup's.

When I try to connect .. client -> server -->
Thu May 02 10:33:09 2013 OpenVPN 2.3.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar 28 2013
Enter Management Password:
Thu May 02 10:33:09 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu May 02 10:33:09 2013 Need hold release from management interface, waiting...
Thu May 02 10:33:09 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu May 02 10:33:09 2013 MANAGEMENT: CMD 'state on'
Thu May 02 10:33:09 2013 MANAGEMENT: CMD 'log all on'
Thu May 02 10:33:09 2013 MANAGEMENT: CMD 'hold off'
Thu May 02 10:33:09 2013 MANAGEMENT: CMD 'hold release'
Thu May 02 10:33:09 2013 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Thu May 02 10:33:09 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu May 02 10:33:09 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu May 02 10:33:09 2013 Socket Buffers: R=[516096->516096] S=[172032->172032]
Thu May 02 10:33:09 2013 MANAGEMENT: >STATE:1367505189,RESOLVE,,,
Thu May 02 10:33:10 2013 Attempting to establish TCP connection with [AF_INET]1.2.3.4:1194
Thu May 02 10:33:10 2013 MANAGEMENT: >STATE:1367505190,TCP_CONNECT,,,
Thu May 02 10:33:10 2013 TCP connection established with [AF_INET]1.2.3.4:1194
Thu May 02 10:33:10 2013 TCPv4_CLIENT link local: [undef]
Thu May 02 10:33:10 2013 TCPv4_CLIENT link remote: [AF_INET]1.2.3.4:1194
Thu May 02 10:33:10 2013 MANAGEMENT: >STATE:1367505190,WAIT,,,
Thu May 02 10:33:10 2013 MANAGEMENT: >STATE:1367505190,AUTH,,,
Thu May 02 10:33:10 2013 TLS: Initial packet from [AF_INET]1.2.3.4:1194, sid=2f7c2caf b8722829
Thu May 02 10:33:10 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu May 02 10:33:11 2013 VERIFY OK: depth=1, C=US, ST=ST, L=City, O=Company, OU=changeme, CN=changeme, name=changeme, emailAddress=mgomon@myemail.com
Thu May 02 10:33:11 2013 VERIFY OK: depth=0, C=US, ST=ST, L=City, O=Company, OU=changeme, CN=changeme, name=changeme, emailAddress=mgomon@myemail.com
Thu May 02 10:33:13 2013 Connection reset, restarting [0]
Thu May 02 10:33:13 2013 SIGUSR1[soft,connection-reset] received, process restarting
Thu May 02 10:33:13 2013 MANAGEMENT: >STATE:1367505193,RECONNECTING,connection-reset,,
Thu May 02 10:33:13 2013 Restart pause, 5 second(s)
1.2.3.4 = WAN IP

here is my setup -->
/interface ovpn-client> print
 0    name="ovpn-mgomon1" mac-address=FE:26:1F:6C:D3:14 max-mtu=1500 connect-to=1.2.3.1 por
      user="mgomon" password="mypassword" profile=GNSYR certificate=mgomon1 auth=sha1 cipher=
      add-default-route=no
/interface ovpn-server> print
0     ovpn-username           mgomon
/interface ovpn-server server> print
                     enabled: yes
                        port: 1194
                        mode: ip
                     netmask: 29
                 mac-address: FE:39:12:7E:5B:72
                     max-mtu: 1500
           keepalive-timeout: disabled
             default-profile: GNSYR
                 certificate: gnsyrap01
  require-client-certificate: no
                        auth: sha1,md5
                      cipher: blowfish128,aes128,aes192,aes256
These are just test certificates -->
/certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa, C - crl 
 0 KR  name="gnsyrap01" subject=C=US,ST=ST,L=City,O=Company,OU=changeme,CN=changeme,name=changeme,
        emailAddress=mgomon@myemail.com
       issuer=C=US,ST=ST,L=City,O=Company,OU=changeme,CN=changeme,name=changeme,
       emailAddress=mgomon@myemail.com
       serial-number="01" email=mgomon@myemail.com invalid-before=may/01/2013 21:19:01 
       invalid-after=apr/29/2023 21:19:01 trusted=yes 

 2 KR  name="mgomon1" subject=C=US,ST=ST,L=City,O=Company,OU=changeme,CN=changeme,name=changeme,
        emailAddress=mgomon@myemail.com
       issuer=C=US,ST=ST,L=City,O=Company,OU=changeme,CN=changeme,name=changeme,
       emailAddress=mgomon@myemail.com
       serial-number="02" email=mgomon@myemail.com invalid-before=may/01/2013 21:28:03 
       invalid-after=apr/29/2023 21:28:03 trusted=yes
/ip address> print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                        
 0   ;;; default wifi configuration
     10.0.0.1/24        10.0.0.0        lan-wireless-bgn                                                                 
 1 X ;;; default server configuration
     10.0.1.1/24        10.0.1.0        lan-servers-e5                                                                   
 2   ;;; default lan configuration
     10.0.0.1/24        10.0.0.0        lan-e2                                                                           
 3   ;;; default lan-vpn configuration
     10.15.30.31/24     10.15.30.0      lan-e2                                                                           
 4 D 1.2.3.4/20   1.2.3.0     wan-e1
/ip pool> print         
 3 ovpn-private                                                                           10.15.32.34-10.15.32.38
/ip route> print
 0 ADS  0.0.0.0/0                          1.2.3.1               0
 1 ADC  10.0.0.0/24        10.0.0.1        wan-lan-bridge            0
                                           wan-lan-bridge    
 2 X S  10.0.1.1/32                        10.0.1.1                  1
 3 ADC  10.15.30.0/24      10.15.30.31     wan-lan-bridge            0
 4 ADC  1.2.3.0/20     1.2.3.4   wan-e1                    0
/ip firewall nat> print
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=wan-e1 
/ppp profile> print
 1   name="GNSYR" local-address=10.15.32.33 remote-address=ovpn-private use-mpls=default use-compression=default 
     use-vj-compression=default use-encryption=required only-one=default change-tcp-mss=default address-list=""
[mgomon@gnsyrap01] /ppp secret> print 
 #   NAME                 SERVICE CALLER-ID                PASSWORD                PROFILE                REMOTE-ADDRESS 
 0   mgomon               any                             mypass           default       
For this test I disabled Rule 3
/ip firewall filter> print
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 

 1   ;;; default configuration
     chain=input action=accept connection-state=established 

 2   ;;; default configuration
     chain=input action=accept connection-state=related 

 3 X ;;; default configuration
     chain=input action=drop in-interface=wan-e1 

 4   ;;; OpenVPN
     chain=input action=accept protocol=tcp dst-port=1194
Client Config -->
proto tcp-client

remote my.wan_hostname.com 1194
dev tap

route add 10.20.30.0 mask 255.255.255.0 10.15.30.31

nobind
persist-key

tls-client
ca ca.crt # Root certificate in the same directory as this configuration file.
cert mgomon1.crt
key  mgomon1.key
ping 10
verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg

Any help in the right direction would be appreciated! Thanks.
 
felted67
just joined
Posts: 17
Joined: Sat Mar 16, 2013 5:24 pm

Re: Configuring OpenVPN

Thu May 02, 2013 11:46 pm

Hi !

Just a small question (not to complicate that stuff at all):

Did someone got openVPN-Server running in conjunction with PPPoE-Client ?

(Here´s my posting about that: http://forum.mikrotik.com/viewtopic.php?f=1&t=72072)

Thanks

Greetz.......Detlef

Who is online

Users browsing this forum: No registered users and 58 guests