arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

Site-2-Site OpenVPN -- TLS failed

Tue Jan 25, 2022 9:44 pm

Hello everyone!

I'm struggling with configuring the client part of a Site-2-Site OVPN.
For the same person I have already configured a Site-2-Client (same server), which works properly.

I have only one file available: the Windows client .ovpn file.
From that, I was able to extract the ca.crt, the client.crt, the client.key and one more key, the client_tls.key (the .ovpn has a "tls-crypt" parameter).
I was able to import the ca.crt, the client.crt, and the two keys successfully,
- either by importing them one by one
[screenshot attachment]
- or by importing the .ovpn as it is (it detected and separated the two certs automatically)
[screenshot attachment]

Now, as you can see from the .ovpn file below, the client uses UDP and also compression:
client
dev tun
proto udp
remote xxxxxx.xxxxx.xxxx xxxx
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
compress
verb 3
cipher AES-256-GCM
auth SHA512
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-crypt new-test.key
tls-version-min 1.2
auth-retry nointeract
I had no problem with UDP, since ROS 7.1.1 gives the option to use it.
I also guess that I should be OK with compression because I have set a PPP profile with "Use Compression" = Yes (am I really ???)

The problem is that - as you saw above - the client config from the .ovpn file doesn't provide me with any username or password.
Without knowing what to do, I just used a random username and no password.
My OVPN link seemed to be established:
[screenshot attachment]


I was very happy at first.
But then I got this in my logs:
[screenshot attachment]

So I think I have two problems, one with encryption and another with authentication.
Even if I figure out something about TLS, how can I implement this on MikroTik without using credentials?
The client keeps claiming that he has been told this is possible...... :?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site-2-Site OpenVPN -- TLS failed

Tue Jan 25, 2022 11:35 pm

What did you do with "tls-crypt new-test.key"? AFAIK RouterOS doesn't support this. And compression may be a problem too (I know that RouterOS doesn't have LZO, but I'm not sure if it supports anything else).
 
arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

Re: Site-2-Site OpenVPN -- TLS failed

Wed Jan 26, 2022 12:20 am

What did you do with "tls-crypt new-test.key"? AFAIK RouterOS doesn't support this. And compression may be a problem too (I know that RouterOS doesn't have LZO, but I'm not sure if it supports anything else).
Thank you very much Sob for taking the time to answer me.

I'm not sure at all about that..... but what I did was to combine the real private key and the TLS key in one .key file like this:
-----BEGIN PRIVATE KEY-----
...
...
-----END PRIVATE KEY-----
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
...
-----END OpenVPN Static key V1-----
I just thought of it because that's how it goes for the .ovpn file used for the Windows client:
<ca>
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
....
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
.....
-----END OpenVPN Static key V1-----
</tls-crypt>
Without the TLS key at the end the Windows client does not connect, so I thought to give it a try.


After importing the combined file as a .key file, ROS accepted it, and I got a KT flag.
But again... it may accept this because it reads only the first part of it (the private key)...


Regarding the compression, I just read in the log file of the Windows client that it connected using "lz4".
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site-2-Site OpenVPN -- TLS failed

Wed Jan 26, 2022 1:14 am

If you import certificates or keys in PEM format (the readable kind you have), the system looks for data in known blocks (-----BEGIN/END CERTIFICATE/PRIVATE KEY-----) and everything else is ignored as comments. So you didn't get any error, but neither did you import the static key. I don't think you can succeed with this config and current RouterOS.
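The two mechanics discussed above, arisk's step of pulling the inline blocks out of the .ovpn and Sob's point that a PEM importer keeps only the block types it knows and silently ignores the rest, can be checked before touching the router. The script below is an added example, not code from this thread, from MikroTik or from OpenVPN. It assumes a constructed sample profile with placeholder bodies and a `.invalid` hostname, and it models the importer as recognising only the `CERTIFICATE` and `PRIVATE KEY` labels (an assumption based on Sob's description, not a documented RouterOS rule). It also flags the directives the replies in this thread report as unsupported or version-gated on RouterOS (`tls-crypt`, `compress`, `auth SHA512`).

```python
"""Added example (not code from the forum thread, MikroTik or OpenVPN): split
an OpenVPN .ovpn profile into its directives and inline <tag> blocks, then
predict what a PEM importer that only recognises CERTIFICATE / PRIVATE KEY
blocks (the behaviour Sob describes for RouterOS) would keep or silently drop,
and list the directives the thread reports as unsupported or version-gated."""
import re

# Constructed sample profile in the layout arisk showed; every body is a
# placeholder string, not real key or certificate material.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
compress
cipher AES-256-GCM
auth SHA512
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
QUFBQUFB
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
QkJCQkJC
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Q0NDQ0ND
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

INLINE_RE = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>\n?", re.S)
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\n(?P<body>.*?)\n-----END (?P=label)-----", re.S
)

# Assumption modelling Sob's description: only these block labels are imported;
# any other -----BEGIN ...----- block (or comment line) is ignored.
RECOGNISED_LABELS = {"CERTIFICATE", "PRIVATE KEY"}


def split_profile(text):
    """Return (directives, inline_blocks); directives as (name, args) tuples."""
    inline = {m.group("tag"): m.group("body") for m in INLINE_RE.finditer(text)}
    directives = []
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, inline


def pem_blocks(text):
    """All -----BEGIN X----- ... -----END X----- blocks, as (label, body)."""
    return [(m.group("label"), m.group("body")) for m in PEM_RE.finditer(text)]


def predict_import(text):
    """Mimic the importer: recognised labels are kept, the rest are dropped."""
    kept, dropped = [], []
    for label, _ in pem_blocks(text):
        (kept if label in RECOGNISED_LABELS else dropped).append(label)
    return kept, dropped


def directive_notes(directives, inline_tags):
    """Flag settings the thread says RouterOS lacks or only gained recently."""
    notes = []
    names = list(directives) + [(tag, []) for tag in inline_tags]
    for name, args in names:
        if name == "tls-crypt":
            notes.append("tls-crypt: not supported by RouterOS (per Sob); the static key is never imported")
        elif name == "compress":
            notes.append("compress: RouterOS has no LZO and the Windows client negotiated lz4 (per thread); likely to fail")
        elif name == "auth" and args and args[0].upper() == "SHA512":
            notes.append("auth SHA512: only available from RouterOS 7.2rc (per Sob)")
    return notes


def analyse(text):
    """Summarise what a RouterOS import of this profile would end up with."""
    directives, inline = split_profile(text)
    # Pasting every inline block into one file is what arisk tried with the key.
    kept, dropped = predict_import("\n".join(inline.values()))
    return {
        "inline_tags": sorted(inline),
        "kept": kept,
        "dropped": dropped,
        "notes": directive_notes(directives, inline),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_OVPN).items():
        print(f"{key}: {value}")
```

Running it on the sample shows the same outcome arisk observed: the combined key file yields one imported `PRIVATE KEY` block (hence the KT flag) while the `OpenVPN Static key V1` block is dropped without any error, and the `tls-crypt` and `compress` settings are the ones to remove or renegotiate with the server operator before retrying.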
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Site-2-Site OpenVPN -- TLS failed

Wed Jan 26, 2022 2:18 am

I usually never enable compression, and even if I do, there is no graph to check whether it is working.
Also I'm stuck with v6. It's too early to run UDP on v7 :)
 
arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

Re: Site-2-Site OpenVPN -- TLS failed

Wed Jan 26, 2022 2:38 pm

Thank you both for your replies!
At least now I am more confident that it's not gonna work.
Have a good day!
 
KisukeCZE
just joined
Posts: 7
Joined: Sat Jan 29, 2022 1:06 pm

Re: Site-2-Site OpenVPN -- TLS failed

Sun Jan 30, 2022 1:13 pm

Not sure if it's the issue. But what is the OpenVPN server/concentrator? Another MikroTik?

It's strange you have this in the OVPN client config then:
cipher AES-256-GCM
auth SHA512
because all MikroTik boxes I ever had support just the auth mechanism SHA1 or MD5.
So I have this in my OVPN config file:
cipher AES-256-CBC
auth SHA1
Maybe you have some more fancy box like CloudCore or something...
But if your VPN server is not MikroTik, I believe the problem could be in that auth mechanism. Maybe the server requires SHA512 and MikroTik as a client does not support that. The solution could be simply enabling the SHA1 auth mechanism on the server side.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site-2-Site OpenVPN -- TLS failed

Sun Jan 30, 2022 7:13 pm

There's sha512 in 7.2rc, first only in CLI, but latest one added it to WinBox too.
 
arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

Re: Site-2-Site OpenVPN -- TLS failed

Thu Feb 03, 2022 11:56 am

There's sha512 in 7.2rc, first only in CLI, but latest one added it to WinBox too.
That would be great!
 
arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

Re: Site-2-Site OpenVPN -- TLS failed

Thu Feb 03, 2022 12:05 pm

Not sure if it's the issue. But what is the OpenVPN server/concentrator? Another MikroTik?

It's strange you have this in the OVPN client config then:
cipher AES-256-GCM
auth SHA512
because all MikroTik boxes I ever had support just the auth mechanism SHA1 or MD5.
So I have this in my OVPN config file:
cipher AES-256-CBC
auth SHA1
Maybe you have some more fancy box like CloudCore or something...
But if your VPN server is not MikroTik, I believe the problem could be in that auth mechanism. Maybe the server requires SHA512 and MikroTik as a client does not support that. The solution could be simply enabling the SHA1 auth mechanism on the server side.

Good suggestion.
Unfortunately, the only thing I know about the server side is that there is a Linux-based machine.
This VPN is for connecting to an organization that receives and automatically analyzes data sent from the client side.
I suppose that the organization offers the ".ovpn" file to any clients that want to connect.
Neither I nor the customer have any access there.
