spiketechnics
newbie
Topic Author
Posts: 34
Joined: Tue Dec 12, 2017 10:47 pm
Location: Breda

OpenVPN behind NAT

Mon May 22, 2023 1:05 pm

Hello,

We have one RB2011 and behind this router we have a hAP Lite, with a separate network.

Setting up OpenVPN works, I've also forwarded port 1194 to the hAP Lite. But when connecting we receive certificate errors. See below.

Is it even possible to use OpenVPN behind NAT?

Mon May 22 12:02:30 2023 VERIFY OK: depth=1, CN=CA
Mon May 22 12:02:30 2023 VERIFY KU OK
Mon May 22 12:02:30 2023 Validating certificate extended key usage
Mon May 22 12:02:30 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon May 22 12:02:30 2023 VERIFY EKU OK
Mon May 22 12:02:30 2023 VERIFY OK: depth=0, CN=Server
Mon May 22 12:02:30 2023 Connection reset, restarting [-1]

Best regards,
Joost Lauwen
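
As an added example (not part of the original posts), a short Python triage of the client log quoted above: it records which verification steps the client logged and how the session ended. The function names are hypothetical, and the `VERIFY ERROR` and `TLS handshake failed` patterns are the OpenVPN 2.x client message formats rather than lines from this thread.

```python
import re

# Client log copied verbatim from the post above.
SAMPLE_LOG = """\
Mon May 22 12:02:30 2023 VERIFY OK: depth=1, CN=CA
Mon May 22 12:02:30 2023 VERIFY KU OK
Mon May 22 12:02:30 2023 Validating certificate extended key usage
Mon May 22 12:02:30 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon May 22 12:02:30 2023 VERIFY EKU OK
Mon May 22 12:02:30 2023 VERIFY OK: depth=0, CN=Server
Mon May 22 12:02:30 2023 Connection reset, restarting [-1]
"""

# OpenVPN 2.x prefixes each line with a ctime-style timestamp.
TS = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} ")
VERIFY = re.compile(r"^VERIFY (OK|ERROR): depth=(\d+), (.*)$")

def triage(log_text):
    """Collect the verification steps and the way the session ended."""
    r = {"verified": {}, "failed": {}, "ku_ok": False, "eku_ok": False, "ended": None}
    for raw in log_text.splitlines():
        msg = TS.sub("", raw.strip())
        m = VERIFY.match(msg)
        if m:
            status, depth, rest = m.groups()
            # depth=0 is the server (leaf) certificate, depth=1 its issuer.
            r["verified" if status == "OK" else "failed"][int(depth)] = rest
        elif msg == "VERIFY KU OK":
            r["ku_ok"] = True
        elif msg == "VERIFY EKU OK":
            r["eku_ok"] = True
        elif msg.startswith("Connection reset"):
            r["ended"] = "connection_reset"
        elif "TLS handshake failed" in msg:
            r["ended"] = "tls_handshake_failed"
    return r

def verdict(r):
    """Say whether the client rejected a certificate or the session died later."""
    if r["failed"]:
        return "certificate rejected by client"
    if 0 in r["verified"] and r["ended"]:
        return "server certificate accepted; session ended afterwards"
    if r["ended"]:
        return "session ended before leaf certificate was verified"
    return "no failure seen"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
```
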
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: OpenVPN behind NAT

Wed May 24, 2023 12:29 pm

> Is it even possible to use OpenVPN behind NAT?

Short answer: Yes, you can put the OpenVPN server behind a NAT.

The 2 things I would check first are:
  1. Is the OpenVPN server turned on in the RB2011 (I assume it has the option. I don't know since I don't have one)? This needs to be turned off.
  2. Are you using the correct certificates on the hAP lite (both CA and server certs)? The public certificates on the hAP lite are the ones needed by the OpenVPN client.

You've probably checked these settings but I just want to be sure.

--
Backups are your friend. Always make a backup!
/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:

RouterOS v6 code

/export hide-sensitive file=MyConfig

RouterOS v7 code

/export file=MyConfig
 
spiketechnics
newbie
Topic Author
Posts: 34
Joined: Tue Dec 12, 2017 10:47 pm
Location: Breda

Re: OpenVPN behind NAT

Tue Jun 20, 2023 10:42 am

Hi.

I've managed to get OpenVPN running. But you need to use OpenVPN version 2.5.8. Newer versions will give a TLS Handshake error.
 
Muschelpuster
just joined
Posts: 9
Joined: Wed Aug 02, 2017 7:01 pm
Location: Germany

Re: OpenVPN behind NAT

Tue Jun 20, 2023 11:05 am

Hi.

> I've managed to get OpenVPN running. But you need to use OpenVPN version 2.5.8. Newer versions will give a TLS Handshake error.

How can I downgrade OpenVPN? I did an upgrade to 6.48.8 and no OpenVPN is coming up :(

Niels
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: OpenVPN behind NAT

Wed Jun 21, 2023 2:48 pm

> How can I downgrade OpenVPN? I did an upgrade to 6.48.8 and no OpenVPN is coming up :(

@spiketechnics is referring to the OpenVPN client you download from the OpenVPN website (Download page here), not the one built into RouterOS. If you are trying to connect 2 RouterOS units then just matching the RoS versions will be enough.
