Mako2015
just joined
Topic Author
Posts: 5
Joined: Fri Mar 27, 2015 3:46 pm

Mikrotik as CLIENT OPENVPN with tls-auth static key

Fri Mar 27, 2015 3:52 pm

RB951G-2HnD
Version 6.27

Hello
I am not able to add the static key security feature to the Mikrotik router.
I already have a Linux server with tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
I don't want to disable this feature and I want to use MTik as CLIENT.

Is it possible?

KR,
Marcel
 
Mako2015
just joined
Topic Author
Posts: 5
Joined: Fri Mar 27, 2015 3:46 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Tue Mar 31, 2015 3:48 pm

Sorry guys.. I was blind; make it RED and FLASHING :)

http://wiki.mikrotik.com/wiki/Manual:Interface/OVPN

Currently unsupported OVPN features:

UDP mode
LZO compression
TLS authentication
authentication without username/password
 
igyo
just joined
Posts: 1
Joined: Sun Nov 18, 2012 4:37 am

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Wed Mar 29, 2017 3:25 pm

Planned implementation?
 
kapi2454
newbie
Posts: 38
Joined: Mon Oct 09, 2017 2:54 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Wed Nov 08, 2017 8:34 pm

Any news about this?
I'm in the same situation.
 
pianisteg
just joined
Posts: 5
Joined: Sat Oct 13, 2018 12:10 am

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Sat Oct 13, 2018 12:24 am

Any update? We use key-based + TLS auth, and it's more secure.

It's time for Mikrotik ovpn to support this feature.
 
sunblade
just joined
Posts: 9
Joined: Tue Apr 06, 2010 6:53 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Tue Sep 24, 2019 2:46 pm

Sorry, but Mikrotik's OVPN is a joke for noobs.
 
apant
just joined
Posts: 1
Joined: Mon May 03, 2021 3:38 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Mon May 03, 2021 3:45 pm

Does anyone know if OpenVPN client tls-auth will ever be supported? I see posts from 2015. It's 2021 and it is still not supported... Too sad...
 
zingfrid
just joined
Posts: 2
Joined: Fri Apr 13, 2018 10:08 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Tue Dec 21, 2021 2:24 pm

Any updates in RTOS v7 on this?
 
karakuraizer
just joined
Posts: 18
Joined: Mon Apr 26, 2021 12:35 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Wed Jun 01, 2022 6:41 pm

Any updates in RTOS v7 on this?
Also wondering if there are any updates on this topic since RouterOS v7 was released.

UDP already works just fine.

https://wiki.mikrotik.com/wiki/Manual:I ... PN#Summary
 
stanelie
newbie
Posts: 30
Joined: Sun Jun 03, 2012 9:32 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Mon Aug 08, 2022 10:42 pm

+1 here.
 
neitro
just joined
Posts: 1
Joined: Thu Aug 19, 2021 10:33 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Wed Sep 07, 2022 6:36 pm

+1, also waiting for this feature
 
welcome14
just joined
Posts: 3
Joined: Fri May 06, 2022 6:06 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Wed Sep 14, 2022 9:31 am

+1
I bought a routerboard but I can't use it!
 
DeKemadec
just joined
Posts: 2
Joined: Thu May 21, 2020 6:46 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Tue Oct 04, 2022 12:11 am

+1 - waiting for this 3 years
 
XRise
just joined
Posts: 10
Joined: Wed Nov 02, 2022 8:06 am

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Wed Nov 02, 2022 10:17 am

+1 waiting here.
 
f2065
just joined
Posts: 1
Joined: Tue Dec 06, 2022 1:09 am

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Tue Dec 06, 2022 1:17 am

+1
I am also waiting for support for the tls-auth and tls-crypt options...
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Wed Feb 01, 2023 10:53 am

"official" OpenVPN version 2.6.0, just released, has dropped support for static key, so I think this topic can be closed.
 
gwynbleidd
just joined
Posts: 6
Joined: Sun Mar 13, 2022 4:32 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Thu May 04, 2023 5:29 am

Support for non-TLS static key was dropped, not for the tls-auth, so this topic shouldn't be closed at all.
 
linus
just joined
Posts: 2
Joined: Wed Jun 14, 2023 6:35 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Thu Jun 22, 2023 1:23 pm

+1 need tls-auth for ExpressVPN too.. any update or beta version to try?
 
chuczy
just joined
Posts: 1
Joined: Tue Jun 27, 2023 9:23 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Tue Jun 27, 2023 9:24 pm

+1 waiting here.
 
marlab
newbie
Posts: 25
Joined: Sun Mar 15, 2015 2:48 pm
Location: EU

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Tue Jul 25, 2023 5:07 pm

+1, needed for AWS VPN
 
joaomvfsantos
just joined
Posts: 1
Joined: Thu Aug 24, 2023 7:56 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Thu Aug 24, 2023 7:59 pm

+1 This is a much-needed feature because VPN Providers are dropping PPTP solutions. OpenVPN is the defacto new standard for VPN solutions.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Thu Aug 24, 2023 9:08 pm

It has been added to 7.12beta. When you need it, test it with that version before it becomes "stable release".
 
nisse
newbie
Posts: 28
Joined: Sun Jun 11, 2006 7:34 pm
Location: Malaga, Spain

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Fri Sep 15, 2023 10:52 am

It has been added to 7.12beta. When you need it, test it with that version before it becomes "stable release".
That is really good news, I have just installed it and am testing it against a Netgate OpenVPN server (works like a charm when using a Raspberry Pi as the client).

I cannot make it work ;-(


This is the normal Linux-based OVPN config I am trying to import:

verb 3
dev-type tap
dev tap0
writepid /var/run/openvpn_client1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth RSA-SHA256
local 192.168.x.y
tls-client
client
lport 0
remote mynetgateserver.com 1194
ca /etc/openvpn/client/client1.ca
cert /etc/openvpn/client/client1.cert
key /etc/openvpn/client/client1.key
tls-auth /etc/openvpn/client/client1.tls-auth 1
comp-lzo adaptive
resolv-retry infinite
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
MII....
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----BEGIN OpenVPN Static key V1-----
94...
-----END OpenVPN Static key V1-----
</tls-auth>

I obviously needed to remove some parameters before the import:

dev-type tap
dev tap0
writepid /var/run/openvpn_client1.pid
auth RSA-SHA256
local 192.168.x.y
tls-client
lport 0
ca /etc/openvpn/client/client1.ca
cert /etc/openvpn/client/client1.cert
key /etc/openvpn/client/client1.key
tls-auth /etc/openvpn/client/client1.tls-auth 1
resolv-retry infinite

With that removed, the file actually imports - YAY!!!!

RESULTING CONFIG IMPORTED (with warnings - but nothing in the log):

-------------------------------------------------------------------------------------------------

ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
remote mynetgateserver.com 1194
resolv-retry infinite
key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
MII....
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----BEGIN OpenVPN Static key V1-----
94...
-----END OpenVPN Static key V1-----
</tls-auth>

-----------------------------------------------------------------------------------------------

Then I adjusted the missing parameters (auth etc.) and tried to connect.

FAIL!!!

Mikrotik Log:
ovpn-import1694759783: terminating... - TLS error: handshake timed out (6)

Netgate Log:
No log entries in OpenVPN and just a notice in IPSEC

Here are the relevant Mikrotik settings after the adjustments:

# 2023-09-15 08:41:29 by RouterOS 7.12beta7
#
# model = C52iG-5HaxD2HaxD
# A LOT OF STUFF NOT INCLUDED.
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des \
hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m \
name=default pfs-group=modp1024
/certificate settings
set crl-download=no crl-store=ram crl-use=no

/interface ovpn-client
add add-default-route=no auth=sha256 certificate=cert_ovpn-import1694759783 cipher=aes128-cbc connect-to=mynetgateserver.com \
disabled=no disconnect-notify=yes mac-address=XX:XX:XX:XX:XX:XX max-mtu=1500 mode=ethernet name=ovpn-import1694759783 \
port=1194 profile=default-encryption protocol=udp route-nopull=no tls-version=any use-peer-dns=yes user=ovpnuser \
verify-server-certificate=no

# EXPORT END - SHOWING CERTS
/certificate> print detail
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
0 T name="ca_ovpn-import1694759783" issuer=CN=vpn-tunnel-ca digest-algorithm=sha256 key-type=rsa
common-name="vpn-tunnel-ca" key-size=2048 subject-alt-name="" days-valid=3650 trusted=yes
key-usage=key-cert-sign,crl-sign serial-number="00"
fingerprint="...."
akid=id1masked skid=id1masked
invalid-before=2020-08-09 08:13:15 invalid-after=2030-08-07 08:13:15 expires-after=359w4d23h22m45s

1 K T name="cert_ovpn-import1694759783" issuer=CN=vpn-tunnel-ca digest-algorithm=sha256 key-type=rsa
common-name="spain2-bridge-cert" key-size=2048 subject-alt-name=DNS:spain2-bridge-cert days-valid=3650
trusted=yes key-usage=digital-signature,content-commitment,key-encipherment,tls-client serial-number="08"
fingerprint="...."
akid=id1masked skid=id2masked
invalid-before=2021-10-23 10:43:59 invalid-after=2031-10-21 10:43:59 expires-after=422w4d1h53m29s


Thank you to anyone who can point me in the right direction - it would be so nice to stop having to use Raspberry Pis to establish TAP interfaces and simply reuse the Mikrotik routers already there.

TAP (ethernet) is 100% needed and cannot be deselected, as the interfaces need to send multicast etc. transparently from devices behind the VPN client via a bridge. So unfortunately this has been the only way to get this working.

/Niels
Last edited by nisse on Sun Sep 17, 2023 2:58 pm, edited 2 times in total.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Fri Sep 15, 2023 10:59 am

I obviously needed to remove some parameters before the import:

dev-type tap
dev tap0
writepid /var/run/openvpn_client1.pid
auth RSA-SHA256
local 192.168.x.y
tls-client
client
lport 0
ca /etc/openvpn/client/client1.ca
cert /etc/openvpn/client/client1.cert
key /etc/openvpn/client/client1.key
tls-auth /etc/openvpn/client/client1.tls-auth 1
resolv-retry infinite
key-direction 1
Well, by removing that you have obviously broken it.
At least "client" and "key-direction 1" should not be removed.
 
nisse
newbie
Posts: 28
Joined: Sun Jun 11, 2006 7:34 pm
Location: Malaga, Spain

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Sun Sep 17, 2023 2:49 pm

I obviously needed to remove some parameters before the import:

dev-type tap
dev tap0
writepid /var/run/openvpn_client1.pid
auth RSA-SHA256
local 192.168.x.y
tls-client
client
lport 0
ca /etc/openvpn/client/client1.ca
cert /etc/openvpn/client/client1.cert
key /etc/openvpn/client/client1.key
tls-auth /etc/openvpn/client/client1.tls-auth 1
resolv-retry infinite
key-direction 1
Well, by removing that you have obviously broken it.
At least "client" and "key-direction 1" should not be removed.
My bad - those were of course needed and, as you can see in the config, already present; I only missed removing them from the "excluded" part.
I have updated my original posting.

This does not solve the problem - I still get a "TLS error: handshake timed out" and no connection is established.

DEBUG OVPN LOG (anonymized):

sent P_CONTROL kid=0 sid=9a6d3ff275d4f207 tls-auth-hash=0e1ba11ddccxxxx tls-auth-extra=0000000272xxxx pid=1 DATA len=136
re-sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=9a6d3ff275d4f207 ... (crippled)

How do I verify that the TLS auth key is actually imported correctly into the Mikrotik (or still just ignored)?

Do I really have to drop the idea of using the MT as OVPN client and continue using the rPI as today?

TIA
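The question above, whether the tls-auth key and the required directives actually survived the edit, can at least be checked on the profile before it is handed to the router. The script below is an added example written for this thread; it is not code from the thread, from MikroTik or from OpenVPN. It parses an .ovpn profile, verifies that the inline static key block has exactly one BEGIN and one END marker and a 2048-bit (512 hex digit) body, confirms that the directives pe1chl pointed out (client, key-direction) are present, and checks that the client direction is 1, which is what the original post's server configuration (tls-auth ... ta.key 0) requires. The sample profile it builds is constructed: the hostname, certificate and key are placeholders, and the dummy key is derived deterministically so the example runs offline. It only validates the file you feed in; whether RouterOS applied the key after import is a separate question the thread leaves open.

```python
"""Pre-import sanity check for an OpenVPN client profile that uses tls-auth.
Added example, not code from the thread, MikroTik or OpenVPN; all sample
values below are constructed."""
import hashlib
import re

STATIC_KEY_BEGIN = "-----BEGIN OpenVPN Static key V1-----"
STATIC_KEY_END = "-----END OpenVPN Static key V1-----"
STATIC_KEY_HEX_LEN = 512  # 2048-bit static key: 16 lines of 32 hex digits in a ta.key file

# Directives the client side needs with tls-auth (the "client" and
# "key-direction 1" that were removed by mistake earlier in the thread).
REQUIRED = ("client", "remote", "key-direction")


def parse_profile(text):
    """Split an .ovpn profile into ({directive: [args]}, {block_name: body})."""
    directives, blocks = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:              # inside <name> ... </name>
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            continue
        name, *args = line.split()
        directives[name] = args
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, blocks


def check_static_key(block):
    """Return problems found in an inline static key (tls-auth / tls-crypt) block."""
    problems = []
    lines = [l for l in block.splitlines() if l.strip()]
    for marker in (STATIC_KEY_BEGIN, STATIC_KEY_END):
        n = lines.count(marker)
        if n != 1:
            problems.append(f"expected one '{marker}' line, found {n}")
    # ta.key files start with '#' comment lines; they are not part of the key.
    hexdata = "".join(l for l in lines
                      if l not in (STATIC_KEY_BEGIN, STATIC_KEY_END) and not l.startswith("#"))
    if not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        problems.append("key body contains non-hex characters")
    elif len(hexdata) != STATIC_KEY_HEX_LEN:
        problems.append(f"key body has {len(hexdata)} hex digits, expected {STATIC_KEY_HEX_LEN}")
    return problems


def check_profile(text):
    """Return a list of findings; an empty list means the profile passed."""
    directives, blocks = parse_profile(text)
    problems = [f"missing directive: {d}" for d in REQUIRED if d not in directives]
    if "tls-auth" not in blocks:
        problems.append("no inline <tls-auth> block")
        return problems
    problems += [f"tls-auth: {p}" for p in check_static_key(blocks["tls-auth"])]
    # The direction can be given as 'tls-auth <file> N' or 'key-direction N';
    # both must agree, and the client must use 1 against a server that uses 0.
    given = set(directives.get("tls-auth", [])[1:2] + directives.get("key-direction", [])[:1])
    if len(given) > 1:
        problems.append(f"conflicting key direction values: {sorted(given)}")
    elif given and given != {"1"}:
        problems.append("client should use key-direction 1 against a server configured with 0")
    return problems


def build_sample(duplicate_begin=False, omit=()):
    """Construct a client profile shaped like the one in the thread (constructed values)."""
    # Deterministic dummy key for the example only; never derive a real key this way.
    hexkey = "".join(hashlib.sha256(bytes([i])).hexdigest() for i in range(8))
    key_lines = [hexkey[i:i + 32] for i in range(0, len(hexkey), 32)]
    begin = [STATIC_KEY_BEGIN] * (2 if duplicate_begin else 1)
    head = [d for d in ("client", "dev tap", "proto udp", "remote vpn.example.invalid 1194",
                        "cipher AES-128-CBC", "auth SHA256", "key-direction 1")
            if d.split()[0] not in omit]
    blocks = ["<ca>", "-----BEGIN CERTIFICATE-----", "MIIB...", "-----END CERTIFICATE-----", "</ca>",
              "<tls-auth>", *begin, *key_lines, STATIC_KEY_END, "</tls-auth>"]
    return "\n".join(head + blocks) + "\n"


if __name__ == "__main__":
    for label, profile in (("well-formed", build_sample()),
                           ("duplicated BEGIN line", build_sample(duplicate_begin=True)),
                           ("client removed", build_sample(omit=("client",)))):
        print(f"{label}: {check_profile(profile) or 'OK'}")
```

Run it against your own profile with `check_profile(open("client.ovpn").read())`; a doubled BEGIN marker inside the key block, as appears in the pasted configuration earlier in this thread, is reported as a finding rather than silently accepted.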
 
guinnessMD
just joined
Posts: 18
Joined: Thu Sep 21, 2023 1:09 pm
Location: Chisinau, Moldova

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Thu Dec 21, 2023 9:32 am

Hi nisse

"Currently unsupported OpenVPN features:
UDP mode
LZO compression
TLS authentication
authentication without username/password"

I am new to it but I think TLS auth is not working (implemented) yet... the error indicates that... and UDP mode might not be working properly.
 
karakuraizer
just joined
Posts: 18
Joined: Mon Apr 26, 2021 12:35 pm

Re: Mikrotik as CLIENT OPENVPN with tls-auth static key

Tue Feb 20, 2024 2:58 pm

Hi nisse

"Currently unsupported OpenVPN features:
UDP mode
LZO compression
TLS authentication
authentication without username/password"

I am new to it but I think TLS auth is not working (implemented) yet... the error indicates that... and UDP mode might not be working properly.
Read the latest wiki (>ROS 7.12.4):
https://help.mikrotik.com/docs/display/ ... imitations
Currently, unsupported OpenVPN features:
LZO compression
authentication without username/password
