Connect client Mikrotik RouterOS to OpenVPN Access Server

Post by Alvahro » Sun Jun 04, 2017 9:50 pm

Hello,

I have an AWS EC2 instance running OpenVPN Access Server version 2.1.4b and I want to connect a Mikrotik router as a client.
I've been investigating and I know the Mikrotik RouterOS OpenVPN client doesn't support UDP, LZO compression or TLS authentication; see this post and this Mikrotik doc.
So I can't fully understand how the server configuration is managed by this implementation: there are the SQLite databases and the JSON config files in the etc dir, but I don't know how they relate, and especially how to see the final configuration that is active and being used by the server.

I've tried several things:

If I use the certificate for the client that I created in the AS and that I use in the Mikrotik OpenVPN client, and the directive auth none in "Advance NAT" -> "Additional OpenVPN Config Directives (Advanced)", I see this in the openvpnas.log:

2017-06-04 18:42:06-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:42:06 2017 TCP connection established with [AF_INET]<ip>:45570'
2017-06-04 18:42:06-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:42:06 2017 <ip>:45570 TLS: Initial packet from [AF_INET]<ip>:45570, sid=961ac6cc 79ec15d9'
2017-06-04 18:42:06-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:42:06 2017 <ip>:45570 Connection reset, restarting [0]'
2017-06-04 18:42:06-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:42:06 2017 <ip>:45570 SIGUSR1[soft,connection-reset] received, client-instance restarting'

If I DON'T use the certificate for the client that I created in the AS and that I use in the Mikrotik OpenVPN client, and the directive auth none in "Advance NAT" -> "Additional OpenVPN Config Directives (Advanced)", I see this in the openvpnas.log:

2017-06-04 16:04:39-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:39 2017 TCP connection established with [AF_INET]<ip>:44997'
2017-06-04 16:04:39-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:39 2017 <ip>:44997 TLS: Initial packet from [AF_INET]<ip>:44997, sid=12bfee6b 2f2de3c5'
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1540', remote='link-mtu 1539'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 1'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:42 2017 <ip>:44997 Option inconsistency warnings triggering disconnect due to --opt-verify'
2017-06-04 16:04:42-0300 [-] AUTH SUCCESS {'status': 0, 'reason': 'local auth succeeded', 'serial_list': [], 'user': u'guest', 'proplist': {u'pvt_password_digest': '[redacted]', u'prop_autogenerate': u'true', u'type': u'user_connect', u'prop_lzo': u'false'}, 'common_name': 'UNDEF_CN'} cli=''/''
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 MANAGEMENT: CMD 'client-auth 13 0'"
2017-06-04 16:04:43-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:43 2017 <ip>:44997 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA'
2017-06-04 16:04:43-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:43 2017 <ip>:44997 [] Peer Connection Initiated with [AF_INET]<ip>:44997'
2017-06-04 16:04:43-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:43 2017 <ip>:44997 Delayed exit in 5 seconds'
2017-06-04 16:04:43-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:43 2017 <ip>:44997 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)"
2017-06-04 16:04:48-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:48 2017 <ip>:44997 SIGTERM[soft,delayed-exit] received, client-instance exiting'

If I DON'T use the directive auth none in "Advance NAT" -> "Additional OpenVPN Config Directives (Advanced)", whether I use the certificate in the client or not, I see this in the openvpnas.log:

2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 TCP connection established with [AF_INET]<ip>:45598'
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 <ip>:45598 TLS: Initial packet from [AF_INET]<ip>:45598, sid=679bdc73 32612579'
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 <ip>:45598 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:45598'
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 <ip>:45598 Fatal TLS error (check_tls_errors_co), restarting'
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 <ip>:45598 SIGUSR1[soft,tls-error] received, client-instance restarting'

Is there any configuration I can do in order to be able to connect a Mikrotik OpenVPN client to the AS? If so, how?

Mikrotik OpenVPN client configuration options:
http://imgur.com/a/RBh6y
http://imgur.com/a/zpCR1

Thanks in advance!
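As an added example (not code from the post, and not OpenVPN's or Mikrotik's own tooling), here is a small Python classifier that reads openvpnas.log daemon lines like the ones quoted above, groups them per client session (host:port) and labels each session with its first fatal symptom: a missing HMAC (the server expects tls-auth, the client sends none), an --opt-verify disconnect together with the option names that differed, an AUTH_FAILED after the handshake, or a plain connection reset. The SAMPLE_LOG is constructed to mirror the post's three cases, with a documentation address in place of <ip>; the function names and the OPTION_HINTS table are this example's own.

```python
"""Classify failed client sessions in an OpenVPN Access Server openvpnas.log.

Added example for the thread above; not code from the post or from OpenVPN.
It reads the `OVPN <n> OUT:` daemon lines, groups them by client peer and
labels each session with the first fatal symptom plus any option-mismatch
warnings that --opt-verify turns into a disconnect. SAMPLE_LOG is constructed
(documentation address range); all names here are this example's own.
"""
import re

# Daemon wrapper around an OpenVPN message: OVPN <n> OUT: '<msg>' or "<msg>".
OVPN_LINE = re.compile(r'''OVPN \d+ OUT: (['"])(?P<msg>.*)\1\s*$''')
# ctime-style timestamp OpenVPN prefixes to every message.
CTIME = re.compile(r"^\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4} ")
# Client identity as OpenVPN prints it: optional [AF_INET] tag, then host:port.
PEER = re.compile(r"(?:\[AF_INET6?\])?(?P<peer>\S+:\d+)")
# Warnings raised while comparing the client's option string with the server's.
MISMATCH = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is "
                      r"(?:present in local config but missing in remote config"
                      r"|used inconsistently)")

# Fatal symptoms, most specific first; the first match labels the session.
FATAL_RULES = [
    (re.compile(r"cannot locate HMAC"),
     "tls-auth mismatch: server expects HMAC-signed control packets the client does not send"),
    (re.compile(r"triggering disconnect due to --opt-verify"),
     "opt-verify: server rejects clients whose options differ from its own"),
    (re.compile(r"SENT CONTROL \[[^\]]*\]: 'AUTH_FAILED'"),
     "authentication rejected after the TLS handshake"),
    (re.compile(r"Connection reset"),
     "peer closed the TCP connection during the TLS handshake"),
]

# Meaning of each mismatched option when the client side cannot be changed
# (hint table written for this example, not an OpenVPN reference).
OPTION_HINTS = {
    "comp-lzo": "client sends no compression; LZO must be off for this server/profile",
    "tls-auth": "client cannot sign the control channel; tls-auth must be off on the server",
    "keydir": "direction of the tls-auth key; disappears together with tls-auth",
    "link-mtu": "usually a side effect of the compression/tls-auth difference",
}


def parse_message(line):
    """Return (peer, message) for a daemon OVPN output line, else None.

    peer is None for messages without a client identity (management commands).
    """
    m = OVPN_LINE.search(line)
    if m is None:
        return None
    msg = CTIME.sub("", m.group("msg"))
    p = PEER.search(msg)
    return (p.group("peer") if p else None, msg)


def classify_sessions(lines):
    """Group OVPN messages by peer; summarise mismatches, outcome and cause."""
    sessions = {}
    for line in lines:
        parsed = parse_message(line)
        if parsed is None or parsed[0] is None:
            continue
        peer, msg = parsed
        s = sessions.setdefault(peer, {"mismatches": [], "cause": None, "handshake_ok": False})
        mm = MISMATCH.search(msg)
        if mm:
            s["mismatches"].append(mm.group("opt"))
        elif "Peer Connection Initiated" in msg:
            s["handshake_ok"] = True
        elif s["cause"] is None:
            for pattern, label in FATAL_RULES:
                if pattern.search(msg):
                    s["cause"] = label
                    break
    return sessions


def explain(session):
    """Turn one session summary into operator-facing lines."""
    notes = [session["cause"]] if session["cause"] else ["no fatal symptom seen"]
    for opt in session["mismatches"]:
        notes.append(f"{opt}: {OPTION_HINTS.get(opt, 'align this option on both sides')}")
    return notes


# Constructed sample, modelled on the three cases quoted in the post.
SAMPLE_LOG = """\
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 TCP connection established with [AF_INET]198.51.100.7:45598'
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 198.51.100.7:45598 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:45598'
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 198.51.100.7:44997 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1540', remote='link-mtu 1539'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 198.51.100.7:44997 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 198.51.100.7:44997 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:42 2017 198.51.100.7:44997 Option inconsistency warnings triggering disconnect due to --opt-verify'
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 MANAGEMENT: CMD 'client-auth 13 0'"
2017-06-04 16:04:43-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:43 2017 198.51.100.7:44997 [] Peer Connection Initiated with [AF_INET]198.51.100.7:44997'
2017-06-04 16:04:43-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:43 2017 198.51.100.7:44997 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)"
2017-06-04 18:42:06-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:42:06 2017 198.51.100.7:45570 Connection reset, restarting [0]'
"""

if __name__ == "__main__":
    for peer, s in classify_sessions(SAMPLE_LOG.splitlines()).items():
        print(peer, "handshake ok" if s["handshake_ok"] else "handshake failed")
        for note in explain(s):
            print("   ", note)
```

Read against the post's three cases: the "cannot locate HMAC" session never starts TLS because the server is gating the handshake with tls-auth, which the RouterOS client cannot supply; the opt-verify session completes TLS but is dropped because the option lists differ, and the options named (comp-lzo, tls-auth, keydir) are exactly the features the post says that client lacks. Since tls-auth is also what lets OpenVPN discard unauthenticated handshake packets cheaply, a server profile that drops it to admit such a client is better paired with a firewall rule limiting which sources may reach the listening port.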
