OpenVPN AS on AWS site-to-site between Mikrotik

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
tjbwkz
OpenVpn Newbie
Posts: 2
Joined: Mon Mar 01, 2021 7:13 am

OpenVPN AS on AWS site-to-site between Mikrotik

Post by tjbwkz » Mon Mar 01, 2021 7:29 am

Hello, this is my first post ;)
anybody tried OpenVPN Access Server on AWS EC2 and configure site-to-site VPN?
Because I spent a whole month trying to connect between 2 Mikrotik Router without success
I read all documentation from OpenVPN site-to-site
what could go wrong? I'm aware Mikrotik doesn't support TLS Auth and UDP

When I use OpenVPN as private tunneling from my PC, it worked

Problem is I can't ping between client

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 81
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN AS on AWS site-to-site between Mikrotik

Post by openvpn_inc » Mon Mar 01, 2021 12:01 pm

Hello,

While I love the MikroTik routers for the versatility in routing configurations, and squeezing a lot of performance and functionality out of the limited hardware, I am not a fan of their OpenVPN implementation. These are problems/limitations that I've encountered getting it to work:
  • No support for UDP transport - this is very bad. Look up the term "TCP Meltdown" if you want to know why.
  • No support for compression - this is complicated. We advise not to use compression. But for historical reasons you need to have SUPPORT for it.
  • No support for autologin profiles - we can work around this though with user-locked profile.
  • No support for host names - can only connect by IP. Can't help you if you have a dynamic IP.
  • No support for .ovpn files - have to copy/paste your own set of certificates and upload them and import them.
  • No support for custom config - got some special setting for OpenVPN you need on the client side? Too bad.
:!: :!: :!: I can tell you that it is possible to get MikroTik connected to OpenVPN Access Server by adjusting a number of things and using obscure settings. But it will lower your security considerably and I cannot in good conscience recommend doing this. It would be much better to leave default settings and connecting a 'real' OpenVPN client to it. But, in case you wanted to do this after reading this disclaimer, then take the steps below - and reader beware that if you do this on a production Access Server, you will break things and make your security a lot less. Also you MUST have as recent a version of Access Server as possible for this or it won't work - so be sure to upgrade!

Go to Access Server Admin UI, go to Configuration, go to Advanced VPN, and make sure that TLS auth is turned off and that compression is turned off. Go to User Permissions and create a user and set a password for it. If you're using an external authentication system like RADIUS/LDAP or such, then take care of creating an account there. Do not make this an autologin profile.

Then go to the Access Server Client UI, log in as that user, and download a user-locked profile for this user account. Open the client.ovpn in a text editor. Take the piece between <ca> and </ca> and save it as ca.crt. Do not include the <ca> and </ca> lines themselves in this file, just what's inbetween them. Then take the piece between <cert> and </cert> and save that as cert.crt. And then take the piece between <key> and </key> and save that as key.pem. Note that the file extensions are important or it won't work.

Now go to the Access Server command line interface (SSH access to server, and gain root privileges). Then run these commands (replace <USERNAME> with the actual username of the account you just created on the Admin UI):

Code: Select all

cd /usr/local/openvpn_as/scripts/
./sacli --user <USERNAME> --key "prop_cc_cmds" --value 'compress stub-v2,push "compress stub-v2"' UserPropPut
service openvpnas restart
Go to the MikroTik web interface and go to files. Upload all 3 files: ca.crt, cert.crt, key.pem. Now go to System > Certificates, and click the [import] button. Select the file ca.crt first. Repeat the process with cert.crt. And as final file you import key.pem. You should now end up with 2 certificates listed. One will be the OpenVPN CA which we will use for verifying the server's identity. It will be marked with just the letter T meaning it is trusted. And the other will be the client cert which will have the username as common name in the cert, it will be marked with the letter T and the letter K, meaning it is trusted, and we have the private key for it.

Again go to the MikroTik web interface and go to Interfaces. Click [add new] and select OVPN Client. In 'connect to' you must enter the IP address of your OpenVPN Access Server. As port, the default will be TCP 443, so just enter 443. Port 1194 on Access Server is UDP by default so won't work. Mode should be left to 'IP' (Layer3). Enter username and password. Profile you can leave as is, and certificate must be select to the cert.crt you uploaded in a previous step - the one that has the private key too. This will be our client cerificate+key. Check the box to verify server certificate. Set auth to sha1. Set cipher to aes 256. The final two settings for using peer DNS or adding default route are up to your use-cases - if you just want split tunnel I would leave those off and just rely on whatever routes the Access Server pushes down.

Under IP > Routes you should see which routes are available and you should see new ones populated here when the connection is up and running.

You can now use Tools > Ping from the MikroTik interface to ping IP addresses that should be reachable through the OpenVPN tunnel, and it should now work. You should be able to see the ping packets travel through the Access Server by running tcpdump -eni any icmp on the Access Server itself while pinging through the VPN tunnel from the MikroTik router.

--

That's it. Again, I recommend against this as it kills TLS-auth which is pretty big part of the security of OpenVPN, and it only works over TCP, which is a problem for reliability. But if you really want to, this is how you can do it.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.nets/support

tjbwkz
OpenVpn Newbie
Posts: 2
Joined: Mon Mar 01, 2021 7:13 am

Re: OpenVPN AS on AWS site-to-site between Mikrotik

Post by tjbwkz » Fri Mar 05, 2021 6:05 am

First of all, thank you very much for your response
and yes this answer almost all my question
and I agree as many people from Mikrotik forum said their implementation on OpenVPN is bad
but many suggest me to move to another VPN and there I disagree

when I'm offsite I love OpenVPN mobile version it is very easy to use
my goal now is site-to-site, and how all Mikrotik devices and my phone can talk each other

since OpenVPN Cloud not working with Mikrotik I tried Access Server
but this is my first experience in AWS

I did tried before almost exactly as you instructed
when I put

./sacli --user MyUsername --key "prop_cc_cmds" --value 'compress stub-v2,push "compress stub-v2"' UserPropPut

I got this error

Code: Select all

ERROR: [Errno 2] No such file or directory: 'out/tmp-nqj1x1AZEtOA.tmp': util/options:79,sagent/sacli:510,util/file:142,util/file:137,util/file:130,util/simplefile:11 (exceptions.IOError)

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 81
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN AS on AWS site-to-site between Mikrotik

Post by openvpn_inc » Fri Mar 05, 2021 12:48 pm

Hello,

All commands on the Access Server must be run as root user unless you have made provisions to allow an unprivileged user to run commands.
The error message you pasted is the result of not running as root user.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.nets/support

Post Reply