Novice sysadmin facing issues with Mikrotik router setup and ovpn configuration file.

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Landland
OpenVpn Newbie
Posts: 3
Joined: Wed Nov 17, 2021 1:50 pm

Post by Landland » Wed Nov 17, 2021 2:08 pm

Hello,

New to the forum o7.

I'm trying to set up a VPN connection using OpenVPN Connect for our remote employees to our secondary router that I just set up (Mikrotik Cloud Core).
It's my very first time trying to deal with something like this, so apologies in advance if something doesn't make sense.

I'm following https://wiki.mikrotik.com/wiki/Manual:C ... rtificates as a starting point for creating a Certificate Authority on the router using its public IP, a Server signed by the same CA and one Client - also signed by the same CA.
I've also gone to the router's PPP interface and made sure that "OpenVPN Server" is enabled and on the correct port (1194). Down that selection I've used "Certificate : Server" as the authentication method, which I'm not too sure of if it's correct still.

I went to the certificates and used "Export" on Server and Client and used a passphrase on the Client so it would generate a .key file - I was told that these three should suffice to make the connection between the OpenVPN Connect and my router.
I downloaded all three files on my desktop and edited them with Notepad+, copy pasted all the stuff in there onto my .ovpn file.

My .ovpn config file is like this :
client
dev tun
proto tcp-client
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
auth-nocache
mute 10
remote X.X.X.X
port 1194
auth SHA1
cipher AES-256-CBC
redirect-gateway def1
auth-user-pass credentials
<ca>
stuff goes here
</ca>
<cert>
stuff goes here
</cert>
<key>
stuff goes here
</key>

Using it like this gives a weird private key error message, so I went looking for a bit and it seems that I needed openssl to convert the .key file to an RSA format. I did that with cygwin and after all the shenanigans, I get
Peer Certificate Verification Failure.

I've been trying for a couple of days and failing horribly, is there anyone who has overlapping knowledge of Mikrotik Routers and OpenVPN Connect?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Novice sysadmin facing issues with Mikrotik router setup and ovpn configuration file.

Post by TinCanTech » Wed Nov 17, 2021 2:29 pm

Landland wrote:
Wed Nov 17, 2021 2:08 pm
I went to the certificates and used "Export" on Server and Client and used a passphrase on the Client
You probably need to add --askpass to your client config.

Landland
OpenVpn Newbie
Posts: 3
Joined: Wed Nov 17, 2021 1:50 pm

Re: Novice sysadmin facing issues with Mikrotik router setup and ovpn configuration file.

Post by Landland » Wed Nov 17, 2021 2:43 pm

TinCanTech wrote:
Wed Nov 17, 2021 2:29 pm
Landland wrote:
Wed Nov 17, 2021 2:08 pm
I went to the certificates and used "Export" on Server and Client and used a passphrase on the Client
You probably need to add --askpass to your client config.
On which line would this be? I've already added a line for authentication just before <ca>, which takes the credentials automatically from a file. Does --askpass serve another function?


Landland
OpenVpn Newbie
Posts: 3
Joined: Wed Nov 17, 2021 1:50 pm

Re: Novice sysadmin facing issues with Mikrotik router setup and ovpn configuration file.

Post by Landland » Thu Nov 18, 2021 11:17 am

Thanks for the help because I did manage to make the VPN connection after reading some more in the two links provided.

For anyone looking at this post in the future, I learned that you import the CA.crt, the client.crt and the client.key values in the ovpn config file. My mistake was that I was using Server.crt in the configuration, which isn't needed at all apparently.

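A small linter for the mistakes this thread turned up, added here as an example and not code from any poster or from OpenVPN: it checks that each inline block holds the right PEM type, flags a passphrase-protected key when no askpass option is present, and flags a <cert> block that carries only the server-auth purpose. The function names and the byte search for the extendedKeyUsage OIDs are assumptions of this example, and the sample config is constructed from stand-in bytes rather than real certificates.

```python
import base64
import re

# DER encodings of the extendedKeyUsage purpose OIDs (RFC 5280).
SERVER_AUTH = bytes.fromhex("06082b06010505070301")  # id-kp-serverAuth
CLIENT_AUTH = bytes.fromhex("06082b06010505070302")  # id-kp-clientAuth
BLOCK = re.compile(r"<(ca|cert|key)>(.*?)</\1>", re.S)
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def lint_ovpn(text):
    """Return findings for the inline <ca>/<cert>/<key> blocks of a client config."""
    blocks = dict(BLOCK.findall(text))
    rest = BLOCK.sub("", text).splitlines()
    options = {ln.split()[0].lstrip("-") for ln in rest if ln.split()}
    findings = []
    for name, want in (("ca", "CERTIFICATE"), ("cert", "CERTIFICATE"), ("key", "PRIVATE KEY")):
        pem = PEM.search(blocks.get(name, ""))
        if pem is None:
            findings.append(f"<{name}>: no PEM data")
            continue
        label, body = pem.groups()
        if not label.endswith(want):
            findings.append(f"<{name}>: holds a {label}, expected {want}")
        elif name == "cert":
            # Heuristic (assumption): search the DER bytes for the purpose OIDs.
            der = base64.b64decode("".join(body.split()))
            if SERVER_AUTH in der and CLIENT_AUTH not in der:
                findings.append("<cert>: server-only certificate, use the client one")
        elif name == "key":
            encrypted = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
            if encrypted and "askpass" not in options:
                findings.append("<key>: passphrase-protected and no askpass option")
    return findings


def sample(eku, key_label, extra=""):
    """Constructed config; the PEM bodies are stand-in bytes, not real X.509 data."""
    def pem(label, raw):
        b64 = base64.b64encode(raw).decode()
        return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----"
    return (f"client\nremote-cert-tls server\n{extra}\n"
            f"<ca>\n{pem('CERTIFICATE', b'ca')}\n</ca>\n"
            f"<cert>\n{pem('CERTIFICATE', bytes([0x30, 0x0A]) + eku)}\n</cert>\n"
            f"<key>\n{pem(key_label, b'key')}\n</key>\n")


if __name__ == "__main__":
    for finding in lint_ovpn(sample(SERVER_AUTH, "ENCRYPTED PRIVATE KEY")):
        print(finding)
```

Without askpass the client can still prompt for the passphrase interactively, so treat that finding as a reminder rather than a hard error.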