Connect client Mikrotik RouterOS to OpenVPN Access Server

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Alvahro
OpenVpn Newbie
Posts: 1
Joined: Sun Jun 04, 2017 9:22 pm

Post by Alvahro » Sun Jun 04, 2017 9:50 pm

Hello,

I have an AWS EC2 instance running OpenVPN Access Server version 2.1.4b and I want to connect a Mikrotik router as a client.
I've been investigating and I know the Mikrotik RouterOS OpenVPN client doesn't support UDP, LZO compression or TLS authentication, see: This post and This mkt doc.
So I can't fully understand how the server configuration is managed by this implementation: there are the sqlite databases and the json config files in the etc dir, but I don't know how they relate, and especially how to see the final configuration that is active and being used by the server.

I've tried several things:

If I use the certificate for the client that I created in the AS and that I use in the Mikrotik OpenVPN client, and the directive auth none in "Advance NAT" -> "Additional OpenVPN Config Directives (Advanced)", I see this in the openvpnas.log:

2017-06-04 18:42:06-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:42:06 2017 TCP connection established with [AF_INET]<ip>:45570'
2017-06-04 18:42:06-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:42:06 2017 <ip>:45570 TLS: Initial packet from [AF_INET]<ip>:45570, sid=961ac6cc 79ec15d9'
2017-06-04 18:42:06-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:42:06 2017 <ip>:45570 Connection reset, restarting [0]'
2017-06-04 18:42:06-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:42:06 2017 <ip>:45570 SIGUSR1[soft,connection-reset] received, client-instance restarting'
If I DON'T use the certificate for the client that I created in the AS and that I use in the Mikrotik OpenVPN client, and the directive auth none in "Advance NAT" -> "Additional OpenVPN Config Directives (Advanced)", I see this in the openvpnas.log:

2017-06-04 16:04:39-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:39 2017 TCP connection established with [AF_INET]<ip>:44997'
2017-06-04 16:04:39-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:39 2017 <ip>:44997 TLS: Initial packet from [AF_INET]<ip>:44997, sid=12bfee6b 2f2de3c5'
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1540', remote='link-mtu 1539'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 1'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:42 2017 <ip>:44997 Option inconsistency warnings triggering disconnect due to --opt-verify'
2017-06-04 16:04:42-0300 [-] AUTH SUCCESS {'status': 0, 'reason': 'local auth succeeded', 'serial_list': [], 'user': u'guest', 'proplist': {u'pvt_password_digest': '[redacted]', u'prop_autogenerate': u'true', u'type': u'user_connect', u'prop_lzo': u'false'}, 'common_name': 'UNDEF_CN'} cli=''/''
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 MANAGEMENT: CMD 'client-auth 13 0'"
2017-06-04 16:04:43-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:43 2017 <ip>:44997 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA'
2017-06-04 16:04:43-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:43 2017 <ip>:44997 [] Peer Connection Initiated with [AF_INET]<ip>:44997'
2017-06-04 16:04:43-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:43 2017 <ip>:44997 Delayed exit in 5 seconds'
2017-06-04 16:04:43-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:43 2017 <ip>:44997 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)"
2017-06-04 16:04:48-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:48 2017 <ip>:44997 SIGTERM[soft,delayed-exit] received, client-instance exiting'
If I DON'T use the directive auth none in "Advance NAT" -> "Additional OpenVPN Config Directives (Advanced)", whether I use the certificate in the client or not, I see this in the openvpnas.log:

2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 TCP connection established with [AF_INET]<ip>:45598'
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 <ip>:45598 TLS: Initial packet from [AF_INET]<ip>:45598, sid=679bdc73 32612579'
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 <ip>:45598 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:45598'
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 <ip>:45598 Fatal TLS error (check_tls_errors_co), restarting'
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 <ip>:45598 SIGUSR1[soft,tls-error] received, client-instance restarting'
Is there any configuration I can do in order to be able to connect a Mikrotik OpenVPN client to the AS? If so, how?

Mikrotik OpenVPN client configuration options:
http://imgur.com/a/RBh6y
http://imgur.com/a/zpCR1

Thanks in advance!
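As an added diagnostic that is not part of the original post or of Access Server, the script below walks openvpnas.log lines of the kind quoted above and explains each option-mismatch warning in terms of the RouterOS client limitations the post cites (no LZO, no tls-auth); the sample lines are constructed in the same shape as the log excerpts, and the option-to-cause mapping is my own reading, not an OpenVPN Inc. recommendation.

```python
import re

# Constructed sample in the shape of the openvpnas.log lines quoted in the post above.
SAMPLE_LOG = """\
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1540', remote='link-mtu 1539'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'keydir' is present in local config but missing in remote config, local='keydir 1'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: "Sun Jun  4 19:04:42 2017 <ip>:44997 WARNING: 'tls-auth' is present in local config but missing in remote config, local='tls-auth'"
2017-06-04 16:04:42-0300 [-] OVPN 0 OUT: 'Sun Jun  4 19:04:42 2017 <ip>:44997 Option inconsistency warnings triggering disconnect due to --opt-verify'
2017-06-04 18:47:09-0300 [-] OVPN 0 OUT: 'Sun Jun  4 21:47:09 2017 <ip>:45598 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]<ip>:45598'
"""

MISSING_RE = re.compile(r"WARNING: '([\w-]+)' is present in local config but missing in remote config")
INCONSISTENT_RE = re.compile(r"WARNING: '([\w-]+)' is used inconsistently, local='([^']*)', remote='([^']*)'")

# Server-side ("local") options the RouterOS client cannot send, per the limitations the post cites.
# keydir is the direction parameter of tls-auth, so it disappears together with tls-auth.
ROUTEROS_CANNOT_MATCH = {
    "comp-lzo": "client has no LZO support: turn compression off for this profile",
    "tls-auth": "client has no tls-auth support: turn TLS auth off for this profile",
    "keydir": "direction of tls-auth; goes away when tls-auth is turned off",
}

def mtu(value):
    """Extract the integer from a string like 'link-mtu 1540' (None if absent)."""
    m = re.search(r"link-mtu (\d+)", value)
    return int(m.group(1)) if m else None

def triage(log_text):
    """Map each handshake problem seen in the log to a one-line explanation."""
    findings = {}
    mtus = None
    for line in log_text.splitlines():
        if m := MISSING_RE.search(line):
            opt = m.group(1)
            findings[opt] = ROUTEROS_CANNOT_MATCH.get(opt, "server-only option; check the client supports it")
        elif m := INCONSISTENT_RE.search(line):
            opt, local, remote = m.groups()
            findings[opt] = f"local {local!r} vs remote {remote!r}"
            if opt == "link-mtu":
                mtus = (mtu(local), mtu(remote))
        elif "due to --opt-verify" in line:
            findings["opt-verify"] = "server enforces option match, so every warning above is fatal"
        elif "cannot locate HMAC" in line:
            findings["hmac"] = "server still expects a tls-auth HMAC the client never sends"
    # A 1-byte link-mtu gap next to a comp-lzo mismatch is the compression op byte, not a real MTU problem.
    if mtus and "comp-lzo" in findings and None not in mtus and abs(mtus[0] - mtus[1]) == 1:
        findings["link-mtu"] += " (1-byte gap explained by the comp-lzo mismatch)"
    return findings
```

Run `triage(open("openvpnas.log").read())` against a real log to get the same per-option summary; the `hmac` finding corresponds to the third excerpt in the post, where tls-auth was left enabled on the server.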

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Connect client Mikrotik RouterOS to OpenVPN Access Server

Post by openvpn_inc » Wed Jun 01, 2022 2:20 pm

OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
