I am trying to connect to an OVPN server configured on a Mikrotik router.
When I generate the certificates, I get these three files:
ca.crt
client.crt
client.key
I use these three files on another Mikrotik client, and the connection to the server works. I have another Ubiquiti router where I need to connect as a client to the Mikrotik server, and for this, I have to use a file with an OVPN extension. Inside that file I put the information of the three files mentioned above "inline", but it still doesn't work. I don't know what is wrong or what parameter I need in the OVPN file for the client to connect.
I really appreciate any help you can provide.
This is the information from my OVPN file:
client
dev tun
proto tcp-client
remote (my public IP)
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass
auth-nocache
route 192.168.84.0 255.255.255.0
<ca>
-----BEGIN CERTIFICATE-----
MII(...)gwbLj
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII(...)WN2sw==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MII(...)/S6Q==
-----END ENCRYPTED PRIVATE KEY-----
</key>
Problems connecting to Mikrotik OVPN server using .ovpn file
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue May 30, 2023 10:07 am
-
- OpenVPN User
- Posts: 39
- Joined: Mon May 15, 2023 12:14 pm
Re: Problems connecting to Mikrotik OVPN server using .ovpn file
The configuration you've shared seems generally correct. It's tricky to diagnose the problem without logs or error messages. However, here are a few things you might want to check:
1. Ensure the certificates and keys are correctly formatted in the .ovpn file. They should be exactly as they are in the original files, including all lines and dashes.
2. Make sure the Mikrotik server is configured to allow connections from your Ubiquiti router's IP.
3. The line "proto tcp-client" might be causing issues, you could try changing it to "proto udp" instead, as UDP is generally recommended for VPNs due to better performance.
4. Check if the Mikrotik router's firewall rules allow the Ubiquiti router to establish a connection.
5. Lastly, verify that you have the correct public IP and port number.
If none of this works, it would be really helpful if you could share any error messages you're seeing. They could provide valuable clues on what's going wrong.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue May 30, 2023 10:07 am
Re: Problems connecting to Mikrotik OVPN server using .ovpn file
Thank you very much for your reply. In the Mikrotik's log I don't have any error or connection attempt from the Ubiquiti router. And from the Ubiquiti router the only thing I have is a "problem" when trying to load the file.
Fadim wrote: ↑Tue May 30, 2023 11:13 am
The configuration you've shared seems generally correct. It's tricky to diagnose the problem without logs or error messages. However, here are a few things you might want to check:
1. Ensure the certificates and keys are correctly formatted in the .ovpn file. They should be exactly as they are in the original files, including all lines and dashes.
2. Make sure the Mikrotik server is configured to allow connections from your Ubiquiti router's IP.
3. The line "proto tcp-client" might be causing issues, you could try changing it to "proto udp" instead, as UDP is generally recommended for VPNs due to better performance.
4. Check if the Mikrotik router's firewall rules allow the Ubiquiti router to establish a connection.
5. Lastly, verify that you have the correct public IP and port number.
If none of this works, it would be really helpful if you could share any error messages you're seeing. They could provide valuable clues on what's going wrong.
I'll try to check the spaces or if everything is formatted correctly, because I don't really know what it could be.
This is what I get when I try to load the file:

Connection not established. Please check your credentials, configuration file and check if remote is online.
-
- OpenVPN User
- Posts: 39
- Joined: Mon May 15, 2023 12:14 pm
Re: Problems connecting to Mikrotik OVPN server using .ovpn file
Given that the error message is mentioning checking the credentials and configuration file, you might also want to double-check the auth-user-pass directive. It's possible the authentication details are not being read correctly from your .ovpn file.
Also, just to be sure, have you checked that your Ubiquiti router's firmware is up to date? Sometimes, updates can resolve compatibility issues.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Tue May 30, 2023 10:07 am
Re: Problems connecting to Mikrotik OVPN server using .ovpn file
Well, I don't know if the credentials should be added in the .ovpn file, because anyway in this screenshot it asks me for the username and password (they are the same I used in the Mikrotik client to connect and it worked), so I have put the credentials in this section and I don't know if it is necessary to put a line with them in the file.

As for the version, yes, I have the latest one.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Fri Nov 08, 2024 4:00 pm
Re: Problems connecting to Mikrotik OVPN server using .ovpn file
Were you able to resolve this issue? If not I have a few suggestions which may or may not help.
I have several instances of OpenVPN using Mikrotik RouterOS as both VPN server and client, and using Tunnelblick (macOS), OpenVPN Connect (macOS) and OpenVPN (Linux) as clients. SSL library, cipher and auth method mismatches between the client and server cause all sorts of havoc. Working out which combo works is kind of difficult unless you have good logging on both client and server. Upgrading either the client or the router / server introduces problems almost every time. I got this all working w/ RouterOS 6.x several years ago but had to rework it each time (or nearly each time) the OpenVPN client software (either the Linux version, Tunnelblick or OpenVPN Connect) upgraded. When I started upgrading the server side to RouterOS 7.x it all broke again. Here is the combo that I have found most recently which works w/ RouterOS 7.12 as the VPN server. Note I'm using client certificate required, similar to you. I'm also using the auth-user-pass directive but reference an external file. I'm also using protocol tcp but I think udp would work the same.
Here are the key details which I got to work.
RouterOS server config:
tls version any
auth: sha1,md5,sha256,sha512 (I want to experiment w/ narrowing this to sha256 or sha512 but haven't done that yet)
cipher: aes256-gcm (this is the only cipher I have got to work so far w/ the Linux and macOS clients)
Client side: SSL version 3.0.13 (this is specified in the client outside the ovpn config file. I have no idea how to specify that or if it's possible on Ubiquiti. You may get what you get, as is typical w/ Ubiquiti).
Client ovpn config file:
cipher aes-256-gcm
auth sha256
You can see logs on the RouterOS / server side by /log print, providing you have the right level of logging for topic 'ovpn'. Here is what I use for standard logging config on the RouterOS side:
/system logging
set 0 topics=info,!wireless,!dhcp
add action=disk topics=error,warning,critical
add action=disk topics=info,!wireless,!dhcp
You can see ovpn logs w/ this:
/log print where topics ~"ovpn"
Depending on what kind of Ubiquiti you are using you may be able to see logs too. The EP16 switch OS uses Cisco style logging which is retrievable by > show logging | include "pattern" or something like that, I don't have time to look up exact syntax right now. The AirOS clients have logging available in the UI or from dmesg or other Linux utils. Look those up.
Once you can see logging you will get a better idea of which side (server or client) is having trouble w/ which parts of the config and/or auth, ciphers, SSL etc. as well as generally debugging.
Hope this helps.
One final suggestion... do your 'development' on a Linux or macOS or Windows client that provides better debugging.
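An added example, not written by any poster in this thread: a Python check of an inline .ovpn profile for the points raised above (intact `<ca>`/`<cert>`/`<key>` PEM framing, a passphrase-protected private key, and `cipher`/`auth` values that are not in the server's list). The function names, the server lists passed in and the placeholder PEM bodies are assumptions made for the example.

```python
import re

BLOCK_RE = re.compile(r"^<(ca|cert|key)>[ \t]*\n(.*?)\n</\1>[ \t]*$", re.S | re.M)
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.+?)\n-----END \1-----", re.S)

def _norm(name):
    # RouterOS writes aes256-gcm, OpenVPN writes AES-256-GCM: compare without dashes.
    return name.replace("-", "").upper()

def _encrypted(label, data):
    # PKCS#8 marks encryption in the label, the older PEM format in a header line.
    return "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in data

def lint_ovpn(text, server_ciphers, server_auths):
    """Return findings for an inline .ovpn profile checked against the server's settings."""
    text = text.replace("\r\n", "\n")
    findings, blocks = [], dict(BLOCK_RE.findall(text))
    for name in ("ca", "cert", "key"):
        body = blocks.get(name)
        if body is None:
            findings.append(f"<{name}>: block missing or not closed")
        elif not PEM_RE.findall(body) or PEM_RE.sub("", body).strip():
            findings.append(f"<{name}>: damaged BEGIN/END framing or stray text")
        elif name == "key" and any(_encrypted(l, d) for l, d in PEM_RE.findall(body)):
            findings.append("<key>: passphrase-protected, the client must be able to ask for it")
    # Directives are whatever remains once the inline blocks are removed.
    opts = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", ";")):
            opts[parts[0]] = parts[1:]
    for opt, offered in (("cipher", server_ciphers), ("auth", server_auths)):
        value = (opts.get(opt) or ["(unset)"])[0]
        if _norm(value) not in {_norm(o) for o in offered}:
            findings.append(f"{opt} {value}: not in server list {sorted(offered)}")
    return findings

def _pem(label):
    # Constructed placeholder body, not real certificate or key material.
    return f"-----BEGIN {label}-----\nQUJD\n-----END {label}-----"

# Constructed profile with the same directives and PEM labels as the one in the question.
SAMPLE = "\n".join(["client", "dev tun", "proto tcp-client", "cipher AES-256-CBC",
                    "auth SHA1", "auth-user-pass", "<ca>", _pem("CERTIFICATE"), "</ca>",
                    "<cert>", _pem("CERTIFICATE"), "</cert>",
                    "<key>", _pem("ENCRYPTED PRIVATE KEY"), "</key>", ""])

if __name__ == "__main__":  # server lists as given for RouterOS 7.12 in the last reply
    print("\n".join(lint_ovpn(SAMPLE, ["aes256-gcm"], ["sha1", "md5", "sha256", "sha512"])))
```

A finding here only narrows where to look; the client and server logs remain the authority on why a connection fails.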