Hello, this is my first post.
Has anybody tried OpenVPN Access Server on AWS EC2 and configured a site-to-site VPN?
I ask because I spent a whole month trying to connect two Mikrotik routers without success.
I read all the OpenVPN site-to-site documentation.
What could go wrong? I'm aware Mikrotik doesn't support TLS Auth and UDP.
When I use OpenVPN as a private tunnel from my PC, it worked.
The problem is I can't ping between clients.
OpenVPN AS on AWS site-to-site between Mikrotik
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Mar 01, 2021 7:13 am
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN AS on AWS site-to-site between Mikrotik
Hello,
While I love the MikroTik routers for the versatility in routing configurations, and squeezing a lot of performance and functionality out of the limited hardware, I am not a fan of their OpenVPN implementation. These are problems/limitations that I've encountered getting it to work:
- No support for UDP transport - this is very bad. Look up the term "TCP Meltdown" if you want to know why.
- No support for compression - this is complicated. We advise not to use compression. But for historical reasons you need to have SUPPORT for it.
- No support for autologin profiles - we can work around this though with user-locked profile.
- No support for host names - can only connect by IP. Can't help you if you have a dynamic IP.
- No support for .ovpn files - have to copy/paste your own set of certificates and upload them and import them.
- No support for custom config - got some special setting for OpenVPN you need on the client side? Too bad.
Go to Access Server Admin UI, go to Configuration, go to Advanced VPN, and make sure that TLS auth is turned off and that compression is turned off. Go to User Permissions and create a user and set a password for it. If you're using an external authentication system like RADIUS/LDAP or such, then take care of creating an account there. Do not make this an autologin profile.
Then go to the Access Server Client UI, log in as that user, and download a user-locked profile for this user account. Open the client.ovpn in a text editor. Take the piece between <ca> and </ca> and save it as ca.crt. Do not include the <ca> and </ca> lines themselves in this file, just what's in between them. Then take the piece between <cert> and </cert> and save that as cert.crt. And then take the piece between <key> and </key> and save that as key.pem. Note that the file extensions are important or it won't work.
Now go to the Access Server command line interface (SSH access to server, and gain root privileges). Then run these commands (replace <USERNAME> with the actual username of the account you just created on the Admin UI):
cd /usr/local/openvpn_as/scripts/
./sacli --user <USERNAME> --key "prop_cc_cmds" --value 'compress stub-v2,push "compress stub-v2"' UserPropPut
service openvpnas restart
Again go to the MikroTik web interface and go to Interfaces. Click [add new] and select OVPN Client. In 'connect to' you must enter the IP address of your OpenVPN Access Server. As port, the default will be TCP 443, so just enter 443. Port 1194 on Access Server is UDP by default so won't work. Mode should be left to 'IP' (Layer3). Enter username and password. Profile you can leave as is, and certificate must be set to the cert.crt you uploaded in a previous step - the one that has the private key too. This will be our client certificate+key. Check the box to verify server certificate. Set auth to sha1. Set cipher to aes 256. The final two settings for using peer DNS or adding default route are up to your use-cases - if you just want split tunnel I would leave those off and just rely on whatever routes the Access Server pushes down.
Under IP > Routes you should see which routes are available and you should see new ones populated here when the connection is up and running.
You can now use Tools > Ping from the MikroTik interface to ping IP addresses that should be reachable through the OpenVPN tunnel, and it should now work. You should be able to see the ping packets travel through the Access Server by running tcpdump -eni any icmp on the Access Server itself while pinging through the VPN tunnel from the MikroTik router.
--
That's it. Again, I recommend against this as it kills TLS-auth which is a pretty big part of the security of OpenVPN, and it only works over TCP, which is a problem for reliability. But if you really want to, this is how you can do it.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
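The profile-splitting step from the post above, as an added example that is not part of the original post or of Access Server's own tooling: a POSIX shell script that cuts the inline <ca>, <cert> and <key> blocks out of client.ovpn into ca.crt, cert.crt and key.pem (without the tag lines), checks that each looks like PEM, and reports the remote host/port to type into the router's 'connect to' field. The sample profile, the 203.0.113.10 address and the PEM bodies are constructed placeholders.

```shell
# Added example (not from the thread): split the inline <ca>/<cert>/<key> blocks of an
# Access Server client.ovpn into ca.crt, cert.crt and key.pem (tag lines excluded), and
# report the 'remote' host/port to type into the MikroTik OVPN Client 'connect to' field.
# Print the lines strictly between <tag> and </tag>; $1 = tag name, $2 = profile path.
extract_block() {
    awk -v tag="$1" '$0 == "</" tag ">" { inside = 0 }
                     inside             { print }
                     $0 == "<" tag ">"  { inside = 1 }' "$2"
}
# Write the three files MikroTik expects into $2; fail if a block is missing or not PEM.
split_ovpn_profile() {
    profile="$1"; outdir="$2"
    mkdir -p "$outdir"
    for pair in ca:ca.crt cert:cert.crt key:key.pem; do
        tag="${pair%%:*}"; name="${pair#*:}"
        extract_block "$tag" "$profile" > "$outdir/$name"
        head -n 1 "$outdir/$name" | grep -q '^-----BEGIN ' ||
            { echo "missing or malformed <$tag> block in $profile" >&2; return 1; }
    done
    chmod 600 "$outdir/key.pem"   # the private key is the sensitive artifact
}
# Print "host port" from the first 'remote' line (OpenVPN's default port 1194 if none
# is given); the router dials IP literals only, so a hostname here must be resolved by hand.
remote_endpoint() {
    awk '$1 == "remote" { print $2, ($3 == "" ? 1194 : $3); exit }' "$1"
}
# Constructed sample profile with placeholder PEM bodies (not real certificates or keys).
tmp=$(mktemp -d)
cat > "$tmp/client.ovpn" <<'EOF'
client
remote 203.0.113.10 443
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-KEY
-----END PRIVATE KEY-----
</key>
EOF
split_ovpn_profile "$tmp/client.ovpn" "$tmp/out"
remote_endpoint "$tmp/client.ovpn"   # prints: 203.0.113.10 443
```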
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Mar 01, 2021 7:13 am
Re: OpenVPN AS on AWS site-to-site between Mikrotik
First of all, thank you very much for your response
and yes, this answers almost all my questions
and I agree, as many people on the Mikrotik forum said, their OpenVPN implementation is bad
but many suggested I move to another VPN, and there I disagree
when I'm offsite I love the OpenVPN mobile version, it is very easy to use
my goal now is site-to-site, so that all Mikrotik devices and my phone can talk to each other
since OpenVPN Cloud is not working with Mikrotik, I tried Access Server
but this is my first experience with AWS
I did try before, almost exactly as you instructed
when I put
./sacli --user MyUsername --key "prop_cc_cmds" --value 'compress stub-v2,push "compress stub-v2"' UserPropPut
I got this error
ERROR: [Errno 2] No such file or directory: 'out/tmp-nqj1x1AZEtOA.tmp': util/options:79,sagent/sacli:510,util/file:142,util/file:137,util/file:130,util/simplefile:11 (exceptions.IOError)
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN AS on AWS site-to-site between Mikrotik
Hello,
All commands on the Access Server must be run as root user unless you have made provisions to allow an unprivileged user to run commands.
The error message you pasted is the result of not running as root user.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support