I failed miserably to get OpenVPN working on my MT devices.. just spun up a VM instead, forwarded the port, sorted. https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-se... Works great in an Amazon VPC instead of paying extra for their VPN. On Wed, 28 Mar. 2018, 18:05 Tim Warnock, <timoid@timoid.org> wrote:
Got NTP working on your MikroTik?
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of QCS Group - Infrastructure Sent: Wednesday, 28 March 2018 4:50 PM To: public@talk.mikrotik.com.au Subject: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Hi All,
I have spent a couple of hours on trying to set up an OpenVPN server on my MikroTik CCR1036 (hoping to replicate this for end users).
I have tried multiple different guides and each time I come back to the same error message.
I will forward my config for the OpenVPN server as well as my Windows client config.
OpenVPN Setup on Mikrotik:
/certificate add name=CA-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"
/certificate add name=SERVER-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="core.router.dc.domainname.com.au" key-size=4096 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign SERVER-tpl ca="CA" name="SERVER"
/certificate add name=CLIENT-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="CLIENT" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate add name=CLIENT1 copy-from="CLIENT-tpl" common-name="CLIENT1"
/certificate sign CLIENT1 ca="CA" name="CLIENT1"
/certificate export-certificate CA export-passphrase=""
/certificate export-certificate CLIENT1 export-passphrase="123456789"
/ip firewall filter
add chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add chain=input comment="Allow OpenVPN" dst-port=1194 protocol=udp
# pool and profile are created before the secret that references them
/ip pool add name=OpenVPN-pool ranges=172.16.99.10-172.16.99.100
/ppp profile add change-tcp-mss=yes local-address=172.16.99.254 name=OpenVPN-profile remote-address=OpenVPN-pool use-encryption=yes
/ppp secret add name=OpenVPNTest password=OpenVPNTest profile=OpenVPN-profile service=ovpn
/interface ovpn-server server set auth=sha1 certificate=SERVER cipher=aes256 default-profile=OpenVPN-profile enabled=yes require-client-certificate=yes
Windows OpenVPN Client:
C:\Program Files\OpenVPN\config Directory contains:
(I renamed the exported certs/key)
ca.crt
client1.crt
client1.key
client1.ovpn
secret
client1.ovpn file contains:
client
dev tun
proto tcp-client
remote core.router.dc.domainname.com.au
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca ca.crt
cert client1.crt
key client1.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
;redirect-gateway def1
Windows OpenVPN Log:
It looks like everything connects, I can see a TCP connection in the Router logs.
This is the client log.
(I have replaced router.ip with our IP address)
STATE:1522219208,TCP_CONNECT,,,
Wed Mar 28 16:40:09 2018 us=664908 TCP connection established with [AF_INET]routerip:1194
Wed Mar 28 16:40:09 2018 us=664908 TCPv4_CLIENT link local: [undef]
Wed Mar 28 16:40:09 2018 us=664908 TCPv4_CLIENT link remote: [AF_INET]router.ip:1194
Wed Mar 28 16:40:09 2018 us=665909 MANAGEMENT: STATE:1522219209,WAIT,,,
Wed Mar 28 16:40:09 2018 us=666913 MANAGEMENT: STATE:1522219209,AUTH,,,
Wed Mar 28 16:40:09 2018 us=666913 TLS: Initial packet from [AF_INET]router.ip:1194, sid=d2631263 4753bbdb
Wed Mar 28 16:40:09 2018 us=759771 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Wed Mar 28 16:40:09 2018 us=759771 TLS_ERROR: BIO read tls_read_plaintext error
Wed Mar 28 16:40:09 2018 us=759771 TLS Error: TLS object -> incoming
Wed Mar 28 16:40:08 2018 us=663815 Local Options String: 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Wed Mar 28 16:40:08 2018 us=663815 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Wed Mar 28 16:40:08 2018 us=663815 Local Options hash (VER=V4): '5cb3f8dc'
Wed Mar 28 16:40:08 2018 us=663815 Expected Remote Options hash (VER=V4): '898ae6c6'
Wed Mar 28 16:40:08 2018 us=663815 Attempting to establish TCP connection with [AF_INET]router.ip:1194 [nonblock]
Wed Mar 28 16:40:08 2018 us=663815 MANAGEMENT: plaintext read error
Wed Mar 28 16:40:09 2018 us=760772 TLS Error: TLS handshake failed
Wed Mar 28 16:40:09 2018 us=760772 Fatal TLS error (check_tls_errors_co), restarting
Wed Mar 28 16:40:09 2018 us=760772 TCP/UDP: Closing socket
Wed Mar 28 16:40:09 2018 us=760772 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 28 16:40:09 2018 us=760772 MANAGEMENT: STATE:1522219209,RECONNECTING,tls-error,,
Wed Mar 28 16:40:09 2018 us=760772 Restart pause, 5 second(s)
If someone could please point out where my issue is I would be most grateful. I have already spent way too much time on this.
Kind Regards,
Russell Keavy. _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
-- Regards, Aaron Were, TDJ Australia Pty Ltd <http://tdj.com.au>, awere@tdj.com.au
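Added here as a quick consistency check, not code from the thread or from MikroTik: it parses the posted client1.ovpn and the RouterOS "/interface ovpn-server server set" line and reports cipher, auth, transport and client-certificate mismatches. It assumes the RouterOS 6 option names map as aes256 -> AES-256-CBC and sha1 -> SHA1, and that the RouterOS 6 OVPN server is TCP-only. For the two configs as posted it reports nothing, which agrees with the identical Local and Expected Remote Options strings in the client log.

```python
# RouterOS 6 option values -> OpenVPN client option values (assumed mapping).
ROS_CIPHER = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC",
              "aes256": "AES-256-CBC", "blowfish128": "BF-CBC"}
ROS_AUTH = {"sha1": "SHA1", "md5": "MD5", "null": "none"}

# Client config and server line as posted in the thread (trimmed to the checked options).
CLIENT_OVPN = """client
dev tun
proto tcp-client
remote core.router.dc.domainname.com.au
tls-client
ca ca.crt
cert client1.crt
key client1.key
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
;redirect-gateway def1
"""
SERVER_SET = ("/interface ovpn-server server set auth=sha1 certificate=SERVER cipher=aes256 "
              "default-profile=OpenVPN-profile enabled=yes require-client-certificate=yes")

def parse_ovpn(text):
    """Map each OpenVPN option to its argument list; ';' and '#' start comment lines."""
    opts = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0][0] not in ";#":
            opts.setdefault(parts[0], parts[1:])
    return opts

def parse_ros_set(line):
    """Collect key=value pairs from a RouterOS 'set' command."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def check_config(ovpn_text, ros_line):
    """Return mismatches between client and server settings; an empty list means consistent."""
    c, s = parse_ovpn(ovpn_text), parse_ros_set(ros_line)
    findings = []
    for opt, table in (("cipher", ROS_CIPHER), ("auth", ROS_AUTH)):
        want, have = table.get(s.get(opt)), (c.get(opt) or [None])[0]
        if have != want:
            findings.append(f"{opt}: client has {have}, server {opt}={s.get(opt)} needs {want}")
    if (c.get("proto") or ["udp"])[0] not in ("tcp", "tcp-client"):
        findings.append("proto: RouterOS 6 OVPN server is TCP-only")
    if s.get("require-client-certificate") == "yes" and not ("cert" in c and "key" in c):
        findings.append("server requires a client certificate but cert/key are missing")
    return findings
```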