So I assigned server.cert as the certificate for the OpenVPN server on the MT.

Under PPP > Interface > OVPN Server:
  Certificate: SERVER
  Ticked "Requires client certificate"

I signed SERVER.certificate with CA.cert.

These are the exact commands I ran:

/certificate add name=CA-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"
/certificate add name=SERVER-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="core.router.dc.domainname.com.au" key-size=4096 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign SERVER-tpl ca="CA" name="SERVER"
/certificate add name=CLIENT-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="CLIENT" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate add name=CLIENT1 copy-from="CLIENT-tpl" common-name="CLIENT1"
/certificate sign CLIENT1 ca="CA" name="CLIENT1"
/certificate export-certificate CA export-passphrase=""
/certificate export-certificate CLIENT1 export-passphrase="123456789"

And then I downloaded:
  CA.cert
  CLIENT1.cert
  CLIENT1.privatekey
to the client PC.

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Tim Warnock
Sent: Thursday, 29 March 2018 5:06 PM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I'd imagine the fault lies with certificate 1.

Did you upload:
  CA.certificate
  SERVER.certificate
  SERVER.privatekey

And sign SERVER.certificate with SERVER.privatekey?
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of QCS Group - Infrastructure
Sent: Thursday, 29 March 2018 5:00 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

/certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #         NAME        COMMON-NAME                SUBJECT-ALT-NAME  FINGERPRINT
 0 K L A T CA          CA                                           3220f023d36f30fd3943c89bb...
 1 K I     SERVER      core1.dc1.qcsgroup.com.au                    79e074cf9d65c33dfe7db26cb...
 2         CLIENT-tpl  CLIENT
 3 K I     CLIENT1     CLIENT1                                      3428e08175c520d676531bc33...
-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Tim Warnock
Sent: Thursday, 29 March 2018 4:55 PM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
For giggles:
/certificate> print
What is the output.
Thanks Tim.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of QCS Group - Infrastructure
Sent: Thursday, 29 March 2018 4:48 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I've watched a million different tutorials/read a million different setup guides and I come to the same issue every time. I'm just setting up a Linux VM now and seeing if I can get it going on that with MT port forwards.
-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Aaron Were
Sent: Thursday, 29 March 2018 1:37 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Oh, I remember now, I couldn't get OpenVPN working on MT, and IPSec VPNs were/are blocked by Telstra on the fiber port. We're looking at a new ISP though, so thanks for the write-up!
Good points on the maths. We don't use it that much, ssh being so easy, having to pay for a 24/7 VPN was actually a much more expensive prospect than reserved instance pricing. It seems (on their page: https://aws.amazon.com/vpc/pricing/) that you pay the standard ec2 rate for data ingress/egress any which way you do it, so really, it's the per-hour of availability pricing that got me. Can't use it for anything else either, whereas an ec2 instance is remarkably flexible.
My original use-case was an actual VM on a Hyper-V server though, on-prem as they say, which means no issues with speed/price etc. I then reapplied that concept to an ec2 instance (on a whim) and it worked great. We then copy the AMI around the globe for any number of cheap easy VPN servers, swap out the EIP and simply adjust the DNS whenever we feel like skipping around the GFWoC.. well, I mean, no, we would never do that!
On Thu, 29 Mar 2018 at 11:12 Karl Auer <kauer@nullarbor.com.au> wrote:
On Wed, 2018-03-28 at 23:40 +0000, Aaron Were wrote:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
Works great in an Amazon VPC instead of paying extra for their VPN.
Yeeeesss.... but:
- it's only cheaper if you use a t2.micro or something, otherwise the EC2 costs will equal or exceed the AWS VPN costs
- unless you choose a pretty expensive instance type, your bandwidth will be very limited
- the AWS VPN can shift data much, MUCH faster than most instance types.
- the AWS VPN is essentially zero-maintenance after setup. The platform does not require securing, updating, patching or whatever.
So do the maths (and remember to include traffic costs) before you assume that an instance-based VPN will be better than an AWS Hardware VPN. It depends a lot on how much traffic you have, and whether you have the required skills and time to support it.
The AWS Hardware VPN works well with MikroTiks:
http://biplane.com.au/blog/?p=406
Regards, K.
--
Karl Auer (kauer@nullarbor.com.au)
http://www.nullarbor.com.au
work +61 2 64957435
mobile +61 428 957160
GPG fingerprint: 8454 EE43 6215 B6DD 1B4D 9D8D 984D 7BA1 7378 A38D
Old fingerprint: 58F8 09D4 97E4 D74A 0940 44BC 8D6D C28C 3BC9 B0CB
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
--
Regards,
Aaron Were
TDJ Australia Pty Ltd <http://tdj.com.au>
awere@tdj.com.au
Delivery: 78 Mills Road, Braeside VIC 3195
Postal: PO Box 883, Braeside VIC 3195
Phone: +61-3-8587-8888
Fax: +61-3-8587-8855

The information contained in this email is confidential and privileged material and is intended only for the use of the person(s) to whom it is addressed. If you are not the intended recipient of this email, please return it to the sender at TDJ Australia and destroy any copies made.
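The three things Tim is asking about in the top of the thread (is SERVER actually signed by CA, does the uploaded private key belong to that certificate, and does each certificate carry the TLS usage OpenVPN expects) can be checked offline with the openssl CLI on the exported files before another handshake attempt. This is an added example, not code from the thread or from RouterOS; it assumes openssl is installed, and the CA, server and host names in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or RouterOS): pre-flight checks on an
# exported MikroTik certificate bundle before it goes into OpenVPN.
# check_bundle CA CERT KEY ROLE  (ROLE = Server | Client) returns 0 only if
# CERT chains to CA, KEY is CERT's private key, and CERT carries the EKU
# OpenVPN expects for that ROLE. Set PASS to the export passphrase, if any.
check_bundle() {
  ca="$1"; cert="$2"; key="$3"; role="$4"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert is not signed by $ca"; return 1; }
  certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  keypub=$(openssl pkey -in "$key" -passin "pass:${PASS:-}" -pubout 2>/dev/null)
  { [ -n "$keypub" ] && [ "$certpub" = "$keypub" ]; } \
    || { echo "FAIL: $key does not belong to $cert"; return 1; }
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -A1 'Extended Key Usage' | grep -q "TLS Web $role Authentication" \
    || { echo "FAIL: $cert lacks the TLS Web $role Authentication EKU"; return 1; }
  echo "OK: $cert chains to $ca, matches $key and is usable as a TLS $role"
}

# Constructed demo material (hypothetical names): a CA, a server cert it
# issued with the same usages as the thread's SERVER-tpl, and the same CSR
# signed by an unrelated CA, i.e. the "wrong signer" case Tim suspects.
make_demo() {
  d=$(mktemp -d) && cd "$d" || return 1
  for name in ca rogue; do
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$name" -days 30 \
      -keyout "$name.key" -out "$name.crt" 2>/dev/null || return 1
  done
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > srv.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.invalid" \
    -keyout server.key -out server.csr 2>/dev/null || return 1
  for signer in ca rogue; do
    openssl x509 -req -in server.csr -CA "$signer.crt" -CAkey "$signer.key" \
      -CAcreateserial -days 30 -extfile srv.ext -out "server-$signer.crt" \
      2>/dev/null || return 1
  done
  echo "$d"
}

# Correctly issued bundle: all three checks pass.
good_bundle() { d=$(make_demo) && check_bundle "$d/ca.crt" "$d/server-ca.crt" "$d/server.key" Server; }
# Same key, certificate issued by the wrong CA: the chain check fails first.
bad_bundle()  { d=$(make_demo) && check_bundle "$d/ca.crt" "$d/server-rogue.crt" "$d/server.key" Server; }

good_bundle && ! bad_bundle
```

Against the files named in the thread the calls would be `check_bundle CA.cert SERVER.cert SERVER.privatekey Server` on the router-side export and `PASS=123456789 check_bundle CA.cert CLIENT1.cert CLIENT1.privatekey Client` on the client bundle.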