Got NTP working on your MikroTik?
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of QCS Group - Infrastructure Sent: Wednesday, 28 March 2018 4:50 PM To: public@talk.mikrotik.com.au Subject: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Hi All,
I have spent a couple of hours on trying to setup an OpenVPN server on my Mirktoik CCR1036 (Hoping to replicate this for end users)
I have tried multiple different guides and each time I come back to the same error message.
I will forward my config for the OpenVPN server as well as my Windows client config.
OpenVPN Setup on Mikrotik:
/certificate add name=CA-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="CA" key- size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign /certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"
/certificate add name=SERVER-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common- name="core.router.dc.domainname.com.au" key-size=4096 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server /certificate sign SERVER-tpl ca="CA" name="SERVER"
/certificate add name=CLIENT-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common- name="CLIENT" key-size=4096 days-valid=3650 key-usage=tls-client /certificate add name=CLIENT1 copy-from="CLIENT-tpl" common- name="CLIENT1" /certificate sign CLIENT1 ca="CA" name="CLIENT1"
/certificate export-certificate CA export-passphrase="" /certificate export-certificate CLIENT1 export-passphrase="123456789"
/ip firewall filter add chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp add chain=input comment="Allow OpenVPN" dst-port=1194 protocol=udp
/ppp secret add name=OpenVPNTest password=OpenVPNTest profile=OpenVPN-profile service=ovpn
/ppp profile add change-tcp-mss=yes local-address=172.16.99.254 name=OpenVPN- profile remote-address=OpenVPN-pool use-encryption=yes
/ip pool add name=OpenVPN-pool ranges=172.16.99.10-172.16.99.100
/interface ovpn-server server set auth=sha1 certificate=SERVER cipher=aes256 default-profile=OpenVPN- profile enabled=yes require-client-certificate=yes
Windows OpenVPN Client:
C:\Program Files\OpenVPN\config Directory contains:
(I renamed the exported certs/key)
ca.crt client1.crt client1.key client1.ovpn secret
client1.ovpn file contains:
client dev tun proto tcp-client remote core.router.dc.domainname.com.au port 1194 nobind persist-key persist-tun tls-client remote-cert-tls server ca ca.crt cert client1.crt key client1.key verb 4 mute 10 cipher AES-256-CBC auth SHA1 auth-user-pass secret auth-nocache ;redirect-gateway def1
Windows OpenVPN Log:
It looks like everything connects, I can see a TCP connection in the Router logs.
THis is the client logs.
(I have replaced router.ip with our IP address)
STATE:1522219208,TCP_CONNECT,,, Wed Mar 28 16:40:09 2018 us=664908 TCP connection established with [AF_INET]routerip:1194 Wed Mar 28 16:40:09 2018 us=664908 TCPv4_CLIENT link local: [undef] Wed Mar 28 16:40:09 2018 us=664908 TCPv4_CLIENT link remote: [AF_INET]router.ip:1194 Wed Mar 28 16:40:09 2018 us=665909 MANAGEMENT: STATE:1522219209,WAIT,,, Wed Mar 28 16:40:09 2018 us=666913 MANAGEMENT: STATE:1522219209,AUTH,,, Wed Mar 28 16:40:09 2018 us=666913 TLS: Initial packet from [AF_INET]router.ip:1194, sid=d2631263 4753bbdb Wed Mar 28 16:40:09 2018 us=759771 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure Wed Mar 28 16:40:09 2018 us=759771 TLS_ERROR: BIO read tls_read_plaintext error Wed Mar 28 16:40:09 2018 us=759771 TLS Error: TLS object -> incoming
Wed Mar 28 16:40:08 2018 us=663815 Local Options String: 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256- CBC,auth SHA1,keysize 256,key-method 2,tls-client' Wed Mar 28 16:40:08 2018 us=663815 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server' Wed Mar 28 16:40:08 2018 us=663815 Local Options hash (VER=V4): '5cb3f8dc' Wed Mar 28 16:40:08 2018 us=663815 Expected Remote Options hash (VER=V4): '898ae6c6' Wed Mar 28 16:40:08 2018 us=663815 Attempting to establish TCP connection with [AF_INET]router.ip:1194 [nonblock] Wed Mar 28 16:40:08 2018 us=663815 MANAGEMENT: plaintext read error Wed Mar 28 16:40:09 2018 us=760772 TLS Error: TLS handshake failed Wed Mar 28 16:40:09 2018 us=760772 Fatal TLS error (check_tls_errors_co), restarting Wed Mar 28 16:40:09 2018 us=760772 TCP/UDP: Closing socket Wed Mar 28 16:40:09 2018 us=760772 SIGUSR1[soft,tls-error] received, process restarting Wed Mar 28 16:40:09 2018 us=760772 MANAGEMENT:
STATE:1522219209,RECONNECTING,tls-error,, Wed Mar 28 16:40:09 2018 us=760772 Restart pause, 5 second(s)
If someone could please point out where my issue is I would be most grateful. I have already spent way too much time on this.
Kind Regards,
Russell Keavy. _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au