Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Hi All,

I have spent a couple of hours on trying to set up an OpenVPN server on my MikroTik CCR1036 (hoping to replicate this for end users).
I have tried multiple different guides and each time I come back to the same error message.
I will forward my config for the OpenVPN server as well as my Windows client config.

OpenVPN Setup on Mikrotik:

/certificate add name=CA-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"
/certificate add name=SERVER-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="core.router.dc.domainname.com.au" key-size=4096 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign SERVER-tpl ca="CA" name="SERVER"
/certificate add name=CLIENT-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="CLIENT" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate add name=CLIENT1 copy-from="CLIENT-tpl" common-name="CLIENT1"
/certificate sign CLIENT1 ca="CA" name="CLIENT1"
/certificate export-certificate CA export-passphrase=""
/certificate export-certificate CLIENT1 export-passphrase="123456789"
/ip firewall filter add chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add chain=input comment="Allow OpenVPN" dst-port=1194 protocol=udp
/ppp secret add name=OpenVPNTest password=OpenVPNTest profile=OpenVPN-profile service=ovpn
/ppp profile add change-tcp-mss=yes local-address=172.16.99.254 name=OpenVPN-profile remote-address=OpenVPN-pool use-encryption=yes
/ip pool add name=OpenVPN-pool ranges=172.16.99.10-172.16.99.100
/interface ovpn-server server set auth=sha1 certificate=SERVER cipher=aes256 default-profile=OpenVPN-profile enabled=yes require-client-certificate=yes

Windows OpenVPN Client:

C:\Program Files\OpenVPN\config directory contains:
(I renamed the exported certs/key)
ca.crt
client1.crt
client1.key
client1.ovpn
secret

client1.ovpn file contains:

client
dev tun
proto tcp-client
remote core.router.dc.domainname.com.au
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca ca.crt
cert client1.crt
key client1.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
;redirect-gateway def1

Windows OpenVPN Log:

It looks like everything connects, I can see a TCP connection in the router logs.
This is the client log.
(I have replaced router.ip with our IP address)

Wed Mar 28 16:40:08 2018 us=663815 Local Options String: 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Wed Mar 28 16:40:08 2018 us=663815 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Wed Mar 28 16:40:08 2018 us=663815 Local Options hash (VER=V4): '5cb3f8dc'
Wed Mar 28 16:40:08 2018 us=663815 Expected Remote Options hash (VER=V4): '898ae6c6'
Wed Mar 28 16:40:08 2018 us=663815 Attempting to establish TCP connection with [AF_INET]router.ip:1194 [nonblock]
Wed Mar 28 16:40:08 2018 us=663815 MANAGEMENT: >STATE:1522219208,TCP_CONNECT,,,
Wed Mar 28 16:40:09 2018 us=664908 TCP connection established with [AF_INET]routerip:1194
Wed Mar 28 16:40:09 2018 us=664908 TCPv4_CLIENT link local: [undef]
Wed Mar 28 16:40:09 2018 us=664908 TCPv4_CLIENT link remote: [AF_INET]router.ip:1194
Wed Mar 28 16:40:09 2018 us=665909 MANAGEMENT: >STATE:1522219209,WAIT,,,
Wed Mar 28 16:40:09 2018 us=666913 MANAGEMENT: >STATE:1522219209,AUTH,,,
Wed Mar 28 16:40:09 2018 us=666913 TLS: Initial packet from [AF_INET]router.ip:1194, sid=d2631263 4753bbdb
Wed Mar 28 16:40:09 2018 us=759771 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Wed Mar 28 16:40:09 2018 us=759771 TLS_ERROR: BIO read tls_read_plaintext error
Wed Mar 28 16:40:09 2018 us=759771 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 28 16:40:09 2018 us=760772 TLS Error: TLS handshake failed
Wed Mar 28 16:40:09 2018 us=760772 Fatal TLS error (check_tls_errors_co), restarting
Wed Mar 28 16:40:09 2018 us=760772 TCP/UDP: Closing socket
Wed Mar 28 16:40:09 2018 us=760772 SIGUSR1[soft,tls-error] received, process restarting
Wed Mar 28 16:40:09 2018 us=760772 MANAGEMENT: >STATE:1522219209,RECONNECTING,tls-error,,
Wed Mar 28 16:40:09 2018 us=760772 Restart pause, 5 second(s)

If someone could please point out where my issue is I would be most grateful. I have already spent way too much time on this.

Kind Regards,
Russell Keavy.
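Editor's note, with an added example that is not part of the post above. Two things are worth separating in a log like this one. First, the RouterOS server settings and the client directives have to agree, and the mapping is easy to get wrong by hand (RouterOS cipher=aes256 is the client's AES-256-CBC, auth=sha1 is SHA1, and the RouterOS 6 OpenVPN server speaks TCP only, so proto must be tcp or tcp-client). Second, the stage at which the session dies tells you where to look: here the client sends its ClientHello and gets an alert back instead of a ServerHello (SSL23_GET_SERVER_HELLO: sslv3 alert handshake failure), which is inside the TLS handshake itself, before OpenVPN ever compares the options strings or sends the PPP username and password. A mismatch in cipher or auth would show up later, as an "is used inconsistently" warning, and a bad PPP secret as AUTH_FAILED, so those directives are not what this log is complaining about; the server's own side of the handshake (its certificate and private key, the TLS parameters it can offer, or its clock, which is what the NTP question later in the thread is getting at) is. The script below encodes both checks. It assumes the value mapping just described and a RouterOS 6 target; the sample server line, .ovpn and log lines are taken from the post, trimmed, and the other log markers it recognises are standard OpenVPN client messages so it also covers failure stages the post does not show.

```python
"""Triage an OpenVPN client failure against a RouterOS ovpn-server config.

Added example for this thread, not code from the original post. It compares
the client directives with what /interface ovpn-server server is set to, and
works out at which stage the connection died, because each stage points at a
different place to look. Assumptions: the RouterOS value <-> OpenVPN directive
mapping below (from MikroTik's documentation) and a RouterOS 6 router, whose
OpenVPN server speaks TCP only.
"""
import re

# RouterOS ovpn-server values and the client directive each corresponds to.
ROS_CIPHER = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC", "aes256": "AES-256-CBC"}
ROS_AUTH = {"md5": "MD5", "sha1": "SHA1"}

# Standard OpenVPN client log messages, listed from the furthest stage reached
# downwards; the first one found in the log decides the verdict.
STAGES = [
    ("Initialization Sequence Completed", "connected"),
    ("AUTH_FAILED", "auth-failed"),                          # TLS up, PPP secret rejected
    ("is used inconsistently", "options-mismatch"),          # TLS up, cipher/auth differ
    ("VERIFY ERROR", "server-cert-rejected"),                # client distrusts server cert
    ("VERIFY EKU ERROR", "server-cert-rejected"),            # remote-cert-tls server failed
    ("alert handshake failure", "tls-handshake-rejected"),   # server aborted the TLS handshake
    ("TLS handshake failed", "tls-handshake-rejected"),
    ("TLS key negotiation failed to occur", "no-tls-reply"), # nothing came back at all
]


def parse_ovpn(text):
    """Parse a .ovpn file into {directive: value}; bare directives map to True."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):       # ';' and '#' both start comments
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1] if len(parts) > 1 else True
    return conf


def parse_ros_server(command):
    """Turn '/interface ovpn-server server set k=v ...' into a dict."""
    return dict(re.findall(r"(\S+?)=(\S+)", command))


def check_consistency(server, ovpn):
    """Return a list of mismatches between server settings and client directives."""
    findings = []
    want_cipher = ROS_CIPHER.get(server.get("cipher", ""))
    if ovpn.get("cipher") != want_cipher:
        findings.append(f"cipher: client {ovpn.get('cipher')} vs server cipher={server.get('cipher')} ({want_cipher})")
    want_auth = ROS_AUTH.get(server.get("auth", ""))
    if ovpn.get("auth") != want_auth:
        findings.append(f"auth: client {ovpn.get('auth')} vs server auth={server.get('auth')} ({want_auth})")
    proto = ovpn.get("proto", "udp")               # OpenVPN defaults to UDP when unset
    if proto not in ("tcp", "tcp-client"):
        findings.append(f"proto: client {proto}, RouterOS 6 ovpn-server is TCP only")
    if server.get("require-client-certificate") == "yes" and not ("cert" in ovpn and "key" in ovpn):
        findings.append("client certificate: required by server, no cert/key in .ovpn")
    if "auth-user-pass" not in ovpn:               # RouterOS always checks a /ppp secret
        findings.append("auth-user-pass: missing, RouterOS requires a PPP login")
    return findings


def classify_log(lines):
    """Name the stage at which the client log shows the connection ending."""
    text = "\n".join(lines)
    for marker, stage in STAGES:
        if marker in text:
            return stage
    return "unknown"


def triage(server_cmd, ovpn_text, log_text):
    """Run both checks; returns (stage, findings)."""
    findings = check_consistency(parse_ros_server(server_cmd), parse_ovpn(ovpn_text))
    return classify_log(log_text.splitlines()), findings


# Sample input taken from the post above (trimmed), embedded so this runs offline.
SAMPLE_SERVER = ("/interface ovpn-server server set auth=sha1 certificate=SERVER "
                 "cipher=aes256 default-profile=OpenVPN-profile enabled=yes "
                 "require-client-certificate=yes")
SAMPLE_OVPN = """client
dev tun
proto tcp-client
remote core.router.dc.domainname.com.au
port 1194
tls-client
remote-cert-tls server
ca ca.crt
cert client1.crt
key client1.key
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
;redirect-gateway def1
"""
SAMPLE_LOG = """Wed Mar 28 16:40:09 2018 us=664908 TCP connection established with [AF_INET]router.ip:1194
Wed Mar 28 16:40:09 2018 us=666913 TLS: Initial packet from [AF_INET]router.ip:1194, sid=d2631263 4753bbdb
Wed Mar 28 16:40:09 2018 us=759771 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Wed Mar 28 16:40:09 2018 us=760772 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    stage, findings = triage(SAMPLE_SERVER, SAMPLE_OVPN, SAMPLE_LOG)
    print("failure stage:", stage)
    print("config findings:", findings or "none, cipher/auth/proto agree with the server")
```

Run against the post's own data it reports no configuration findings and the stage tls-handshake-rejected, which is the point: the client-side directives are consistent with the server, so the next thing to inspect is the router's certificate store and clock rather than the .ovpn file.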
Got NTP working on your MikroTik?
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of QCS Group - Infrastructure Sent: Wednesday, 28 March 2018 4:50 PM To: public@talk.mikrotik.com.au Subject: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Hi Tim,

Thanks for your response. I have SNTP Client setup and working on my Mikrotik.

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Tim Warnock
Sent: Wednesday, 28 March 2018 5:04 PM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Got NTP working on your MikroTik?
I failed miserably to get OpenVPN working on my MT devices.. just spun up a VM instead, forwarded the port, sorted.

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-se...

Works great in an Amazon VPC instead of paying extra for their VPN.

On Wed, 28 Mar. 2018, 18:05 Tim Warnock, <timoid@timoid.org> wrote:
Got NTP working on your MikroTik?
--
Regards,
Aaron Were
TDJ Australia Pty Ltd
http://tdj.com.au
awere@tdj.com.au
Delivery: 78 Mills Road, Braeside VIC 3195
Postal: PO Box 883, Braeside VIC 3195
Phone: +61-3-8587-8888
Fax: +61-3-8587-8855

The information contained in this email is confidential and privileged material and is intended only for the use of the person(s) to whom it is addressed. If you are not the intended recipient of this email, please return it to the sender at TDJ Australia and destroy any copies made.
On Wed, 2018-03-28 at 23:40 +0000, Aaron Were wrote:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
Works great in an Amazon VPC instead of paying extra for their VPN.
Yeeeesss.... but:

- it's only cheaper if you use a t2.micro or something, otherwise the EC2 costs will equal or exceed the AWS VPN costs
- unless you choose a pretty expensive instance type, your bandwidth will be very limited
- the AWS VPN can shift data much, MUCH faster than most instance types.
- the AWS VPN is essentially zero-maintenance after setup. The platform does not require securing, updating, patching or whatever.

So do the maths (and remember to include traffic costs) before you assume that an instance-based VPN will be better than an AWS Hardware VPN. It depends a lot on how much traffic you have, and whether you have the required skills and time to support it.

The AWS Hardware VPN works well with MikroTiks:
http://biplane.com.au/blog/?p=406

Regards, K.

--
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: 8454 EE43 6215 B6DD 1B4D 9D8D 984D 7BA1 7378 A38D
Old fingerprint: 58F8 09D4 97E4 D74A 0940 44BC 8D6D C28C 3BC9 B0CB
Oh, I remember now, I couldn't get OpenVPN working on MT, and IPSec VPNs were/are blocked by Telstra on the fiber port. We're looking at a new ISP though, so thanks for the write-up!

Good points on the maths. We don't use it that much, ssh being so easy, having to pay for a 24/7 VPN was actually a much more expensive prospect than reserved instance pricing. It seems (on their page: https://aws.amazon.com/vpc/pricing/) that you pay the standard ec2 rate for data ingress/egress any which way you do it, so really, it's the per-hour of availability pricing that got me. Can't use it for anything else either, whereas an ec2 instance is remarkably flexible.

My original use-case was an actual VM on a Hyper-V server though, on-prem as they say.. which means no issues with speed/price etc. I then reapplied that concept to an ec2 instance (on a whim) and it worked great. We then copy the ami around the globe for any number of cheap easy vpn servers, swap out the EIP and simply adjust the dns whenever we feel like skipping around the GFWoC.. well, I mean, no, we would never do that!

On Thu, 29 Mar 2018 at 11:12 Karl Auer <kauer@nullarbor.com.au> wrote:
On Thu, 2018-03-29 at 03:37 +0000, Aaron Were wrote:
Oh, I remember now, I couldn't get OpenVPN working on MT, and IPSec VPN's were/are blocked by Telstra on the fiber port. We're looking at a new ISP though, so thanks for the write-up!
Wait - you were paying Telstra for a fibre port and they blocked VPNs? I can see why you would change ISPs.
it's the per-hour of availability pricing that got me. Can't use it for anything else either, whereas an ec2 instance is remarkably flexible.
Right - but that doesn't address the low bandwidth on pretty much any mid to small instance type. If you run lots of traffic then the crypto load will burn your CPU credits too, and then the CPU limits will lower the VPN throughput. T2 Unlimited will quickly chew up the difference between any small instance type and an AWS VPN.

Nor does it address the maintenance issue, or the fact that you are running a security service on a general-purpose machine. Bad idea, IMHO :-)

Moderate-to-low traffic requirements are all an in-instance VPN can handle unless you run it on something stonkingly large and/or expensive. Most instance types have limits well below 1Gb/s. WELL below. An AWS Hardware VPN can shift 4Gb/s for the price (roughly) of a t2.medium. AWS seems a bit cagey about bandwidth generally, but a bit of googling will get you various peoples' test results.

Regards, K.
I've watched a million different tutorials/read a million different setup guides and I come to the same issue every time.

I'm just setting up a Linux VM now and seeing if I can get it going on that with MT port forwards.

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Aaron Were
Sent: Thursday, 29 March 2018 1:37 PM
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
On Wed, 2018-03-28 at 23:40 +0000, Aaron Were wrote:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-op e nvpn-server-on-ubuntu-16-04
Works great in an Amazon VPC instead of paying extra for their VPN.
Yeeeesss.... but:
- it's only cheaper if you use a t2.micro or something, otherwise the EC2 costs will equal or exceed the AWS VPN costs
- unless you choose a pretty expensive instance type, your bandwidth will be very limited
- the AWS VPN can shift data much, MUCH faster than most instance types.
- the AWS VPN is essentially zero-maintenance after setup. The platform does not require securing, updating, patching or whatever.
So do the maths (and remember to include traffic costs) before you assume that an instance-based VPN will be better than an AWS Hardware VPN. It depends a lot on how much traffic you have, and whether you have the required skills and time to support it.
The AWS Hardware VPN works well with MikroTiks:
http://biplane.com.au/blog/?p=406
Regards, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435 <(02)%206495%207435> http://www.nullarbor.com.au mobile +61 428 957160 <0428%20957%20160>
GPG fingerprint: 8454 EE43 6215 B6DD 1B4D 9D8D 984D 7BA1 7378 A38D Old fingerprint: 58F8 09D4 97E4 D74A 0940 44BC 8D6D C28C 3BC9 B0CB
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com. au
--
Regards,
Aaron Were
TDJ Australia Pty Ltd <http://tdj.com.au> awere@tdj.com.au Delivery: 78 Mills Road, Braeside VIC 3195 Postal: PO Box 883, Braeside VIC 3195 Phone: +61-3-8587-8888 Fax: +61-3-8587-8855
The information contained in this email is confidential and privileged material and is intended only for the use of the person(s) to whom it is addressed. If you are not the intended recipient of this email, please return it to the sender at TDJ Australia and destroy any copies made.
-----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Tim Warnock Sent: Thursday, 29 March 2018 4:55 PM To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

For giggles:
/certificate> print
What is the output?
Thanks Tim.
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of QCS Group - Infrastructure Sent: Thursday, 29 March 2018 5:00 PM To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

/certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #         NAME        COMMON-NAME                SUBJECT-ALT-NAME  FINGERPRINT
 0 K L A T CA          CA                                           3220f023d36f30fd3943c89bb...
 1 K   I   SERVER      core1.dc1.qcsgroup.com.au                    79e074cf9d65c33dfe7db26cb...
 2         CLIENT-tpl  CLIENT
 3 K   I   CLIENT1     CLIENT1                                      3428e08175c520d676531bc33...
-----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Tim Warnock Sent: Thursday, 29 March 2018 5:06 PM To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au> Subject: Re: [MT-AU Public] Mikrotik OpenVPN server Windows OpenVPN Server failure OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

I'd imagine the fault lies with certificate 1.

Did you upload:
CA.certificate
SERVER.certificate
SERVER.privatekey

And sign SERVER.certificate with SERVER.privatekey?
So I assigned server.cert as the certificate for the OpenVPN server on the MT.

Under PPP > Interface > OVPN Server:
Certificate: SERVER
Ticked "Requires client certificate"

I signed SERVER.certificate with CA.cert. These are the exact commands I ran:

/certificate add name=CA-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"
/certificate add name=SERVER-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="core.router.dc.domainname.com.au" key-size=4096 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign SERVER-tpl ca="CA" name="SERVER"
/certificate add name=CLIENT-tpl country="AU" state="QLD" locality="Brisbane" organization="QCSGroup" unit="QCSGroup" common-name="CLIENT" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate add name=CLIENT1 copy-from="CLIENT-tpl" common-name="CLIENT1"
/certificate sign CLIENT1 ca="CA" name="CLIENT1"
/certificate export-certificate CA export-passphrase=""
/certificate export-certificate CLIENT1 export-passphrase="123456789"

And then I downloaded:
CA.cert
CLIENT1.cert
CLIENT1.privatekey
to the client PC.
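The certificate inventory posted above, Tim's suspicion about certificate 1, and the export/download list in the last reply can all be checked mechanically against the flags that `/certificate print` shows. The following is an added example, not code from the thread or from MikroTik: it parses the RouterOS `/certificate print` table and reports what an OpenVPN server is missing (private key on the server certificate, issued status, expiry/revocation, presence of an authority, and a private key on any client certificate you intend to export). It assumes the layout shown in the post (single-letter flags separated by spaces, the legend above a `#` header); the "broken" inventory inside it is constructed for illustration. It only sees what the plain print shows: the issuer of SERVER is not in that table (`/certificate print detail` shows it), and a mismatch between the client's proto/cipher/auth settings and the server's is outside what any certificate check can detect.

```python
"""Check a RouterOS `/certificate print` inventory for OpenVPN-server prerequisites.

Added example, not code from the thread or from MikroTik. It parses the table
RouterOS prints (legend lines, a "#" header, then one row per certificate with
single-letter flags) and reports what the OpenVPN server is missing: the server
certificate needs a private key (K), must be issued (I) and be neither expired
(E) nor revoked (R); some certificate must be an authority (A); a client
certificate exported with its key also needs K.
"""
import re
from dataclasses import dataclass

# Re-typed from the /certificate print output posted in the thread.
SAMPLE_PRINT = """\
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 #         NAME        COMMON-NAME                SUBJECT-ALT-NAME  FINGERPRINT
 0 K L A T CA          CA                                           3220f023d36f30fd3943c89bb...
 1 K   I   SERVER      core1.dc1.qcsgroup.com.au                    79e074cf9d65c33dfe7db26cb...
 2         CLIENT-tpl  CLIENT
 3 K   I   CLIENT1     CLIENT1                                      3428e08175c520d676531bc33...
"""

# Constructed failure case: SERVER imported without its key, CLIENT1 revoked.
SAMPLE_BROKEN = """\
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 #         NAME        COMMON-NAME                SUBJECT-ALT-NAME  FINGERPRINT
 0 K L A T CA          CA                                           3220f023d36f30fd3943c89bb...
 1     I   SERVER      core1.dc1.qcsgroup.com.au                    79e074cf9d65c33dfe7db26cb...
 2 K   I R CLIENT1     CLIENT1                                      3428e08175c520d676531bc33...
"""

LEGEND_RE = re.compile(r"\b([A-Z]) - ([a-z-]+)")
FINGERPRINT_RE = re.compile(r"[0-9a-f]+(\.\.\.)?")


@dataclass(frozen=True)
class Cert:
    index: int
    name: str
    common_name: str
    flags: frozenset
    subject_alt_name: str = ""
    fingerprint: str = ""


def parse_certificate_print(text):
    """Return (legend, certs); legend maps a flag letter to its meaning."""
    legend, certs, in_rows = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):            # column header; rows follow
            in_rows = True
            continue
        if not in_rows:                     # still inside the Flags: legend
            legend.update(LEGEND_RE.findall(line))
            continue
        tokens = line.split()
        if not tokens[0].isdigit():
            continue
        pos, flags = 1, set()
        # Flags are single legend letters. Splitting on whitespace discards the
        # column positions RouterOS uses, so a certificate *named* with a single
        # legend letter would be misread as a flag; real names are longer.
        while pos < len(tokens) and len(tokens[pos]) == 1 and tokens[pos] in legend:
            flags.add(tokens[pos])
            pos += 1
        name = tokens[pos]
        common_name = tokens[pos + 1] if pos + 1 < len(tokens) else ""
        rest = tokens[pos + 2:]
        fingerprint = rest.pop() if rest and FINGERPRINT_RE.fullmatch(rest[-1]) else ""
        certs.append(Cert(int(tokens[0]), name, common_name, frozenset(flags),
                          " ".join(rest), fingerprint))
    return legend, certs


def check_ovpn_prerequisites(certs, server_cert, client_certs=()):
    """Return a list of findings; an empty list means the inventory looks usable."""
    by_name = {c.name: c for c in certs}
    findings = []
    server = by_name.get(server_cert)
    if server is None:
        return [f"{server_cert}: no such certificate on the router"]
    if "K" not in server.flags:
        findings.append(f"{server.name}: no private key (K); the TLS handshake cannot complete")
    if "I" not in server.flags:
        findings.append(f"{server.name}: not issued (I); sign it with the CA first")
    for flag, word in (("E", "expired"), ("R", "revoked")):
        if flag in server.flags:
            findings.append(f"{server.name}: {word} ({flag})")
    if not any("A" in c.flags for c in certs):
        findings.append("no certificate carries the authority flag (A); nothing to export as CA")
    for name in client_certs:
        client = by_name.get(name)
        if client is None:
            findings.append(f"{name}: no such certificate on the router")
            continue
        if "K" not in client.flags:
            findings.append(f"{name}: no private key (K); export-certificate would yield no key")
        if "I" not in client.flags:
            findings.append(f"{name}: not issued (I); this is a template, not a usable certificate")
        for flag, word in (("E", "expired"), ("R", "revoked")):
            if flag in client.flags:
                findings.append(f"{name}: {word} ({flag}); the server will reject it")
    return findings


if __name__ == "__main__":
    for label, text in (("posted inventory", SAMPLE_PRINT), ("constructed broken inventory", SAMPLE_BROKEN)):
        _, certs = parse_certificate_print(text)
        findings = check_ovpn_prerequisites(certs, "SERVER", ["CLIENT1"])
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run against the inventory posted in the thread it reports nothing, which is consistent with Tim's question: the flags show SERVER has a key and is issued, so the plain table cannot tell whether SERVER was signed by CA or by something else. The constructed inventory shows the two failure modes the flags do expose (server without its private key, client certificate revoked).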
participants (4)
- Aaron Were
- Karl Auer
- QCS Group - Infrastructure
- Tim Warnock