OpenVPN v Mikrotiku 6.49.2

iko

  • ***
  • 146
    • Zobrazit profil
    • E-mail
OpenVPN v Mikrotiku 6.49.2
« kdy: 29. 01. 2022, 17:10:03 »
zdravim

funguje niekomu ovpn medzi mikrotikom a windows/linux/android? certifikaty mam spravene a furt nic, windows mi pise po VEREIFY OK connection reset, restarting. mobil sa tiez nevie pripojit. mikrotik pise v logu len TCP connection established from ..., potom duplicate packet, dropping a potom : using encoding - AES-256-CBC/SHA1 a to je vsetko. presiel som uz 3000 navodov na webe ale nic nefunguje.


konfig na windows:
Kód: [Vybrat]
client
remote adresa.sk 1194
auth-user-pass
cipher AES-256-CBC
dev tun
auth sha1
proto tcp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
...


Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #1 kdy: 06. 02. 2022, 21:48:51 »
Mám ten istý problém, poradilo sa ti to nejako vyriešiť?

iko

  • ***
  • 146
    • Zobrazit profil
    • E-mail
Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #2 kdy: 07. 02. 2022, 08:08:11 »
Nie, nefunguje a nefunguje.

Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #3 kdy: 07. 02. 2022, 08:52:19 »
Nie, nefunguje a nefunguje.

A kdy to bude fungovat ?

iko

  • ***
  • 146
    • Zobrazit profil
    • E-mail
Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #4 kdy: 07. 02. 2022, 08:54:39 »
A kdy to bude fungovat ?

a čo ja som sibyla? na lin/win som robil uz kopec vpniek, ale mikrotik nejak odolava


robac

  • ***
  • 198
    • Zobrazit profil
    • E-mail
Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #5 kdy: 07. 02. 2022, 10:04:13 »
Funguje bez problémů.

RouterOS:
  • 6.49.2
  • OVPN konfigurováno na jiné verzi, pak několik upgradů
  • certifikáty generované na Mikrotiku

Klient:
  • Windows 10
  • OpenVPN 2.5.2 x86_64-w64
Můžu vyzkoušet Android, předpokládám, že to tam pojede (jako vždy) bez problémů.

OVPN config:
Kód: [Vybrat]
client
route-nopull
route ***
route-metric 1
dev tun
proto tcp
remote ***
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
auth-user-pass
auth-nocache
nobind
persist-key
persist-tun
verb 3
<ca>
...

Koukám, že duplicate packet mám v logu také:
Kód: [Vybrat]
TCP connection established from ***
duplicate packet, dropping
: using encoding - AES-256-CBC/SHA1
*** logged in, *** from ***
<ovpn-***>: connected

První bych asi zkontroloval nastavení Certificate, Auth a Cipher v OVPN server na Mikrotiku...

iko

  • ***
  • 146
    • Zobrazit profil
    • E-mail
Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #6 kdy: 07. 02. 2022, 16:10:49 »

tu je nastavenie ovpn, skusal som mat aj vsetko zapnute ale nepomohlo

Kód: [Vybrat]
                     enabled: yes
                        port: 1194
                        mode: ethernet
                     netmask: 24
                 mac-address: FE:B3:4A:DA:BC:42
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: ovpn-profile
                 certificate: OPENVPN-SERVER
  require-client-certificate: yes
                        auth: sha1
                      cipher: aes256

ZAJDAN

  • *****
  • 2 078
    • Zobrazit profil
    • E-mail
Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #7 kdy: 07. 02. 2022, 16:24:07 »
ve firewallu TCP 1194 povolený máte?
Vesele, vesele do továrny dělník běží...vesele, vesele do továrny jde. Vesele se usmívá když mu soustruh zazpívá...vesele, vesele do továrny jde. Vesele si poskočí když se soustruh roztočí ...vesele, vesele do továrny jde.

iko

  • ***
  • 146
    • Zobrazit profil
    • E-mail
Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #8 kdy: 07. 02. 2022, 17:00:45 »
ve firewallu TCP 1194 povolený máte?

ano, spojenie sa nadviaze, overi sa certifikat:

Kód: [Vybrat]
Mon Jan 31 12:13:37 2022 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Mon Jan 31 12:13:37 2022 MANAGEMENT: >STATE:1643627617,TCP_CONNECT,,,,,,
Mon Jan 31 12:13:38 2022 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 31 12:13:38 2022 TCP_CLIENT link local: (not bound)
Mon Jan 31 12:13:38 2022 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 31 12:13:38 2022 MANAGEMENT: >STATE:1643627618,WAIT,,,,,,
Mon Jan 31 12:13:38 2022 MANAGEMENT: >STATE:1643627618,AUTH,,,,,,
Mon Jan 31 12:13:38 2022 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=fefa64f0 6af6217b
Mon Jan 31 12:13:38 2022 VERIFY OK: depth=1, C=SK, ST=Slovakia, O=XXX, CN=CA-XXX
Mon Jan 31 12:13:38 2022 VERIFY KU OK
Mon Jan 31 12:13:38 2022 Validating certificate extended key usage
Mon Jan 31 12:13:38 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jan 31 12:13:38 2022 VERIFY EKU OK
Mon Jan 31 12:13:38 2022 VERIFY OK: depth=0, C=SK, ST=Slovakia, O=XXX, CN=adresa.tld
Mon Jan 31 12:13:38 2022 Connection reset, restarting [0]
Mon Jan 31 12:13:38 2022 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jan 31 12:13:38 2022 MANAGEMENT: >STATE:1643627618,RECONNECTING,connection-reset,,,,,
Mon Jan 31 12:13:38 2022 Restart pause, 5 second(s)
Mon Jan 31 12:13:43 2022 MANAGEMENT: >STATE:1643627623,RESOLVE,,,,,,
Mon Jan 31 12:13:43 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 31 12:13:43 2022 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Jan 31 12:13:43 2022 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:1194 [nonblock]
Mon Jan 31 12:13:43 2022 MANAGEMENT: >STATE:1643627623,TCP_CONNECT,,,,,,
Mon Jan 31 12:13:44 2022 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 31 12:13:44 2022 TCP_CLIENT link local: (not bound)
Mon Jan 31 12:13:44 2022 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jan 31 12:13:44 2022 MANAGEMENT: >STATE:1643627624,WAIT,,,,,,
Mon Jan 31 12:13:44 2022 MANAGEMENT: >STATE:1643627624,AUTH,,,,,,
Mon Jan 31 12:13:44 2022 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=a8692c25 dde54586
Mon Jan 31 12:13:45 2022 VERIFY OK: depth=1, C=SK, ST=Slovakia, O=XXX, CN=CA-XXX
Mon Jan 31 12:13:45 2022 VERIFY KU OK
Mon Jan 31 12:13:45 2022 Validating certificate extended key usage
Mon Jan 31 12:13:45 2022 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jan 31 12:13:45 2022 VERIFY EKU OK
Mon Jan 31 12:13:45 2022 VERIFY OK: depth=0, C=SK, ST=Slovakia, O=XXX, CN=adresa.tld
Mon Jan 31 12:13:45 2022 Connection reset, restarting [0]
Mon Jan 31 12:13:45 2022 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jan 31 12:13:45 2022 MANAGEMENT: >STATE:1643627625,RECONNECTING,connection-reset,,,,,
Mon Jan 31 12:13:45 2022 Restart pause, 5 second(s)

Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #9 kdy: 07. 02. 2022, 17:07:28 »
Port povolený vo firewalle, takisto aj zaznamenáva packety.
môj log z Mikrotiku:
Kód: [Vybrat]
16:47:02 ovpn,info TCP connection established from <verejná ip>
16:47:02 ovpn,debug,error,63032,6936,7052,6208,31696,56268,5072,7048,l2tp,info,705
2,critical,79,65535,critical,42536,15944,37776,79,56344,40328,19200,4043,55668,562
68,54256,56268,error duplicate packet, dropping
16:47:04 ovpn,info : using encoding - AES-256-CBC/SHA1
a toto isté dookola.
Na fóre openVPN mi napísali
Citace
Looks like you are being blocked, or maybe your server is borken.
ešte ma napadlo či by nemohlo byť niečo zle s certifikátom CA, CRL host som dal WAN adresu a IP mám cez NAT 1:1.
config klienta vyzerá takto:
Kód: [Vybrat]
client
dev tun
proto tcp-client
remote <verejná ip>
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca cert_export_CA.crt
cert cert_export_client.crt
key cert_export_client.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
log z openVPN:
Kód: [Vybrat]
2022-02-07 16:58:30 us=218000 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2022-02-07 16:58:30 us=218000 Current Parameter Settings:
2022-02-07 16:58:30 us=218000   config = 'openvpn.ovpn'
2022-02-07 16:58:30 us=218000   mode = 0
2022-02-07 16:58:30 us=218000   show_ciphers = DISABLED
2022-02-07 16:58:30 us=218000   show_digests = DISABLED
2022-02-07 16:58:30 us=218000   show_engines = DISABLED
2022-02-07 16:58:30 us=218000   genkey = DISABLED
2022-02-07 16:58:30 us=218000   genkey_filename = '[UNDEF]'
2022-02-07 16:58:30 us=218000   key_pass_file = '[UNDEF]'
2022-02-07 16:58:30 us=218000   show_tls_ciphers = DISABLED
2022-02-07 16:58:30 us=218000 NOTE: --mute triggered...
2022-02-07 16:58:30 us=218000 290 variation(s) on previous 10 message(s) suppressed by --mute
2022-02-07 16:58:30 us=218000 OpenVPN 2.5.5 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 15 2021
2022-02-07 16:58:30 us=218000 Windows version 10.0 (Windows 10 or greater) 64bit
2022-02-07 16:58:30 us=218000 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
2022-02-07 16:58:30 us=234000 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2022-02-07 16:58:30 us=234000 Need hold release from management interface, waiting...
2022-02-07 16:58:30 us=718000 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2022-02-07 16:58:30 us=828000 MANAGEMENT: CMD 'state on'
2022-02-07 16:58:30 us=843000 MANAGEMENT: CMD 'log all on'
2022-02-07 16:58:30 us=890000 MANAGEMENT: CMD 'echo all on'
2022-02-07 16:58:30 us=890000 MANAGEMENT: CMD 'bytecount 5'
2022-02-07 16:58:30 us=890000 MANAGEMENT: CMD 'hold off'
2022-02-07 16:58:30 us=890000 MANAGEMENT: CMD 'hold release'
2022-02-07 16:58:30 us=890000 MANAGEMENT: CMD 'password [...]'
2022-02-07 16:58:30 us=890000 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2022-02-07 16:58:30 us=890000 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2022-02-07 16:58:30 us=890000 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
2022-02-07 16:58:30 us=890000 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
2022-02-07 16:58:30 us=890000 TCP/UDP: Preserving recently used remote address: [AF_INET]<verejná ip>:1194
2022-02-07 16:58:30 us=890000 Socket Buffers: R=[65536->65536] S=[65536->65536]
2022-02-07 16:58:30 us=890000 Attempting to establish TCP connection with [AF_INET]<verejná ip>:1194 [nonblock]
2022-02-07 16:58:30 us=890000 MANAGEMENT: >STATE:1644249510,TCP_CONNECT,,,,,,
2022-02-07 16:58:30 us=906000 TCP connection established with [AF_INET]<verejná ip>:1194
2022-02-07 16:58:30 us=906000 TCP_CLIENT link local: (not bound)
2022-02-07 16:58:30 us=906000 TCP_CLIENT link remote: [AF_INET]<verejná ip>:1194
2022-02-07 16:58:30 us=906000 MANAGEMENT: >STATE:1644249510,WAIT,,,,,,
2022-02-07 16:58:30 us=906000 MANAGEMENT: >STATE:1644249510,AUTH,,,,,,
2022-02-07 16:58:30 us=906000 TLS: Initial packet from [AF_INET]<verejná ip>:1194, sid=6bb53993 088eadc1
2022-02-07 16:58:33 us=15000 VERIFY OK: depth=1, CN=CA
2022-02-07 16:58:33 us=15000 VERIFY KU OK
2022-02-07 16:58:33 us=15000 Validating certificate extended key usage
2022-02-07 16:58:33 us=15000 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-02-07 16:58:33 us=15000 VERIFY EKU OK
2022-02-07 16:58:33 us=15000 VERIFY OK: depth=0, CN=server
2022-02-07 16:58:33 us=609000 Connection reset, restarting [0]
2022-02-07 16:58:33 us=609000 TCP/UDP: Closing socket
2022-02-07 16:58:33 us=609000 SIGUSR1[soft,connection-reset] received, process restarting
2022-02-07 16:58:33 us=609000 MANAGEMENT: >STATE:1644249513,RECONNECTING,connection-reset,,,,,
2022-02-07 16:58:33 us=609000 Restart pause, 5 second(s)
2022-02-07 16:58:34 us=625000 SIGTERM[hard,init_instance] received, process exiting
2022-02-07 16:58:34 us=625000 MANAGEMENT: >STATE:1644249514,EXITING,init_instance,,,,,
Bridge nastavený proxy-arp interface ethernet na lan takisto
Log na firewalle vyzerá poväčšine takto:
Kód: [Vybrat]
17:03:17 firewall,info input: in:ether1-gateway out:(unknown 0), src-mac c4:ad:34:
30:90:bd, proto TCP (ACK,PSH), <verejná ip>:53443->10.202.45.229:1194, len 587
to je asi všetko čo by som mohol dodať ako info

robac

  • ***
  • 198
    • Zobrazit profil
    • E-mail
Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #10 kdy: 07. 02. 2022, 17:07:39 »
Kód: [Vybrat]
Mon Feb 07 17:05:04 2022 Connection reset, restarting [0]
Mon Feb 07 17:05:04 2022 SIGUSR1[soft,connection-reset] received, process restarting
Mon Feb 07 17:05:04 2022 MANAGEMENT: >STATE:1644249904,RECONNECTING,connection-reset,,

SIGUSR1/connection-reset dostanu, pokud zadám špatné heslo. Pokud jste si jistý, že ho dáváte dobře, tak postněte celou (očištěnou o citlivé údaje) konfiguraci pro OVPN na Mikrotiku...

Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #11 kdy: 07. 02. 2022, 17:13:01 »
Pohral som sa s heslami a už to ide, asi bol niekde preklep ;D
Ďakujem za pomoc.

robac

  • ***
  • 198
    • Zobrazit profil
    • E-mail
Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #12 kdy: 08. 02. 2022, 12:47:22 »
Pohral som sa s heslami a už to ide, asi bol niekde preklep ;D
Ďakujem za pomoc.
Bezva. Rádo se stalo...

Re:OpenVPN v Mikrotiku 6.49.2
« Odpověď #13 kdy: 17. 02. 2022, 15:27:56 »
Ahojte
Dnes som v logu Mikrotiku presnejšie pre openVPN našiel TCP connection established from : pár čínskych ruských a amerických IP. a niekoľko krát sa pokúšal 109.226.251.27 pripojiť cez web. Čo to je a mám sa toho báť?
Ďakujem