
Does not connect to mikrotik ovpn server

Posted: Thu Aug 22, 2024 1:32 am
by Mk51
Hi guys.
I encountered a problem. For some reason the program does not connect to my home OVPN server on the Mikrotik router. Basic server settings, no frills. Login + password + certificate.

Code:

/certificate 
add name=ca country="RU" state="31" locality="BEL" organization="Interface LLC" unit="IT" common-name="ca" key-size=2048 days-valid=3650 key-usage=crl-sign,key-cert-sign 
sign ca ca-crl-host=127.0.0.1

add name=ovpn-server country="RU" state="31" locality="BEL" organization="Interface LLC" unit="IT" common-name="ovpn-server" key-size=2048 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server 
sign ovpn-server ca="ca"

add name=mikrotik country="RU" state="31" locality="BEL" organization="Interface LLC" unit="IT" common-name="mikrotik" key-size=2048 days-valid=3650 key-usage=tls-client 
sign mikrotik ca="ca"

export-certificate mikrotik type=pkcs12 export-passphrase=12345678

/ip pool
add name=ovpn_pool ranges=10.8.8.100-10.8.8.199

/ppp profile
add local-address=10.8.8.1 name=ovpn remote-address=ovpn_pool

/ppp aaa
set accounting=yes

/ppp secret
add name=USER1 password=1234567890 profile=ovpn service=ovpn

/interface ovpn-server server
set auth=sha1 certificate=ovpn-server cipher=aes256 default-profile=ovpn enabled=yes require-client-certificate=yes

An ovpn file was generated for the client.

Code:

client
dev tun
proto tcp
remote 192.168.88.1 24852
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
auth sha1
cipher AES-256-CBC
key-direction 1

<auth-user-pass>
USER1
1234567890
</auth-user-pass>

<ca>
-----BEGIN CERTIFICATE-----
MIIDz
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIIDuT
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIIEvg
-----END PRIVATE KEY-----
</key>

Connects perfectly via OpenVPN Connect, but does not want to connect via VPN Client Pro.
After sending the basic handshakes, the client authorization process occurs.

Mikrotik logs

Code:

TCP connection established from 192.168.88.97
rcvd P_CONTROL kid=0 sid=ac89e102d1a966 pid=1 DATA len=287
sent P_ACK kid=0 sid=1723adfdba3e2b7 [3 sid=29dbad9ca824def] DATA len=0
bla bla bla
......
: using encoding - AES-256-CBC/SHA1

And that's all.
If the connection was successful, then immediately after that a line like this should be displayed in the log

Code:

USER1 logged in, 10.8.8.100 from 192.168.88.97
<ovpn-USER1>: connected

But this does not happen.

VPN Client Pro logs

Code:

2024-08-22 04:24:16 VpnClientPro-google-api27-release-1.01.88 (30010188)
2024-08-22 04:24:16 Connecting request by user
2024-08-22 04:24:16 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2024-08-22 04:24:16 OpenVPN 2.5.8 android-arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 14 2024
2024-08-22 04:24:16 library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
2024-08-22 04:24:16 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.88.1:24852
2024-08-22 04:24:16 Attempting to establish TCP connection with [AF_INET]192.168.88.1:24852 [nonblock]
2024-08-22 04:24:16 TCP connection established with [AF_INET]192.168.88.1:24852
2024-08-22 04:24:16 TCPv4_CLIENT link local: (not bound)
2024-08-22 04:24:16 TCPv4_CLIENT link remote: [AF_INET]192.168.88.1:24852
2024-08-22 04:24:18 Disconnecting request by user
2024-08-22 04:24:18 Disconnecting...
2024-08-22 04:24:18 SIGINT[soft,] received, process exiting

Please help.

Re: Does not connect to mikrotik ovpn server

Posted: Thu Aug 22, 2024 8:47 am
by admin
Hello,

the issue is due to the "<auth-user-pass></auth-user-pass>" inline option which is currently ignored during import (Currently the app expects the "auth-user-pass" option with the authentication data in a separate file).
You can fix this by following these steps:
  • Edit the VPN profile
  • Tap on "Authentication"
  • Set the "Authentication mode" to "Certificate (TLS) + password"
  • Select "Save user and password" and insert the authentication data
  • Save the changes

The import issue will be fixed in the next release.
Thanks for reporting.
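
The reply above says the importer ignores an inline "<auth-user-pass>" block and expects the "auth-user-pass" option with the credentials in a separate file. The following is an added example, not part of the original posts and not the app's own code, that rewrites a profile into that form before import. The function names, the file name creds.txt and the sample profile are assumptions made for illustration.

```python
import os
import re
import tempfile

# Constructed sample profile modelled on the one in the thread (placeholder values).
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote 192.168.88.1 24852
<auth-user-pass>
USER1
example-password
</auth-user-pass>
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""

# Matches the whole inline block, including its opening and closing tag lines.
INLINE_AUTH = re.compile(
    r"^[ \t]*<auth-user-pass>[ \t]*\r?\n(.*?)^[ \t]*</auth-user-pass>[ \t]*\r?\n?",
    re.DOTALL | re.MULTILINE,
)

def split_inline_auth(profile_text, creds_name="creds.txt"):
    """Return (profile_without_inline_block, credentials_text or None)."""
    match = INLINE_AUTH.search(profile_text)
    if match is None:
        return profile_text, None  # no inline block: profile is left untouched
    lines = [line for line in match.group(1).splitlines() if line.strip()]
    if len(lines) != 2:
        raise ValueError("expected exactly a username line and a password line")
    new_profile = INLINE_AUTH.sub(lambda m: f"auth-user-pass {creds_name}\n", profile_text, count=1)
    return new_profile, "\n".join(lines) + "\n"

def write_private(path, data):
    """Create the credentials file with owner-only permissions (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

if __name__ == "__main__":
    profile, creds = split_inline_auth(SAMPLE_PROFILE)
    out_dir = tempfile.mkdtemp()
    write_private(os.path.join(out_dir, "creds.txt"), creds)
    with open(os.path.join(out_dir, "client.ovpn"), "w") as fh:
        fh.write(profile)
    print(profile)
```

The credentials file holds the username on the first line and the password on the second, which is the layout OpenVPN reads for "auth-user-pass <file>".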

Re: Does not connect to mikrotik ovpn server

Posted: Thu Aug 22, 2024 4:12 pm
by Mk51
Thank you. It worked successfully.

Re: Does not connect to mikrotik ovpn server

Posted: Fri Aug 23, 2024 7:31 am
by admin
Thanks for the feedback.
The import issue has been fixed in the new version 1.01.89