Netgate Discussion Forum

Microtik as a pfSense OVPN client

Category: OpenVPN
icedcoffee:

I am trying to get MicroTik devices to connect to an OpenVPN server running on pfSense. The switches (hEX S) will appear in the connected client lists, but on the MicroTik, no data is transferred. Here is my pfSense log excerpt. Can anyone make sense of this?

      Jun 19 17:48:31	openvpn	62586	test1/10.10.10.25:40641 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
      Jun 19 17:48:31	openvpn	62586	test1/10.10.10.25:40641 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_34090cb2edc32fb1e9e5cbc68fd5db2.tmp
      Jun 19 17:48:31	openvpn	62586	test1/10.10.10.25:40641 MULTI: Learn: 10.0.8.2 -> test1/10.10.10.25:40641
      Jun 19 17:48:31	openvpn	62586	test1/10.10.10.25:40641 MULTI: primary virtual IP for test1/10.10.10.25:40641: 10.0.8.2
      Jun 19 17:50:30	openvpn	62586	test1/10.10.10.25:40641 [test1] Inactivity timeout (--ping-restart), restarting
      Jun 19 17:50:30	openvpn	62586	test1/10.10.10.25:40641 SIGUSR1[soft,ping-restart] received, client-instance restarting
      Jun 19 17:50:30	openvpn	62586	TCP connection established with [AF_INET]10.10.10.25:40642
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 TLS: Initial packet from [AF_INET]10.10.10.25:40642, sid=e29e6011 a1c5dd02
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 VERIFY SCRIPT OK: depth=0, CN=xxx CA, C=US, ST=xx, L=xxx, O=xxx
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 VERIFY OK: depth=0, CN=xxx CA, C=US, ST=xx, L=xxx, O=xxx
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 TLS: Username/Password authentication deferred for username 'test1' [CN SET]
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40642
      Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 PUSH: Received control message: 'PUSH_REQUEST'
      Jun 19 17:50:30	openvpn		user 'test1' authenticated
      
Rico:

        Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
        

Use the same compression settings on both sites. Almost every setting needs to match on both; recheck.

-Rico

2x Netgate XG-7100 | 11x Netgate SG-5100 | 6x Netgate SG-3100 | 2x Netgate SG-1100

icedcoffee (in reply to Rico):

@Rico Thanks for the response. I have disabled LZO compression and there still appears to be a mismatch. Compression is unsupported by MicroTik for OVPN, but in these logs from my last connection attempt, the user authentication is deferred before an MTU & compression mismatch. I'm wondering why my user 'test1' is not authenticating; I have added the user in the user list without a cert generated, as this is how I've seen tutorials for MicroTik OVPN clients (no cert is used).

edit: I changed this log to read from newest at the top.

          Jun 19 18:23:00	openvpn		user 'test1' authenticated
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 PUSH: Received control message: 'PUSH_REQUEST'
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40659
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 TLS: Username/Password authentication deferred for username 'test1' [CN SET]
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
          Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 TLS: Initial packet from [AF_INET]10.10.10.25:40659, sid=7454714b 5f937b39
          Jun 19 18:23:00	openvpn	494	TCP connection established with [AF_INET]10.10.10.25:40659
          

EDIT: I got compression and authentication issues with TLS to go away by recreating the OVPN server using User Authentication (No SSL) and selecting Omit Preference + Disable for the compression settings. However, I am still unable to receive an IP address on the OVPN interface on the MicroTik device. In the pfSense logs, it only shows a successful connection and the IP assignment before timing out due to inactivity:

          Jun 19 19:48:09	openvpn	7059	test1/10.10.10.25:40713 [test1] Inactivity timeout (--ping-restart), restarting
          Jun 19 19:46:10	openvpn	7059	test1/10.10.10.25:40713 MULTI_sva: pool returned IPv4=10.0.254.2, IPv6=(Not enabled)
          Jun 19 19:46:09	openvpn		user 'test1' authenticated
          Jun 19 19:46:09	openvpn	7059	10.10.10.25:40713 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40713
          
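The two symptoms in this thread, the option-mismatch WARNINGs (link-mtu, comp-lzo) and a session that receives a pool address and then hits the ping-restart inactivity timeout with no traffic in between, can be pulled out of a pfSense OpenVPN log automatically. The script below is an added example, not code from the thread, from pfSense or from MikroTik. It assumes only the tab-separated layout visible in the posts above (timestamp, process name, pid, message) and runs against a constructed sample built in that layout; the function names and the field names in the returned records are this example's own.

```python
import re
from datetime import datetime

# Constructed sample input in the pfSense OpenVPN log layout quoted in the
# thread: timestamp, process name, pid and message, separated by tabs.
SAMPLE_LOG = """\
Jun 19 17:48:31\topenvpn\t62586\ttest1/10.10.10.25:40641 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
Jun 19 17:48:31\topenvpn\t62586\ttest1/10.10.10.25:40641 MULTI: primary virtual IP for test1/10.10.10.25:40641: 10.0.8.2
Jun 19 17:50:30\topenvpn\t62586\ttest1/10.10.10.25:40641 [test1] Inactivity timeout (--ping-restart), restarting
Jun 19 17:50:30\topenvpn\t62586\t10.10.10.25:40642 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
Jun 19 17:50:30\topenvpn\t62586\t10.10.10.25:40642 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jun 19 17:50:30\topenvpn\t62586\t10.10.10.25:40642 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40642
Jun 19 17:50:30\topenvpn\t\tuser 'test1' authenticated
"""

# Message prefix: optional "username/" followed by ip:port, e.g. "test1/10.10.10.25:40641".
PEER_RE = re.compile(r"^(?:[^/\s]+/)?(\d{1,3}(?:\.\d{1,3}){3}:\d+)\s+(.*)$")
# The two option-mismatch warning shapes OpenVPN prints after the handshake.
INCONSISTENT_RE = re.compile(
    r"WARNING: '([^']+)' is used inconsistently, local='([^']*)', remote='([^']*)'")
MISSING_RE = re.compile(
    r"WARNING: '([^']+)' is present in local config but missing in remote config, local='([^']*)'")
POOL_RE = re.compile(r"MULTI_sva: pool returned IPv4=(\S+),")
PING_RESTART = "Inactivity timeout (--ping-restart)"


def parse_line(line):
    """Split one pfSense log line; return None for lines not in the expected layout."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    ts_text, proc, pid, msg = parts
    try:
        # The log carries no year; the 1900 default is fine for computing deltas.
        ts = datetime.strptime(ts_text, "%b %d %H:%M:%S")
    except ValueError:
        return None
    peer = None
    m = PEER_RE.match(msg)
    if m:
        peer, msg = m.group(1), m.group(2)
    return {"ts": ts, "proc": proc, "pid": pid, "peer": peer, "msg": msg}


def find_option_mismatches(lines):
    """One record per option the server reported as differing from the peer's.
    'remote' is None when the option is simply absent on the remote side."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = INCONSISTENT_RE.search(rec["msg"])
        if m:
            found.append({"peer": rec["peer"], "option": m.group(1),
                          "local": m.group(2), "remote": m.group(3)})
            continue
        m = MISSING_RE.search(rec["msg"])
        if m:
            found.append({"peer": rec["peer"], "option": m.group(1),
                          "local": m.group(2), "remote": None})
    return found


def find_stalled_sessions(lines):
    """Sessions that were handed a tunnel address and whose next notable event
    was the ping-restart timeout: the 'connected but no traffic' symptom."""
    starts = {}   # peer ip:port -> (timestamp of address assignment, assigned ip)
    stalled = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["peer"] is None:
            continue
        m = POOL_RE.search(rec["msg"])
        if m:
            starts[rec["peer"]] = (rec["ts"], m.group(1))
        elif PING_RESTART in rec["msg"] and rec["peer"] in starts:
            started, ip = starts.pop(rec["peer"])
            stalled.append({"peer": rec["peer"], "assigned_ip": ip,
                            "seconds": int((rec["ts"] - started).total_seconds())})
    return stalled


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for mm in find_option_mismatches(lines):
        print(f"{mm['peer']}: option {mm['option']!r} local={mm['local']!r} remote={mm['remote']!r}")
    for s in find_stalled_sessions(lines):
        print(f"{s['peer']}: got {s['assigned_ip']} then ping-restart after {s['seconds']}s")
```

Run as-is it reports against the embedded sample; replace SAMPLE_LOG with lines copied from the pfSense OpenVPN log to triage a real session. The mismatch list names exactly the options to align on both ends, which is Rico's point above. A stalled-session record whose elapsed time is close to the server's ping-restart window, with nothing logged between address assignment and the restart, means the client never sent a data packet after the handshake, so the problem is on the client side of the tunnel rather than in authentication.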
CarolBrown:

Just try to do it as written here:

https://medium.com/@gmanual/pfsense-mikrotik-openvpn-site-to-site-b001c105843c
