MikroTik as a pfSense OVPN client
-
I am trying to get MikroTik devices to connect to an OpenVPN server running on pfSense. The switches (hEX S) will appear in the connected client lists, but on the MikroTik, no data is transferred. Here is my pfSense log excerpt. Can anyone make sense of this?
Jun 19 17:48:31 openvpn 62586 test1/10.10.10.25:40641 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
Jun 19 17:48:31 openvpn 62586 test1/10.10.10.25:40641 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_34090cb2edc32fb1e9e5cbc68fd5db2.tmp
Jun 19 17:48:31 openvpn 62586 test1/10.10.10.25:40641 MULTI: Learn: 10.0.8.2 -> test1/10.10.10.25:40641
Jun 19 17:48:31 openvpn 62586 test1/10.10.10.25:40641 MULTI: primary virtual IP for test1/10.10.10.25:40641: 10.0.8.2
Jun 19 17:50:30 openvpn 62586 test1/10.10.10.25:40641 [test1] Inactivity timeout (--ping-restart), restarting
Jun 19 17:50:30 openvpn 62586 test1/10.10.10.25:40641 SIGUSR1[soft,ping-restart] received, client-instance restarting
Jun 19 17:50:30 openvpn 62586 TCP connection established with [AF_INET]10.10.10.25:40642
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 TLS: Initial packet from [AF_INET]10.10.10.25:40642, sid=e29e6011 a1c5dd02
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 VERIFY SCRIPT OK: depth=0, CN=xxx CA, C=US, ST=xx, L=xxx, O=xxx
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 VERIFY OK: depth=0, CN=xxx CA, C=US, ST=xx, L=xxx, O=xxx
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 TLS: Username/Password authentication deferred for username 'test1' [CN SET]
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40642
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 PUSH: Received control message: 'PUSH_REQUEST'
Jun 19 17:50:30 openvpn user 'test1' authenticated
-
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Use the same compression settings on both sides. Almost any setting needs to match on both; recheck.
-Rico
-
@Rico Thanks for the response. I have disabled LZO compression and there still appears to be a mismatch. Compression is unsupported by MikroTik for OVPN, but in these logs from my last connection attempt, the user authentication is deferred before an MTU & compression mismatch. I'm wondering why my user 'test1' is not authenticating; I have added the user in the user list without a cert generated, as this is how I've seen tutorials for MikroTik OVPN clients (no cert is used).
edit: I changed this log to read from newest at the top.
Jun 19 18:23:00 openvpn user 'test1' authenticated
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 PUSH: Received control message: 'PUSH_REQUEST'
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40659
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 TLS: Username/Password authentication deferred for username 'test1' [CN SET]
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Jun 19 18:23:00 openvpn 494 10.10.10.25:40659 TLS: Initial packet from [AF_INET]10.10.10.25:40659, sid=7454714b 5f937b39
Jun 19 18:23:00 openvpn 494 TCP connection established with [AF_INET]10.10.10.25:40659
EDIT: I got the compression and authentication issues with TLS to go away by recreating the OVPN server using User Authentication (No SSL) and selecting Omit Preference + Disable for the compression settings. However, I am still unable to receive an IP address on the OVPN interface on the MikroTik device. In the pfSense logs, it only shows a successful connection and the IP assignment before timing out due to inactivity:
Jun 19 19:48:09 openvpn 7059 test1/10.10.10.25:40713 [test1] Inactivity timeout (--ping-restart), restarting
Jun 19 19:46:10 openvpn 7059 test1/10.10.10.25:40713 MULTI_sva: pool returned IPv4=10.0.254.2, IPv6=(Not enabled)
Jun 19 19:46:09 openvpn user 'test1' authenticated
Jun 19 19:46:09 openvpn 7059 10.10.10.25:40713 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40713
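As an added example (not from this thread or from pfSense), a small Python checker that applies Rico's "everything must match on both sides" rule to pfSense OpenVPN log lines: it groups the 'used inconsistently' and 'missing in remote config' warnings per client endpoint, and separately recognises the pattern in the last log above, where an address is assigned and then only a --ping-restart follows. The sample lines are constructed to match the thread's log format and the checker accepts either newest-first or oldest-first order.

```python
import re
from collections import defaultdict

# Constructed sample in pfSense's OpenVPN log format, modelled on the thread (newest-first is fine).
SAMPLE_LOG = """\
Jun 19 19:48:09 openvpn 7059 test1/10.10.10.25:40713 [test1] Inactivity timeout (--ping-restart), restarting
Jun 19 19:46:10 openvpn 7059 test1/10.10.10.25:40713 MULTI_sva: pool returned IPv4=10.0.254.2, IPv6=(Not enabled)
Jun 19 19:46:09 openvpn user 'test1' authenticated
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jun 19 17:50:30 openvpn 62586 10.10.10.25:40642 TLS: Username/Password authentication deferred for username 'test1' [CN SET]
"""

# Log prefix: "<date> openvpn <pid> [<cn>/]<ip>:<port> ..."; lines without a peer field are skipped.
PEER = re.compile(r"^\w{3} +\d+ [\d:]+ openvpn \d+ (?:[^/ ]+/)?(?P<peer>[\d.]+:\d+) ")
INCONSISTENT = re.compile(r"WARNING: '(?P<opt>[^']+)' is used inconsistently, local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
MISSING = re.compile(r"WARNING: '(?P<opt>[^']+)' is present in local config but missing in remote config")
DEFERRED = re.compile(r"authentication deferred for username '(?P<user>[^']+)'")
POOL = re.compile(r"pool returned IPv4=(?P<ip>[\d.]+)")
PING_RESTART = re.compile(r"Inactivity timeout \(--ping-restart\)")

def analyze(log_text):
    """Group findings by client endpoint (ip:port); order of the log lines does not matter."""
    findings = defaultdict(lambda: {"mismatches": [], "assigned_ip": None,
                                    "auth_deferred": None, "ping_restart": False})
    for line in log_text.splitlines():
        head = PEER.match(line)
        if not head:                      # e.g. "openvpn user 'test1' authenticated"
            continue
        f = findings[head["peer"]]
        if (m := INCONSISTENT.search(line)):
            f["mismatches"].append((m["opt"], m["local"], m["remote"]))
        elif (m := MISSING.search(line)):
            f["mismatches"].append((m["opt"], "set", "absent"))
        elif (m := DEFERRED.search(line)):  # deferred is normal with the auth-script plugin
            f["auth_deferred"] = m["user"]
        elif (m := POOL.search(line)):
            f["assigned_ip"] = m["ip"]
        elif PING_RESTART.search(line):
            f["ping_restart"] = True
    return dict(findings)

def verdict(f):
    """Mismatched options come first; then the 'address assigned but no traffic' case."""
    if f["mismatches"]:
        return "fix option mismatch: " + ", ".join(
            f"{opt} (local={loc}, remote={rem})" for opt, loc, rem in f["mismatches"])
    if f["assigned_ip"] and f["ping_restart"]:
        return (f"handshake OK and {f['assigned_ip']} assigned, but no data/keepalive "
                "from the client before --ping-restart fired")
    return "no issue detected"
```

Feed it the pfSense OpenVPN log export; the per-endpoint verdict tells you whether to keep fixing option mismatches or to look at the client side of an already-negotiated tunnel.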
-
Just try to do it as written here:
https://medium.com/@gmanual/pfsense-mikrotik-openvpn-site-to-site-b001c105843c