MikroTik as a pfSense OVPN client



  • I am trying to get MikroTik devices to connect to an OpenVPN server running on pfSense. The switches (hEX S) will appear in the connected client lists, but on the MikroTik, no data is transferred. Here is my pfSense log excerpt. Can anyone make sense of this?

    Jun 19 17:48:31	openvpn	62586	test1/10.10.10.25:40641 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
    Jun 19 17:48:31	openvpn	62586	test1/10.10.10.25:40641 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_34090cb2edc32fb1e9e5cbc68fd5db2.tmp
    Jun 19 17:48:31	openvpn	62586	test1/10.10.10.25:40641 MULTI: Learn: 10.0.8.2 -> test1/10.10.10.25:40641
    Jun 19 17:48:31	openvpn	62586	test1/10.10.10.25:40641 MULTI: primary virtual IP for test1/10.10.10.25:40641: 10.0.8.2
    Jun 19 17:50:30	openvpn	62586	test1/10.10.10.25:40641 [test1] Inactivity timeout (--ping-restart), restarting
    Jun 19 17:50:30	openvpn	62586	test1/10.10.10.25:40641 SIGUSR1[soft,ping-restart] received, client-instance restarting
    Jun 19 17:50:30	openvpn	62586	TCP connection established with [AF_INET]10.10.10.25:40642
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 TLS: Initial packet from [AF_INET]10.10.10.25:40642, sid=e29e6011 a1c5dd02
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 VERIFY SCRIPT OK: depth=0, CN=xxx CA, C=US, ST=xx, L=xxx, O=xxx
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 VERIFY OK: depth=0, CN=xxx CA, C=US, ST=xx, L=xxx, O=xxx
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 TLS: Username/Password authentication deferred for username 'test1' [CN SET]
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40642
    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 PUSH: Received control message: 'PUSH_REQUEST'
    Jun 19 17:50:30	openvpn		user 'test1' authenticated
    

  • LAYER 8 Rebel Alliance

    Jun 19 17:50:30	openvpn	62586	10.10.10.25:40642 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    

    Use the same compression settings on both sides. Almost every setting needs to match on both; recheck.

    -Rico



  • @Rico Thanks for the response. I have disabled LZO compression and there still appears to be a mismatch. Compression is unsupported by MikroTik for OVPN, but in these logs from my last connection attempt, the user authentication is deferred before an MTU & compression mismatch. I'm wondering why my user 'test1' is not authenticating; I have added the user to the user list without a cert generated, as this is how I've seen tutorials for MikroTik OVPN clients (no cert is used).

    edit: I changed this log to read from newest at the top.

    Jun 19 18:23:00	openvpn		user 'test1' authenticated
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 PUSH: Received control message: 'PUSH_REQUEST'
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40659
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 TLS: Username/Password authentication deferred for username 'test1' [CN SET]
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
    Jun 19 18:23:00	openvpn	494	10.10.10.25:40659 TLS: Initial packet from [AF_INET]10.10.10.25:40659, sid=7454714b 5f937b39
    Jun 19 18:23:00	openvpn	494	TCP connection established with [AF_INET]10.10.10.25:40659
    

    EDIT: I got the compression and authentication issues with TLS to go away by recreating the OVPN server using User Authentication (No SSL) and selecting Omit Preference + Disable for the compression settings. However, I am still unable to receive an IP address on the OVPN interface on the MikroTik device. In the pfSense logs, it only shows a successful connection and the IP assignment before timing out due to inactivity:

    Jun 19 19:48:09	openvpn	7059	test1/10.10.10.25:40713 [test1] Inactivity timeout (--ping-restart), restarting
    Jun 19 19:46:10	openvpn	7059	test1/10.10.10.25:40713 MULTI_sva: pool returned IPv4=10.0.254.2, IPv6=(Not enabled)
    Jun 19 19:46:09	openvpn		user 'test1' authenticated
    Jun 19 19:46:09	openvpn	7059	10.10.10.25:40713 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40713
    

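The pfSense log excerpts in this thread carry three separate signals: the server-side option mismatch WARNINGs that Rico points at (`comp-lzo` absent on the client, and the one-byte `link-mtu` difference that the compression framing byte accounts for), the deferred password check (`PLUGIN_AUTH_USER_PASS_VERIFY status=2` followed by `user 'test1' authenticated`), and the session that receives a pool address and then hits `--ping-restart`, which means the server received nothing from the client in that window. The following is an added example, not code from the thread, from pfSense or from MikroTik: a small Python triage script that parses lines in the tab-separated pfSense OpenVPN log format shown above and reports those three findings. The sample log inside it is constructed to mirror the posted lines (same format, same messages, one peer port, timestamps spaced so the timeout is exactly 120 s) and is not a live capture; function names are the example's own.

```python
import re
from datetime import datetime

# Constructed sample in the pfSense OpenVPN log format seen in this thread
# (tab-separated: timestamp, process, pid, message). Not a live capture.
SAMPLE_LOG = """\
Jun 19 17:50:30\topenvpn\t62586\tTCP connection established with [AF_INET]10.10.10.25:40642
Jun 19 17:50:30\topenvpn\t62586\t10.10.10.25:40642 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2
Jun 19 17:50:30\topenvpn\t62586\t10.10.10.25:40642 TLS: Username/Password authentication deferred for username 'test1' [CN SET]
Jun 19 17:50:30\topenvpn\t62586\t10.10.10.25:40642 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1560', remote='link-mtu 1559'
Jun 19 17:50:30\topenvpn\t62586\t10.10.10.25:40642 WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Jun 19 17:50:30\topenvpn\t62586\t10.10.10.25:40642 [test1] Peer Connection Initiated with [AF_INET]10.10.10.25:40642
Jun 19 17:50:30\topenvpn\t\tuser 'test1' authenticated
Jun 19 17:50:31\topenvpn\t62586\ttest1/10.10.10.25:40642 MULTI_sva: pool returned IPv4=10.0.8.2, IPv6=(Not enabled)
Jun 19 17:52:30\topenvpn\t62586\ttest1/10.10.10.25:40642 [test1] Inactivity timeout (--ping-restart), restarting
"""

# Outer record: "<Mon DD HH:MM:SS>\t<process>\t<pid or empty>\t<message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\t(?P<proc>\S+)\t(?P<pid>\d*)\t(?P<msg>.*)$")
# Message prefix OpenVPN adds per client: "ip:port " before auth, "user/ip:port " after
PEER_RE = re.compile(r"^(?:(?P<user>[^/\s]+)/)?(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+)\s+(?P<rest>.*)$")
INCONSISTENT_RE = re.compile(r"WARNING: '(?P<opt>[^']+)' is used inconsistently, local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
MISSING_RE = re.compile(r"WARNING: '(?P<opt>[^']+)' is present in local config but missing in remote config, local='(?P<local>[^']*)'")
POOL_RE = re.compile(r"MULTI_sva: pool returned IPv4=(?P<ip>[^,\s]+),")
DEFERRED_RE = re.compile(r"authentication deferred for username '(?P<user>[^']+)'")
AUTH_OK_RE = re.compile(r"^user '(?P<user>[^']+)' authenticated$")


def parse_log(text):
    """Parse pfSense OpenVPN log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        # The log carries no year; strptime defaults to 1900, which is fine because only differences are used.
        rec["time"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
        pm = PEER_RE.match(rec["msg"])
        rec["user"] = pm.group("user") if pm else None
        rec["peer"] = pm.group("peer") if pm else None
        rec["rest"] = pm.group("rest") if pm else rec["msg"]
        records.append(rec)
    return records


def option_mismatches(records):
    """(option, server value, client value or None) for every server-side config-mismatch WARNING."""
    found = []
    for rec in records:
        m = INCONSISTENT_RE.search(rec["rest"])
        if m:
            found.append((m.group("opt"), m.group("local"), m.group("remote")))
            continue
        m = MISSING_RE.search(rec["rest"])
        if m:
            found.append((m.group("opt"), m.group("local"), None))
    return found


def auth_state(records):
    """Per username: was the password check deferred to the auth plugin, and did 'authenticated' follow?"""
    state = {}
    for rec in records:
        m = DEFERRED_RE.search(rec["rest"])
        if m:
            state.setdefault(m.group("user"), {"deferred": False, "authenticated": False})["deferred"] = True
        m = AUTH_OK_RE.match(rec["msg"])  # this line has no peer prefix, so match the whole message
        if m:
            state.setdefault(m.group("user"), {"deferred": False, "authenticated": False})["authenticated"] = True
    return state


def sessions(records):
    """Per client ip:port: when the tunnel came up, which pool address it got, and when ping-restart fired."""
    out = {}
    for rec in records:
        if rec["peer"] is None:
            continue
        s = out.setdefault(rec["peer"], {"user": None, "initiated": None, "pool_ip": None, "timeout": None})
        if rec["user"]:
            s["user"] = rec["user"]
        if "Peer Connection Initiated" in rec["rest"]:
            s["initiated"] = rec["time"]
        m = POOL_RE.search(rec["rest"])
        if m:
            s["pool_ip"] = m.group("ip")
        if "Inactivity timeout (--ping-restart)" in rec["rest"]:
            s["timeout"] = rec["time"]
    return out


def diagnose(text):
    """Turn a log excerpt into a list of findings a practitioner can act on."""
    records = parse_log(text)
    findings = []
    for opt, local, remote in option_mismatches(records):
        if remote is None:
            findings.append(f"option '{opt}' is set on the server ('{local}') but absent on the client")
        else:
            findings.append(f"option '{opt}' differs: server '{local}', client '{remote}'")
    for user, st in auth_state(records).items():
        if st["deferred"] and not st["authenticated"]:
            findings.append(f"user '{user}': password check deferred to the auth plugin but never completed")
    for peer, s in sessions(records).items():
        if s["initiated"] and s["pool_ip"] and s["timeout"]:
            secs = int((s["timeout"] - s["initiated"]).total_seconds())
            findings.append(f"peer {peer} ({s['user']}): assigned {s['pool_ip']}, then ping-restart after {secs}s; "
                            "the server received no packets from the client in that window")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG):
        print(line)
```

Run against the thread's own excerpts, the first two reports are the mismatch pair that Rico's reply addresses; once the server is rebuilt with compression disabled, only the third remains, which is consistent with the last post: the pool hands out an address, the server then hears nothing, and `--ping-restart` tears the instance down.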