connect to mkt openvpn server

mkt server | linux client

warning

only TCP is supported by the mkt openvpn server, so the client must use proto tcp-client

the mkt openvpn implementation is older, so the client config needs to be adapted, see the setup section below

this client version works

openvpn --version
# 2.5.5
# 2.5.9?

install

    apt install openvpn

req

make sure the server is reachable over TCP (UDP is re-checked just in case; the -sU scan needs root)

    vpn_server=VPN-SERVER-HERE

    nmap -sTUV -T4 -p 1194 $vpn_server

setup

we are authenticating with login/password (auth-user-pass) in addition to the client certificate referenced by cert/key, not with the certificate alone. no compression is enabled (no comp-lzo). data-ciphers-fallback is used because the old mkt server does not negotiate ciphers (no NCP). the route to the mkt LAN is forced manually. $vpn_server is the variable set in the req section above.

openvpn --show-ciphers | grep AES

username=USER
cat > $username.ovpn <<EOF

dev tun
proto tcp-client

remote $vpn_server 1194

tls-client
# require the peer to present a TLS server certificate (see troubleshooting)
remote-cert-tls server

user nobody
group nogroup

ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

mute-replay-warnings

verb 3

ca localca.crt
cert $username.crt
key $username.key

cipher AES-256-CBC
#data-ciphers-fallback AES-256-CBC
auth SHA1
pull
route 192.168.100.0 255.255.255.0 192.168.87.254

auth-user-pass $username.cfg
auth-nocache
EOF

and set up the auth file, username on the first line and password on the second

vi $username.cfg

openvpn-USER
PASSWORD-HERE

make it readable by its owner only (mode 600), otherwise openvpn warns that the file is group or others accessible

ready to go

connect to the mkt openvpn server

openvpn --data-ciphers AES-256-CBC:AES-128-CBC --cipher AES-256-CBC --data-ciphers-fallback AES-128-CBC \
    --config $username.ovpn

(enter the passphrase to unlock the client private key, if it is encrypted)

check the route to reach the mkt local bridge

route -n
ping 192.168.100.1
nmap -p 80,2222,8443 192.168.100.1

troubleshooting

# mkt console shows
10:10:17 echo: ovpn,debug,error,,,,,,,,,l2tp,info,,debug,update,,critical,,,,update,,,,,,,,,error duplicate packet, dropping

==> this doesn't really matter, the more informative error messages are in the openvpn client output

VERIFY ERROR: depth=1, error=certificate has expired: CN=LocalCA

==> the CA certificate has expired: re-create LocalCA with a validity longer than 365 days, re-issue the server and client certificates under it and copy the new localca.crt to the client (certificates signed by the old CA no longer verify)

DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.

==> call openvpn with all three cipher options as shown above (or put data-ciphers and data-ciphers-fallback in the .ovpn)

WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

==> add remote-cert-tls server to the client config: without it any certificate signed by LocalCA, including another client's, is accepted as the server. the mkt server certificate must then carry the TLS server key usage (keyUsage digitalSignature/keyEncipherment, extendedKeyUsage serverAuth), otherwise the client refuses the connection
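as an added example (my own code, not from this page nor from the OpenVPN or MikroTik projects): a pre-flight lint to run on the generated .ovpn before connecting, covering the setup section above and the three warnings in this troubleshooting section. it checks that proto is TCP, that remote-cert-tls server is set, that the cipher is listed in data-ciphers or data-ciphers-fallback, that the CA file has not expired (only when openssl is installed) and that the auth-user-pass file is owner-only. the function names, the sample configs and vpn.example.org are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight lint for the client
# .ovpn before running openvpn against the mkt server. Helper names
# (ovpn_opt, ovpn_lint, ovpn_lint_demo) and the sample configs are assumed.
set -u

# ovpn_opt FILE DIRECTIVE -> value of the first uncommented DIRECTIVE line ("" if absent)
ovpn_opt() {
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# ovpn_lint FILE -> 0 when clean, 1 otherwise; one finding per line on stdout
ovpn_lint() {
    f=$1; rc=0

    # the mkt openvpn server only speaks TCP; openvpn defaults to udp when proto is unset
    proto=$(ovpn_opt "$f" proto)
    case "${proto:-udp}" in
        tcp|tcp-client|tcp4|tcp6) ;;
        *) echo "proto '${proto:-udp}': the mkt openvpn server only supports TCP"; rc=1 ;;
    esac

    # without this the client accepts any cert signed by LocalCA, client certs included
    if [ "$(ovpn_opt "$f" remote-cert-tls)" != server ]; then
        echo "missing 'remote-cert-tls server': server certificate is not verified (MITM warning)"; rc=1
    fi

    # 2.5 warns (and later versions ignore --cipher) when cipher is not in data-ciphers/-fallback
    cipher=$(ovpn_opt "$f" cipher)
    if [ -n "$cipher" ]; then
        dc=$(ovpn_opt "$f" data-ciphers); fb=$(ovpn_opt "$f" data-ciphers-fallback)
        case ":$dc:$fb:" in
            *":$cipher:"*) ;;
            *) echo "cipher $cipher not listed in data-ciphers or data-ciphers-fallback (DEPRECATED OPTION warning)"; rc=1 ;;
        esac
    fi

    # an expired LocalCA is what produces 'VERIFY ERROR: ... certificate has expired'
    ca=$(ovpn_opt "$f" ca)
    if [ -n "$ca" ] && [ -r "$ca" ] && command -v openssl >/dev/null 2>&1; then
        if ! openssl x509 -in "$ca" -noout -checkend 0 >/dev/null 2>&1; then
            echo "ca $ca has expired"; rc=1
        fi
    fi

    # the credentials file must be owner-only or openvpn warns it is group/others accessible
    up=$(ovpn_opt "$f" auth-user-pass)
    if [ -n "$up" ] && [ -f "$up" ]; then
        case "$(ls -ld "$up" | cut -c5-10)" in
            ------) ;;
            *) echo "auth-user-pass $up is group/others accessible, chmod 600 it"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# ovpn_lint_demo -> writes two constructed configs to a temp dir; returns 0 only if the
# page's original style of config is flagged and the corrected one passes
ovpn_lint_demo() {
    d=$(mktemp -d); ok=1
    printf 'openvpn-USER\nPASSWORD-HERE\n' > "$d/creds"; chmod 600 "$d/creds"
    cat > "$d/bad.ovpn" <<EOF
dev tun
proto udp
remote vpn.example.org 1194
cipher AES-256-CBC
auth SHA1
auth-user-pass $d/creds
EOF
    cat > "$d/good.ovpn" <<EOF
dev tun
proto tcp-client
remote vpn.example.org 1194
remote-cert-tls server
data-ciphers AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-CBC
cipher AES-256-CBC
auth SHA1
auth-user-pass $d/creds
EOF
    if ovpn_lint "$d/bad.ovpn"; then ok=0; fi      # must report findings
    if ! ovpn_lint "$d/good.ovpn"; then ok=0; fi   # must be clean
    rm -rf "$d"
    [ "$ok" -eq 1 ]
}
```

source the file and run ovpn_lint $username.ovpn from the directory holding localca.crt and the credentials file: relative paths in the config are resolved from the current directory, as openvpn itself does without --cd.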

resources

https://forum.mikrotik.com/viewtopic.php?t=116774

http://openvpn.net/howto.html#mitm

https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-android-keychain/

Setting up a VPN through MikroTik - OpenVPN (in Russian) https://lantorg.com/article/nastrojka-vpn-cherez-mikrotik-openvpn

OpenVPN With Mikrotik Not As Primary Router https://forum.mikrotik.com/viewtopic.php?t=184237 –> nice config

troubles

https://forum.opnsense.org/index.php?topic=34552.0

https://bbs.archlinux.org/viewtopic.php?id=285177


Copyright © 2024 Pierre-Philipp Braun