How do I disable tls-auth, because Mikrotik does not support TLS? #1188

Open
A10h15 opened this issue Dec 11, 2023 · 0 comments

A10h15 commented Dec 11, 2023

Hello,
I want to connect to the OpenVPN server with a Mikrotik router, but apparently Mikrotik doesn't support TLS. Please guide me: how do I disable tls-auth?

My server config:

root@Nuremberg:~# cat /etc/openvpn/server.conf 
port 8585
proto tcp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 185.12.64.2"
push "dhcp-option DNS 185.12.64.1"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_9Uuq3iAqlupYpVYm.crt
key server_9Uuq3iAqlupYpVYm.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

My client config:

client
proto tcp-client
remote xx.xx.xx.xx 8443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_9Uuq3iAqlupYpVYm name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
.
.
.
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
.
.
.
-----END OpenVPN Static key V1-----
</tls-crypt>

My server log:

Dec 11 16:13:29 Nuremberg ovpn-server[34959]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 16:13:29 Nuremberg ovpn-server[34959]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 16:13:29 Nuremberg ovpn-server[34959]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 16:13:29 Nuremberg ovpn-server[34959]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 16:13:29 Nuremberg ovpn-server[34959]: TCP connection established with [AF_INET]127.0.0.1:41640
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:41640 TLS: Initial packet from [AF_INET]127.0.0.1:41640, sid=ee9250d6 608a4103
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:41640 tls-crypt unwrap error: packet too short
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:41640 TLS Error: tls-crypt unwrapping failed from [AF_INET]127.0.0.1:41640
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:41640 Fatal TLS error (check_tls_errors_co), restarting
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:41640 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: TCP connection established with [AF_INET]127.0.0.1:41656
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:41656 TLS: Initial packet from [AF_INET]127.0.0.1:41656, sid=d9f0e18b 633932b6
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:41656 tls-crypt unwrap error: packet too short
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:41656 TLS Error: tls-crypt unwrapping failed from [AF_INET]127.0.0.1:41656
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:41656 Fatal TLS error (check_tls_errors_co), restarting
Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:41656 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: TCP connection established with [AF_INET]127.0.0.1:41668
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: 127.0.0.1:41668 TLS: Initial packet from [AF_INET]127.0.0.1:41668, sid=88e3691d 6436deb3
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: 127.0.0.1:41668 tls-crypt unwrap error: packet too short
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: 127.0.0.1:41668 TLS Error: tls-crypt unwrapping failed from [AF_INET]127.0.0.1:41668
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: 127.0.0.1:41668 Fatal TLS error (check_tls_errors_co), restarting
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: 127.0.0.1:41668 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 16:13:31 Nuremberg ovpn-server[34959]: TCP connection established with [AF_INET]127.0.0.1:41676
Dec 11 16:13:32 Nuremberg ovpn-server[34959]: 127.0.0.1:41676 TLS: Initial packet from [AF_INET]127.0.0.1:41676, sid=fabbed38 bf602507
Dec 11 16:13:32 Nuremberg ovpn-server[34959]: 127.0.0.1:41676 tls-crypt unwrap error: packet too short
Dec 11 16:13:32 Nuremberg ovpn-server[34959]: 127.0.0.1:41676 TLS Error: tls-crypt unwrapping failed from [AF_INET]127.0.0.1:41676
Dec 11 16:13:32 Nuremberg ovpn-server[34959]: 127.0.0.1:41676 Fatal TLS error (check_tls_errors_co), restarting
Dec 11 16:13:32 Nuremberg ovpn-server[34959]: 127.0.0.1:41676 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec 11 16:13:33 Nuremberg ovpn-server[34959]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 16:13:33 Nuremberg ovpn-server[34959]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 16:13:33 Nuremberg ovpn-server[34959]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Dec 11 16:13:33 Nuremberg ovpn-server[34959]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Dec 11 16:13:33 Nuremberg ovpn-server[34959]: TCP connection established with [AF_INET]127.0.0.1:35156
Dec 11 16:13:33 Nuremberg ovpn-server[34959]: 127.0.0.1:35156 TLS: Initial packet from [AF_INET]127.0.0.1:35156, sid=b2095afc 3adbb355
Dec 11 16:13:33 Nuremberg ovpn-server[34959]: 127.0.0.1:35156 tls-crypt unwrap error: packet too short
Dec 11 16:13:33 Nuremberg ovpn-server[34959]: 127.0.0.1:35156 TLS Error: tls-crypt unwrapping failed from [AF_INET]127.0.0.1:35156
Dec 11 16:13:33 Nuremberg ovpn-server[34959]: 127.0.0.1:35156 Fatal TLS error (check_tls_errors_co), restarting
Dec 11 16:13:33 Nuremberg ovpn-server[34959]: 127.0.0.1:35156 SIGUSR1[soft,tls-error] received, client-instance restarting

*** NOTE: I have stunnel4 as a proxy between the server and the client. The proxy works correctly and I can connect to the server without any problems on all devices, but there is this problem with the Mikrotik router.
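
Added example, not part of the original issue or the project's code: a small Python triage that compares the control-channel wrapper directive (`tls-crypt`, `tls-crypt-v2`, `tls-auth`) in a server and a client profile, and counts `tls-crypt unwrap error` lines per peer, which is what a server with `tls-crypt` logs for control packets it cannot unwrap. The function names, the `CLIENT` profile and the rule that a loopback peer is the stunnel endpoint are assumptions made for illustration; `SERVER` and `LOG` are excerpts of the posted config and log.

```python
import re
from collections import Counter

WRAP = ("tls-crypt-v2", "tls-crypt", "tls-auth")  # control-channel wrappers
UNWRAP_ERR = re.compile(r"ovpn-server\[\d+\]: (\S+):\d+ tls-crypt unwrap error: ")

def wrap_mode(conf):
    """Wrapper directive a config uses (file or inline form), else None."""
    for raw in conf.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0][0] in "#;":   # blank line or comment
            continue
        word = tokens[0].strip("<>")             # "<tls-crypt>" -> "tls-crypt"
        if word in WRAP:
            return word
    return None

def unwrap_failures(log):
    """Count tls-crypt unwrap errors per peer IP (source port dropped)."""
    return Counter(m.group(1) for m in map(UNWRAP_ERR.search, log.splitlines()) if m)

def diagnose(server_conf, client_conf, log):
    findings = []
    srv, cli = wrap_mode(server_conf), wrap_mode(client_conf)
    if srv != cli:
        findings.append(f"wrapper mismatch: server={srv} client={cli}")
    for peer, n in unwrap_failures(log).items():
        note = f"{n} unwrap failure(s) from {peer}"
        if peer.startswith("127."):
            # Assumption: a loopback peer is the local stunnel endpoint, so the
            # real client address has to come from the stunnel log instead.
            note += " (loopback: proxied, real client IP not in this log)"
        findings.append(note)
    return findings

# Constructed inputs: SERVER and LOG are excerpts from the post; CLIENT is a
# hypothetical profile that carries no <tls-crypt> block.
SERVER = "port 8585\nproto tcp\ntls-crypt tls-crypt.key\nca ca.crt\n"
CLIENT = "client\nproto tcp-client\nremote-cert-tls server\n<ca>\n</ca>\n"
P = "Dec 11 16:13:30 Nuremberg ovpn-server[34959]: 127.0.0.1:"
LOG = "\n".join([
    P + "41640 tls-crypt unwrap error: packet too short",
    P + "41640 TLS Error: tls-crypt unwrapping failed from [AF_INET]127.0.0.1:41640",
    P + "41656 tls-crypt unwrap error: packet too short",
])

if __name__ == "__main__":
    for finding in diagnose(SERVER, CLIENT, LOG):
        print(finding)
```

Because `tls-crypt` is set once for the whole server instance, removing it to admit one client also changes what every other client profile has to contain.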
