interface ovpn-server server set certificate=server default-profile=ovpn cipher=aes256 enabled=yesĪfter going through all that trouble, we'll need to remember to retrieve our exported certificates on the client. Next, we'll configure the openvpn server itself: Strongly doubting this is the only one affected. The defaults used by RouterOS certificate manager (and the documented suggestions) are bad and unusable with at least the openvpn client shipped with EdgeOS.
Oct 11 15:35:54 gw openvpn: SIGUSR1 received, process restarting Oct 11 15:35:54 gw openvpn: Fatal TLS error (check_tls_errors_co), restarting Oct 11 15:35:54 gw openvpn: TLS Error: TLS handshake failed Oct 11 15:35:54 gw openvpn: TLS Error: TLS object -> incoming plaintext read error Oct 11 15:35:54 gw openvpn: TLS_ERROR: BIO read tls_read_plaintext error Oct 11 15:35:54 gw openvpn: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed Oct 11 15:35:54 gw openvpn: VERIFY KU ERROR Oct 11 15:35:54 gw openvpn: ++ Certificate has key usage 00b6, expects 0088 Oct 11 15:35:54 gw openvpn: ++ Certificate has key usage 00b6, expects 00a0 Oct 11 15:35:54 gw openvpn: Validating certificate key usage "key-usage=." above is very important and largely undocumented, but without it you'll run into errors like this when connecting your client: certificate export-certificate client1 export-passphrase="somefreakishlylongpassphrase" certificate sign SomeCA ca-crl-host="10.5.5.1" certificate add name="client1" days-valid=3650 key-usage="digital-signature,tls-client" certificate add name="server" days-valid=3650 country="US" state="AK" locality="TundraTown" common-name="server" key-usage=digital-signature,key-encipherment,tls-server certificate add name="SomeCA" days-valid=3650 country="US" state="AK" locality="TundraTown" common-name="SomeCA" key-usage=key-cert-sign,crl-sign Next, we'll create a purpose-built CA, a server certificate, and a certificate for our client (client1): ppp secret add name="client1" password="somefreakishlylongpasswordupto233chars" profile=ovpn
Good luck.įirst, we'll need to add an IP pool, a PPP profile+secrets (RouterOS doesn't support any other kind of auth with OpenVPN): This information may or may not date itself quickly, as upstream firmware versions evolve. Mikrotik Routerboard RB2011UiAS-2HnD running RouterOS 6.48.4.Ubiquiti EdgeRouter X (ER-X, ERX) running EdgeOS 2.0.8-hotfix.1.When connecting an EdgeOS (Ubiquiti Edgerouter) OpenVPN client to a Mikrotik RouterOS OpenVPN server, one may run into some unclear documents and missing details.
0 kommentar(er)
