Were you able to resolve this issue? If not I have a few suggestions which may or may not help.
I have several instances of OpenVPN using Mikrotik RouterOS as both VPN server and client, and using Tunnelblick (macOS), OpenVPN Connect (macOS) and OpenVPN (Linux) as clients. SSL library, cipher and auth method mismatches between the client and server cause all sorts of havoc. Working out which combo works is kind of difficult unless you have good logging on both client and server. Upgrading either the client or the router / server introduces problems almost every time. I got this all working w/ RouterOS 6.x several years ago but had to rework it each time (or nearly each time) the OpenVPN client software (either the Linux version, Tunnelblick or OpenVPN Connect) upgraded. When I started upgrading the server side to RouterOS 7.x it all broke again. Here is the combo that I have found most recently which works w/ RouterOS 7.12 as the VPN server. Note I'm using client certificate required similar to you. I'm also using the auth-user-pass directive but reference an external file. I'm also using protocol tcp but I think udp would work the same.
Here are the key details which I got to work.
RouterOS server config:
tls version any
auth: sha1,md5,sha256,sha512 (I want to experiment w/ narrowing this to sha256 or sha512 but haven't done that yet)
cipher: aes256-gcm (this is the only cipher I have got to work so far w/ the Linux and macOS clients)
Client side: SSL version 3.0.13 (this is specified in the client outside the ovpn config file. I have no idea how to specify that or if it's possible on Ubiquiti. You may get what you get, as is typical w/ Ubiquiti).
client ovpn config file:
cipher aes-256-gcm
auth sha256
You can see logs on the RouterOS / server side with /log print, providing you have the right level of logging for topic 'ovpn'. Here is what I use for standard logging config on the RouterOS side:
set 0 topics=info,!wireless,!dhcp
add action=disk topics=error,warning,critical
add action=disk topics=info,!wireless,!dhcp
You can see ovpn logs w/ this:
/log print where topics ~"ovpn"
Depending on what kind of Ubiquiti you are using you may be able to see logs too. The EP16 switch OS uses Cisco-style logging which is retrievable by > show logging | include "pattern" or something like that; I don't have time to look up the exact syntax right now. The AirOS clients have logging available in the UI or from dmesg or other Linux utils. Look those up.
Once you can see logging you will get a better idea of which side (server or client) is having trouble w/ which parts of the config and/or auth, ciphers, SSL etc., as well as generally debugging.
Hope this helps.
One final suggestion... do your 'development' on a Linux, macOS or Windows client that provides better debugging.
Statistics: Posted by scott-ovpn@internetworkz.net — Fri Nov 08, 2024 4:17 pm
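The post above says that once you can see the client and server logs you can tell which side is choking on which part of the config (cipher, auth, TLS, certificates). The script below is an added example from the editor, not code from the poster or from MikroTik/OpenVPN: it runs a small rule table over an OpenVPN client log (Tunnelblick, OpenVPN Connect, or openvpn --verb 4 on Linux) and reports the failing category plus what to change. The message patterns are ones current OpenVPN 2.5/2.6 clients print; the RouterOS-side advice in the fix strings (lowercase auth list, aes256-gcm) is the editor's mapping onto the settings quoted in the post; the sample log lines, timestamps, host 203.0.113.1, CN and serial are constructed, not captured from a real session. RouterOS's own ovpn log strings are not matched, since their exact wording is not given on this page.

```python
"""Added triage helper for OpenVPN client logs (editorial example, not from the post).

Reports which part of the configuration failed (cipher, auth, TLS, PKI or credentials)
from a Tunnelblick / OpenVPN Connect / openvpn --verb 4 log. Patterns are OpenVPN
2.5/2.6 client messages; the sample logs below are constructed, not captured.
"""
import re
import sys
from collections.abc import Iterable
from dataclasses import dataclass


@dataclass(frozen=True)
class Diagnosis:
    category: str  # cipher | auth | tls | pki | credentials
    evidence: str  # the log line that triggered the rule
    fix: str       # what to change, and on which side


# Each rule: (compiled pattern, category, fix builder given the match).
# The patterns are real OpenVPN client messages; the fix text is editorial advice.
RULES = [
    (re.compile(r"OPTIONS ERROR: failed to negotiate cipher with server"
                r"(?:\.\s+Add the server's cipher \('([^']+)'\))?"),
     "cipher",
     lambda m: f"client: add the server's data-channel cipher ({m.group(1) or 'see log'}) to "
               "data-ciphers, or change the server cipher to one the client offers"),
    (re.compile(r"'cipher' is used inconsistently, local='cipher ([^']+)', remote='cipher ([^']+)'"),
     "cipher",
     lambda m: f"client says {m.group(1)}, server says {m.group(2)}: set the same cipher on both sides"),
    (re.compile(r"'auth' is used inconsistently, local='auth ([^']+)', remote='auth ([^']+)'"),
     "auth",
     lambda m: f"client says {m.group(1)}, server says {m.group(2)}: set 'auth {m.group(2)}' "
               f"on the client, or add {m.group(1).lower()} to the server's auth list"),
    (re.compile(r"Authenticate/Decrypt packet error: packet HMAC authentication failed"),
     "auth",
     lambda m: "data-channel HMAC mismatch: client 'auth' is not what the server uses "
               "(or a tls-auth/tls-crypt key mismatch)"),
    (re.compile(r"Authenticate/Decrypt packet error: cipher final failed"),
     "cipher",
     lambda m: "data-channel cipher mismatch: client cipher/data-ciphers differs from the server cipher"),
    (re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?)(?::|$)"),
     "pki",
     lambda m: f"certificate chain problem at depth {m.group(1)}: {m.group(2)}; check the CA and "
               "client/server certificates on both sides"),
    (re.compile(r"TLS Error: TLS handshake failed|TLS key negotiation failed to occur"),
     "tls",
     lambda m: "control-channel handshake failed: check tls-version-min against the server's "
               "tls version, then look for a VERIFY ERROR earlier in the log"),
    (re.compile(r"AUTH: Received control message: AUTH_FAILED"),
     "credentials",
     lambda m: "server rejected the user/password or client certificate: check auth-user-pass "
               "and the server's require-client-certificate setting"),
]


def triage(lines: Iterable[str]) -> list[Diagnosis]:
    """One Diagnosis per log line that matches a rule, in log order (first rule wins per line)."""
    found = []
    for line in lines:
        for pattern, category, fix in RULES:
            m = pattern.search(line)
            if m:
                found.append(Diagnosis(category, line.strip(), fix(m)))
                break
    return found


def root_cause(lines: Iterable[str]) -> str:
    """Category of the earliest hit, or 'none'; later TLS errors are usually consequences of it."""
    found = triage(list(lines))
    return found[0].category if found else "none"


# Constructed samples in OpenVPN's log format (timestamps, host, CN and serial are made up).
SAMPLE_AUTH_MISMATCH = """\
2024-11-08 16:17:01 library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
2024-11-08 16:17:01 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.1:1194
2024-11-08 16:17:02 WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth SHA256'
""".splitlines()

SAMPLE_EXPIRED_CERT = """\
2024-11-08 16:20:10 VERIFY ERROR: depth=0, error=certificate has expired: CN=vpn.example.net, serial=42
2024-11-08 16:20:10 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2024-11-08 16:20:10 TLS Error: TLS object -> incoming plaintext read error
2024-11-08 16:20:10 TLS Error: TLS handshake failed
""".splitlines()

SAMPLE_CIPHER_REFUSED = """\
2024-11-08 16:25:03 OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2024-11-08 16:25:03 ERROR: Failed to apply push options
""".splitlines()


if __name__ == "__main__":
    # With no argument the constructed cipher sample is used; otherwise a saved client log.
    log = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_CIPHER_REFUSED
    for d in triage(log):
        print(f"[{d.category}] {d.fix}\n    <- {d.evidence}")
```

To use it against a real session, capture the client side with something like `openvpn --config client.ovpn --verb 4 2>&1 | tee client.log` (or export the Tunnelblick / OpenVPN Connect log) and run `python3 triage.py client.log`; read the first reported category as the root cause, since a VERIFY ERROR or cipher refusal is typically followed by generic TLS errors that are only consequences of it. Then compare that category against the matching RouterOS setting (auth list, cipher, tls version, certificate) in the server's /log print where topics ~"ovpn" output.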