Opened 5 years ago

Closed 2 years ago

Last modified 2 years ago

#11982 closed defect (fixed)

OpenWRT OpenVPN client can't connect to OpenVPN Mikrotik server

Reported by: anonymous Owned by: developers
Priority: response-needed Milestone: Barrier Breaker 14.07
Component: packages Version: Trunk
Keywords: openvpn Cc:

Description

Please excuse my English; it isn't very good.

When I try to connect with the OpenVPN client of OpenWRT to a Mikrotik OpenVPN server, it can't connect. The Mikrotik server gives the error code:

"terminating -unkown auth alg"

I tried with auth SHA1, MD5 and none. It always gives the same error.

Using the same openvpn.conf on my Ubuntu desktop, OpenVPN connects to the Mikrotik server without problems, so I suspect that it is an OpenWRT bug.

Change History (18)

comment:1 Changed 5 years ago by florian

  • Resolution set to invalid
  • Status changed from new to closed

Please direct this question to the forum, the bugtracker is not a support channel.

comment:2 follow-up: Changed 4 years ago by redflag237@…

  • Resolution invalid deleted
  • Status changed from closed to reopened

Problem is still existing.
It could be solved, if someone compiles the openssl with the needed options for Cipher BF Algorithm. Mikrotik runs OpenSSL ver 0.9.8 with Cipher BF algorithm inside. This is the reason for this message. Can you fix this, please?

comment:3 in reply to: ↑ 2 Changed 4 years ago by anonymous

Replying to redflag237@…:

Problem is still existing.
It could be solved, if someone compiles the openssl with the needed options for Cipher BF Algorithm. Mikrotik runs OpenSSL ver 0.9.8 with Cipher BF algorithm inside. This is the reason for this message. Can you fix this, please?

Reference: http://forum.mikrotik.com/viewtopic.php?f=2&t=21087

comment:4 follow-up: Changed 4 years ago by nbd

I've been using openvpn 2.3.0 both with polarssl and openssl using the BF algorithm. Please provide some information on what version of OpenWrt and OpenVPN you're running.

comment:5 in reply to: ↑ 4 ; follow-up: Changed 4 years ago by redflag237@…

Replying to nbd:

I've been using openvpn 2.3.0 both with polarssl and openssl using the BF algorithm. Please provide some information on what version of OpenWrt and OpenVPN you're running.

OpenWrt Attitude Adjustment 12.09 / LuCI 0.11.1 Release (0.11.1)
Please, as far as I can see, the control channel is mentioned. I can choose bf-algorithm in openvpn-config, too.

Wed Sep 11 09:43:56 2013 Attempting to establish TCP connection with :4733 [nonblock]
Wed Sep 11 09:43:57 2013 TCP connection established with :4733
Wed Sep 11 09:43:57 2013 TLS: Initial packet from :4733, sid=16f7ead4 cb120a15
Wed Sep 11 09:43:57 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Sep 11 09:43:58 2013 VERIFY OK: depth=1, /C=DE/ST=*/L=*/O=*/OU=*/CN=*/name=*/emailAddress=*
Wed Sep 11 09:43:58 2013 VERIFY OK: depth=0, /C=*/ST=*/L=*/O=*/OU=*/CN=*/name=*/emailAddress=*
Wed Sep 11 09:44:03 2013 Connection reset, restarting [0]
Wed Sep 11 09:44:03 2013 TCP/UDP: Closing socket
Wed Sep 11 09:44:03 2013 SIGUSR1[soft,connection-reset] received, process restarting

Mikrotik reports:

  • dialing...
  • terminating... - unknown auth alg
  • disconnected

Thanks in advance,

redflag237

comment:6 in reply to: ↑ 5 Changed 4 years ago by redflag237

Replying to redflag237@…:

Replying to nbd:

I've been using openvpn 2.3.0 both with polarssl and openssl using the BF algorithm. Please provide some information on what version of OpenWrt and OpenVPN you're running.

OpenWrt Attitude Adjustment 12.09 / LuCI 0.11.1 Release (0.11.1)
Please, as far as I can see, the control channel is mentioned. I can choose bf-algorithm in openvpn-config, too.

Wed Sep 11 09:43:56 2013 Attempting to establish TCP connection with :4733 [nonblock]
Wed Sep 11 09:43:57 2013 TCP connection established with :4733
Wed Sep 11 09:43:57 2013 TLS: Initial packet from :4733, sid=16f7ead4 cb120a15
Wed Sep 11 09:43:57 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Sep 11 09:43:58 2013 VERIFY OK: depth=1, /C=DE/ST=*/L=*/O=*/OU=*/CN=*/name=*/emailAddress=*
Wed Sep 11 09:43:58 2013 VERIFY OK: depth=0, /C=*/ST=*/L=*/O=*/OU=*/CN=*/name=*/emailAddress=*
Wed Sep 11 09:44:03 2013 Connection reset, restarting [0]
Wed Sep 11 09:44:03 2013 TCP/UDP: Closing socket
Wed Sep 11 09:44:03 2013 SIGUSR1[soft,connection-reset] received, process restarting

Mikrotik reports:

  • dialing...
  • terminating... - unknown auth alg
  • disconnected

Thanks in advance,

redflag237

Seems to open a channel on 2.3.0 (alpha package), but unfortunately in this version it is impossible to read credentials from a file. I hardly need that feature, because I cannot connect without credentials.

comment:7 Changed 4 years ago by skyline@…

Hi. I got the same problem.

OpenWrt Attitude Adjustment 12.09 / LuCI 0.11.1 Release (0.11.1)

OpenWRT log:
Sep 13 14:50:58 : Re-using SSL/TLS context
Sep 13 14:50:58 : Control Channel MTU parms [ L:1539 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sep 13 14:50:58 : Socket Buffers: R=[87380->131072] S=[16384->131072]
Sep 13 14:50:58 : Data Channel MTU parms [ L:1539 D:1450 EF:7 EB:4 ET:32 EL:0 AF:14/7 ]
Sep 13 14:50:58 : Attempting to establish TCP connection with Mikrotik-OVPN-server:1194 [nonblock]
Sep 13 14:50:59 : TCP connection established with Mikrotik-OVPN-server:1194
Sep 13 14:50:59 : TCPv4_CLIENT link local: [undef]
Sep 13 14:50:59 : TCPv4_CLIENT link remote: Mikrotik-OVPN-server:1194
Sep 13 14:50:59 : TLS: Initial packet from Mikrotik-OVPN-server:1194, sid=b8c861a5 13c9e64e
Sep 13 14:51:00 : VERIFY OK: depth=1, /C=RU/ST=MSK/L=Moskow/O=Org_1/OU=Office_1/CN=Mikrotik/name=Admin/emailAddress=*
Sep 13 14:51:00 : VERIFY OK: depth=0, /C=RU/ST=MSK/L=Moskow/O=Org_1/OU=Office_1/CN=Mikrotik/name=Admin/emailAddress=*
Sep 13 14:51:07 : Connection reset, restarting [0]

Mikrotik log:
14:50:59 ovpn,info TCP connection established from DIR825-OpenWRT-client
14:50:59 ovpn,info <ovpn-0>: dialing...
14:51:07 ovpn,info <ovpn-0>: terminating... - unkown auth alg
14:51:07 ovpn,info <ovpn-0>: disconnected
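
The failure signature visible in the two logs above, written as a small triage script. This is an added example, not part of the ticket or of OpenWrt/OpenVPN code: it flags client resets that happen after the certificate check passed and pairs them with the Mikrotik "auth alg" termination, the pattern that later comments in this ticket trace to `--enable-small` builds. The function names and the `skew` tolerance are assumptions, and the sample logs are trimmed copies of the lines above.

```python
import re

# Constructed sample input, trimmed from the two logs in comment:7.
CLIENT_LOG = """\
Sep 13 14:50:59 : TLS: Initial packet from Mikrotik-OVPN-server:1194, sid=b8c861a5 13c9e64e
Sep 13 14:51:00 : VERIFY OK: depth=1, /C=RU/CN=Mikrotik
Sep 13 14:51:00 : VERIFY OK: depth=0, /C=RU/CN=Mikrotik
Sep 13 14:51:07 : Connection reset, restarting [0]
"""
SERVER_LOG = """\
14:50:59 ovpn,info <ovpn-0>: dialing...
14:51:07 ovpn,info <ovpn-0>: terminating... - unkown auth alg
14:51:07 ovpn,info <ovpn-0>: disconnected
"""

CLOCK = re.compile(r"\b(\d{2}):(\d{2}):(\d{2})\b")
# RouterOS logs the misspelling "unkown"; accept the corrected form as well.
AUTH_ALG = re.compile(r"unkn?own auth alg")


def seconds_of_day(line):
    """Return the first HH:MM:SS on the line as seconds since midnight, or None."""
    m = CLOCK.search(line)
    return int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3]) if m else None


def resets_after_verify(client_log):
    """Times of resets that follow a passed depth=0 certificate check in the
    same attempt: the certificate was accepted, then the peer hung up."""
    times, verified = [], False
    for line in client_log.splitlines():
        if "TLS: Initial packet" in line:
            verified = False          # a new handshake attempt starts
        elif "VERIFY OK: depth=0" in line:
            verified = True
        elif "Connection reset, restarting" in line and verified:
            t = seconds_of_day(line)
            if t is not None:
                times.append(t)
            verified = False
    return times


def correlate(client_log, server_log, skew=2):
    """Pair each client reset with server 'auth alg' terminations within
    `skew` seconds (hypothetical tolerance; midnight wrap is not handled)."""
    server = [seconds_of_day(l) for l in server_log.splitlines() if AUTH_ALG.search(l)]
    return [(c, s) for c in resets_after_verify(client_log)
            for s in server if s is not None and abs(c - s) <= skew]
```

A non-empty result from `correlate(CLIENT_LOG, SERVER_LOG)` means the TLS certificate check succeeded and the server dropped the session afterwards, so certificates and reachability can be ruled out before looking at the client build.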

comment:8 Changed 4 years ago by redflag237@…

https://forum.openwrt.org/viewtopic.php?pid=212219#p212219
Please also have a look at the forum, where I opened a thread.

Best Regards,

redflag237

comment:9 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted

comment:10 Changed 2 years ago by anonymous

I have an OpenWRT "BARRIER BREAKER (Bleeding Edge, r37894)" and I hit this problem. I use fixed "auth SHA1" and "cipher BF-CBC".

This OpenWRT runs: OpenVPN 2.3.2 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 4 2013

The exact openvpn conf works in an OpenVPN in an i686 linux (I can't remember the openvpn/openssl versions there, must be of around 2013 or 2014). I will try to report if I find out the cause of this.

comment:11 Changed 2 years ago by nbd

You might want to try Chaos Calmer instead of Barrier Breaker.

comment:12 Changed 2 years ago by anonymous

Just for the record, I confirm that in the BARRIER BREAKER (14.07, r42625) it still happens. This version of openvpn:

OpenVPN 2.3.6 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 6 2015
library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08

I will test Chaos Calmer.

comment:13 Changed 2 years ago by viric

I just tested Chaos Calmer (x86, kvm_guest). The same problem happens.

I'm using openvpn-openssl: OpenVPN 2.3.6 i486-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 25 2015
library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08

The same happens with openvpn-polarssl.

The openvpn side says:

Tue Nov 10 11:04:16 2015 us=558746 TCPv4_CLIENT write returned 45
Tue Nov 10 11:04:16 2015 us=680147  event_wait returned 1
Tue Nov 10 11:04:16 2015 us=680746 TCPv4_CLIENT read returned 22
Tue Nov 10 11:04:16 2015 us=681489 TCPv4_CLIENT READ [22] from [AF_INET]10.0.2.2:9000: P_ACK_V1 kid=0 sid=748a0ba5 664ef81b [ 7 sid=5a6e1264 40bf3687 ]
Tue Nov 10 11:04:16 2015 us=682853  event_wait returned 1
Tue Nov 10 11:04:16 2015 us=683628 TCPv4_CLIENT read returned 22
Tue Nov 10 11:04:16 2015 us=684386 TCPv4_CLIENT READ [22] from [AF_INET]10.0.2.2:9000: P_ACK_V1 kid=0 sid=748a0ba5 664ef81b [ 8 sid=5a6e1264 40bf3687 ]
Tue Nov 10 11:04:16 2015 us=685797 TCPv4_CLIENT read returned 22
Tue Nov 10 11:04:16 2015 us=686561 TCPv4_CLIENT READ [22] from [AF_INET]10.0.2.2:9000: P_ACK_V1 kid=0 sid=748a0ba5 664ef81b [ 9 sid=5a6e1264 40bf3687 ]
Tue Nov 10 11:04:16 2015 us=687572  event_wait returned 1
Tue Nov 10 11:04:16 2015 us=688266 Connection reset, restarting [0]
Tue Nov 10 11:04:16 2015 us=691615 TCP/UDP: Closing socket

The Mikrotik (version 6.20) side says (I hide the IP): <10.x.x.x>: disconnected <unkown auth alg>

Using OpenVPN in my Linux distribution in my computer (NixOS) all works fine. This version: OpenVPN 2.3.7 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 01 1970
library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.09

I use the very same openvpn config in all tests:

client
ca ca.crt
auth-user-pass
dev tap0
proto tcp-client
tls-client
remote localhost 9000
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC        # Blowfish (default)
auth SHA1
verb 10
keepalive 10 30

comment:14 Changed 2 years ago by viric

Damn it. The last mikrotik update (v6.33, 6/Nov/2015) includes this change:

ovpn: support OpenWRT ovpn clients (or any other with enable-small option enabled);

I hit a 3-year-old issue two days ago, and it is solved by a Mikrotik update from four days ago.

comment:15 Changed 2 years ago by anonymous

Just for the record, this seems related to #16898.

It would be nice to have openvpn available without enable-small, too, in the package list.

comment:16 Changed 2 years ago by nbd

  • Resolution set to fixed
  • Status changed from reopened to closed

In r47439, I enabled the options consistency check, which normally gets compiled out with --enable-small. This only costs about 3k compressed, but should fix these compatibility issues.
That way we don't have to make an extra build without --enable-small.

comment:17 Changed 2 years ago by viric

Once there are nightly builds ready for x86 kvm_guest, I will check if this solves the mikrotik connections with firmware under 6.33. Thank you.

comment:18 Changed 2 years ago by viric

I confirm that r47439 fixes the connection with the mikrotik firmware 6.20 (pre-6.33). I just tested the snapshot on kvm_guest.
