OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: Dante4 on June 15, 2024, 11:47:27 PM

Title: OPNsense as Client and Mikrotik as Server
Post by: Dante4 on June 15, 2024, 11:47:27 PM
Greetings, this whole setup is driving me crazy because Mikrotik can't create a profile without Login&Password auth, and OPNsense can't use them to auth.

Basically, if I manually (i.e. in console of OPNsense) do:

openvpn --config ./openvpn.ovpn

+ login&password, everything works.

But if I try to do the same from the GUI (i.e. by entering the same credentials in Authentication) I end up with the error

[meta sequenceId="1"] TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
[meta sequenceId="2"] TLS Error: TLS handshake failed
[meta sequenceId="3"] TCP/UDP: Closing socket
[meta sequenceId="4"] SIGUSR1[soft,tls-error] received, process restarting

So I have spent a god damn hour thinking that maybe there is an issue with the connection between OPNsense and the OpenVPN server. But nope. It's just because OPNsense doesn't allow importing a config and tries to create its own config.

So. When will we even be allowed to IMPORT a pre-made openvpn config?

And how the hell can I manually insert MY config in OPNsense?

For anyone interested - that's how OPNsense generates the openvpn config


push "route 192.168.5.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
client
dev ovpnc1
remote XX.XX.XX.XX ZZZZ
nobind
auth-user-pass /var/etc/openvpn/instance-60b0f28b-2953-477e-a690-40533c35407e.up
persist-tun
persist-key
dev-type tun
dev-node /dev/tun1
script-security 3
writepid /var/run/ovpn-instance-60b0f28b-2953-477e-a690-40533c35407e.pid
daemon openvpn_client1
management /var/etc/openvpn/instance-60b0f28b-2953-477e-a690-40533c35407e.sock unix
proto udp4
verb 6
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
auth SHA512


And that's how it looks in the Mikrotik config file, which just works when started manually from within OPNsense

client
dev tun
remote XX.XX.XX.XX ZZZZ udp
tun-mtu 1500
tls-client
nobind
user nobody
group nogroup
ping 15
ping-restart 45
persist-tun
persist-key
mute-replay-warnings
verb 3
cipher AES-256-GCM
auth none
pull
auth-user-pass
connect-retry 1
reneg-sec 3600
explicit-exit-notify 1
remote-cert-tls server

Yep. And the problem is in the freaking ovpnc1

I have even created a Firewall rule Allow ANY and a NAT rule allow ANY. And it still doesn't work
Title: Re: OPNsense as Client and Mikrotik as Server
Post by: netnut on June 16, 2024, 01:20:14 AM
Quote from: Dante4 on June 15, 2024, 11:47:27 PM
Greetings, this whole setup is driving me crazy because Mikrotik can't create profile without Login&Password auth and OPNsense

For anyone interested - that's how OPNsense generates the openvpn config

...
client
auth SHA512
...


And that's how it looks in the Mikrotik config file, which just works when started manually from within OPNsense

...
client
auth none
...


Where's the server config? At least your "auth" settings differ, but it all depends on 'what' your server wants to match an OPNsense client config.
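An added example, not code from either poster or from OPNsense: a small Python script that parses OpenVPN client configs into directive maps and lists what differs between the GUI-generated config and the hand-written one, so mismatches like the `auth` setting above stand out. An abridged form of the two configs quoted in this thread, with the same masked host and port, is embedded as constructed input.

```python
"""Compare two OpenVPN client configs directive by directive."""
import shlex
from typing import Dict, List

Config = Dict[str, List[str]]

# Constructed sample input: abridged from the two configs quoted in this thread
# (host/port masked as in the post; pid, daemon, management and script lines omitted).
OPNSENSE_GENERATED = """\
client
dev ovpnc1
dev-type tun
remote XX.XX.XX.XX ZZZZ
proto udp4
nobind
auth-user-pass /var/etc/openvpn/instance-60b0f28b-2953-477e-a690-40533c35407e.up
auth SHA512
verb 6
"""

MIKROTIK_PROFILE = """\
client
dev tun
remote XX.XX.XX.XX ZZZZ udp
tls-client
nobind
auth-user-pass
cipher AES-256-GCM
auth none
remote-cert-tls server
verb 3
"""


def parse_ovpn(text: str) -> Config:
    """Map each directive to the argument strings it appears with.
    Repeated directives (route, push, remote) keep every occurrence."""
    conf: Config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        parts = shlex.split(line)  # handles quoted args such as push "route ..."
        conf.setdefault(parts[0], []).append(" ".join(parts[1:]))
    return conf


def diff_ovpn(a: Config, b: Config) -> Dict[str, List[str]]:
    """Directives only in a, only in b, and in both but with different arguments."""
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted(d for d in set(a) & set(b) if a[d] != b[d]),
    }


if __name__ == "__main__":
    gen, work = parse_ovpn(OPNSENSE_GENERATED), parse_ovpn(MIKROTIK_PROFILE)
    for key, names in diff_ovpn(gen, work).items():
        print(f"{key}:")
        for name in names:
            print(f"  {name}: {gen.get(name)} vs {work.get(name)}")
```

Running it against the thread's own configs reports `dev`, `auth`, `verb` and `remote` as changed, and `cipher`, `tls-client` and `remote-cert-tls` as present only in the hand-written profile.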
Title: Re: OPNsense as Client and Mikrotik as Server
Post by: Dante4 on June 16, 2024, 02:45:09 AM
Quote from: netnut on June 16, 2024, 01:20:14 AM
Quote from: Dante4 on June 15, 2024, 11:47:27 PM
Greetings, this whole setup is driving me crazy because Mikrotik can't create profile without Login&Password auth and OPNsense

For anyone interested - that's how OPNsense generates the openvpn config

...
client
auth SHA512
...


And that's how it looks in the Mikrotik config file, which just works when started manually from within OPNsense

...
client
auth none
...


Where's the server config? At least your "auth" settings differ, but it all depends on 'what' your server wants to match an OPNsense client config.


The problem is that if I change dev to tun everything works. And if I change dev to ovpnc1 - it no longer works.

Firewall is disabled. I have tried both the Legacy and non-Legacy option. Neither of them works with ovpnc1.

I have tried to assign ovpnc1 to interface Opt1, that didn't change anything.

I.e. ovpnc1 for some reason can't reach the Internet even with the firewall disabled, but wan and tun can
Title: Re: OPNsense as Client and Mikrotik as Server
Post by: Dante4 on June 16, 2024, 08:26:53 PM
Welp, using PFsense with the same configuration fixed this problem in under 30 mins. I guess OPNsense isn't really ready as a PFsense replacement