TunnelBlick to Mikrotik


aale...@gmail.com

Oct 13, 2016, 1:17:56 PM
to tunnelblick-discuss
I recently implemented OVPN on a Mikrotik RB1100AHx2 running 6.33.3.  The Mikrotik has a public IP address and has been hosting PPTP for quite a while.  I have since added SSTP and L2TP with IPSec due to Apple's change in support for PPTP.

All works perfectly on my iPhone.  Using the same .ovpn file on my Mac, I get the following error.  The iPhone is running the OpenVPN client and the iOS is 10.0.2.  My MacBook Pro is a mid 2015 model running 10.12.  The certificate name is the same as my username and the key associated with the certificate is my password.  I first tried with 3.6.8 as well as 3.6.9beta01.

Any guidance will be greatly appreciated.

2016-10-13 12:22:54 Attempting to establish TCP connection with [AF_INET]<IP>:1194 [nonblock]
2016-10-13 12:22:54 MANAGEMENT: >STATE:1476375774,TCP_CONNECT,,,
2016-10-13 12:22:56 TCP connection established with [AF_INET]<IP>:1194
2016-10-13 12:22:56 TCPv4_CLIENT link local: [undef]
2016-10-13 12:22:56 TCPv4_CLIENT link remote: [AF_INET]<IP>:1194
2016-10-13 12:22:56 MANAGEMENT: >STATE:1476375776,WAIT,,,
2016-10-13 12:22:56 MANAGEMENT: >STATE:1476375776,AUTH,,,
2016-10-13 12:22:56 TLS: Initial packet from [AF_INET]<IP>:1194, sid=e2db9a16 3c348bf8
2016-10-13 12:22:56 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
2016-10-13 12:22:56 TLS_ERROR: BIO read tls_read_plaintext error
2016-10-13 12:22:56 TLS Error: TLS object -> incoming plaintext read error
2016-10-13 12:22:56 TLS Error: TLS handshake failed
2016-10-13 12:22:56 Fatal TLS error (check_tls_errors_co), restarting
2016-10-13 12:22:56 SIGUSR1[soft,tls-error] received, process restarting
2016-10-13 12:22:56 MANAGEMENT: >STATE:1476375776,RECONNECTING,tls-error,,
2016-10-13 12:22:56 MANAGEMENT: CMD 'hold release'
2016-10-13 12:22:56 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2016-10-13 12:22:56 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2016-10-13 12:22:56 Socket Buffers: R=[131072->131072] S=[131072->131072]
2016-10-13 12:22:56 MANAGEMENT: >STATE:1476375776,RESOLVE,,,
2016-10-13 12:22:56 Attempting to establish TCP connection with [AF_INET]<IP>:1194 [nonblock]



client

# this is a layer 3 (IP) VPN
dev tun

# Mikrotik only supports TCP at the moment
proto tcp

# put your VPN Server's routable (WAN or Internet-accessible) IP address here
remote <DNSnameofserver> 1194

resolv-retry infinite
nobind
tls-client

# Mikrotik does not support link compression at the moment
#comp-lzo

persist-key
persist-tun
#mute-replay-warnings

# OpenVPN client debug log verbosity
verb 1
#verb 3
#verb 6

#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-192-CBC
cipher AES-256-CBC

#auth MD5
auth SHA1

# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication
auth-user-pass

# domain name for home LAN
#dhcp-option DOMAIN your.home.domain.name

# DNS server (replace with your own)
dhcp-option DNS 8.8.8.8

# SMB WINS name server if you have one
#dhcp-option WINS 192.168.1.1

# route to multiple networks
#route 192.168.0.0 255.255.0.0


# Mikrotik accepts a CA cert
<ca>
-----BEGIN CERTIFICATE-----
CAcert
-----END CERTIFICATE-----
</ca>

# Mikrotik expects a VPN Client Certificate
<cert>
-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----
</cert>

# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
<key>
-----BEGIN RSA PRIVATE KEY-----
key
-----END RSA PRIVATE KEY-----
</key>

Tunnelblick developer

Oct 13, 2016, 1:32:23 PM
to tunnelblick-discuss, aale...@gmail.com
Assuming it isn't a corrupted file, it could be a problem with line endings in the OpenVPN configuration file. Make sure the line ending is a LF (0x0A) character, not a CR-LF sequence (0x0D, 0x0A).

Tunnelblick should have detected this and fixed it automatically if you installed the configuration by dragging/dropping it onto the Tunnelblick icon in the menu bar, or onto the list of configurations in Tunnelblick's "VPN Details" window, or by double-clicking the file. If you instead just copied or moved the file to a location where you think Tunnelblick wants it (following some obsolete instructions from the web, for example), Tunnelblick wouldn't notice the problem.

It seems very unlikely to help, but you could also try LibreSSL instead of OpenSSL. You can do that only in the latest Tunnelblick beta by selecting it when you choose a version of OpenVPN to use for the configuration.

Finally, there was a bug at one time when Tunnelblick installed configurations that caused the .ovpn file to be truncated. You can check that the bug hasn't returned by selecting the configuration in Tunnelblick's "VPN Details" window, then clicking the little "gear" icon at the bottom of the list of configurations and selecting "Edit OpenVPN Configuration File..." or "Examine OpenVPN Configuration File...".
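A small checker for the three problems this thread touches on (CR-LF line endings, a truncated inline certificate/key block, and the "No server certificate verification method has been enabled" warning in the poster's log), added here as an example and not code from Tunnelblick or the original posters. The sample configs are constructed; `remote-cert-tls server` is OpenVPN's standard directive for enabling server certificate verification.

```python
import re

# Inline PEM blocks a Mikrotik-style .ovpn embeds (see the config in this thread).
INLINE_TAGS = ("ca", "cert", "key")
# Any one of these OpenVPN directives silences the "No server certificate
# verification method has been enabled" warning seen in the posted log.
SERVER_VERIFY_DIRECTIVES = {"remote-cert-tls", "verify-x509-name", "tls-verify", "ns-cert-type"}


def lint_ovpn(raw: bytes) -> list:
    """Return human-readable findings for an OpenVPN client config given as raw bytes."""
    findings = []
    # 1. Line endings: OpenVPN expects LF (0x0A); CR-LF (0x0D 0x0A) can break parsing.
    if b"\r\n" in raw:
        findings.append("CR-LF line endings found; convert to LF")
    body = raw.replace(b"\r\n", b"\n").decode("utf-8", errors="replace")
    # 2. Truncation: each opened <ca>/<cert>/<key> block must be closed and must
    #    carry a complete PEM BEGIN/END pair.
    for tag in INLINE_TAGS:
        if f"<{tag}>" not in body:
            continue
        match = re.search(rf"<{tag}>(.*?)</{tag}>", body, re.S)
        if match is None:
            findings.append(f"<{tag}> block is not closed (file truncated?)")
        elif "-----BEGIN " not in match.group(1) or "-----END " not in match.group(1):
            findings.append(f"<{tag}> block lacks a complete PEM BEGIN/END pair")
    # 3. Server verification: the first word of every non-comment line is a directive.
    directives = {line.split()[0] for line in body.splitlines()
                  if line.strip() and not line.lstrip().startswith("#")}
    if not directives & SERVER_VERIFY_DIRECTIVES:
        findings.append("no server certificate verification; add 'remote-cert-tls server'")
    return findings


# Constructed samples (not the poster's real file): CR-LF endings, an unterminated
# <key> block and no server verification, versus a clean LF config.
SAMPLE_BAD = (
    b"client\r\ndev tun\r\nproto tcp\r\nremote vpn.example.invalid 1194\r\n"
    b"<ca>\r\n-----BEGIN CERTIFICATE-----\r\nCAcert\r\n-----END CERTIFICATE-----\r\n</ca>\r\n"
    b"<key>\r\n-----BEGIN RSA PRIVATE KEY-----\r\nkey\r\n"
)
SAMPLE_GOOD = (
    b"client\ndev tun\nproto tcp\nremote vpn.example.invalid 1194\nremote-cert-tls server\n"
    b"<ca>\n-----BEGIN CERTIFICATE-----\nCAcert\n-----END CERTIFICATE-----\n</ca>\n"
)

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, lint_ovpn(cfg) or ["OK"])
```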

Adrien Alexson

Oct 13, 2016, 1:54:09 PM
to Tunnelblick developer, tunnelblick-discuss
Thanks for getting back to me.

I edited the .ovpn using vi.  That said, I copied the .ovpn file over to my directory overwriting my previous config file.  No change.  I tried LibreSSL, no difference.  

When reviewing the .ovpn file, the file looks to be good.

Any other suggestions?

Tunnelblick developer

Oct 13, 2016, 2:23:16 PM
to tunnelblick-discuss, jkbu...@gmail.com, aale...@gmail.com
You don't mention whether or not you checked the line endings, and when you say you "copied the .ovpn file over to my directory overwriting my previous config file", that is not the way to install a modified configuration file. Depending on what you mean by "my directory", doing that would probably not have any effect at all!

Install the .ovpn file by dragging/dropping it onto the Tunnelblick icon in the menu bar. The Console log will include a message if CR-LF line endings were converted to LF line endings or if any other problems were repaired.


Adrien Alexson

Oct 13, 2016, 4:00:00 PM
to Tunnelblick developer, tunnelblick-discuss
All .ovpn files have been added to Tunnelblick by dragging them over to the application.  I only manually copied over the .ovpn file to see if that would help (it doesn't). I have attached the console log, I do not see any CR-LF errors.


Thu Oct 13 15:54:31 2016 OpenVPN 2.3.12 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Oct  9 2016
Thu Oct 13 15:54:31 2016 library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Thu Oct 13 15:54:31 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
Thu Oct 13 15:54:31 2016 Need hold release from management interface, waiting...
Thu Oct 13 15:54:31 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
Thu Oct 13 15:54:31 2016 MANAGEMENT: CMD 'pid'
Thu Oct 13 15:54:31 2016 MANAGEMENT: CMD 'state on'
Thu Oct 13 15:54:31 2016 MANAGEMENT: CMD 'state'
Thu Oct 13 15:54:31 2016 MANAGEMENT: CMD 'bytecount 1'
Thu Oct 13 15:54:31 2016 MANAGEMENT: CMD 'hold release'
Thu Oct 13 15:54:34 2016 MANAGEMENT: CMD 'username "Auth” "XXXXXXX"'
Thu Oct 13 15:54:34 2016 MANAGEMENT: CMD 'password [...]'
Thu Oct 13 15:54:34 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Oct 13 15:54:34 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Oct 13 15:54:34 2016 Socket Buffers: R=[131072->131072] S=[131072->131072]
Thu Oct 13 15:54:34 2016 MANAGEMENT: >STATE:1476388474,RESOLVE,,,
Thu Oct 13 15:54:34 2016 Attempting to establish TCP connection with [AF_INET]XXXXX:1194 [nonblock]
Thu Oct 13 15:54:34 2016 MANAGEMENT: >STATE:1476388474,TCP_CONNECT,,,
Thu Oct 13 15:54:35 2016 TCP connection established with [AF_INET]XXXXXXX:1194
Thu Oct 13 15:54:35 2016 TCPv4_CLIENT link local: [undef]
Thu Oct 13 15:54:35 2016 TCPv4_CLIENT link remote: [AF_INET]XXXXXXX:1194
Thu Oct 13 15:54:35 2016 MANAGEMENT: >STATE:1476388475,WAIT,,,
Thu Oct 13 15:54:35 2016 MANAGEMENT: >STATE:1476388475,AUTH,,,
Thu Oct 13 15:54:35 2016 TLS: Initial packet from [AF_INET]XXXXXXXX:1194, sid=a086d13b 8ad6ba13
Thu Oct 13 15:54:35 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Oct 13 15:54:36 2016 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Thu Oct 13 15:54:36 2016 TLS_ERROR: BIO read tls_read_plaintext error
Thu Oct 13 15:54:36 2016 TLS Error: TLS object -> incoming plaintext read error
Thu Oct 13 15:54:36 2016 TLS Error: TLS handshake failed
Thu Oct 13 15:54:36 2016 Fatal TLS error (check_tls_errors_co), restarting
Thu Oct 13 15:54:36 2016 SIGUSR1[soft,tls-error] received, process restarting
Thu Oct 13 15:54:36 2016 MANAGEMENT: >STATE:1476388476,RECONNECTING,tls-error,,
Thu Oct 13 15:54:36 2016 MANAGEMENT: CMD 'hold release'
Thu Oct 13 15:54:36 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Oct 13 15:54:36 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Oct 13 15:54:36 2016 Socket Buffers: R=[131072->131072] S=[131072->131072]
Thu Oct 13 15:54:36 2016 MANAGEMENT: >STATE:1476388476,RESOLVE,,,
Thu Oct 13 15:54:36 2016 Attempting to establish TCP connection with [AF_INET]XXXXXXXX:1194 [nonblock]
Thu Oct 13 15:54:36 2016 MANAGEMENT: >STATE:1476388476,TCP_CONNECT,,,
Thu Oct 13 15:54:37 2016 TCP connection established with [AF_INET]XXXXXXXX:1194
Thu Oct 13 15:54:37 2016 TCPv4_CLIENT link local: [undef]
Thu Oct 13 15:54:37 2016 TCPv4_CLIENT link remote: [AF_INET]XXXXXXXXXX:1194
Thu Oct 13 15:54:37 2016 MANAGEMENT: >STATE:1476388477,WAIT,,,
Thu Oct 13 15:54:37 2016 MANAGEMENT: >STATE:1476388477,AUTH,,,
Thu Oct 13 15:54:37 2016 TLS: Initial packet from [AF_INET]XXXXXXXXXX:1194, sid=7eda41fa a3badbfd
Thu Oct 13 15:54:37 2016 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Thu Oct 13 15:54:37 2016 TLS_ERROR: BIO read tls_read_plaintext error
Thu Oct 13 15:54:37 2016 TLS Error: TLS object -> incoming plaintext read error
Thu Oct 13 15:54:37 2016 TLS Error: TLS handshake failed
Thu Oct 13 15:54:37 2016 Fatal TLS error (check_tls_errors_co), restarting
Thu Oct 13 15:54:37 2016 SIGUSR1[soft,tls-error] received, process restarting
Thu Oct 13 15:54:37 2016 MANAGEMENT: >STATE:1476388477,RECONNECTING,tls-error,,
Thu Oct 13 15:54:37 2016 MANAGEMENT: CMD 'hold release'
Thu Oct 13 15:54:37 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Oct 13 15:54:37 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Oct 13 15:54:37 2016 Socket Buffers: R=[131072->131072] S=[131072->131072]
Thu Oct 13 15:54:37 2016 MANAGEMENT: >STATE:1476388477,RESOLVE,,,
Thu Oct 13 15:54:37 2016 Attempting to establish TCP connection with [AF_INET]XXXXXXXX:1194 [nonblock]
Thu Oct 13 15:54:37 2016 MANAGEMENT: >STATE:1476388477,TCP_CONNECT,,,
Thu Oct 13 15:54:38 2016 TCP connection established with [AF_INET]XXXXXXX:1194
Thu Oct 13 15:54:38 2016 TCPv4_CLIENT link local: [undef]
Thu Oct 13 15:54:38 2016 TCPv4_CLIENT link remote: [AF_INET]XXXXXXXX:1194
Thu Oct 13 15:54:38 2016 MANAGEMENT: >STATE:1476388478,WAIT,,,
Thu Oct 13 15:54:38 2016 MANAGEMENT: >STATE:1476388478,AUTH,,,
Thu Oct 13 15:54:38 2016 TLS: Initial packet from [AF_INET]XXXXXXXXX:1194, sid=0b9c63db 78ca8975
Thu Oct 13 15:54:38 2016 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Thu Oct 13 15:54:38 2016 TLS_ERROR: BIO read tls_read_plaintext error
Thu Oct 13 15:54:38 2016 TLS Error: TLS object -> incoming plaintext read error
Thu Oct 13 15:54:38 2016 TLS Error: TLS handshake failed
Thu Oct 13 15:54:38 2016 Fatal TLS error (check_tls_errors_co), restarting
Thu Oct 13 15:54:38 2016 SIGUSR1[soft,tls-error] received, process restarting
Thu Oct 13 15:54:38 2016 MANAGEMENT: >STATE:1476388478,RECONNECTING,tls-error,,
Thu Oct 13 15:54:38 2016 SIGTERM[hard,init_instance] received, process exiting
Thu Oct 13 15:54:38 2016 MANAGEMENT: >STATE:1476388478,EXITING,init_instance,,

Adrien Alexson

Oct 14, 2016, 9:31:33 AM
to Tunnelblick developer, tunnelblick-discuss
It was a bug in the OS for Mikrotik.  

Breno

Jan 10, 2023, 8:16:13 AM
to tunnelblick-discuss
Try using this site to generate your .config file: https://ovpnconfig.com.br