OpenVPN problem


Hello everyone! I need help with OpenVPN.
The problem has been going on for about 2-3 weeks, since I started trying to make OpenVPN work properly on Keenetic and Mikrotik.
Since OpenVPN wasn't working because of "TLS Error: TLS handshake failed", I tried to fix that with every guide I could find.
After that, OpenVPN on Keenetic can't connect and even more failures appear:

  • VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=XX, O=XX, OU=IT, CN=ca
  • OpenSSL: error:1416F086:lib(20):func(367):reason(134)
  • TLS_ERROR: BIO read tls_read_plaintext error
  • TLS Error: TLS object -> incoming plaintext read error
  • TLS Error: TLS handshake failed
  • Fatal TLS error (check_tls_errors_co), restarting
  • Service: "OpenVPN0": unexpectedly stopped.

Here is the configuration on Keenetic:

client
dev tun
proto tcp
remote 9X.XXX.XXX.XXX 1194
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
XXXX
-----END ENCRYPTED PRIVATE KEY-----
</key>
<auth-user-pass>
username
password
</auth-user-pass>
remote-cert-tls server
verb 3

Is it even possible to make Mikrotik and Keenetic work properly with each other?
I hope I described my problem clearly and can get help with it.

P.S. Configuration was taken from: https://habr.com/ru/post/269679/ (2tun)

Edited by newvier21
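
The client profile in the question opens `<ca>` and closes it with `</cert>`, and has no `<cert>` block of its own. A small structural lint for inline blocks, as an added example that is not part of the original posts; the function name and the sample profile are constructed, and 192.0.2.10 is a documentation address.

```python
import re

INLINE_TAGS = {"ca", "cert", "key", "tls-crypt", "auth-user-pass"}  # tags seen on this page
TAG_RE = re.compile(r"^<(/?)([a-z-]+)>$")
PEM_RE = re.compile(r"^-----(BEGIN|END) (.+)-----$")

def lint_inline_blocks(profile):
    """Return structural problems in the inline <tag>...</tag> blocks of a profile."""
    # open_tag: (name, line) of the block currently open; pem_label: open PEM object
    problems, seen, open_tag, pem_label = [], set(), None, None
    for lineno, raw in enumerate(profile.splitlines(), 1):
        line = raw.strip()
        tag, pem = TAG_RE.match(line), PEM_RE.match(line)
        if tag and tag.group(2) in INLINE_TAGS:
            name = tag.group(2)
            if not tag.group(1):                       # opening tag
                if open_tag:
                    problems.append(f"line {lineno}: <{name}> opened inside <{open_tag[0]}>")
                open_tag = (name, lineno)
                seen.add(name)
            elif open_tag is None:
                problems.append(f"line {lineno}: </{name}> has no opening tag")
            else:                                      # closing tag
                if name != open_tag[0]:
                    problems.append(f"line {lineno}: <{open_tag[0]}> closed by </{name}>")
                if pem_label:
                    problems.append(f"line {lineno}: PEM object {pem_label!r} not ended")
                open_tag = pem_label = None
        elif pem and open_tag:
            kind, label = pem.groups()
            if kind == "BEGIN":
                pem_label = label
            elif label != pem_label:
                problems.append(f"line {lineno}: END {label} without matching BEGIN")
            else:
                pem_label = None
    if open_tag:
        problems.append(f"<{open_tag[0]}> opened on line {open_tag[1]} is never closed")
    if ("key" in seen) != ("cert" in seen):            # client cert and key come as a pair
        problems.append("<cert> and <key> must both be present, found only one")
    return problems

# Constructed sample mirroring the tag layout of the client profile in the question.
SAMPLE = "\n".join([
    "client", "remote 192.0.2.10 1194", "<ca>", "-----BEGIN CERTIFICATE-----", "XXX",
    "-----END CERTIFICATE-----", "</cert>", "<key>", "-----BEGIN ENCRYPTED PRIVATE KEY-----",
    "XXXX", "-----END ENCRYPTED PRIVATE KEY-----", "</key>", "remote-cert-tls server",
])

if __name__ == "__main__": print("\n".join(lint_inline_blocks(SAMPLE)))
```
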

1 answer to this question

If it helps you.

These are my configs:

client (Keenetic):

dev tun
proto udp
remote ***.***.***.*** ????
client
resolv-retry infinite
remote-cert-tls server
auth SHA256
auth-nocache
cipher AES-256-CBC
data-ciphers AES-256-CBC
persist-key
persist-tun
nobind
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>

server (Centos7):

port ????
proto udp 
dev tun

crl-verify /etc/openvpn/server/crl.pem # my revoked certs list # real revoked certs list /etc/openvpn/keys/easyrsa/pki/crl.pem

sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/ASvps.crt
key /etc/openvpn/server/ASvps.key
dh /etc/openvpn/server/dh.pem

auth SHA256 
cipher AES-256-CBC 
tls-version-min 1.2 
tls-crypt tc.key 

server ***.***.***.0 255.255.255.0 
topology subnet

local ***.***.***.*** # Internet server IP

ifconfig-pool-persist ipp.txt # client - ip
client-to-client
client-config-dir /etc/openvpn/ccd 

keepalive 10 120
comp-lzo 
explicit-exit-notify 1 # if tcp, change for "0"
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
user nobody
group nobody

verb 3
