Is the OpenVPN implementation in Mikrotik insecure?

I can't find any way in OpenVPN to verify the server certificate when the Mikrotik acts as a client.
I did not find any "tls-cipher" in OpenVPN that supports DH.
Just one more related matter. A small problem is the built-in certificate management. I cannot issue a certificate that includes an EKU. Of course I can use an external solution for issuing certificates. I think it is not a handy implementation for managing certificates, given that the device supports OpenVPN.
Does anybody know Mikrotik's reason for exposing users to a false sense of security in the case of OpenVPN?
I am thinking, would it not be better to abolish OpenVPN support than to do it unsafely?
Or am I wrong, and there is a way to fix up OpenVPN so it can be used securely on the Mikrotik?

^This

When it comes to OpenVPN, Mikrotik falls behind pretty terribly. They put all their energy and effort into developing SSTP, which frankly is nothing but re-inventing the wheel, and they abandoned OpenVPN altogether "in favor of SSTP". What they don't seem to understand is that OpenVPN is the de facto standard of encryption. It is more popular than any other solution, including the overly complicated and most likely insecure IPsec (yeah, I said it).

Their implementation of OpenVPN seems to me to be just a workaround to shut the clients up, and their refusal to do anything about it despite all the cries from the clients is just unreal.

I am using RouterOS as my main gateway and after much thought, I still naively decided to go with RouterOS' OpenVPN despite all its limitations. However, I could not believe my eyes when it connected to the server without caring about the validity of the server's certificate. I mean, are you serious? You just undermined everything that OpenVPN stands for.

It makes you wonder: if they did so with OpenVPN, what would guarantee that it's not happening in other parts of RouterOS? It seems quite hard to imagine that it's only their OpenVPN client/server implementation that lacks proper coding and evaluation.

I have already switched part of my network infrastructure to other solutions (including OpenWrt) solely because of the lack of proper OpenVPN support in Mikrotik, and it is likely that I will continue to do so.

I would have even been fine if their 'MetaRouter' solution was able to reliably run OpenWrt. But I think by now, we all know that's not gonna happen.

Best Regards,

SSTP sucks just as badly as the limited OpenVPN in MikroTik.
Both of them are VPN that run over TCP, which is a BAD BAD idea!

OpenVPN also supports UDP but for unclear reasons MikroTik have not implemented that option
and although it has been requested thousands of times it is only rumoured to be implemented
in RouterOS v7 which is not even in alpha testing…