OpenVPN 2.5.0 Upgrade

There are some significant changes in OpenVPN 2.5.0. Any roadmap to upgrade OpenVPN on Mikrotik?

Can it still connect?

If yes, then don’t expect anything except a miracle. RouterOS has its own implementation and it’s only veeeeery slooooowly approaching the original. Possibly catching up in about ten years, assuming that the original stops where it is now, otherwise probably never.

If not, then expect, slightly sooner, bare minimum changes to fix it.

OpenVPN claims, quote:

“If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.”

I am using multiple OpenVPN configs and some of the servers are updated regularly to the latest OpenVPN version, so the risk is that in the near future I’ll get to a Sophie’s Choice situation … using an old client version to connect to MikroTik or a new client to connect to new OpenVPN servers (both will not be possible).

BF-CBC is not the only cipher that ROS supports, so I do not see any reason why you should not be able to connect to a new server with disabled BF.

You are right! Using e.g. the following parameters on the OpenVPN client side with a corresponding MikroTik OpenVPN server setup solves the issue.

cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1

Thank You!
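
An added example, not part of the thread or any participant's post: a small audit of an OpenVPN client config for the cipher settings discussed above. It flags any remaining reference to BF-CBC and checks that the cipher the server side is set up for (assumed here to be AES-256-CBC, as in the last post) appears in `data-ciphers`. The sample configs and the host name are constructed.

```python
# Added example: audit OpenVPN client configs for the cipher issue in this thread.
WEAK = {"BF-CBC"}  # the cipher the quoted OpenVPN notice warns about
WANTED = {"cipher", "data-ciphers", "data-ciphers-fallback", "auth"}

# Constructed sample configs; vpn.example.net is a placeholder host.
OLD_CONFIG = """\
client
remote vpn.example.net 1194   # placeholder host
cipher BF-CBC
auth SHA1
"""
NEW_CONFIG = """\
client
remote vpn.example.net 1194
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
"""

def parse_directives(text):
    """Return {directive: first argument}; a later occurrence overrides an earlier one."""
    found = {}
    for raw in text.splitlines():
        # OpenVPN treats '#' and ';' as comment starts.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] in WANTED:
            found[parts[0]] = parts[1]
    return found

def audit(text, server_cipher="AES-256-CBC"):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []
    # data-ciphers is a colon-separated list of cipher names.
    offered = [c.upper() for c in d.get("data-ciphers", "").split(":") if c]
    for name in ("cipher", "data-ciphers-fallback"):
        if d.get(name, "").upper() in WEAK:
            findings.append(f"{name} is set to {d[name]}")
    findings += [f"data-ciphers lists {c}" for c in offered if c in WEAK]
    if server_cipher.upper() not in offered:
        findings.append(f"data-ciphers does not list {server_cipher}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        print(label, audit(cfg) or "no findings")
```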