OpenVPN Client

Hi gurus and members,

I am having difficulty figuring out where I should insert the settings provided by my VPN provider.

The settings laid out by the provider are as follows:

client
dev tun
reneg-sec 0
persist-tun
persist-key
ping 5
ping-exit 30
nobind
comp-lzo no
remote-random
remote-cert-tls server
auth-nocache
route-metric 1
cipher AES-256-CBC
auth sha512

In WinBox, not many settings are available, so I don’t know where to plug many of these in, especially the auth section: I read at https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Authentication_Header_.28AH.29 that sha2 = sha256/512, while on my RB951G it is not available.
So, where do I input the settings above in the Mikrotik?

Thank you.
H

The option “auth sha512” isn’t supported, I don’t believe.

Yeah, I suspected the sha512 setting causes the connection failure. Hard to believe that Mikrotik does not support sha512 in the RB951. :frowning:

It’s actually not at all hard to believe; they had half-implemented OpenVPN for many years, so one more missing feature is no surprise. They will surely add it, but OpenVPN was never high priority for them.

I say it is surprising because Mikrotik is a commercial/enterprise-grade versatile network product, yet it does not support sha256/512.

Yet a household-grade router that can have DDWRT firmware installed actually supports sha512 in OpenVPN.

Hopefully Mikrotik can implement cipher sha256/512 in OpenVPN soon.


Henry

There’s a simple explanation: others simply took open-source OpenVPN with all features, while MikroTik wrote their own implementation.

It’s the only way it would fit.

Two years later… release 7.1.3 finally supports UDP, but still no SHA512 :open_mouth:

Sha512 is in 7.2rc.

What about AES-GCM? Because CBC mode is insecure and must not be used - it’s dropped by many apps/protocols.