Hi! I've just got my hands on a couple of RB1000 boxes. First time running RouterOS and I must say I'm VERY impressed! Great work! I've been running my own custom-made Linux-based firewalls for 10 years now and have been waiting for an appliance like this that is feature-rich enough to replace my own systems, and I think I've finally found it!
Anyway, I'm currently benchmarking OpenVPN performance through this device and think I've found a bug, or perhaps I'm just overlooking some setting.
Even though my OpenVPN server is configured to only accept cipher AES-256 and AUTH SHA1, I can have a client connect using any cipher/auth algos, including NONE, which defeats security completely.
The OpenVPN server tested is running on RouterOS 4.0-beta1, and the client I’m connecting with is running RouterOS 3.18.
Here is my current OpenVPN server config:
/interface ovpn-server server
set auth=sha1,md5 certificate=ovpn-server cipher=aes256 default-profile=ovpn-profile \
enabled=yes keepalive-timeout=60 mac-address=FE:5A:CF:35:E5:9A max-mtu=1400 \
mode=ip netmask=29 port=1194 require-client-certificate=no
Then a few other notes about the OpenVPN implementation. It would be really nice to be able to:
- Use UDP
- Run multiple instances of OpenVPN without running them in separate MetaRouters, just like you can run multiple IPsec tunnels. Yes, I know I can terminate multiple clients in one OpenVPN server, but I want to run multiple instances so I can bridge each instance to a separate VLAN.
- Use client-config specs, so I can push unique configs to clients based on their CN.
- Use static key mode for simple PtP tunnels without having to create certificates, similar to a PSK IPsec tunnel.
Probably more I haven't thought of yet after only a couple of hours playing :)
If you need any assistance or beta testing while implementing any of this, I'd be happy to help out.
Cheers
Mathias Sundman
OpenVPN GUI for Windows
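As an added example, not part of the post above and not MikroTik's code: a small Python lint that parses a RouterOS export of the `/interface ovpn-server server` section, joining the backslash-continued lines the way the export prints them, and flags the settings a reviewer would question in the config quoted above (the `auth` list still includes `md5` alongside `sha1`, and `require-client-certificate=no` means clients are not required to present a certificate). The expected cipher/auth sets, the finding codes and the hardened second sample are my assumptions for the example. It only checks what the server is configured to offer; whether RouterOS actually rejects a client that negotiates cipher or auth "none", the behaviour reported in the post, can only be confirmed against a live server with a deliberately weakened client.

```python
"""Lint a RouterOS ovpn-server export for weak settings (added example)."""
import re
import shlex

# Constructed sample: the server config quoted in the forum post.
SAMPLE_EXPORT = r"""/interface ovpn-server server
set auth=sha1,md5 certificate=ovpn-server cipher=aes256 default-profile=ovpn-profile \
enabled=yes keepalive-timeout=60 mac-address=FE:5A:CF:35:E5:9A max-mtu=1400 \
mode=ip netmask=29 port=1194 require-client-certificate=no
"""

# Constructed sample: the same section with the settings I would expect
# for "AES-256 and SHA1 only, certificate-authenticated clients".
HARDENED_EXPORT = r"""/interface ovpn-server server
set auth=sha1 certificate=ovpn-server cipher=aes256 default-profile=ovpn-profile \
enabled=yes keepalive-timeout=60 max-mtu=1400 mode=ip netmask=29 port=1194 \
require-client-certificate=yes
"""

# Policy assumptions for this example (what the poster says they intended).
EXPECTED_CIPHERS = {"aes256"}
EXPECTED_AUTH = {"sha1"}

OVPN_PATH = "/interface ovpn-server server"


def parse_export(text):
    """Return {menu_path: {key: value}} for every 'set' command in an export.

    RouterOS wraps long commands with a trailing backslash; those lines are
    joined before tokenising. Values are kept as the raw strings RouterOS
    prints (lists stay comma-separated).
    """
    joined = re.sub(r"\\\n", " ", text)
    sections = {}
    current = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, {})
            continue
        tokens = shlex.split(line)
        if tokens and tokens[0] == "set" and current is not None:
            for tok in tokens[1:]:
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    sections[current][key] = value
    return sections


def check_ovpn_server(settings):
    """Return a list of 'CODE: message' findings for one ovpn-server section."""
    findings = []
    auth = {a for a in settings.get("auth", "").split(",") if a}
    ciphers = {c for c in settings.get("cipher", "").split(",") if c}

    extra_auth = auth - EXPECTED_AUTH
    if extra_auth:
        findings.append(
            "AUTH_WEAK: auth offers %s in addition to %s"
            % (",".join(sorted(extra_auth)), ",".join(sorted(EXPECTED_AUTH))))
    extra_ciphers = ciphers - EXPECTED_CIPHERS
    if extra_ciphers:
        findings.append(
            "CIPHER_UNEXPECTED: cipher offers %s in addition to %s"
            % (",".join(sorted(extra_ciphers)), ",".join(sorted(EXPECTED_CIPHERS))))
    if settings.get("require-client-certificate", "no") != "yes":
        findings.append(
            "NO_CLIENT_CERT: require-client-certificate is not 'yes'; "
            "clients are authenticated by username/password only")
    if settings.get("enabled") != "yes":
        findings.append("DISABLED: server is not enabled")
    return findings


def lint_export(text):
    """Parse an export and lint its ovpn-server section (empty list if absent)."""
    sections = parse_export(text)
    if OVPN_PATH not in sections:
        return []
    return check_ovpn_server(sections[OVPN_PATH])


if __name__ == "__main__":
    for name, export in (("posted config", SAMPLE_EXPORT),
                         ("hardened config", HARDENED_EXPORT)):
        print("==", name)
        for finding in lint_export(export) or ["no findings"]:
            print("  " + finding)
```

Run it as a script and the posted config produces the AUTH_WEAK and NO_CLIENT_CERT findings while the hardened sample produces none. The finding codes are stable so the script can gate a config review; feed it the output of `/export` from the router after copying it to the workstation.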