OpenVPN over TCP is practically useless. OpenVPN over UDP is the only way to run such a tunnel that makes sense, both in theory and in practice. Encapsulating stateful and stateless protocols into a stateful tunnel is fundamentally flawed. PPTP uses GRE and L2TP uses UDP - that is why they work well. SSTP uses TCP - barely usable, and no amount of tweaks is going to change that. The only thing going in favor of SSTP is user convenience, nothing else.
As for OpenVPN, as far as I’m concerned, either implement UDP or remove it altogether.
Agreed. At this point in time I have to buy a separate CentOS box w/ OpenVPN + UDP just to do the VPN side of things, as I've had all sorts of troubles with OpenVPN over TCP in the past. It's OK when you just want to make a quick tunnel and test p2p functionality or set up a tiny site, but for anything that requires intense inter-site VoIP or huge transfers (in my case server replication) it fails miserably.
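For reference, a minimal server/client configuration pair for the kind of standalone OpenVPN-over-UDP box mentioned in the post above. It is added here as an illustration only; it is not from any post in this thread and is not RouterOS configuration. Hostnames, addresses, paths and certificate file names are placeholders.

```conf
# server.conf  (example only; paths, addresses and names are placeholders)
port 1194
proto udp                  # UDP transport, so the tunnel does not stack TCP retransmission on TCP
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0   # HMAC on the control channel; unauthenticated UDP junk is dropped early
server 10.8.0.0 255.255.255.0    # tunnel address pool handed out to clients
keepalive 10 60            # ping every 10 s, restart after 60 s of silence: UDP carries no connection state of its own
mssfix 1400                # clamp TCP MSS inside the tunnel so the UDP packets are not fragmented in transit
persist-key
persist-tun
user nobody
group nobody
verb 3

# client.ovpn  (example only)
client
dev tun
proto udp
remote vpn.example.com 1194
nobind                     # let the OS pick the local UDP source port
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server     # only accept a server certificate carrying the server EKU
explicit-exit-notify 1     # UDP only: tell the server this client is leaving so its session is torn down
persist-key
persist-tun
verb 3

# For comparison, the TCP variant the thread argues against is the same pair with
#   proto tcp-server   (server)   /   proto tcp-client   (client)
# and without explicit-exit-notify, which is only valid over UDP.
```

The UDP-specific directives (keepalive, explicit-exit-notify, mssfix, nobind) are the ones that matter in practice: the transport itself keeps no session, so liveness detection and clean teardown are done by OpenVPN, and the MSS clamp keeps the encapsulated TCP streams from producing fragmented UDP datagrams on links with a smaller path MTU.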
UDP support for the OVPN client/server is essential, and much needed. I have over 70 sites, and let me tell you, ANY kind of VPN running over TCP is a nightmare.
OpenVPN is flexible, mature, and an RB750 that has UDP-based OVPN would be a godsend for me.
Seriously, Mikrotik, it is a repeatedly demanded feature, and should have a higher priority than some of the fluff like metarouter and partitioning.
Why does everyone want OpenVPN? I've never, ever seen it used in enterprise. It's GRE with IPsec, or just IPsec tunnels. Please explain to me why it's such a wanted feature?
It baffles me too. I suspect it is due to the very basic IPsec support on RouterOS.
I would be happy to see Mikrotik add xauth, mode-cfg, nhtb and svti support to IPSEC and get rid of OpenVPN from RouterOS all together.
Who said RouterOS is only for enterprise use? There are tons of hobby users and small businesses and IMHO for those, OpenVPN is the best there is (meaning primarily for road warriors). It’s extremely simple, yet powerful enough.
Perhaps for large-scale deployments, IPSec with all the features might be great. I can't really say much about that, I'm no expert. My personal experience however, is that IPSec is a PITA to configure and I run into different problems too often. It seems that interoperability and having all the cool features available everywhere is not really a common thing with IPSec.
So I guess I'm not alone and IPSec simply isn't the right choice for this target group. Which leaves us with PPTP (NAT troubles, so no thanks), L2TP/IPSec (we're scared of the second part already) or SSTP (still too many XPs out there). We're lucky to have OpenVPN. Using only a single port, it can squeeze through everywhere. In most cases, all the features are available (simply because it's mostly the same client, as there are not many third-party implementations; which I agree is kind of unfair to present as an advantage, but as a user I can't really complain about it).
I wish MikroTik would reconsider and make all their users happy. Btw, the release notes of the latest OpenVPN 2.3.0 include "Much of the code has been better documented", so maybe it could help, if it's really true?
Usage scenario 1: In use with two major global retailers and major oil company.
Remote support.
Backups of databases are taken daily to a central location from a variety of sites around the world, from a truck in Russia to an oil refinery in the UK for specialised machinery.
Remote control provides exceptionally quick response times to any issues; this includes access to webcams allowing remote support to see into the machines, as well as VNC to the desktops and access to the networked PLCs. My implementation of this solution has literally cut site visits by engineers by 98-99 percent.
As a bonus, other applications can use the links to get realtime information on stock levels.
Support is initiated via a custom-written XMPP application with Google Translate hooked in, to allow easy communication without much in the way of language barriers. Remote support team size is drastically reduced as a result. All this is achieved over standard broadband connections with low-cost VPN routers (as hardware is very vulnerable to staff in high-turnover situations, think being pinched, or users circumventing access controls attempting to surf porn on public-facing computers, both of which have happened), further reducing cost.
Usage scenario 2:
Remote access - road warrior style.
User is an international auditor, and has no control over internet connections, yet needs access to his email and files remotely and securely. Needed a secure, reliable solution that was able to navigate firewalls and proxies with a minimum of intervention.
In both of these, depending on the location, like a truck in Russia using 3G connections, network availability is dictated by location, not by wishful thinking. So saying “VPNs were never meant to be used over slow connections” is not realistic.
Why do any of us use Mikrotik? Cost, I'm guessing. Sure you can do it all with other equipment, but for me, I need reliability of supply and it needs to be cheap. I don't want to be using five or six differing brands and configurations when I can standardise on one. As I'm sure we are all aware, support is a very cost-conscious area; no one wants to spend, as it is seen as wasted money because it isn't used constantly, but is screamed about if it doesn't work totally reliably.
Full-caps OVPN support in ROS could be nice even for home consumers [access to the home network, check on the home, kids, pets, flowers], let alone corporate/job needs.
What else for that? PPTP? Pff... IPSec over L2TP? Hm. SSTP? Even less interesting.