OVPN on new versions ROS 6.0 and 5.1...

Exactly. Remote access to internal network from wherever user happens to be, no matter how bad that connection is, that’s what it’s perfect for. Personally I miss pushing routes a little more than udp support, but I wouldn’t say “no” to that either. Or just implement everything and combined with user-friendly interface provided by WinBox, it will be absolute killer. :slight_smile:

I don’t think I’ve ever come across a company so stubborn to change. The most requested feature (and by a country mile) and not even a comment as to why they won’t support it.

The top two reasons I use it between sites, as well as for remote access:

UDP transport - stateless, with very few (if any) issues passing through a firewall
Basic routing support - ability to push routes to clients or other sites for multi-subnet installations

UDP transport - Can be provided by IPSEC with NAT-T
Basic routing support - Can be provided by IPSEC with VTI (aka SVTI) support

Unfortunately Mikrotik’s IPSEC implementation is just as lacking as their OpenVPN implementation. I would sooner see them bring their IPSEC functionality up to standard than invest more time in OpenVPN.

IPSEC is a standard and allows interoperability with many other vendors.

At the end of the day it comes down to what users want and if there are any alternatives available. Until now, there was no real alternative to Mikrotik products unless you wanted to “roll your own” Alix boards etc.

With Ubiquiti’s new line of EdgeRouters, if they decide to support OpenVPN then I’m sure many hundreds of users will jump ship. We’ll certainly be one of them as we shouldn’t have to rework our network just because a vendor can’t be bothered to support (or even comment on) the most widely used VPN standard out there.

Sorry if that sounds scathing but at the very least Mikrotik have an obligation to answer their users’ questions. By not even discussing OpenVPN, they’ve opened themselves up to criticism.

That’s not exactly true. They commented several times, it’s just that the answer was always some form of “no”. And if they are not ready to change that to “yes”, there’s not much to discuss.

I understand it’s not easy for them. RouterOS is closed source, while OpenVPN is under GPL, so they can’t just take the original code, make a few modifications to integrate it into the system and distribute the resulting binary. At the same time, there doesn’t seem to be any real documentation for the OpenVPN protocol, except the source code itself (correct me if I’m wrong), which is not good for anyone trying to create an independent implementation.

You can now get OpenVPN for the iPhone.

Still not getting why ovpn is better than a gre tunnel… what am I missing here? It seems it’s being used in niche type situations…

I’m guessing encryption.

And yes OpenVPN is a niche technology. I have never seen an enterprise router with support for OpenVPN, and have never seen it being used outside of the soho/enthusiast segment.

IPSEC on the other hand…

OpenVPN is used to tunnel traffic without having to worry about firewalls. It is used in many fortune 500 companies including ours.

s

Well I could answer this post in two ways …

  1. Mikrotik with RouterOS IMHO is not targeted only for enterprise but also for SOHO and even home use for advanced users. Some of them prefer using OpenVPN for their VPN connections.

  2. I have seen OpenVPN being used in enterprise environment on several occasions. And ALWAYS with UDP which RouterOS implementation (sadly) does not support, sometimes even with LZO - don’t ask me, I did not set up those systems, I just have to connect to them! We had to set up Intel Atom boxes for our clients to do the job for now (we will test Edgemax when it’s available). Metarouter is a joke!

Mikrotik: Do you really think all those people over the years request full openvpn support just for fun or what??

JF

IMHO it’s wrong way to make it a competition between IPSec and OpenVPN. Even if MikroTik supported either one 100%, need for the other one would not go away. They may be each appealing to different target groups (well, not strictly), but both are popular enough to not perish any time soon. We need both.

I’m just wondering if MikroTik has any estimates how many of their possible customers are currently forced to buy hardware and/or software from other vendors, because of missing features in RouterOS. And it’s not only OpenVPN or IPSec, check the “feature requests” page on wiki and you’ll find several important or useful ones. Years old, without much hope to be implemented soon or perhaps ever. They may not look as important if people managed to live without them so far, but it often means they simply get them elsewhere. I may of course be wrong, but it seems to me that if MikroTik hired a few more people to implement these things, they’d get the costs back in increased sales in no time.

Sadly the answer is always a “no” from mikrotik about this most requested feature.

On the other hand, in every RouterOS release with new features, I wonder who the hell requests those new features which are useless at all like SMB. WTF ?

Who uses it on a router ?

And think about fastpath now for example. It is very useful and I am sure it is implemented in no time after the publication of the Edgemax vs RouterOS benchmark sheet. If it was this easy to implement this, why they have been waiting all this time ?

So simply, mikrotik seems they are more influenced by the direct competition in terms of adding new features, rather than customer requests.

I would also like to see a real reason why OpenVPN’s UDP feature has not yet been implemented in rOS…
One of the advantages of the UDP-version is that it creates less overhead for both the connection and the router…
Running a metarouter only to get the UDP version seems kinda ridiculous.

Luckily EdgeMax includes FULL OpenVPN support. Mikrotik will have to add OpenVPN now or else face a mass exodus of customers.

s

It has struck me odd for many years now that MT has always taken the “everything but the kitchen sink” approach to features, but once implemented, many get little if any “love” by way of ongoing maintenance or enhancement.

If it were possible, I would really prefer to be able to strip ROS down to something much closer to the functionality I actually use in most cases - routing/bridging, wireless, and firewall functions only. I could see it being beneficial in terms of upgrade file size, memory footprint, and even vulnerability/bug containment. Unfortunately, the package granularity is far too coarse to accommodate that.

Now that an SMB server has been implemented (which I personally feel is pointless on a router, but would be a reasonable application for a metarouter - if it were stable on all platforms), I am actually surprised we haven’t seen the addition of a print server, torrent downloader, and webcam server too.

:mrgreen: sad but true

Well, ROS 6 is out, don’t see in the changelog :frowning:

FYI, I’ve done an OpenVPN and IPSec setup, this is the difference on a 5Mbps line (was connected through WiFi though).
[Attached images: IPSec.png, OVPN.png]

Any license issues can be worked out. The ROS is using Linux kernel and tools to operate and those are majority GPL as well. Having one protocol implementation added to the mix should not be that difficult.

We (http://www.unwired.at) are running Austria’s biggest free WiFi network. We use only Ubiquiti Hardware because of the good OpenWRT support. The only thing that prevents us from using Mikrotik HW (which we would like to do) is the missing UDP support in MT’s OpenVPN.