The reason why RouterOS NEEDS OpenVPN UDP.

RouterOS NEEDS OpenVPN UDP support. Every single TCP-based site-to-site VPN is SLOW when you are using any ISP-provided modem/gateway combo (even if you are using ISP-provided static IPs and are bypassing the ISP hardware's NAT table).

Example, AT&T Uverse:

If I disable ALL FIREWALL rules and set up and run a bandwidth test I get 50 Mbit/5 Mbit TCP and UDP.

Set up IPSEC between the 2 (both RouterOS x86 on hardware that does 200Mbit over IPSEC) and you get 50/5 UDP and 22/5 TCP. Cuts the TCP performance in half. MTU has been addressed, everything.

OpenVPN tunnels show the same behavior.

If I set up a site-to-site VPN with pfSense over IPSEC, no matter what you get 50/5 TCP & UDP, even single stream. Set up an OpenVPN tunnel with an OpenVPN AS VM, you get 50/5 all the time, even on the TCP setting.

In other words, there is something wrong with the way RouterOS handles the encryption/decryption of TCP. Enabling OpenVPN UDP support would also allow seamless integration between brands.

This was requested many times. Why create a new thread if you can join an already existing one?

Actually, one of the main problems here is that TCP-over-TCP is just a plain bad idea, period. You might have an okay experience with it in some situations, but as they say, "YMMV." In my opinion, it should only be used when you have absolutely no other option (for example, you are behind a firewall that you have no control over that won't let anything through except for web traffic; in that case, you can run a TCP-based VPN over port 443 and it will probably work, but it is going to suck).

I fully expect you would have a similar experience with SSTP.

Why don’t you just use L2TP? It’s PPP over pure UDP.

– Nathan
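As an added example (not posted by anyone in this thread, and not MikroTik's documentation): the measurement the original poster describes, followed by the L2TP-over-IPsec site-to-site tunnel Nathan suggests, written as RouterOS v6 CLI. The public addresses (198.51.100.1, 203.0.113.1), tunnel addresses (10.255.255.0/30), LAN ranges, user names and CHANGEME secrets are all placeholders; substitute your own. The point of running the bandwidth test once before and once after the tunnel, with TCP as a single stream, is to get the same pair of numbers the original poster compares (UDP vs single-stream TCP) on your own link.

```routeros
# Site A: public 198.51.100.1, LAN 192.168.1.0/24   (assumed placeholders)
# Site B: public 203.0.113.1, LAN 192.168.2.0/24    (assumed placeholders)

# --- 1. Baseline with no tunnel in the path -----------------------------
# On Site B: enable the bandwidth-test server. authenticate=yes means the
# tester must supply a valid RouterOS user, so it cannot be used to flood
# the box anonymously.
/tool bandwidth-server set enabled=yes authenticate=yes

# On Site A: UDP, then TCP as a single stream, then TCP with the default
# 20 streams. Keep the single-stream TCP figure; that is the one that
# drops when the tunnel misbehaves.
/tool bandwidth-test address=203.0.113.1 protocol=udp direction=both duration=30s user=admin password=CHANGEME
/tool bandwidth-test address=203.0.113.1 protocol=tcp connection-count=1 direction=both duration=30s user=admin password=CHANGEME
/tool bandwidth-test address=203.0.113.1 protocol=tcp direction=both duration=30s user=admin password=CHANGEME

# --- 2. L2TP over IPsec: PPP carried in UDP, encrypted with ESP ----------
# On Site A (server side): open only what IKE, NAT-T, L2TP and ESP need.
/ip firewall filter add chain=input protocol=udp dst-port=500,1701,4500 action=accept comment="IKE, L2TP, NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="ESP"

# One PPP secret per remote site; it also fixes the tunnel endpoint addresses.
/ppp secret add name=site-b password=CHANGEME-PPP service=l2tp local-address=10.255.255.1 remote-address=10.255.255.2

# use-ipsec=yes makes RouterOS create the dynamic IPsec peer and policy for
# the L2TP control and data packets; the pre-shared key must match on both ends.
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret=CHANGEME-PSK

# Site B's LAN is reached via the far end of the tunnel.
/ip route add dst-address=192.168.2.0/24 gateway=10.255.255.2 comment="Site B via L2TP"

# On Site B (client side): dial Site A, do not take a default route from it.
/interface l2tp-client add name=l2tp-to-site-a connect-to=198.51.100.1 user=site-b password=CHANGEME-PPP use-ipsec=yes ipsec-secret=CHANGEME-PSK add-default-route=no disabled=no
/ip route add dst-address=192.168.1.0/24 gateway=l2tp-to-site-a comment="Site A via L2TP"

# --- 3. Same tests again, this time to the far end's tunnel address -------
# On Site A; compare against the step 1 figures.
/tool bandwidth-test address=10.255.255.2 protocol=udp direction=both duration=30s user=admin password=CHANGEME
/tool bandwidth-test address=10.255.255.2 protocol=tcp connection-count=1 direction=both duration=30s user=admin password=CHANGEME
```

Two caveats when reading the numbers: the bandwidth test generates and encrypts its traffic on the routers themselves, so on small CPUs it measures the router as much as the link (testing between hosts behind each router avoids that), and the two runs should use the same `duration` and `connection-count` or they are not comparable. The L2TP tunnel here is authenticated by a pre-shared key; RouterOS also accepts certificates for the IPsec peer if the sites need something stronger than a shared secret.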