
 
mariusp
just joined
Topic Author
Posts: 3
Joined: Mon May 15, 2017 5:08 pm

OpenVPN SHA256 + UDP

Mon May 15, 2017 5:15 pm

Hello!

Is there any news regarding:

1. OpenVPN over UDP support
2. SHA256 authentication support on OpenVPN. (Though SHA1 still provides strong authentication, clients are asking more and more for SHA256).

I could not find any relevant information, so I would be very grateful for any kind of information.

Thanks,
Marius
 
oscar120584
just joined
Posts: 7
Joined: Mon May 30, 2016 11:52 am

Re: OpenVPN SHA256 + UDP

Tue May 16, 2017 7:57 am

Sorry, man, this is a super mega ultra complicated task and developers do not know how to solve it. Or do not want to ... :wink:
 
mariusp
just joined
Topic Author
Posts: 3
Joined: Mon May 15, 2017 5:08 pm

Re: OpenVPN SHA256 + UDP

Tue May 16, 2017 11:02 am

Thanks for the info;)
Which one is the complicated one? I am more interested in the SHA256 OpenVPN item
 
mariusp
just joined
Topic Author
Posts: 3
Joined: Mon May 15, 2017 5:08 pm

Re: OpenVPN SHA256 + UDP

Fri May 19, 2017 6:05 pm

Any detail on OVPN SHA256 support?
 
eriitguy
Member Candidate
Posts: 197
Joined: Thu Jan 26, 2017 1:16 pm

Re: OpenVPN SHA256 + UDP

Fri May 19, 2017 8:18 pm

mariusp,

Some information about these long-awaited requests can be found in the following forum topic: Feature Request: OpenVPN [ovpn] udp tunnels
 
schadom
Member Candidate
Posts: 139
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: OpenVPN SHA256 + UDP

Sun Feb 04, 2018 11:11 pm

Would like to bump the feature request for SHA256 authentication. SHA1 is broken - https://shattered.io/
No need for other complicated features such as udp or lzo, as long as the current implementation is secure enough.

Thanks
 
swits1109
Frequent Visitor
Posts: 56
Joined: Sat Sep 10, 2016 6:03 pm

Re: OpenVPN SHA256 + UDP

Wed Feb 28, 2018 4:54 am

+1

Just set up OVPN for the first time on MikroTik and was surprised there is no SHA256. Anything else is not as secure.
 
xt22
Frequent Visitor
Posts: 51
Joined: Tue Jul 14, 2015 1:16 pm

Re: OpenVPN SHA256 + UDP

Tue Mar 20, 2018 2:50 pm

+1 for SHA256 :(

And UDP also, tcp openvpn from california to rb in europe is slow and laggy, good old l2tp/ipsec on the same machines is more than 10x faster

//edit - After the new openvpn TLSv1.2 update - what TLS does mikrotik openvpn server use? Is it possible to force usage of TLSv1.2 only? (--tls-cipher)
 
4xy
just joined
Posts: 2
Joined: Sun Mar 25, 2018 7:26 pm

Re: OpenVPN SHA256 + UDP

Sun Mar 25, 2018 7:28 pm

+1 for both
 
nin
just joined
Posts: 22
Joined: Sat Feb 20, 2010 9:02 pm

Re: OpenVPN SHA256 + UDP

Sun Apr 01, 2018 12:28 am

+1, again, again, again it sucks
 
ghusson
just joined
Posts: 5
Joined: Thu Mar 01, 2018 11:41 am

Re: OpenVPN SHA256 + UDP

Thu Apr 05, 2018 7:05 pm

+1 for SHA256
(and I don't understand why the default settings on VPNs for hash functions and symmetric cryptography are still old ones that are reported to be broken/not secure anymore)
After hours of searching and comparison, I will use OpenVPN as the site-to-central-site VPN (simple to configure - thanks for key generation on MikroTik! - , NAT traversal, ~5% overhead, ...).
It is not serious to use an insecure auth method for professional cases.
Please, MikroTik dev team, consider prioritizing this development...
 
schadom
Member Candidate
Posts: 139
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: OpenVPN SHA256 + UDP

Mon Apr 16, 2018 1:36 am

bump
 
icsterm
newbie
Posts: 26
Joined: Sun Mar 11, 2018 11:11 pm

Re: OpenVPN SHA256 + UDP

Tue Apr 17, 2018 11:59 am

I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance.
OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never.

SHA256 is supported on the mentioned protocols, not sure why openvpn would be more compelling, maybe only to opensource lovers.
 
squeeze
Member Candidate
Posts: 146
Joined: Thu Mar 22, 2018 7:53 pm

Re: OpenVPN SHA256 + UDP

Tue Apr 17, 2018 1:09 pm

> I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance.
> OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never.
>
> SHA256 is supported on the mentioned protocols, not sure why openvpn would be more compelling, maybe only to opensource lovers.

Many VPN providers, including the largest, only support OpenVPN. Some support weaker protocols such as PPTP, but these are either discouraged or being discontinued. Some support stronger protocols such as Wireguard, even before their code or standards are finalized.

But the one thing common to all modern retail VPN providers is OpenVPN. Since OpenVPN without UDP is less like having one hand tied behind your back and more like having both legs cut off in terms of throughput and latency, this is why threads like this exist.

Of course, those considering site-to-site VPNs have many more options for protocols, and are in a position to follow the advice you suggested.

As for SHA256, that's only for HMAC auth, and SHA1 is still widely used. There is no rush there because the key lifetimes are so short, on average just an hour. Also, they can only be used to fake a packet, not break the entire channel's security. Such a concern, even for those worried about state actors, is so ridiculously unlikely (breaking a SHA-1 key in an hour AND using it) that it is not worth considering from the client side. It is just a security integrity issue for the VPN provider to keep up with the latest tech, i.e. SHA-2.
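
The per-packet HMAC check that this post refers to, as an added example (not part of the original post, and not OpenVPN or RouterOS code). The packet layout (tag, 4-byte packet ID, payload), the key and the payload are constructed assumptions; the point is what a receiver does when the two peers are configured with the same or with different `auth` digests.

```python
import hashlib
import hmac

# Tag length in bytes for each digest a peer may be configured with.
TAG_LEN = {"sha1": 20, "sha256": 32}


def seal(key: bytes, packet_id: int, payload: bytes, digest: str) -> bytes:
    """Build tag || packet_id || payload (simplified layout, an assumption)."""
    body = packet_id.to_bytes(4, "big") + payload
    return hmac.new(key, body, digest).digest() + body


def unseal(key: bytes, wire: bytes, digest: str):
    """Return (packet_id, payload) if the tag verifies, else None."""
    n = TAG_LEN[digest]
    if len(wire) < n + 4:
        return None
    tag, body = wire[:n], wire[n:]
    expected = hmac.new(key, body, digest).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return int.from_bytes(body[:4], "big"), body[4:]


def demo() -> dict:
    key = bytes(range(32))                   # constructed key
    payload = b"constructed tunnel payload"  # constructed sample data
    sha1_wire = seal(key, 7, payload, "sha1")
    sha256_wire = seal(key, 7, payload, "sha256")
    # Flip one bit of the last payload byte to simulate modification in transit.
    tampered = sha1_wire[:-1] + bytes([sha1_wire[-1] ^ 0x01])
    return {
        "tag_bytes": (len(sha1_wire) - len(payload) - 4,
                      len(sha256_wire) - len(payload) - 4),
        "same_digest": unseal(key, sha256_wire, "sha256"),
        "sha256_sender_sha1_receiver": unseal(key, sha256_wire, "sha1"),
        "tampered": unseal(key, tampered, "sha1"),
        "wrong_key": unseal(b"\x00" * 32, sha1_wire, "sha1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A receiver configured for a different digest than the sender rejects every packet, which is why a SHA1-only endpoint cannot join a tunnel whose other side requires SHA256.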
 
masseselsev
just joined
Posts: 9
Joined: Thu Mar 27, 2014 8:01 am
Location: Zhukovskiy, MO, Russia

Re: OpenVPN SHA256 + UDP

Sun Apr 22, 2018 12:44 pm

come on, Mikrotik, even Asus can do sha256...
MTCNA, MTCWE
 
lugovoyma
just joined
Posts: 2
Joined: Mon Apr 23, 2018 8:10 pm

Re: OpenVPN SHA256 + UDP

Mon Apr 23, 2018 8:17 pm

The bandwidth overhead caused by the lack of support for OpenVPN UDP and compression calls into question whether it makes sense to use MikroTik as a gateway.
I don't really understand the company's policy; the request is more than 10 years old. There is already a wagonload of all kinds of bells and whistles, but the function that is actually needed is missing.
 
alli
newbie
Posts: 35
Joined: Tue Jan 24, 2017 5:43 pm

Re: OpenVPN SHA256 + UDP

Sat May 05, 2018 1:42 pm

+1 for both
 
CTSsean
just joined
Posts: 23
Joined: Fri Sep 15, 2017 12:56 pm

Re: OpenVPN SHA256 + UDP

Mon May 07, 2018 5:55 pm

IMO, if RouterOS7 is vaporware, OpenVPN UDP needs to be addressed.
 
melky
just joined
Posts: 2
Joined: Wed May 09, 2018 11:02 am

Re: OpenVPN SHA256 + UDP

Wed May 09, 2018 11:16 am

+1 UDP
 
acald3ron
just joined
Posts: 18
Joined: Tue Jan 06, 2015 8:26 am
Location: Rosarito, México

Re: OpenVPN SHA256 + UDP

Wed May 09, 2018 5:32 pm

This topic should already be resolved. 2018.
Pay more to your developers to solve this!
 
alxspb
just joined
Posts: 1
Joined: Wed May 16, 2018 9:48 pm

Re: OpenVPN SHA256 + UDP

Wed May 16, 2018 10:35 pm

Dear MikroTik!

You have really done a good job in bringing an enterprise-grade routing solution down to SOHO-level pricing.

Now you're competing in both the SOHO and enterprise segments.
SOHO routers can do OpenVPN. Yep, we're talking about 10-50Mbps in the best-case scenario, but it is still sufficient for most SOHO use cases.

Regarding the enterprise market - it is not 2010 anymore, there are solutions that can do a 100 to 1000 Mbps OpenVPN tunnel on a budget. There are enterprise customers that prefer OpenVPN to IPSec/L2TP (I hope PPTP is dead by itself) for its configuration simplicity and UDP-based protocol that is easier for NAT traversal without significant performance degradation.

I'm really sad about your losing this market (including myself and the company I work for) of affordable but reliable and flexible routing that was, basically, created by your company.
 
linux99x
just joined
Posts: 1
Joined: Sat Jul 14, 2018 8:38 pm

Re: OpenVPN SHA256 + UDP

Sat Jul 14, 2018 8:48 pm

After being a loyal customer for the past 5 years, I have decided today that the v7 unicorn and/or this ongoing lack of UDP and TLS support in OpenVPN makes these routers useless in my future. The lack of response to the complaints, or of anything besides hopeless posts about the v7 feature set, demonstrates the future of this product. Moving to the U despite holding out hope for this support for the last 2 years. Anyone wanting to use any of today's standard VPN services should avoid this product line due to hours of frustration and lost time searching these forums for a solution that does not exist.
 
LDI
just joined
Posts: 1
Joined: Wed Oct 03, 2018 11:35 pm

Re: OpenVPN SHA256 + UDP

Wed Oct 03, 2018 11:45 pm

First of all, let me say thank you for making a reliable and affordable product.

Still, I would also need OVPN+SHA256...right now, my Mikrotik has to forward a few hosts to a low end wireless router, running LEDE, which is perfectly able to handle OVPN+SHA256...

I would like to setup the tunnel on the Mikrotik (which is also my default gateway), keeping my actual OVPN configuration.

I love RouterOS...but if I can't find any proper solution for this, I may just end up flashing it to LEDE...
 
openpass
just joined
Posts: 2
Joined: Sat Dec 01, 2018 11:12 pm

Re: OpenVPN SHA256 + UDP

Sat Dec 01, 2018 11:23 pm

WTF?!?!
I thought that MikroTik was a really cool device...
This is unreal, an OpenVPN client without UDP support!!! Without SHA512 and SHA256 support.
Likewise, MikroTik doesn't support DoH (DNS over HTTPS) such as Cloudflare and Google!
What kind of stupid developers are creating and updating RouterOS?!
 
schadom
Member Candidate
Posts: 139
Joined: Sun Jun 25, 2017 2:47 am
Location: Austria

Re: OpenVPN SHA256 + UDP

Sun Dec 02, 2018 8:30 am

> WTF?!?!
> I thought that MikroTik was a really cool device...
> This is unreal, an OpenVPN client without UDP support!!! Without SHA512 and SHA256 support.
> Likewise, MikroTik doesn't support DoH (DNS over HTTPS) such as Cloudflare and Google!
> What kind of stupid developers are creating and updating RouterOS?!

Calm down. Almost nobody supports DoH yet. UDP and SHA2 support for OpenVPN have been requested already many times but they stated why this is currently difficult to implement. I'm pretty certain they are working on this for ROSv7.
 
openpass
just joined
Posts: 2
Joined: Sat Dec 01, 2018 11:12 pm

Re: OpenVPN SHA256 + UDP

Sun Dec 02, 2018 10:59 am


> Calm down. Almost nobody supports DoH yet. UDP and SHA2 support for OpenVPN have been requested already many times but they stated why this is currently difficult to implement. I'm pretty certain they are working on this for ROSv7.

I found requests for UDP in this forum that are 11 years old: viewtopic.php?t=20537
I heard about ROSv7 beta 1 3 years ago.
Nothing changes...
If ROSv7 is coming in the far, far future, please don't forget to add the tls-crypt option for OpenVPN (without this, OVPN can't work in China and, in the near future, in Russia)
 
msatter
Forum Guru
Posts: 1177
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: OpenVPN SHA256 + UDP

Sun Dec 02, 2018 1:06 pm

I don't think RouterOS v7 is that far away. Some v7 features are already implemented in v6.

On the DNS part there are better programs like Unbound that do all of that, in an excellent way.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.3.1
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
recipher
just joined
Posts: 2
Joined: Tue Apr 23, 2019 9:42 am

Re: OpenVPN SHA256 + UDP

Tue Apr 23, 2019 11:08 am

Hi,

Sorry to bring up an old thread, though it would be brilliant if we can get some form of reliable feedback regarding the old standing question of UDP & SHA256 support for OpenVPN Client.

Understand it is a difficult item....just really difficult to standardize Mikrotik when this one feature is included with basic DD-WRT / OpenWRT / Tomato / Lede yet neglected by Mikrotik.

Can it even be done? If so, WILL it ever be done? If the answer is Yes, does this mean we may have this feature in 2019?
 
ofirule
just joined
Posts: 8
Joined: Tue Mar 26, 2019 6:19 pm

Re: OpenVPN SHA256 + UDP

Thu May 23, 2019 6:54 pm

+1

configuring using regular openvpn config file would also be great
 
r00t
Member Candidate
Posts: 161
Joined: Tue Nov 28, 2017 2:14 am

Re: OpenVPN SHA256 + UDP

Thu May 23, 2019 7:24 pm

State of OpenVPN in ROS 6.x is pretty much WONTFIX and other long OpenVPN UDP thread got locked up.
For any new features we have to wait for ROS 7.x (who knows how long) or just buy other hardware that does what you need today...
 
xorinzor
just joined
Posts: 1
Joined: Sat Jun 22, 2019 7:54 pm

Re: OpenVPN SHA256 + UDP

Sat Jun 22, 2019 7:58 pm

Just purchased my Mikrotik router, but was pretty annoyed to find out that I couldn't configure my VPN because the router lacks SHA256.
What's even worse is the seeming lack of response from MikroTik. Quite worrying in fact to see that they apparently don't take security that seriously.
 
recipher
just joined
Posts: 2
Joined: Tue Apr 23, 2019 9:42 am

Re: OpenVPN SHA256 + UDP

Wed Jun 26, 2019 8:41 am

Hello Mikrotik Engineers,

I know you have received many requests regarding OpenVPN UDP support, however it is proving almost impossible to get a clear answer.

We (just like the hundreds of other MT users) have a huge requirement for OpenVPN UDP support. Whilst we can (and do) use IP & SSTP tunnels for Mikrotik to Mikrotik VPNs, we have many sites that explicitly require OpenVPN + UDP support.

This is usually outside of our control as we are connecting to non Mikrotik services.

Additionally, UDP + SHA256 / SHA512 is becoming the standard.

What is the likelihood of Mikrotik Supporting OpenVPN UDP Support with SHA256 / SHA512 in the near future (ie. next 6 - 12 months)?


We trust you understand there must be hundreds (if not thousands) of users / devices that MUST use the above settings. Whilst we can implement alternative hardware, we would like to maintain uniformity with MT products where we can.

IF this is very unlikely to ever happen, please just let us know so we can all look to another solution.

Sincerely,

reCIPHER Group Australia
 
kobuki
Member Candidate
Posts: 134
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Sun Jun 30, 2019 3:20 pm

> Hello Mikrotik Engineers,
>
> I know you have received many requests regarding OpenVPN UDP support, however it is proving almost impossible to get a clear answer.

I'm all for Mikrotik and I use a lot of their devices, physical and virtual ROS, and they are mostly great, but I'm afraid proper OVPN support is but a wet dream. They keep promising advances in this area but nothing significant ever happens. It seems that attracting users needing this feature is not financially viable. That's the only practical reason I can think of. Technical issues can all be solved, they have good network engineers and programmers. Too bad though, I found that OVPN is practically the only free solution that is almost problem-free on the client side (far from perfect, though), has a good performance and feature set with good client OS support.
 
bronco
just joined
Posts: 15
Joined: Mon Dec 08, 2014 12:09 pm

Re: OpenVPN SHA256 + UDP

Sun Jun 30, 2019 3:25 pm

+1 SHA256
+1 UDP
 
enzain
just joined
Posts: 20
Joined: Wed Jan 17, 2018 9:15 pm

Re: OpenVPN SHA256 + UDP

Tue Jul 02, 2019 4:16 pm

We all need fully functional OpenVPN ... m.b. with special extension card, is ok .. but is needed :)
 
bronco
just joined
Posts: 15
Joined: Mon Dec 08, 2014 12:09 pm

Re: OpenVPN SHA256 + UDP

Tue Jul 02, 2019 11:20 pm

> We all need fully functional OpenVPN ... m.b. with special extension card, is ok .. but is needed :)

Some boards like the hexS already even have more crypto hardware acceleration than supported by Mikrotik software. So there's no need for extra hardware, just more source code has to be written or reimplemented since OpenVPN has been running stable for years on other platforms... :cry:
 
tlaguz
just joined
Posts: 2
Joined: Fri Jul 19, 2019 3:31 pm

Re: OpenVPN SHA256 + UDP

Tue Jul 23, 2019 5:36 pm

+1 SHA256
+1 UDP
