mariusp
just joined
Topic Author
Posts: 3
Joined: Mon May 15, 2017 5:08 pm

OpenVPN SHA256 + UDP

Mon May 15, 2017 5:15 pm

Hello!

Is there any news regarding:

1. OpenVPN over UDP support
2. SHA256 authentication support on OpenVPN. (Though SHA1 still provides strong authentication, clients are asking more and more for SHA256).

I could not find any relevant information, so I would be very grateful for any kind of information.

Thanks,
Marius
 
oscar120584
just joined
Posts: 8
Joined: Mon May 30, 2016 11:52 am

Re: OpenVPN SHA256 + UDP

Tue May 16, 2017 7:57 am

Sorry, man, this is a super mega ultra complicated task and developers do not know how to solve it. Or do not want to ... :wink:
 
mariusp
just joined
Topic Author
Posts: 3
Joined: Mon May 15, 2017 5:08 pm

Re: OpenVPN SHA256 + UDP

Tue May 16, 2017 11:02 am

Thanks for the info;)
Which one is the complicated one? I am more interested in the SHA256 OpenVPN item
 
mariusp
just joined
Topic Author
Posts: 3
Joined: Mon May 15, 2017 5:08 pm

Re: OpenVPN SHA256 + UDP

Fri May 19, 2017 6:05 pm

Any detail on OVPN SHA256 support?
 
eriitguy
Member Candidate
Posts: 197
Joined: Thu Jan 26, 2017 1:16 pm

Re: OpenVPN SHA256 + UDP

Fri May 19, 2017 8:18 pm

mariusp,

Some information about these long-awaited requests can be found in the following forum topic: Feature Request: OpenVPN [ovpn] udp tunnels
 
schadom
Member Candidate
Posts: 156
Joined: Sun Jun 25, 2017 2:47 am

Re: OpenVPN SHA256 + UDP

Sun Feb 04, 2018 11:11 pm

Would like to bump the feature request for SHA256 authentication. SHA1 is broken - https://shattered.io/
No need for other complicated features such as udp or lzo, as long as the current implementation is secure enough.

Thanks
 
swits1109
Frequent Visitor
Posts: 81
Joined: Sat Sep 10, 2016 6:03 pm

Re: OpenVPN SHA256 + UDP

Wed Feb 28, 2018 4:54 am

+1

Just setup Ovpn for the first time on mikrotik and surprised no SHA256. Anything else is not as secure.
 
xt22
Frequent Visitor
Posts: 75
Joined: Tue Jul 14, 2015 1:16 pm

Re: OpenVPN SHA256 + UDP

Tue Mar 20, 2018 2:50 pm

+1 for SHA256 :(

And UDP also, tcp openvpn from california to rb in europe is slow and laggy, good old l2tp/ipsec on the same machines is more than 10x faster

//edit - After the new openvpn TLSv1.2 update - what TLS does mikrotik openvpn server use? Is it possible to force usage of TLSv1.2 only? (--tls-cipher)
 
4xy
just joined
Posts: 2
Joined: Sun Mar 25, 2018 7:26 pm

Re: OpenVPN SHA256 + UDP

Sun Mar 25, 2018 7:28 pm

+1 for both
 
nin
newbie
Posts: 32
Joined: Sat Feb 20, 2010 9:02 pm

Re: OpenVPN SHA256 + UDP

Sun Apr 01, 2018 12:28 am

+1, again, again, again it sucks
 
ghusson
just joined
Posts: 6
Joined: Thu Mar 01, 2018 11:41 am

Re: OpenVPN SHA256 + UDP

Thu Apr 05, 2018 7:05 pm

+1 for SHA256
(and I don't understand that default settings on VPNs for hash functions and symmetric cryptography are still old ones that are reported to be broken/not secure anymore)
After hours of search and comparison, I will use openVPN as sites to central site VPN (simple to configure - thanks for keys generation on mikrotik ! - , nat traversal, ~5% overhead, ...).
It is not serious to use unsecure auth method for professional cases.
Please Mikrotik dev team, consider priority for this development...
 
schadom
Member Candidate
Posts: 156
Joined: Sun Jun 25, 2017 2:47 am

Re: OpenVPN SHA256 + UDP

Mon Apr 16, 2018 1:36 am

bump
 
icsterm
Frequent Visitor
Posts: 58
Joined: Sun Mar 11, 2018 11:11 pm

Re: OpenVPN SHA256 + UDP

Tue Apr 17, 2018 11:59 am

I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance.
OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never.

SHA256 is supported on the mentioned protocols, not sure why openvpn would be more compelling, maybe only to opensource lovers.
 
squeeze
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: OpenVPN SHA256 + UDP

Tue Apr 17, 2018 1:09 pm

> I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance.
> OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never.
>
> SHA256 is supported on the mentioned protocols, not sure why openvpn would be more compelling, maybe only to opensource lovers.

Many VPN providers, including the largest, only support OpenVPN. Some support weaker protocols such as PPTP, but these are either discouraged or being discontinued. Some support stronger protocols such as Wireguard, even before their code or standards are finalized.

But the one thing common to all modern retail VPN providers is OpenVPN. Since OpenVPN without UDP is less like having one hand tied behind your back and more like having both legs cut off in terms of throughput and latency, this is why threads like this exist.

Of course, those considering site-to-site VPNs have many more options for protocols, and are in a position to follow the advice you suggested.

As for SHA256 that's only for HMAC auth and SHA1 is widely still used. There is no rush there because the key lifetimes are so short, on average just an hour. Also, they can only be used to fake a packet not break the entire channel's security. Such concerns, even for those worried about state actors, are so ridiculously unlikely (breaking a SHA-1 key in an hour AND using it), it is not worth considering from the client side. It is just a security integrity issue for the VPN provider to keep up with the latest tech, i.e. SHA-2.
 
masseselsev
just joined
Posts: 11
Joined: Thu Mar 27, 2014 8:01 am
Location: Somewhere around the globe

Re: OpenVPN SHA256 + UDP

Sun Apr 22, 2018 12:44 pm

come on, Mikrotik, even Asus can do sha256...
 
lugovoyma
just joined
Posts: 2
Joined: Mon Apr 23, 2018 8:10 pm

Re: OpenVPN SHA256 + UDP

Mon Apr 23, 2018 8:17 pm

The bandwidth overhead caused by the lack of support for OpenVPN over UDP and for compression calls into question whether it makes sense to use a MikroTik as a gateway.
I don't really understand the company's policy; the request is more than 10 years old. There is already a wagonload of bells and whistles, but the function that is needed is missing.
 
alli
newbie
Posts: 37
Joined: Tue Jan 24, 2017 5:43 pm

Re: OpenVPN SHA256 + UDP

Sat May 05, 2018 1:42 pm

+1 for both
 
CTSsean
Frequent Visitor
Posts: 61
Joined: Fri Sep 15, 2017 12:56 pm

Re: OpenVPN SHA256 + UDP

Mon May 07, 2018 5:55 pm

IMO, if RouterOS7 is vapor ware, OpenVPN UDP needs to be addressed.
 
melky
just joined
Posts: 2
Joined: Wed May 09, 2018 11:02 am

Re: OpenVPN SHA256 + UDP

Wed May 09, 2018 11:16 am

+1 UDP
 
alxspb
just joined
Posts: 1
Joined: Wed May 16, 2018 9:48 pm

Re: OpenVPN SHA256 + UDP

Wed May 16, 2018 10:35 pm

Dear mikrotik!

You have really done a good job in bringing enterprise-grade routing solution down to soho-level pricing.

Now you're competing in both - SOHO and enterprise segment.
SOHO routers can do OpenVPN. Yep, we're talking about 10-50Mbps in best case scenario, but it is still sufficient for most SOHO use cases.

Regarding enterprise market - It is not 2010 anymore, there are solutions that can do 100 to 1000 Mbps OpenVPN tunnel on a budget. There are enterprise customers that prefer OpenVPN to IPSec/L2TP (I hope PPTP is dead by itself) for its configuration simplicity and UDP-based protocol that is easier for NAT traversal without significant performance degradation

I'm really sad for your losing this market (including myself and company I work for) of affordable but reliable and flexible routing that was, basically, created by your company.
 
linux99x
just joined
Posts: 1
Joined: Sat Jul 14, 2018 8:38 pm

Re: OpenVPN SHA256 + UDP

Sat Jul 14, 2018 8:48 pm

After being a loyal customer for the past 5 years, I have decided today the v7 unicorn and/or this ongoing udp and tls lack of support in openvpn makes these routers useless in my future. Lack of response to the complaints or anything beside hopeless post of v7 feature set demonstrates the future of this product. Moving to the U despite holding out hope for this support for the last 2 years. Anyone wanting to use any of today's standard vpn services should avoid this product line due to hours of frustration and lost time searching these forums for a solution that does not exist.
 
LDI
just joined
Posts: 1
Joined: Wed Oct 03, 2018 11:35 pm

Re: OpenVPN SHA256 + UDP

Wed Oct 03, 2018 11:45 pm

First of all, let me say thank you for making reliable and affordable product.

Still, I would also need OVPN+SHA256...right now, my Mikrotik has to forward a few hosts to a low end wireless router, running LEDE, which is perfectly able to handle OVPN+SHA256...

I would like to setup the tunnel on the Mikrotik (which is also my default gateway), keeping my actual OVPN configuration.

I love RouterOS...but if I can't find any proper solution for this, I may just end up flashing it to LEDE...
 
openpass
just joined
Posts: 3
Joined: Sat Dec 01, 2018 11:12 pm

Re: OpenVPN SHA256 + UDP

Sat Dec 01, 2018 11:23 pm

WTF?!?!
I thought that mikrotik was a really cool device...
this is unreal, openvpn client without UDP support!!! Without support for SHA512 and SHA256.
Same mikrotik doesn't support DoH (DNS over HTTPS) such as cloudflare and google!
What kind of stupid developers are creating and updating RouterOS ?!
 
schadom
Member Candidate
Posts: 156
Joined: Sun Jun 25, 2017 2:47 am

Re: OpenVPN SHA256 + UDP

Sun Dec 02, 2018 8:30 am

> WTF?!?!
> I thought that mikrotik was a really cool device...
> this is unreal, openvpn client without UDP support!!! Without support for SHA512 and SHA256.
> Same mikrotik doesn't support DoH (DNS over HTTPS) such as cloudflare and google!
> What kind of stupid developers are creating and updating RouterOS ?!

Calm down. Almost nobody supports DoH yet. UDP and SHA2 support for OpenVPN have been requested already many times but they stated why this is currently difficult to implement. I'm pretty certain they are working on this for ROSv7.
 
openpass
just joined
Posts: 3
Joined: Sat Dec 01, 2018 11:12 pm

Re: OpenVPN SHA256 + UDP

Sun Dec 02, 2018 10:59 am

> Calm down. Almost nobody supports DoH yet. UDP and SHA2 support for OpenVPN have been requested already many times but they stated why this is currently difficult to implement. I'm pretty certain they are working on this for ROSv7.

I found requests for UDP in this forum that are 11 years old: viewtopic.php?t=20537
About ROSv7 beta 1 I heard 3 years ago
Nothing changes...
If ROSv7 is coming in the far far future, please don't forget to add the tls-crypt option for openvpn (without this, ovpn can't work in china and in the near future in russia)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: OpenVPN SHA256 + UDP

Sun Dec 02, 2018 1:06 pm

I don't think RouterOS v7 is that far away. Some v7 features are already implemented in v6.

On the DNS part there are better programs like Unbound that do that all, in an excellent way.
 
recipher
just joined
Posts: 2
Joined: Tue Apr 23, 2019 9:42 am

Re: OpenVPN SHA256 + UDP

Tue Apr 23, 2019 11:08 am

Hi,

Sorry to bring up an old thread, though it would be brilliant if we can get some form of reliable feedback regarding the old standing question of UDP & SHA256 support for OpenVPN Client.

Understand it is a difficult item....just really difficult to standardize Mikrotik when this one feature is included with basic DD-WRT / OpenWRT / Tomato / Lede yet neglected by Mikrotik.

Can it even be done? If so, WILL it ever be done? If the answer is Yes, does this mean we may have this feature in 2019?
 
ofirule
newbie
Posts: 29
Joined: Tue Mar 26, 2019 6:19 pm

Re: OpenVPN SHA256 + UDP

Thu May 23, 2019 6:54 pm

+1

configuring using regular openvpn config file would also be great
 
r00t
Long time Member
Posts: 672
Joined: Tue Nov 28, 2017 2:14 am

Re: OpenVPN SHA256 + UDP

Thu May 23, 2019 7:24 pm

State of OpenVPN in ROS 6.x is pretty much WONTFIX and other long OpenVPN UDP thread got locked up.
For any new features we have to wait for ROS 7.x (who knows how long) or just buy other hardware that does what you need today...
 
xorinzor
just joined
Posts: 3
Joined: Sat Jun 22, 2019 7:54 pm

Re: OpenVPN SHA256 + UDP

Sat Jun 22, 2019 7:58 pm

Just purchased my Mikrotik router, but was pretty annoyed to find out that I couldn't configure my VPN because the router lacks SHA256.
What's even worse is the seeming lack of response from MikroTik. Quite worrying in fact to see that they apparently don't take security that seriously.
 
recipher
just joined
Posts: 2
Joined: Tue Apr 23, 2019 9:42 am

Re: OpenVPN SHA256 + UDP

Wed Jun 26, 2019 8:41 am

Hello Mikrotik Engineers,

I know you have received many requests regarding OpenVPN UDP support, however it is proving almost impossible to get a clear answer.

We (just like the hundreds of other MT users) have a huge requirement for OpenVPN UDP support. Whilst we can (and do) use IP & SSTP tunnels for Mikrotik to Mikrotik VPN's, we have many sites that explicitly require OpenVPN + UDP support.

This is usually outside of our control as we are connecting to non Mikrotik services.

Additionally, UDP + SHA256 / SHA512 is becoming the standard.

What is the likelihood of Mikrotik Supporting OpenVPN UDP Support with SHA256 / SHA512 in the near future (ie. next 6 - 12 months)?


We trust you understand there must be hundreds (if not thousands) of users / devices that MUST use the above settings. Whilst we can implement alternative hardware, we would like to maintain uniformity with MT products where we can.

IF this is very unlikely to ever happen, please just let us know so we can all look to another solution.

Sincerely,

reCIPHER Group Australia
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Sun Jun 30, 2019 3:20 pm

> Hello Mikrotik Engineers,
>
> I know you have received many requests regarding OpenVPN UDP support, however it is proving almost impossible to get a clear answer.

I'm all for Mikrotik and I use a lot of their devices, physical and virtual ROS, and they are mostly great, but I'm afraid proper OVPN support is but a wet dream. They keep promising advances in this area but nothing significant ever happens. It seems that attracting users needing this feature is not financially viable. That's the only practical reason I can think of. Technical issues can all be solved, they have good network engineers and programmers. Too bad though, I found that OVPN is practically the only free solution that is almost problem-free on the client side (far from perfect, though), has a good performance and feature set with good client OS support.
 
bronco
just joined
Posts: 17
Joined: Mon Dec 08, 2014 12:09 pm

Re: OpenVPN SHA256 + UDP

Sun Jun 30, 2019 3:25 pm

+1 SHA256
+1 UDP
 
enzain
just joined
Posts: 24
Joined: Wed Jan 17, 2018 9:15 pm

Re: OpenVPN SHA256 + UDP

Tue Jul 02, 2019 4:16 pm

We all need full functional OpenVPN ... m.b. with special extension card, is ok .. but is needed :)
 
bronco
just joined
Posts: 17
Joined: Mon Dec 08, 2014 12:09 pm

Re: OpenVPN SHA256 + UDP

Tue Jul 02, 2019 11:20 pm

> We all need full functional OpenVPN ... m.b. with special extension card, is ok .. but is needed :)

Some boards like the hexS already even have more crypto hardware acceleration than supported by Mikrotik software. So there's no need for extra hardware, just more source code has to be written or reimplemented since OpenVPN has been running stable for years on other platforms... :cry:
 
tlaguz
just joined
Posts: 7
Joined: Fri Jul 19, 2019 3:31 pm

Re: OpenVPN SHA256 + UDP

Tue Jul 23, 2019 5:36 pm

+1 SHA256
+1 UDP
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: OpenVPN SHA256 + UDP

Wed Sep 04, 2019 9:11 pm

If nothing changes very very soon, I have to replace my tiks. Talking over 3000 devices. Replacements will come, and it won’t be MikroTiks.

My field of work demands ovpn.
Last edited by Dude2048 on Wed Sep 04, 2019 9:12 pm, edited 1 time in total.
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Wed Sep 04, 2019 9:12 pm

> If nothing changes very very soon, I have to replace my tiks. Talking over 3000 devices. Replacements will come.

May I ask what the replacements will be?
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: OpenVPN SHA256 + UDP

Wed Sep 04, 2019 9:14 pm

Something with a proper implementation. Selecting, testing and proof of concept starts within two months.

No further disclosures.
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Wed Sep 04, 2019 9:16 pm

> Something with a proper implementation. Selecting, testing and proof of concept starts within two months.
>
> No further disclosures.

Will you be allowed to tell after final selection is done?
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: OpenVPN SHA256 + UDP

Wed Sep 04, 2019 9:28 pm

Yes
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN SHA256 + UDP

Wed Sep 04, 2019 9:50 pm

MikroTik staff on the forum have written that requests for features that are backed up by sales should be sent to their sales address and/or their distributors, not posted on the forum.
Apparently (and understandably) requests via that channel have more priority. Requests on the forum must have near zero priority, as there have literally been thousands of requests for better openvpn.
 
Dude2048
Member Candidate
Posts: 212
Joined: Thu Sep 01, 2016 4:04 pm

Re: OpenVPN SHA256 + UDP

Wed Sep 04, 2019 10:01 pm

Yes I know. I have read their statement. But this is an issue since 2010.... Maybe earlier. I contacted the distributor and said that there is nothing he can do. Since there are literally thousands of requests, MikroTik could listen a bit more seriously to some of them. Even though it is a user forum, their staff is reading along. But I am glad to have kid control.

However, the statement I made earlier stands.
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Wed Sep 04, 2019 10:38 pm

> this is an issue since 2010

It's almost like a disincentive in spite of other VPN tech like IPSEC which has a quite good implementation that keeps evolving. In retrospect, what we heard in the last 10 years about why NOT implement it properly sound like really bad excuses. Or it's an indisclosable licensing issue (SW stacks inside an MT box are not exactly open source, when interfacing gets into picture). I might be making up a contheo here, though.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 11:27 am

Yes I think it is a licensing issue. Somehow MikroTik cannot use the reference openvpn implementation and they had to write something themselves, which apparently was not done well and now nobody wants to touch that anymore.
I have had a router from another manufacturer that listed OpenVPN in its sales leaflet, but by the time I had updated the firmware to the latest revision it was gone. Forever.
So likely a similar issue.
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 12:09 pm

If at least we had a robust implementation of any virtualization tech in ROS for the lower-end devices, we would be able to add an image with a fully working OVPN implementation. It really baffles me that wherever we use MT devices and use OVPN (much more user friendly and easier to manage, support and pass through firewalls) we always need to add it to some other device or server.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 12:21 pm

> If at least we had a robust implementation of any virtualization tech in ROS for the lower-end devices, we would be able to add an image with a fully working OVPN implementation.

I think what we need is not virtualization as it (rudimentarily) exists now, but a feature to run user contributed programs on the router, which live in a chroot/limited privileges jail and can be configured to use simple network socket services and access to local configuration files only.
That could be used to implement OpenVPN and many other requested features for which a comparatively large number of requests is seen here, but for which there is no demand in the vast numbers of users of MikroTik equipment in general.
Running programs instead of virtualization uses much less resources and likely is easier to get going too.
Maybe, like the competitor does, a separate package of RouterOS containing this feature should be released so the plain users are protected from any additional security risks and the support department can handle issues occurring when using this feature at lower priority.
(similar to how some other competitors offer a "jailbreak" feature that gets indicated in generated support info and basically makes you lose product support)
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 12:30 pm

Virtualization is a ubiquitous technology nowadays. Almost all x86 and many ARM platforms (and more) are capable of running it. Kernel/cgroup based technologies (eg. Docker, LXC) are practically available anywhere where a Linux kernel is running. It's not rudimentary, it's rock solid (when properly integrated - no need to reinvent the wheel for the whole stack). Believe me, it's a LOT simpler for the manufacturer to allow users to upload an image instead of letting them in their file system and using quirks like chroot. Easier and cleaner resource separation, better security, simpler maintenance. But I think chances for this to happen are in the same probability tier as having a fully working OVPN stack.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 12:33 pm

RouterOS already has it. But newer small devices do not have enough resources (disk space, mainly) to use it.
And judging by the many demands for better OpenVPN, it does not suit the desires of most users anyway. Likely, it is too complicated to have 2 virtual routers for the task of implementing a VPN.
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 12:39 pm

I don't recall any of the device series released in the last couple of years actively supporting or advertising any kind of virtualization (not talking about x86 solutions here). Only one should be supported, if ever, not 2 or more. That wouldn't make sense. If the technology changes, so be it, but it should be one in general use for Linux kernels.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 3:26 pm

> Likely, it is too complicated to have 2 virtual routers for the task of implementing a VPN.

If I have to manage whole OpenWRT in MetaROUTER (assuming that my device supports it at all), I might as well get some Raspi-like device and use that instead. And it will be even easier, I will have more OS choices, etc. But mainly, VPN is basic thing that shouldn't need anything extra and router should be able to handle it by itself, I don't want another machine for that, physical or virtual.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 6:10 pm

> I don't recall any of the device series released in the last couple of years actively supporting or advertising any kind of virtualization

That is probably because it is advertised so little.
But the mipsbe and ppc devices have a feature called MetaROUTER which basically is virtualisation.
You can run a virtual router running RouterOS as well, or some externally obtained image that could e.g. be OpenWRT.
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 7:23 pm

I know what MR is and I used to use and test it. But it's not supported well and I have no idea what technology it uses. Seems left in ROS as a feature but it's effectively abandoned.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 7:53 pm

That is why I suggested a more lightweight approach which does not require special processor and kernel support and is the natural way to add functions: a user process.
And to keep it reasonably secure, use some existing Linux features to guard it.
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Thu Sep 05, 2019 7:58 pm

I already mentioned two of those. Support is in mainline for ages. Both stable, widely used. As for security, both can work unprivileged (no root access at all). A chroot is not a solution. But it's up to MT anyway and I'm not really keeping my hopes up in either subject.
 
Niemi
just joined
Posts: 12
Joined: Wed Mar 15, 2017 9:20 am
Location: Estonia/Tallinn

Re: OpenVPN SHA256 + UDP

Mon Oct 14, 2019 11:50 am

UP OpenVPN with SHA256!
 
nobbie
just joined
Posts: 14
Joined: Fri May 07, 2010 7:24 pm

Re: OpenVPN SHA256 + UDP

Sun Nov 24, 2019 4:02 pm

Finally up and running with RouterOS 7.0 beta3! 😊
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Sun Nov 24, 2019 4:49 pm

> Finally up and running with RouterOS 7.0 beta3! 😊

Finally. That's nice. I see the new UDP option, however still no SHA2 HMAC or EC cipher algos there. Only the outdated MD5 and SHA1 and AES for cipher, which in itself is good, but not enough (no TLS auth either). Well, it's still a beta so hopefully we'll have a more or less complete implementation later in stable releases.
 
onlineuser
Member Candidate
Posts: 250
Joined: Thu Aug 06, 2015 12:10 pm

Re: OpenVPN SHA256 + UDP

Tue Feb 11, 2020 7:32 pm

stable UDP and SHA512

Btw I now noticed that ovpn in ROS only supports md5 and sha1 (sha256, sha224, sha384, sha512). SHA512 would be fine!
 
SvenB
just joined
Posts: 16
Joined: Mon Dec 24, 2018 5:59 pm

Re: OpenVPN SHA256 + UDP

Wed Apr 29, 2020 7:09 pm

I do not really understand that they ignore their customers since over 10 years. The first request was 10 FCKING YEARS AGO FOR UDP SUPPORT.
It was my last Mikrotik router..
 
kobuki
Member Candidate
Posts: 198
Joined: Sat Apr 02, 2011 5:59 pm

Re: OpenVPN SHA256 + UDP

Wed Apr 29, 2020 8:28 pm

> stable UDP and SHA512
>
> Btw I now noticed that ovpn in ROS only supports md5 and sha1 (sha256, sha224, sha384, sha512). SHA512 would be fine!

SHA256 and up are actually part of the SHA2 family of hashes, including SHA512. There's no practical difference between eg. SHA256 and SHA512. But still no GCM support, nor TLS auth.
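
The OpenVPN options argued over in this thread (`proto`, `auth`, `cipher`, `tls-auth`, `tls-crypt`, compression) can be checked mechanically before a profile is handed to a constrained client. The sketch below is an added example, not part of any post and not MikroTik or OpenVPN project code; the client capability table encodes only what posters in this thread report for RouterOS 6, and the profiles and the host `vpn.example.net` are constructed.

```python
import shlex

# Assumption: client limits as described by posters in this thread for the
# RouterOS 6 OpenVPN client; not taken from vendor documentation.
THREAD_REPORTED_CLIENT = {
    "transports": {"tcp"}, "digests": {"MD5", "SHA1"},
    "aead": False, "tls_auth": False, "tls_crypt": False, "compression": False,
}
WEAK_DIGESTS = {"MD5", "SHA1"}
AEAD_SUFFIXES = ("-GCM", "-POLY1305")

# Constructed sample profiles (key material deliberately left out).
PROVIDER_PROFILE = """\
client
dev tun
remote vpn.example.net 1194 udp
auth SHA256            # HMAC digest for packet authentication
cipher AES-256-CBC
<tls-crypt>
(key material omitted)
</tls-crypt>
"""
LEGACY_PROFILE = """\
client
dev tun
proto tcp-client
remote vpn.example.net 443
auth SHA1
cipher AES-256-CBC
"""


def parse_profile(text):
    """Parse .ovpn text into {directive: [args of each occurrence]}."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                               # body of an inline <block>
            if line == "</%s>" % inline:
                inline = None
            continue
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            inline = line[1:-1]
            opts.setdefault(inline, []).append(["[inline]"])
            continue
        words = shlex.split(line, comments=True)
        if words:
            opts.setdefault(words[0].lstrip("-"), []).append(words[1:])
    return opts


def effective(opts):
    """Resolve the settings of interest, applying OpenVPN defaults."""
    def last(key, default):
        args = opts.get(key, [[]])[-1]
        return args[0] if args else default

    global_proto = last("proto", "udp")          # OpenVPN defaults to UDP
    transports = {(r[2] if len(r) > 2 else global_proto)[:3].lower()
                  for r in opts.get("remote", [])} or {global_proto[:3].lower()}
    ciphers = [c.upper() for c in
               last("data-ciphers", last("cipher", "")).split(":") if c]
    return {
        "transports": transports,
        "digest": last("auth", "SHA1").upper(),  # OpenVPN defaults to SHA1
        "aead_only": bool(ciphers) and all(c.endswith(AEAD_SUFFIXES) for c in ciphers),
        "tls_auth": "tls-auth" in opts,
        "tls_crypt": "tls-crypt" in opts,
        "compression": "compress" in opts or
                       ("comp-lzo" in opts and last("comp-lzo", "yes") != "no"),
    }


def audit(text, client=THREAD_REPORTED_CLIENT):
    """Return (weak, blocked): weak settings in the profile, and profile
    requirements the given client cannot meet."""
    s = effective(parse_profile(text))
    # With AEAD-only data ciphers the `auth` digest matters only for tls-auth.
    hmac_in_use = not s["aead_only"] or s["tls_auth"]
    weak, blocked = [], []
    if hmac_in_use and s["digest"] in WEAK_DIGESTS:
        weak.append("auth:" + s["digest"])
    if not (s["tls_auth"] or s["tls_crypt"]):
        weak.append("no-tls-auth-or-tls-crypt")
    for transport in sorted(s["transports"] - client["transports"]):
        blocked.append("transport:" + transport)
    if hmac_in_use and s["digest"] not in client["digests"]:
        blocked.append("auth:" + s["digest"])
    if s["aead_only"] and not client["aead"]:
        blocked.append("cipher:aead-only")
    for key in ("tls_auth", "tls_crypt", "compression"):
        if s[key] and not client[key]:
            blocked.append(key.replace("_", "-"))
    return weak, blocked


if __name__ == "__main__":
    for name, profile in (("provider", PROVIDER_PROFILE), ("legacy", LEGACY_PROFILE)):
        print(name, audit(profile))
```

Passing a different capability dictionary as `client` lets the same check be run for another device or firmware version.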
 
swa69er
just joined
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

Re: OpenVPN SHA256 + UDP

Sun Feb 28, 2021 8:25 am

2021
am I the only one here still waiting for sha256, TLS auth, and auth without username/password?

for now I'm trying aws free tier + openvpn AS
I would like to try openvpn Cloud
 
Sqopp
just joined
Posts: 1
Joined: Sun Feb 28, 2021 12:01 pm

Re: OpenVPN SHA256 + UDP

Sun Feb 28, 2021 12:08 pm

> 2021
> am I the only one here still waiting for sha256, TLS auth, and auth without username/password?
>
> for now I'm trying aws free tier + openvpn AS
> I would like to try openvpn Cloud

No, you are not alone. I've been following this for the last 4 years, as this is the only thing holding me back from buying Mikrotik products.
Having full implementation of OpenVPN is rudimentary today, and I can't understand why Mikrotik engineers simply ignore this.
Is there some Latvian regulation that prohibits full OpenVPN implementation, so government can tap into encrypted communication, or what?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN SHA256 + UDP

Tue Mar 02, 2021 8:18 pm

I think the issue is that RouterOS does not use the available opensource OpenVPN implementation, probably for reasons of licensing.
They implemented the protocol themselves and now it is a lot of work to keep up to date with what the opensource version develops.
And don't forget that while one crowd is asking for OpenVPN, another has moved on to Wireguard or standardized protocols like IKEv2.
So you never satisfy all the customers...
The v7 beta has a better OpenVPN but it still is not 100% complete.
 
Easen
just joined
Posts: 22
Joined: Tue Mar 23, 2021 9:38 pm

Re: OpenVPN SHA256 + UDP

Wed Apr 28, 2021 10:48 am

+1 for SHA256 support.

Let me start by saying I am fairly new to the Mikrotik eco-system and the lack of SHA256 does seem to be odd in 2021. I am also a bit shocked that this thread has been around for nearly 4 years. Wow...

At first read I thought the hold up might be due to the US's exporting of encryption laws (https://en.wikipedia.org/wiki/Export_of ... ted_States), but I'm fairly sure after 4 years they would have solved this (if this was indeed the reason for the delay) and RouterOS would have an available SHA256 library baked into it that's currently being used by a different component (Wifi, other VPN protocols, etc.)

Anyway, I have submitted a feature request via the official support channels, I assume you all have too.

Has anyone heard anything back from Mikrotik on this topic?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN SHA256 + UDP

Wed Apr 28, 2021 11:21 am

Please read the reply above your posting (#65)
OpenVPN in RouterOS is not the standard application that you just have to download every couple months to track what the world is doing.
For better (but not complete) OpenVPN see the v7 beta. Of course with the note that it is a beta.
 
Easen
just joined
Posts: 22
Joined: Tue Mar 23, 2021 9:38 pm

Re: OpenVPN SHA256 + UDP

Thu Apr 29, 2021 10:08 pm

> Please read the reply above your posting (#65)
> OpenVPN in RouterOS is not the standard application that you just have to download every couple months to track what the world is doing.
> For better (but not complete) OpenVPN see the v7 beta. Of course with the note that it is a beta.

Yes I did read your post, I suspect you are correct that the OpenVPN within RouterOS is a bespoke implementation.
I am currently running RouterOS v7 as I need to use Wireguard and the fq_codel has fixed my bufferbloat.

I got a response from Mikrotik regarding my submitted feature request...

> Thank you for your feedback. Unfortunately, there are no short term plans to implement SHA2 support for OpenVPN in RouterOS.

...so it doesn't look like SHA256 is coming to RouterOS anytime soon, which is a shame as the rest of the world has moved on from SHA1 & MD5 as hashing algorithms
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: OpenVPN SHA256 + UDP

Thu Apr 29, 2021 11:47 pm

> ...so it doesn't look like SHA256 is coming to RouterOS anytime soon, which is a shame as the rest of the world has moved on from SHA1 & MD5 as hashing algorithms

On the other hand, that does not really make sense.
The strength of the hashing algorithm is important for applications like certificates or password hashing, but for a VPN those algorithms are more than strong enough.
(in the application of hashing the data for integrity protection, it could be different for a connection procedure depending on the actual VPN protocol)

"the world" (and here I mean the security world) has a tendency to overstate the importance of issues like this, and forget the big picture.
They often are complaining that the 2cm steel doors in the building are not strong enough and need to be replaced by new 10cm titanium doors, while not paying attention to the 4mm glass window aside of it.
