
OpenVPN SHA256 + UDP

Posted: Mon May 15, 2017 5:15 pm
by mariusp
Hello!

Is there any news regarding:

1. OpenVPN over UDP support
2. SHA256 authentication support on OpenVPN. (Though SHA1 still provides strong authentication, clients are asking more and more for SHA256).

I could not find any relevant information, so I would be very grateful for any kind of information.

Thanks,
Marius

Re: OpenVPN SHA256 + UDP

Posted: Tue May 16, 2017 7:57 am
by oscar120584
Sorry, man, this is a super mega ultra complicated task and developers do not know how to solve it. Or do not want to ... :wink:

Re: OpenVPN SHA256 + UDP

Posted: Tue May 16, 2017 11:02 am
by mariusp
Thanks for the info;)
Which one is the complicated one? I am more interested in the SHA256 OpenVPN item

Re: OpenVPN SHA256 + UDP

Posted: Fri May 19, 2017 6:05 pm
by mariusp
Any detail on OVPN SHA256 support?

Re: OpenVPN SHA256 + UDP

Posted: Fri May 19, 2017 8:18 pm
by eriitguy
mariusp,

Some information about these long-awaited requests can be found in the following forum topic: Feature Request: OpenVPN [ovpn] udp tunnels

Re: OpenVPN SHA256 + UDP

Posted: Sun Feb 04, 2018 11:11 pm
by schadom
Would like to bump the feature request for SHA256 authentication. SHA1 is broken - https://shattered.io/
No need for other complicated features such as udp or lzo, as long as the current implementation is secure enough.

Thanks

Re: OpenVPN SHA256 + UDP

Posted: Wed Feb 28, 2018 4:54 am
by swits1109
+1

Just setup Ovpn for the first time on mikrotik and surprised no SHA256. Anything else is not as secure.

Re: OpenVPN SHA256 + UDP

Posted: Tue Mar 20, 2018 2:50 pm
by xt22
+1 for SHA256 :(

And UDP also, tcp openvpn from california to rb in europe is slow and laggy, good old l2tp/ipsec on the same machines is more than 10x faster

//edit - After the new openvpn TLSv1.2 update - what TLS does mikrotik openvpn server use? Is it possible to force usage of TLSv1.2 only? (--tls-cipher)

Re: OpenVPN SHA256 + UDP

Posted: Sun Mar 25, 2018 7:28 pm
by 4xy
+1 for both

Re: OpenVPN SHA256 + UDP

Posted: Sun Apr 01, 2018 12:28 am
by nin
+1, again, again, again it sucks

Re: OpenVPN SHA256 + UDP

Posted: Thu Apr 05, 2018 7:05 pm
by ghusson
+1 for SHA256
(and I don't understand that default settings on VPNs for hash functions and symmetric cryptography are still old ones that are reported to be broken/not secure anymore)
After hours of search and comparison, I will use openVPN as sites to central site VPN (simple to configure - thanks for keys generation on mikrotik ! - , nat traversal, ~5% overhead, ...).
It is not serious to use an insecure auth method for professional cases.
Please Mikrotik dev team, consider priority for this development...

Re: OpenVPN SHA256 + UDP

Posted: Mon Apr 16, 2018 1:36 am
by schadom
bump

Re: OpenVPN SHA256 + UDP

Posted: Tue Apr 17, 2018 11:59 am
by icsterm
I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance.
OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never.

SHA256 is supported on the mentioned protocols, not sure why openvpn would be more compelling, maybe only to opensource lovers.

Re: OpenVPN SHA256 + UDP

Posted: Tue Apr 17, 2018 1:09 pm
by squeeze
> I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance.
> OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never.
>
> SHA256 is supported on the mentioned protocols, not sure why openvpn would be more compelling, maybe only to opensource lovers.

Many VPN providers, including the largest, only support OpenVPN. Some support weaker protocols such as PPTP, but these are either discouraged or being discontinued. Some support stronger protocols such as Wireguard, even before their code or standards are finalized.

But the one thing common to all modern retail VPN providers is OpenVPN. Since OpenVPN without UDP is less like having one hand tied behind your back and more like having both legs cut off in terms of throughput and latency, this is why threads like this exist.

Of course, those considering site-to-site VPNs have many more options for protocols, and are in a position to follow the advice you suggested.

As for SHA256, that's only for HMAC auth and SHA1 is widely still used. There is no rush there because the key lifetimes are so short, on average just an hour. Also, they can only be used to fake a packet, not break the entire channel's security. Such concerns, even for those worried about state actors, are so ridiculously unlikely (breaking a SHA-1 key in an hour AND using it), it is not worth considering from the client side. It is just a security integrity issue for the VPN provider to keep up with the latest tech, i.e. SHA-2.

Re: OpenVPN SHA256 + UDP

Posted: Sun Apr 22, 2018 12:44 pm
by masseselsev
come on, Mikrotik, even Asus can do sha256...

Re: OpenVPN SHA256 + UDP

Posted: Mon Apr 23, 2018 8:17 pm
by lugovoyma
The bandwidth overhead caused by the lack of OpenVPN UDP and compression support calls into question whether it makes sense to use a MikroTik as a gateway.
I don't really understand the company's policy; the request is more than 10 years old. There is already a wagonload of bells and whistles, but the feature people need is missing.

Re: OpenVPN SHA256 + UDP

Posted: Sat May 05, 2018 1:42 pm
by alli
+1 for both

Re: OpenVPN SHA256 + UDP

Posted: Mon May 07, 2018 5:55 pm
by CTSsean
IMO, if RouterOS7 is vapor ware, OpenVPN UDP needs to be addressed.

Re: OpenVPN SHA256 + UDP

Posted: Wed May 09, 2018 11:16 am
by melky
+1 UDP

Re: OpenVPN SHA256 + UDP

Posted: Wed May 09, 2018 5:32 pm
by acald3ron
This topic should already be resolved. 2018.
Pay your developers more to solve this!

Re: OpenVPN SHA256 + UDP

Posted: Wed May 16, 2018 10:35 pm
by alxspb
Dear mikrotik!

You've really done a good job in bringing an enterprise-grade routing solution down to soho-level pricing.

Now you're competing in both - SOHO and enterprise segment.
SOHO routers can do OpenVPN. Yep, we're talking about 10-50Mbps in best case scenario, but it is still sufficient for most SOHO use cases.

Regarding enterprise market - It is not 2010 anymore, there are solutions that can do 100 to 1000 Mbps OpenVPN tunnel on a budget. There are enterprise customers that prefer OpenVPN to IPSec/L2TP (I hope PPTP is dead by itself) for its configuration simplicity and UDP-based protocol that is easier for NAT traversal without significant performance degradation.

I'm really sad about you losing this market (including myself and the company I work for) of affordable but reliable and flexible routing that was, basically, created by your company.

Re: OpenVPN SHA256 + UDP

Posted: Sat Jul 14, 2018 8:48 pm
by linux99x
After being a loyal customer for the past 5 years, I have decided today the v7 unicorn and/or this ongoing udp and tls lack of support in openvpn makes these routers useless in my future. Lack of response to the complaints or anything beside hopeless post of v7 feature set demonstrates the future of this product. Moving to the U despite holding out hope for this support for the last 2 years. Anyone wanting to use any of today's standard vpn services should avoid this product line due to hours of frustration and lost time searching these forums for a solution that does not exist.

Re: OpenVPN SHA256 + UDP

Posted: Wed Oct 03, 2018 11:45 pm
by LDI
First of all, let me say thank you for making a reliable and affordable product.

Still, I would also need OVPN+SHA256...right now, my Mikrotik has to forward a few hosts to a low end wireless router, running LEDE, which is perfectly able to handle OVPN+SHA256...

I would like to setup the tunnel on the Mikrotik (which is also my default gateway), keeping my actual OVPN configuration.

I love RouterOS...but if I can't find any proper solution for this, I may just end up flashing it to LEDE...

Re: OpenVPN SHA256 + UDP

Posted: Sat Dec 01, 2018 11:23 pm
by openpass
WTF?!?!
I thought that mikrotik was a really cool device...
This is unreal, an openvpn client without UDP support!!! Without support for SHA512 and SHA256.
Also, mikrotik doesn't support DoH (DNS over HTTPS) such as cloudflare and google!
What kind of stupid developers are creating and updating RouterOS ?!

Re: OpenVPN SHA256 + UDP

Posted: Sun Dec 02, 2018 8:30 am
by schadom
> WTF?!?!
> I thought that mikrotik was a really cool device...
> This is unreal, an openvpn client without UDP support!!! Without support for SHA512 and SHA256.
> Also, mikrotik doesn't support DoH (DNS over HTTPS) such as cloudflare and google!
> What kind of stupid developers are creating and updating RouterOS ?!

Calm down. Almost nobody supports DoH yet. UDP and SHA2 support for OpenVPN have been requested already many times but they stated why this is currently difficult to implement. I'm pretty certain they are working on this for ROSv7.

Re: OpenVPN SHA256 + UDP

Posted: Sun Dec 02, 2018 10:59 am
by openpass

> Calm down. Almost nobody supports DoH yet. UDP and SHA2 support for OpenVPN have been requested already many times but they stated why this is currently difficult to implement. I'm pretty certain they are working on this for ROSv7.

I found requests for UDP in this forum that are 11 years old: viewtopic.php?t=20537
I heard about ROSv7 beta 1 3 years ago
Nothing changes...
If ROSv7 is coming in the far, far future, please don't forget to add the tls-crypt option for openvpn (without this, ovpn can't work in china and, in the near future, in russia)

Re: OpenVPN SHA256 + UDP

Posted: Sun Dec 02, 2018 1:06 pm
by msatter
I don't think RouterOS v7 is that far away. Some v7 features are already implemented in v6.

On the DNS part there are better programs like Unbound that do all that, in an excellent way.

Re: OpenVPN SHA256 + UDP

Posted: Tue Apr 23, 2019 11:08 am
by recipher
Hi,

Sorry to bring up an old thread, though it would be brilliant if we can get some form of reliable feedback regarding the old standing question of UDP & SHA256 support for OpenVPN Client.

Understand it is a difficult item....just really difficult to standardize Mikrotik when this one feature is included with basic DD-WRT / OpenWRT / Tomato / Lede yet neglected by Mikrotik.

Can it even be done? If so, WILL it ever be done? If the answer is Yes, does this mean we may have this feature in 2019?

Re: OpenVPN SHA256 + UDP

Posted: Thu May 23, 2019 6:54 pm
by ofirule
+1

configuring using regular openvpn config file would also be great

Re: OpenVPN SHA256 + UDP

Posted: Thu May 23, 2019 7:24 pm
by r00t
State of OpenVPN in ROS 6.x is pretty much WONTFIX and other long OpenVPN UDP thread got locked up.
For any new features we have to wait for ROS 7.x (who knows how long) or just buy other hardware that does what you need today...

Re: OpenVPN SHA256 + UDP

Posted: Sat Jun 22, 2019 7:58 pm
by xorinzor
Just purchased my Mikrotik router, but was pretty annoyed to find out that I couldn't configure my VPN because the router lacks SHA256.
What's even worse is the seeming lack of response from MikroTik. Quite worrying in fact to see that they apparently don't take security that seriously.

Re: OpenVPN SHA256 + UDP

Posted: Wed Jun 26, 2019 8:41 am
by recipher
Hello Mikrotik Engineers,

I know you have received many requests regarding OpenVPN UDP support, however it is proving almost impossible to get a clear answer.

We (just like the hundreds of other MT users) have a huge requirement for OpenVPN UDP support. Whilst we can (and do) use IP & SSTP tunnels for Mikrotik to Mikrotik VPN's, we have many sites that explicitly require OpenVPN + UDP support.

This is usually outside of our control as we are connecting to non Mikrotik services.

Additionally, UDP + SHA256 / SHA512 is becoming the standard.

What is the likelihood of Mikrotik Supporting OpenVPN UDP Support with SHA256 / SHA512 in the near future (ie. next 6 - 12 months)?


We trust you understand there must be hundreds (if not thousands) of users / devices that MUST use the above settings. Whilst we can implement alternative hardware, we would like to maintain uniformity with MT products where we can.

IF this is very unlikely to ever happen, please just let us know so we can all look to another solution.

Sincerely,

reCIPHER Group Australia

Re: OpenVPN SHA256 + UDP

Posted: Sun Jun 30, 2019 3:20 pm
by kobuki
> Hello Mikrotik Engineers,
>
> I know you have received many requests regarding OpenVPN UDP support, however it is proving almost impossible to get a clear answer.

I'm all for Mikrotik and I use a lot of their devices, physical and virtual ROS, and they are mostly great, but I'm afraid proper OVPN support is but a wet dream. They keep promising advances in this area but nothing significant ever happens. It seems that attracting users needing this feature is not financially viable. That's the only practical reason I can think of. Technical issues can all be solved, they have good network engineers and programmers. Too bad though, I found that OVPN is practically the only free solution that is almost problem-free on the client side (far from perfect, though), has a good performance and feature set with good client OS support.

Re: OpenVPN SHA256 + UDP

Posted: Sun Jun 30, 2019 3:25 pm
by bronco
+1 SHA256
+1 UDP

Re: OpenVPN SHA256 + UDP

Posted: Tue Jul 02, 2019 4:16 pm
by enzain
We all need full functional OpenVPN ... m.b. with special extension card, is ok .. but is needed :)

Re: OpenVPN SHA256 + UDP

Posted: Tue Jul 02, 2019 11:20 pm
by bronco
> We all need full functional OpenVPN ... m.b. with special extension card, is ok .. but is needed :)

Some boards like the hexS already even have more crypto hardware acceleration than supported by Mikrotik software. So there's no need for extra hardware, just more source code has to be written or reimplemented since OpenVPN has been running stable for years on other platforms... :cry:

Re: OpenVPN SHA256 + UDP

Posted: Tue Jul 23, 2019 5:36 pm
by tlaguz
+1 SHA256
+1 UDP

Re: OpenVPN SHA256 + UDP

Posted: Wed Sep 04, 2019 9:11 pm
by Dude2048
If nothing changes very very soon, I have to replace my tiks. Talking over 3000 devices. Replacements will come, and it won’t be MikroTiks.

My field of work demands ovpn.

Re: OpenVPN SHA256 + UDP

Posted: Wed Sep 04, 2019 9:12 pm
by kobuki
> If nothing changes very very soon, I have to replace my tiks. Talking over 3000 devices. Replacements will come.

May I ask what the replacements will be?

Re: OpenVPN SHA256 + UDP

Posted: Wed Sep 04, 2019 9:14 pm
by Dude2048
Something with a proper implementation. Selecting, testing and proof of concept starts within two months.

No further disclosures.

Re: OpenVPN SHA256 + UDP

Posted: Wed Sep 04, 2019 9:16 pm
by kobuki
> Something with a proper implementation. Selecting, testing and proof of concept starts within two months.
>
> No further disclosures.

Will you be allowed to tell after final selection is done?

Re: OpenVPN SHA256 + UDP

Posted: Wed Sep 04, 2019 9:28 pm
by Dude2048
Yes

Re: OpenVPN SHA256 + UDP

Posted: Wed Sep 04, 2019 9:50 pm
by pe1chl
MikroTik staff on the forum have written that requests for features that are backed up by sales should be sent to their sales address and/or their distributors, not posted on the forum.
Apparently (and understandably) requests via that channel have more priority. Requests on the forum must have near zero priority, as there have literally been thousands of requests for better openvpn.

Re: OpenVPN SHA256 + UDP

Posted: Wed Sep 04, 2019 10:01 pm
by Dude2048
Yes I know. I have read their statement. But this is an issue since 2010.... Maybe earlier. I contacted the distributor and said that there is nothing he can do. Since there are literally thousands of requests, MikroTik could listen a bit more seriously to some of them. Even though it is a user forum, their staff is reading along. But I am glad to have kid control.

However, the statement I made earlier stands.

Re: OpenVPN SHA256 + UDP

Posted: Wed Sep 04, 2019 10:38 pm
by kobuki
> this is an issue since 2010

It's almost like a disincentive in spite of other VPN tech like IPSEC which has a quite good implementation that keeps evolving. In retrospect, what we heard in the last 10 years about why NOT implement it properly sound like really bad excuses. Or it's an undisclosable licensing issue (SW stacks inside an MT box are not exactly open source, when interfacing gets into picture). I might be making up a contheo here, though.

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 11:27 am
by pe1chl
Yes I think it is a licensing issue. Somehow MikroTik cannot use the reference openvpn implementation and they had to write something themselves, which apparently was not done well and now nobody wants to touch that anymore.
I have had a router from another manufacturer that listed OpenVPN in its sales leaflet, but by the time I had updated the firmware to the latest revision it was gone. Forever.
So likely a similar issue.

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 12:09 pm
by kobuki
If at least we had a robust implementation of any virtualization tech in ROS for the lower-end devices, we would be able to add an image with a fully working OVPN implementation. It really baffles me that wherever we use MT devices and use OVPN (much more user friendly and easier to manage, support and pass through firewalls) we always need to add it to some other device or server.

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 12:21 pm
by pe1chl
> If at least we had a robust implementation of any virtualization tech in ROS for the lower-end devices, we would be able to add an image with a fully working OVPN implementation.

I think what we need is not virtualization as it (rudimentarily) exists now, but a feature to run user contributed programs on the router, which live in a chroot/limited privileges jail and can be configured to use simple network socket services and access to local configuration files only.
That could be used to implement OpenVPN and many other requested features for which a comparatively large number of requests is seen here, but for which there is no demand in the vast numbers of users of MikroTik equipment in general.
Running programs instead of virtualization uses much less resources and likely is easier to get going too.
Maybe, like the competitor does, a separate package of RouterOS containing this feature should be released so the plain users are protected from any additional security risks and the support department can handle issues occurring when using this feature at lower priority.
(similar to how some other competitors offer a "jailbreak" feature that gets indicated in generated support info and basically makes you lose product support)

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 12:30 pm
by kobuki
Virtualization is a ubiquitous technology nowadays. Almost all x86 and many ARM platforms (and more) are capable of running it. Kernel/cgroup based technologies (eg. Docker, LXC) are practically available anywhere where a Linux kernel is running. It's not rudimentary, it's rock solid (when properly integrated - no need to reinvent the wheel for the whole stack). Believe me, it's a LOT simpler for the manufacturer to allow users to upload an image instead of letting them in their file system and using quirks like chroot. Easier and cleaner resource separation, better security, simpler maintenance. But I think chances for this to happen are in the same probability tier as having a fully working OVPN stack.

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 12:33 pm
by pe1chl
RouterOS already has it. But newer small devices do not have enough resources (disk space, mainly) to use it.
And judging by the many demands for better OpenVPN, it does not suit the desires of most users anyway. Likely, it is too complicated to have 2 virtual routers for the task of implementing a VPN.

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 12:39 pm
by kobuki
I don't recall any of the device series released in the last couple of years actively supporting or advertising any kind of virtualization (not talking about x86 solutions here). Only one should be supported, if ever, not 2 or more. That wouldn't make sense. If the technology changes, so be it, but it should be one in general use for Linux kernels.

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 3:26 pm
by Sob
> Likely, it is too complicated to have 2 virtual routers for the task of implementing a VPN.

If I have to manage whole OpenWRT in MetaROUTER (assuming that my device supports it at all), I might as well get some Raspi-like device and use that instead. And it will be even easier, I will have more OS choices, etc. But mainly, VPN is basic thing that shouldn't need anything extra and router should be able to handle it by itself, I don't want another machine for that, physical or virtual.

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 6:10 pm
by pe1chl
> I don't recall any of the device series released in the last couple of years actively supporting or advertising any kind of virtualization

That is probably because it is advertised so little.
But the mipsbe and ppc devices have a feature called MetaROUTER which basically is virtualisation.
You can run a virtual router running RouterOS as well, or some externally obtained image that could e.g. be OpenWRT.

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 7:23 pm
by kobuki
I know what MR is and I used to use and test it. But it's not supported well and I have no idea what technology it uses. Seems left in ROS as a feature but it's effectively abandoned.

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 7:53 pm
by pe1chl
That is why I suggested a more lightweight approach which does not require special processor and kernel support and is the natural way to add functions: a user process.
And to keep it reasonably secure, use some existing Linux features to guard it.

Re: OpenVPN SHA256 + UDP

Posted: Thu Sep 05, 2019 7:58 pm
by kobuki
I already mentioned two of those. Support is in mainline for ages. Both stable, widely used. As for security, both can work unprivileged (no root access at all). A chroot is not a solution. But it's up to MT anyway and I'm not really keeping my hopes up in either subject.

Re: OpenVPN SHA256 + UDP

Posted: Mon Oct 14, 2019 11:50 am
by Niemi
UP OpenVPN with SHA256!

Re: OpenVPN SHA256 + UDP

Posted: Sun Nov 24, 2019 4:02 pm
by nobbie
Finally up and running with RouterOS 7.0 beta3! 😊

Re: OpenVPN SHA256 + UDP

Posted: Sun Nov 24, 2019 4:49 pm
by kobuki
> Finally up and running with RouterOS 7.0 beta3! 😊

Finally. That's nice. I see the new UDP option, however still no SHA2 HMAC or EC cipher algos there. Only the outdated MD5 and SHA1 and AES for cipher, which in itself is good, but not enough (no TLS auth either). Well, it's still a beta so hopefully we'll have a more or less complete implementation later in stable releases.

Re: OpenVPN SHA256 + UDP

Posted: Tue Feb 11, 2020 7:32 pm
by onlineuser
stable UDP and SHA512

Btw I now noticed that ovpn in ROS only supports md5 and sha1 (sha256, sha224, sha384, sha512). SHA512 would be fine!

Re: OpenVPN SHA256 + UDP

Posted: Wed Apr 29, 2020 7:09 pm
by SvenB
I do not really understand that they ignore their customers since over 10 years. The first request was 10 FCKING YEARS AGO FOR UDP SUPPORT.
It was my last Mikrotik router..

Re: OpenVPN SHA256 + UDP

Posted: Wed Apr 29, 2020 8:28 pm
by kobuki
> stable UDP and SHA512
>
> Btw I now noticed that ovpn in ROS only supports md5 and sha1 (sha256, sha224, sha384, sha512). SHA512 would be fine!

SHA256 and up are actually part of the SHA2 family of hashes, including SHA512. There's no practical difference between eg. SHA256 and SHA512. But still no GCM support, nor TLS auth.
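
An added example, not part of any post above and not MikroTik or OpenVPN project code: a small Python check that reads an OpenVPN client profile and lists the directives that posters in this thread report the RouterOS client cannot honor (UDP transport, SHA2 `auth`, GCM-only ciphers, `tls-auth`/`tls-crypt`, LZO). The limits and the sample profile are constructed from the posts, not from MikroTik documentation; the hypothetical `udp_supported=True` switch models the 7.0 beta3 report.

```python
import re

# HMAC digests the posters say the RouterOS OpenVPN client offers (assumption taken
# from the thread, not from vendor documentation).
REPORTED_AUTH = {"md5", "sha1"}

# Constructed provider profile for illustration; host name and key body are placeholders.
SAMPLE = """\
client
dev tun
remote vpn.example.net 1194
auth SHA256        # HMAC digest for the data channel
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-256-CBC
tls-version-min 1.2
comp-lzo no
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(placeholder)
-----END OpenVPN Static key V1-----
</tls-crypt>
"""


def parse_ovpn(text):
    """Return [(directive, [args])], skipping comments and inline <block> bodies."""
    out, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                              # inside <ca>...</ca>, <tls-crypt>..., etc.
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if m:                                  # inline file block counts as the directive
            block = m.group(1)
            out.append((block.lower(), ["[inline]"]))
            continue
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":                 # trailing comment
                break
            tokens.append(tok)
        out.append((tokens[0].lstrip("-").lower(), tokens[1:]))
    return out


def audit(text, udp_supported=False):
    """Return the sorted directive names the router is reported not to handle."""
    conf = parse_ovpn(text)
    issues = set()
    # OpenVPN defaults to UDP when no protocol is given; "remote host port proto" sets it too.
    protos = [a[0].lower() for n, a in conf if n == "proto" and a]
    protos += [a[2].lower() for n, a in conf if n == "remote" and len(a) >= 3]
    if not udp_supported and (not protos or any(p.startswith("udp") for p in protos)):
        issues.add("proto")
    for name, args in conf:
        first = args[0].lower() if args else ""
        if name == "auth" and first not in REPORTED_AUTH:
            issues.add(name)
        elif name in ("cipher", "data-ciphers", "ncp-ciphers"):
            # Usable only if at least one offered cipher is AES in a non-GCM mode.
            offered = first.split(":")
            if not any(c.startswith("aes-") and not c.endswith("-gcm") for c in offered):
                issues.add(name)
        elif name in ("tls-auth", "tls-crypt"):
            issues.add(name)
        elif name == "comp-lzo" and first != "no":
            issues.add(name)
    return sorted(issues)


if __name__ == "__main__":
    print("RouterOS 6.x (as reported):", audit(SAMPLE))
    print("7.0 beta3 (as reported):  ", audit(SAMPLE, udp_supported=True))
```

A profile with no `proto` line is flagged because OpenVPN then uses UDP by default, which is easy to miss when comparing a provider's profile against a TCP-only client.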