Community discussions

MUM Europe 2020
 
July
just joined
Topic Author
Posts: 1
Joined: Wed Apr 25, 2012 3:53 pm

OVPN on new versoins ROS 6.0 and 5.1...

Wed Apr 25, 2012 4:27 pm

Good time of day

Do you plan to add support for UDP over (in) OVPN
and add the ability to automatically create certificates for client and server in the new version ROS 6 or 5.16 or higher ?
 
rbtux
just joined
Posts: 6
Joined: Wed Apr 18, 2012 4:27 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Wed Apr 25, 2012 4:58 pm

I really doubt that they are working on those features.

I switched to sstp (and with sstp-client 1.0.7 it finally works quite ok with linux...)
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Apr 26, 2012 10:36 am

v6 has features to generate certificats, and also SCEP.

OVPN UDP and LZO will not be added, at least not in the near future.
 
jandafields
Forum Guru
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Apr 27, 2012 2:49 am

I really doubt that they are working on those features.

I switched to sstp (and with sstp-client 1.0.7 it finally works quite ok with linux...)
I have had HORRIBLE stability issues with SSTP. I really wish SSTP worked better, but I (and other people on this forum) have problems with losing connection, etc.
 
slech
Long time Member
Long time Member
Posts: 533
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Apr 27, 2012 10:23 pm

mrz
Any alternatives for OpenVPN with push route possibilities ?
sorry for my english
 
jandafields
Forum Guru
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Apr 28, 2012 12:03 am

mrz
Any alternatives for OpenVPN with push route possibilities ?
You can get an actual OPVN server... I use one, it works great!
 
JanezFord
Member Candidate
Member Candidate
Posts: 264
Joined: Wed May 23, 2012 10:58 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Wed May 23, 2012 12:14 pm

v6 has features to generate certificats, and also SCEP.

OVPN UDP and LZO will not be added, at least not in the near future.
As those two options seem to be the two most requested options on your forums for quite some time it is realy hard for me, as an experienced programer and developer, to understand why does it take so much time for your developers to implement this. You have a working openvpn implementation which needs only to add compression (this realy should not be such a problem) and UDP support.

Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.

Certificate generation on local comp is not a problem.... not being able to connect my router to existing openvpn infrastructure is.

JF

RB450G
 
User avatar
RusConSPb
newbie
Posts: 28
Joined: Thu May 03, 2012 4:17 pm
Location: Helsinki, Finland

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sun Jun 24, 2012 3:06 pm

v6 has features to generate certificats, and also SCEP.

OVPN UDP and LZO will not be added, at least not in the near future.
Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.
Absolutly agree with JanezFord... Nobody understand what a problem to add UDP and LZO support... but more than that I can't understand why Mikrotik developers keep silence about the reasons of such fail... maybe it's government request (NSA, CIA etc.)? I think it's time for petition! Let's vote! :)
 
jandafields
Forum Guru
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sun Jun 24, 2012 9:56 pm

v6 has features to generate certificats, and also SCEP.

OVPN UDP and LZO will not be added, at least not in the near future.
Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.
Absolutly agree with JanezFord... Nobody understand what a problem to add UDP and LZO support... but more than that I can't understand why Mikrotik developers keep silence about the reasons of such fail... maybe it's government request (NSA, CIA etc.)? I think it's time for petition! Let's vote! :)

CIA and NSA are USA Entities. Mikrotik is not. I'm pretty sure there is no government involvement into the inclusion or exclusion of OVPN UPD.

I think Mikrotik simply doesn't like OVPN and they don't want to support it anymore. Simple as that.
 
User avatar
RusConSPb
newbie
Posts: 28
Joined: Thu May 03, 2012 4:17 pm
Location: Helsinki, Finland

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jun 25, 2012 2:02 am

I think if there is demand for OpenVPN from so many customers, it is necessary to reckon with it... OpenVPN is recognised the best and most secure VPN solution at the moment and it's just stupid to drop it as is... in real business there are no words like "we will not make our customers happy just because we don't like it", it's not a kindergarten really...
 
supportingit
just joined
Posts: 10
Joined: Sat Sep 11, 2010 5:09 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Tue Jun 26, 2012 9:28 am

I will, again, add a vote for OpenVPN UDP support in RouterOS. It's caused me no end of problems. I switched to Mikrotik to gain access to a steady supply of low cost VPN routers, and lack of proper OpenVPN support is the only real problem I have (Other than weird sector write issues and now a freeze in a previously working script after upgrades on some, not all, routers).

I like Mikrotik routers now, I must have close to a hundred from the 1100Ah through 411AR's, 450's, OmniTik's, and lots of 750's, with the 750UP being my new favourite, as I'm planning on using them to remotely bridge in phones for auto provisioning and power.
 
syadnom
Member
Member
Posts: 407
Joined: Thu Jan 27, 2011 7:29 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Jul 06, 2012 7:08 am

1) OPENVPN UDP is a highly wanted feature. I do PPTP over IPSEC because it's the only stable site-to-site VPN tech on mikrotik. SSTP is extremely unstable for me on all versions of routeros I have tested. Slow dialup times, frequent drops for no apparent reason.

2) SSTP is in theory really great. Fix the stability issue so we can use it in the real world please.
 
jandafields
Forum Guru
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Jul 06, 2012 7:13 am

1) OPENVPN UDP is a highly wanted feature. I do PPTP over IPSEC because it's the only stable site-to-site VPN tech on mikrotik. SSTP is extremely unstable for me on all versions of routeros I have tested. Slow dialup times, frequent drops for no apparent reason.

2) SSTP is in theory really great. Fix the stability issue so we can use it in the real world please.

AGREE! SSTP would be PERFECT for site-to-site... but it is VERY UNSTABLE. I have found that if you don't use public keys (which I *think* disables ecryption, then it works better... but that's not a good idea)

PLEASE FIX SSTP!!!!!!
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Jul 06, 2012 10:00 am

Latest ROS versions (5.18) has SSTP improvements.
 
syadnom
Member
Member
Posts: 407
Joined: Thu Jan 27, 2011 7:29 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Jul 06, 2012 5:40 pm

Latest ROS versions (5.18) has SSTP improvements.
I'm running 5.18 on my RB1200 and a RB751U, I just setup an SSTP tunnel and will watch it and see how it behaves.
 
syadnom
Member
Member
Posts: 407
Joined: Thu Jan 27, 2011 7:29 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Jul 06, 2012 8:11 pm

Latest ROS versions (5.18) has SSTP improvements.
I'm running 5.18 on my RB1200 and a RB751U, I just setup an SSTP tunnel and will watch it and see how it behaves.
This is many times more stable now. No drops since I brought up the tunnel. I was getting drops every 10-15 minutes before. Will continue testing but this is looking better now.


I still would like to see OVPN over UDP.
 
syadnom
Member
Member
Posts: 407
Joined: Thu Jan 27, 2011 7:29 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sun Jul 08, 2012 6:08 am

Ok, so SSTP is actually stable now (as in the connection stays up) but the connection has inconsinstent latency.

PPTP tunnel consistent 53ms
PPTP over ipsec, same 53ms consistent
SSTP 58-220ms wildly inconsistent.
L2TP over ipsec, 53ms consistent

jitter on the PPTP and L2TP is a max of about 6ms, vs over 160ms on the SSTP.


so SSTP, while more stable, is still useless.
 
ujemvi
just joined
Posts: 12
Joined: Wed May 16, 2012 9:37 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jul 30, 2012 10:47 pm

UDP for OpenVPN would simplify my life a lot.
 
grg
newbie
Posts: 44
Joined: Fri Aug 20, 2010 9:51 am
Location: Latvia

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Aug 03, 2012 12:34 am

In my opinion, MikroTik team should take VPN issues more seriously. What's the point of manufacturing hardware like RB1100AHx2 with encryption acceleration, when you can't use it in real life scenarios. I mean, you have an option to use it, but then you are faced with all those issues people are talking about on this forum.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Aug 03, 2012 11:01 am

Hardware acceleration can be used only by Ipsec.
 
Annihilator
just joined
Posts: 8
Joined: Wed May 30, 2007 12:38 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Aug 03, 2012 2:30 pm

OpenVPN over TCP is practically useless. OpenVPN over UDP is the only way to run such a tunnel that makes sense, both in theory and in practice. Encapsulating stateful and stateless protocols into a stateful tunnel is fundamentally flawed. PPTP uses GRE and L2TP uses UDP - that is why they work well. SSTP uses TCP - barely usable, and no amount of tweaks is going to change that. The only thing going in favor of SSTP is user convenience, nothing else.

As for OpenVPN, as far as I'm concerned, either implement UDP or remove it altogether.
 
djdrastic
Member
Member
Posts: 305
Joined: Wed Aug 01, 2012 2:14 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Aug 11, 2012 12:58 pm

OpenVPN over TCP is practically useless. OpenVPN over UDP is the only way to run such a tunnel that makes sense, both in theory and in practice. Encapsulating stateful and stateless protocols into a stateful tunnel is fundamentally flawed. PPTP uses GRE and L2TP uses UDP - that is why they work well. SSTP uses TCP - barely usable, and no amount of tweaks is going to change that. The only thing going in favor of SSTP is user convenience, nothing else.

As for OpenVPN, as far as I'm concerned, either implement UDP or remove it altogether.
Agreed.At this point in time I have to buy a seperate centos box w/openvpn + udp just to do the vpn side of things , as I've had all sorts of troubles with openvpn over tcp in the past.It's ok when you just want to make a quick tunnel and test p2p functionality or setup a tiny site but anything that requires intense inter-site voip or huge transfers (In my case server replication) it fails miserably.
 
blueiom
just joined
Posts: 11
Joined: Sat Aug 04, 2012 1:42 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sun Aug 12, 2012 10:48 pm

Supporting OpenVPN without UDP is like having a car with no wheels. Looks the same but utterly useless.

Mikrotik please support USP and LZO (the basis of 99% of ALL openvpn connections) or remove the feature entirely. We use OpenVPN all over our network.

Thanks
 
graba
just joined
Posts: 2
Joined: Thu Apr 14, 2011 11:50 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Jan 03, 2013 10:39 am

Please add UDP to ovpn. Why do not you listen to customers?
 
supportingit
just joined
Posts: 10
Joined: Sat Sep 11, 2010 5:09 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Wed Jan 09, 2013 2:31 am

UDP support for the ovpn client/server is essential, and much needed. I have over 70 sites, and let me tell you, ANY kind of vpn running over TCP is a nightmare.

OpenVPN is flexible, mature, and an rb750 that has UDP based ovpn would be a godsend for me.

Seriously, Mikrotik, it is a repeatedly demanded feature, and should have a higher priority than some of the fluff like metarouter and partitioning.
 
User avatar
elgo
Member Candidate
Member Candidate
Posts: 151
Joined: Sat Apr 02, 2011 2:34 am
Location: France

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Jan 10, 2013 12:51 pm

Christmas is over, no UDP this year either :)

Seriously, if you want a full featured openvpn server so badly on your devices, why not considering alternatives to rOS? Works great and stable.
RB450G - OpenWrt (so much more stable than with routerOS)
-> now: UBNT EdgeRouter Lite

(very unlikely to be MT customer again in the future)
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5950
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Jan 10, 2013 1:00 pm

Run openwrt on metarouter and set up ovpn from there. That would be the best you can currently do.
 
Ulypka
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Wed Jan 09, 2013 8:26 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Jan 10, 2013 1:15 pm

what's the problem of implementation in RouterOS ?
 
User avatar
elgo
Member Candidate
Member Candidate
Posts: 151
Joined: Sat Apr 02, 2011 2:34 am
Location: France

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Jan 10, 2013 5:07 pm

Run openwrt on metarouter and set up ovpn from there. That would be the best you can currently do.
You mean the problems that plagued metarouter for months are finally fixed?
I can read there that's not the case.

"Might work" is not acceptable, in the tech world I live in.
RB450G - OpenWrt (so much more stable than with routerOS)
-> now: UBNT EdgeRouter Lite

(very unlikely to be MT customer again in the future)
 
infused
Member
Member
Posts: 305
Joined: Fri Dec 28, 2012 2:33 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Jan 12, 2013 12:21 am

Why does everyone want OpenVPN? I've never, ever seen it used in enterprise. It's GRE with IPSec, or just ipsec tunnels. Please explain to me why it's such a wanted feature?
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1825
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Jan 12, 2013 4:11 am

Why does everyone want OpenVPN? I've never, ever seen it used in enterprise. It's GRE with IPSec, or just ipsec tunnels. Please explain to me why it's such a wanted feature?
It baffles me too. I suspect it is due to the vey basic IPSEC support on RouterOS.
I would be happy to see Mikrotik add xauth, mode-cfg, nhtb and svti support to IPSEC and get rid of OpenVPN from RouterOS all together.
Last edited by nz_monkey on Sat Jan 12, 2013 8:54 pm, edited 1 time in total.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
Sob
Forum Guru
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Jan 12, 2013 1:05 pm

Who said RouterOS is only for enterprise use? There are tons of hobby users and small businesses and IMHO for those, OpenVPN is the best there is (meaning primarily for road warriors). It's extremely simple, yet powerful enough.
Perhaps for large-scale deployments, IPSec with all the features might be great. I can't really say much about that, I'm no expert. My personal experience however, is that IPSec is PITA to configure and I run into different problems too often. It seems that interoperability and having all the cool features available everywhere, is not really a common thing with IPSec.
So I guess I'm not alone and IPSec simply isn't the right choice for this target group. Which leaves us with PPTP (NAT troubles, so no thanks), L2TP/IPSec (we're scared of the second part already ;) ) or SSTP (still too many XPs out there). We're lucky to have OpenVPN. Using only single port, it can squeze though everywhere. In most cases, all the features are available (simply because it's mostly the same client, as there are not many third-party implementations; which I agree is kind of unfair to present as advantage, but as user I can't really complain about it).
I wish MikroTik reconsidered and made all their users happy. Btw, release notes of latest OpenVPN 2.3.0 include "Much of the code has been better documented", so maybe it could help, if it's really true?
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
infused
Member
Member
Posts: 305
Joined: Fri Dec 28, 2012 2:33 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Jan 12, 2013 2:50 pm

GRE works fine and takes two seconds to setup. VPNs were never meant to be used over slow connections, which I assume is why you want the UDP support?

The IPSec doesn't seem to be that basic. It has all the commands I'd use on a Cisco router...

Can you show me how OpenVPN is being used, connection type and application? I'm just curious.
 
Ulypka
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Wed Jan 09, 2013 8:26 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Jan 12, 2013 3:25 pm

Do not you think that there are firewalls?
ovpn and is the only solution
 
User avatar
elgo
Member Candidate
Member Candidate
Posts: 151
Joined: Sat Apr 02, 2011 2:34 am
Location: France

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Jan 12, 2013 7:33 pm

Why does everyone want OpenVPN? I've never, ever seen it used in enterprise. It's GRE with IPSec, or just ipsec tunnels. Please explain to me why it's such a wanted feature?
:lol:
Well, we live in different worlds, as it seems.
I just implemented OpenVPN + Token TFA for a worldwide company 2 months ago.

Live and learn.
RB450G - OpenWrt (so much more stable than with routerOS)
-> now: UBNT EdgeRouter Lite

(very unlikely to be MT customer again in the future)
 
dog
Member Candidate
Member Candidate
Posts: 186
Joined: Wed Aug 12, 2009 3:37 pm
Location: Germany

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sun Jan 13, 2013 11:37 pm


Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.
Stubbornness.

OpenVPN/UDP is the by far most requested feature on the forums and in the wiki and MT rather chose to implement an SMB server, that no one wanted...
 
User avatar
elgo
Member Candidate
Member Candidate
Posts: 151
Joined: Sat Apr 02, 2011 2:34 am
Location: France

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jan 14, 2013 11:59 am


Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.
Stubbornness.

OpenVPN/UDP is the by far most requested feature on the forums and in the wiki and MT rather chose to implement an SMB server, that no one wanted...
Sooooo true :lol:
RB450G - OpenWrt (so much more stable than with routerOS)
-> now: UBNT EdgeRouter Lite

(very unlikely to be MT customer again in the future)
 
supportingit
just joined
Posts: 10
Joined: Sat Sep 11, 2010 5:09 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jan 14, 2013 12:27 pm

Usage scenario 1: In use with two major global retailers and major oil company.
Remote support.
Backups of databases are taken daily to a central location from a variety of sites around the world, from a truck in Russia to an oil refinery in the UK for specialised machinery.
Remote control provides exceptionally quick response times to any issues, this includes access to webcams allowing remote support to see into the machines as well as vnc to the desktops and access to the networked PLC's. My implementation of this solution has literally cut site visits by engineers by 98-99 percent.
As a bonus, other applications can use the links to get realtime information on stock levels.
Support is initiated via a custom written xmpp application with google translate hooked in, to allow easy communication without much in the way of language barriers. Remote support team size is drastically reduced as a result. All this is achieved over standard broadband connections with low cost vpn routers (as hardware is very vulnerable to staff in high turnover situations, think being pinched or users circumventing access controls attempting to surf porn on public facing computers, both of which have happened), further reducing cost.


Usage scenario 2:
Remote access - road warrior style.
User is an international auditor, and has no control over internet connections, yet needs access to his email and files remotely and securely. Needed a secure, reliable solution that was able to navigate firewalls and proxies with a minimum of intervention.

In both of these, depending on the location, like a truck in Russia using 3G connections, network availability is dictated by location, not by wishful thinking. So saying "VPNs were never meant to be used over slow connections" is not realistic.

Why do any of us use Mikrotik? Cost I'm guessing. Sure you can do it all with other equipment, but for me, I need reliability of supply and it needs to be cheap. I don't want to be using five or six differing brands and configurations when I can standardise on one. As I'm sure we are all aware, support is a very cost concious area, no one wants to spend, as it is seen as wasted money as it isn't used constantly, but is screamed about if it doesn't work totally reliably.
 
Basiley
Member Candidate
Member Candidate
Posts: 101
Joined: Thu Dec 06, 2012 2:42 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jan 14, 2013 1:11 pm

full-caps OVPN support in ROS could b nice even for home consumers[access to home network, check home, kids, pets, flowers], let alone corporate/job needs.
what else 4 that ? PPTP ? pff.... IPSec over L2TP ? hm. SSTP ? even less interesting.
 
patrickmkt
Member Candidate
Member Candidate
Posts: 157
Joined: Sat Jul 28, 2012 5:21 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jan 14, 2013 4:16 pm

I am too voting for a full OVPN support in ROS.
 
Sob
Forum Guru
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jan 14, 2013 9:02 pm

Exactly. Remote access to internal network from wherever user happens to be, no matter how bad that connections is, that's what it's perfect for. Personally I miss pushing routes a little more than udp support, but I wouldn't say "no" to that either. Or just implement everything and combined with user-friendly interface provided by WinBox, it will be absolute killer. :)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
blueiom
just joined
Posts: 11
Joined: Sat Aug 04, 2012 1:42 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Tue Jan 15, 2013 3:37 pm

I don't think I've ever come across a company so stubborn to change. The most requested feature (and by a country mile) and not even a comment as to why they won't support it.
 
bradg
newbie
Posts: 42
Joined: Tue Feb 01, 2005 9:50 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Jan 17, 2013 12:50 am

Do not you think that there are firewalls? ovpn and is the only solution
The top two reasons I use it between sites, as well as for remote access:

UDP transport - stateless, with very few (if any) issues passing through a firewall
Basic routing support - ability to push routes to clients or other sites for multi-subnet installations
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1825
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Jan 17, 2013 3:50 am

Do not you think that there are firewalls? ovpn and is the only solution
The top two reasons I use it between sites, as well as for remote access:

UDP transport - stateless, with very few (if any) issues passing through a firewall
Basic routing support - ability to push routes to clients or other sites for multi-subnet installations
UDP transport - Can be provided by IPSEC with NAT-T
Basic routing support - Can be provided by IPSEC with VTI (aka SVTI) support

Unfortunately Mikrotik's IPSEC implementation is just as lacking as their OpenVPN implementation. I would sooner see them bring their IPSEC functionality up to standard than invest more time in OpenVPN.

IPSEC is a standard and allows interoperability with many other vendors.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
blueiom
just joined
Posts: 11
Joined: Sat Aug 04, 2012 1:42 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Jan 17, 2013 2:51 pm

At the end of the day it comes down to what users want and if there are any alternatives available. Until now, there was no real alternative to Mikrotik products unless you wanted to "roll your own" Alix boards etc.

With Ubiquiti's new line of EdgeRouters, if they decide to support OpenVPN then I'm sure many hundreds of users will jump ship. We'll certainly be one of them as we shouldn't have to rework our network just because a vendor can't be bothered to support (or even comment on) the most widely used VPN standard out there.

Sorry if that sounds scathing but at the very least Mikrotik have an obligation to answer there users questions. By not evening discussing OpenVPN, they've opened themselves up to criticism.
 
Sob
Forum Guru
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Fri Jan 18, 2013 2:17 pm

That's not exactly true. They commented several times, it's just that the answer was always some form of "no". And if they are not ready to change that to "yes", there's not much to discuss.

I understand it's not easy for them. RouterOS is closed source, while OpenVPN is under GPL, so they can't just take the original code, make few modifications to integrate it into system and distribute the resulting binary. At the same time, there doesn't seem to be any real documentation for OpenVPN protocol, except the source code itself (correct me if I'm wrong), which is not good for anyone trying to create independent implementation.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
supportingit
just joined
Posts: 10
Joined: Sat Sep 11, 2010 5:09 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Jan 19, 2013 2:45 am

You can now get OpenVPN for the iPhone.
 
infused
Member
Member
Posts: 305
Joined: Fri Dec 28, 2012 2:33 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Jan 19, 2013 3:14 am

Still not getting why ovpn is better than a gre tunnel... what am I missing here? It seems it's being used in niche type situations...
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1825
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Jan 19, 2013 5:56 am

Still not getting why ovpn is better than a gre tunnel... what am I missing here? It seems it's being used in niche type situations...
Im guessing encrytion.

And yes OpenVPN is a niche technology. I have never seen an enterprise router with support for OpenVPN, and have never seen it being used outside of the soho/enthusiast segment.

IPSEC on the other hand.....
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
blueiom
just joined
Posts: 11
Joined: Sat Aug 04, 2012 1:42 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sat Jan 19, 2013 4:45 pm

OpenVPN is used to tunnel traffic without having to worry about firewalls. It is used in many fortune 500 companies including ours.

s
 
JanezFord
Member Candidate
Member Candidate
Posts: 264
Joined: Wed May 23, 2012 10:58 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sun Jan 20, 2013 1:32 pm

Still not getting why ovpn is better than a gre tunnel... what am I missing here? It seems it's being used in niche type situations...
Im guessing encrytion.

And yes OpenVPN is a niche technology. I have never seen an enterprise router with support for OpenVPN, and have never seen it being used outside of the soho/enthusiast segment.

IPSEC on the other hand.....
Well I could answer this post in two ways ...

1. Mikrotik with RouterOS IMHO is not targeted only for enterprise but also for SOHO and even home use for advanced users. Some of them prefer using OpenVPN for their VPN connections.

2. I have seen OpenVPN being used in enterprise enviroment on several ocasions. And ALWAYS with UDP which RouterOS implementation (sadly) does not support, sometimes even with LZO - don't ask me, I did not set up those systems, I just have to connect to them! We had to set up intel atom boxes for our clients to do the job for now (we will test Edgemax when it's avaliable). Metarouter is a joke!

Mikrotik: Do you realy think all those people over the years request full openvpn support just for fun or what??

JF
 
Sob
Forum Guru
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sun Jan 20, 2013 4:50 pm

IMHO it's wrong way to make it a competition between IPSec and OpenVPN. Even if MikroTik supported either one 100%, need for the other one would not go away. They may be each appealing to different target groups (well, not strictly), but both are popular enough to not perish any time soon. We need both.

I'm just wondering if MikroTik has any estimates how many of their possible customers are currently forced to buy hardware and/or software from other vendors, because of missing features in RouterOS. And it's not only OpenVPN or IPSec, check the "feature requests" page on wiki and you'll find several important or useful ones. Years old, without much hope to be implemented soon or perhaps ever. They may not look as much important if people managed to live without them so far, but it often means they simply get them elsewhere. I may of course be wrong, but it seems to me that if MikroTik hired few more people to implement these things, they'd get the costs back in increased sales in no time.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
doush
Long time Member
Long time Member
Posts: 625
Joined: Thu Jun 04, 2009 3:11 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jan 21, 2013 7:34 pm

Sadly the answer is always a "no" from mikrotik about this most requested feature.

On the other hand, in every RouterOS release with new features, I wonder who the hell requests those new features which are useless at all like SMB. WTF ?

Who uses it on a router ?

And think about fastpath now for example. It is very useful and I am sure it is implemented in no time after the publication of the Edgemax vs RouterOS benchmark sheet. If it was this easy to implement this, why they have been waiting all this time ?

so simply, mikrotik seems they are more influenced by the direct competiton in terms of adding new features, rather than customer requests.
 
friction
newbie
Posts: 40
Joined: Sun Aug 26, 2012 1:27 pm
Location: Werchter, Belgium

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jan 21, 2013 9:52 pm

I would also like to see a real reason why OpenVPN's UDP feature has not yet been implemented in rOS...
One of the advantages of the UDP-version is that it creates less overhead for both the connection and the router...
Running a metarouter only to get the UDP version seems kinda ridiculous.
I am not a complete idiot, some parts are missing. [CCNA Sec / CCNP / LPIC-1]
 
blueiom
just joined
Posts: 11
Joined: Sat Aug 04, 2012 1:42 am

Re: OVPN on new versoins ROS 6.0 and 5.1...

Tue Jan 22, 2013 4:02 pm

Luckily EdgeMax includes FULL OpenVPN support. Mikrotik will have to add OpenVPN now or else face a mass exodus of customers.

s
 
bradg
newbie
Posts: 42
Joined: Tue Feb 01, 2005 9:50 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Wed Jan 23, 2013 1:19 am

Sadly the answer is always a "no" from mikrotik about this most requested feature.

On the other hand, in every RouterOS release with new features, I wonder who the hell requests those new features which are useless at all like SMB. WTF ?

Who uses it on a router ?

And think about fastpath now for example. It is very useful and I am sure it is implemented in no time after the publication of the Edgemax vs RouterOS benchmark sheet. If it was this easy to implement this, why they have been waiting all this time ?

so simply, mikrotik seems they are more influenced by the direct competiton in terms of adding new features, rather than customer requests.
It has struck me odd for many years now that MT has always taken the "everything but the kitchen sink" approach to features, but once implemented, many get little if any "love" by way of ongoing maintainance or enhancement.

If it were possible, I would really prefer to be able to strip ROS down to something much closer to the functionality I actually use in most cases - routing/bridging, wireless, and firewall functions only. I could see it being beneficial in terms of upgrade file size, memory footprint, and even vulnerability/bug containment. Unfortunately, the package granularity is far too coarse to accomodate that.

Now that an SMB server has been implemented (which I personally feel is pointless on a router, but would be a reasonable application for a metarouter - if it were stable on all platforms), I am actually surprised we haven't seen the addition of a print server, torrent downloader, and webcam server too.
 
elgrandiegote
newbie
Posts: 40
Joined: Tue Feb 05, 2013 6:02 am
Location: Buenos Aires, Argentina

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Feb 28, 2013 6:23 pm


Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.
Stubbornness.

OpenVPN/UDP is the by far most requested feature on the forums and in the wiki and MT rather chose to implement an SMB server, that no one wanted...
:mrgreen: sad but true
 
Catsix
just joined
Posts: 4
Joined: Fri Apr 12, 2013 1:43 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jun 03, 2013 12:27 am

Well, ROS 6 is out, don't see in the changelog :(

FYI, I've done an OpenVPN and IPSec setup, this is the difference on a 5Mbps line (was connected through WiFi though).
You do not have the required permissions to view the files attached to this post.
Last edited by Catsix on Thu Jun 06, 2013 9:54 am, edited 3 times in total.
 
Ivoshiee
Member
Member
Posts: 471
Joined: Sat May 06, 2006 4:11 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Mon Jun 03, 2013 5:32 am

That's not exactly true. They commented several times, it's just that the answer was always some form of "no". And if they are not ready to change that to "yes", there's not much to discuss.

I understand it's not easy for them. RouterOS is closed source, while OpenVPN is under GPL, so they can't just take the original code, make few modifications to integrate it into system and distribute the resulting binary. At the same time, there doesn't seem to be any real documentation for OpenVPN protocol, except the source code itself (correct me if I'm wrong), which is not good for anyone trying to create independent implementation.
Any license issues can be worked out. The ROS is using Linux kernel and tools to operate and those are majority GPL as well. Having one protocol implementation added to the mix should not be that difficult.
 
gregorg
just joined
Posts: 2
Joined: Wed Nov 06, 2013 12:36 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Wed Nov 06, 2013 12:50 pm

We (http://www.unwired.at) are running Austria´s biggest free WiFi network. We use only Ubiquiti Hardware because of the good OpenWRT support. The only thing that prevents us from using Mikrotik HW (which we would like to do) is the missing UDP support in MT´s OpenVPN.
 
User avatar
dynek
Member Candidate
Member Candidate
Posts: 197
Joined: Tue Jan 21, 2014 10:03 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Thu Jan 23, 2014 12:28 pm

I'm sure they are losing few bucks because of this.

Products page shows SoHo devices as well as professional devices, right ?
SoHo users make use of solution such as OpenVPN, not IPsec (at least, not always).

In another post, somebody from Mikrotik answered some user that creation of package for RouterOS doesn't make sense because then people will start using it for "non-router" related things.
Then what's the point in taking time to implement SMB ?

I've been searching there and there about MikroTik/RouterOS/OpenVPN and what I see is people complaining about lack of features and issues.
I agree with some of your customers that you shouldn't advertise RouterOS as including OpenVPN.
Last edited by dynek on Mon Mar 24, 2014 2:09 pm, edited 1 time in total.
 
miharoot
just joined
Posts: 21
Joined: Sun May 19, 2013 3:59 pm

Re: OVPN on new versoins ROS 6.0 and 5.1...

Sun Jan 26, 2014 9:59 am

Run openwrt on metarouter and set up ovpn from there. That would be the best you can currently do.
I understand that you advise me to buy a router which works fine openWRT and use that router but not mikrotik?

Who is online

Users browsing this forum: Google [Bot] and 92 guests