MikroTik

Good time of day

Do you plan to add support for UDP over (in) OVPN
and add the ability to automatically create certificates for client and server in the new version ROS 6 or 5.16 or higher ?

I really doubt that they are working on those features.

I switched to sstp (and with sstp-client 1.0.7 it finally works quite ok with linux...)

v6 has features to generate certificats, and also SCEP.

OVPN UDP and LZO will not be added, at least not in the near future.

I really doubt that they are working on those features.

I switched to sstp (and with sstp-client 1.0.7 it finally works quite ok with linux...)

I have had HORRIBLE stability issues with SSTP. I really wish SSTP worked better, but I (and other people on this forum) have problems with losing connection, etc.

mrz
Any alternatives for OpenVPN with push route possibilities ?

mrz
Any alternatives for OpenVPN with push route possibilities ?

You can get an actual OPVN server... I use one, it works great!

v6 has features to generate certificats, and also SCEP.

OVPN UDP and LZO will not be added, at least not in the near future.

As those two options seem to be the two most requested options on your forums for quite some time it is realy hard for me, as an experienced programer and developer, to understand why does it take so much time for your developers to implement this. You have a working openvpn implementation which needs only to add compression (this realy should not be such a problem) and UDP support.

Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.

Certificate generation on local comp is not a problem.... not being able to connect my router to existing openvpn infrastructure is.

JF

RB450G

v6 has features to generate certificats, and also SCEP.

OVPN UDP and LZO will not be added, at least not in the near future.

Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.

Absolutly agree with JanezFord... Nobody understand what a problem to add UDP and LZO support... but more than that I can't understand why Mikrotik developers keep silence about the reasons of such fail... maybe it's government request (NSA, CIA etc.)? I think it's time for petition! Let's vote!

v6 has features to generate certificats, and also SCEP.

OVPN UDP and LZO will not be added, at least not in the near future.

Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.

Absolutly agree with JanezFord... Nobody understand what a problem to add UDP and LZO support... but more than that I can't understand why Mikrotik developers keep silence about the reasons of such fail... maybe it's government request (NSA, CIA etc.)? I think it's time for petition! Let's vote!

CIA and NSA are USA Entities. Mikrotik is not. I'm pretty sure there is no government involvement into the inclusion or exclusion of OVPN UPD.

I think Mikrotik simply doesn't like OVPN and they don't want to support it anymore. Simple as that.

I think if there is demand for OpenVPN from so many customers, it is necessary to reckon with it... OpenVPN is recognised the best and most secure VPN solution at the moment and it's just stupid to drop it as is... in real business there are no words like "we will not make our customers happy just because we don't like it", it's not a kindergarten really...

I will, again, add a vote for OpenVPN UDP support in RouterOS. It's caused me no end of problems. I switched to Mikrotik to gain access to a steady supply of low cost VPN routers, and lack of proper OpenVPN support is the only real problem I have (Other than weird sector write issues and now a freeze in a previously working script after upgrades on some, not all, routers).

I like Mikrotik routers now, I must have close to a hundred from the 1100Ah through 411AR's, 450's, OmniTik's, and lots of 750's, with the 750UP being my new favourite, as I'm planning on using them to remotely bridge in phones for auto provisioning and power.

1) OPENVPN UDP is a highly wanted feature. I do PPTP over IPSEC because it's the only stable site-to-site VPN tech on mikrotik. SSTP is extremely unstable for me on all versions of routeros I have tested. Slow dialup times, frequent drops for no apparent reason.

2) SSTP is in theory really great. Fix the stability issue so we can use it in the real world please.

1) OPENVPN UDP is a highly wanted feature. I do PPTP over IPSEC because it's the only stable site-to-site VPN tech on mikrotik. SSTP is extremely unstable for me on all versions of routeros I have tested. Slow dialup times, frequent drops for no apparent reason.

2) SSTP is in theory really great. Fix the stability issue so we can use it in the real world please.

AGREE! SSTP would be PERFECT for site-to-site... but it is VERY UNSTABLE. I have found that if you don't use public keys (which I *think* disables ecryption, then it works better... but that's not a good idea)

PLEASE FIX SSTP!!!!!!

Latest ROS versions (5.18) has SSTP improvements.

Latest ROS versions (5.18) has SSTP improvements.

I'm running 5.18 on my RB1200 and a RB751U, I just setup an SSTP tunnel and will watch it and see how it behaves.

Latest ROS versions (5.18) has SSTP improvements.

I'm running 5.18 on my RB1200 and a RB751U, I just setup an SSTP tunnel and will watch it and see how it behaves.

This is many times more stable now. No drops since I brought up the tunnel. I was getting drops every 10-15 minutes before. Will continue testing but this is looking better now.


I still would like to see OVPN over UDP.

Ok, so SSTP is actually stable now (as in the connection stays up) but the connection has inconsinstent latency.

PPTP tunnel consistent 53ms
PPTP over ipsec, same 53ms consistent
SSTP 58-220ms wildly inconsistent.
L2TP over ipsec, 53ms consistent

jitter on the PPTP and L2TP is a max of about 6ms, vs over 160ms on the SSTP.


so SSTP, while more stable, is still useless.

UDP for OpenVPN would simplify my life a lot.

In my opinion, MikroTik team should take VPN issues more seriously. What's the point of manufacturing hardware like RB1100AHx2 with encryption acceleration, when you can't use it in real life scenarios. I mean, you have an option to use it, but then you are faced with all those issues people are talking about on this forum.

Hardware acceleration can be used only by Ipsec.

OpenVPN over TCP is practically useless. OpenVPN over UDP is the only way to run such a tunnel that makes sense, both in theory and in practice. Encapsulating stateful and stateless protocols into a stateful tunnel is fundamentally flawed. PPTP uses GRE and L2TP uses UDP - that is why they work well. SSTP uses TCP - barely usable, and no amount of tweaks is going to change that. The only thing going in favor of SSTP is user convenience, nothing else.

As for OpenVPN, as far as I'm concerned, either implement UDP or remove it altogether.

OpenVPN over TCP is practically useless. OpenVPN over UDP is the only way to run such a tunnel that makes sense, both in theory and in practice. Encapsulating stateful and stateless protocols into a stateful tunnel is fundamentally flawed. PPTP uses GRE and L2TP uses UDP - that is why they work well. SSTP uses TCP - barely usable, and no amount of tweaks is going to change that. The only thing going in favor of SSTP is user convenience, nothing else.

As for OpenVPN, as far as I'm concerned, either implement UDP or remove it altogether.

Agreed.At this point in time I have to buy a seperate centos box w/openvpn + udp just to do the vpn side of things , as I've had all sorts of troubles with openvpn over tcp in the past.It's ok when you just want to make a quick tunnel and test p2p functionality or setup a tiny site but anything that requires intense inter-site voip or huge transfers (In my case server replication) it fails miserably.

Supporting OpenVPN without UDP is like having a car with no wheels. Looks the same but utterly useless.

Mikrotik please support USP and LZO (the basis of 99% of ALL openvpn connections) or remove the feature entirely. We use OpenVPN all over our network.

Thanks

Please add UDP to ovpn. Why do not you listen to customers?

UDP support for the ovpn client/server is essential, and much needed. I have over 70 sites, and let me tell you, ANY kind of vpn running over TCP is a nightmare.

OpenVPN is flexible, mature, and an rb750 that has UDP based ovpn would be a godsend for me.

Seriously, Mikrotik, it is a repeatedly demanded feature, and should have a higher priority than some of the fluff like metarouter and partitioning.

Christmas is over, no UDP this year either

Seriously, if you want a full featured openvpn server so badly on your devices, why not considering alternatives to rOS? Works great and stable.

Run openwrt on metarouter and set up ovpn from there. That would be the best you can currently do.

what's the problem of implementation in RouterOS ?

Run openwrt on metarouter and set up ovpn from there. That would be the best you can currently do.

You mean the problems that plagued metarouter for months are finally fixed?
I can read there that's not the case.

"Might work" is not acceptable, in the tech world I live in.

Why does everyone want OpenVPN? I've never, ever seen it used in enterprise. It's GRE with IPSec, or just ipsec tunnels. Please explain to me why it's such a wanted feature?

Why does everyone want OpenVPN? I've never, ever seen it used in enterprise. It's GRE with IPSec, or just ipsec tunnels. Please explain to me why it's such a wanted feature?

It baffles me too. I suspect it is due to the vey basic IPSEC support on RouterOS.
I would be happy to see Mikrotik add xauth, mode-cfg, nhtb and svti support to IPSEC and get rid of OpenVPN from RouterOS all together.

Who said RouterOS is only for enterprise use? There are tons of hobby users and small businesses and IMHO for those, OpenVPN is the best there is (meaning primarily for road warriors). It's extremely simple, yet powerful enough.
Perhaps for large-scale deployments, IPSec with all the features might be great. I can't really say much about that, I'm no expert. My personal experience however, is that IPSec is PITA to configure and I run into different problems too often. It seems that interoperability and having all the cool features available everywhere, is not really a common thing with IPSec.
So I guess I'm not alone and IPSec simply isn't the right choice for this target group. Which leaves us with PPTP (NAT troubles, so no thanks), L2TP/IPSec (we're scared of the second part already ) or SSTP (still too many XPs out there). We're lucky to have OpenVPN. Using only single port, it can squeze though everywhere. In most cases, all the features are available (simply because it's mostly the same client, as there are not many third-party implementations; which I agree is kind of unfair to present as advantage, but as user I can't really complain about it).
I wish MikroTik reconsidered and made all their users happy. Btw, release notes of latest OpenVPN 2.3.0 include "Much of the code has been better documented", so maybe it could help, if it's really true?

GRE works fine and takes two seconds to setup. VPNs were never meant to be used over slow connections, which I assume is why you want the UDP support?

The IPSec doesn't seem to be that basic. It has all the commands I'd use on a Cisco router...

Can you show me how OpenVPN is being used, connection type and application? I'm just curious.

Do not you think that there are firewalls?
ovpn and is the only solution

Why does everyone want OpenVPN? I've never, ever seen it used in enterprise. It's GRE with IPSec, or just ipsec tunnels. Please explain to me why it's such a wanted feature?

Well, we live in different worlds, as it seems.
I just implemented OpenVPN + Token TFA for a worldwide company 2 months ago.

Live and learn.

Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.

Stubbornness.

OpenVPN/UDP is the by far most requested feature on the forums and in the wiki and MT rather chose to implement an SMB server, that no one wanted...

Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.

Stubbornness.

OpenVPN/UDP is the by far most requested feature on the forums and in the wiki and MT rather chose to implement an SMB server, that no one wanted...

Sooooo true

Usage scenario 1: In use with two major global retailers and major oil company.
Remote support.
Backups of databases are taken daily to a central location from a variety of sites around the world, from a truck in Russia to an oil refinery in the UK for specialised machinery.
Remote control provides exceptionally quick response times to any issues, this includes access to webcams allowing remote support to see into the machines as well as vnc to the desktops and access to the networked PLC's. My implementation of this solution has literally cut site visits by engineers by 98-99 percent.
As a bonus, other applications can use the links to get realtime information on stock levels.
Support is initiated via a custom written xmpp application with google translate hooked in, to allow easy communication without much in the way of language barriers. Remote support team size is drastically reduced as a result. All this is achieved over standard broadband connections with low cost vpn routers (as hardware is very vulnerable to staff in high turnover situations, think being pinched or users circumventing access controls attempting to surf porn on public facing computers, both of which have happened), further reducing cost.


Usage scenario 2:
Remote access - road warrior style.
User is an international auditor, and has no control over internet connections, yet needs access to his email and files remotely and securely. Needed a secure, reliable solution that was able to navigate firewalls and proxies with a minimum of intervention.

In both of these, depending on the location, like a truck in Russia using 3G connections, network availability is dictated by location, not by wishful thinking. So saying "VPNs were never meant to be used over slow connections" is not realistic.

Why do any of us use Mikrotik? Cost I'm guessing. Sure you can do it all with other equipment, but for me, I need reliability of supply and it needs to be cheap. I don't want to be using five or six differing brands and configurations when I can standardise on one. As I'm sure we are all aware, support is a very cost concious area, no one wants to spend, as it is seen as wasted money as it isn't used constantly, but is screamed about if it doesn't work totally reliably.

full-caps OVPN support in ROS could b nice even for home consumers[access to home network, check home, kids, pets, flowers], let alone corporate/job needs.
what else 4 that ? PPTP ? pff.... IPSec over L2TP ? hm. SSTP ? even less interesting.

I am too voting for a full OVPN support in ROS.

Exactly. Remote access to internal network from wherever user happens to be, no matter how bad that connections is, that's what it's perfect for. Personally I miss pushing routes a little more than udp support, but I wouldn't say "no" to that either. Or just implement everything and combined with user-friendly interface provided by WinBox, it will be absolute killer.

I don't think I've ever come across a company so stubborn to change. The most requested feature (and by a country mile) and not even a comment as to why they won't support it.

Do not you think that there are firewalls? ovpn and is the only solution

The top two reasons I use it between sites, as well as for remote access:

UDP transport - stateless, with very few (if any) issues passing through a firewall
Basic routing support - ability to push routes to clients or other sites for multi-subnet installations

Do not you think that there are firewalls? ovpn and is the only solution

The top two reasons I use it between sites, as well as for remote access:

UDP transport - stateless, with very few (if any) issues passing through a firewall
Basic routing support - ability to push routes to clients or other sites for multi-subnet installations

UDP transport - Can be provided by IPSEC with NAT-T
Basic routing support - Can be provided by IPSEC with VTI (aka SVTI) support

Unfortunately Mikrotik's IPSEC implementation is just as lacking as their OpenVPN implementation. I would sooner see them bring their IPSEC functionality up to standard than invest more time in OpenVPN.

IPSEC is a standard and allows interoperability with many other vendors.

At the end of the day it comes down to what users want and if there are any alternatives available. Until now, there was no real alternative to Mikrotik products unless you wanted to "roll your own" Alix boards etc.

With Ubiquiti's new line of EdgeRouters, if they decide to support OpenVPN then I'm sure many hundreds of users will jump ship. We'll certainly be one of them as we shouldn't have to rework our network just because a vendor can't be bothered to support (or even comment on) the most widely used VPN standard out there.

Sorry if that sounds scathing but at the very least Mikrotik have an obligation to answer there users questions. By not evening discussing OpenVPN, they've opened themselves up to criticism.

That's not exactly true. They commented several times, it's just that the answer was always some form of "no". And if they are not ready to change that to "yes", there's not much to discuss.

I understand it's not easy for them. RouterOS is closed source, while OpenVPN is under GPL, so they can't just take the original code, make few modifications to integrate it into system and distribute the resulting binary. At the same time, there doesn't seem to be any real documentation for OpenVPN protocol, except the source code itself (correct me if I'm wrong), which is not good for anyone trying to create independent implementation.

You can now get OpenVPN for the iPhone.

Still not getting why ovpn is better than a gre tunnel... what am I missing here? It seems it's being used in niche type situations...

Still not getting why ovpn is better than a gre tunnel... what am I missing here? It seems it's being used in niche type situations...

Im guessing encrytion.

And yes OpenVPN is a niche technology. I have never seen an enterprise router with support for OpenVPN, and have never seen it being used outside of the soho/enthusiast segment.

IPSEC on the other hand.....

OpenVPN is used to tunnel traffic without having to worry about firewalls. It is used in many fortune 500 companies including ours.

s

Still not getting why ovpn is better than a gre tunnel... what am I missing here? It seems it's being used in niche type situations...

Im guessing encrytion.

And yes OpenVPN is a niche technology. I have never seen an enterprise router with support for OpenVPN, and have never seen it being used outside of the soho/enthusiast segment.

IPSEC on the other hand.....

Well I could answer this post in two ways ...

1. Mikrotik with RouterOS IMHO is not targeted only for enterprise but also for SOHO and even home use for advanced users. Some of them prefer using OpenVPN for their VPN connections.

2. I have seen OpenVPN being used in enterprise enviroment on several ocasions. And ALWAYS with UDP which RouterOS implementation (sadly) does not support, sometimes even with LZO - don't ask me, I did not set up those systems, I just have to connect to them! We had to set up intel atom boxes for our clients to do the job for now (we will test Edgemax when it's avaliable). Metarouter is a joke!

Mikrotik: Do you realy think all those people over the years request full openvpn support just for fun or what??

JF

IMHO it's wrong way to make it a competition between IPSec and OpenVPN. Even if MikroTik supported either one 100%, need for the other one would not go away. They may be each appealing to different target groups (well, not strictly), but both are popular enough to not perish any time soon. We need both.

I'm just wondering if MikroTik has any estimates how many of their possible customers are currently forced to buy hardware and/or software from other vendors, because of missing features in RouterOS. And it's not only OpenVPN or IPSec, check the "feature requests" page on wiki and you'll find several important or useful ones. Years old, without much hope to be implemented soon or perhaps ever. They may not look as much important if people managed to live without them so far, but it often means they simply get them elsewhere. I may of course be wrong, but it seems to me that if MikroTik hired few more people to implement these things, they'd get the costs back in increased sales in no time.

Sadly the answer is always a "no" from mikrotik about this most requested feature.

On the other hand, in every RouterOS release with new features, I wonder who the hell requests those new features which are useless at all like SMB. WTF ?

Who uses it on a router ?

And think about fastpath now for example. It is very useful and I am sure it is implemented in no time after the publication of the Edgemax vs RouterOS benchmark sheet. If it was this easy to implement this, why they have been waiting all this time ?

so simply, mikrotik seems they are more influenced by the direct competiton in terms of adding new features, rather than customer requests.

I would also like to see a real reason why OpenVPN's UDP feature has not yet been implemented in rOS...
One of the advantages of the UDP-version is that it creates less overhead for both the connection and the router...
Running a metarouter only to get the UDP version seems kinda ridiculous.

Luckily EdgeMax includes FULL OpenVPN support. Mikrotik will have to add OpenVPN now or else face a mass exodus of customers.

s

Sadly the answer is always a "no" from mikrotik about this most requested feature.

On the other hand, in every RouterOS release with new features, I wonder who the hell requests those new features which are useless at all like SMB. WTF ?

Who uses it on a router ?

And think about fastpath now for example. It is very useful and I am sure it is implemented in no time after the publication of the Edgemax vs RouterOS benchmark sheet. If it was this easy to implement this, why they have been waiting all this time ?

so simply, mikrotik seems they are more influenced by the direct competiton in terms of adding new features, rather than customer requests.

It has struck me odd for many years now that MT has always taken the "everything but the kitchen sink" approach to features, but once implemented, many get little if any "love" by way of ongoing maintainance or enhancement.

If it were possible, I would really prefer to be able to strip ROS down to something much closer to the functionality I actually use in most cases - routing/bridging, wireless, and firewall functions only. I could see it being beneficial in terms of upgrade file size, memory footprint, and even vulnerability/bug containment. Unfortunately, the package granularity is far too coarse to accomodate that.

Now that an SMB server has been implemented (which I personally feel is pointless on a router, but would be a reasonable application for a metarouter - if it were stable on all platforms), I am actually surprised we haven't seen the addition of a print server, torrent downloader, and webcam server too.

Can you please explain in a few words to us why mikrotik team does not wish to implement those features nevertheless they are requested by so many users on this forum for quite some time.

Stubbornness.

OpenVPN/UDP is the by far most requested feature on the forums and in the wiki and MT rather chose to implement an SMB server, that no one wanted...

sad but true

Well, ROS 6 is out, don't see in the changelog

FYI, I've done an OpenVPN and IPSec setup, this is the difference on a 5Mbps line (was connected through WiFi though).

That's not exactly true. They commented several times, it's just that the answer was always some form of "no". And if they are not ready to change that to "yes", there's not much to discuss.

I understand it's not easy for them. RouterOS is closed source, while OpenVPN is under GPL, so they can't just take the original code, make few modifications to integrate it into system and distribute the resulting binary. At the same time, there doesn't seem to be any real documentation for OpenVPN protocol, except the source code itself (correct me if I'm wrong), which is not good for anyone trying to create independent implementation.

Any license issues can be worked out. The ROS is using Linux kernel and tools to operate and those are majority GPL as well. Having one protocol implementation added to the mix should not be that difficult.

We (http://www.unwired.at) are running Austria´s biggest free WiFi network. We use only Ubiquiti Hardware because of the good OpenWRT support. The only thing that prevents us from using Mikrotik HW (which we would like to do) is the missing UDP support in MT´s OpenVPN.

I'm sure they are losing few bucks because of this.

Products page shows SoHo devices as well as professional devices, right ?
SoHo users make use of solution such as OpenVPN, not IPsec (at least, not always).

In another post, somebody from Mikrotik answered some user that creation of package for RouterOS doesn't make sense because then people will start using it for "non-router" related things.
Then what's the point in taking time to implement SMB ?

I've been searching there and there about MikroTik/RouterOS/OpenVPN and what I see is people complaining about lack of features and issues.
I agree with some of your customers that you shouldn't advertise RouterOS as including OpenVPN.

Run openwrt on metarouter and set up ovpn from there. That would be the best you can currently do.

I understand that you advise me to buy a router which works fine openWRT and use that router but not mikrotik?