I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance.
OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never.
SHA256 is supported on the mentioned protocols, not sure why openvpn would be more compelling, maybe only to opensource lovers.
Calm down. Almost nobody supports DoH yet. UDP and SHA2 support for OpenVPN have been requested already many times but they stated why this is currently difficult to implement. I'm prettty certain they are working on this for ROSv7.WTF?!?!
I thinked that mikrotik realy cool device...
this is unreal, openvpn client without support UDP!!! Without support SHA512 and SHA256.
Same mikrotik don't support DoH (DNS over HTTPS) such as cloudflare and google!
What kind of stupid developers creating and updating reuterOS ?!
I found requests UDP in this forum 11 years old viewtopic.php?t=20537
Calm down. Almost nobody supports DoH yet. UDP and SHA2 support for OpenVPN have been requested already many times but they stated why this is currently difficult to implement. I'm prettty certain they are working on this for ROSv7.
I'm all for Mikrotik and I use a lot of their devices, physical and virtual ROS, and they are mostly great, but I'm afraid proper OVPN support is but a wet dream. They keep promising advances in this area but nothing significant ever happens. It seems that attracting users needing this feature is not financially viable. That's the only practical reason I can think of. Technical issues can all be solved, they have good network engineers and programmers. Too bad though, I found that OVPN is practically the only free solution that is almost problem-free on the client side (far from perfect, though), has a good performance and feature set with good client OS support.Hello Mikrotik Engineers,
I know you have received many requests regarding OpenVPN UDP support, however it is proving almost impossible to get a clear answer.
Some boards like the hexS already even have more crypto hardware accelleration than supported by Mikrotik software. So there's no need for extra hardware, just more source code has to be written or reimplemented since OpenVPN has been running stable for years on other platforms...We all need full functional OpenVPN ... m.b. with special extension card, is ok .. but is needed
It's almost like a disincentive in spite of other VPN tech like IPSEC which has a quite good implementation that keeps evolving. In retrospect, what we heard in the last 10 years about why NOT implement it properly sound like really bad excuses. Or it's an indisclosable licensing issue (SW stacks inside an MT box are not exactly open source, when interfacing gets into picture). I might be making up a contheo here, though.this is an issue since 2010
I think what we need is not virtualization as it (rudimentarily) exists now, but a feature to run user contributed programs on the router, which live in a chroot/limited privileges jail and can be configured to use simple network socket services and access to local configuration files only.If at least we had a robust implementation of any virtualization tech in ROS for the lower-end devices, we would be able to add an image with a fully working OVPN implementation.
If I have to manage whole OpenWRT in MetaROUTER (assuming that my device supports it at all), I might as well get some Raspi-like device and use that instead. And it will be even easier, I will have more OS choices, etc. But mainly, VPN is basic thing that shouldn't need anything extra and router should be able to handle it by itself, I don't want another machine for that, physical or virtual.Likely, it is too complicated to have 2 virtual routers for the task of implementing a VPN.
That is probably because it is advertised so little.I don't recall any of the device series released in the last couple of years actively supporting or advertising any kind of virtualization
Finally. That's nice. I see the new UDP option, however still no SHA2 HMAC or EC cipher algos there. Only the outdated MD5 and SHA1 and AES for cipher, which in itself is good, but not enough (no TLS auth either). Well, it's still a beta so hopefully we'll have a more or less complete implementation later in stable releases.Finally up and running with RouterOS 7.0 beta3!
SHA256 and up are actually part of the SHA2 family of hashes, including SHA512. There's no practical difference between eg. SHA256 and SHA512. But still no GCM support, nor TLS auth.stable UDP and SHA512
Btw I now noticed that ovpn in ROS only supports md5 and sha1 (sha256, sha224, sha384, sha512). SHA512 would be fine!