cmarsot
just joined
Topic Author
Posts: 9
Joined: Wed Oct 28, 2009 5:43 pm

Feature Request - OpenVPN - Certificates full support

Wed Nov 25, 2009 2:14 pm

Hi,
Is it possible to have a complete OpenVPN with complete certificate support?
I would like to have all my clients using certificates to connect on RouterOS.
I would also like support of CCD feature.
For example, here is what I want to do.

Clients with certificates on a pool 192.168.20.0/128
Admin with certificates on a pool 192.168.21.0/240 and CCD

Today I cannot do this with RouterOS 4.2.
 
tierpath
newbie
Posts: 47
Joined: Wed Oct 22, 2008 5:24 am

Re: Feature Request - OpenVPN - Certificates full support

Tue Dec 08, 2009 8:49 am

Good luck with that request.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request - OpenVPN - Certificates full support

Sat Dec 12, 2009 9:20 pm

I wish for this too. And also for more complete OpenVPN support in general. Especially the wonderful "push routes to clients" feature that I miss very much.

I don't really understand, why Mikrotik guys don't try to support as much as possible. OpenVPN is by far the best VPN solution available in ROS. Well, at least for road warrior scenario, where I don't know from which rotten network I'll have to connect.

World is full of NATs. PPTP is unusable. There are still stupid NATs that don't pass GRE correctly. The same goes for IPSec tunnels and L2TP/IPSec. Many NATs don't support NAT-T and without it there's no IPSec possible. OpenVPN needs only one open port on server and nothing special on client side. Unless some firewall blocks the needed port, it just works from anywhere. Plain L2TP without IPSec should probably work too, but then comes the routing thing...

I don't want and even can't use default gateway through VPN, because I need to be connected to more VPNs at the same time. This is where traditional PPTP/L2TP fails, because no routes are pushed from client to server. Only on Windows clients there's this not very clever "autorouting" feature, that guesses the route to remote network, based on network class (e.g. if address is 10.x.x.x, it adds route to 10.0.0.0/8). Nice try, but totally useless, when I need to access e.g. 10.0.0.0/24 over one VPN link and 10.0.1.0/24 over the other. So the only solution is setting routes manually. And full OpenVPN can solve it so easily.

Sorry for slight OT, but I think pushing routes and CCD are quite close.
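
Added example, not part of Sob's post: a small Python model of the routing problem described above, comparing the class-based route guess with explicit per-link routes of the kind a server could push. The link names, tunnel addresses and pushed prefixes are constructed for illustration.

```python
import ipaddress

# Constructed sample: tunnel addresses the client received on two simultaneous VPN links.
LINKS = {"vpn_a": "10.0.0.5", "vpn_b": "10.0.1.5"}
# Constructed sample: routes each server would push (hypothetical values).
PUSHED = {"vpn_a": ["10.0.0.0/24"], "vpn_b": ["10.0.1.0/24"]}


def classful_guess(client_ip):
    """Route guessed from the address class alone (A=/8, B=/16, C=/24)."""
    first_octet = int(client_ip.split(".")[0])
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError("no classful network for " + client_ip)
    return ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)


def build_table(links, pushed=None):
    """Return [(network, link)]: pushed routes if given, else the classful guess."""
    table = []
    for link, client_ip in links.items():
        if pushed:
            nets = [ipaddress.ip_network(n) for n in pushed[link]]
        else:
            nets = [classful_guess(client_ip)]
        table.extend((net, link) for net in nets)
    return table


def lookup(table, dest):
    """Longest-prefix match; more than one link in the result means an ambiguous route."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, link) for net, link in table if addr in net]
    if not matches:
        return set()
    best = max(plen for plen, _ in matches)
    return {link for plen, link in matches if plen == best}


if __name__ == "__main__":
    for label, table in (("classful", build_table(LINKS)),
                         ("pushed", build_table(LINKS, PUSHED))):
        print(label, "10.0.1.20 ->", sorted(lookup(table, "10.0.1.20")))
```

With the classful guess both links claim 10.0.0.0/8, so traffic for 10.0.1.20 has no unique path; with per-link /24 routes it resolves to one link only.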
 
domadm
just joined
Posts: 11
Joined: Sat Feb 06, 2010 9:48 pm

Re: Feature Request - OpenVPN - Certificates full support

Sat Feb 06, 2010 9:50 pm

Any news in this area?
I need the push route feature too. At least MikroTik developers should add a text field where we can put any config strings (like there is in pfSense).
 
roadracer96
Forum Veteran
Posts: 736
Joined: Tue Aug 25, 2009 12:01 am

Re: Feature Request - OpenVPN - Certificates full support

Thu Feb 18, 2010 5:59 am

I wish for this too. And also for more complete OpenVPN support in general. Especially the wonderful "push routes to clients" feature that I miss very much.
...
Sorry for slight OT, but I think pushing routes and CCD are quite close.

Pushing routes to clients is a must. I switched to MT from a Linux OVPN concentrator. Pushing routes from RADIUS to MT clients worked great. I just wish the MT OVPN server could do the same. I'm not looking forward to changing static routes on 100+ remote boxes when I could just add one line to an SQL database.
