It's a long standing request, and shouldn't be a lot of work.

i'm need this feature too.

Anyone knows anything about this? Will udp support be included in upcoming releases?

Maybe some from Mikrotik can tell us?

Chris

Bump... Can we please get an update on UDP support for OpenVPN? TCP over TCP simply does not work. Normis or Uldis an update please?

I'm waiting for this as well.

I would've loved it to be able to use a standard OpenVPN configuration file.

The drawbacks with the current OpenVPN server/client are:
* No UDP support
* Unable to host a server without a username/password combination
* Unable to push routes to clients

+1!!!

I really need this feature. Using TCP to encapsulate TCP gives me a very low throughput... and it's a shame, because it's really easy to set up an OpenVPN tunnel (well, at least when you've done it ten times and you discover how RouterOS like's it's certs and some other tricky detalis).

Mikrotik, what's holding you from implementing UDP for OpenVPN? At least it would be nice to know why it is taking so long...

Thank you!

+1 on this.

I have a few tunnels setup, and as they all have dynamic client side IP's I basically have no choice but to use OpenVPN.

Which means I have to use TCP mode and the performance is poor.

Do you need people to test this? Is there beta/alpha code? Is it just as simple as not that many people need it?

Help!

Daniel

I really need this feature too! Stuck using OpenVPN due to dynamic IP's on client locations/sites.

Will we get this soon?

I think it would be nice to add your vote here:

http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests

Probably someone should add all the votes from the v3 feature requests page which are not done yet:

http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests

Regards

I need it very much . a mikrotik guy comment please ?
When will support udp ?

Udp i faster than tcp , but more dificult to bound than tcp

Udp i faster than tcp , but more dificult to bound than tcp

What?

I run OpenVPN on a separate linux box, and it rocks. Performance, features, multiplatfom ease of use are quite good.

Im currently at 72 Ovpn tunnels and would REALLY like full ovpn support. LZO compression, UDP support, etc.

Ill be at over 100 Ovpn tunnels in about a month, all with MT hardware. Please Please Please!

Hi,

@roadracer96 Have you been able to measure the bandwidth that you are loosing by using tcp instead of the native bandwidth of your link? In my tests I loose at least 50% of the links native bandwidth (and there aren't any lost packets nor high latency).

@everyone Has someone played with MTU's to try to increase the OpenVPN links performance?

Thank you!

Is there any comparison between OpenVPN vs EOIP ?

The tunnels are fast and I dont think I am losing a lot of bandwidth. One tunnel was pushing about 5mbit for 3 days straight doing DFS replication to my office from a colocation and the speed on the LAN side of the tunnel was about the same. But this was over a wire, not over wireless, so full duplex, etc, etc.

BUT. UDP is less expensive in pretty much every aspect.

EDIT: OpenVPN is an encrypted, certificate based VPN. EOIP is not. No comparison...

I was always using OpenVPN on my Linksys WRT54GL with DD-WRT firmware, which allowed me to open PPPoE client connections via the OpenVPN tunnel. Since I got a RB750, I've changed over to PPTP VPN, which doesn't allow me to open PPPoE connections over the VPN tunnel.

I've used the TCP based OpenVPN connection over a Wireless network, and the throughput was reasonably decent, considering the TCP overhead.

I would really be grateful if OpenVPN features would be expanded in ROS...

Vote +1

EDIT: OpenVPN is an encrypted, certificate based VPN. EOIP is not. No comparison...

I mean a comparison in performance,overhead,reliability etc between EOIP and OpenVPN

I mean a comparison in performance,overhead,reliability etc between EOIP and OpenVPN

EoIP will perform faster. For one EoIP is just using a plain GRE tunnel with a few Mikrotik added extensions and OpenVPN is an encrypted tunnel. Obviously EoIP will be faster. Currently reliability would be greater with EoIP as the Mikrotik implementation of OpenVPN only supports TCP which is problematic when running TCP over TCP.

+1..

The performance of OpenVPN TCP is too bad... why MikroTik don't add UDP feature? Why can't see any official staff reply this issue? Please stand out here and tell us there any schedule or difficult?

Thanks.

I must say I agree. We've never heard a definitive answer on this issue. Question: Why? So simple, yet no answer.

Has anyone seen an OpenVPN solution on any device support only TCP? Please respond if you could, anyone, I'm really curious. I'm wondering what's the difficulty in adding UDP support.

Anyway, please anyone respond, this is getting very old, and yes, very frustrating.

...
Anyway, please anyone respond, this is getting very old, and yes, very frustrating.

+1, we need answer to this question. It may or may not easy to implement this feature, but OpenVPN (the original one) has both TCP and UDP support, it's incomplete implementation right now. We need the UDP and LZO compression too. Please, just say a date eg. 2011. July and we'll wait for it, but now we don't have any info.

vote +1

OpenVPN support UDP is too important!!!!!!

I think the official opinion on this is "Why do you need that, if you want UDP based tunneling use L2TP"

To be honest, L2TP does work rather nicely

We also have SSTP now, which works great and has the same benefits as OpenVPN. It's currently not popular yet, and (except RouterOS) it's supported only in Windows, but technically it's very interesting.

Isn't SSTP also TCP-based and suffers from the TCP-meltdown problem?

Practically (i am on a SSTP tunnel all the time now, for testing), I couldn't say there is a performance difference with or without the tunnel. Local network file transfers are just as fast.

We also have SSTP now, which works great and has the same benefits as OpenVPN. It's currently not popular yet, and (except RouterOS) it's supported only in Windows, but technically it's very interesting.

SSTP does NOT work great... Tried it in 5b1 and 5b2 and it still has a long way to go.... IIRC, it disconnects every 2 minutes. There is some workaround on the client-side, but hacks arent really feasible for me with over 100 MT->MT VPN tunnels.

To be honest, L2TP does work rather nicely
I think the official opinion on this is "Why do you need that, if you want UDP based tunneling use L2TP"

To be honest, L2TP does work rather nicely

Yeah, except IPSEC is severely lacking... So again, you are left with MPPE-128 instead of 192/256bit certificate VPNs... There are many applications where there is a legal, or procedural requirement to use certificates.

Maybe the difference is that I use beta3 ?

Maybe the difference is that I use beta3 ?

Gimme!

We are about to release, it has numerous important fixes and improvements.

Why is Mikrotik ignoring all those request for UDP based OpenVPN and proposing and TCP VPN solution as an alternative ?

Why is Mikrotik ignoring all those request for UDP based OpenVPN and proposing and TCP VPN solution as an alternative ?

OpenVPN is very very buggy and hard to implement. Our developers almost all committed suicide trying to make it work. It's a big mess, so we can't continue to implement it 100%

Why is Mikrotik ignoring all those request for UDP based OpenVPN and proposing and TCP VPN solution as an alternative ?

OpenVPN is very very buggy and hard to implement. Our developers almost all committed suicide trying to make it work. It's a big mess, so we can't continue to implement it 100%

I disagree. Before I used MT for my VPN concentrator, I had a standard CentOS box with OpenVPN from source running flawlessly with RADIUS/certificate authentication using UDP and LZO compression.

I switched to MT because I figured an embedded system would end up being more reliable and manageable than a full PC.

Another problem with it, client and server end must match configuration 100%. if you have different clients connecting, this will be a huge pain to get done. OpenVPN is hard to configure. Maybe not for you, but in comparison to our other options.

Another problem with it, client and server end must match configuration 100%. if you have different clients connecting, this will be a huge pain to get done. OpenVPN is hard to configure. Maybe not for you, but in comparison to our other options.

Previously, I had Windows and linux clients connecting to it... The only difference is the limitation on the Windows side and not being able to do point-to-point addresses (Windows will only do a /30 in the tap32 interface).

I dunno.. It was easy for me to setup...

PS: I think I figured out why OpenVPN would bomb out my RB1000 randomly. I put a script in that runs every minute removing invalid IP addresses... So far, that seems to fix it. OpenVPN IPs seem to stick around in certain disconnect situations for some reason..

OpenVPN comes with scripts to automate the process (If you ask nicely, I'll send you my scripts to automate the process even more.) You'll also want to ensure the client's key expires within a reasonable amount of time and require a password. Also, OpenVPN supports static keys which is good for LAN-to-LAN connections. It can be a bit scary letting remote users have a static key out in the wild, so a public/private key exchange is best for remote users. Static keys should be changed very often (Note: OpenVPN static keys that are created on Windows can be used on Linux and vice versa. Remember the dos newline issue if you are creating and sending keys between unix and windows systems.

I don't like these kind of behaviour from MT crew when a user ask for a standard feature ("do you really need it? why won't you do something different like use this non-standard thing that we MT like?").
But what I hate beyond anything is bullsh..ing. OpenVPN hard to configure, really?

Anyway, for us, sysadmins and netadmins to understand clearly the issue, what exactly is preventing rOS user to benefit from all upstream features? I mean, routerOS is linux based, and aren't openVPN upstream sources available?
You have some difficulties to priovide a mere OpenSSH server or a OpenVPN server on routerOS and I wonder why.

I really would be happy to understand (I like days when I go to bed less stupid than the eve).

Thank for bringing up a thread more than a year old.

The answer was clear - We will not make new OpenVPN features.

Thank for bringing up a thread more than a year old.

What about automatically locking topic after let say 6 months of inactivity?

Thank for bringing up a thread more than a year old.

What about automatically locking topic after let say 6 months of inactivity?

not all topics get irrelevant after 6 months

Thank for bringing up a thread more than a year old.
The answer was clear - We will not make new OpenVPN features.

Well, I am ready to move from OpenVPN, but I need a good, speedy solution. My setup is:
> RB450
> Internet with dynamic ip and dyndns (every router on planet that has dyndns option, is easier to setup with dyndns that MT, why oh why?)
> 6 machines (2x WinXP SP3, 1x Win7HomePremium, 2x Ubuntu 10.04, 1x Osx 10.4)
> Need for: Vpn that works over 3g/umts/hsdpa connections without hassle. Good encryption - PPTP is out of any consideration, period. VPN client software for all of these platforms.

Any good offers?

My point is: Good low power cpu + ROS = bundle of features, speed amd versatility = why I choose it. If any of the parts of equation drop out, I will have to start searching.
Of course, MT support and this forum is the greatest thing about MT and let's keep it this way.

Thank for bringing up a thread more than a year old.

The answer was clear - We will not make new OpenVPN features.

Yes, it was "clear" (not satisfying but not the point here ) but in a general manner I'm wondering why you would "implement" this. What is the relation between openvpn server code in rOS and upstream OpenVPN server.

any news with udp and openvpn soon ? I am now forced to use openvpn and would need to change routers on 4 or 5 locations if can't made that working.

Thank you in advance,
Dejan

any news with udp and openvpn soon ? I am now forced to use openvpn and would need to change routers on 4 or 5 locations if can't made that working.

Thank you in advance,
Dejan

-->>>

The answer was clear - We will not make new OpenVPN features.

I am glad to have found this thread before I wasted money on what I thought would have been a good product. The other vendor thanks you for not supporting OpenVPN UDP.

Is it a joke or what?

1) UDP is suggested from openvpn creators and works better than tcp
2) apart from this ALL MY PARTNERS HAVE OPENVPN ON UDP and they will not change their setup because I HAVE A MIKROTIK. They laugh and says to me that debian or pfsense is free....

Is it a joke or what?

1) UDP is suggested from openvpn creators and works better than tcp
2) apart from this ALL MY PARTNERS HAVE OPENVPN ON UDP and they will not change their setup because I HAVE A MIKROTIK. They laugh and says to me that debian or pfsense is free....

Is it a joke or what?

1) UDP is suggested from openvpn creators and works better than tcp
2) apart from this ALL MY PARTNERS HAVE OPENVPN ON UDP and they will not change their setup because I HAVE A MIKROTIK. They laugh and says to me that debian or pfsense is free....

I'm also a long-time openvpn user: I think there is no other so "simple" (not for starters, but once configured ...) solution for vpn:
- maybe sstp has a good future (I didn't try it for now), but for now it's only for Windows vista, seven or 2008... too few opeating systems (... and Microsoft will not port it to XP, the most stable among their products!)
- ipsec is too difficult to implement if you don't have static addresses: it's not flexible.
- pptp is old protocol, only partially functioning behind nat, and you can't manage routes in the tunnel

So I say: OK, Mikrotik don't want us to use openvpn anymore, but which is a real alternative, with the same flexibility?
Give me a good alternative and I'll be happy to put ovpn out of the window. For "good" I mean:
- little protocol overhead (as in ovpn over udp)
- push configuration and routes from server to client (as ovpn does)
- nat and dynamic address proof (as ovpn)
These are the reasons, I think, that generated this thread.

The limited support to openvpn is really the only point I hate in routeros, for all my other needs is great.

I hope that Mikrotik team will reconsider ovpn support and implementation, or give a hint for a better protocol to use

Davide

+1

Mikrotik, please listen to your customers and don't implement new VPN protocols nobody is waiting for (SSTP).

To be fair, I'm sure that many people are or will be happy with SSTP. It has considerable advantages over solutions previously available in Windows (I mean by default, without third-party software). So SSTP support in ROS is a good thing.

But for now, for me and many others, the best VPN solution is still OpenVPN and better support from MikroTik would be real nice. I have seen that famous "our developers almost all committed suicide trying to make it work" comment, which made me abandon almost all hope, but I still think some more suicide-proof developers must exist somewhere and MikroTik could hire them to make their users (i.e. us) happy.

I completly agree with you, MT should remove any mention on routerOS "supporting OpenVPN".
(like in official brochure: Point to point tunneling: OpenVPN,etc)

+1 for udp

for site-2-site:
ipsec doesn't play nice with dynamic IP addresses and routeros doesnt implement any automated process to update VPN configs based on WAN address.
I have made IPSEC work buy ipsec 'transport' between the two WAN addresses and then an ipip/eoip tunnel between the WAN addresses. With dynamic clients I have to do a script to update the WAN address on a schedule. This should be an option to automate *OR* better yet, put a variable in the src-address to be $WANIP1$. Maybe in the ip address entry there can be a checkbox for VPNWANIP1 or something. Even better, make an ipsec client/server interface and do all the dirtywork behind the scenes, allowing for dynamic addressed clients and dns based server address(es)

pptp is old and crap.

lt2p is not secure without ipsec, then I need static WAN addresses so it is about equal to ipsec

openvpn is broken in routeros, no UDP

sstp is only tcp and cna suffer from tcp meltdown.

I would suggest you get on this pretty quick, vyatta is a pretty solid system and ubiquiti is deploying their edgeos product based on vyatta pretty soon (some say March)

i can understand some routeros-specific openvpn oddities, like the use of auth-user-pass, since it allows openvpn to fit in with the rest of the system. but tcp-only mode for openvpn is a limitation that seems to be present for no reason at all. i think the mikrotik people became so angry with openvpn that they intentionally crippled it to punish it's users. eastern european developers can be vengeful bunch...

eastern european developers can be vengeful bunch...

They may have no idea how angry future ex-consumers can cripple a business.

eastern european developers can be vengeful bunch...

They may have no idea how angry future ex-consumers can cripple a business.

For me I think that ovpn yes or no is not the only parameter to select routeros or other products. I'm sure that if it was a simple implementation they would have done it years ago.
I just hope that someone at Mikrotik says us: "well, you will not use ovpn anymore, cause we now support <????> that is really better". That would be a great! RouterOs developers ARE great ... think about nv2, for example!
Let me say a technically stupid thing, but just to explain an idea: I'll be better if I'll have an "nv2 over udp" !

eastern european developers can be vengeful bunch...

They may have no idea how angry future ex-consumers can cripple a business.

well, we test software all the time that does not meet our specific needs (often for unintelligible reasons) and we move on since you cannot really make demands on anyone unless you are the one writing the paychecks. people who buy licenses are just cattle but this is extra strange. i mean, they even modified openvpn to accept multiple encryption types (totally worthless), but they could not be bothered to allow to accept both/either protocol? makes no sense to me!

I think OpenVPN needs a bit different approach. I think MikroTik can make it as less as possible integrated with everything else (e.g. user specifies OpenVPN instances, for each instance an interface from dropdown and config text is specified, imho all keys, certificates etc. can be stored also in a subfolder in FTP).
I think it may be hard to integrate OpenVPN in existing architecture, but it should be relatively simple just to compile it and make a very simple user interface to it.
A good example is Cyanogenmod for Android and it's very limited OpenVPN "integration", there exist an alternative - application (OpenVPN settings) that has options to start/stop OpenVPN instances and a configurable folder for configuration files (that's all - all configuration is up to user and that is what most users want).
I think that other OpenVPN users can express their opinions about this compromise (that may be relatively easy for MikroTik to implement). And based on user feedback MikroTik can judge how good investment in their business this would be.

Of course I (as MikroTik user) want this, because it would solve most (currently all) of my OpenVPN issues with MikroTik.

it is very easy to make mikrotik-compatible openvpn configurations on any operating system, so it is not a show-stopping issue there, just a little annoying. but the lack of udp openvpn support is a huge performance problem which cannot be worked around.

It's not show-stopping if you're in charge of things and can live with some compromises and shortcomings. But try to connect to someone else's standard server. Ooops...

... but it should be relatively simple just to compile it and make a very simple user interface to it.

Putting standard OpenVPN in ROS would be great. And as much as WinBox is probably the main reason why I like ROS so much, I'd happily make an exception for OpenVPN and live with "paste your text config here" type of GUI.
On the other hand, I'm not sure if it would be enough. I mean things like handling of interfaces, addresses, routes, I don't think MikroTik would want something else messing with them aside. So it would probably require a little more integration, meaning changing OpenVPN code and that in turn would bring licence issues I guess... But in this case it would be nice to be wrong.

if mikrotik added these openvpn client features it would be able to connect to 99% of "standard" servers, no raw configuration needed:

• comp-lzo support
• some way to disable auth-user-pass (the servers i configure to have mikrotik clients must have a dummy auth script, what a joke!)
• tls-auth key support
• udp support (+fragment/mssfix)

A rather disappointing turn of events for OpenVPN. UDP support seems essential to me.
Why even implement it in such a limited way, it's not like this helps much.

I would suggest pumping up the "votes" on the wiki request page: http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests
Perhaps the number of votes from users will be able to stimulate some "suicide immune" developers to do something...

1. UDP Support
2. Compression support
3. Cert based Auth support
4. Route Push support
5. DNS Suffix support
6. Ldap Authentication
7. DHCP (?)

This will be a very nice VPN solution !!!

+1
at least on UDP and compress support.

So... Based on this thread. Does OpenVpn and Mikrotik work? And if so, is it only between Mikrotik and Mikrotik? If this is the case, does Mikrotik have a VMWare appliance I can run? Then I can have the MT to MT scenario with their version of openvpn

So... Based on this thread. Does OpenVpn and Mikrotik work? And if so, is it only between Mikrotik and Mikrotik? If this is the case, does Mikrotik have a VMWare appliance I can run? Then I can have the MT to MT scenario with their version of openvpn

Openvpn on mikrotik works with any openvpn client or server, just you have to configure
- tcp only
- no lzo
- user and password AND keys
- no push options other than addresses, you must configure the other side correctly
I successfully run (the first on each couple is the client)
- mikrotik to mikrotik
- mikrotik to linux (debian)
- linux (centos) to mikrotik
- windows XP and seven to mikrotik

I don't think openvpn on mikrotik is bad, I just think it's a pity that they will not go developing it and they don't propose an alternative.

For the virtual machine:
- you can install the x86 version of routeros on vmware (just like any other pc) using netinstall... it's a matter of seconds.

Hi

It seems a bit odd (to say at least) to implement a feature as OpenVPN the way that makes it unusable for about 95% (my guess) of existing infrastructure. Not to mention that many of us do NOT always have an ability to change the server's side of configuration and that there are features in place (UDP) for a reason. So please fix this bummer OR add a big WARNING to any mention of OpenVPN on your wikis (Works ONLY with special server config - most uncommon in real world situations).

What openVPN on mikrotik IMHO needs is:

UDP
lzo-comp
push route
client key auth without a must for user/pass

This should be done ASAP and other openvpn features implemented later on to make this implementation 100% compatible with openvpn. Without this features mikrotik openvpn implementation is useless in existing, working (corporate) enviroments - developers should be aware of that.

OpenVPN is not some obscure feature... OpenVPN is used widely today because it's free, safe, quite easy to configure and works great on various software and hardware platforms ... except mikrotik (for now).


my 2 cents.

JF

RB450G

to come here by different way - why do we request to ADD UDP support and LZO comp as feature?
OpenVPN package - as it comes in source - support both above (and many others). So I'm asking, why they got removed???

I'm interested if Mikrotik's implementation based on original OpenVPN package, or they wrote their own compatible implementation? (i don't think the last one, since the first is free and working and original -so why waste time and money with it?)
If they are using the original source, do they allowed to remove a basic feature?

I'm interested if Mikrotik's implementation based on original OpenVPN package, or they wrote their own compatible implementation? (i don't think the last one, since the first is free and working and original -so why waste time and money with it?)

I assume MikroTik reimplemented the protocol from scratch. The most probable reason is simple- GPL. Totally IMHO.

Well, that seems to be the reason.
Honestly, Openvpn as it is in Routeros is by 90% useless.
For the owners of RB450 there is an answer - Openwrt, but for the roadwarrior scenario I hope to see Openwrt on RB750.
I have migrated to x86 with openwrt for just that reason.

FYI: We are running two RB750 with native OpenWRT trunk, it works great (including OpenVPN).

I used this tutorial http://blog.poettner.de/2011/05/27/open ... rd-411750/. Don't forget to move to Port 2 after flashing...

I used this tutorial http://blog.poettner.de/2011/05/27/open ... rd-411750/. Don't forget to move to Port 2 after flashing...

Missed this one - thank you, MartinEmrich!

I used this tutorial http://blog.poettner.de/2011/05/27/open ... rd-411750/. Don't forget to move to Port 2 after flashing...

Missed this one - thank you, MartinEmrich!

+1, thank you.

Any updates in this area? Or is there any VPN tunnel fully supported in ROS, that works over UDP? Well, except L2TP...

no, nothing. some improvements to SSTP, but SSTP isn't good for either low latency or site-to-site.

This single factor has caused me to look elseware. There is another vendor with an nice little router that does open vpn perfectly. Edge something or other...

EdgeMax is not yet available for buying. And no idea how it will perform, as it is in the "baby" stage. I will buy at least 3 as soon as they are available

EdgeMax is not yet available for buying. And no idea how it will perform, as it is in the "baby" stage. I will buy at least 3 as soon as they are available

It may not be 'available' for buying, but they are in some luck individual's hands and they perform very well.

Cisco VPN group authentication (group name & group password).

I just hope they support OpenVPN UDP.
I just don't get it why MTK refusest to implement this feature. Their passive-agressive answers on this forum are at least weird. They are inviting you to look someplace else. Too bad, it is a great product, flawed by some really bad choices. Too much "russian" approach in this product development.

I just hope they support OpenVPN UDP.
I just don't get it why MTK refusest to implement this feature. Their passive-agressive answers on this forum are at least weird. They are inviting you to look someplace else. Too bad, it is a great product, flawed by some really bad choices. Too much "russian" approach in this product development.

Yes, EdgeMAX supports UDP for OVPN.

I just hope they support OpenVPN UDP.
I just don't get it why MTK refusest to implement this feature. Their passive-agressive answers on this forum are at least weird. They are inviting you to look someplace else. Too bad, it is a great product, flawed by some really bad choices. Too much "russian" approach in this product development.

Yes, EdgeMAX supports UDP for OVPN.

That's great news ... do you have any more info on their ovpn implementation (lzo, push route, certificate based auth) ... MT lacks all of theese features.

JF

I just hope they support OpenVPN UDP.
I just don't get it why MTK refusest to implement this feature. Their passive-agressive answers on this forum are at least weird. They are inviting you to look someplace else. Too bad, it is a great product, flawed by some really bad choices. Too much "russian" approach in this product development.

Yes, EdgeMAX supports UDP for OVPN.

That's great news ... do you have any more info on their ovpn implementation (lzo, push route, certificate based auth) ... MT lacks all of theese features.

JF

Easy, search google for vyatta openopen VPN.

Sorry for bringing this up again, but I can't make ipsec to work at all. Connection is dropping randomly. We are working on multiple site to one site with Citrix XenApp. Citrix got dumped randomly every few minutes on all sites. The only static ip and stable connection are on main office, while other sites are on GPRS connection, some on 3G.

My solution was using vyatta's openvpn on separate machine, but I want to put everything under RB750 we owned, and shut down that old vyatta machine. Efficiency was the main factor.

So, is there any alternative there, for stable openvpn udp with lzo compression? Compression is a MUST. We can't send much data over GPRS connection without compression. MT or anything? Or is there any suggestion what device with stable OpenVPN UDP so that we can replace our MT.

you have many options - but only a few with Mikrotik
1) use routerboard with linux
2) use routeros with metarouter+openwrt for tunnel (hopefully there is a working package for that)
3) use Wrap/alix boards with linux
4) use atom based pc
5) use a raspberry pi (sadly it has only one NIC onboard) or other linux based small computer

Bump,

Please Mikrotik, stop ignoring the issue and please implement UDP for OpenVPN.

I've never seen a company ignoring customers like this. People are requesting this feature for years now.

Not to put a damper on things. But I have had all the support I have needed and haven't had a single box brick since I kept using and put out even more SonicWALL's.

Yes they cost more. But for business stuff, it is worth not only my time, but reputation. When I was asking the MT vendors about what to use, even they were like: why dont you use such and such instead?

I do love MT's stuff, but not enough to put ny lively-hood on it.

Just my 2 cents worth...

Sent from my DROIDX using Tapatalk 2

Thank for bringing up a thread more than a year old.

What about automatically locking topic after let say 6 months of inactivity?

not all topics get irrelevant after 6 months

For me this topic will never become irrelevant as long it is not implemented.

There is simply no alternative as flexible as OpenVPN with udp...

Like mentioned before... I won't mind even if we have to specify a regular openvpn configuration file, as long as it works...

what about offering a bounty for OpenVPN to Mikrotik?

what about offering a bounty for OpenVPN to Mikrotik?

You mean like paying a second time for a "feature" you already bought? Mmmmmm...

We're mid-2013 already, and still no news of any udp support for RouterOS openvpn ?

+1
It has been repeatedly voiced by the addition of UDP requests to OpenVPN. Though approximate voiced plans to gentlemen developers ).

In fact, there's no anything such flexible as openvpn on market. So UDP and route-push support would be great.

I've already read many threads here about requests for UDP support for OpenVPN and I wasn't able to find one explanation why it is not supported or why it is not planned to be supported :-/ It's really shame :/

So count me as another customer "begging" for this feature. I think there is plenty of us.

I've already read many threads here about requests for UDP support for OpenVPN and I wasn't able to find one explanation why it is not supported or why it is not planned to be supported :-/ It's really shame :/

So count me as another customer "begging" for this feature. I think there is plenty of us.

+1, but normis already said they aren't working on OpenVPN any more. And personally I'd rather see 802.11ac with wireless controller support first, but OpenVPN over UDP would be nice.

I've already read many threads here about requests for UDP support for OpenVPN and I wasn't able to find one explanation why it is not supported or why it is not planned to be supported :-/ It's really shame :/

So count me as another customer "begging" for this feature. I think there is plenty of us.

+1, but normis already said they aren't working on OpenVPN any more. And personally I'd rather see 802.11ac with wireless controller support first, but OpenVPN over UDP would be nice.

Thanks, I had to miss the thread where was this info (you know, there are many threads about UDP / OVPN ). And personally UDP for OVPN is still my priority

Is it a joke or what?

1) UDP is suggested from openvpn creators and works better than tcp
2) apart from this ALL MY PARTNERS HAVE OPENVPN ON UDP and they will not change their setup because I HAVE A MIKROTIK. They laugh and says to me that debian or pfsense is free....

I don´t really know why they are not inserting all known variants of the VPN!
VPN is more and more present in all kind of computing, from the lowest bottom (private usage)
to the highest top (enterprise business) and with more then 30.000.000 sold new mobile devices
like smartphones all 2 years one of the biggest criteria to get new customers and clients in my eyes.

What could be wrong to chose a cpu from a vendor that comes with this capabilities to
compress and also made for de- and encryption so heavy tasks can be handled easily?
Exar formerly HiFn has some interesting chips that can nearly or more handling wired
speed encryption for each know VPN method on the market.

For sure inside of Latvia encryption is not permitted to use and also perhaps MikroTik has
some problems to set those things up, like the vendors in the USA are not able to export
their cryptography equipment outside of the USA to another country, but inside routers
this is since long time a very often used and asked function before buying a router.

And with the new Tilera series including the high speed encryption engine called MiCA, MikroTik has
once more the chance to roll out or inserting a ROS version with all kind of VPN methods!
SSL-VPN
SSTP-VPN
PPTP
PPPD
IPSec
L2TP
OpenVPN

I would more think in that direction, that it is better to offer more different VPN variants then my
concurrence on the router market, for sure. Perhaps some of yours want to spend one minute to
vote here for your favourite VPN method you will see inside of RouterOS or not. If not don´t give
the named VPN method not a point but the other, 8 points can given by your the poll is ending
never up, thanks first to spending a minute. RouterOS VPN types support

if mikrotik added these openvpn client features it would be able to connect to 99% of "standard" servers, no raw configuration needed:

• comp-lzo support
• some way to disable auth-user-pass (the servers i configure to have mikrotik clients must have a dummy auth script, what a joke!)
• tls-auth key support
• udp support (+fragment/mssfix)

If only they could listen!
Just receive confirmation from their support, that they won't do anything about it.
I wanted to buy a MikroTik RB1100AHx2 to play with, now I'm lost cause I use OpenVPN a lot and I wanted to replace the server-side using RouterOS.

Is there a way for the community to create packages that could be use within RouterOS ?

Could be a solution to create one package with full OpenVPN support, cause that's the only thing that makes me refrain from buying a MikroTik device

If you really need those features at the moment. Run openwrt image in metarouter and run ovpn from there with full feature set.

Is it possible create virtual network interfaces on RouterOS that could be used from within openwrt for incoming and outcoming data ?

Anyway, all information/logs/graphs/users currently logged in, ... won't be there

If you really need those features at the moment. Run openwrt image in metarouter and run ovpn from there with full feature set.

This is not the solution. With metarouter my router's CPU gets horribly overloaded so much that my whole LAN starts lagging (RB2011).

i'm very interested when we reach the point where Mikrotik will admint why they deny to use UDP and compression in OpenVPN.

If you really need those features at the moment. Run openwrt image in metarouter and run ovpn from there with full feature set.

I understand that you advise me to buy a router which works fine openWRT and use that router but not mikrotik?

When will this be added?

+1+1+1+1+1
Udp for ovpn now!!!

over 4 years and no comment from Mikrotik??

See: http://forum.mikrotik.com/viewtopic.php ... 50#p435410

Oh, we're making progress!
Few years ago it was almost written in stone that no UDP support is ever planned.
Those are good news, at least they are considering it now.

please add full openvpn support like OpenWTR software.

Thank You!

+1

I really need UDP OpenVPN + compression. TCP OpenVPN doesn't perform well on latency.

All of you, Go and vote your support here : http://forum.mikrotik.com/viewtopic.php?f=1&t=86461

All of you, Go and vote your support here : http://forum.mikrotik.com/viewtopic.php?f=1&t=86461

Seriously. Not even related. Not at all. Thread jacking.

+1

UDP + LZO

+1

UDP + LZO

+ 1000000

but that mikrotik continually ignore our requests

+100 need LZO +UDP OpenVpn

+1

UDP + LZO

+ 1000000

but that mikrotik continually ignore our requests

after 30 day New Year 2015 but not LZO and UPD OpenVPN in Mikrotik Os 6 - OMG....

Looks like thay haven't managed to make it work like it should so they just cut it off from the software. It would be nice if they talk to us e tell why such important features inside OpenVPN are not going to be implemented.
Sorry mikrotik team... but it sounds like lazy developers trying to not have to debug the code...

Anyway...
+1 for OpenVPN full support!

I also would like to see the ovpn over udp in ros.

Why is Mikrotik ignoring all those request for UDP based OpenVPN and proposing and TCP VPN solution as an alternative ?

OpenVPN is very very buggy and hard to implement. Our developers almost all committed suicide trying to make it work. It's a big mess, so we can't continue to implement it 100%

I don't think we need all features of OpenVPN. UDP support requires the same effort as TCP support, which I find hard to believe would be difficult at all. When I configure OpenVPN by hand, it is a single line where I write either "TCP" or "UDP". Not exactly rocket science. I don't believe that implementing that should trigger any suicide. Almost every OpenVPN implementation I have worked with is using UDP for performance reasons. The choice to use TCP to me is very strange anyhow.

At least consider to implement UDP. Please!

+1 for UDP on openvpn !

+100500 for ovpn udp lzo

Please add UDP for openvpn !

+1 for udp.

+100999500100999500100999500100999500100999500 for ovpn udp lzo

pleaz pleaz pleaz pleaz pleaz pleaz pleaz pleaz pleaz pleaz pleaz pleaz pleaz pleaz

ok just kidding. As stated before nobody cares about +1, please, whatsoever.

if mikrotik added these openvpn client features it would be able to connect to 99% of "standard" servers, no raw configuration needed:

• comp-lzo support
• some way to disable auth-user-pass (the servers i configure to have mikrotik clients must have a dummy auth script, what a joke!)
• tls-auth key support
• udp support (+fragment/mssfix)

I second tls-auth support. I work for an ISP that offers VPN services to our internet connectivity customers and if RouterOS supported TLS auth, we would sell *a lot* of these devices. The demand for our VPN keeps growing every day, more and more customers are looking to do "whole home VPN", and are struggling to find an inexpensive, "off the shelf" router that supports this with OpenVPN. I have wished a long time for myself and them ROS could do tls-auth.

+100500 for ovpn udp!!!

+1 for lzo.

We are going to replace all our routers and lzo is a requirement

Yes please, OpenVPN is in a urgent need of an update, I can't understand why this is being ignored for such a long time.

Probably because of RouterOS 7.x

Yes please, OpenVPN is in a urgent need of an update, I can't understand why this is being ignored for such a long time.

At first I could not understand either, but now I do:
I thought that there was just a standard OpenVPN daemon running on the MikroTik, which maybe had to be updated to a
recent version and some config widgets added to the GUI.
But in one of the many posts about this subject it was revealed that this is not the case. The OpenVPN on RouterOS is an own
implementation that does only part of the protocol. And of course, extending that to a full version takes a lot of work.

I don't know why the existing and widely used OpenVPN is not used, but it may be a licensing issue.
I have had another router that once offered OpenVPN and after an update this functionality vanished without explanation.
Maybe the OpenVPN folks are actively pursuing use of their software outside of their conditions (e.g. in a close-source product).

Yes please, OpenVPN is in a urgent need of an update, I can't understand why this is being ignored for such a long time.

At first I could not understand either, but now I do:
I thought that there was just a standard OpenVPN daemon running on the MikroTik, which maybe had to be updated to a
recent version and some config widgets added to the GUI.
But in one of the many posts about this subject it was revealed that this is not the case. The OpenVPN on RouterOS is an own
implementation that does only part of the protocol. And of course, extending that to a full version takes a lot of work.

I don't know why the existing and widely used OpenVPN is not used, but it may be a licensing issue.
I have had another router that once offered OpenVPN and after an update this functionality vanished without explanation.
Maybe the OpenVPN folks are actively pursuing use of their software outside of their conditions (e.g. in a close-source product).

Well if to go on their website you can scroll through the Licensing page and you can clearly see there are 3 types of licensing, the first two are related to their own Access Server implementation and not the case we look for and the third one is the OpenVPN® Open Source Community Software which I suppose is the one most use, so if there are any licensing problems then those must be tied to these two:
• OpenVPN 2 Open Source Software License is governed by GNU General Public License version 2 (GPLv2).
• OpenVPN 3 Open Source Software License is governed by GNU Affero General Public License (AGPL).

That being said I don't think the case you were explaining is because of licensing as generally GPL is good for everyone, probably it's mostly tied to the popularity of a service, so if their metrics say that service was used by a low number of customers who purchased their routers then they wouldn't see any benefit in investing development resources into that, leading to an out of date service and it's removal as not to receive complaints about a service being offered but not working as it should.

Unless this viewtopic.php?f=1&t=77898&start=150#p546841
post has been invalidated. It will be in V7.

Normis & Mr Z Please correct me if I am wrong.

Also I found out and interesting fact about OpenVPN, it is not multl-threaded, it is single threaded, meaing it doesn't scale with ANY SMP architecture.

Normis and Mrz are the IPSEC and SSTP Implementations in the RouterOS multi-threaded?
Is this and the other issues listed @ https://community.openvpn.net/openvpn/w ... #Threading the reason for the long delay in adding UDP and LZO Comp to OpenVPN?

If it is, do you plan to share how you are solving it with the OpenVPN Authors?

Unless this viewtopic.php?f=1&t=77898&start=150#p546841
post has been invalidated. It will be in V7.

We all know that. But there is no indication whatsoever there will ever be a V7. So that is useless info.
People are waiting for something they can use, don't want to be referred to some future product that may or may not
become available in 3 years time.

Unless this viewtopic.php?f=1&t=77898&start=150#p546841
post has been invalidated. It will be in V7.

We all know that. But there is no indication whatsoever there will ever be a V7. So that is useless info.
People are waiting for something they can use, don't want to be referred to some future product that may or may not
become available in 3 years time.

True. I am more curious as to if the issues making it take so long are the ones I brought up.

openvpn clients in routers with tls-auth, udp, compression are industry standard by now... Did Mikrotik ever comment on the openvpn deficiency resp. corrective actions?

While Mirotik plan for 100G ports in upcoming routers maybe they can offer open module spec if they unable to implement ovpn module?

OVPN is one os the main distinct feature of MT. And while ovpn developers at openvpn.net produce one version after another MT developers won't make good implementation?

Please, please! Ovpn is the Swish Knife in network field so it is a shame not to use it. Yes, this is not that Enterprise thing but a lot of people uses it!

Its fall of 2017 now... 9 years from initial feature request.

teaser:

teaser:

Code: Select all

What's new in 7.0 alpha
*) added support for UDP OpenVPN;

U are So funny m8
RouterOS v7 is a funny joke

It is actual copy from actual changelog.

Cool thing - Thanks for the info.

It is actual copy from actual changelog.

OK Cool
Let Us test it

Hmm, alpha... it looks like we may get something ready for this thread's 10th anniversary. I just hope that other nice OpenVPN features will also make it to the party.

Hmm, alpha... it looks like we may get something ready for this thread's 10th anniversary. I just hope that other nice OpenVPN features will also make it to the party.

LZO compression and SHA2 (SHA512) authentication come to mind...

Just wanted to setup another new MT device with openvpn / udp but now I am reading this. It's actually very disappointing to read the whole thread from the beginning guys.

It's a long standing request, and shouldn't be a lot of work.

This is a 12 year old request. What is going on?? Had to switch all of my VPN clients to other routers simply because of this. Mikrotik OpenVPN was 600+ms ping time and LOTS of packet loss. PPTP or IPsec was 90ms. But, OpenVPN is the only tech that the NSA can't break and that is truly secure. Also, it is the only one besides PPTP that AT&T's routers will allow to have servers.

It's a long standing request, and shouldn't be a lot of work.

This is a 12 year old request. What is going on?? Had to switch all of my VPN clients to other routers simply because of this. Mikrotik OpenVPN was 600+ms ping time and LOTS of packet loss. PPTP or IPsec was 90ms. But, OpenVPN is the only tech that the NSA can't break and that is truly secure. Also, it is the only one besides PPTP that AT&T's routers will allow to have servers.

don't agree. routeros openvpn implementation sure is not complete neither perfect, but I have no problems on many ovpn over tcp tunnels I have. I don't have the big latency even if I ping traversing 2 tunnels.

Argh....stumbled across this limitation here. Needing UDP wOVPN here as well. The UDP seems to operate faster, and we use lots of VoIP here that cannot tolerate retries. Is this a CPU horsepower issue?

No, the problem is that RouterOS does not use the opensource OpenVPN program but they have re-implemented it.
So the advances in OpenVPN with release of each new version do not carry over into the RouterOS version.
Apparently nobody at MikroTik dares to take on the task of updating their implementation or axing it entirely and using the open source version instead.
It has been promised that this would happen in RouterOS v7 but it looks like v7 has been indefinitely postponed.
(in another topic the remark has been made that "most features of v7 have been backported into v6 so why would we still want v7?")

I bought one due to it costs $20, looks very good all around and SUPPORT OpenVPN... It's really sad, it seemed the happiness is here!!

+1 for UDP tunnels

I very disappointed to read this topic after i brought MikroTik hAP ac².

Still no news in June 2018 after two year.

viewtopic.php?f=1&t=77898&start=150#p527829

I very disappointed to read this topic after i brought MikroTik hAP ac².

Did you really buy an access point to establish OpenVPN connection(s) ?!

I very disappointed to read this topic after i brought MikroTik hAP ac².

Did you really buy an access point to establish OpenVPN connection(s) ?!

I prepare to install OpenVPN server in hAP ac2.

I prepare to install OpenVPN server in hAP ac2.

It is possible but it will just be a server with very limited options.
After all this I start to think it would be better when MikroTik simply relabled the OpenVPN feature: name it something like MikroTikVPN and don't suggest any compatability to OpenVPN.
Then prospective buyers will no longer be deceived into thinking that they can use this OpenVPN feature to interconnect with some other OpenVPN service or client.
It would make it just an incompatible variant of SSTP and it could just as well be dropped entirely, but keeping it so existing users do not have to rework their setup would be nice.

As an OpenVPN server or client, well, it is just worthless.

I prepare to install OpenVPN server in hAP ac2.

After all this I start to think it would be better when MikroTik simply relabled the OpenVPN feature: name it something like MikroTikVPN and don't suggest any compatability to OpenVPN.

Really agree your comment.

Nah, give it a little time ^(*1), it will happen. Check it yourself, how the attitude changes from "no way" to "we already have it" ^(*2):

search.php?keywords=openvpn&author=normis

It's getting more optimistic over the time.

-
(*1) two or five years, ten maximum
(*2) at least a part of it

Nah, give it a little time ^(*1), it will happen. Check it yourself, how the attitude changes from "no way" to "we already have it" ^(*2):

search.php?keywords=openvpn&author=normis

It's getting more optimistic over the time.

-
(*1) two or five years, ten maximum
(*2) at least a part of it

At least, they give the user a answer. Yes or no. It is very easy to answer. I don't know why they always silence.

What silence are you talking about? The answer was already given: "v6 - no UDP, v7 - UDP is ready, just wait for v7 itself".

But there has also been the "well... maybe there will not be a v7... we already implemented most of the promised features in v6!".
Of course this does not include the promised features w.r.t. OpenVPN. (and others, e.g. BGP)

Yep, we could use some update, at least about status of the thing, if not for OpenVPN itself. Because while some features might be impossible to add to v6, OpenVPN shouldn't be one of them.

Huh huh what about Metarouter on RB1100AHx2

What silence are you talking about? The answer was already given: "v6 - no UDP, v7 - UDP is ready, just wait for v7 itself".

Link, please.

v7 should be developed over FOUR Years. When we can get the v7 ?

Link, please.

search.php?keywords=openvpn&author=normis

v7 should be developed over FOUR Years.

Even more.

When we can get the v7 ?

When it's ready.

Link, please.

search.php?keywords=openvpn&author=normis

v7 should be developed over FOUR Years.

Even more.

When we can get the v7 ?

When it's ready.

I just wait until they ready. I hope my router is worked when they ready.

We're all waiting for it

we're still waiting +1

we're still waiting +1

Please post this only once a couple of month/years, not every week

up )
+1 UDP

Waiting...

+1 UDP suport OpenVPN ovpn
+1 RouterOS v7

Hmm, alpha... it looks like we may get something ready for this thread's 10th anniversary. I just hope that other nice OpenVPN features will also make it to the party.

LZO compression and SHA2 (SHA512) authentication come to mind...

wondering why one would go with ShA512 ... what is the big benefit (security/performance balance in mind) going with that?
sha256 brings no real security benefit over sha192 (hash length extension vuln. and so forth....)

LZO on the other hand would be a BIG improvement and UDP anyway! mikrotik is driving its users insane with still not implementing such "feature" (it is a basic openvpn mechanism AFAIK)....

come on guys ... this is not funny anymore and it's not getting better....

LZO is deprecated, so you should be asking for LZ4 instead

You better have LZ4 up your sleeve already, otherwise it's a cruel joke!

from here :
https://www.reddit.com/r/Windscribe/com ... ard_setup/

how about SHA512 auth,
I can not use my windscribe account

+1 for UDP support for OVPN on MikroTik

from here :
https://www.reddit.com/r/Windscribe/com ... ard_setup/

how about SHA512 auth,
I can not use my windscribe account

+1 for sha256/sha512 in openvpn
seems it got implemented for ipsec recently

The long waiting time makes me so sad! Products and software - this is not a good match. One is good the other is a joke!

The long waiting time makes me so sad! Products and software - this is not a good match. One is good the other is a joke!

Please enumerate your list of commercial routers (not alternative firmware) that actually have OpenVPN support that conforms to your wishes.

Another solution would be to support and maintain Metarouter.... even on the RB1100AHx2, but that's another story.

Another solution would be to support and maintain Metarouter.... even on the RB1100AHx2, but that's another story.

Yes, it would be very good to have metarouter back in service, or some other way of running user programs in some sandbox that only gives them some memory, a disk directory, and one or more network interfaces towards the physical router (tun/tap or similar).
That would allow all kinds of solutions to issues being posted all the time here and in the feature suggestion topic.
(OpenVPN, Wireguard, full-function DNS server, DHCP server for exotic requirements, etc etc)

LZO is deprecated, so you should be asking for LZ4 instead

What about TLS auth and no username/password auth (only by keys)?

Aaahhh Wireguard

LZO is deprecated, so you should be asking for LZ4 instead

well ...

+1 for UDP.

Damn, take 10% of my payments to you for routers and hire a programmer for 6 months to do this (he'll implement it in a few weeks and work for you for the remaining 5 months) :-/ It is so annoying to have CCRs with speed of RB750 running openvpn via TCP..

+1 for UDP.

Damn, take 10% of my payments to you for routers and hire a programmer for 6 months to do this (he'll implement it in a few weeks and work for you for the remaining 5 months) :-/ It is so annoying to have CCRs with speed of RB750 running openvpn via TCP..

Instead, pay them to implement the suggestion in message viewtopic.php?p=692031#p692031
That will serve a lot of other purposes on CCR.

Instead, pay them to implement the suggestion in message viewtopic.php?p=692031#p692031
That will serve a lot of other purposes on CCR.

Although I agree, I believe that would take some serious time. I don't get the point of not implementing already finished UDP support and waiting years for v7.. this reminds me the play "Waiting for Godot" :-/ TCP ovpn between europe and usa is damn slow, I had to go back to the good old l2tp+ipsec

It is likely quite easy to implement a user process but it could take some iterations to make it completely secure.
I would envision it like: you make a folder on the flash disk and put the executable there and add a config item which specifies the folder and the network devices you desire.
(like 1..4 tun/tap devices)
RouterOS creates/opens/initializes the tun/tap devices and chroots to the folder and starts the program. The program can read/write files (only) from "the root directory" which is the folder, and it can access the pre-opened network devices. The other end of those devices is visible in RouterOS where you can put them in a bridge, or set an IP address on them and route to them.
The program runs as a nonprivileged user which is disallowed to make critical system calls.
The user cross-compiles his software for the processor architecture (using gcc) and links it as a standalone executable. Maybe a libc shared library could be made available.

Once this is realized you can port a current version of standard OpenVPN or other software which includes all features you like, which is of course much easier to do than to add features to the rewrite that MikroTik is using in RouterOS.
I am running an old TCP/IP program (KA9Q NET) under Linux using this method in a Raspberry Pi, and it works perfectly.

Count me as +10 for OpenVPN over UDP. If you do not know why this is important, see http://sites.inka.de/bigred/devel/tcp-tcp.html

I have iOS programs that simply do not work because of the transmission problems caused by trying to run their TCP connections over TCP-based OpenVPN. They just get into some kind of meltdown and give up.

I bought the hEX for only 2 reasons: to provide a IPv6 firewall and to provide remote access. I bought a hAP for only one reason: to enable remote access. Since I eventually decided that IPv6 was too much of a privacy risk and disabled it, it turns out that I pretty much wasted my money on the hardware and wasted a considerable amount of time (~200 hours) figuring all this out.

+100 for standard openvpn realization.
It`s awful that 10 years old, very important issue is still open. OpenVPN nowadays is used by different kind of customers and there is no way to use mikrotik routers without openvpn with certs and udp protocol.
And another even bigger problem is that support team does not want (can`t) to tell when normal openvpn will be supported by router OS (if it will), so I have to guess what to do, whether to change the equipment or wait (it is not clear how long) that a miracle will happen and normal protocol support will finally appear.

Such a lack of information and lack of dates and workflows about this topic is very strange for a rather famous company.

I have to guess what to do, whether to change the equipment or wait

I wonder what router equipment you are going to change to (with software supported by the router manufacturer) that will do what you need...
Of course a plain Linux system can do it, and some open router firmware replacement can do it, but what manufacturer-supported router is your alternative?

This is not the same level but anyway for example ASUS right out of the box from 2017 for customers with 10-20 light users.
RT-AC66U

And as you mentioned - any router with replaced firmware "from Padavan", DD-WRT, Open-WRT, Tomato and so on.

Metarouter is not the same. OpenVPN in metarouter is very peculiar thing.

Of course you can install such alternative firmware on some of the MikroTik routers as well.
And mentions on spec sheets of other routers is not the full story!
Before my MikroTik router I had a Draytek router which claimed OpenVPN support on the spec leaflet, but by the time I had bought it and updated the firmware, the whole OpenVPN feature had been silently removed.
There probably are software licensing issues around it, which also could explain why MikroTik do not simply add the latest OpenVPN program in RouterOS but instead did their own rewrite of a subset of the functions.

I wonder what router equipment you are going to change to (with software supported by the router manufacturer) that will do what you need...

I understand the OpenVPN license is problematic.

It would be fine with me if Mikrotik would only support OpenVPN udp and drop support for tcp. It would also be fine if they created a way for us to install an OpenVPN package from somewhere else.

+1
We are installing Mikrotik Routers in renewable power plants for remote monitoring+control. Connection to our own VPN-Server is no Problem, but the connection to all the energyexchage traders must be done via ovpn udp. At the moment we are installing 2 Routers in each Plant, one Mikrotik for routing, firewall, NAT, VPN and WAN-connection and one Ubiquiti just for one ovpn-udp connection.

You could consider using a single router or server at central location to do the OpenVPN and route everything first to central (using whatever VPN you like) and then further route it over OpenVPN there.
Or ask the traders to support really standard protocols in addition to OpenVPN. In a similar situation (which involved only us and 1 other party) I was successful in convincing them that only offering OpenVPN and not IPsec, L2TP/IPsec or similar was not very flexible.

Just came here to update this 10 years old thread and to ask for a serious support of 17 years old widely used vpn...

We are almost in 2019 and still no UDP support.
Shame on you

Would be great if we could get it and also not only sha1 and md5 for auth


Keep looking forward to this!

In a similar situation (which involved only us and 1 other party) I was successful in convincing them that only offering OpenVPN and not IPsec, L2TP/IPsec or similar was not very flexible.

What options does Mikrotik have for a UDP (or at least not TCP) based secure connection that I could use to tunnel an EoIP connection?

L2TP/IPsec, GRE/IPsec, IPIP/IPsec, plain IPsec transport.

NordVPN says no. RouterOS is getting outdated.

NordVPN says no. RouterOS is getting outdated.

Implementing such services on a router is silly. You should implement it on your end device so the entire path is protected.

Furthermore, when today's protocol enforced by something like NordVPN would be implemented by MikroTik, tomorrow they
will switch to another protocol that appears to be better at that time. Look, people are already requesting Wireguard
and unimplemented IKEv2 options. It is just not possible to satisfy everyone in a commercial closed-source router.
Either get some open box that you can tinker yourself, or do it on the endpoint (PC, phone, etc).

MikroTik could include an extension possibility in the form of a "MetaROUTER light" that allows the user to run processes that
implement network functions like exotic VPNs, special DNS servers, etc.
I have suggested it before but there is total lack of response, so apparently total lack of interest.

hi, I wanted to know if mikrotik intends to implement the protocol udp and security sha 256 on its openvpn.
Thank you

hi, I wanted to know if mikrotik intends to implement the protocol udp

It's implemented already, just wait for the release
viewtopic.php?f=1&t=26499&p=617477#p617477

perfetc

just to know, do you know an approximate release date? I would not wait all 2019 ...

just to know, do you know an approximate release date? I would not wait all 2019 ...

in a far future

just to know, do you know an approximate release date? I would not wait all 2019 ...

Maybe @normis can say a date, will it be before 2020?

let's not joke guys, we hope in a very short time that solve this gap

I bet 2022 by then everything will be obsolete.

+1 for udp support for ovpn

Thank for bringing up a thread more than a year old.

The answer was clear - We will not make new OpenVPN features.

Noooooooooo.....