Hello!

Is there any news regarding:

1. OpenVPN over UDP support
2. SHA256 authentication support on OpenVPN. (Though SHA1 still provides strong authentication, clients are asking more and more for SHA256).

I could not find any relevant information, so I would be very grateful for any kind of information.

Thanks,
Marius

Sorry, man, this is a super mega ultra complicated task and developers do not know how to solve it. Or do not want to ...

Thanks for the info;)
Which one is the complicated one? I am more interested in the SHA256 OpenVPN item

Any detail on OVPN SHA256 support?

mariusp,

Some information about this long awaited requests cab be found in the following forum topic: Feature Request: OpenVPN [ovpn] udp tunnels

Would like to bump the feature request for SHA256 authentication. SHA1 is broken - https://shattered.io/
No need for other complicated features such as udp or lzo, as long as the current implementation is secure enough.

Thanks

+1

Just setup Ovpn for the first time on mikrotik and surprised no SHA256. Anything else is not as secure.

+1 for SHA256

And UDP also, tcp openvpn from california to rb in europe is slow and laggy, good old l2tp/ipsec on the same machines is more than 10x faster

//edit - After the new openvpn TLSv1.2 update - what TLS does mikrotik openvpn server use? Is it possible to force usage of TLSv1.2 only? (--tls-cipher)

+1 for both

+1, again, again, again it sucks

+1 for SHA256
(and I don't understand that default settings on VPNs for hash functions ans symetric cryptography are still old ones that are reported to be broken/not secure anymore)
After hours of search and comparison, I will use openVPN as sites to central site VPN (simple to configure - thanks for keys genereation on mikrotik ! - , nat traversal, ~5% overhead, ...).
It not serious to use unsecure auth method for professional cases.
Please Mikrotik dev team, consider priority for this devlopment...

bump

I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance.
OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never.

SHA256 is supported on the mentioned protocols, not sure why openvpn would be more compelling, maybe only to opensource lovers.

I'd consider switching to L2TP+ipsec or EoIP+ipsec(for mikrotik on both sides), both use UDP and encryption and should perform the same or better in performance.
OpenVPN on UDP has been requested years ago and won't come too soon on Mikrotik, probably never.

SHA256 is supported on the mentioned protocols, not sure why openvpn would be more compelling, maybe only to opensource lovers.

Many VPN providers, including the largest, only support OpenVPN. Some support weaker protocols such as PPTP, but these are either discouraged or being discontinued. Some support stronger protocols such as Wireguard, even before their code or standards are finalized.

But the one thing common to all modern retail VPN providers is OpenVPN. Since OpenVPN without UDP is less like having one hand tied behind your back and more like having both legs cut off in terms of throughput and latency, this is why threads like this exist.

Of course, those considering site-to-site VPNs have many more options for protocols, and are in a position to follow the advice you suggested.

As for SHA256 that's only for HMAC auth and SHA1 is widely still used. There is no rush there because the key lifetimes are so short, on average just an hour. Also, they can only be used to fake a packet not break the entire channels security. Such concerns, even for those worried about state actors, is so ridiculously unlikely (breaking a SHA-1 key in an hour AND using it), it is not worth considering from the client side. It is just a security integrity issue for the VPN provider to keep up with the latest tech, i.e. SHA-2.

come on, Mikrotik, even Asus can do sha256...

Накладные расходы на ширину канала из за отсутствия поддержки openvpn udp и сжатия ставят вопрос целесообразности использования микротика как шлюза.
Не очень понимаю политику компании, запросу более 10ти лет. Всяких свистелок перделок уже вагон, а нужной функции нету.

+1 for both

IMO, if RouterOS7 is vapor ware, OpenVPN UDP needs to be addressed.

+1 UDP

Dear mikrotik!

You really done a good job in bringing enterprise-grade routing solution down to soho-level pricing.

Now you're competing in both - SOHO and enterprise segment.
SOHO routers can do OpenVPN. Yep, we're talking about 10-50Mbps in best case scenario, but it is still sufficient for most SOHO use cases.

Regarding enterprise market - It is not 2010 anymore, there are solutions that can do 100 to 1000 Mbps OpenVPN tunnel on a budget. There are enterprise customers that prefer OpenVPN to IPSec/L2TP (I hope PPTP is dead by itself) for its configuration simplicity and UDP-based protocol that is easier for NAT traversal without significant performance degradation

I'm really sad for your loosing this market (including myself and company I work for) of affordable but reliable and flexible routing that was, basically, created by your company.

After being a loyal customer for the past 5 years, I have decided today the v7 unicorn and/or this ongoing udp and tls lack of support in openvpn makes these routers useless in my future. Lack of response to the complaints or anything beside hopeless post of v7 feature set demonstrates the future of this product. Moving to the U despite holding out hope for this support for the last 2 years. Anyone wanting to use any of todays standard vpn services should avoid this product line due to hours of frustration and lost time searching these forums for a solution that does not exist.

First of all, let me say thank you for making reliable and affordable product.

Still, I would also need OVPN+SHA256...right now, my Mikrotik has to forward a few hosts to a low end wireless router, running LEDE, which is perfectly able to handle OVPN+SHA256...

I would like to setup the tunnel on the Mikrotik (which is also my default gateway), keeping my actual OVPN configuration.

I love RouterOS...but if I can't find any proper solution for this, I may just end up flashing it to LEDE...

WTF?!?!
I thinked that mikrotik realy cool device...
this is unreal, openvpn client without support UDP!!! Without support SHA512 and SHA256.
Same mikrotik don't support DoH (DNS over HTTPS) such as cloudflare and google!
What kind of stupid developers creating and updating reuterOS ?!

WTF?!?!
I thinked that mikrotik realy cool device...
this is unreal, openvpn client without support UDP!!! Without support SHA512 and SHA256.
Same mikrotik don't support DoH (DNS over HTTPS) such as cloudflare and google!
What kind of stupid developers creating and updating reuterOS ?!

Calm down. Almost nobody supports DoH yet. UDP and SHA2 support for OpenVPN have been requested already many times but they stated why this is currently difficult to implement. I'm prettty certain they are working on this for ROSv7.

Calm down. Almost nobody supports DoH yet. UDP and SHA2 support for OpenVPN have been requested already many times but they stated why this is currently difficult to implement. I'm prettty certain they are working on this for ROSv7.

I found requests UDP in this forum 11 years old viewtopic.php?t=20537
About ROSv7 beta 1 i listened 3 years ago
Nothing changes...
If ROSv7 comming in far far futures, please don't forget add tls-crypt option for openvpn (without this, ovpn can't work in china and near future in russia)

I don't think RouterOS v7 is that far away. Some v7 features are already implemented in v6.

On the DNS part there are better programs like Unbound that do that all, in a excellent way.

Hi,

Sorry to bring up an old thread, though it would be brilliant if we can get some form of reliable feedback regarding the old standing question of UDP & SHA256 support for OpenVPN Client.

Understand it is a difficult item....just really difficult to standardize Mikrotik when this one feature is included with basic DD-WRT / OpenWRT / Tomato / Lede yet neglected by Mikrotik.

Can it even be done? If so, WILL it ever be done? If the answer is Yes, does this mean we may have this feature in 2019?

+1

configuring using regular openvpn config file would also be great

State of OpenVPN in ROS 6.x is pretty much WONTFIX and other long OpenVPN UDP thread got locked up.
For any new features we have to wait for ROS 7.x (who knows how long) or just buy other hardware that does what you need today...

Just purchased my Mikrotik router, but was pretty annoyed to find out that I couldn't configure my VPN because the router lacks SHA256.
What's even worse is the seemingly lack of response from MikroTik. Quite worrying in fact to see that they apparently don't take security that serious.

Hello Mikrotik Engineers,

I know you have received many requests regarding OpenVPN UDP support, however it is proving almost impossible to get a clear answer.

We (just like the hundreds of other MT users) have a huge requirement for OpenVPN UDP support. Whilst we can (and do) use IP & SSTP tunnels for Mikrotik to Mikrotik VPN's, we have many sites that explicitly require OpenVPN + UDP support.

This is usually outside of our control as we are connecting to non Mikrotik services.

Additionally, UDP + SHA256 / SHA512 is becoming the standard.

What is the likelihood of Mikrotik Supporting OpenVPN UDP Support with SHA256 / SHA512 in the near future (ie. next 6 - 12 months)?


We trust you understand there must be hundreds (if not thousands) of users / devices that MUST use the above settings. Whilst we can implement alternative hardware, we would like to maintain uniformity with MT products where we can.

IF this is very unlikely to ever happen, please just let us know so we can all look to another solution.

Sincerely,

reCIPHER Group Australia

Hello Mikrotik Engineers,

I know you have received many requests regarding OpenVPN UDP support, however it is proving almost impossible to get a clear answer.

I'm all for Mikrotik and I use a lot of their devices, physical and virtual ROS, and they are mostly great, but I'm afraid proper OVPN support is but a wet dream. They keep promising advances in this area but nothing significant ever happens. It seems that attracting users needing this feature is not financially viable. That's the only practical reason I can think of. Technical issues can all be solved, they have good network engineers and programmers. Too bad though, I found that OVPN is practically the only free solution that is almost problem-free on the client side (far from perfect, though), has a good performance and feature set with good client OS support.

+1 SHA256
+1 UDP

We all need full functional OpenVPN ... m.b. with special extension card, is ok .. but is needed

We all need full functional OpenVPN ... m.b. with special extension card, is ok .. but is needed

Some boards like the hexS already even have more crypto hardware accelleration than supported by Mikrotik software. So there's no need for extra hardware, just more source code has to be written or reimplemented since OpenVPN has been running stable for years on other platforms...

+1 SHA256
+1 UDP

If nothing changes very very soon, I have to replace my tiks. Talking over 3000 devices. Replacements will come, and it won’t be MikroTiks.

My field of work demands ovpn.

If nothing changes very very soon, I have to replace my tiks. Talking over 3000 devices. Replaments will come.

May I ask what the replacements will be?

Something with a proper implementation. Selecting, testing and proof of concept starts within two months.

No further disclosures.

Something with a proper implementation. Selecting, testing and proof of concept starts within two months.

No further disclosures.

Will you be allowed to tell after final selection is done?

Yes

MikroTik staff on the forum have written that requests for features that are backed up by sales should be sent to their sales address and/or their distributors, not posted on the forum.
Apparently (and understandably) requests via that channel have more priority. Requests on the forum must have near zero priority, as there have literally been thousands of requests for better openvpn.

Yes I know. I have read their statement. But this is an issue since 2010.... Maybe earlier. I contacted the distributor and said that there is nothing he can do. Since there are literraly thousands of request, MikroTik could listen a bit more serious to some of them. Even though it is a user forum, their staff is reading along. But I am glad to have kid control.

However, the statement I made earlier stands.

this is an issue since 2010

It's almost like a disincentive in spite of other VPN tech like IPSEC which has a quite good implementation that keeps evolving. In retrospect, what we heard in the last 10 years about why NOT implement it properly sound like really bad excuses. Or it's an indisclosable licensing issue (SW stacks inside an MT box are not exactly open source, when interfacing gets into picture). I might be making up a contheo here, though.

Yes I think it is a licensing issue. Somehow MikroTik cannot use the reference openvpn implementation and they had to write something themselves, which apparently was not done well and now nobody wants to touch that anymore.
I have had a router from another manufacturer that listed OpenVPN in its sales leaflet, but by the time I had updated the firmware to the latest revision it was gone. Forever.
So likely a similar issue.

If at least we had a robust implementation of any virtualization tech in ROS for the lower-end devices, we would be able to add an image with a fully working OVPN implementation. It really baffles me that wherever we use MT devices and use OVPN (much more user friendly and easier to manage, support and pass through firewalls) we always need to add it to some other device or server.

If at least we had a robust implementation of any virtualization tech in ROS for the lower-end devices, we would be able to add an image with a fully working OVPN implementation.

I think what we need is not virtualization as it (rudimentarily) exists now, but a feature to run user contributed programs on the router, which live in a chroot/limited privileges jail and can be configured to use simple network socket services and access to local configuration files only.
That could be used to implement OpenVPN and many other requested features for which a comparatively large number of requests is seen here, but for which there is no demand in the vast numbers of users of MikroTik equipment in general.
Running programs instead of virtualization uses much less resources and likely is easier to get going too.
Maybe, like the competitor does, a separate package of RouterOS containing this feature should be released so the plain users are protected from any additional security risks and the support department can handle issues occurring when using this feature at lower priority.
(similar to how some other competitors offer a "jailbreak" feature that gets indicated in generated support info and basically makes you lose product support)

VIrtualization is a ubiquitous technology nowadays. Almost all x86 and many ARM platforms (and more) are capable of running it. Kernel/cgroup based technologies (eg. Docker, LXC) are practically available anywhere where a Linux kernel is running. It's not rudimentary, it's rock solid (when properly integrated - no need to reinvent the wheel for the whole stack). Believe me, it's a LOT simpler for the manufacturer to allow a users upload an image instead of letting them in their file system and using quirks like chroot. Easier and cleaner resource separation, better security, simpler maintenance. But I think chances for this to happen are in the same probability tier as having a fully working OVPN stack.

RouterOS already has it. But newer small devices do not have enough resources (disk space, mainly) to use it.
And judging by the many demands for better OpenVPN, it does not suit the desires of most users anyway. Likely, it is too complicated to have 2 virtual routers for the task of implementing a VPN.

I don't recall any of the device series released in the last couple of years actively supporting or advertising any kind of virtualization (not talking about x86 solutions here). Only one should be supported, if ever, not 2 or more. That wouldn't make sense. If the technology changes, so be it, but it should be one in general use for Linux kernels.

Likely, it is too complicated to have 2 virtual routers for the task of implementing a VPN.

If I have to manage whole OpenWRT in MetaROUTER (assuming that my device supports it at all), I might as well get some Raspi-like device and use that instead. And it will be even easier, I will have more OS choices, etc. But mainly, VPN is basic thing that shouldn't need anything extra and router should be able to handle it by itself, I don't want another machine for that, physical or virtual.

I don't recall any of the device series released in the last couple of years actively supporting or advertising any kind of virtualization

That is probably because it is advertised so little.
But the mipsbe and ppc devices have a feature called MetaROUTER which basically is virtualisation.
You can run a virtual router running RouterOS as well, or some externally obtained image that could e.g. be OpenWRT.

I know what MR is and I used to use and test it. But it's not supported well and I have no idea what technology it uses. Seems left in ROS as a feature but it's effectively abandoned.

That is why I suggested a more lightweight approach which does not require special processor and kernel support and is the natural way to add functions: a user process.
And to keep it reasonably secure, use some existing Linux features to guard it.

I already mentioned two of those. Support is in mainline for ages. Both stable, widely used. As for security, both can work unprivileged (no root access at all). A chroot is not a solution. But it's up to MT anyway and I'm not really keeping my hopes up in either subject.

UP OpenVPN with SHA256!

Finally up and running with RouterOS 7.0 beta3!

Finally up and running with RouterOS 7.0 beta3!

Finally. That's nice. I see the new UDP option, however still no SHA2 HMAC or EC cipher algos there. Only the outdated MD5 and SHA1 and AES for cipher, which in itself is good, but not enough (no TLS auth either). Well, it's still a beta so hopefully we'll have a more or less complete implementation later in stable releases.

stable UDP and SHA512

Btw I now noticed that ovpn in ROS only supports md5 and sha1 (sha256, sha224, sha384, sha512). SHA512 would be fine!

I do not really understand that they ignore their customers since over 10 years. The first request was 10 FCKING YEARS AGO FOR UDP SUPPORT.
It was my last Mikrotik router..

stable UDP and SHA512

Btw I now noticed that ovpn in ROS only supports md5 and sha1 (sha256, sha224, sha384, sha512). SHA512 would be fine!

SHA256 and up are actually part of the SHA2 family of hashes, including SHA512. There's no practical difference between eg. SHA256 and SHA512. But still no GCM support, nor TLS auth.

2021
am I the only one here still waiting for sha256, TLS auth, and auth without username/password?

for now I'm trying aws free tier + openvpn AS
I would like to try openvpn Cloud

2021
am I the only one here still waiting for sha256, TLS auth, and auth without username/password?

for now I'm trying aws free tier + openvpn AS
I would like to try openvpn Cloud

No, you are not alone. I've been following this for the last 4 years, as this is the only thing holding me back from buying Mikrotik products.
Having full implementation of OpenVPN is rudimentary today, and I can't understand why Mikrotik engineer simply ignores this.
Are there some Latvian regulation that prohibits full OpenVPN implementation, so government can tap into encrypted communication, or what?

I think the issue is that RouterOS does not use the available opensource OpenVPN implementation, probably for reasons of licensing.
They implemented the protocol themselves and now it is a lot of work to keep uptodate with what the opensource version develops.
And don't forget that while one crowd is asking for OpenVPN, another has moved on to Wireguard or standardized protcols like IKEv2.
So you never satisfy all the customers...
The v7 beta has a better OpenVPN but it still is not 100% complete.

+1 for SHA256 support.

Let me start by saying I am fairly new to the Mikrotik eco-system and the lack of SHA256 does seem to be odd in 2021. I am also a bit shocked that this thread has been around for nearly 4 years. Wow...

At first read I thought the hold up might be due to the US's exporting of encryption laws (https://en.wikipedia.org/wiki/Export_of ... ted_States), but I'm fairly sure after 4 years they would have solved this (if this was indeed the reason for the delay) and RouterOS would have a available SHA256 library baked into it thats currently being used by a different component (Wifi, other VPN protocols, etc.)

Anyway, I have submitted a feature request via the official support channels, I assume you all have too.

Has anyone heard anything back from Mikrotik on this topic?

Please read the reply above your posting (#65)
OpenVPN in RouterOS is not the standard application that you just have to download every couple months to track what the world is doing.
For better (but not complete) OpenVPN see the v7 beta. Of course with the note that it is a beta.

Please read the reply above your posting (#65)
OpenVPN in RouterOS is not the standard application that you just have to download every couple months to track what the world is doing.
For better (but not complete) OpenVPN see the v7 beta. Of course with the note that it is a beta.

Yes I did read you post, I suspect you are correct that the OpenVPN within RouterOS is bespoke implementation.
I am currently running RouterOS v7 as I need to use Wireguard and the fq_codel has fixed my bufferbloat.

I got a response Mikrotik regarding from my submitted feature request...

Thank you for your feedback. Unfortunately, there are no short term plans to implement SHA2 support for OpenVPN in RouterOS.

...so it doesn't look like SHA256 is coming to RouterOS anytime soon, which is a shame as the rest of the world has moved on from SHA1 & MD5 as hashing algorithms

...so it doesn't look like SHA256 is coming to RouterOS anytime soon, which is a shame as the rest of the world has moved on from SHA1 & MD5 as hashing algorithms

On the other hand, that does not really make sense.
The strength of the hashing algorithm is important for applications like certificates or password hashing, but for a VPN those algorithms are more than strong enough.
(in the application of hashing the data for integrity protection, it could be different for a connection procedure depending on the actual VPN protocol)

"the world" (and here I mean the security world) has a tendency to overstate the importance of issues like this, and forget the big picture.
They often are complaining that the 2cm steel doors in the bulding are not strong enough and need to be replaced by new 10cm titanium doors, while not paying attention to the 4mm glass window aside of it.