MikroTik

Is UDP support for OpenVPN planned anytime soon?

I also wanted to use this post to thank you for both OpenVPN and MPLS - good to see RouterOS developing in good directions - so, THANK YOU!

also lzo support

Bump on this. Any plans to add UDP support to RouterOS' implementation of OpenVPN?

You can solve this using zeroshell, suports open vpn udp, compression

And RADIUS and proper certificate authentication.

PLEASE!

What's the status on this ?

I got RADIUS to work right, and certificates to a point, but not the way I want em.

MT doesnt seem to care about adding lzo or UDP support into OVPN.

RouterOS is kept lightweight and that's good, so... I wound't want to rush the developers to put in a big pile of code that might break things.

But this functionality seems to eb extremely useful for a ton of potential and current buyers of MT products.


Sooo....

The only part of it that I could see making it not "small and lightweight" is lzo. I understand they would have to compile lzo into it but that would add add what? 20-30k to the openvpn executable if complied statically?

I might be off base, but UDP support is the default for OpenVPN and I dont see why it wouldnt remain enabled by default.

I am on your side. I even edited the wiki here http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests And I hope I made it clear that people are asking for this.

Damn dude... You were busy.



I was already on that list. Although there are other features I would like, I try to minimize my requests to the most important. Im fine with not asking for everything as long as I get something.

I will give them 100$ right now cash if they make 'em happen - the things that I and my clients need. But the devs will need more time Maybe in v7

My 2 other wishes are arpwatch and rogue ap detection.

RouterOS OpenVPN support UDP is our wish. Because Performance was not good when Using TCP in over 10 openvpn site-to-site mesh infrastructure.

+1 for UDP.

OpenNMS requires UDP to monitor SNMP info

Currently we need to have an OpenNMS server running to monitor all our non-RouterOS locations, and another ONMS server running inside each of our RouterOS locations for SNMP collection.

This means instead of keeping track of all our systems in one ONMS interface we have to maintain and monitor numerous ONMS deployments.

If UDP support were enabled we could just VPN all our locations and have a single OpenNMS server keeping track of everything.

If your monitoring thing is so leet, why don't you just PPTP , or EoIP to it ? To collect UDP packets and whatever.

If your monitoring thing is so leet, why don't you just PPTP , or EoIP to it ? To collect UDP packets and whatever.

Can't find any clear guide for setting up a PPTP or EoIP tunnel between a Routerboard 450 and a CentOS/RHEL server.

Can you point me in the right direction?

I'm unfamiliar with both PPTP and EoIP.

Thanks!

PPTP is minimally secure... Shouldnt be used for permanent VPN connections.

Do you think that the farmers from the viligaes have any security ? It's the ISP business reality.

Some networks need security, it is true. But then IPSec is an option as well.

+1 for UDP.

OpenNMS requires UDP to monitor SNMP info

...

I think you misunderstood what is not supported. OpenVPN tunnel can forward UDP packets or any other protocol packets without any problems. So you can easily set up ovpn tunnels to your server and use that monitoring tool.

Do you think that the farmers from the viligaes have any security ? It's the ISP business reality.

Some networks need security, it is true. But then IPSec is an option as well.

Yeah, but the MT implementation of IPSEC is pretty limiting, especially when it comes to NAT Traversal and Dynamic IPs..

+1 for UDP.

OpenNMS requires UDP to monitor SNMP info

...

I think you misunderstood what is not supported. OpenVPN tunnel can forward UDP packets or any other protocol packets without any problems. So you can easily set up ovpn tunnels to your server and use that monitoring tool.

I think you're right - I do misunderstand what is not supported. In what way is UDP not supported? Or is that simply a false claim that should be amended?

I think you're right - I do misunderstand what is not supported. In what way is UDP not supported? Or is that simply a false claim that should be amended?

The transport of the tunnel is TCP only in MT, where in the complete OpenVPN implementation, it can be either TCP or UDP. UDP is more efficient and less problematic in most situations.

Yes. Let's organise a protest in fron of MT HQ in Latvia With signs and shouting UDP UDP !

Yes. Let's organise a protest in fron of MT HQ in Latvia With signs and shouting UDP UDP !

Thatd probably be going a little far... But, by all accounts, this feature is in high demand. I think it deserves a little more attention than "But its hard"...

When a large amount of customers request a feature, you dont complain about how difficult it is, you make it happen.

Or at least announce when and if to expect it. In two years ? When MikroTik RouterOS no longer is Linux based?

I solved it with metarouter, openwrt works perfectly on rb450g, then you can install openvpn and luci to mnage it. Isn't the best option but for now there is no other with mikrotik...
I saw a fortinet seller after a pilot test vs openvpn going out with his expensive hardware, and I think the real difference was the compression and transmission udp.

UDP! UDP! UDP!
if routeros can not do it, can someone comment an alternative to run on routerboard?
and if routerboard is not good enough, can someone comment good hardware to run openvpn?
we are using cisco 1841 routers for all our offices now, and we want to replace them with openvpn hardware.
thanks for help!!

A Linux box.

UDP! UDP! UDP!
if routeros can not do it, can someone comment an alternative to run on routerboard?
and if routerboard is not good enough, can someone comment good hardware to run openvpn?
we are using cisco 1841 routers for all our offices now, and we want to replace them with openvpn hardware.
thanks for help!!

It is possible to set up openwrt metarouter inside RouterOS. Openwrt will allow you to run OpenVPN with UDP support.
http://wiki.mikrotik.com/wiki/Metaroute ... al_machine

A Linux box.

we already run open vpn linux box at head quarter for many years.
now we want to replace cisco routers at branch offices with hardware that is easy to maintain/replace..

UDP! UDP! UDP!
if routeros can not do it, can someone comment an alternative to run on routerboard?
and if routerboard is not good enough, can someone comment good hardware to run openvpn?
we are using cisco 1841 routers for all our offices now, and we want to replace them with openvpn hardware.
thanks for help!!

It is possible to set up openwrt metarouter inside RouterOS. Openwrt will allow you to run OpenVPN with UDP support.
http://wiki.mikrotik.com/wiki/Metaroute ... al_machine

I have saw post in the forum that metarouter is not very stable. I don't know if people running that in production?
it seems a complicated structure..

+1 for UDP.

OpenNMS requires UDP to monitor SNMP info

...

I think you misunderstood what is not supported. OpenVPN tunnel can forward UDP packets or any other protocol packets without any problems. So you can easily set up ovpn tunnels to your server and use that monitoring tool.

I think you're right - I do misunderstand what is not supported. In what way is UDP not supported? Or is that simply a false claim that should be amended?

this is a great example of how people sometimes don't really know what they need

"this is a great example of how people sometimes don't really know what they need"


Seems like Mikrotik sometimes they don't know what we need :=)

[joking]I need free and open minded women by 2 or 3 at a time.[/joking][or am i]

I also really need the OpenVPN UDP because I have several networks and I have to keep only linux machines to meet the VPNs being that I could do that in RB1100, using TCP is slow and cumbersome, consuming too much CPU.

help much if there was a preview for this.



sds
Marcelino Viana Pinheiro
MVP Technologies Corp
+ 55 41 35261227
+ 55 41 84188001

The CPU is going to be consumed by encryption anyway. You need UDP because it gives better communication performance etc.

OpenVPN's UDP support is one of the main reasons people use OpenVPN (among others), and is enabled by default on almost every installation.

Keep push'n....

Tunneling TCP over a TCP transport is not a good idea at all.

Watch here for details :

http://sites.inka.de/bigred/devel/tcp-tcp.html

So Mikrotik should implement OpenVPN UDP. This is the mode all professionnals are using.

Mikrotik said that OpenVPN will not receive special attention on futur Router OS versions.


I would say that it's certainly more important to developpe a full IPv6 set of functions as well as MPLS on Router OS, Enhance BGP, and keep OpenVPN tunnels on separate boxes where eventually SSL hardware acceleration is available.

Is SSL hardware acceleration available on Router OS ? I don't think so. So if not it's not the right place to put OpenVPN Tunnels.

Is SSL hardware acceleration available on Router OS ? I don't think so. So if not it's not the right place to put OpenVPN Tunnels.

It is on RB1000.... Besides, a 450g will push a 10mbit+ SSL link... I use 2 of them behind my RB1000 for ~150 SSTP tunnels cuz when I have it running my my RB1000, it just leaks memory...

I love Mikrotiks because of their vast amount of features and reasonable license costs and good documentation and user community. i would pay a fair price to have this feature developed. It is sad that UDP is not supported at the moment. I would love to hear from the developers if it is just not technically possible or just is not a priority at the moment and weather or not it is ever planned. Does any know the best way to create a (non-encrypted) tunnel or connection between a Mikrotik and a remote box. Is there some good documentaion for such?

I'm not sure about this but i think i've read somewhere, when i studied OpenVPN some years ago, that UDP do have assembler code optimized for the destination processor and that C++ code is not available for this part of the project.

This need to be verified inside the source code, but if it's true, then it is certainly the reason why UDP is not supported. Too much work to write the needed assembler code.

It would be nice to have explanations from Mikrotik why UDP is not supported. It's only a single parameter to change in the OpenVPN config file (proto udp instead of proto tcp).

I can't undestand why they didn't choose UDP as the default protocol, as it is the recommanded way of doing things. That's why i think there is a low level implementation problem.

Here is somethng i've found on the OpenVPN community Wiki, where we can see that at least the crypto code do have assembler code in it :

From OpenVPN community Wiki :

Some of the crypto routines are written in assembler to increase performance, so you need to/should use an assembler in the next step. If you're building OpenSSL 0.9.8x you can choose between Microsoft Macro Assembler and NASM assembler.

Efforts have been done in the X64 version to remove assembly code, but it is not fully cleaned. (Information found in the OpenVPN developers List).

OpenVPN seems not so easy to compile for something else than X86. I remember i had problems with Synology and Asus products, where new versions of their OS did not allow to run OpenVPN (segmentation faults or not working OpenVPN at all).

There is UDP OpenVPN for all kinds of mips sh!t. DD-WRT, OpenWRT, Bitswitcher, and who knows what.

There is UDP OpenVPN for all kinds of mips sh!t. DD-WRT, OpenWRT, Bitswitcher, and who knows what.

That's true. But when Openwrt has been upgraded from kernel 2.4 to kernel 2.6, OpenVPN stopped to work on Asus routers for example (Broadcom chips).

This show that OpenVPN is not something simple.

I didn't check the OpenVPN status for OpenWRT Kamikaze, i suppose this has been solved now.

There is no "simple" and "kernel" in one sentence. What is simple is to get a headache. The Kernel could have things in it that help other things and programs run. If these things are "optimized" in a newer kernel, all the programs and stuff should be tested again and some would have to be fixed to work with the new kernel again. Often the kernel itself has to be re-"fixed" Happens all the time in Linux world it seems.

Another +1 request for UDP support in MT hardware for OpenVPN!

UDP! UDP! UDP!
if routeros can not do it, can someone comment an alternative to run on routerboard?
and if routerboard is not good enough, can someone comment good hardware to run openvpn?
we are using cisco 1841 routers for all our offices now, and we want to replace them with openvpn hardware.
thanks for help!!

It is possible to set up openwrt metarouter inside RouterOS. Openwrt will allow you to run OpenVPN with UDP support.
http://wiki.mikrotik.com/wiki/Metaroute ... al_machine

hi

i have a question, should i setup openwrt on metarouter, or i can setup on my original router OS.

if i dont setup openwrt on metarouter, i will find problem or not?

also i didnt understand some of wiki instruction.

can you help me moe about that?

thanks

If you want to keep RouterOS then openwrt should be set on metarouter.
If you don't need RouterOS at all you can try to install OpenWRT on routerboard.

Which part exactly you didn't understand? Easiest way is to download precompiled image and import it and Thats it - virtual OpenWRT is up and running

+1 for UDP
+1 for LZO

If you want to keep RouterOS then openwrt should be set on metarouter.
If you don't need RouterOS at all you can try to install OpenWRT on routerboard.

Which part exactly you didn't understand? Easiest way is to download precompiled image and import it and Thats it - virtual OpenWRT is up and running

so you mean if i start that on router OS my router only can service me in openWRT, and doesnt give me any service.

can you explain me about LZO ?

i will start my work and every where that i couldnt i will ask you.

another question is my clents should connect to router with openvpn clinet to openWRT or this openWRT has special client software?

thanks

If you want to keep RouterOS then openwrt should be set on metarouter.
If you don't need RouterOS at all you can try to install OpenWRT on routerboard.

Which part exactly you didn't understand? Easiest way is to download precompiled image and import it and Thats it - virtual OpenWRT is up and running

hi
i import the image and now setup on my router.

i wrote command in router from your wiki guide but when i arrive to mtarouter console 0 i connect but commands doesnt work.

and when i want to add interface for client system said that you should setup static interface , and doesnt match with wiki guide

thanks

If you want to keep RouterOS then openwrt should be set on metarouter.
If you don't need RouterOS at all you can try to install OpenWRT on routerboard.

Which part exactly you didn't understand? Easiest way is to download precompiled image and import it and Thats it - virtual OpenWRT is up and running

i think i should install patch because of some interface such as bridge doesnt support, but SVN doesnt work in the link that you said in wiki.

can you please help me.

when i type interface bridge in metarouter command doesnt work!!

when i type interface bridge in metarouter command doesnt work!!

OpenWRT is not RouterOS, so there is no interface bridge command.

when i type interface bridge in metarouter command doesnt work!!

OpenWRT is not RouterOS, so there is no interface bridge command.

so how can i configure my openwrt, i want to have UDP openvpn connection.

can you help me about that?

refer to openwrt documentation.
http://wiki.openwrt.org/doc/start

refer to openwrt documentation.
http://wiki.openwrt.org/doc/start

here there is nothing for mikrotik, or may be i didnt find, i want to setup this router that my users can connect to this router through udp by openvpn.

please help me i really need that

thanks

here there is nothing for mikrotik

exactly, openwrt is not RouterOS, it is not maintained by Mikrotik. It is completely different open source operating system that you can run virtually on RouterOs. And how to configure it you can find in their manual.

here there is nothing for mikrotik

exactly, openwrt is not RouterOS, it is not maintained by Mikrotik. It is completely different open source operating system that you can run virtually on RouterOs. And how to configure it you can find in their manual.

so can you give me more guide to find how can i configure that

thanks

I solved it with metarouter, openwrt works perfectly on rb450g, then you can install openvpn and luci to mnage it. Isn't the best option but for now there is no other with mikrotik...
I saw a fortinet seller after a pilot test vs openvpn going out with his expensive hardware, and I think the real difference was the compression and transmission udp.

hi

from where i can find openwrt configuration?

thanks

eghtedari2000, OPENWRT is a different operating system, please ask in their forum about how to configure it:
https://forum.openwrt.org/