
Mikrotik router as OpenVPN Client - insertcoffee
https://github.com/missinglink/mikrotik-openvpn-client
======
Mic92
Mikrotik's support for OpenVPN/IPsec is a joke. They should just let you
specify a plain openvpn configuration instead. I would not recommend these
routers with original firmware.

~~~
r1ch
No UDP support after all these years is really quite shameful. Tunneling TCP
over TCP is insanely bad, the slightest packet loss and your connections are
toast.

~~~
snowwindwaves
still not? I was moaning about this in 2006. I can't imagine why Mikrotik
can't be bothered to implement UDP for OpenVPN when they have added so many
other features.

This is my #1 gripe with mikrotik, you can't figure out if the feature you
want to use is half-baked or not without testing it. And then once it works
you had better not upgrade versions or it may very well break.

Finding a version which has all the features you need working used to be a
nightmare.

~~~
sathackr
Yea...this is a problem with them.

I recently spent several hours trying to implement BFD...only to find out it's
broken on CCR, known to be broken, and won't be fixed any time soon [1]

But to be fair, I've run across similar things in Cisco land. Spend hours
trying to get something to work, when I finally run across a single line
somewhere on their site that says what I'm trying to do doesn't work with CEF
and I have to disable CEF if I want it to work. Which cuts my throughput by
10x.

[1]
[http://forum.mikrotik.com/viewtopic.php?t=108280](http://forum.mikrotik.com/viewtopic.php?t=108280)

------
nathanvanfleet
At one point I was kind of excited about Mikrotik routers. They seemed pretty
beefy, a bit pricey, but cool as a device supporting OpenWRT and having an OS
that they said was "even better" than OpenWRT.

However everything I looked at was somewhat disappointing. One router I was
looking at had an unpowered USB port, that was a low speed (USB 1), which just
seemed to be a weird caveat when consumer routers of the time were all USB-2
and capable of running at least a small pocket hard drive or at least mount a
USB key.

At this point there seems to be a lot of good commercial routers which are
strong, cheap, and don't require much blob code etc and are easy to find
(sometimes it was vague what kind of chips you'd get with different commercial
hardware).

~~~
zippergz
I guess I'm too used to Cisco and Juniper pricing, but "pricey" is the last
thing that comes to mind when I think of Mikrotik... When you say "good
commercial routers" that are cheaper, are you talking about consumer hardware?
I'm curious what you prefer.

I don't have any Mikrotik hardware at all, so I don't have any vested interest
here - I am just curious what people are liking these days. The vast majority
of the consumer networking gear I've tried has been terrible, even with
alternate firmware (e.g. OpenWRT doesn't keep crappy Linksys routers from
overheating).

~~~
atombender
I'm using a $50 Mikrotik hAP AC Lite (RB952Ui-5ac2nD-US) as a home router.
It's not the most high-powered router — it only has a single 5GHz radio, no
antenna, and the Ethernet port is 10/100 only — but it's stunningly solid.

Previously I had, over the span of 18 months, an ASUS "Dark Knight" (whose
5GHz network slowly faded and then _disappeared_, apparently a known issue),
an ASUS RT-AC66U (frequently just choked, requiring a reboot), and a Netgear
Nighthawk AC1900 (same, and also issues with unstable wifi).

By contrast, the Mikrotik has been rock stable for the time I've had it (6
months). I also love the WebFig UI. It's a lot more technical than consumer
routers, but it's responsive, consistent and doesn't hide any technical
details from me. I don't need 90% of the RouterOS features, but I know that if
I needed something obscure, I could set it up. You basically get an
industrial-quality Linux-based router/switch OS for almost nothing.

(I do like the fine-grained metrics, though. You can get bandwidth and
connection data not just per interface, but also per NAT rule, for example.)

~~~
sathackr
I cut my teeth at an "ISP" that would order a business DSL line at a
MDU/Apartment complex, run it through a Linksys router, then over the phone
wiring using 2-wire "HomePNA" devices and charge each person $30/month for the
service.

The routers locked up so much they had one of those plug-in timers [1] set to
reboot the router each night during their 'daily maintenance period'. They
wouldn't even dispatch someone to do it when they started getting calls.

[1] [http://www.walmart.com/ip/GE-15153-GE-Mechanical-24-Hour-1-O...](http://www.walmart.com/ip/GE-15153-GE-Mechanical-24-Hour-1-Outlet-Plug-In-Timer/25524763)

~~~
atombender
That's the most ridiculous thing I've ever read on HN.

~~~
sathackr
I left after about 6 months. This was around 2001.

They also got in trouble with the LEC(and law enforcement) for using the LEC
copper to interconnect their equipment between buildings. It was a common
practice for them to tone out pairs in a neighborhood and patch their own
wires in using the LEC's boxes and wiring.

They are no longer in business.

------
ausjke
Mikrotik was pre-Ubnt and had excellent hardware lineups. These days Ubnt is
miles ahead in the router/wireless-board field, which puzzled me.

While Mikrotik sells its RouterOS, it's not that hard to install Openwrt on
it. Ubnt was quite Openwrt friendly at the start, not so any more.

These days I'm just assembling my own x86 routers. PCengines and Soekris do
not have the best performance/price ratio nowadays, and they somehow just feel
a bit out of date.

~~~
sathackr
I have personally deployed about 100 Mikrotik routers and can say they work
well for what they do.

They're not designed to be a home router and the learning curve if you want to
use one like that would be similar to someone without Cisco IOS knowledge
trying to configure a Cisco IOS device as a home router.

Not many routers can do 5-10gb/s+ throughput for the price. Their most recent
model has 8x10Gb ports, costs USD $2,500 and will route the full 80gb/s [1]

They have come a long way since the RB433 and running on Soekris/PCEngines
boards. UBNT is just getting started in the real router field(Not their Radio-
with-a-router, those are quite mature now but very limited in features) and I
do not care for their current EdgeRouter UI. It's a mess. For example: You
need local access just to add the interface you're accessing it from to a
bridge. (Because you can't add an interface WITH an IP on it to a bridge, and
you can't remove the IP from the interface without losing access. You can
apply multiple commands at once, but the command validation doesn't honor the
order that you enter them, thus tosses an error because it tries to add the
interface to the bridge before removing the IP)

Sure you can put something x86 together and run one of the many many
firewall/routing OSes, or even roll your own with (pick your flavor) Linux,
Zebra and IPTables, but I don't have time to make something work and prefer
something that just works and isn't priced at the Cisco/Juniper level.

I wouldn't recommend either for mission-critical ENTERPRISE grade routing,
without significant planning into redundancy, but, if you are doing things at
that level, then you probably have the funds to purchase enterprise grade
gear.

[1] [http://www.stubarea51.net/2015/10/09/mikrotik-ccr1072-1g-8s-...](http://www.stubarea51.net/2015/10/09/mikrotik-ccr1072-1g-8s-review-part-3-80-gbps-throughput-testing/)

~~~
walrus01
"Their most recent model has 8x10Gb ports, costs USD $2,500 and will route the
full 80gb/s"

No, it won't route 80Gbps, because any single flow on a CCR uses a single core
on their multi core Tilera CPUs. The CCRs struggle to really do 10Gbps of real
world IP transit traffic.

If you're pushing 5Gbps+ of your customers' IP traffic in a daily sine wave
pattern to/from upstream and adjacent BGP peers (paid IP transit and peering
at a local IX), and have $2,500 to spend, you will be MUCH better off buying a
proper routing platform that has things like hotswap fan trays, hotswap 1+1 or
N+1 power supplies, redundant hotswap routing engines, etc. You can do this
with a used/refurb Cisco or Juniper for the same price as the higher end
Mikrotiks. I can build a Cisco 7604 or 7606 with dual RSP720 for less than
$2000.

The CCRs have a single motherboard in them that is about the same quality as a
$85 PC motherboard. If you're running an ISP that is moving multi-Gbps of
customer traffic and have potentially thousands of singlehomed customers
downstream of you, do you want to rely on a 'core' router that has absolutely
zero hardware redundancy?

Mikrotiks have their place at edge and small aggregation but when you start
talking about things that are $2,000+, please, buy a real router.

~~~
sathackr
What ISP needs a single flow to exceed 1gb? I would venture to say _most_ non-
storage networks don't have single flow requirements in the Gb/s.

I can buy 3 CCR routers and run OSPF/BGP/etc... on them to provide redundancy.
The likelihood of all 3 failing at once is slim and I'm still an order of
magnitude cheaper than an equivalent Cisco/Juniper setup. Yes, dynamic routing
takes a few seconds to converge, so an unplanned failure will result in a
short disruption in connectivity, but planned maintenance can be done
seamlessly, including power supply replacement (since only one model has hot-
swappable power supplies). I do not deploy any single-power models and have
not had a single router fail in the 2 years I have been deploying them. I have
had a $6500 Cisco ASA fail, twice.

I am a fan of all 3. Cisco and Juniper make great equipment. So does Mikrotik.
Each one is a tool that must be used properly and the right one needs to be
selected for the job and requirements.

~~~
walrus01
Thing is, it's not an 'order of magnitude' different in price... Three $2500
CCRs vs, what? I know somebody who recently bought a whole Juniper MX960 for
around $10,000. For a serious ISP that is a big jump in capability and
resiliency.

If looking at used/refurb core routing platforms these days, anything that is
not capable of being upgraded to a reasonable density of 100GbE is selling for
very affordable prices now. Even systems that are fully modular and redundant
and capable of more than 60 10GbE interfaces in one chassis, such as the MX480
or MX960. Or an ASR9006/ASR9010 with first generation linecards.

~~~
sathackr
I'm seeing used, empty, MX480s in the range of $13k on ebay[1]. Plus $3k for
add in 10g cards[2]

And I have to pay for support if I want to get updates, security patches,
etc... [3]

And I need 2+ of them if I want to multi-home.

So I'm buying a used device of unknown history, that someone is selling for
unknown reasons (could be a working pull, could be something with an obscure
problem that will surface 3 months later), without a hardware warranty or
support, with outdated software, and going to trust my entire network with it
and its internal redundancy. If I could get 3 for that price I might consider
it.

I like the SpaceX approach. Don't trust one big expensive engine to get you
where you're going. It probably won't fail, but if it does, you're toast.
Trust 9 cheaper ones and have enough redundancy that if/when one does fail,
you shrug and keep going and just replace it before the next launch.

[1]
[http://www.ebay.com/itm/221776643106](http://www.ebay.com/itm/221776643106)

[2]
[http://www.ebay.com/itm/122004198861](http://www.ebay.com/itm/122004198861)

[3] [http://www.juniper.net/techpubs/en_US/release-independent/ju...](http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/task/installation/software-packages-downloading.html)

------
girzel
I bought a Mikrotik a month or two ago, expressly so I could install OpenWRT
on it, and use it to get around the Chinese firewall with Shadowsocks. The
OpenWRT install never worked, so now I just have a (pretty nice) router, doing
what routers are supposed to do. It's long since that OpenVPN didn't work in
China, but this should provide a good learning experience, and who knows,
maybe it will lead me to something that works.

~~~
netheril96
To get around GFW, use openconnect instead. That is as or more secure than
OpenVPN, and not currently filtered.

~~~
vetinari
> That is as or more secure than OpenVPN

How does it achieve that? They both use TLS, in both, you can pick your
ciphers.

Additionally, they both use OpenSSL, which is often found buggy and the ciphers
are not hw accelerated.

~~~
zurn
OpenVPN uses its own non-TLS UDP protocol to carry traffic (with an optional
TCP fallback), and only uses TLS for connection setup. ref:
[https://wiki.wireshark.org/OpenVPN](https://wiki.wireshark.org/OpenVPN)
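
Added example (Go; not code from the thread, from the linked repo, or from the OpenVPN project) of the framing zurn describes: a small dissector that reads only the unencrypted first byte of each packet (opcode in the high five bits, key id in the low three) to tell control-channel packets, which carry the TLS handshake, from data-channel packets, which use OpenVPN's own encrypted record format, and that strips the 2-byte length prefix OpenVPN adds in TCP mode. The opcode numbers are those of OpenVPN's ssl_pkt.h; the two sample packets are constructed for the example, not captured traffic.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// OpenVPN opcodes, the high five bits of every packet's first byte (as in ssl_pkt.h).
const (
	OpControlHardResetClientV1 byte = 1
	OpControlHardResetServerV1 byte = 2
	OpControlSoftResetV1       byte = 3
	OpControlV1                byte = 4
	OpAckV1                    byte = 5
	OpDataV1                   byte = 6
	OpControlHardResetClientV2 byte = 7
	OpControlHardResetServerV2 byte = 8
	OpDataV2                   byte = 9
	OpControlHardResetClientV3 byte = 10
)

// Header is what a packet reveals without keys; the opcode byte is never encrypted,
// not even with tls-auth or tls-crypt.
type Header struct {
	Opcode    byte
	KeyID     byte   // low three bits of the first byte
	Control   bool   // control channel: carries the TLS handshake
	SessionID []byte // 8-byte session id, control channel only
	PeerID    uint32 // 24-bit peer id, P_DATA_V2 only
}

// ParsePacket classifies one OpenVPN packet as carried in one UDP datagram.
func ParsePacket(pkt []byte) (Header, error) {
	if len(pkt) == 0 {
		return Header{}, errors.New("empty packet")
	}
	h := Header{Opcode: pkt[0] >> 3, KeyID: pkt[0] & 0x07}
	switch h.Opcode {
	case OpDataV1: // opcode byte, then OpenVPN's own encrypted record: no TLS here
	case OpDataV2:
		if len(pkt) < 4 {
			return h, errors.New("P_DATA_V2 too short for peer id")
		}
		h.PeerID = uint32(pkt[1])<<16 | uint32(pkt[2])<<8 | uint32(pkt[3])
	case OpControlHardResetClientV1, OpControlHardResetServerV1, OpControlSoftResetV1,
		OpControlV1, OpAckV1, OpControlHardResetClientV2, OpControlHardResetServerV2,
		OpControlHardResetClientV3:
		h.Control = true
		if len(pkt) < 9 {
			return h, errors.New("control packet too short for session id")
		}
		h.SessionID = append([]byte(nil), pkt[1:9]...)
	default:
		return h, fmt.Errorf("unknown opcode %d", h.Opcode)
	}
	return h, nil
}

// ParseTCPStream undoes OpenVPN's TCP framing (2-byte big-endian length per packet).
func ParseTCPStream(stream []byte) ([]Header, error) {
	var out []Header
	for len(stream) > 0 {
		if len(stream) < 2 {
			return out, errors.New("truncated length prefix")
		}
		n := int(binary.BigEndian.Uint16(stream))
		if len(stream)-2 < n {
			return out, fmt.Errorf("truncated packet: want %d bytes, have %d", n, len(stream)-2)
		}
		h, err := ParsePacket(stream[2 : 2+n])
		if err != nil {
			return out, err
		}
		out = append(out, h)
		stream = stream[2+n:]
	}
	return out, nil
}

// Frame applies that TCP framing to packets, the inverse of ParseTCPStream.
func Frame(pkts ...[]byte) []byte {
	var s []byte
	for _, p := range pkts {
		s = append(s, byte(len(p)>>8), byte(len(p)))
		s = append(s, p...)
	}
	return s
}

// Constructed samples (not captured traffic): a client's opening hard reset and a data packet.
var (
	SampleClientReset = []byte{0x38, 1, 2, 3, 4, 5, 6, 7, 8, 0, 0, 0, 0, 0} // op 7/key 0, session id, no acks, packet id 0
	SampleDataV2      = []byte{0x49, 0, 0, 5, 0xde, 0xad, 0xbe, 0xef}        // op 9/key 1, peer id 5, ciphertext
)

func main() {
	hdrs, err := ParseTCPStream(Frame(SampleClientReset, SampleDataV2))
	fmt.Printf("%+v %v\n", hdrs, err)
}
```

The same one-byte check is what a firewall or IDS uses to fingerprint OpenVPN on any port: a fresh client connection opens with a 0x38 lead byte (P_CONTROL_HARD_RESET_CLIENT_V2) in the clear, tls-crypt or not, which is one reason plain OpenVPN is easy to block.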

------
vxxzy
You can run OpenWRT as a virtual router (MetaRouter) on top of Mikrotik. That
would allow you to get around the TCP limit. Does anyone have any experience
with running OpenWRT as a MetaRouter?

~~~
tjohns
I've done it. It works fine. You just have to keep in mind that most of the
Routerboard products have limited RAM, like any other embedded device.

The only catch is that anything done inside of OpenWRT has to be configured by
hand from a terminal (obviously), instead of through Mikrotik's admin console.

------
pingec
Quite handy. If anyone has OpenWrt hardware like me, OpenVpn clients and
servers work well enough and the setup is well documented:
[https://wiki.openwrt.org/doc/howto/vpn.openvpn](https://wiki.openwrt.org/doc/howto/vpn.openvpn)

~~~
machbio
For a beginner - I would suggest DD-WRT as it's more beginner friendly as
compared to OpenWrt; the OpenVPN documentation is pretty good - [https://www.dd-wrt.com/wiki/index.php/OpenVPN](https://www.dd-wrt.com/wiki/index.php/OpenVPN)

As for Router support - the best one would be the Archer C7 from TPLink
([http://www.dd-wrt.com/wiki/index.php/Supported_Devices#TP-Li...](http://www.dd-wrt.com/wiki/index.php/Supported_Devices#TP-Link))

~~~
vetinari
Just make sure what batch of C7s you are buying from.

TPLink started to lock down the firmware, due to the new regulation about
locking down wifi devices. So if you get an unlocked C7, you are fine, if
locked, you get to keep their firmware on the device.

Currently, the only safe choices for OpenWRT are Linksys WRT1900ACS and Turris
Omnia. Both are a bit pricier.

~~~
machbio
They are selling the C7 v2s as of now on Amazon - DD-WRT has the firmware
for it.

------
orf
I have a friend who's part of a startup here in the UK that makes routers for
gamers called NetDuma[1]. The routers they sell have a VPN client like this
ready to go, I've got one and it works well.

1. [http://www.netduma.com/](http://www.netduma.com/)

~~~
r1ch
These are actually Mikrotik devices too, just with OpenWRT pre-installed
instead of their proprietary RouterOS.

------
fluential
Be aware that very few routers actually have enough power to do openvpn
encryption with higher bandwidth (20Mbit+) links and 256CBC encryption. You may
get better results by downgrading your cipher (not every vpn provider supports
that). To achieve good performance you are looking for hardware with Intel
QuickAssist; I would recommend putting pfsense on something like
[http://store.netgate.com/ADI/RCC-VE-2440.aspx](http://store.netgate.com/ADI/RCC-VE-2440.aspx)
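
Added example (Go; not code from the thread, from pfSense or from OpenVPN) for the sizing question fluential raises: before buying or downgrading a cipher, measure what the CPU in question can actually push through the configurations a provider usually offers. It encrypts 1408-byte pieces, about one OpenVPN data packet, with AES-256-CBC, AES-128-CBC and the AES-GCM variants and reports Mbit/s on one core. Go's crypto/aes uses AES-NI or the ARMv8 crypto extensions when present, so cross-compile for the router (GOOS=linux GOARCH=mips or arm) and run it there rather than on your laptop. It measures the cipher only: OpenVPN's HMAC for CBC, tun/tap copies and context switches push the real tunnel rate lower, so treat the number as an upper bound.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// PacketSize approximates one OpenVPN data-channel payload; it is a multiple
// of the AES block size so CBC needs no padding in this measurement.
const PacketSize = 1408

func mbps(n int, d time.Duration) float64 {
	if d <= 0 {
		d = time.Nanosecond
	}
	return float64(n) * 8 / 1e6 / d.Seconds()
}

// CBCMbps encrypts totalBytes in PacketSize pieces with AES-CBC and returns
// megabits per second; keyLen 16 is AES-128, 32 is AES-256.
func CBCMbps(keyLen, totalBytes int) (float64, error) {
	key, iv := make([]byte, keyLen), make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	if _, err := rand.Read(iv); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
	if err != nil {
		return 0, err
	}
	enc := cipher.NewCBCEncrypter(block, iv)
	buf := make([]byte, PacketSize)
	start := time.Now()
	for done := 0; done < totalBytes; done += PacketSize {
		enc.CryptBlocks(buf, buf) // in place; the chaining state carries over
	}
	return mbps(totalBytes, time.Since(start)), nil
}

// GCMMbps does the same with AES-GCM, the AEAD mode newer OpenVPN releases
// use for the data channel; the nonce is a counter so it is never reused.
func GCMMbps(keyLen, totalBytes int) (float64, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return 0, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	nonce := make([]byte, aead.NonceSize())
	buf := make([]byte, PacketSize)
	out := make([]byte, 0, PacketSize+aead.Overhead())
	start := time.Now()
	for ctr := uint64(0); ctr*PacketSize < uint64(totalBytes); ctr++ {
		binary.BigEndian.PutUint64(nonce[len(nonce)-8:], ctr)
		out = aead.Seal(out[:0], nonce, buf, nil)
	}
	return mbps(totalBytes, time.Since(start)), nil
}

func main() {
	const total = 64 << 20 // 64 MiB per cipher
	for _, c := range []struct {
		name   string
		keyLen int
		fn     func(int, int) (float64, error)
	}{
		{"AES-256-CBC", 32, CBCMbps}, {"AES-128-CBC", 16, CBCMbps},
		{"AES-256-GCM", 32, GCMMbps}, {"AES-128-GCM", 16, GCMMbps},
	} {
		r, err := c.fn(c.keyLen, total)
		if err != nil {
			fmt.Println(c.name, err)
			continue
		}
		fmt.Printf("%-12s %7.0f Mbit/s (one core, cipher only)\n", c.name, r)
	}
}
```

On a box with hardware AES the gap between AES-256 and AES-128 is small and the cipher is rarely the bottleneck; on a MIPS router without it the numbers drop by an order of magnitude and the cipher downgrade fluential mentions starts to matter.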

~~~
kyrra
I actually just built one with a C2758 (8 core atom) supermicro board. I put
PFsense on it and it's been running great. I have gigabit internet at home, so
I opted for the more powerful box. A lot of people on the pfsense forums seem
to use one of these boards.

2 core:
[http://www.supermicro.com/products/motherboard/Atom/X10/A1SR...](http://www.supermicro.com/products/motherboard/Atom/X10/A1SRi-2358F.cfm)

4 core:
[http://www.supermicro.com/products/motherboard/Atom/X10/A1SR...](http://www.supermicro.com/products/motherboard/Atom/X10/A1SRi-2558F.cfm)

8 core:
[http://www.supermicro.com/products/motherboard/Atom/X10/A1SR...](http://www.supermicro.com/products/motherboard/Atom/X10/A1SRi-2758F.cfm)

------
jeffdubin
I started using pfSense on itx Intel-based hardware and have been quite happy
with the results, though using it with modern hardware (recommended with
today's faster broadband speeds) means it's usually a little pricier than most
consumer devices. Now there's news that the pfSense team is working on a
small, ARM-based device which sounds like it'd give Mikrotik devices
competition. If you can hold out a bit, it might be worth the wait.

------
machbio
just want to suggest this script for OPENVPN setup - much easier to set up for
multiple clients - [https://github.com/Nyr/openvpn-install](https://github.com/Nyr/openvpn-install)

------
jlgaddis
I'm a network engineer for an ISP (5 years now; ~8 years in the same role at a
.edu before this) and I am very much in the Cisco/Juniper camp.

When I started at the ISP, I had never even heard of Mikrotik. Having been
using high-end Cisco/Juniper gear for years, I was quite skeptical that those
cheap little Mikrotiks were worth a damn.

I've actually been quite surprised. While all of my "critical" infrastructure
runs on Cisco, I've got several Mikrotik routers running in production, almost
exclusively as access concentrators (for PPPoE sessions). I really use very
little of their features, but they handle PPPoE and OSPF just fine.

We also have an MSP side, which is mostly our ISP customers whom we also
handle managing their local networks for. Our guys have deployed a handful of
Mikrotiks at the edge of these customer networks as well but, again, this is
just basic office router functionality (DHCP, NAT, firewalling, etc.).

For the price point, they're actually pretty decent devices. I don't own any
myself (excluding a couple in my "networking test lab" here at home, but those
belong to $work) and wouldn't personally use one. This is mostly on principle
-- I disagree with their beliefs when it comes to the GPL and compliance.

Also, I wouldn't recommend using them for anything you deem "critical" or even
"really important". Just read through the Changelogs for their firmware
releases -- some of the bugs/fixes do not instill confidence in their software
engineering.

FWIW, my router at home (on a fiber connection) is (was?) designed and sold as
a RouterOS device [0], although I removed the Mikrotik CF card and replaced it
with another one that I installed an OpenBSD image onto [1]. It's mounted
read-only (except when I want to modify things, of course) to preserve the
lifetime but lately, I've been considering installing an SSD into it. It's
actually a pretty powerful (albeit low-end) PC disguised as a router. It can
easily provide all the basic network services one might need at home (DHCP,
DNS, NAT, firewalling, TFTP, etc.). It wasn't cheap, though -- $600, IIRC, but
it's a few years old now. I wrote a bit more about it [2] a few months ago.

[0]:
[http://www.balticnetworks.com/docs/routermaxx%206%20port.pdf](http://www.balticnetworks.com/docs/routermaxx%206%20port.pdf)
(PDF)

[1]: [http://www.nmedia.net/flashrd/](http://www.nmedia.net/flashrd/)

[2]:
[https://news.ycombinator.com/item?id=10796573](https://news.ycombinator.com/item?id=10796573)

------
sarahtaylor01
good site

