AmneziaWG in RouterOS?

Hello everyone! Is there a chance of adding the AmneziaWG protocol in future RouterOS releases? For example, Keenetic has already added it in a beta release.

+1
A necessary thing.

It uses Docker and takes a lot of space; it will not fit on most MikroTik routers.

If Keenetic, who make routers for housewives, can do this, I can't believe MikroTik can't.

Maybe at least someone can create a wiki article on how to do this with Docker and how to configure it in simple words. I found this on GitHub but didn't understand everything…

My RB450Gx4 can handle Docker containers, but it seems I don't have enough brains to make it work, so I'd be glad of any help to resist censorship.

Also, sorry for my English; it's not my native language.

Also, it says 2 GB of RAM is needed for the server.

Looks like it has everything needed. So all you need is a powerful ARM device with enough RAM.

My server with two containers (as far as I know, a new container is created for every protocol, and I have AWG and OpenVPN over Cloak installed) uses 500 MB.

Install Docker buildx subsystem

I made it, but I can't understand how to use it :frowning:
But that's not the topic of this forum, I guess. Probably I have to find someone who can explain it to me in very simple terms.

Their privacy policy starts with "The company Amnezia (hereinafter – the "company", "we", "us")", but nowhere do they seem to give more information about that company, like where they are located (i.e. under which jurisdiction they fall)? They say that data can be transferred outside of the EU, but not to which countries. They do say they use Yandex, so I assume they mean that data can be sent to Russia?

Unless somebody has already shown that their apps adhere to https://reproducible-builds.org/, I wouldn't put too much trust in them.

That said, it would be nice if VPN configurations could be exported through a QR code in ROS.

Sorry guys, I'm hijacking this thread.

Hello, normis. I just did a bit deeper investigation into Amnezia and found that you have already implemented this :smiley:. At least about 95% of it.
How can that be? Well, Amnezia is just a small fork of WireGuard. It allows some tuning to prevent, or at least make it difficult for, the Chinese Great Firewall and Russian and Iraqi censorship to shut it down. And, most importantly, it has full backward compatibility with standard WireGuard. If you don't touch any values and leave them at their defaults, it works like standard WireGuard.

https://github.com/amnezia-vpn/amneziawg-go

AmneziaWG is a fork of the WireGuard protocol. We have taken WireGuard as a basis and made some of its parameters (by which it is usually recognized by DPI systems) configurable, i.e. if we leave these parameters at their defaults (equal to 0), AmneziaWG will work as normal WireGuard.

AmneziaWG has changed the headers of all packets:
handshake packet (Initiator to Responder),
response packet (Responder to Initiator),
data packet, as well as the special packet "Under Load" - by default they are random values, but you can change them in the settings.
Random bytes are added to each auth packet to change its size.

Thus the "init and response packets" of the handshake additionally have "garbage" at the beginning of the data, the size of which is determined by the values S1 and S2. By default, the initiating handshake packet has a fixed size (148 bytes), and after adding garbage its size will be 148 bytes + S1. The values for each packet are different for different users, so it is impossible to write a universal rule for tracking. In order to completely confuse DPI systems, Amnezia sends a certain number of "garbage" packets before starting a session. The number of such packets and their minimum and maximum size in bytes are also set in the settings, by the parameters Jc, Jmin and Jmax.
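The description above (a 148-byte initiation that becomes 148 + S1 bytes, Jc junk packets of Jmin..Jmax bytes sent first, and a rewritable header that falls back to plain WireGuard when every parameter is left at its default) is easy to see in a toy model. The block below is an added example written for this thread, not code from AmneziaWG or from the post above; it does not reproduce the real AWG wire format, only the described behaviour for the initiation packet (S2 and the response packet are left out). The field layout used to build the constructed 148-byte message, the header value H1 for the initiation type, and the naive DPI rule are assumptions made for the illustration.

```python
"""Toy model of the AmneziaWG obfuscation described in the thread.

Constructed example for illustration: not AmneziaWG's code, and not its
real wire format. It shows three things the description makes:
  * with all parameters at their defaults the output is plain WireGuard;
  * with S1 > 0 the initiation grows to 148 + S1 bytes and Jc junk packets
    of Jmin..Jmax bytes are sent first;
  * a naive DPI rule matching "148 bytes starting 01 00 00 00" then fails,
    while a peer that knows S1/H1 recovers the original message.
"""
import random
import struct
from typing import Dict, List, Optional, Tuple

# WireGuard handshake-initiation field sizes: type+reserved, sender index,
# ephemeral key, encrypted static, encrypted timestamp, mac1, mac2 = 148.
WG_INIT_FIELDS = (4, 4, 32, 48, 28, 16, 16)
WG_INIT_LEN = sum(WG_INIT_FIELDS)  # 148 bytes, as the post says
WG_TYPE_INIT = 1                   # plain WireGuard message type (AWG's H1 default)

# Assumed AWG-style parameters, all at their "behave like WireGuard" values.
DEFAULT_CFG: Dict[str, int] = dict(jc=0, jmin=0, jmax=0, s1=0, h1=WG_TYPE_INIT)


def wg_handshake_init(rng: random.Random) -> bytes:
    """Constructed 148-byte initiation: real 4-byte header, random body."""
    return struct.pack("<I", WG_TYPE_INIT) + rng.randbytes(WG_INIT_LEN - 4)


def awg_obfuscate_init(msg: bytes, s1: int, h1: int, rng: random.Random) -> bytes:
    """Model of the described transform: rewrite the header to H1 and prepend
    S1 junk bytes. With s1=0 and h1=1 the output is byte-identical to msg."""
    if len(msg) != WG_INIT_LEN:
        raise ValueError("expected a 148-byte initiation")
    return rng.randbytes(s1) + struct.pack("<I", h1) + msg[4:]


def awg_deobfuscate_init(pkt: bytes, s1: int, h1: int) -> Optional[bytes]:
    """Receiver side: strip S1 junk, check H1, restore the WireGuard header.
    Returns None if the packet does not match this peer's parameters."""
    if len(pkt) != WG_INIT_LEN + s1:
        return None
    body = pkt[s1:]
    if struct.unpack("<I", body[:4])[0] != h1:
        return None
    return struct.pack("<I", WG_TYPE_INIT) + body[4:]


def awg_junk_packets(jc: int, jmin: int, jmax: int, rng: random.Random) -> List[bytes]:
    """Jc random packets, each between Jmin and Jmax bytes long."""
    return [rng.randbytes(rng.randint(jmin, jmax)) for _ in range(jc)]


def naive_dpi_is_wg_init(pkt: bytes) -> bool:
    """The kind of fixed rule the post says cannot be written universally:
    exact length 148 and the fixed little-endian type header 01 00 00 00."""
    return len(pkt) == WG_INIT_LEN and pkt[:4] == struct.pack("<I", WG_TYPE_INIT)


def session_start(cfg: Dict[str, int], rng: random.Random) -> Tuple[bytes, List[bytes]]:
    """Everything a peer emits to open a session: Jc junk packets, then the
    (possibly obfuscated) initiation. Returns (plain_init, wire_packets)."""
    plain = wg_handshake_init(rng)
    wire = awg_junk_packets(cfg["jc"], cfg["jmin"], cfg["jmax"], rng)
    wire.append(awg_obfuscate_init(plain, cfg["s1"], cfg["h1"], rng))
    return plain, wire


def dpi_hits(packets: List[bytes]) -> int:
    """How many packets of a session start the naive rule would flag."""
    return sum(naive_dpi_is_wg_init(p) for p in packets)


if __name__ == "__main__":
    rng = random.Random(7)
    plain, wire = session_start(DEFAULT_CFG, rng)
    print("defaults:", len(wire), "packet(s), DPI hits:", dpi_hits(wire))
    obf = dict(jc=4, jmin=40, jmax=70, s1=15, h1=0x2A3B4C5D)
    plain, wire = session_start(obf, rng)
    print("obfuscated:", [len(p) for p in wire], "DPI hits:", dpi_hits(wire))
    print("peer recovers init:", awg_deobfuscate_init(wire[-1], 15, 0x2A3B4C5D) == plain)
```

The point of the second half of the model is the caveat a practitioner should keep in mind: the length and header rule fails, but everything it hides is a per-deployment constant. A DPI operator who learns a given server's S1 and H1 (or who classifies on timing and flow shape instead of the first four bytes) gets a rule back; the obfuscation raises the cost of a universal signature, it does not make the traffic indistinguishable.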

Well, if MikroTik uses the native kernel module instead of the user-space implementation of WireGuard, then probably less than 95% :slight_smile:

Interesting concept. If some routers can be set to recognize VLAN traffic and this rendition of WG avoids that detection, it would seem to have some value.

AmneziaWG also has a fork of the WireGuard Linux kernel module.

https://github.com/amnezia-vpn/amneziawg-linux-kernel-module

Differences are very small.

The link in the first post is not for AmneziaWG; the correct link is https://docs.amnezia.org/documentation/amnezia-wg/

My AV does not like your link!!

This link https://docs.amnezia.org/documentation/amnezia-wg/ ?
There is a short description of AmneziaWG on the page.
It is basically the same as what avacha wrote a couple of posts ago.

The main link is https://github.com/amnezia-vpn/amneziawg-linux-kernel-module
This is the source of the kernel module, based on the original WireGuard kernel module.

Keenetic added AmneziaWG support (the WireGuard advanced security configuration (ASC) parameters) to KeeneticOS in 4.2 Alpha 2. https://docs.keenetic.com/eaeu/ultra/kn-1810/en/6319-latest-development-release.html
It would be great if MikroTik did it too.

I'm with everyone who wants to see this feature added to RouterOS. What's more, if AmneziaWG already has a native kernel module, then porting it shouldn't take much time or resources. Honestly, I can't even begin to imagine how useful this would be in countries with authoritarian regimes.

There is also a way to tunnel WireGuard through other protocol obfuscation methods, e.g. Xray; it is possible to run it in a ROS container if the device has a powerful enough CPU. I have a setup in a container similar to this setup for Linux - https://computerscot.github.io/wireguard-over-xray.html. Xray runs in the container and forwards the port to WireGuard running in ROS, whose port is not even exposed to the WAN; there is only a dst-nat to Xray in the container, TCP 443. But it can also be used in combination: WireGuard exposed on input for direct connection, plus forwarding from Xray. This only works for WireGuard clients running on desktop OSes, since mobile OSes don't allow multiple VPNs running at the same time. Also, it should be possible to connect two ROS devices like that, one running the Xray server in a container, the other the Xray client…

+1 for this feature, really interested in it. It would be really cool if this protocol were supported natively.

+1
I want to support the initiative. The improvement doesn't look very complicated, but it will make it possible to bypass blocking.

+1
I’m also looking forward to native support.

+1
Very much needed.