Feature Request: Junk Packet Options for WireGuard in RouterOS

I am writing from Iran, where internet restrictions are quite severe and network filtering is becoming increasingly aggressive. Many users rely on MikroTik devices to stay connected and maintain privacy, especially by using VPN technologies like WireGuard.

I would like to request the addition of the following options to the WireGuard interface in RouterOS:

junk-packet-count

junk-packet-min-size

junk-packet-max-size

These options would allow users to inject obfuscated dummy traffic into WireGuard tunnels, helping to reduce the detectability of WireGuard packets by deep packet inspection (DPI) systems and fingerprinting tools. It would greatly increase the protocol’s resilience in censored or hostile environments.

Such a feature would be a major improvement for users in countries with internet censorship, and I believe it could make MikroTik an even more valuable solution for freedom of access and secure communications.
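To show why WireGuard's fixed message layout is easy to fingerprint and what junk packets change, here is an added example (not part of the original posts, and not MikroTik or AmneziaWG code). It assumes the requested options would send junk-packet-count random payloads of junk-packet-min-size to junk-packet-max-size bytes ahead of the handshake; the flows are constructed sample data and all function names are hypothetical.

```python
import random
import struct

# Fixed sizes of WireGuard message types 1-3 (initiation, response, cookie).
WG_FIXED = {1: ("initiation", 148), 2: ("response", 92), 3: ("cookie", 64)}
WG_DATA_MIN = 32  # type 4: 16-byte header + 16-byte auth tag (empty keepalive)


def classify(payload: bytes) -> str:
    """Label one UDP payload the way a simple WireGuard fingerprint would."""
    if len(payload) < 4:
        return "other"
    # One type byte followed by three reserved zero bytes = little-endian u32.
    (msg_type,) = struct.unpack("<I", payload[:4])
    if msg_type in WG_FIXED and WG_FIXED[msg_type][1] == len(payload):
        return WG_FIXED[msg_type][0]
    if msg_type == 4 and len(payload) >= WG_DATA_MIN and len(payload) % 16 == 0:
        return "data"
    return "other"


def make_flow(junk_count=0, junk_min=0, junk_max=0, seed=1):
    """Constructed client-to-server payloads: optional junk, then a handshake."""
    # Assumption: junk is random bytes of random length sent before initiation.
    rng = random.Random(seed)
    def rand(n):
        return bytes(rng.getrandbits(8) for _ in range(n))
    junk = [rand(rng.randint(junk_min, junk_max)) for _ in range(junk_count)]
    initiation = struct.pack("<I", 1) + rand(144)  # 148 bytes total
    data = struct.pack("<I", 4) + rand(92)         # 96 bytes total
    return junk + [initiation, data]


def first_packet_rule(flow) -> bool:
    """Flag a flow only when its first payload is a handshake initiation."""
    return classify(flow[0]) == "initiation"


def any_packet_rule(flow, window=10) -> bool:
    """Flag a flow when an initiation appears in its first `window` payloads."""
    return any(classify(p) == "initiation" for p in flow[:window])


if __name__ == "__main__":
    plain = make_flow()
    junked = make_flow(junk_count=4, junk_min=40, junk_max=70)
    for name, flow in (("plain", plain), ("junked", junked)):
        print(name, [len(p) for p in flow], first_packet_rule(flow), any_packet_rule(flow))
```

Under these assumptions, junk ahead of the handshake changes what a first-packet rule sees, but the initiation message keeps its type field and 148-byte length, so a rule that inspects the first several payloads still matches.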

You can petition MikroTik to add support for AmneziaWG, which has the features you require. Or install it in a container. See this thread:

Hi, this script works in Russia, try it. Insert it into scheduler every 1 or 2 minutes.

:global Tx
:global Rx
/interface/wireguard/peers

:foreach i in=[find where disabled=no and responder!=yes] do={
  :local LocalTx [get $i tx]
  :local LocalRx [get $i rx]
  :local LastHandshake [get $i last-handshake]
  :if (([:tostr $LastHandshake] = "") or (($LastHandshake > [:totime "2m30s"]) and ($Rx->[:tostr $i] = $LocalRx))) do={
    :local rawHeader [:rndstr length=4 from=123456789abcdef]
    :local EndpointAddress [get $i endpoint-address]
    :local EndpointAddressIP $EndpointAddress
    :local EndpointAddressIP [get $i current-endpoint-address]
    :local name [get $i name]
    :local wgDstPort [get $i current-endpoint-port]
    :local interface [get $i interface]
    
    # Reset the outgoing (source) port at the interface level
    /interface wireguard set $interface listen-port=0
    :local srcport [/interface/wireguard/get $interface listen-port];

    :log info ("WG name is $name, EndpointAddress $EndpointAddress , LastHandshake $LastHandshake, LastTx " . $Tx->[:tostr $i] . ", CurrentTx $LocalTx, LastRx " . $Rx->[:tostr $i] . ", CurrentRx $LocalRx")
    :log info ("WG Currentinterface $interface, srcport $srcport, EndpointAddressIP $EndpointAddressIP, DstPort $wgDstPort")
    :log info ("Generating spam for RKN")
    set $i disabled=yes
    /tool traffic-generator stream remove [find]
    /tool traffic-generator packet-template remove [find]
    :delay 1
    /tool/traffic-generator/packet-template/add header-stack=mac,ip,udp,raw ip-dst=$EndpointAddressIP name=packet-template-wg raw-header=$rawHeader special-footer=no udp-dst-port=$wgDstPort udp-src-port=$srcport
    :delay 1
    /tool traffic-generator stream add disabled=no mbps=1 name=stream1 id=3 packet-size=1450 pps=0 tx-template=packet-template-wg
    :delay 1
    /tool traffic-generator quick duration=4
    :delay 1

    :log info ("Starting WG $EndpointAddress")
    set $i endpoint-address=$EndpointAddress
    set $i disabled=no
  }
  :set ($Tx->[:tostr $i]) $LocalTx
  :set ($Rx->[:tostr $i]) $LocalRx
}

tnx, I’ll try it out