just another vote for the fantastic wireguard kit..
+1 for wireguard.
Please don’t repeat the way you did with OpenVPN udp
Wireguard is very simple compared to Ovpn, if I’m not mistaken it’s only around 4000 lines of code.
He was writing about OpenVPN UDP support by Mikrotik and not about OpenVPN itself.
A good alternative for now is IKEv2, in the time waiting for Wireguard being implemented by Mikrotik.
@msatter I know what he meant; I should have been more clear about what I was trying to say. The reason Ovpn went the way it did is because MikroTik wrote their own implementation. With over a million lines of code in the open source implementation you can see how this would be an issue, but with the simplicity of wireguard even if they rewrite there should be no compatibility issues.
Implementation of something like https://github.com/burghardt/easy-wg-quick would be awesome.
This would allow secure and fast VPN client configuration using a simple QR code to scan.
Personally, I think that Wireguard is a bit of a joke, since it’s hardcoded to use ChaCha20. So basically all systems with AES in hardware become useless and have to do it in software. Great work there.
But what about low-end PCs, some said? Well… My Celeron N3150 ITX has AES-NI…
So bye bye all hardware offload.
https://www.wireguard.com/protocol/
https://www.reddit.com/r/WireGuard/comments/c7mjxg/does_wireguard_use_aesni/
But I have to give it that it looks really simple & nice to set up.
Wireguard is still faster than AES with offload on the same machine, CPU usage is low as well. The situation I could see this being an issue is with a lot of wireguard sessions, for the typical user needs there is no downside.
There’s good reason to skip AES-NI. It’s a speed limit. The lowly atom with AES-NI has the same performance as a 6 core i7 with AES-NI because that little component is a speed limit.
Wireguard is FAST with its ciphers. It’s basically as fast as AES-NI on modest hardware but if you throw a serious CPU at it, wireguard rips. A pair of modern i7 CPUs can run 10G over wireguard. There isn’t a single AES-NI hardware that can do 1/20 of that consistently.
Wireguard between two raspberry pi is faster than an AES-NI link on everything.
(I’ve done a lot of testing with wireguard, it’s next gen legit and makes AES-NI look like ‘MMX’…)
Nice comparison, literally lol’d
I’m actually more interested in understanding the actual benefits from a server perspective (Mikrotik Router), like the benefits on an ar9344 CPU (which doesn’t look like it has AES-NI alike instructions).
That is, if we ever get WireGuard in ROS… LOLO
I’m honestly more geared towards changing my install over time to another brand (and even use OpenWRT) and while I’m doing so, I’ve started resorting more and more to RasPi and Linux for all the stuff I want to do and eventually ROS can’t (DoH, WireGuard, etc.).
+1 for WireGuard!
Waiting for wireguard.npk or, at least, for an official statement…
+3 for wireguard
yes YES YES
this is a must
It’s good to see Wireguard is now “in-tree” on the latest kernel. It probably won’t help here from a technical perspective, as I believe RouterOS runs an old kernel, but from a support perspective Wireguard has some stability in the Linux community.
Is there an official position from Mikrotik about that?
I think the overwhelming opinion of the community is very positive about Wireguard. Is it something you are exploring? Committing to? Definitely not on the roadmap?
RouterOS v7 has v4.14, which is supported by wireguard-linux-compat for what it’s worth.
I find it hard to believe it hasn’t made it to some (Internal) alpha yet. The kernel module is basically free, the userspace/winbox glue should be trivial to implement.
+1 for WG support!
+1 for WireGuard support