I would love to run Wireguard on my Mikrotik and decided, with all the news spread across the forum, to combine some posts in a new thread.
Wireguard is an encrypted tunnel technology, started in 2016 but not 1.0 yet. Wireguard will probably replace OpenVPN, which is currently only partially supported by Mikrotik anyway.
It is already being adopted: easily available in Linux, VPN providers like AzireVPN support it, and open source routers like Ubiquiti and OpenWRT show good performance.
Mikrotik, being Linux based but closed source, will start supporting it in the future and it may end up in v7. V7 may be an April Fools' joke from 2014, but it may also be in development for more than 3 years, making the feature list very unpredictable at this point.
I did a quick forum review to get a basic timeline we can expect for Wireguard support.
Going by OpenVPN:
In 2004 the first forum request was made for OpenVPN support.
With release 3.0 came the partial implementation there is today, which was around 2007.
The first Wireguard request was around Jun 11, 2017.
This would mean that Mikrotik will probably release initial support around 2020.
I cannot imagine adding support before Wireguard reaches a stable release. Based on other similar requests, I think that Mikrotik instantly refuses to implement anything that is in alpha/beta stage.
And please use the reference implementation! I’m getting tired of Mikrotik’s re-implementations of software which introduce security bugs and miss important features.
Agree that MT should not implement it before it's stable, but coming with a request now is a good thing.
This will allow MT to test it and make sure it works fine when it's stable, and release it from day one.
Since many of you guys were awaiting a stable build for Wireguard, today we are even closer to that moment.
Yesterday Jason Donenfeld, lead developer, submitted the required patches for including Wireguard into mainline Linux kernels.
While it's too late to include it into Linux 4.19, which should arrive quite soon, we could see it in the next Linux kernel builds.
Guess it's time for Mikrotik developers to consider including Wireguard in a future release.
We want WPA3 support but also Wireguard support.
Just because it gets into the Linux kernel does not mean it is stable, nor is it ready for implementation. Let me quote their own website:
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We’re working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with “0.0.YYYYMMDD”, but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.
They are clearly warning AGAINST implementing their code right now. Also, it is agreeable that making one's own implementation is not really efficient. With this in mind, there is simply nothing that Mikrotik developers could do right now. I already advised to wait with the request because, for now, it is just a waste of everyone's time (including my own, when I have to repeatedly point out that Wireguard is barely in experimental stage).
Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there’s still a chance that Wireguard will be easily portable to older kernels.
I’ve been playing around with Wireguard recently and it’s so refreshingly simple and fast, it makes setup of a new VPN link so easy. And the fact it uses modern, fast crypto is great - I would love to see this in RouterOS so I can finally ditch ipsec with its huge complexity and outdated crypto.
And even though it won’t be hardware accelerated, chacha20-poly1305 is almost 4x faster than software AES on arm architecture!
After testing ipsec eoip tunnels with Mikrotik, I was disillusioned by the hw encryption performance. Not to mention the marketing hype and the missing reply regarding these issues put forth on the forum.
Although RouterOS 2.x-3.x was the thing, with the features required and needed in networking at that time, which gave popularity to this company, sadly that is not the case anymore. There is hardly any new implementation or revolution.
There is more momentum in other products. Now with x86 getting smaller, other router implementations are getting within reach.
For now it looks like the only realistic short-term implementation would be using a user mode daemon just like OpenVPN.
In fact the claims about requirement to have it in the kernel are quite hollow and do not add to the credibility of the developer.
I would appreciate a lot a Wireguard implementation in RouterOS.
The advantages that I see for my usage are:
it has a simpler VPN configuration
it should be faster than OpenVPN (in a single connection setup, where OpenVPN is mono-thread, I’m talking about the other endpoint which is on a Linux for me)