Wireguard is working well, except for that minor winbox issue with the endpoint port. With how easy it was to set up, I totally get the Wireguard hype now. IPSEC has a frustrating amount of knobs to turn.
Between a couple hAP ac² routers, I was getting about 280 Mbps UDP. When I changed out one of those hAP ac² routers with an older RB951G-2HnD, I was getting about 75 Mbps. That’s probably better than I’d get out of IPSEC on the same device!
P.S. One thing I would really like to see in the new RouterOS v7 MPLS implementation is MPLS mangle for QoS purposes - specifically, “mark packet” and “set priority” actions for MPLS. Right now to do MPLS QoS on RouterOS we have to create a bunch of extra bridges and use bridge filters for QoS. A simple MPLS mangle table would allow us to get rid of those extra bridges.
Also, please add “set priority” to the IPv6 Mangle. We have to use bridge filters as a workaround for that too at the moment.
Here is the preliminary testing we have done on this version with two CHRs on ProxMox that are each on a different VLAN, with the CRS317 routing between the VLANs.
This is a very quick UDP test; we will do more work using TCP with a traffic generator and iperf3.
I have no problem pushing ~9.3Gbit/s IPv4 in a single thread using iperf3 between two hosts routed on the CRS317 with L3 offloading enabled. IPv6 is, as expected, another story - it gives me ~370Mbit/s.
You’d be a fool to reimplement it yourself. Have a look at the Wireguard site and code and see for yourself how carefully it’s been developed. Mikrotik would/might have only done some interface changes to make it work the ROS way.
OpenVPN UDP still broken in this release.
For anyone else wondering, 7.0beta5 is the latest version that has OpenVPN UDP working. 7.1beta1 and 7.1beta2 both have kernel crashes when you attempt to use it.
I reported it to Mikrotik and it has been acknowledged but it seemingly did not make it into this release.
Are there any examples of how to configure wireguard as a client on mikrotik? I’d like to connect my mikrotik router to an existing wireguard server. Also, while setting up the peer endpoint, are only IP addresses allowed? Can’t I use a domain name?
When you don’t like that, just don’t turn the knobs!
It is always easy (at least at first) to create something as a single supplier and focus on a single use-case, and make it look simple. Look at Microsoft Windows.
But as more and more features are added (e.g. multiple different encryption methods, as in IPsec), it becomes more complicated over time.
See how it went with OpenVPN, that was also simple at first but got more complicated on the way, especially because there was little forethought on how to accommodate future flexibility in the initial protocol.
IMHO the same will happen with wireguard.
In IPsec it happened right from the start because lots of options for lots of selections were there all the time. But without that, it would have been even more difficult to introduce stronger encryption and hashing protocols, for example.
One thing that needs to be done is to allow Wireguard to use FQDN instead of just IP addresses. For two reasons, basically:
Not everyone has a static IP
With IPv6, DNS names will make a huge difference. So much easier to remember and to check the spelling…
Yes, yes, I know. Wireguard doesn’t do FQDNs. It doesn’t matter: just put the name on the configuration, and do a DNS lookup at connection time. Exactly like we have with IPSEC today.
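The "client" setup asked about a few posts up, together with the "put the name in the configuration and resolve it at connection time" workaround described just above, written out as an added RouterOS v7 example. This is not code from any of the posters or from MikroTik; the interface name `wg-client`, the hostname `vpn.example.com`, the peer comment `vpn-server`, the 10.66.66.0/24 tunnel addresses, the 192.168.50.0/24 remote network, the listen and endpoint ports and the `<server-public-key-base64>` placeholder are all assumptions to be replaced with your own values.

```routeros
# Added example, not from the forum thread. All names, addresses and keys below are placeholders.

# 1. The WireGuard interface. RouterOS v7 generates a private key when none is given;
#    read it back with /interface/wireguard print and paste the matching public key
#    into the server's peer entry.
/interface/wireguard add name=wg-client listen-port=13231 comment="client side"

# 2. The peer is the existing WireGuard server. On this release endpoint-address only takes
#    an IP, so seed it with whatever the name resolves to right now ([:resolve] runs a DNS
#    lookup in the console). allowed-address=0.0.0.0/0 lets any source IP come back through
#    the tunnel; narrow it to the server-side networks if you do not need a default route.
/interface/wireguard/peers add interface=wg-client comment="vpn-server" \
    public-key="<server-public-key-base64>" \
    endpoint-address=[:resolve "vpn.example.com"] endpoint-port=51820 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s

# 3. Tunnel address and a route for the network that should travel through the tunnel.
/ip/address add address=10.66.66.2/24 interface=wg-client
/ip/route add dst-address=192.168.50.0/24 gateway=wg-client

# 4. Script body for /system/script (name it wg-endpoint-refresh, paste this as its Source).
#    It re-resolves the name and rewrites the peer only when the address actually changed,
#    so a stable endpoint never gets needlessly reset.
:local host "vpn.example.com"
:local peer [/interface/wireguard/peers find comment="vpn-server"]
:do {
    :local newIp [:tostr [:resolve $host]]
    :local curIp [:tostr [/interface/wireguard/peers get $peer endpoint-address]]
    :if ($newIp != $curIp) do={
        /interface/wireguard/peers set $peer endpoint-address=$newIp
        :log info ("wg-client: endpoint for " . $host . " changed " . $curIp . " -> " . $newIp)
    }
} on-error={
    # A failed lookup (DNS down, WAN flapping) must not wipe the endpoint we already have.
    :log warning ("wg-client: could not resolve " . $host . ", keeping " . \
        [/interface/wireguard/peers get $peer endpoint-address])
}

# 5. Run the script every five minutes; shorten the interval if the server's IP changes often.
/system/scheduler add name=wg-endpoint-refresh interval=5m on-event=wg-endpoint-refresh
```

Two things worth knowing before relying on this. First, the DNS answer is not authenticated, but that only matters for availability: the peer's `public-key` pins who the other end must be, so a spoofed answer sends the handshake to a host that cannot complete it and the tunnel simply stays down until the next refresh, which is why the `on-error` branch keeps the last known address rather than clearing it. Second, later RouterOS v7 releases accept a DNS name in `endpoint-address` directly; check `/interface/wireguard/peers` on the version you run, and if it takes a hostname there, drop the script and scheduler and let the router do the resolving.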