Have a CCR1009 at the centre right now, CCR1036 will be going back soon, not a large difference between them VPN wise.
6 sites connecting to the primary router, the sites are using a variety of internet connections. Some DHCP that frequently change IPs, some DHCP that rarely change, some CGNAT, plus some road-warrior connections. CCR1009, RB750Gr3, and RBD52G-5HacD2HnD-TC at the sites.
Currently using L2TP with encryption disabled (SSTP as backup if L2TP won't connect) to try and get some more speed out of it, but the maximum data transfer is ~150 Mbps. ~30 Mbps between sites.
Which VPN technology should I be using to get the best transfer rates between Mikrotik routers?
If it is L2TP/IPSec I’ll dig into the configurations to figure out what is slowing it down but wanting to make sure I’m starting out correctly.
I'll go out on a limb and say Wireguard. You can probably just barely beat it with IPsec if both sides are hw accelerated. But as soon as you add a client without hw acceleration or other compromising variables, Wireguard is likely to beat it.
Now it may not have the features you want. But that's another story.
Since you have TILE architecture, I would use IPSEC with AES-CTR/128 and SHA256, which is compatible with all of the devices you mentioned. The devices you have are not so powerful with WG, too little CPU, that is the reason I strongly suggest using IPSec.
All of the devices you have listed support this IPSEC encryption in hardware.
I would do:
L2TPv3/udp
sha1+4byte cookie
MTU 1400
MRU 1500/1492, just try which works better since you have pppoe.
From the configuration now, those L2TP settings are a minor change, will try making those changes overnight tonight. Any advice on MRRU? Currently have it set at 1600, my understanding is that it will make multiple transparent sessions so that 1500 MTU packets will appear as not fragmented.
WireGuard is possible, if it is best, but a significant configuration change.
Not sure where this comes from?
I have tested HW offloaded IPSEC between a couple of Mikrotik devices capable of using IPSEC HW offload and each time WG came out on top.
For me WG is also a lot easier to setup, IPSEC just doesn't "wire" with me (I do have a couple of IPSEC connections to Azure environments so I know how it needs to be done for that type of thing).
This comes from the fact that you should have read carefully the initial post. With the devices that the user has, IPsec with hardware offload is 100% the better choice. Their CPUs are too small to successfully handle WG under medium traffic.
IPsec is really easy when you understand its logic. L2TP+IPsec is also really straightforward.
I suspect there are some other config things in the shadow. Did you use MRRU? If yes, you fragment packets in the CPU that don't fit the tunnel MTU. Did you measure the correct MTUs to prevent fragmentation?
I'm using L2TPv2 with IPSec on RB4011s and the site2site rate is above 300Mbps, just for comparison. Without IPSec it hits way more. I have a hEX also, and it can deliver easily n x 100Mbps with raw L2TPv2. Again, without encryption.
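The MTU 1400 / MRU 1492 / MRRU advice above comes down to encapsulation arithmetic: every tunnelled packet has to fit the uplink MTU after L2TP, ESP and (with CGNAT) NAT-T headers are added, and padding makes the result step-wise rather than linear. The model below is an added illustration for this thread, not code from any poster or from MikroTik. It assumes the usual RouterOS stack of L2TP inside IPsec transport mode with NAT-T, a 2-byte PPP header inside both L2TPv2 and L2TPv3 frames, a 4-byte L2TPv3 cookie, and standard header sizes; multilink PPP fragment headers are ignored, and a given RouterOS build may add fields (sequence numbers, sublayers) that shift the numbers by a few bytes.

```python
"""Encapsulation-overhead model for L2TP over IPsec (transport mode) on a
PPPoE uplink: which inner MTU still fits the outer link unfragmented.

Added illustration, not MikroTik code. Header sizes are the standard
protocol values; a real RouterOS build may differ by a few bytes.
"""
from dataclasses import dataclass
from math import ceil

# Standard header sizes in bytes.
IPV4_HDR = 20
UDP_HDR = 8
PPPOE_HDR = 8          # 6-byte PPPoE header + 2-byte PPP protocol id on the uplink
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
NAT_T_UDP = 8          # UDP/4500 encapsulation, present whenever NAT (e.g. CGNAT) is in the path
L2TPV2_HDR = 6         # flags/version + tunnel id + session id, no sequence numbers
L2TPV3_UDP_HDR = 12    # flags/version + session id + 4-byte cookie (assumed cookie length)
PPP_HDR = 2            # PPP protocol field of the tunnelled frame (assumed for both versions)


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv_len: int    # bytes of IV carried in front of the ESP payload
    icv_len: int   # bytes of integrity check value at the end
    align: int     # (payload + padding + trailer) must be a multiple of this


# AES-CTR carries an 8-byte IV and needs only 4-byte alignment (RFC 3686);
# HMAC-SHA-256 in ESP uses a 128-bit truncated ICV (RFC 4868).
AES_CTR_SHA256 = EspSuite("aes-ctr/sha256", iv_len=8, icv_len=16, align=4)
# AES-CBC pads to the 16-byte block size; HMAC-SHA-1-96 ICV is 12 bytes.
AES_CBC_SHA1 = EspSuite("aes-cbc/sha1", iv_len=16, icv_len=12, align=16)


def esp_padding(payload_len: int, suite: EspSuite) -> int:
    """Padding bytes ESP inserts before the 2-byte trailer."""
    return (-(payload_len + ESP_TRAILER)) % suite.align


def esp_len(payload_len: int, suite: EspSuite) -> int:
    """Total ESP length: header, IV, payload, padding, trailer, ICV."""
    return (ESP_HDR + suite.iv_len + payload_len
            + esp_padding(payload_len, suite) + ESP_TRAILER + suite.icv_len)


def wire_len(inner_len: int, suite: EspSuite, *, nat_t: bool = True,
             pppoe: bool = True, l2tp_version: int = 2) -> int:
    """Bytes one tunnelled IP packet occupies on the uplink.

    Stack modelled: [PPPoE] IPv4 [UDP 4500] ESP( UDP 1701, L2TP, PPP, inner IP ).
    """
    l2tp_hdr = L2TPV2_HDR if l2tp_version == 2 else L2TPV3_UDP_HDR
    esp_payload = UDP_HDR + l2tp_hdr + PPP_HDR + inner_len
    total = IPV4_HDR + (NAT_T_UDP if nat_t else 0) + esp_len(esp_payload, suite)
    return total + (PPPOE_HDR if pppoe else 0)


def max_inner_mtu(outer_mtu: int, suite: EspSuite, **stack) -> int:
    """Largest inner packet that fits outer_mtu without fragmentation.

    Padding makes wire_len step-wise rather than linear, so search downwards.
    """
    inner = outer_mtu
    while wire_len(inner, suite, **stack) > outer_mtu:
        inner -= 1
    return inner


def multilink_cost(packet_len: int, link_mtu: int, suite: EspSuite, **stack):
    """Fragments and total uplink bytes when MRRU admits a packet larger than
    the link MTU: multilink PPP splits it in software and every fragment pays
    the full encapsulation overhead. (MP fragment headers are ignored.)"""
    n = ceil(packet_len / link_mtu)
    sizes = [link_mtu] * (n - 1) + [packet_len - link_mtu * (n - 1)]
    return n, sum(wire_len(s, suite, **stack) for s in sizes)


if __name__ == "__main__":
    for suite in (AES_CTR_SHA256, AES_CBC_SHA1):
        for outer in (1500, 1492):
            print(f"{suite.name:>16} outer {outer}: max inner MTU "
                  f"{max_inner_mtu(outer, suite)}")
    print("inner 1400 over PPPoE with aes-ctr/sha256:",
          wire_len(1400, AES_CTR_SHA256), "bytes on the wire")
    print("MRRU 1600, link MTU 1400, 1500-byte packet:",
          multilink_cost(1500, 1400, AES_CTR_SHA256))
```

Under these assumptions a 1400-byte inner packet leaves the PPPoE uplink at 1488 bytes with AES-CTR/SHA256, just inside 1492, while the same packet with AES-CBC/SHA1 comes out at 1496 and gets fragmented; that is why the cipher choice and the MTU question are not independent. Letting MRRU 1600 carry a 1500-byte packet over a 1400-byte link turns it into two encapsulated fragments totalling 1676 uplink bytes, all assembled and split by the CPU, which is the cost the MRRU question above is really asking about.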
OpenVPN for compatibility between devices and network setups (i.e. home user, different ISP). Running it on UDP offers a fair amount of speed boost compared to old ROS6 where we were limited to TCP only.
Both have use cases and limitations, for example:
OpenVPN: you can use a DHCP server
WireGuard: requires setting a static IP in your configs per user/device
I have tried these devices in the field since we have them in our network. WG will suffer a lot on TILE because of the single low-freq TILE processor… I gave my advice that is proven in the field. We connect remote branches via IPsec HW offload using devices similar to the OP's and I suggested the right solution from my point of view.
I am not a fan of WG, especially on older devices with lower tier CPUs, and I love the way HW offloaded IPsec works. Everywhere I have IPSEC offload capacity, I choose IPSEC.