Which VPN to connect 2 MikroTiks over WAN?

Dear experts,
I'm asking for advice on different VPN styles. I'm using two hAP ac3 units configured in the same way (basic config) with VLANs, one at my house and one at my parents'; there is a shared NAS to reach.

Until now I tested EoIP, GRE, IPIP, WireGuard and ZeroTier, but I'm open to any alternative to try; the connection must be encrypted and, if possible, available through NAT.
This is what I discovered testing the first 3 options:
EoIP:

  • is Layer 2 but could be used as Layer 3
  • supports packet fragmentation
  • 42 byte overhead
  • more than 1 tunnel allowed to the same device using a different ID
  • should be available through NAT
  • can be encrypted using IPSec

GRE:

  • is Layer 3
  • don't know if it supports packet fragmentation?
  • 24 byte overhead
  • can be encrypted using IPSec

IPIP:

  • is Layer 3 and supports just the IP protocol
  • packet fragmentation not supported
  • 20 byte overhead?
  • can be encrypted using IPSec

Is there any relevant advantage in adding an interface to the bridge (L2) vs. routing (L3) other than extending the VLAN?
Extra: should an EoIP interface added to the bridge be considered edge? Point-to-point?

Thanks!

WireGuard hands down, with SSTP backup connection (real easy with two MT devices).

Hi anav, why WireGuard?
AFAIK it has higher MTU overhead and is not hardware offloaded.

To take advantage of hardware acceleration choose a tunnel type that uses IPsec encryption with AES, but don't expect blazing speeds with the hAP ac³, though it'll definitely be much faster than WireGuard. Regarding EoIP, it's a LAN tunnel that transports Ethernet between two MikroTik routers (i.e. acting like a switch).

And in case you are using EoIP, be VERY careful adding it to a bridge with active (R)STP; it could mess things up really fast.

As was stated, WG will not be appreciably slower and it's SOOOOOOOOO much easier to set up, especially for a person not familiar with setting up IPsec.

Thanks to all!
@anav, WireGuard was, to me, much harder to configure than EoIP, for example; IPsec is just a password typed, super easy.
By the way, as soon as IPsec is enabled on EoIP/GRE/IPIP, the MTU is lowered again and performance is like WG, good enough for me.
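For the overhead and MTU points raised above, here is an added example (not from the thread) that turns the header sizes listed in the opening post into a safe interface MTU and TCP MSS clamp per tunnel, with and without IPsec. It assumes an IPv4 WAN with MTU 1500, that the RouterOS IPsec-secret option on a tunnel interface yields ESP in transport mode with AES-256-CBC and HMAC-SHA256-128 (16-byte IV, 16-byte ICV), and WireGuard's 60-byte overhead from its specification; RouterOS's own automatic MTU values may differ by a few bytes.

```python
WAN_MTU = 1500
IPV4_HDR = 20
TCP_IP_HDRS = 40  # IPv4 20 + TCP 20, used to derive an MSS clamp value

# Per-packet encapsulation overhead in bytes, outer IPv4 header included.
TUNNEL_OVERHEAD = {
    "eoip": 42,       # IPv4 20 + GRE with key 8 + inner Ethernet header 14 (thread's figure)
    "gre": 24,        # IPv4 20 + GRE 4 (thread's figure)
    "ipip": 20,       # IPv4 20 only (thread's figure)
    "wireguard": 60,  # IPv4 20 + UDP 8 + WireGuard data header 16 + Poly1305 tag 16
}

# ESP (RFC 4303) sizes for AES-CBC + HMAC-SHA256-128, the combination mentioned in the thread.
ESP_HDR, ESP_IV, ESP_TRAILER, ESP_ICV, AES_BLOCK = 8, 16, 2, 16, 16


def esp_overhead(plaintext_len, worst_case=False):
    """Bytes ESP adds around `plaintext_len` bytes of plaintext in transport mode.
    Padding aligns (plaintext + trailer) to the AES block size; worst_case assumes
    the maximum 15 bytes, the conservative figure an interface MTU should come from."""
    pad = AES_BLOCK - 1 if worst_case else (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK
    return ESP_HDR + ESP_IV + pad + ESP_TRAILER + ESP_ICV


def fits(tunnel, inner_len, ipsec=False, wan_mtu=WAN_MTU):
    """True if an inner packet of `inner_len` bytes leaves the WAN in one piece."""
    overhead = TUNNEL_OVERHEAD[tunnel]
    if not ipsec:
        return overhead + inner_len <= wan_mtu
    # Assumption: the IPsec secret protects the tunnel with transport-mode ESP, so
    # everything after the outer IPv4 header (tunnel header + inner packet) is ESP plaintext.
    plaintext = (overhead - IPV4_HDR) + inner_len
    return IPV4_HDR + plaintext + esp_overhead(plaintext) <= wan_mtu


def inner_mtu(tunnel, ipsec=False, wan_mtu=WAN_MTU):
    """Safe interface MTU: largest inner packet that fits even with maximum ESP padding."""
    overhead = TUNNEL_OVERHEAD[tunnel]
    if not ipsec:
        return wan_mtu - overhead
    return wan_mtu - overhead - esp_overhead(0, worst_case=True)


def mss_clamp(tunnel, ipsec=False, wan_mtu=WAN_MTU):
    """TCP MSS to advertise so full-size segments never depend on fragmentation."""
    return inner_mtu(tunnel, ipsec, wan_mtu) - TCP_IP_HDRS
```

`fits` shows why a 1500-byte LAN packet cannot cross any of these tunnels unfragmented, and `mss_clamp` gives the value a change-mss mangle rule would need so TCP traffic never relies on fragmentation (relevant for IPIP, which the opening post lists as not supporting it).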

Depends on a person's background and experience.

I spent some time testing 3 alternatives:

  • EoIP, MTU 1500, interface added to the bridge; not sure if the interface should be considered edge=no / point-to-point=yes, but the interface became "root port". For me it was the slowest solution.
  • GRE, MTU 1418, speedtest is around 50Mbps Down / 60Mbps Up
  • WireGuard, MTU 1432, speedtest is around 70Mbps Down / 80Mbps Up

Surprisingly, WireGuard seems to be the best performer!

In the constellation of those 3 options: expected.

Then you are doing something wrong if you get better speed with WireGuard than IPsec with hardware acceleration. Check the hAP ac³ IPsec single tunnel test result.

Not really, it means WireGuard is easy to set up the first time and it works great…

Haha, yeah, right?!

Sir @anav is always right, amen!
@Larsa, yeah, it sounds strange, but I have added CAKE to the WAN interface, which is "eating" most of the single core, + GRE interface + IPsec (AES-256-CBC + SHA256, still hardware offloaded) + route & routing rule + lower MTU… CPU power is reaching its limit; can't complain, by the way.

To be honest, at the first test comparing EoIP vs. GRE without IPsec vs. WireGuard (MTU 1412), GRE was way more stable in file transfer speed from a Windows PC to the NAS.
I will try IP-in-IP but open to any other solution suggested.

You still have some incorrect settings with those results. With the correct IPsec settings you should get at least 200 Mbps and the CPU usage should basically be zero with a hAP ac³ at both ends. What WAN speed does the ISP provide?

Btw, don’t run throughput tests with Cake enabled anyway.

There is also the option of L2TP/IPsec.
It performs well, and with the MRRU option it can provide 1500 byte MTU when properly configured (MLPPP fragmentation/reassembly).