Community discussions

MikroTik App
 
go626201
just joined
Topic Author
Posts: 2
Joined: Thu Mar 07, 2019 11:52 am

Feature Request - Wireguard Protocol

Sun Jan 19, 2020 4:19 pm

Wireguard had been widely use by a lot of system. Speed Fast and stable for the vpn tunnel usage.
Cloudflare 1.1.1.1 Warp also using Wireguard as the tunnel for the argo tunnel.
 
alfredo
newbie
Posts: 42
Joined: Wed Jul 01, 2015 3:06 pm

Re: Feature Request - Wireguard Protocol

Mon Jan 20, 2020 8:45 am

+1 for WireGuard. This thing is fast! Also, much easier to deploy than OpenVPN.
 
dnordenberg
newbie
Posts: 36
Joined: Wed Feb 24, 2016 8:00 pm

Re: Feature Request - Wireguard Protocol

Mon Jan 20, 2020 7:03 pm

Would be really nice, bringing in some a fresh modern feeling and options...
Unfortunately to take full advantage of it you need a 5.6 kernel :(
Routeros 7 is on 4.14 as this is a super long LTS kernel. Wireguard just missed the 5.5 which is expected to be the next super long LTS kernel so for routeros we probably have to wait for the next super long LTS which include WG and that would probably be like 5.13-14 in 2 years :( And even after that it will probably take a while for mikrotik to adopt the new LTS kernel, they just adopted 4.14 which is already 2 years old so looking back it could be at least 2+2 years before we even see a WG kernel in routeros. If mikrotik don't decide to use the compat WG instead which could run on legacy kernels. I have no idea what the backside is of doing that instead of using a kernel with built in WG support...
 
Sob
Forum Guru
Forum Guru
Posts: 5611
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request - Wireguard Protocol

Tue Jan 21, 2020 3:49 am

If I understand it correctly, "compat" version of WG are simply backports to older kernels, so there shouldn't be any problem. Call me an optimist, but if WG continues to get popular, and if other things with RouterOS 7 go well, I believe that we can see WG in RouterOS before Christmas (yes, this year, but no, I probably wouldn't bet on it, my optimism has some limits ;)).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
User avatar
eworm
Long time Member
Long time Member
Posts: 613
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: Feature Request - Wireguard Protocol

Tue Jan 21, 2020 1:31 pm

The compat version (https://git.zx2c4.com/wireguard-linux-compat/) is the same as what goes into Linux 5.6, it's just the out-of-tree repository.
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
joda58
just joined
Posts: 1
Joined: Wed Nov 22, 2017 4:39 pm

Re: Feature Request - Wireguard Protocol

Wed Jan 22, 2020 4:48 pm

+1 for WireGuard.

Other routers are beginning to deliver...
I don't want to switch supplier.

/joda
 
go626201
just joined
Topic Author
Posts: 2
Joined: Thu Mar 07, 2019 11:52 am

Re: Feature Request - Wireguard Protocol

Wed Jan 22, 2020 7:39 pm

Hopefully ROS7 will include Wireguard within this year. :lol:
 
Wublide
just joined
Posts: 17
Joined: Sun Feb 18, 2018 11:00 pm

Re: Feature Request - Wireguard Protocol

Wed Jan 22, 2020 8:57 pm

it would be a dream because now i have a routerboard+raspberry(wireguard) for every single sites of my fullmesh vpn
 
Mulat
just joined
Posts: 6
Joined: Thu Nov 12, 2015 4:50 pm

Re: Feature Request - Wireguard Protocol

Sat Jan 25, 2020 1:50 pm

+1 for WireGuard.
 
User avatar
mozerd
Member
Member
Posts: 410
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Feature Request - Wireguard Protocol

Sat Jan 25, 2020 3:25 pm

it would be a dream because now i have a routerboard+raspberry(wireguard) for every single sites of my fullmesh vpn
Yes absolutely !!!
Dream along with me I am on the way to the STARS
 
User avatar
floaty
Member Candidate
Member Candidate
Posts: 189
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: Feature Request - Wireguard Protocol

Sat Jan 25, 2020 9:38 pm

I'm in.
+1 for WireGuard.
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
erkexzcx
just joined
Posts: 15
Joined: Mon Oct 07, 2019 11:42 pm

Re: Feature Request - Wireguard Protocol

Sun Jan 26, 2020 11:48 am

+1. I also do have additional SBC next to Mikrotik router just for Wireguard VPN server.
 
User avatar
DmitryAVET
Member Candidate
Member Candidate
Posts: 100
Joined: Thu Mar 26, 2015 12:27 am
Location: Ukraine, Mukachevo
Contact:

Re: Feature Request - Wireguard Protocol

Sun Jan 26, 2020 3:58 pm

+1 for Wireguard https://www.wireguard.com/

MikroTik don't ignore us...

Keenetic allready have support WireGuard
https://help.keenetic.com/hc/ru/article ... eGuard-VPN
 
EchelonCA
just joined
Posts: 4
Joined: Thu May 10, 2018 4:54 am

Re: Feature Request - Wireguard Protocol

Tue Jan 28, 2020 6:00 pm

+1. The versatility that comes with wireguard, especially with roaming connections (i.e. swapping back and forth between mobile and wireless) is extremely useful, as well as the increased throughput provided by wireguard. It would be perfect to roll this in with rOS vs. having a separate appliance just to provide this functionality.
 
User avatar
eworm
Long time Member
Long time Member
Posts: 613
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: Feature Request - Wireguard Protocol

Wed Jan 29, 2020 10:43 am

Linus just pulled the net-next branch from David Miller, thus Wireguard is now upstream:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
Manage RouterOS scripts and extend your devices' functionality: RouterOS Scripts
 
User avatar
osc86
Frequent Visitor
Frequent Visitor
Posts: 93
Joined: Wed Aug 09, 2017 1:15 pm

Re: Feature Request - Wireguard Protocol

Wed Jan 29, 2020 6:12 pm

I really would like to have Wireguard Support in V7.
 
User avatar
rooted
Member Candidate
Member Candidate
Posts: 107
Joined: Tue Feb 04, 2020 5:58 pm

Re: Feature Request - Wireguard Protocol

Tue Feb 04, 2020 6:02 pm

+1 for wireguard, the performance can't be denied.
 
rooneybuk
just joined
Posts: 23
Joined: Fri Feb 20, 2015 12:09 pm

Re: Feature Request - Wireguard Protocol

Wed Feb 05, 2020 11:12 am

+1 for WireGuard.

I believe this is a must going forward for RouterOS 7 its is become a major player in the VPN space
 
ahtoh
just joined
Posts: 21
Joined: Fri Jan 25, 2013 3:10 pm

Re: Feature Request - Wireguard Protocol

Wed Feb 05, 2020 11:26 pm

Just bought another brand because Mikrotik is missing this feature.
https://www.gl-inet.com/products/gl-mv1000/
 
th0massin0
Member Candidate
Member Candidate
Posts: 148
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Feature Request - Wireguard Protocol

Fri Feb 07, 2020 2:46 pm

It would be more than great if we get only one tcp or udp vpn that using certs for encryption, service port could be changed and have windows client (may be third-party).
 
syadnom
Member
Member
Posts: 458
Joined: Thu Jan 27, 2011 7:29 am

Re: Feature Request - Wireguard Protocol

Sat Feb 15, 2020 1:12 am

just another vote for the fantastic wireguard kit..
 
User avatar
omidkosari
Trainer
Trainer
Posts: 634
Joined: Fri Sep 01, 2006 4:18 pm
Location: Iran , Karaj
Contact:

Re: Feature Request - Wireguard Protocol

Sun Feb 16, 2020 3:13 am

+1 for wireguard .
Please don't repeat the way you did with OpenVPN udp
MTCNA , MTCRE, MTCWE, Mikrotik Certified Trainer
 
User avatar
rooted
Member Candidate
Member Candidate
Posts: 107
Joined: Tue Feb 04, 2020 5:58 pm

Re: Feature Request - Wireguard Protocol

Sun Feb 16, 2020 5:41 am

+1 for wireguard .
Please don't repeat the way you did with OpenVPN udp
Wireguard is very simple compared to Ovpn, if I'm not mistaken it's only around 4000 lines of code.
 
msatter
Forum Guru
Forum Guru
Posts: 1715
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature Request - Wireguard Protocol

Sun Feb 16, 2020 12:09 pm

He was writing OpenVPN UDP support by Mikrotik and not about OpenVPN itself.

A good alternative for now is IKEv2, in the time waiting for Wireguard being implemented by Mikrotik.
One RB4011 (cooled) and a RB760iGS (hEX S) in series. The 4011 Does PPPoE/IKEv2.
The cooler: viewtopic.php?f=3&t=138613&start=300#p799879
Running:
RouterOS 6.47 / Winbox 3.24 / MikroTik APP 1.3.14
 
User avatar
rooted
Member Candidate
Member Candidate
Posts: 107
Joined: Tue Feb 04, 2020 5:58 pm

Re: Feature Request - Wireguard Protocol

Sun Feb 16, 2020 8:14 pm

@msatter I know what he meant I should have been more clear about what I was trying to say, the reason Ovpn went the way it did is because MikroTik wrote their own implementation. With over a million lines of code in the open source implementation you can see how this would be an issue, but with the simplicity of wireguard even if they rewrite there should be no compatability issues.
 
fflo
newbie
Posts: 27
Joined: Wed Jan 02, 2019 7:59 am

Re: Feature Request - Wireguard Protocol

Sun Feb 23, 2020 6:51 pm

Implementation of something like https://github.com/burghardt/easy-wg-quick would be awesome.

This would allow secure and fast VPN client configuration using a simple QR code to scan.
 
mada3k
Member Candidate
Member Candidate
Posts: 234
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Feature Request - Wireguard Protocol

Sun Feb 23, 2020 9:27 pm

Personally, I think that Wireguard is a bit of a joke, since it's hardcoded to use ChaCha20. So basiclly all systems with AES in hardware becomes useless and has to do it in software. Great work there.

But what about low-end PC's some said? Well... My Celeron N3150 ITX has AES-NI...

So bye bye all hardware offload.

https://www.wireguard.com/protocol/
https://www.reddit.com/r/WireGuard/comm ... use_aesni/

But I have to give it that looks really simple & nice to setup.
Manages some CCR's, RB750Gr3, RB922 and wAP's
 
User avatar
rooted
Member Candidate
Member Candidate
Posts: 107
Joined: Tue Feb 04, 2020 5:58 pm

Re: Feature Request - Wireguard Protocol

Mon Feb 24, 2020 12:59 am


So bye bye all hardware offload.
Wireguard is still faster than AES with offload on the same machine, CPU usage is low as well. The situation I could see this being an issue is with a lot of wireguard sessions, for the typical user needs there is no downside.
 
syadnom
Member
Member
Posts: 458
Joined: Thu Jan 27, 2011 7:29 am

Re: Feature Request - Wireguard Protocol

Mon Feb 24, 2020 5:08 am

There's good reason to skip AES-NI. It's a speed limit. The lowly atom with AES-NI has the same performance as a 6 core i7 with AES-NI because that little component is a speed limit.

Wireguard is FAST with it's ciphers. It's basically as fast as AES-NI on modest hardware but if you through a serious CPU at it, wireguard rips. A pair of modern i7 CPUs can run 10G over wireguard. There isn't a single AES-NI hardware that can do 1/20 of that consistently.

Wireguard between two raspberry pi is faster than an AES-NI link on everything.

(I've done a lot of testing with wireguard, it's next gen legit and makes AES-NI look like 'MMX'....
 
User avatar
rooted
Member Candidate
Member Candidate
Posts: 107
Joined: Tue Feb 04, 2020 5:58 pm

Re: Feature Request - Wireguard Protocol

Mon Feb 24, 2020 10:07 am


makes AES-NI look like 'MMX'....
Nice comparison, literally lol'd
 
User avatar
anthonws
newbie
Posts: 32
Joined: Sat Jan 09, 2016 6:46 pm

Re: Feature Request - Wireguard Protocol

Mon Feb 24, 2020 6:18 pm

I'm actually more interested in understanding the actually benefits from a server perspective (Mikrotik Router), like the benefits on a ar9344 CPU (which doesn't look like it has AES-NI alike instructions).

That is, *if* we ever get WireGuard in ROS.... LOLO

I'm honestly more geared towards changing my install over time to another brand (and even use OpenWRT) and while I'm doing so, I've started resorting more and more of RasbPI and Linux for all the stuff I want to do and eventually ROS can't (DoH, WireGuard, etc.).
 
justin0six
just joined
Posts: 1
Joined: Wed Oct 18, 2017 3:52 am

Re: Feature Request - Wireguard Protocol

Sun Mar 29, 2020 12:33 am

+1 for WireGuard!
 
nicolap
just joined
Posts: 2
Joined: Mon Sep 09, 2019 12:16 am

Re: Feature Request - Wireguard Protocol

Sun Mar 29, 2020 8:22 pm

Waiting for wireguard.npk or, at least, for an official statement...
 
Widmo
just joined
Posts: 2
Joined: Thu Sep 14, 2017 2:02 am

Re: Feature Request - Wireguard Protocol

Tue Mar 31, 2020 12:45 am

+3 for wireguard
 
mikrotiknoobfromeu
just joined
Posts: 7
Joined: Fri Jul 12, 2019 10:44 pm

Re: Feature Request - Wireguard Protocol

Tue Mar 31, 2020 12:49 am

yes YES YES
this is a must
 
rooneybuk
just joined
Posts: 23
Joined: Fri Feb 20, 2015 12:09 pm

Re: Feature Request - Wireguard Protocol

Tue Mar 31, 2020 11:30 am

Its good to see Wireguard is now "in-tree" on the latest kernel probably won't help here from a technical perspective as I believe RouterOS runs an old Kernel but from a support perspective Wireguard has some stability in the Linux community.

https://arstechnica.com/gadgets/2020/03 ... ux-kernel/
 
atakacs
newbie
Posts: 35
Joined: Mon Mar 07, 2016 5:39 pm

Re: Feature Request - Wireguard Protocol

Tue Mar 31, 2020 11:33 pm

Is there official position from Mikrotik about that ?

I think the overwhelming opinion of the community is very positive about Wireguard. Is it something you are exploring ? commiting to ? definitely not on the roadmap ?
 
Quasar
just joined
Posts: 20
Joined: Sun Oct 05, 2014 1:11 pm

Re: Feature Request - Wireguard Protocol

Fri Apr 03, 2020 1:53 pm

Its good to see Wireguard is now "in-tree" on the latest kernel probably won't help here from a technical perspective as I believe RouterOS runs an old Kernel but from a support perspective Wireguard has some stability in the Linux community.

https://arstechnica.com/gadgets/2020/03 ... ux-kernel/
RouterOS v7 has v4.14, which is supported by wireguard-linux-compat for what it's worth.

I find it hard to believe it hasn't made it to some (Internal) alpha yet. The kernel module is basically free, the userspace/winbox glue should be trivial to implement.
 
d3m0
newbie
Posts: 31
Joined: Mon May 31, 2010 10:21 am

Re: Feature Request - Wireguard Protocol

Sat Apr 04, 2020 11:57 am

+1 for WG support!
 
TORNADO
just joined
Posts: 2
Joined: Tue Nov 18, 2008 10:38 am

Re: Feature Request - Wireguard Protocol

Thu Apr 09, 2020 2:49 pm

+1 for WireGuard support
 
IGHOR
just joined
Posts: 3
Joined: Tue Oct 21, 2014 12:36 am

Re: Feature Request - Wireguard Protocol

Sat Apr 11, 2020 2:30 pm

+100 for Wireguard support
 
HotBlock
just joined
Posts: 11
Joined: Sun Apr 16, 2017 12:30 pm

Re: Feature Request - Wireguard Protocol

Sat Apr 11, 2020 11:00 pm

+1
Please support Wireguard
 
seriosha
just joined
Posts: 3
Joined: Tue Dec 19, 2017 5:25 am

Re: Feature Request - Wireguard Protocol

Sat Apr 11, 2020 11:55 pm

In one of the podcasts, Mikrotik said that he would not implement Wireguard Protocol. I can find it if necessary.
 
User avatar
mozerd
Member
Member
Posts: 410
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Feature Request - Wireguard Protocol

Wed Apr 15, 2020 1:41 pm

Rethinking VPN: Tailscale startup packages Wireguard with network security
A whole bunch of tunnels': Mesh networking with per-node permissions and OAuth security
.....
Tailscale's product includes several pieces. First, it's based on peer-to-peer VPNs rather than piping all VPN traffic through a single concentrator. WireGuard security uses public keys. One endpoint can connect to another if it knows the public key and the UDP endpoint (IP address and port) to connect to. Tailscale maintains a database of endpoints on its server, so that when client A needs to talk to client B, it fetches the endpoint details and then makes a direct connection. Tailscale calls this a mesh network.
.....
According to Pennarun, the company was initially more interested in network security than VPNs. An early customer, a bank, wanted to secure a old but critical Windows application, and rather than updating it to use two-factor authentication, he proposed: "Why not move the server into its own little network, so that people can only access that network after they've done two-factor authentication? That was the origin of building this tool. It wasn't intended as a remote access VPN, it was intended as a local access VPN. We did base it on WireGuard because WireGuard was an efficient data plane for their system. It turned out that the core thing we build, this multi-point VPN, was applicable to all sorts of other problems.
 
mhoungbo
just joined
Posts: 7
Joined: Wed Apr 11, 2012 4:04 pm

Re: Feature Request - Wireguard Protocol

Sat Apr 18, 2020 11:15 pm

Please, implement support of WireGuard.
 
petertosh
newbie
Posts: 36
Joined: Wed Mar 21, 2018 9:42 am

Re: Feature Request - Wireguard Protocol

Mon Apr 20, 2020 12:36 am

While I could use WG on a raspberrypi4, it would be so nice to have it in my CCR1009. Current experience with WG is extremely positive, compared to OpenVPN for LAN-LAN-connections.
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1871
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: Feature Request - Wireguard Protocol

Mon Apr 20, 2020 9:57 am

Mikrotik have the development smarts to cleanly integrate WireGuard into RouterOS, and now that it has been mainlined I would not be surprised if we see it in the very near future.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
User avatar
floaty
Member Candidate
Member Candidate
Posts: 189
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: Feature Request - Wireguard Protocol

Mon Apr 20, 2020 2:55 pm

Mikrotik have the development smarts to cleanly integrate WireGuard into RouterOS, and now that it has been mainlined I would not be surprised if we see it in the very near future.
.
hear hear
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
User avatar
manuzoli
Frequent Visitor
Frequent Visitor
Posts: 69
Joined: Mon Oct 03, 2016 6:47 pm

Re: Feature Request - Wireguard Protocol

Fri Apr 24, 2020 2:58 pm

+1 for Wireguard - keep RouterOS as awesome as it is!
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24609
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature Request - Wireguard Protocol

Fri Apr 24, 2020 3:14 pm

nz_monkey is spot on
No answer to your question? How to write posts
 
netbus
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Mon Sep 04, 2017 12:42 pm

Re: Feature Request - Wireguard Protocol

Fri Apr 24, 2020 3:43 pm

Since it's already reached Version 1.0
+1 for Wireguard
 
User avatar
Cha0s
Forum Veteran
Forum Veteran
Posts: 987
Joined: Tue Oct 11, 2005 4:53 pm

Re: Feature Request - Wireguard Protocol

Fri Apr 24, 2020 3:57 pm

nz_monkey is spot on
Is this an subtle acknowledgement that you are working on it? :D
 
richardtrip
just joined
Posts: 3
Joined: Tue Nov 27, 2012 2:19 pm

Re: Feature Request - Wireguard Protocol

Fri Apr 24, 2020 4:08 pm

nz_monkey is spot on
Is this an subtle acknowledgement that you are working on it? :D
Of course it is... We just don't know when. Waiting impatiently :-)

Verstuurd vanaf mijn MI 9 met Tapatalk

 
Paternot
Forum Veteran
Forum Veteran
Posts: 709
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Feature Request - Wireguard Protocol

Fri Apr 24, 2020 4:09 pm

nz_monkey is spot on
Is this an subtle acknowledgement that you are working on it? :D
I wouldn't call it "subtle"...
It is logic, after all. It works, is easy to use and (now) was accepted in the kernel tree. But it may take some time - they already have their hands full with RoS 7.
 
Jamesits
just joined
Posts: 24
Joined: Thu Jul 13, 2017 10:15 am

Re: Feature Request - Wireguard Protocol

Sat Apr 25, 2020 12:24 pm

Wireguard is a design disaster in every aspect if used on a router. I'm going to name some:

1. You can't just route packets across a wireguard tunnel using the routing table (which is the base of every router), but you have to have some sort of "key" attached to that route. All the dynamic routing thing will just fail. Plus you can't dynamically attach the key to a route at least in the official version of wireguard. (Well, you can provision a tunnel for every device pair but...)

2. No PKI or external AAA support. Since you are going to provision a lot tunnels and there are no "templates" or PKI available, you'll be going to manually add config for **every device**.

3. No support for packet types other than IPv4/IPv6. This means no MPLS support at all.

I would rather go for a better IPSec VTI implementation or ZeroTier integration.
 
rooneybuk
just joined
Posts: 23
Joined: Fri Feb 20, 2015 12:09 pm

Re: Feature Request - Wireguard Protocol

Sat Apr 25, 2020 1:11 pm

Wireguard is a design disaster in every aspect if used on a router. I'm going to name some:

1. You can't just route packets across a wireguard tunnel using the routing table (which is the base of every router), but you have to have some sort of "key" attached to that route. All the dynamic routing thing will just fail. Plus you can't dynamically attach the key to a route at least in the official version of wireguard. (Well, you can provision a tunnel for every device pair but...)

2. No PKI or external AAA support. Since you are going to provision a lot tunnels and there are no "templates" or PKI available, you'll be going to manually add config for **every device**.

3. No support for packet types other than IPv4/IPv6. This means no MPLS support at all.

I would rather go for a better IPSec VTI implementation or ZeroTier integration.
I currently used wireguard with VYOS and they seem to achieve this without a problem, I'm currently creating a wireguard tunnel to another provider (2 actually) and negotiating BGP over those.

https://vyos.readthedocs.io/en/latest/v ... guard.html

This is my workaround until Mikrotik implements this feature.
 
User avatar
mozerd
Member
Member
Posts: 410
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Feature Request - Wireguard Protocol

Sat Apr 25, 2020 3:15 pm

Wireguard is a design disaster in every aspect if used on a router. I'm going to name some:
Yes WireGuard does VPN a little differently -- actually a LOT differently. There is the Old way and now the NEW WireGuard way.

Yes, there is The Classic Solutions of Routing
BUT now there is
The New Namespace Solution .... and Yes it does take a little getting used to and from MY perspective its KISS.

Routing & Network Namespace Integration

Ordinary Containerization

Routing All Your Traffic

The Classic Solutions

The New Namespace Solution

Learning the new way is the future. :-)

RESISTANCE is futile !!! 100% guaranteed.
 
syadnom
Member
Member
Posts: 458
Joined: Thu Jan 27, 2011 7:29 am

Re: Feature Request - Wireguard Protocol

Sat Apr 25, 2020 4:27 pm

and you can always run a GRE tunnel across wg if you need other protocols, but I don't think that's widely needed.

wg offers a next-gen very capable vpn for road warriors which is probably the main reason for so many requests. Not to say that's the only use, but that's a big one and it suits that role very well.
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1871
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: Feature Request - Wireguard Protocol

Mon Apr 27, 2020 2:06 pm

Wireguard is a design disaster in every aspect if used on a router. I'm going to name some:
It's horses for courses. WireGuard is extremely _SIMPLE_, it allows reliable connectivity from devices that roam networks, it is easy to audit, has low overhead and performs well on a wide range of devices.

I would rather go for a better IPSec VTI implementation or ZeroTier integration.
I agree, IPSEC VTI is needed in RouterOS but it has a different use-case to WireGuard. IPSEC VTI is the industry standard and will allow integration with a wide variety of other vendors.

ZeroTier is very cool, but I am not sure how Mikrotik would go with the legal side of integrating it.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
User avatar
rooted
Member Candidate
Member Candidate
Posts: 107
Joined: Tue Feb 04, 2020 5:58 pm

Re: Feature Request - Wireguard Protocol

Tue Apr 28, 2020 6:53 am

Thanks for the update @normis, it's great to know.
 
syadnom
Member
Member
Posts: 458
Joined: Thu Jan 27, 2011 7:29 am

Re: Feature Request - Wireguard Protocol

Tue Apr 28, 2020 7:42 pm

IPSEC VTI would also be welcome, but wireguard solves shortcomings in nat traversal and connectivity that no other VPN tech does. wireguard can roam seamlessly as end users switch networks without dropping for example. It doesn't care about the IP addresses packets are coming from and will update the destination to send packets to match the source address the last packet came from. I've tested this using PCC to send packets out different WANs and wireguard doesn't miss a beat.

I don't want to discount IPSEC VTI as that would be a very very good add... but I've lived without that using mikrotik for so long I don't really 'miss' it. On the other hand, mikrotik as the endpoint for road warrior VPNs is a complete fail right now for me as the only remotely reliable option is SSTP over TCP or OpenVPN over TCP. I run separate OpenVPN boxes behind my 'tiks for this. Integrated Wireguard would be immensely valuable for me.
 
gsbiz
just joined
Posts: 3
Joined: Sat Nov 17, 2018 5:18 pm

Re: Feature Request - Wireguard Protocol

Tue Apr 28, 2020 8:24 pm

+1 for Wireguard
 
dashkhaneh
just joined
Posts: 1
Joined: Tue Apr 28, 2020 9:59 pm

Re: Feature Request - Wireguard Protocol

Tue Apr 28, 2020 10:00 pm

+1 for Wireguard
 
dcavni
just joined
Posts: 22
Joined: Sun Mar 31, 2013 6:02 pm

Re: Feature Request - Wireguard Protocol

Wed Apr 29, 2020 7:40 pm

+1 Here also. Now i'm running wireguard on SBC behind Mikrotik.
 
ipcsolutions
just joined
Posts: 2
Joined: Fri Aug 07, 2015 1:58 am

Re: Feature Request - Wireguard Protocol

Thu Apr 30, 2020 4:57 am

+1 from me. Wireguard is fantastic for what I am doing
 
icsterm
newbie
Posts: 46
Joined: Sun Mar 11, 2018 11:11 pm

Re: Feature Request - Wireguard Protocol

Sun May 03, 2020 1:12 pm

+1 for Wireguard, it's the future of VPN, simplicity and high performance.
 
samael
just joined
Posts: 9
Joined: Tue Jan 01, 2008 1:57 pm
Location: Italy

Re: Feature Request - Wireguard Protocol

Mon May 04, 2020 11:20 pm

+1 absolutely.
i am running a dedicated openvpn/tcp server only for routeros clients (all others are on udp or wireguard already), it's a shame and i want to get rid of it!
 
reddin
just joined
Posts: 3
Joined: Mon May 04, 2020 11:46 pm

Re: Feature Request - Wireguard Protocol

Mon May 04, 2020 11:48 pm

I'm 100% sure that this is a must feature for ROS v7. Please, mikrotik, make my dreams come true 8)
 
steakikan
just joined
Posts: 1
Joined: Tue May 05, 2020 7:14 am

Re: Feature Request - Wireguard Protocol

Wed May 06, 2020 8:10 am

I second this, it would be a good alternative to something like OpenVPN for client connectivity, especially the multi thread capability which is useful on something like CCR. Other protocol are as important to be implemented, but with Covid-19 pandemic shows that any ways to provide better bandwidth tunnel for workers is better especially many choked on OpenVPN Server. It's not an alternative to IPSEC or IKE but will be a good alternative for OpenVPN (except if OpenVPN is actually multithreaded in the future). Hopefully rOS v7 has a lot of its foundation changes too to allow easier updating of modules for latest version.
 
User avatar
suloveoun
newbie
Posts: 33
Joined: Fri Sep 04, 2015 11:37 am

Re: Feature Request - Wireguard Protocol

Fri May 08, 2020 7:31 am

Hope Mikrotik implemented as possible.
 
jantypas
newbie
Posts: 28
Joined: Sun May 02, 2010 11:57 pm

Re: Feature Request - Wireguard Protocol

Wed May 13, 2020 5:56 pm

Not complaining here, but I'm beginning to wonder if we've got things all wrong. I, too, wanted the Uber Mikrotik box with everything on it, but Mikrotik hasn't even got OpenVPN with UDP, and I don't see it coming any time soon, even in RouterOS 7. But when I look at it, nearly everything we're asking for is a VPN extension -- RouterOS does fine at routing. That's what it is, that's what it's for. I finally realized I could "path the graps" by putting a $150 box next to it that handles OpenVPN, Wireguard, ZeroTier etc. It's not all in one box, but everything just works.
 
jantypas
newbie
Posts: 28
Joined: Sun May 02, 2010 11:57 pm

Re: Feature Request - Wireguard Protocol

Wed May 13, 2020 5:57 pm

I also finally realized I can't type today :-)
 
Sob
Forum Guru
Forum Guru
Posts: 5611
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request - Wireguard Protocol

Wed May 13, 2020 8:13 pm

It depends. It you need huge VPN server for many users, or have some special requirements, then dedicated machine makes sense. But if you need something for only handful of users, then anything external is overkill. Even if it would be the cheapest RasPi-like board, which would be ok price wise, it's another otherwise useless thing you need to manage. Simple VPN server on router is normal and expected feature. And once properly implemented, it should handle even more users on appropriate hardware.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
syadnom
Member
Member
Posts: 458
Joined: Thu Jan 27, 2011 7:29 am

Re: Feature Request - Wireguard Protocol

Wed May 13, 2020 8:54 pm

The number of devices is an important part. Space, moving parts, complexity etc.

Wireguard is a very efficient tunnel, you can spin up a very large number of them without taxing a CPU all that much. Wireguard can beat hardware AES-NI in software with it's ChaCha encryption. Wireguard can handle over 1Gbps on an Atom N3000 CPU which is in the same class as the ARM chips in rb4011s. Wireguard scales out too so these many-core mikrotik boxes should handle a substantial amount of traffic, well more than their little AES hardware can today.

If you haven't played with it, you should. I've done some of my own testing running a tunnel to lightsail and I can pull 500Mbps speed tests on that with the little $3 instance's CPU barely in double digit CPU usage.

Proper support in RouterOS is a game changer for me with road warriors.
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1871
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: Feature Request - Wireguard Protocol

Thu May 14, 2020 2:15 am

WireGuard is amazing and as you have seen above I support it being added to RouterOS.

But... WireGuard is still a very new technology, and is missing a lot of niceties, as an example it currently has no mechanism to dynamically assign IP addresses to remote clients.

So while the enthusiasm is great, don't let your expectations of WireGuard exceed reality or you will be disappointed.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
andrew13
just joined
Posts: 1
Joined: Sun May 17, 2020 11:07 am

Re: Feature Request - Wireguard Protocol

Sun May 17, 2020 11:10 am

+1 for Wireguard
Implementing this directly on our router would be the most reliable solution for us.
 
User avatar
rooted
Member Candidate
Member Candidate
Posts: 107
Joined: Tue Feb 04, 2020 5:58 pm

Re: Feature Request - Wireguard Protocol

Mon May 18, 2020 12:40 am

I don't think more +1's are necessary, it's being added ;)
 
User avatar
mutluit
Forum Veteran
Forum Veteran
Posts: 743
Joined: Wed Mar 25, 2020 4:04 am

Re: Feature Request - Wireguard Protocol

Mon May 18, 2020 1:25 pm

I don't think more +1's are necessary, it's being added ;)
But, me too! :-)
+1 for WireGuard.
WireGuard aims to provide a VPN that is both simple and highly effective. ... a codebase of around 4000 lines of pure kernel code,
about 1% of either OpenVPN or IPsec, making security audits easier, and praised by the Linux kernel creator Linus Torvalds
compared to OpenVPN and IPsec as a "work of art".
...
Oregon senator Ron Wyden has recommended to the National Institute of Standards and Technology (NIST) that they evaluate WireGuard
as a replacement for existing technologies like IPsec and OpenVPN.

Source https://en.wikipedia.org/wiki/WireGuard
 
santyx32
Frequent Visitor
Frequent Visitor
Posts: 60
Joined: Fri Oct 25, 2019 2:17 am

Re: Feature Request - Wireguard Protocol

Tue May 19, 2020 1:42 am

+1 for Wireguard, faster than anything else
 
blaggacao
just joined
Posts: 1
Joined: Tue May 26, 2020 2:08 am

Re: Feature Request - Wireguard Protocol

Tue May 26, 2020 2:12 am

> Wireguard just missed the 5.5 which is expected to be the next super long LTS kernel

Just want to add, ubuntu has backported it to 5.4, see here: https://git.launchpad.net/~ubuntu-kerne ... 2be3b7ed38
 
it2all
just joined
Posts: 1
Joined: Tue May 26, 2020 10:51 am

Re: Feature Request - Wireguard Protocol

Tue May 26, 2020 10:57 am

+1 .... yes, please
 
mniewiera
just joined
Posts: 7
Joined: Wed Dec 27, 2017 4:52 pm

Re: Feature Request - Wireguard Protocol

Tue May 26, 2020 4:33 pm

+1 for Wireguard support
 
schose
just joined
Posts: 6
Joined: Sun Mar 04, 2018 11:20 pm

Re: Feature Request - Wireguard Protocol

Tue May 26, 2020 5:20 pm

+1 for wireguard.

btw. German Telekom is placing wireguard into their end-user routers: https://www.en24.news/2020/05/telekom-t ... uters.html
 
User avatar
Kamaz
newbie
Posts: 35
Joined: Sun Apr 30, 2017 9:35 am

Re: Feature Request - Wireguard Protocol

Thu May 28, 2020 12:36 pm

+1 for Wireguard support
 
userid
just joined
Posts: 3
Joined: Wed May 27, 2020 9:50 am

Re: Feature Request - Wireguard Protocol

Thu May 28, 2020 3:13 pm

+1 for Wireguard support
 
Svenp
just joined
Posts: 4
Joined: Tue May 05, 2020 7:35 am

Re: Feature Request - Wireguard Protocol

Thu May 28, 2020 3:46 pm

+1 for Wireguard support
 
nchevrier
just joined
Posts: 1
Joined: Fri May 29, 2020 2:59 pm

Re: Feature Request - Wireguard Protocol

Fri May 29, 2020 3:00 pm

+1 for WireGuard :)
 
VogelFrei
just joined
Posts: 1
Joined: Wed Jul 17, 2019 2:42 pm

Re: Feature Request - Wireguard Protocol

Tue Jun 02, 2020 1:33 pm

+1 for wireguard!
 
evgenij
just joined
Posts: 2
Joined: Tue May 26, 2020 11:40 am

Re: Feature Request - Wireguard Protocol

Wed Jun 03, 2020 6:17 pm

+10 Guys :)

I really need wireguard to rebuid VPN links between networks
 
td32
Member Candidate
Member Candidate
Posts: 104
Joined: Fri Nov 18, 2016 5:55 am

Re: Feature Request - Wireguard Protocol

Thu Jun 04, 2020 1:35 pm

7.0beta7 (2020-Jun-3 16:31):
!) system kernel has been updated to version 5.6.3;
niceeeeeeeee, guess we are on the right path
 
User avatar
kiler129
Member Candidate
Member Candidate
Posts: 241
Joined: Tue Mar 31, 2015 4:32 pm
Contact:

Re: Feature Request - Wireguard Protocol

Fri Jun 05, 2020 9:53 pm

@normis Can we exchange a pizza fundraiser for a WG in upcoming beta(s)? ;)
 
markwien
Frequent Visitor
Frequent Visitor
Posts: 50
Joined: Sun Jul 22, 2018 10:49 am

Re: Feature Request - Wireguard Protocol

Sun Jun 07, 2020 7:34 am

I am against WireGuard - no Hardware offload.
I am used to ipsec that works great. If u need WireGuard better install it on a server with powerful cpu.
 
User avatar
kiler129
Member Candidate
Member Candidate
Posts: 241
Joined: Tue Mar 31, 2015 4:32 pm
Contact:

Re: Feature Request - Wireguard Protocol

Sun Jun 07, 2020 7:57 am

@markwien Have you ever used or familiarized yourself with WG? It doesn't use AES and thus cannot use hardware offload. However, this is only one side of the coin: the crypto WG uses is on par or faster than AES with acceleration, since it was designed to utilize features of modern CPUs.

Detailed benchmarks: https://an.undulating.space/post/181227 ... enchmarks/

TL;DR - on budget EdgeRouter Lite (dualcore, 500Mhz MIPS64):
Screen Shot 2020-06-06 at 11.56.00 PM.png

I really don't want to start a flamewar here, because it's not a place for it, but even folks maintaining IPSec subsystem in the Linux kernel subtree agree that WG is vastly superior in most of the scenarios.
You do not have the required permissions to view the files attached to this post.
 
User avatar
mozerd
Member
Member
Posts: 410
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Feature Request - Wireguard Protocol

Sun Jun 07, 2020 2:18 pm

If u need WireGuard better install it on a server with powerful cpu.
The opposite is true .... @markwien - ignorance is no excuse!
 
onnoossendrijver
Member
Member
Posts: 424
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Feature Request - Wireguard Protocol

Mon Jun 08, 2020 12:28 am

@markwien
Detailed benchmarks: https://an.undulating.space/post/181227 ... enchmarks/

TL;DR - on budget EdgeRouter Lite (dualcore, 500Mhz MIPS64):
Screen Shot 2020-06-06 at 11.56.00 PM.png
I don't know how they did those benchmarks, but my edgerouter lite is just as fast when doing ipsec as these wireguard results.
On ipsec I get to choose the encryption. I get it that wireguard has its uses and is better than ipsec on some aspects. But to me it is absolutely not the one size fits all vpn.
Linux/network engineer: ITIL, LPI1, CCNA R+S, CCNP R+S, JNCIA, JNCIS-SEC
 
User avatar
kiler129
Member Candidate
Member Candidate
Posts: 241
Joined: Tue Mar 31, 2015 4:32 pm
Contact:

Re: Feature Request - Wireguard Protocol

Mon Jun 08, 2020 3:49 am

my edgerouter lite is just as fast when doing ipsec as these wireguard results.
It looks like on the standard OS they're comparable, OpenWRT has probably some newer (less stable?) implementation. Based on the date of the post it's also possible that OWRT used kernel module while EdgeOS used userland implementation.

I deliberately didn't want to bring benchmarks published by WG itself, since even the author puts the following warning as of today:
These benchmarks are old, crusty, and not super well conducted. In the intervening time, WireGuard and IPsec have both gotten faster, with WireGuard stil edging out IPsec in some cases due to its multi-threading, while OpenVPN remains extremely slow. It is a work in progress to replace the below benchmarks with newer data.
However, even there the numbers look promising:
Screen Shot 2020-06-07 at 7.43.29 PM.png
On ipsec I get to choose the encryption. I get it that wireguard has its uses and is better than ipsec on some aspects. But to me it is absolutely not the one size fits all vpn.
And I can agree with this 101%. WG is not a magical one-fits-all, and the author itself is aware of that. Even the fact that WG deliberately tunnels IP layer only is a limiting factor for many. However, as a general tunneling protocol for HTTP/SMB/AFP, especially for road warriors on mobile it's vastly better.
The biggest gripe with IPSec is not its configuration itself when you control both ends, but attempting to match both sides. Also, after you do you will get reports that "it doesn't work, I'm in hotel X" after which you see how many pseudoadmins do DROP ALL, ALLOW TCP+UDP.

It's worth listening to https://podcast.asknoahshow.com/177 (WG part starts 16:40) - the author has a very sane approach to limitations, goals, and challenges along the way, as well as how the Linux community approached the new "revolutionary" protocol.
You do not have the required permissions to view the files attached to this post.
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1871
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: Feature Request - Wireguard Protocol

Mon Jun 08, 2020 5:34 am

@markwien
Detailed benchmarks: https://an.undulating.space/post/181227 ... enchmarks/

TL;DR - on budget EdgeRouter Lite (dualcore, 500Mhz MIPS64):
Screen Shot 2020-06-06 at 11.56.00 PM.png
I don't know how they did those benchmarks, but my edgerouter lite is just as fast when doing ipsec as these wireguard results.
On ipsec I get to choose the encryption. I get it that wireguard has its uses and is better than ipsec on some aspects. But to me it is absolutely not the one size fits all vpn.
I 100% Agree with @onnoossendrijver

WireGuard has a huge number of limitations in comparison with IPSEC, and quite a few with OpenVPN too.

It is a case of "Horses for Courses".

I will be using WireGuard for direct connectivity to VM's and Containers as it is MUCH simpler than IPSEC or OpenVPN. But for general site-to-site VPN's and for dial-in VPN's I will continue to use IPSEC.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
ferdytao
just joined
Posts: 22
Joined: Mon Sep 26, 2016 8:51 am

Re: Feature Request - Wireguard Protocol

Wed Jul 08, 2020 2:02 pm

+1 for Wireguard

Who is online

Users browsing this forum: rpingar and 9 guests