Community discussions

 
User avatar
bneijt
just joined
Topic Author
Posts: 3
Joined: Sun May 06, 2018 12:52 pm
Contact:

[Feature request] Wireguard

Sun May 06, 2018 1:40 pm

I would love to run Wireguard on my Mikrotik and decided, with all the news spread across the forum, to combine some posts in a new thread.


Wireguard is a encrypted tunnel technology, started in 2016 but not 1.0 yet. Wireguard will probably replace OpenVPN which is currencly only partially supported by Mikrotik anyway.
It is already being adopted: easily available in Linux, VPN providers like AzireVPN support it and open source routers like Ubiquity and OpenWRT show good performance.

Mikrotik, being Linux based but closed source, will start supporting it in the future and it may end up in v7. V7 may be an april fools joke from 2014, but it may also be in development for more then 3 years making the feature list very unpredictable at this point.

I have not been able to find any post by a Mikrotik employee on the subject yet, but interesting posts by other users are:
viewtopic.php?f=1&t=45934&p=602377&hili ... rd#p602377
viewtopic.php?f=1&t=45934&p=637573&hili ... rd#p637573
 
zaharmd
just joined
Posts: 2
Joined: Wed Oct 26, 2016 4:43 am

Re: [Feature request] Wireguard

Tue May 08, 2018 6:29 pm

+1 for WireGuard in MikroTik
MTCNA, MTCRE
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1818
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: [Feature request] Wireguard

Wed May 09, 2018 11:19 am

+1 from me
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
User avatar
bneijt
just joined
Topic Author
Posts: 3
Joined: Sun May 06, 2018 12:52 pm
Contact:

Re: [Feature request] Wireguard

Tue May 15, 2018 10:21 pm

I did a quick forum review to get a basic timeline we can expect for Wireguard support.

Going by OpenVPN:
In 2004 the first forum request was made for OpenVPN support.
With release 3.0 came the partial implementation there is today, which was around 2007.

The first Wireguard request was around Jun 11, 2017
This would mean that Mikrotik will probably release initial support around 2020
 
xtornado
just joined
Posts: 21
Joined: Sun Mar 07, 2010 8:02 pm

Re: [Feature request] Wireguard

Mon Jul 02, 2018 11:03 am

+1 for wireguard on routeros
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 644
Joined: Fri Nov 10, 2017 8:19 am

Re: [Feature request] Wireguard

Mon Jul 02, 2018 12:44 pm

I cannot imagine adding support before wireguard reach stable realease. Based on other similar requests, i think that mikrotik instantly refuse to implement anything what is alpha/beta stage.
 
R1CH
Forum Veteran
Forum Veteran
Posts: 896
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Feature request] Wireguard

Mon Jul 02, 2018 5:35 pm

And please use the reference implementation! I'm getting tired of Mikrotik's re-implementations of software which introduce security bugs and miss important features.
 
andreax
just joined
Posts: 4
Joined: Sat Mar 07, 2015 12:16 pm

Re: [Feature request] Wireguard

Sun Jul 29, 2018 3:48 pm

+1
Waiting for it!
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 1303
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: [Feature request] Wireguard

Sun Jul 29, 2018 7:50 pm

I cannot imagine adding support before wireguard reach stable realease.
Agree that MT should not implement it before its stable, but coming with a request now is a good thing.
This will allow MT to test it and make sure it works fine when its stable and release it from day one.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
Nefraim
just joined
Posts: 8
Joined: Fri Apr 13, 2018 10:01 pm

Re: [Feature request] Wireguard

Wed Aug 01, 2018 7:56 am

Since many of you guys were awaiting for a stable build for Wireguard, today we are even closer to that moment.
Yesterday Jason Donenfeld lead developer submited the required patches for including Wireguard into mainline linux kernels.

More info here http://lkml.iu.edu/hypermail/linux/kern ... 06622.html

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Guess it's time for Mikrotik developers consider including Wireguard in a future release.
We want WPA3 support but also Wireguard support :roll: .
 
User avatar
vecernik87
Long time Member
Long time Member
Posts: 644
Joined: Fri Nov 10, 2017 8:19 am

Re: [Feature request] Wireguard

Wed Aug 01, 2018 8:41 am

Just because it gets into linux kernel does not mean it is stable, nor it is ready for implementation. Let me quote their own website:
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.

They are clearly warning AGAINST implementing their code right now. Also it is agreeable that making own implementation is not really efficient. With this in mind, there is simply nothing, what Mikrotik developers could do right now. I already adviced to wait with the request because for now, it is just waste of everyone's time. (including my own, when I have to repeatedly point out that wireguard is barely in experimental stage)
 
ofer
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Wed May 23, 2018 11:45 am

Re: [Feature request] Wireguard

Wed Aug 01, 2018 11:20 am

+1 for Wireguard reference as it's currently being reviewed for kernel inclusion
http://lkml.iu.edu/hypermail/linux/kern ... 06622.html
 
Sob
Forum Guru
Forum Guru
Posts: 4676
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Thu Aug 02, 2018 2:34 am

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there's still a chance that Wireguard will be easily portable to older kernels.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
chrismfz
just joined
Posts: 14
Joined: Sat Apr 07, 2007 6:27 am
Contact:

Re: [Feature request] Wireguard

Fri Aug 03, 2018 7:48 pm

+1 for Wireguard reference as it's currently being reviewed for kernel inclusion
http://lkml.iu.edu/hypermail/linux/kern ... 06622.html
It's coming....

https://www.phoronix.com/scan.php?page= ... -WireGuard

Linus Torvalds Is Hoping WireGuard Will Be Merged Sooner Rather Than Later

But when we gonna see it in Mikrotik ?
 
R1CH
Forum Veteran
Forum Veteran
Posts: 896
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Feature request] Wireguard

Mon Aug 06, 2018 5:44 pm

I've been playing around with Wireguard recently and it's so refreshingly simple and fast, it makes setup of a new VPN link so easy. And the fact it uses modern, fast crypto is great - I would love to see this in RouterOS so I can finally ditch ipsec with its huge complexity and outdated crypto.

And even though it won't be hardware accelerated, chacha20-poly1305 is almost 4x faster than software AES on arm architecture!
 
User avatar
space007
just joined
Posts: 23
Joined: Tue Dec 07, 2010 12:30 pm

Re: [Feature request] Wireguard

Thu Aug 09, 2018 8:07 am

+1

After testing ipsec eoip tunnels with Mikrotik, I was deluded of the hw encryption performance. To not mention the marketing hype and the missing replay regarding this issues put fort on the forum.

Although the RosOs was the thing with 2.x-3.x with features required and needed in the networking in that time which give popularity to this company, sadly that is not the case anymore. Hardly there is any new implementation or revolution.

There is more momentum in other products. Now with x86 getting smaller, other router implementations are getting within reach.

Off topic, I know..

Sent from my Moto G (5) Plus using Tapatalk

 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1033
Joined: Fri Jul 28, 2017 2:53 pm

Re: [Feature request] Wireguard

Fri Aug 10, 2018 12:03 pm

I agree with the implementation of this protocol.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Fri Aug 10, 2018 12:17 pm

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there's still a chance that Wireguard will be easily portable to older kernels.
For now it looks like the only realistic short-term implementation would be using a user mode daemon just like OpenVPN.
In fact the claims about requirement to have it in the kernel are quite hollow and do not add to the credibility of the developer.
 
florentrivoire
newbie
Posts: 44
Joined: Wed Feb 25, 2015 12:02 pm

Re: [Feature request] Wireguard

Sun Aug 12, 2018 1:33 pm

I would appreciate a lot a Wireguard implementation in RouterOS :)

The advantages that I see for my usage are :
  • it has a simplier VPN configuration
  • it should be faster than OpenVPN (in a single connection setup, where OpenVPN is mono-thread, I'm talking about the other endpoint which is on a Linux for me)
Last edited by florentrivoire on Mon Aug 27, 2018 3:20 pm, edited 1 time in total.
 
radiirr
just joined
Posts: 1
Joined: Tue Nov 28, 2017 9:13 pm

Re: [Feature request] Wireguard

Sun Aug 19, 2018 4:54 pm

+1 :)
 
chiem
just joined
Posts: 19
Joined: Fri Oct 24, 2014 4:48 pm

Re: [Feature request] Wireguard

Thu Aug 23, 2018 9:38 am

+1

Wireguard is supposed to be extremely simple. Please don't take 3+ years to support it.
 
TPecorella
just joined
Posts: 1
Joined: Mon Aug 27, 2018 3:07 pm

Re: [Feature request] Wireguard

Mon Aug 27, 2018 3:08 pm

+ 1, please add support asap
 
User avatar
mozerd
Member Candidate
Member Candidate
Posts: 262
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: [Feature request] Wireguard

Mon Aug 27, 2018 3:35 pm

+1
I have been using wireguard on the Ubiquiti EdgeRouter-Lite and WOW in a site to site scenario -- amazing vpn performance.
I definitely would encourage MikroTik to take a very serious look at this.
 
User avatar
Steveocee
Forum Guru
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: [Feature request] Wireguard

Mon Aug 27, 2018 11:08 pm

+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Tue Aug 28, 2018 9:27 am

+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".
I rather would love to see MikroTik implement existing and long outstanding feature requests rather than to be swayed by the issues of the day!
 
Sob
Forum Guru
Forum Guru
Posts: 4676
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Tue Aug 28, 2018 6:23 pm

@pe1chl: It's generally true, but if this thing can be implemented as easily as authors claim:
WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.
(even though "very few lines of code" sounds a little too optimistic), it might be worth to give it a higher priority. If implementing Wireguard would be easier than finishing OpenVPN implementation (I don't know, might be), I'd say to go for it. Not that it's a dream come true in complete package...

I have mixed feelings about roadwarrior use. It needs only single udp port (great) and even has some kind of roaming (I'm still not decided how much it helps). But inside config (addresses, routes) seems to be intentionally static-only. That's not great, because it means that it's not very usable when there's a lot of users and things can change. On the other hand, it's not much worse than what MikroTik's OpenVPN offers. For small SOHO use it could be good, as it seems to be otherwise quite easy to understand. Even working Windows client already exists.

For site to site, IPSec works great for me, but it's true that I do it mostly with static public addresses. When that's not available, Wireguard could work better. It should also have better performance on devices without HW acceleration. And it would provide interfaces for links, which would make it more clear for a lot of people than current tunnel-mode IPSec (I know about IPIP/GRE/EoIP inside IPSec, but it's extra step).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Tue Aug 28, 2018 7:19 pm

I'm not sure it is so much better than L2TP/IPsec which is proven and has hardware acceleration on a lot of MikroTik routers.
It can also deal with roaming users with dynamic IP, static or dynamic user tunnel addresses, etc.
And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN.

No, for me it is much more important that IPv6 is finally worked on again, and for others a multicore BGP solution is even more important.
Those things should be on top priority for MikroTik to work on (when they are not distracted by security issues), and new features like Wireguard should go below that.
When any work on VPN solutions is to be done, it should be to implement route pushing in existing protocols, according to (de-facto) standards.
When working between MikroTik routers one can use BGP, and I do so, but when using proprietary clients we need e.g. DHCP over L2TP (for Windows) and OpenVPN push route.
 
samael
just joined
Posts: 8
Joined: Tue Jan 01, 2008 1:57 pm
Location: Italy

Re: [Feature request] Wireguard

Thu Sep 06, 2018 10:47 am

+1.
 
flazzarini
just joined
Posts: 19
Joined: Thu Jun 13, 2013 11:05 am

Re: [Feature request] Wireguard

Mon Sep 10, 2018 8:44 pm

+1

Wireguard is so easy to setup and works on so many platforms already. On a side note though if implemented please make it more easier to use DNS names instead of IP addresses.
 
R1CH
Forum Veteran
Forum Veteran
Posts: 896
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Feature request] Wireguard

Tue Sep 11, 2018 1:19 am

And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN.
I know it's a lot to hope for, but this could easily be avoided if Mikrotik would stop re-implementing these features themselves and start using the open source implementations directly. They already use Linux kernel (GPL), I really don't see why they are so against using other open source packages and are instead re-inventing them with reduced features and more security bugs.

On that note, a large amount of the Wireguard code operates in the Linux kernel, so in the future if RouterOS upgrades to a modern kernel we could very easily see Wireguard support with minimal work required by Mikrotik since it comes "for free".
 
czb123
just joined
Posts: 3
Joined: Tue Jun 26, 2018 8:59 pm

Re: [Feature request] Wireguard

Mon Sep 24, 2018 11:25 pm

+1 from me
 
ofer
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Wed May 23, 2018 11:45 am

Re: [Feature request] Wireguard

Wed Sep 26, 2018 12:15 pm

+1 i hope it'll be included in the next major version
 
denisbondar
just joined
Posts: 2
Joined: Sat Apr 26, 2014 10:50 am

Re: [Feature request] Wireguard

Sun Oct 07, 2018 2:59 pm

+1 for Wireguard
 
bakshtay
just joined
Posts: 1
Joined: Thu Nov 08, 2018 11:55 am

Re: [Feature request] Wireguard

Thu Nov 08, 2018 11:57 am

+1 for wireguard on routeros
 
moneron
Trainer
Trainer
Posts: 3
Joined: Wed Oct 29, 2014 2:16 pm

Re: [Feature request] Wireguard

Thu Nov 08, 2018 3:34 pm

I think this is a good idea.
+1 for WireGuard.
 
shopping
just joined
Posts: 2
Joined: Thu Jul 07, 2016 11:43 am

Re: [Feature request] Wireguard

Wed Nov 14, 2018 7:17 pm

+1 wireguard asap
 
User avatar
SaurVLZ
just joined
Posts: 2
Joined: Thu Nov 29, 2018 12:02 am

Re: [Feature request] Wireguard

Mon Dec 10, 2018 7:44 pm

+1 for Wireguard
 
dakobg
just joined
Posts: 10
Joined: Mon Nov 06, 2017 8:58 am

Re: [Feature request] Wireguard

Tue Dec 11, 2018 9:00 am

+1

Изпратено от моят SM-G903F с помощта на Tapatalk

 
User avatar
32768
just joined
Posts: 16
Joined: Fri Mar 16, 2018 3:59 pm
Location: Switzerland
Contact:

Re: [Feature request] Wireguard

Mon Dec 31, 2018 3:52 pm

+1 for Wireguard
 
User avatar
BDF
just joined
Posts: 1
Joined: Mon Jan 07, 2019 10:29 am

Re: [Feature request] Wireguard

Mon Jan 07, 2019 11:18 am

+1 for WG
 
pioh
just joined
Posts: 1
Joined: Wed Jan 09, 2019 12:06 pm

Re: [Feature request] Wireguard

Wed Jan 09, 2019 12:07 pm

+1 for Wireguard
 
wwek
just joined
Posts: 1
Joined: Fri Jan 18, 2019 10:08 am

Re: [Feature request] Wireguard

Fri Jan 18, 2019 10:11 am

+1 for WireGuard in MikroTik
 
nik3600
just joined
Posts: 1
Joined: Tue Dec 18, 2018 12:37 pm

Re: [Feature request] Wireguard

Mon Jan 21, 2019 3:56 pm

+1 for WireGuard
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Mon Jan 21, 2019 5:54 pm

There is no need for posting "+1 for wireguard".
It is wellknown from other topics that this has ZERO effect on it getting implemented.
I think you better contact sales with a use case and projected number of sold units.
 
User avatar
Chexov
just joined
Posts: 1
Joined: Sat Nov 10, 2018 1:07 pm
Location: Fi

Re: [Feature request] Wireguard

Sat Jan 26, 2019 11:40 am

+1 for WireGuard
 
kumos
just joined
Posts: 1
Joined: Thu Jan 31, 2019 1:20 pm

Re: [Feature request] Wireguard

Thu Jan 31, 2019 1:24 pm

+1 за WireGuard
 
wfalcon
just joined
Posts: 19
Joined: Thu Mar 23, 2017 3:03 pm

Re: [Feature request] Wireguard

Thu Feb 07, 2019 3:46 pm

+1 For WireGuard
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24206
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [Feature request] Wireguard

Thu Feb 07, 2019 3:50 pm

No answer to your question? How to write posts
 
Sob
Forum Guru
Forum Guru
Posts: 4676
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Thu Feb 07, 2019 3:57 pm

So you already have new RouterOS with kernel 4.20, but that's too bad Wireguard isn't there, therefore it can't be in RouterOS yet. I'm wondering if I'm reading it right. ;)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
mkx
Forum Guru
Forum Guru
Posts: 2955
Joined: Thu Mar 03, 2016 10:23 pm

Re: [Feature request] Wireguard

Thu Feb 07, 2019 4:05 pm

Too bad ROS 7 doesn't support DKMS kernel modules :(
BR,
Metod
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Thu Feb 07, 2019 4:19 pm

Wireguard does not need to be in the kernel, it can be implemented in a user process.
 
Kaeltis
just joined
Posts: 13
Joined: Fri Sep 14, 2018 1:03 am

Re: [Feature request] Wireguard

Mon Feb 11, 2019 8:23 pm

Would love to see official wireguard support as well.
 
Quasar
just joined
Posts: 19
Joined: Sun Oct 05, 2014 1:11 pm

Re: [Feature request] Wireguard

Mon Feb 11, 2019 8:33 pm

By the time we get v7 it'll be merged ;)
Wireguard does not need to be in the kernel, it can be implemented in a user process.
One of the selling points is performance. Especially on embedded devices userspace is not okay.
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1818
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: [Feature request] Wireguard

Tue Feb 12, 2019 10:05 pm


One of the selling points is performance. Especially on embedded devices userspace is not okay.
Most high performance packet forwarding is done in user space!

Check out VPP, DPDK and OFP
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
Quasar
just joined
Posts: 19
Joined: Sun Oct 05, 2014 1:11 pm

Re: [Feature request] Wireguard

Sat Feb 16, 2019 7:47 pm


One of the selling points is performance. Especially on embedded devices userspace is not okay.
Most high performance packet forwarding is done in user space!

Check out VPP, DPDK and OFP
Well, that's cheating in the sense that it's accompanied by drivers allowing you to bypass the kernel stack and write a tailored userspace processing application.

It doesn't hold for a naive userspace application (such as the Golang Wireguard implementation). I'm sure you could make it fly in userspace using DPDK, but that's besides the point ;)
 
Kampfwurst
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Mon Mar 24, 2014 2:53 pm

Re: [Feature request] Wireguard

Thu Feb 21, 2019 1:00 pm

+1 from my side
 
marcrisse
just joined
Posts: 23
Joined: Tue Feb 16, 2016 9:16 pm
Location: Germany

Re: [Feature request] Wireguard

Fri Mar 08, 2019 1:08 pm

+1 from me

I hate running Linux-VMs behind all my Mikrotik-Devices only for WG!
 
User avatar
Anastasia
newbie
Posts: 32
Joined: Wed Oct 28, 2015 7:12 pm

Re: [Feature request] Wireguard

Mon Mar 11, 2019 9:10 pm

+1
it will soon be added to the linux kernel and it will become the VPN standard
 
mms101
just joined
Posts: 11
Joined: Fri Apr 07, 2017 5:45 pm

Re: [Feature request] Wireguard

Tue Mar 12, 2019 11:35 pm

+1 from me.
 
limaunion
just joined
Posts: 18
Joined: Sun Sep 03, 2017 5:51 pm

Re: [Feature request] Wireguard

Thu Mar 28, 2019 12:50 pm

++1
 
User avatar
BG4DRL
just joined
Posts: 7
Joined: Sat Jan 26, 2019 4:00 pm

Re: [Feature request] Wireguard

Tue Apr 02, 2019 7:28 pm

+1
Waiting
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Wed Apr 03, 2019 12:10 pm

+1
Waiting
I don't recommend that! Users requesting updates in OpenVPN have been waiting for over 5 years already...
 
Sob
Forum Guru
Forum Guru
Posts: 4676
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Wed Apr 03, 2019 5:55 pm

So what's the best plan? Pleas, prayers, bribes, threats, ...? :)
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Wed Apr 03, 2019 11:20 pm

So what's the best plan? Pleas, prayers, bribes, threats, ...? :)
A Raspberry Pi or similar to handle the features you wish to be in RouterOS but never appear...
 
Paternot
Long time Member
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: [Feature request] Wireguard

Thu Apr 04, 2019 12:58 am

So what's the best plan? Pleas, prayers, bribes, threats, ...? :)
A Raspberry Pi or similar to handle the features you wish to be in RouterOS but never appear...
That's quite cumbersome. Maybe a short term solution - but complaining is a long term solution. How can Mikrotik knows what we want, if no one speaks?

True, they don't always implement it. But we try. :D
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Thu Apr 04, 2019 12:00 pm

They should implement the feature to allow user processes to run on a router in a chroot jail under nonprivileged
router, with only network interfaces imported via sockets (tun/tap or listening sockets for specific ports), similar
to the concept of MetaROUTER found on old models, but much lighter (just a user process instead of full virtualisation).
This allows third parties to add functionality that the company itself does not have resources to develop, like a better
OpenVPN and also a user-mode implementation of Wireguard (which will of course work just fine, don't believe those that
claim it can only be done in the kernel!)
Also other things, like a full-featured DNS server, a webserver, and other things we have been asking about for many
years but that never arrive.
There is no need to open up RouterOS for this, and should it expose security problems that is only good because those
would have bitten us sometime anyway.
 
reinerotto
Member
Member
Posts: 437
Joined: Thu Dec 04, 2008 2:35 am

Re: [Feature request] Wireguard

Sun Apr 07, 2019 11:33 pm

Why so complicated ?
Use MT for "plain and simple" routing/networking.
And an openwrt-box for the missing functions, like wireguard, squid proxy, nginx web server etc.
Or, just use openwrt devices for routing/networking, too.
 
Sob
Forum Guru
Forum Guru
Posts: 4676
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Mon Apr 08, 2019 5:21 am

It depends. If you're big business, then get routers for routing and dedicated servers for other stuff. It's the right way, and costs (both for buying all devices and taking care of them) won't be a problem for you. If you're extreme hobbyist, then get your 10+ different devices, create all kinds of servers and have great fun with them.

But anyone in betweeen (SOHO, etc) wants one device for all basic stuff. Full-blown Linux distribution (OpenWrt also qualifies) is one possible way, there are no limits what you can do with that, but it's also too complicated for most. RouterOS (and mainly WinBox) found the perfect spot. It gives you less freedom compared to Linux, but it's as friedly as it can be, while still remaining powerful enough. It's just awesome.

Unfortunately, sometimes it's not enough, and you may want a little bit more. But if RouterOS device provides >90% of what you need, getting another device for the rest is something you'd rather avoid. Realistically, MikroTik can't add all possible features, that's clear. There is/was MetaRouter, but it seems like a dead end now. And it was too heavy anyway. Something lighter as suggested by @pe1chl (and I suggested it in the past too) could be the solution that could make most people happy.

My only fear is that it could enable MikroTik to become "lazy" and refuse to implement some features, because "hey, we don't want to bother, when there's already a third-party package for that", even though it can be some half-working thing. I'd really like to have something like this as a way how to add some really exotic stuff that MikroTik would never add. But things like Wireguard should eventually be directly in RouterOS and supported by MikroTik.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
robertpenz
Frequent Visitor
Frequent Visitor
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Re: [Feature request] Wireguard

Wed Apr 10, 2019 8:44 pm

We did some performance Tests with Wireguard and man it is faster than any other VPN with much less CPU load! And for Android Phones the battery is not used more than without VPN, which is not true for all other VPNs - It makes a VPN almost transparent performance wise. Please implement!!
 
mutinsa
just joined
Posts: 21
Joined: Tue Feb 06, 2018 4:55 am
Location: Moscow, Russia
Contact:

Re: [Feature request] Wireguard

Mon May 06, 2019 11:31 am

+1.
Sergey Mutin
Certified Mikrotik Consultant
MikroTik: MTCNA, MTCRE, MTCIPv6E, MTCTCE, MTCUME, MTCINE, MTCWE | Cisco: CCNA R&S | Juniper: JNCIA-Junos | Zabbix: ZCU | Asterisk: dCAA | IPv6 Forum Certified Network Engineer (Silver) | HE.net IPv6: Sage
 
User avatar
ErfanDL
Member Candidate
Member Candidate
Posts: 276
Joined: Thu Sep 29, 2016 9:13 am
Location: IRAN
Contact:

Re: [Feature request] Wireguard

Mon May 06, 2019 2:38 pm

Now you can install wireguard on any linux with pihole.
https://www.reddit.com/r/pihole/comment ... wireguard/

Sent from my C6833 using Tapatalk

 
anav
Forum Guru
Forum Guru
Posts: 2969
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [Feature request] Wireguard

Mon May 06, 2019 8:05 pm

Thanks Erfan, are you saying I can attach my pi-hole to a port on my MT router and have it act as my wifeguard server (and then connect to it from my iphone for example)?
I hope the pi-hole works better on this then it did for me on DNS. I ended up bypassing the pi-hole and router DNS and now strictly use public DNS servers, otherwise too many funky DNS things were happening and I couldnt sort them out.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Samot
Member Candidate
Member Candidate
Posts: 109
Joined: Sat Nov 25, 2017 10:01 pm

Re: [Feature request] Wireguard

Thu May 09, 2019 3:26 pm

Soooo, we're all begging for Mikrotik to implement something that has never (in 2.5 years) hit an actual v1 release or anything stable. It's also a project surviving off of VC funding so what happens when their next round comes up with a goose egg?

Funny considering how much people complain about Mikrotik already having things in it that are incomplete and/or don't follow current standards, etc..
 
anav
Forum Guru
Forum Guru
Posts: 2969
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [Feature request] Wireguard

Thu May 09, 2019 8:58 pm

"+1 for pe1chi" suggestion to stop posting +1 WG LOL. Shit I just posted it anyway! ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
sindy
Forum Guru
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: [Feature request] Wireguard

Thu May 09, 2019 10:22 pm

"+1 for pe1chi" suggestion to stop posting +1
Except that his suggestion was to stop waiting, not stop posting +1 :-)
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
msatter
Forum Guru
Forum Guru
Posts: 1240
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Feature request] Wireguard

Mon May 13, 2019 12:29 pm

Wireguard was tested by INRIA

Source: https://www.security.nl/posting/608796/ ... eGuard-vpn

Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol derived from the Noise Protocol Framework. This paper presents the first mechanised cryptographic proof of the protocol underlying WireGuard, using the CryptoVerif proof assistant. We analyse the entire WireGuard protocol as it is, including transport data messages, in an ACCE-style model. We contribute proofs for correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay attacks. We also discuss the strength of the identity hiding provided by WireGuard. Our work also provides novel theoretical contributions that are reusable beyond WireGuard. First, we extend CryptoVerif to account for the absence of public key validation in popular Diffie-Hellman groups like Curve25519, which is used in many modern protocols including WireGuard. To our knowledge, this is the first mechanised cryptographic proof for any protocol employing such a precise model. Second, we prove several indifferentiability lemmas that are useful to simplify the proofs for sequences of key derivations.

Complete results: https://hal.inria.fr/hal-02100345
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.20 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
User avatar
anthonws
just joined
Posts: 21
Joined: Sat Jan 09, 2016 6:46 pm

Re: [Feature request] Wireguard

Mon May 13, 2019 1:19 pm

Wireguard was tested by INRIA

Source: https://www.security.nl/posting/608796/ ... eGuard-vpn

Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol derived from the Noise Protocol Framework. This paper presents the first mechanised cryptographic proof of the protocol underlying WireGuard, using the CryptoVerif proof assistant. We analyse the entire WireGuard protocol as it is, including transport data messages, in an ACCE-style model. We contribute proofs for correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay attacks. We also discuss the strength of the identity hiding provided by WireGuard. Our work also provides novel theoretical contributions that are reusable beyond WireGuard. First, we extend CryptoVerif to account for the absence of public key validation in popular Diffie-Hellman groups like Curve25519, which is used in many modern protocols including WireGuard. To our knowledge, this is the first mechanised cryptographic proof for any protocol employing such a precise model. Second, we prove several indifferentiability lemmas that are useful to simplify the proofs for sequences of key derivations.

Complete results: https://hal.inria.fr/hal-02100345
WireGuard is vaporware and Mikrotik knows that pretty darn well! Hence why they are not doing anything in regards to it.

Just look at Ubiquiti... They got community support, from the main developer of WG back in 2017!! https://community.ubnt.com/t5/EdgeRoute ... -p/1904764

What a waste of time and energy... None of this is standard stuff and due to that all of their users are miserable because they can now run new-gen VPNs... After a while a new feeling hit them! They are now missing their dearly PPTP and OpenVPN (not a hacked version from Ubiquiti of course!)...

They even started a PPTP + OpenVPN movement! "Make PPTP & OpenVPN Great Again!"

/S
 
phouzva
just joined
Posts: 1
Joined: Thu Jan 10, 2019 4:39 pm

Re: [Feature request] Wireguard

Fri May 24, 2019 3:09 pm

+1.
 
User avatar
aaronvonawesome
just joined
Posts: 10
Joined: Mon Jul 18, 2016 7:44 pm
Location: Columbus, OH

Re: [Feature request] Wireguard

Sat May 25, 2019 8:10 pm

Would love to see official wireguard support as well.
+1
 
User avatar
m4dmike
just joined
Posts: 5
Joined: Fri Mar 08, 2019 1:38 am

Re: [Feature request] Wireguard

Wed Jun 19, 2019 10:07 am

+1 for Wireguard
MTCRE
 
marcrisse
just joined
Posts: 23
Joined: Tue Feb 16, 2016 9:16 pm
Location: Germany

Re: [Feature request] Wireguard

Wed Jun 19, 2019 11:34 am

+1 and €100 for coffee ;)
 
schose
just joined
Posts: 5
Joined: Sun Mar 04, 2018 11:20 pm

Re: [Feature request] Wireguard

Fri Jun 21, 2019 1:31 am

+1 and a good bottle of german schnaps
 
huntermic
newbie
Posts: 40
Joined: Wed Oct 26, 2016 3:42 pm

Re: [Feature request] Wireguard

Fri Jun 28, 2019 11:32 am

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
 
anav
Forum Guru
Forum Guru
Posts: 2969
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [Feature request] Wireguard

Fri Jun 28, 2019 2:12 pm

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
huntermic
newbie
Posts: 40
Joined: Wed Oct 26, 2016 3:42 pm

Re: [Feature request] Wireguard

Fri Jun 28, 2019 2:46 pm

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??
I'm using it in a roadwarrior setup so for instance when i'm at work i can use my home nas at full speed, so i'm talking about 500Mbit inside the tunnel
 
mwittchen
just joined
Posts: 4
Joined: Tue Jul 10, 2018 5:47 pm

Re: [Feature request] Wireguard

Mon Aug 19, 2019 1:10 pm

+1 and a good bottle of german schnaps
+1
 
metalcated
just joined
Posts: 4
Joined: Fri Apr 19, 2013 3:07 pm

Re: [Feature request] Wireguard

Thu Aug 29, 2019 6:05 pm

Waiting for this too! Right now I am running a WG Server on a VM in my basement rack and its pretty darn nice.

Any Linux folks out there who are running it and want a simple GUI --> https://github.com/metalcated/Wireguard-Bravo (more development to happen soon hopefully as I have time).

Going to watch this thread and pray it comes soon!

Thanks
 
Grosen
just joined
Posts: 2
Joined: Thu Aug 01, 2019 10:58 am

Re: [Feature request] Wireguard

Sat Sep 07, 2019 8:26 am

definitively +1
 
Lebzul
Frequent Visitor
Frequent Visitor
Posts: 68
Joined: Wed Feb 21, 2018 12:54 am

Re: [Feature request] Wireguard

Sun Sep 08, 2019 5:46 am

Thanks Erfan, are you saying I can attach my pi-hole to a port on my MT router and have it act as my wifeguard server (and then connect to it from my iphone for example)?
I hope the pi-hole works better on this then it did for me on DNS. I ended up bypassing the pi-hole and router DNS and now strictly use public DNS servers, otherwise too many funky DNS things were happening and I couldnt sort them out.
I'd like to have a "wife"guard too. (Just joking)

+1
 
netflow
Frequent Visitor
Frequent Visitor
Posts: 61
Joined: Sat Oct 01, 2016 3:53 pm

Re: [Feature request] Wireguard

Sun Sep 15, 2019 11:34 am

+1 for Wireguard in ROS. A good, fast, secure built-in vpn is a must!
Also interested by some community driven plugins. I cannot consider metarouter as an usable solution. It would require more flash on device, broader architecture support and then it is still a burden to manage additional vm and config!
 
sindy
Forum Guru
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: [Feature request] Wireguard

Sun Sep 15, 2019 12:05 pm

Also interested by some community driven plugins.
That's against the idea of RouterOS. If you want 3rd party plugins, go OpenWRT (which is available even for some Mikrotik hardware) and forget about manufacturer's responsibility. If you want manufacturer's responsibility for the product, stay RouterOS and forget about 3rd party plugins. There is no middle way.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
pe1chl
Forum Guru
Forum Guru
Posts: 5830
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Sun Sep 15, 2019 1:17 pm

I don't consider that really true, there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process.
But apparently MikroTik is not interested in doing this.
 
sindy
Forum Guru
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: [Feature request] Wireguard

Sun Sep 15, 2019 1:39 pm

there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process.
I may be old-fashioned but I still perceive Mikrotik as a router, not an application server. So I can imagine e.g. a more flexible DNS process running in a sandbox, but not processes directly involved in packet forwarding, such as stacks implementing new routing protocols or new VPN types. Leaving aside things like hardware encryption for other VPN types than IPsec (OpenVPN, SSTP to stay with those currently implemented) which might be really useful for some but I cannot imagine sandboxing them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
vigor5
just joined
Posts: 1
Joined: Tue Sep 24, 2019 1:14 pm

Re: [Feature request] Wireguard

Wed Sep 25, 2019 11:22 am

Waiting for this too
 
avacha
newbie
Posts: 28
Joined: Thu Jan 25, 2018 9:12 pm

Re: [Feature request] Wireguard

Thu Sep 26, 2019 9:54 am

I'm also interesting about Wireguard impementation in Mikrotik devices.

P.S. Yesterday Cloudflare release free VPN service:
WARP is an ambitious project. We set out to secure Internet connections from mobile devices to the edge of Cloudflare's network. In doing so, however, we didn't want to slow devices down or burn excess battery. We wanted it to just work. We also wanted to bet on the technology of the future, not the technology of the past. Specifically, we wanted to build not around legacy protocols like IPsec, but instead around the hyper-efficient WireGuard protocol.

Who is online

Users browsing this forum: MSN [Bot] and 83 guests