Community discussions

MikroTik App
 
User avatar
bneijt
just joined
Topic Author
Posts: 3
Joined: Sun May 06, 2018 12:52 pm
Contact:

[Feature request] Wireguard

Sun May 06, 2018 1:40 pm

I would love to run Wireguard on my Mikrotik and decided, with all the news spread across the forum, to combine some posts in a new thread.


Wireguard is a encrypted tunnel technology, started in 2016 but not 1.0 yet. Wireguard will probably replace OpenVPN which is currencly only partially supported by Mikrotik anyway.
It is already being adopted: easily available in Linux, VPN providers like AzireVPN support it and open source routers like Ubiquity and OpenWRT show good performance.

Mikrotik, being Linux based but closed source, will start supporting it in the future and it may end up in v7. V7 may be an april fools joke from 2014, but it may also be in development for more then 3 years making the feature list very unpredictable at this point.

I have not been able to find any post by a Mikrotik employee on the subject yet, but interesting posts by other users are:
viewtopic.php?f=1&t=45934&p=602377&hili ... rd#p602377
viewtopic.php?f=1&t=45934&p=637573&hili ... rd#p637573
 
zaharmd
just joined
Posts: 6
Joined: Wed Oct 26, 2016 4:43 am

Re: [Feature request] Wireguard

Tue May 08, 2018 6:29 pm

+1 for WireGuard in MikroTik
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: [Feature request] Wireguard

Wed May 09, 2018 11:19 am

+1 from me
 
User avatar
bneijt
just joined
Topic Author
Posts: 3
Joined: Sun May 06, 2018 12:52 pm
Contact:

Re: [Feature request] Wireguard

Tue May 15, 2018 10:21 pm

I did a quick forum review to get a basic timeline we can expect for Wireguard support.

Going by OpenVPN:
In 2004 the first forum request was made for OpenVPN support.
With release 3.0 came the partial implementation there is today, which was around 2007.

The first Wireguard request was around Jun 11, 2017
This would mean that Mikrotik will probably release initial support around 2020
 
xtornado
newbie
Posts: 31
Joined: Sun Mar 07, 2010 8:02 pm

Re: [Feature request] Wireguard

Mon Jul 02, 2018 11:03 am

+1 for wireguard on routeros
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: [Feature request] Wireguard

Mon Jul 02, 2018 12:44 pm

I cannot imagine adding support before wireguard reach stable realease. Based on other similar requests, i think that mikrotik instantly refuse to implement anything what is alpha/beta stage.
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Feature request] Wireguard

Mon Jul 02, 2018 5:35 pm

And please use the reference implementation! I'm getting tired of Mikrotik's re-implementations of software which introduce security bugs and miss important features.
 
andreax
just joined
Posts: 10
Joined: Sat Mar 07, 2015 12:16 pm

Re: [Feature request] Wireguard

Sun Jul 29, 2018 3:48 pm

+1
Waiting for it!
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: [Feature request] Wireguard

Sun Jul 29, 2018 7:50 pm

I cannot imagine adding support before wireguard reach stable realease.
Agree that MT should not implement it before its stable, but coming with a request now is a good thing.
This will allow MT to test it and make sure it works fine when its stable and release it from day one.
 
Nefraim
just joined
Posts: 8
Joined: Fri Apr 13, 2018 10:01 pm

Re: [Feature request] Wireguard

Wed Aug 01, 2018 7:56 am

Since many of you guys were awaiting for a stable build for Wireguard, today we are even closer to that moment.
Yesterday Jason Donenfeld lead developer submited the required patches for including Wireguard into mainline linux kernels.

More info here http://lkml.iu.edu/hypermail/linux/kern ... 06622.html

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Guess it's time for Mikrotik developers consider including Wireguard in a future release.
We want WPA3 support but also Wireguard support :roll: .
 
User avatar
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: [Feature request] Wireguard

Wed Aug 01, 2018 8:41 am

Just because it gets into linux kernel does not mean it is stable, nor it is ready for implementation. Let me quote their own website:
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.

They are clearly warning AGAINST implementing their code right now. Also it is agreeable that making own implementation is not really efficient. With this in mind, there is simply nothing, what Mikrotik developers could do right now. I already adviced to wait with the request because for now, it is just waste of everyone's time. (including my own, when I have to repeatedly point out that wireguard is barely in experimental stage)
 
ofer
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Wed May 23, 2018 11:45 am

Re: [Feature request] Wireguard

Wed Aug 01, 2018 11:20 am

+1 for Wireguard reference as it's currently being reviewed for kernel inclusion
http://lkml.iu.edu/hypermail/linux/kern ... 06622.html
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Thu Aug 02, 2018 2:34 am

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there's still a chance that Wireguard will be easily portable to older kernels.
 
chrismfz
just joined
Posts: 15
Joined: Sat Apr 07, 2007 6:27 am
Contact:

Re: [Feature request] Wireguard

Fri Aug 03, 2018 7:48 pm

+1 for Wireguard reference as it's currently being reviewed for kernel inclusion
http://lkml.iu.edu/hypermail/linux/kern ... 06622.html
It's coming....

https://www.phoronix.com/scan.php?page= ... -WireGuard

Linus Torvalds Is Hoping WireGuard Will Be Merged Sooner Rather Than Later

But when we gonna see it in Mikrotik ?
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Feature request] Wireguard

Mon Aug 06, 2018 5:44 pm

I've been playing around with Wireguard recently and it's so refreshingly simple and fast, it makes setup of a new VPN link so easy. And the fact it uses modern, fast crypto is great - I would love to see this in RouterOS so I can finally ditch ipsec with its huge complexity and outdated crypto.

And even though it won't be hardware accelerated, chacha20-poly1305 is almost 4x faster than software AES on arm architecture!
 
User avatar
space007
just joined
Posts: 23
Joined: Tue Dec 07, 2010 12:30 pm

Re: [Feature request] Wireguard

Thu Aug 09, 2018 8:07 am

+1

After testing ipsec eoip tunnels with Mikrotik, I was deluded of the hw encryption performance. To not mention the marketing hype and the missing replay regarding this issues put fort on the forum.

Although the RosOs was the thing with 2.x-3.x with features required and needed in the networking in that time which give popularity to this company, sadly that is not the case anymore. Hardly there is any new implementation or revolution.

There is more momentum in other products. Now with x86 getting smaller, other router implementations are getting within reach.

Off topic, I know..

Sent from my Moto G (5) Plus using Tapatalk

 
User avatar
Anumrak
Forum Guru
Forum Guru
Posts: 1174
Joined: Fri Jul 28, 2017 2:53 pm

Re: [Feature request] Wireguard

Fri Aug 10, 2018 12:03 pm

I agree with the implementation of this protocol.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Fri Aug 10, 2018 12:17 pm

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there's still a chance that Wireguard will be easily portable to older kernels.
For now it looks like the only realistic short-term implementation would be using a user mode daemon just like OpenVPN.
In fact the claims about requirement to have it in the kernel are quite hollow and do not add to the credibility of the developer.
 
florentrivoire
newbie
Posts: 44
Joined: Wed Feb 25, 2015 12:02 pm

Re: [Feature request] Wireguard

Sun Aug 12, 2018 1:33 pm

I would appreciate a lot a Wireguard implementation in RouterOS :)

The advantages that I see for my usage are :
  • it has a simplier VPN configuration
  • it should be faster than OpenVPN (in a single connection setup, where OpenVPN is mono-thread, I'm talking about the other endpoint which is on a Linux for me)
Last edited by florentrivoire on Mon Aug 27, 2018 3:20 pm, edited 1 time in total.
 
radiirr
just joined
Posts: 1
Joined: Tue Nov 28, 2017 9:13 pm

Re: [Feature request] Wireguard

Sun Aug 19, 2018 4:54 pm

+1 :)
 
chiem
newbie
Posts: 41
Joined: Fri Oct 24, 2014 4:48 pm

Re: [Feature request] Wireguard

Thu Aug 23, 2018 9:38 am

+1

Wireguard is supposed to be extremely simple. Please don't take 3+ years to support it.
 
TPecorella
just joined
Posts: 1
Joined: Mon Aug 27, 2018 3:07 pm

Re: [Feature request] Wireguard

Mon Aug 27, 2018 3:08 pm

+ 1, please add support asap
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: [Feature request] Wireguard

Mon Aug 27, 2018 3:35 pm

+1
I have been using wireguard on the Ubiquiti EdgeRouter-Lite and WOW in a site to site scenario -- amazing vpn performance.
I definitely would encourage MikroTik to take a very serious look at this.
 
User avatar
Steveocee
Forum Guru
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: [Feature request] Wireguard

Mon Aug 27, 2018 11:08 pm

+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Tue Aug 28, 2018 9:27 am

+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".
I rather would love to see MikroTik implement existing and long outstanding feature requests rather than to be swayed by the issues of the day!
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Tue Aug 28, 2018 6:23 pm

@pe1chl: It's generally true, but if this thing can be implemented as easily as authors claim:
WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.
(even though "very few lines of code" sounds a little too optimistic), it might be worth to give it a higher priority. If implementing Wireguard would be easier than finishing OpenVPN implementation (I don't know, might be), I'd say to go for it. Not that it's a dream come true in complete package...

I have mixed feelings about roadwarrior use. It needs only single udp port (great) and even has some kind of roaming (I'm still not decided how much it helps). But inside config (addresses, routes) seems to be intentionally static-only. That's not great, because it means that it's not very usable when there's a lot of users and things can change. On the other hand, it's not much worse than what MikroTik's OpenVPN offers. For small SOHO use it could be good, as it seems to be otherwise quite easy to understand. Even working Windows client already exists.

For site to site, IPSec works great for me, but it's true that I do it mostly with static public addresses. When that's not available, Wireguard could work better. It should also have better performance on devices without HW acceleration. And it would provide interfaces for links, which would make it more clear for a lot of people than current tunnel-mode IPSec (I know about IPIP/GRE/EoIP inside IPSec, but it's extra step).
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Tue Aug 28, 2018 7:19 pm

I'm not sure it is so much better than L2TP/IPsec which is proven and has hardware acceleration on a lot of MikroTik routers.
It can also deal with roaming users with dynamic IP, static or dynamic user tunnel addresses, etc.
And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN.

No, for me it is much more important that IPv6 is finally worked on again, and for others a multicore BGP solution is even more important.
Those things should be on top priority for MikroTik to work on (when they are not distracted by security issues), and new features like Wireguard should go below that.
When any work on VPN solutions is to be done, it should be to implement route pushing in existing protocols, according to (de-facto) standards.
When working between MikroTik routers one can use BGP, and I do so, but when using proprietary clients we need e.g. DHCP over L2TP (for Windows) and OpenVPN push route.
 
samael
just joined
Posts: 9
Joined: Tue Jan 01, 2008 1:57 pm
Location: Italy

Re: [Feature request] Wireguard

Thu Sep 06, 2018 10:47 am

+1.
 
flazzarini
just joined
Posts: 19
Joined: Thu Jun 13, 2013 11:05 am

Re: [Feature request] Wireguard

Mon Sep 10, 2018 8:44 pm

+1

Wireguard is so easy to setup and works on so many platforms already. On a side note though if implemented please make it more easier to use DNS names instead of IP addresses.
 
R1CH
Forum Guru
Forum Guru
Posts: 1098
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Feature request] Wireguard

Tue Sep 11, 2018 1:19 am

And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN.
I know it's a lot to hope for, but this could easily be avoided if Mikrotik would stop re-implementing these features themselves and start using the open source implementations directly. They already use Linux kernel (GPL), I really don't see why they are so against using other open source packages and are instead re-inventing them with reduced features and more security bugs.

On that note, a large amount of the Wireguard code operates in the Linux kernel, so in the future if RouterOS upgrades to a modern kernel we could very easily see Wireguard support with minimal work required by Mikrotik since it comes "for free".
 
czb123
just joined
Posts: 3
Joined: Tue Jun 26, 2018 8:59 pm

Re: [Feature request] Wireguard

Mon Sep 24, 2018 11:25 pm

+1 from me
 
ofer
Frequent Visitor
Frequent Visitor
Posts: 59
Joined: Wed May 23, 2018 11:45 am

Re: [Feature request] Wireguard

Wed Sep 26, 2018 12:15 pm

+1 i hope it'll be included in the next major version
 
denisbondar
just joined
Posts: 3
Joined: Sat Apr 26, 2014 10:50 am

Re: [Feature request] Wireguard

Sun Oct 07, 2018 2:59 pm

+1 for Wireguard
 
bakshtay
just joined
Posts: 2
Joined: Thu Nov 08, 2018 11:55 am

Re: [Feature request] Wireguard

Thu Nov 08, 2018 11:57 am

+1 for wireguard on routeros
 
moneron
Trainer
Trainer
Posts: 3
Joined: Wed Oct 29, 2014 2:16 pm

Re: [Feature request] Wireguard

Thu Nov 08, 2018 3:34 pm

I think this is a good idea.
+1 for WireGuard.
 
shopping
just joined
Posts: 2
Joined: Thu Jul 07, 2016 11:43 am

Re: [Feature request] Wireguard

Wed Nov 14, 2018 7:17 pm

+1 wireguard asap
 
User avatar
SaurVLZ
just joined
Posts: 2
Joined: Thu Nov 29, 2018 12:02 am

Re: [Feature request] Wireguard

Mon Dec 10, 2018 7:44 pm

+1 for Wireguard
 
dakobg
Member Candidate
Member Candidate
Posts: 120
Joined: Mon Nov 06, 2017 8:58 am

Re: [Feature request] Wireguard

Tue Dec 11, 2018 9:00 am

+1

Изпратено от моят SM-G903F с помощта на Tapatalk

 
User avatar
32768
just joined
Posts: 23
Joined: Fri Mar 16, 2018 3:59 pm
Location: Switzerland
Contact:

Re: [Feature request] Wireguard

Mon Dec 31, 2018 3:52 pm

+1 for Wireguard
 
User avatar
BDF
just joined
Posts: 1
Joined: Mon Jan 07, 2019 10:29 am

Re: [Feature request] Wireguard

Mon Jan 07, 2019 11:18 am

+1 for WG
 
pioh
just joined
Posts: 1
Joined: Wed Jan 09, 2019 12:06 pm

Re: [Feature request] Wireguard

Wed Jan 09, 2019 12:07 pm

+1 for Wireguard
 
wwek
just joined
Posts: 1
Joined: Fri Jan 18, 2019 10:08 am

Re: [Feature request] Wireguard

Fri Jan 18, 2019 10:11 am

+1 for WireGuard in MikroTik
 
nik3600
just joined
Posts: 1
Joined: Tue Dec 18, 2018 12:37 pm

Re: [Feature request] Wireguard

Mon Jan 21, 2019 3:56 pm

+1 for WireGuard
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Mon Jan 21, 2019 5:54 pm

There is no need for posting "+1 for wireguard".
It is wellknown from other topics that this has ZERO effect on it getting implemented.
I think you better contact sales with a use case and projected number of sold units.
 
User avatar
Chexov
just joined
Posts: 1
Joined: Sat Nov 10, 2018 1:07 pm
Location: Fi

Re: [Feature request] Wireguard

Sat Jan 26, 2019 11:40 am

+1 for WireGuard
 
kumos
just joined
Posts: 1
Joined: Thu Jan 31, 2019 1:20 pm

Re: [Feature request] Wireguard

Thu Jan 31, 2019 1:24 pm

+1 за WireGuard
 
wfalcon
just joined
Posts: 24
Joined: Thu Mar 23, 2017 3:03 pm

Re: [Feature request] Wireguard

Thu Feb 07, 2019 3:46 pm

+1 For WireGuard
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [Feature request] Wireguard

Thu Feb 07, 2019 3:50 pm

 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Thu Feb 07, 2019 3:57 pm

So you already have new RouterOS with kernel 4.20, but that's too bad Wireguard isn't there, therefore it can't be in RouterOS yet. I'm wondering if I'm reading it right. ;)
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: [Feature request] Wireguard

Thu Feb 07, 2019 4:05 pm

Too bad ROS 7 doesn't support DKMS kernel modules :(
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Thu Feb 07, 2019 4:19 pm

Wireguard does not need to be in the kernel, it can be implemented in a user process.
 
Kaeltis
just joined
Posts: 13
Joined: Fri Sep 14, 2018 1:03 am

Re: [Feature request] Wireguard

Mon Feb 11, 2019 8:23 pm

Would love to see official wireguard support as well.
 
Quasar
newbie
Posts: 33
Joined: Sun Oct 05, 2014 1:11 pm

Re: [Feature request] Wireguard

Mon Feb 11, 2019 8:33 pm

By the time we get v7 it'll be merged ;)
Wireguard does not need to be in the kernel, it can be implemented in a user process.
One of the selling points is performance. Especially on embedded devices userspace is not okay.
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: [Feature request] Wireguard

Tue Feb 12, 2019 10:05 pm


One of the selling points is performance. Especially on embedded devices userspace is not okay.
Most high performance packet forwarding is done in user space!

Check out VPP, DPDK and OFP
 
Quasar
newbie
Posts: 33
Joined: Sun Oct 05, 2014 1:11 pm

Re: [Feature request] Wireguard

Sat Feb 16, 2019 7:47 pm


One of the selling points is performance. Especially on embedded devices userspace is not okay.
Most high performance packet forwarding is done in user space!

Check out VPP, DPDK and OFP
Well, that's cheating in the sense that it's accompanied by drivers allowing you to bypass the kernel stack and write a tailored userspace processing application.

It doesn't hold for a naive userspace application (such as the Golang Wireguard implementation). I'm sure you could make it fly in userspace using DPDK, but that's besides the point ;)
 
Kampfwurst
Member Candidate
Member Candidate
Posts: 107
Joined: Mon Mar 24, 2014 2:53 pm

Re: [Feature request] Wireguard

Thu Feb 21, 2019 1:00 pm

+1 from my side
 
marcrisse
just joined
Posts: 24
Joined: Tue Feb 16, 2016 9:16 pm
Location: Germany

Re: [Feature request] Wireguard

Fri Mar 08, 2019 1:08 pm

+1 from me

I hate running Linux-VMs behind all my Mikrotik-Devices only for WG!
 
User avatar
Anastasia
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Wed Oct 28, 2015 7:12 pm

Re: [Feature request] Wireguard

Mon Mar 11, 2019 9:10 pm

+1
it will soon be added to the linux kernel and it will become the VPN standard
 
mms101
just joined
Posts: 14
Joined: Fri Apr 07, 2017 5:45 pm

Re: [Feature request] Wireguard

Tue Mar 12, 2019 11:35 pm

+1 from me.
 
limaunion
just joined
Posts: 18
Joined: Sun Sep 03, 2017 5:51 pm

Re: [Feature request] Wireguard

Thu Mar 28, 2019 12:50 pm

++1
 
User avatar
BG4DRL
just joined
Posts: 7
Joined: Sat Jan 26, 2019 4:00 pm

Re: [Feature request] Wireguard

Tue Apr 02, 2019 7:28 pm

+1
Waiting
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Wed Apr 03, 2019 12:10 pm

+1
Waiting
I don't recommend that! Users requesting updates in OpenVPN have been waiting for over 5 years already...
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Wed Apr 03, 2019 5:55 pm

So what's the best plan? Pleas, prayers, bribes, threats, ...? :)
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Wed Apr 03, 2019 11:20 pm

So what's the best plan? Pleas, prayers, bribes, threats, ...? :)
A Raspberry Pi or similar to handle the features you wish to be in RouterOS but never appear...
 
User avatar
Paternot
Forum Veteran
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: [Feature request] Wireguard

Thu Apr 04, 2019 12:58 am

So what's the best plan? Pleas, prayers, bribes, threats, ...? :)
A Raspberry Pi or similar to handle the features you wish to be in RouterOS but never appear...
That's quite cumbersome. Maybe a short term solution - but complaining is a long term solution. How can Mikrotik knows what we want, if no one speaks?

True, they don't always implement it. But we try. :D
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Thu Apr 04, 2019 12:00 pm

They should implement the feature to allow user processes to run on a router in a chroot jail under nonprivileged
router, with only network interfaces imported via sockets (tun/tap or listening sockets for specific ports), similar
to the concept of MetaROUTER found on old models, but much lighter (just a user process instead of full virtualisation).
This allows third parties to add functionality that the company itself does not have resources to develop, like a better
OpenVPN and also a user-mode implementation of Wireguard (which will of course work just fine, don't believe those that
claim it can only be done in the kernel!)
Also other things, like a full-featured DNS server, a webserver, and other things we have been asking about for many
years but that never arrive.
There is no need to open up RouterOS for this, and should it expose security problems that is only good because those
would have bitten us sometime anyway.
 
reinerotto
Long time Member
Long time Member
Posts: 519
Joined: Thu Dec 04, 2008 2:35 am

Re: [Feature request] Wireguard

Sun Apr 07, 2019 11:33 pm

Why so complicated ?
Use MT for "plain and simple" routing/networking.
And an openwrt-box for the missing functions, like wireguard, squid proxy, nginx web server etc.
Or, just use openwrt devices for routing/networking, too.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Mon Apr 08, 2019 5:21 am

It depends. If you're big business, then get routers for routing and dedicated servers for other stuff. It's the right way, and costs (both for buying all devices and taking care of them) won't be a problem for you. If you're extreme hobbyist, then get your 10+ different devices, create all kinds of servers and have great fun with them.

But anyone in betweeen (SOHO, etc) wants one device for all basic stuff. Full-blown Linux distribution (OpenWrt also qualifies) is one possible way, there are no limits what you can do with that, but it's also too complicated for most. RouterOS (and mainly WinBox) found the perfect spot. It gives you less freedom compared to Linux, but it's as friedly as it can be, while still remaining powerful enough. It's just awesome.

Unfortunately, sometimes it's not enough, and you may want a little bit more. But if RouterOS device provides >90% of what you need, getting another device for the rest is something you'd rather avoid. Realistically, MikroTik can't add all possible features, that's clear. There is/was MetaRouter, but it seems like a dead end now. And it was too heavy anyway. Something lighter as suggested by @pe1chl (and I suggested it in the past too) could be the solution that could make most people happy.

My only fear is that it could enable MikroTik to become "lazy" and refuse to implement some features, because "hey, we don't want to bother, when there's already a third-party package for that", even though it can be some half-working thing. I'd really like to have something like this as a way how to add some really exotic stuff that MikroTik would never add. But things like Wireguard should eventually be directly in RouterOS and supported by MikroTik.
 
robertpenz
Member Candidate
Member Candidate
Posts: 104
Joined: Mon Oct 10, 2011 8:41 am

Re: [Feature request] Wireguard

Wed Apr 10, 2019 8:44 pm

We did some performance Tests with Wireguard and man it is faster than any other VPN with much less CPU load! And for Android Phones the battery is not used more than without VPN, which is not true for all other VPNs - It makes a VPN almost transparent performance wise. Please implement!!
 
mutinsa
just joined
Posts: 24
Joined: Tue Feb 06, 2018 4:55 am
Location: Plettenberg Bay, South Africa
Contact:

Re: [Feature request] Wireguard

Mon May 06, 2019 11:31 am

+1.
 
User avatar
ErfanDL
Member
Member
Posts: 366
Joined: Thu Sep 29, 2016 9:13 am

Re: [Feature request] Wireguard

Mon May 06, 2019 2:38 pm

Now you can install wireguard on any linux with pihole.
https://www.reddit.com/r/pihole/comment ... wireguard/

Sent from my C6833 using Tapatalk

 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Mon May 06, 2019 8:05 pm

Thanks Erfan, are you saying I can attach my pi-hole to a port on my MT router and have it act as my wifeguard server (and then connect to it from my iphone for example)?
I hope the pi-hole works better on this then it did for me on DNS. I ended up bypassing the pi-hole and router DNS and now strictly use public DNS servers, otherwise too many funky DNS things were happening and I couldnt sort them out.
 
Samot
Member Candidate
Member Candidate
Posts: 113
Joined: Sat Nov 25, 2017 10:01 pm

Re: [Feature request] Wireguard

Thu May 09, 2019 3:26 pm

Soooo, we're all begging for Mikrotik to implement something that has never (in 2.5 years) hit an actual v1 release or anything stable. It's also a project surviving off of VC funding so what happens when their next round comes up with a goose egg?

Funny considering how much people complain about Mikrotik already having things in it that are incomplete and/or don't follow current standards, etc..
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Thu May 09, 2019 8:58 pm

"+1 for pe1chi" suggestion to stop posting +1 WG LOL. Shit I just posted it anyway! ;-)
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: [Feature request] Wireguard

Thu May 09, 2019 10:22 pm

"+1 for pe1chi" suggestion to stop posting +1
Except that his suggestion was to stop waiting, not stop posting +1 :-)
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Feature request] Wireguard

Mon May 13, 2019 12:29 pm

Wireguard was tested by INRIA

Source: https://www.security.nl/posting/608796/ ... eGuard-vpn

Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol derived from the Noise Protocol Framework. This paper presents the first mechanised cryptographic proof of the protocol underlying WireGuard, using the CryptoVerif proof assistant. We analyse the entire WireGuard protocol as it is, including transport data messages, in an ACCE-style model. We contribute proofs for correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay attacks. We also discuss the strength of the identity hiding provided by WireGuard. Our work also provides novel theoretical contributions that are reusable beyond WireGuard. First, we extend CryptoVerif to account for the absence of public key validation in popular Diffie-Hellman groups like Curve25519, which is used in many modern protocols including WireGuard. To our knowledge, this is the first mechanised cryptographic proof for any protocol employing such a precise model. Second, we prove several indifferentiability lemmas that are useful to simplify the proofs for sequences of key derivations.

Complete results: https://hal.inria.fr/hal-02100345
 
User avatar
anthonws
Frequent Visitor
Frequent Visitor
Posts: 76
Joined: Sat Jan 09, 2016 6:46 pm

Re: [Feature request] Wireguard

Mon May 13, 2019 1:19 pm

Wireguard was tested by INRIA

Source: https://www.security.nl/posting/608796/ ... eGuard-vpn

Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol derived from the Noise Protocol Framework. This paper presents the first mechanised cryptographic proof of the protocol underlying WireGuard, using the CryptoVerif proof assistant. We analyse the entire WireGuard protocol as it is, including transport data messages, in an ACCE-style model. We contribute proofs for correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay attacks. We also discuss the strength of the identity hiding provided by WireGuard. Our work also provides novel theoretical contributions that are reusable beyond WireGuard. First, we extend CryptoVerif to account for the absence of public key validation in popular Diffie-Hellman groups like Curve25519, which is used in many modern protocols including WireGuard. To our knowledge, this is the first mechanised cryptographic proof for any protocol employing such a precise model. Second, we prove several indifferentiability lemmas that are useful to simplify the proofs for sequences of key derivations.

Complete results: https://hal.inria.fr/hal-02100345
WireGuard is vaporware and Mikrotik knows that pretty darn well! Hence why they are not doing anything in regards to it.

Just look at Ubiquiti... They got community support, from the main developer of WG back in 2017!! https://community.ubnt.com/t5/EdgeRoute ... -p/1904764

What a waste of time and energy... None of this is standard stuff and due to that all of their users are miserable because they can now run new-gen VPNs... After a while a new feeling hit them! They are now missing their dearly PPTP and OpenVPN (not a hacked version from Ubiquiti of course!)...

They even started a PPTP + OpenVPN movement! "Make PPTP & OpenVPN Great Again!"

/S
 
phouzva
just joined
Posts: 1
Joined: Thu Jan 10, 2019 4:39 pm

Re: [Feature request] Wireguard

Fri May 24, 2019 3:09 pm

+1.
 
User avatar
aaronvonawesome
just joined
Posts: 10
Joined: Mon Jul 18, 2016 7:44 pm
Location: Columbus, OH

Re: [Feature request] Wireguard

Sat May 25, 2019 8:10 pm

Would love to see official wireguard support as well.
+1
 
User avatar
m4dmike
just joined
Posts: 5
Joined: Fri Mar 08, 2019 1:38 am

Re: [Feature request] Wireguard

Wed Jun 19, 2019 10:07 am

+1 for Wireguard
 
marcrisse
just joined
Posts: 24
Joined: Tue Feb 16, 2016 9:16 pm
Location: Germany

Re: [Feature request] Wireguard

Wed Jun 19, 2019 11:34 am

+1 and €100 for coffee ;)
 
schose
just joined
Posts: 8
Joined: Sun Mar 04, 2018 11:20 pm

Re: [Feature request] Wireguard

Fri Jun 21, 2019 1:31 am

+1 and a good bottle of german schnaps
 
huntermic
Member Candidate
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: [Feature request] Wireguard

Fri Jun 28, 2019 11:32 am

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Fri Jun 28, 2019 2:12 pm

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??
 
huntermic
Member Candidate
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: [Feature request] Wireguard

Fri Jun 28, 2019 2:46 pm

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??
I'm using it in a roadwarrior setup so for instance when i'm at work i can use my home nas at full speed, so i'm talking about 500Mbit inside the tunnel
 
mwittchen
just joined
Posts: 4
Joined: Tue Jul 10, 2018 5:47 pm

Re: [Feature request] Wireguard

Mon Aug 19, 2019 1:10 pm

+1 and a good bottle of german schnaps
+1
 
User avatar
metalcated
just joined
Posts: 17
Joined: Fri Apr 19, 2013 3:07 pm
Contact:

Re: [Feature request] Wireguard

Thu Aug 29, 2019 6:05 pm

Waiting for this too! Right now I am running a WG Server on a VM in my basement rack and its pretty darn nice.

Any Linux folks out there who are running it and want a simple GUI --> https://github.com/metalcated/Wireguard-Bravo (more development to happen soon hopefully as I have time).

Going to watch this thread and pray it comes soon!

Thanks
 
Grosen
just joined
Posts: 2
Joined: Thu Aug 01, 2019 10:58 am

Re: [Feature request] Wireguard

Sat Sep 07, 2019 8:26 am

definitively +1
 
Lebzul
Member Candidate
Member Candidate
Posts: 110
Joined: Wed Feb 21, 2018 12:54 am

Re: [Feature request] Wireguard

Sun Sep 08, 2019 5:46 am

Thanks Erfan, are you saying I can attach my pi-hole to a port on my MT router and have it act as my wifeguard server (and then connect to it from my iphone for example)?
I hope the pi-hole works better on this then it did for me on DNS. I ended up bypassing the pi-hole and router DNS and now strictly use public DNS servers, otherwise too many funky DNS things were happening and I couldnt sort them out.
I'd like to have a "wife"guard too. (Just joking)

+1
 
netflow
Frequent Visitor
Frequent Visitor
Posts: 94
Joined: Sat Oct 01, 2016 3:53 pm

Re: [Feature request] Wireguard

Sun Sep 15, 2019 11:34 am

+1 for Wireguard in ROS. A good, fast, secure built-in vpn is a must!
Also interested by some community driven plugins. I cannot consider metarouter as an usable solution. It would require more flash on device, broader architecture support and then it is still a burden to manage additional vm and config!
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: [Feature request] Wireguard

Sun Sep 15, 2019 12:05 pm

Also interested by some community driven plugins.
That's against the idea of RouterOS. If you want 3rd party plugins, go OpenWRT (which is available even for some Mikrotik hardware) and forget about manufacturer's responsibility. If you want manufacturer's responsibility for the product, stay RouterOS and forget about 3rd party plugins. There is no middle way.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Sun Sep 15, 2019 1:17 pm

I don't consider that really true, there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process.
But apparently MikroTik is not interested in doing this.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: [Feature request] Wireguard

Sun Sep 15, 2019 1:39 pm

there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process.
I may be old-fashioned but I still perceive Mikrotik as a router, not an application server. So I can imagine e.g. a more flexible DNS process running in a sandbox, but not processes directly involved in packet forwarding, such as stacks implementing new routing protocols or new VPN types. Leaving aside things like hardware encryption for other VPN types than IPsec (OpenVPN, SSTP to stay with those currently implemented) which might be really useful for some but I cannot imagine sandboxing them.
 
vigor5
just joined
Posts: 1
Joined: Tue Sep 24, 2019 1:14 pm

Re: [Feature request] Wireguard

Wed Sep 25, 2019 11:22 am

Waiting for this too
 
avacha
newbie
Posts: 29
Joined: Thu Jan 25, 2018 9:12 pm

Re: [Feature request] Wireguard

Thu Sep 26, 2019 9:54 am

I'm also interesting about Wireguard impementation in Mikrotik devices.

P.S. Yesterday Cloudflare release free VPN service:
WARP is an ambitious project. We set out to secure Internet connections from mobile devices to the edge of Cloudflare's network. In doing so, however, we didn't want to slow devices down or burn excess battery. We wanted it to just work. We also wanted to bet on the technology of the future, not the technology of the past. Specifically, we wanted to build not around legacy protocols like IPsec, but instead around the hyper-efficient WireGuard protocol.
 
Intnernetz
just joined
Posts: 2
Joined: Mon Nov 09, 2015 12:24 pm

Re: [Feature request] Wireguard

Thu Oct 24, 2019 9:26 am

++1
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Thu Oct 24, 2019 4:22 pm

I'm also interesting about Wireguard implementation in Mikrotik devices.

P.S. Yesterday Cloudflare release free VPN service:
WARP is an ambitious project. We set out to secure Internet connections from mobile devices to the edge of Cloudflare's network. In doing so, however, we didn't want to slow devices down or burn excess battery. We wanted it to just work. We also wanted to bet on the technology of the future, not the technology of the past. Specifically, we wanted to build not around legacy protocols like IPsec, but instead around the hyper-efficient WireGuard protocol.
Very Interesting and thanks. Within the last year I added wireguard to my cell phone and streaming devices for fun. Seeing as cloudfare uses wireguard (which is not a surprise) I have deleted most if not all other VPNs i have been experimenting with, save wireguard (solely kept for source country changes although rarely required). Initial results for the WARP service are very good in terms of throughput. I have been trying to clean up my apps and just deleted 3 for 1. :-)

+1 for adding wireguard for a method of VPN for mikrotik aka another protocol to choose from in the mix.

There is a bit of technical blog which was dumbed down enough for me to read it......
https://blog.cloudflare.com/warp-technical-challenges/
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Feature request] Wireguard

Wed Nov 06, 2019 3:56 pm

NordVPN does now support Wireguard since a while and it would be great if RouterOS 7 would going to support Wireguard while that is also is still in development.

NordVPN have added a 'double NAT' at their side to improve anonymity of the customer.

And we found it. We developed something called a double NAT (Network Address Translation) system.

To put it simply, the double NAT system creates two local network interfaces for each user. The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same IP address.

Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique IP address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.

Source: https://nordvpn.com/blog/nordlynx-protocol-wireguard/
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Wed Nov 06, 2019 4:01 pm

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??
I'm using it in a roadwarrior setup so for instance when i'm at work i can use my home nas at full speed, so i'm talking about 500Mbit inside the tunnel
hey huntermic would you be interested in sharing your raspberry pi setup and steps to get there?.......... if so please email me (click on my name to get details).
 
Solear
just joined
Posts: 6
Joined: Sat Jun 08, 2019 9:27 pm

Re: [Feature request] Wireguard

Thu Nov 14, 2019 9:14 pm

+1 for Wireguard

Actually I connect 3 different locations with 3 raspberrys and Wireguard over the internet. It would be nice to connect the MikroTik routers directly Foto a lan to lan to lan network :)
 
FutileNetworks
newbie
Posts: 36
Joined: Tue Jan 15, 2013 9:14 pm

Re: [Feature request] Wireguard

Fri Nov 22, 2019 2:21 am

+1 Wireguard

MikroTik, we've replaced all our site-to-site IPSEC vpns with wireguard, in most cases 3-4x performance increase and approaching gigabit speeds, each time we bring up a new wireguard vpn that is one less sale of a ccr1009, rb4011 or hEX.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Fri Nov 22, 2019 7:00 am

+1 for Wireguard

Actually I connect 3 different locations with 3 raspberrys and Wireguard over the internet. It would be nice to connect the MikroTik routers directly Foto a lan to lan to lan network :)
Could you email me with how you setup a raspberry pi for wireguard connected to a MT router.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [Feature request] Wireguard

Fri Nov 22, 2019 8:52 am

+1 Wireguard

MikroTik, we've replaced all our site-to-site IPSEC vpns with wireguard, in most cases 3-4x performance increase and approaching gigabit speeds, each time we bring up a new wireguard vpn that is one less sale of a ccr1009, rb4011 or hEX.
Wireguard by definition is slower and can't support HW acceleration. IPsec will definitely be faster.
 
User avatar
dynek
Member Candidate
Member Candidate
Posts: 221
Joined: Tue Jan 21, 2014 10:03 pm

Re: [Feature request] Wireguard

Fri Nov 22, 2019 9:29 am

Wireguard by definition is slower and can't support HW acceleration. IPsec will definitely be faster.
That is no reason to not implement WireGuard at some point which is much easier to setup & lightweight.

And don't forget that Linus himself, loves it:
https://lists.openwall.net/netdev/2018/08/02/124

Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.
 
marcrisse
just joined
Posts: 24
Joined: Tue Feb 16, 2016 9:16 pm
Location: Germany

Re: [Feature request] Wireguard

Fri Nov 22, 2019 10:52 am

Wireguard by definition is slower and can't support HW acceleration. IPsec will definitely be faster.
By definition?? Sorry, Wireguard is definitely faster than (secure) IPSec in real life! That's why we migrated to Linux-Servers and WG.
 
Solear
just joined
Posts: 6
Joined: Sat Jun 08, 2019 9:27 pm

Re: [Feature request] Wireguard

Fri Nov 22, 2019 11:40 am

+1 for Wireguard

Actually I connect 3 different locations with 3 raspberrys and Wireguard over the internet. It would be nice to connect the MikroTik routers directly Foto a lan to lan to lan network :)
Could you email me with how you setup a raspberry pi for wireguard connected to a MT router.
You need to route wireguard from your router to your raspberry (check port and IP-address)
/ip firewall filter
add action=accept chain=forward dst-port=51820 protocol=udp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=51820 in-interface=wan protocol=udp to-addresses=192.168.150.200 to-ports=51820
credits to https://www.bachmann-lan.de/raspberry-p ... wireguard/
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [Feature request] Wireguard

Fri Nov 22, 2019 11:59 am

Yes, IPsec is faster, because it is hardware accelerated and Wireguard can't be accelerated. If your Wireguard is faster, then maybe your IPsec config is wrong, or the HW doesn't support HW encryption.
 
User avatar
dynek
Member Candidate
Member Candidate
Posts: 221
Joined: Tue Jan 21, 2014 10:03 pm

Re: [Feature request] Wireguard

Fri Nov 22, 2019 12:28 pm

https://www.wireguard.com/performance/
https://calomel.org/aesni_ssl_performance.html

Hopefully hardware acceleration gives better performance, true. But Wireguard uses ChaCha20 which according to my findings isn't doing too bad against HW accelerated AES.
Not on par with AES but definitely not too far from AES-256-GCM and better than AES-256-CBC. Drawback is CPU usage though.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [Feature request] Wireguard

Fri Nov 22, 2019 12:49 pm

Of course, I am only referring to RouterBOARD devices. if you have plenty of CPU power, you can make it fast.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Fri Nov 22, 2019 4:54 pm

Of course, I am only referring to RouterBOARD devices. if you have plenty of CPU power, you can make it fast.
Normis, can you perhaps comment on comparing Wireguard to the Road Warrior VPN scenario?
Does the hw accelerated MT device still have the edge?
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: [Feature request] Wireguard

Fri Nov 22, 2019 8:33 pm

Of course, I am only referring to RouterBOARD devices. if you have plenty of CPU power, you can make it fast.
Normis, can you perhaps comment on comparing Wireguard to the Road Warrior VPN scenario?
Does the hw accelerated MT device still have the edge?
Normis cannot provide that analysis without running Wireguard on RouterBOARD.

I have run Wireguard on Ubiquiti EdgeMax Routers, stated much earlier in this thread, and Wireguard beats the heck out of IPSec regardless of hw acceleration. Wireguard does not need hw acceleration — it just needs a capable CPU.
 
huntermic
Member Candidate
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: [Feature request] Wireguard

Fri Nov 22, 2019 9:01 pm

Speed of wireguard is indeed amazing, but not only the speed. Wireguard is also very simple to configure and deals much better with roaming situations.
 
Engitech
Trainer
Trainer
Posts: 69
Joined: Mon Feb 13, 2012 1:59 pm
Location: Geneva - Switzerland
Contact:

Re: [Feature request] Wireguard

Fri Nov 22, 2019 11:26 pm

+1000 for Wireguard - performance,stability and simplicity
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Fri Nov 22, 2019 11:34 pm

How is one to measure if ones CPU is up to the task to handle Wireguard without HW acceleration and meet or beat performance of ipsec with hw acceleration.??
For example your Ubiquiti vs HEX
Architecture MMIPS
CPU MT7621A
CPU core count 2
CPU nominal frequency 880 MHz
CPU Threads count 4
Dimensions 113x89x28mm
License level 4
Operating System RouterOS
Size of RAM 256 MB
Storage size 16 MB
Storage type FLASH

Or vs.........
RB450Gx4
Architecture ARM 32bit
CPU IPQ-4019
CPU core count 4
CPU nominal frequency 716 MHz
Dimensions 90 x 115 mm
License level 5
Operating System RouterOS
Size of RAM 1 GB
Storage size 512 MB
Storage type NAND
 
huntermic
Member Candidate
Member Candidate
Posts: 111
Joined: Wed Oct 26, 2016 3:42 pm

Re: [Feature request] Wireguard

Sat Nov 23, 2019 10:59 am

Keep in mind, the most basic version of the raspberry pi 4 wil run wireguard at full gigabit speeds and won't cost you the world........
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: [Feature request] Wireguard

Sat Nov 23, 2019 6:54 pm

How is one to measure if ones CPU is up to the task to handle Wireguard without HW acceleration and meet or beat performance of ipsec with hw acceleration.??
My experience with WireGuard is only on the Ubiquiti EdgeMax product line and I can categorically state that WireGuard runs faster that any other vpn protocol that requires Hardware acceleration.

They key to WireGuard performance is its efficiency so regardless of the CPU capability comparatively speaking WireGuard is faster. A much more capable CPU will provide much better results without taxing the CPU — that is what makes WireGuard very unique.

The PROOF is in the pudding 😀 ..... I do not know of anyone in my field who has actually tried WireGuard and compared it to IPSec [HA] that did not comeback with amazement.
 
User avatar
omidkosari
Trainer
Trainer
Posts: 640
Joined: Fri Sep 01, 2006 4:18 pm
Location: Canada, Toronto

Re: [Feature request] Wireguard

Mon Nov 25, 2019 1:25 pm

Apart from comparing comparing speed, let's assume we want to provide vpn connection to end users. For example 1000 vpn clients (including mobile phones) on single router. In that case the best available solution is wireguard because even if router supports hardware encryption for ipsec, but client doesn't have hardware acceleration then the result will not so good.

router (hardware encryption) <----ipsec----> mobile phone clients
VS
router <----wireguard----> mobile phone clients

I think this is a better comparing.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Mon Nov 25, 2019 2:29 pm

You forget that many CPU cores used in devices like mobile phones already support AES acceleration and when the software developer has been careful it is used by IPsec VPN.
On the other hand, "special" encryption types as used in Wireguard are not accelerated on those devices.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: [Feature request] Wireguard

Mon Nov 25, 2019 2:44 pm

...and more than that, the CPU in the phone has about the same (or even higher) power than the CPUs used in SOHO Mikrotik models, and it deals with a single tunnel whereas the Mikrotik deals with 1000 in your example.
 
User avatar
dynek
Member Candidate
Member Candidate
Posts: 221
Joined: Tue Jan 21, 2014 10:03 pm

Re: [Feature request] Wireguard

Mon Nov 25, 2019 4:05 pm

Give us Metarouter, RB1100AHx2 here 👍
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Mon Nov 25, 2019 4:25 pm

Give us Metarouter, RB1100AHx2 here 👍
MikroTik should add the capability for chrooted/privilege separated user processes that have network access like Metarouter but do not have virtual machine overhead (both in CPU cycles and in development effort)...
This can be used to run special features, Wireguard is only one of them.
(don't listen to people claiming that Wireguard has to run in kernel, it can also run in an user process)
 
 
User avatar
Nitrotoluol
just joined
Posts: 1
Joined: Thu Jan 30, 2020 8:35 am

Re: [Feature request] Wireguard

Thu Jan 30, 2020 8:37 am

Wireguard is now in Linus' tree! So WireGuard is now officially upstream. Yeah!
https://lists.zx2c4.com/pipermail/wireg ... 04906.html
 
avacha
newbie
Posts: 29
Joined: Thu Jan 25, 2018 9:12 pm

Re: [Feature request] Wireguard

Tue Feb 04, 2020 9:31 pm

Well, if nothing happen - WG seems to be "out-of-box" for many Linux systems.
@Normis, can it be also implemented as "yet-another-vpn" in Ros? Standart implementation, compatible with ofticial specs, as-is? Sometimes stable connection is much better that faster. hEX ann ARM models can be effective with WG for SOHO installations.
 
dkorzhevin
just joined
Posts: 6
Joined: Mon Jul 22, 2019 2:05 pm

Re: [Feature request] Wireguard

Tue Feb 11, 2020 11:13 am

+1 for Wireguard request, please
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Feature request] Wireguard

Tue Feb 11, 2020 12:15 pm

Newshosting is also going to offer Wireguard VPN through Privado soon. It was a bit of a search to find the correct Lets Encrypt Root certificate for IKEv2 (Digital Signature Trust Co - X3).

Lets hope Wireguard will not have the same history as OpenVPN with Mikrotik. Once is was usable in ROS, it was succeeded.
 
ak1001
just joined
Posts: 8
Joined: Wed Jan 23, 2013 10:48 pm

Re: [Feature request] Wireguard

Tue Mar 31, 2020 4:01 am

So... 2 years past and Mikrotik team did what all this time?
Now , when Wireguard is officially in kernel , and for some times in zyxel routers and in openwrt -
i cant call Mikrotik as innovative cool product company - they are [redacted]
Last edited by krisjanisj on Tue Mar 31, 2020 9:12 am, edited 1 time in total.
Reason: Lets not start with the cursing, ok?
 
User avatar
Steveocee
Forum Guru
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: [Feature request] Wireguard

Tue Mar 31, 2020 4:31 am

So... 2 years past and Mikrotik team did what all this time?
Now , when Wireguard is officially in kernel , and for some times in zyxel routers and in openwrt -
i cant call Mikrotik as innovative cool product company - they are [redacted]
They were probably fixing real problems rather than bending to the requests of mindless abusive morons.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Tue Mar 31, 2020 5:56 am

So... 2 years past and Mikrotik team did what all this time?
Now , when Wireguard is officially in kernel , and for some times in zyxel routers and in openwrt -
i cant call Mikrotik as innovative cool product company - they are [redacted]
They were probably fixing real problems rather than bending to the requests of mindless abusive morons.
Couldn't have said it better myself.......... Not bad for a Brexit LOL.
 
kozaksv
just joined
Posts: 1
Joined: Fri May 01, 2020 1:23 pm

Re: [Feature request] Wireguard

Fri May 01, 2020 1:23 pm

+1 for Wireguard
 
Yanncd
just joined
Posts: 6
Joined: Thu Mar 12, 2020 11:35 am

Re: [Feature request] Wireguard

Tue May 05, 2020 8:21 pm

+1 for the best VPN ever exist
 
bakemono
just joined
Posts: 2
Joined: Sun Sep 16, 2018 1:00 am

Re: [Feature request] Wireguard

Mon May 11, 2020 12:16 am

Plus 1 my voice for wireguard.
I hope it will be implemented in Ros 7
 
User avatar
Kamaz
Frequent Visitor
Frequent Visitor
Posts: 62
Joined: Sun Apr 30, 2017 9:35 am

Re: [Feature request] Wireguard

Tue May 12, 2020 12:21 am

+1 for WireGuard
 
Paganatron
just joined
Posts: 1
Joined: Wed Feb 28, 2018 4:18 pm

Re: [Feature request] Wireguard

Tue May 26, 2020 7:34 pm

Most definitely: +1 for WireGuard please!
 
alex32c
just joined
Posts: 19
Joined: Tue Apr 07, 2020 1:53 am

Re: [Feature request] Wireguard

Wed May 27, 2020 11:12 pm

+1 for WireGuard
 
evgenij
just joined
Posts: 10
Joined: Tue May 26, 2020 11:40 am

Re: [Feature request] Wireguard

Wed Jun 03, 2020 8:57 pm

+one more for WireGuard!
 
User avatar
NAB
Trainer
Trainer
Posts: 542
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK
Contact:

Re: [Feature request] Wireguard

Tue Jun 09, 2020 11:33 am

Just wanted to add my comments and my frustration to this post.

We've just lost a bid to supply equipment for a remote secure VoIP and data project. That's an awful lot of Routerboards and a whole load of consultancy we've lost out on. All because the client wanted to standardise on WireGuard.
 
andersonpem
just joined
Posts: 2
Joined: Fri Jul 15, 2016 10:28 am

Re: [Feature request] Wireguard

Fri Jul 03, 2020 5:43 pm

+1 for this feature. Mikrotik uses the Linux Kernel if I remember. Wireguard is fast, modern and uses the Linux kernel directly. Also it's very easy to set up in comparison to the nightmare of OpenVPN.
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Feature request] Wireguard

Fri Jul 03, 2020 8:47 pm

+1 for this feature. Mikrotik uses the Linux Kernel if I remember. Wireguard is fast, modern and uses the Linux kernel directly. Also it's very easy to set up in comparison to the nightmare of OpenVPN.
Mikrotik just changed to a kernel version for Beta 7, supporting Wireguard.
 
twarnick
just joined
Posts: 1
Joined: Thu May 29, 2008 4:24 pm

Re: [Feature request] Wireguard

Sun Jul 12, 2020 12:24 am

++1
me too, i need this.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Sun Jul 12, 2020 12:31 am

++1
me too, i need this.
And you thought "hey, let's make a forum account so I can put this request there, maybe mine will make the difference"??
Oh boy....
 
jm1973
just joined
Posts: 9
Joined: Fri Jul 07, 2017 4:59 pm

Re: [Feature request] Wireguard

Sun Jul 26, 2020 3:27 am

+1 wireguard
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Sun Jul 26, 2020 7:56 pm

Now that firefox will provide vpn by wireguard, we dont need it on the router. jajajajaja
Normis in another thread already said its coming, so no need to keep adding +1s lol.
 
User avatar
Smakodak
just joined
Posts: 10
Joined: Mon Aug 13, 2012 1:53 pm

Re: [Feature request] Wireguard

Wed Feb 03, 2021 6:33 pm

What's new in 7.1beta2 (2020-Aug-21 12:29):

!) added "bgp-network" output filter flag;
!) added bonding interface support for Layer3 hardware offloading;
!) added IPv6 nexthop support for IPv4 routes;
!) added Layer3 hardware offloading support for CRS309-1G-8S+IN, CRS312-4C+8XG-RM and CRS326-24S+2Q+RM;
!) added WireGuard support;
*) disk - improved external disk read/write speed;
*) ospf - fixed point to point routes becoming inactive;
*) route - fixed source address selection of outgoing packets;
*) other minor fixes and improvements;
 
MoT
just joined
Posts: 6
Joined: Fri Oct 05, 2018 11:59 am

Re: [Feature request] Wireguard

Wed May 26, 2021 12:46 am

Hey so how is Wireguard working on RouterOS 7? Is it stable, functional, or has decent performance?
  • But anyway, can anyone say something after some testing? Or can the Mikrotik support tell how is it going?


And a very important question - does Wireguard support push route to the client? And does IPsec support it too?
I am asking both for the standard protocol (WG IPSec) and if it is supported in RouterOS 7.x (in case of IPsec also in 6.x)? I haven't tried them yet, but I wanted to ask in advance if someone knows. I know about OpenVPN that the standard support push route, but RouterOS does not support it (at least in 6.x, in 7.x I am not sure)

Thank you so much in advance with this information, it will mean much to me! :)
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [Feature request] Wireguard

Wed May 26, 2021 12:50 pm

I am using wg on beta5, basic implementation, works for both site to site and Iphone to site.
I gave the iphone its own wg interface as it was for testing mainly and didnt want to interfere or break the established wg connection.
Normally one could have just added another peer.
You do not have the required permissions to view the files attached to this post.
 
allogic
just joined
Posts: 4
Joined: Tue Jan 12, 2021 3:06 pm

Re: [Feature request] Wireguard

Tue Jul 06, 2021 9:46 pm

Newshosting is also going to offer Wireguard VPN through Privado soon. It was a bit of a search to find the correct Lets Encrypt Root certificate for IKEv2 (Digital Signature Trust Co - X3).

Lets hope Wireguard will not have the same history as OpenVPN with Mikrotik. Once is was usable in ROS, it was succeeded.
Hey msatter,

I was able to download the certificate and this worked for a while, but I upgraded my router to 6.48.3 but since then I get the following error :
15:52:35 ipsec,error unable to get issuer certificate(2) at depth:1 cert:CN=R3,C=US,ST=,L=,O=Let's Encrypt,OU=,SN=
15:52:35 ipsec,error can't verify peer's certificate from store
15:52:35 ipsec,info,account peer failed to authorize: xx.xx.xx.xx[4500]-xx.xx.xx.xx[4500] spi:09b45a05cfefa384:fcb899e854f308fd
15:52:35 ipsec send notify: AUTHENTICATION_FAILED
15:52:35 ipsec adding notify: AUTHENTICATION_FAILED
Do you know if they have changed anything on the certificates, or why i've started getting this error?

Cheers,
 
allogic
just joined
Posts: 4
Joined: Tue Jan 12, 2021 3:06 pm

Re: [Feature request] Wireguard

Tue Jul 06, 2021 9:49 pm

Newshosting is also going to offer Wireguard VPN through Privado soon. It was a bit of a search to find the correct Lets Encrypt Root certificate for IKEv2 (Digital Signature Trust Co - X3).

Lets hope Wireguard will not have the same history as OpenVPN with Mikrotik. Once is was usable in ROS, it was succeeded.

I contacted them regarding this :


New reply for the ticket

Hello,

Unfortunately we will not be offering Wireguard for the foreseeable future and are currently focused on supporting our current protocols of OpenVPN and IKEv2.
Please let us know if there is anything further we can assist you with.

Regards,
PrivadoVPN Support
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: [Feature request] Wireguard

Wed Jan 12, 2022 10:01 pm

Newshosting is also going to offer Wireguard VPN through Privado soon. It was a bit of a search to find the correct Lets Encrypt Root certificate for IKEv2 (Digital Signature Trust Co - X3).

Lets hope Wireguard will not have the same history as OpenVPN with Mikrotik. Once is was usable in ROS, it was succeeded.

I contacted them regarding this :


New reply for the ticket

Hello,

Unfortunately we will not be offering Wireguard for the foreseeable future and are currently focused on supporting our current protocols of OpenVPN and IKEv2.
Please let us know if there is anything further we can assist you with.

Regards,
PrivadoVPN Support
I managed today to take over a Wireguard conection with the router. Creating the conection was done by their client and I had look in the connection conf file for the private key, local IP, external Ip and the port. These changes every connect so using that in the router not easy.

I have to see if parts can be automated however better hope Privado will make it simpler, like NordVPN did.

Update: adapted an old script to make this easier. See: viewtopic.php?t=182190

Who is online

Users browsing this forum: No registered users and 63 guests