
[Feature request] Wireguard

Posted: Sun May 06, 2018 1:40 pm
by bneijt
I would love to run Wireguard on my Mikrotik and decided, with all the news spread across the forum, to combine some posts in a new thread.


Wireguard is an encrypted tunnel technology, started in 2016 but not 1.0 yet. Wireguard will probably replace OpenVPN which is currently only partially supported by Mikrotik anyway.
It is already being adopted: easily available in Linux, VPN providers like AzireVPN support it and open source routers like Ubiquiti and OpenWRT show good performance.

Mikrotik, being Linux based but closed source, will start supporting it in the future and it may end up in v7. V7 may be an April Fools' joke from 2014, but it may also be in development for more than 3 years making the feature list very unpredictable at this point.

I have not been able to find any post by a Mikrotik employee on the subject yet, but interesting posts by other users are:
viewtopic.php?f=1&t=45934&p=602377&hili ... rd#p602377
viewtopic.php?f=1&t=45934&p=637573&hili ... rd#p637573

Re: [Feature request] Wireguard

Posted: Tue May 08, 2018 6:29 pm
by zaharmd
+1 for WireGuard in MikroTik

Re: [Feature request] Wireguard

Posted: Wed May 09, 2018 11:19 am
by nz_monkey
+1 from me

Re: [Feature request] Wireguard

Posted: Tue May 15, 2018 10:21 pm
by bneijt
I did a quick forum review to get a basic timeline we can expect for Wireguard support.

Going by OpenVPN:
In 2004 the first forum request was made for OpenVPN support.
With release 3.0 came the partial implementation there is today, which was around 2007.

The first Wireguard request was around Jun 11, 2017
This would mean that Mikrotik will probably release initial support around 2020

Re: [Feature request] Wireguard

Posted: Mon Jul 02, 2018 11:03 am
by xtornado
+1 for wireguard on routeros

Re: [Feature request] Wireguard

Posted: Mon Jul 02, 2018 12:44 pm
by vecernik87
I cannot imagine adding support before wireguard reaches stable release. Based on other similar requests, I think that mikrotik instantly refuses to implement anything that is in alpha/beta stage.

Re: [Feature request] Wireguard

Posted: Mon Jul 02, 2018 5:35 pm
by R1CH
And please use the reference implementation! I'm getting tired of Mikrotik's re-implementations of software which introduce security bugs and miss important features.

Re: [Feature request] Wireguard

Posted: Sun Jul 29, 2018 3:48 pm
by andreax
+1
Waiting for it!

Re: [Feature request] Wireguard

Posted: Sun Jul 29, 2018 7:50 pm
by Jotne
I cannot imagine adding support before wireguard reaches stable release.
Agree that MT should not implement it before it's stable, but coming with a request now is a good thing.
This will allow MT to test it and make sure it works fine when it's stable and release it from day one.

Re: [Feature request] Wireguard

Posted: Wed Aug 01, 2018 7:56 am
by Nefraim
Since many of you guys were waiting for a stable build for Wireguard, today we are even closer to that moment.
Yesterday Jason Donenfeld, lead developer, submitted the required patches for including Wireguard into mainline linux kernels.

More info here http://lkml.iu.edu/hypermail/linux/kern ... 06622.html

While it's too late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Guess it's time for Mikrotik developers to consider including Wireguard in a future release.
We want WPA3 support but also Wireguard support :roll: .

Re: [Feature request] Wireguard

Posted: Wed Aug 01, 2018 8:41 am
by vecernik87
Just because it gets into linux kernel does not mean it is stable, nor is it ready for implementation. Let me quote their own website:
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.

They are clearly warning AGAINST implementing their code right now. Also it is agreeable that making own implementation is not really efficient. With this in mind, there is simply nothing that Mikrotik developers could do right now. I already advised to wait with the request because for now, it is just a waste of everyone's time. (including my own, when I have to repeatedly point out that wireguard is barely in experimental stage)

Re: [Feature request] Wireguard

Posted: Wed Aug 01, 2018 11:20 am
by ofer
+1 for Wireguard reference as it's currently being reviewed for kernel inclusion
http://lkml.iu.edu/hypermail/linux/kern ... 06622.html

Re: [Feature request] Wireguard

Posted: Thu Aug 02, 2018 2:34 am
by Sob
While it's too late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there's still a chance that Wireguard will be easily portable to older kernels.

Re: [Feature request] Wireguard

Posted: Fri Aug 03, 2018 7:48 pm
by chrismfz
+1 for Wireguard reference as it's currently being reviewed for kernel inclusion
http://lkml.iu.edu/hypermail/linux/kern ... 06622.html
It's coming....

https://www.phoronix.com/scan.php?page= ... -WireGuard

Linus Torvalds Is Hoping WireGuard Will Be Merged Sooner Rather Than Later

But when we gonna see it in Mikrotik ?

Re: [Feature request] Wireguard

Posted: Mon Aug 06, 2018 5:44 pm
by R1CH
I've been playing around with Wireguard recently and it's so refreshingly simple and fast, it makes setup of a new VPN link so easy. And the fact it uses modern, fast crypto is great - I would love to see this in RouterOS so I can finally ditch ipsec with its huge complexity and outdated crypto.

And even though it won't be hardware accelerated, chacha20-poly1305 is almost 4x faster than software AES on arm architecture!

Re: [Feature request] Wireguard

Posted: Thu Aug 09, 2018 8:07 am
by space007
+1

After testing ipsec eoip tunnels with Mikrotik, I was deluded of the hw encryption performance. To not mention the marketing hype and the missing reply regarding these issues put forth on the forum.

Although the RosOs was the thing with 2.x-3.x with features required and needed in the networking at that time which gave popularity to this company, sadly that is not the case anymore. Hardly there is any new implementation or revolution.

There is more momentum in other products. Now with x86 getting smaller, other router implementations are getting within reach.

Off topic, I know..

Sent from my Moto G (5) Plus using Tapatalk


Re: [Feature request] Wireguard

Posted: Fri Aug 10, 2018 12:03 pm
by Anumrak
I agree with the implementation of this protocol.

Re: [Feature request] Wireguard

Posted: Fri Aug 10, 2018 12:17 pm
by pe1chl
While it's too late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there's still a chance that Wireguard will be easily portable to older kernels.
For now it looks like the only realistic short-term implementation would be using a user mode daemon just like OpenVPN.
In fact the claims about requirement to have it in the kernel are quite hollow and do not add to the credibility of the developer.

Re: [Feature request] Wireguard

Posted: Sun Aug 12, 2018 1:33 pm
by florentrivoire
I would appreciate a lot a Wireguard implementation in RouterOS :)

The advantages that I see for my usage are :
  • it has a simpler VPN configuration
  • it should be faster than OpenVPN (in a single connection setup, where OpenVPN is mono-thread, I'm talking about the other endpoint which is on a Linux for me)

Re: [Feature request] Wireguard

Posted: Sun Aug 19, 2018 4:54 pm
by radiirr
+1 :)

Re: [Feature request] Wireguard

Posted: Thu Aug 23, 2018 9:38 am
by chiem
+1

Wireguard is supposed to be extremely simple. Please don't take 3+ years to support it.

Re: [Feature request] Wireguard

Posted: Mon Aug 27, 2018 3:08 pm
by TPecorella
+ 1, please add support asap

Re: [Feature request] Wireguard

Posted: Mon Aug 27, 2018 3:35 pm
by mozerd
+1
I have been using wireguard on the Ubiquiti EdgeRouter-Lite and WOW in a site to site scenario -- amazing vpn performance.
I definitely would encourage MikroTik to take a very serious look at this.

Re: [Feature request] Wireguard

Posted: Mon Aug 27, 2018 11:08 pm
by Steveocee
+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".

Re: [Feature request] Wireguard

Posted: Tue Aug 28, 2018 9:27 am
by pe1chl
+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".
I rather would love to see MikroTik implement existing and long outstanding feature requests rather than to be swayed by the issues of the day!

Re: [Feature request] Wireguard

Posted: Tue Aug 28, 2018 6:23 pm
by Sob
@pe1chl: It's generally true, but if this thing can be implemented as easily as authors claim:
WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.
(even though "very few lines of code" sounds a little too optimistic), it might be worth to give it a higher priority. If implementing Wireguard would be easier than finishing OpenVPN implementation (I don't know, might be), I'd say to go for it. Not that it's a dream come true in complete package...

I have mixed feelings about roadwarrior use. It needs only single udp port (great) and even has some kind of roaming (I'm still not decided how much it helps). But inside config (addresses, routes) seems to be intentionally static-only. That's not great, because it means that it's not very usable when there's a lot of users and things can change. On the other hand, it's not much worse than what MikroTik's OpenVPN offers. For small SOHO use it could be good, as it seems to be otherwise quite easy to understand. Even working Windows client already exists.

For site to site, IPSec works great for me, but it's true that I do it mostly with static public addresses. When that's not available, Wireguard could work better. It should also have better performance on devices without HW acceleration. And it would provide interfaces for links, which would make it more clear for a lot of people than current tunnel-mode IPSec (I know about IPIP/GRE/EoIP inside IPSec, but it's extra step).
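The static inner configuration and the roaming behaviour discussed in the post above can be seen in a small model, added here as an illustration and not taken from the thread or from the WireGuard code base. It is a simplified sketch of WireGuard's cryptokey routing: peer names stand in for public keys, authentication is reduced to a boolean, and all addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Peer:
    name: str  # stands in for the peer's public key (assumption of this model)
    allowed_ips: List[ipaddress._BaseNetwork]  # static inner networks for this peer
    endpoint: Optional[Tuple[str, int]] = None  # last known outer (IP, UDP port)


class CryptokeyRouter:
    """Simplified model of WireGuard's per-interface peer table."""

    def __init__(self, peers: List[Peer]):
        self.peers = peers

    def peer_for_destination(self, dst: str) -> Optional[Peer]:
        """Outbound: pick the peer whose allowed IPs contain dst (longest prefix wins)."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if (addr.version == net.version and addr in net
                        and net.prefixlen > best_len):
                    best, best_len = peer, net.prefixlen
        return best  # None means no peer is configured for dst: the packet is dropped

    def receive(self, peer: Peer, authenticated: bool,
                outer_src: Tuple[str, int], inner_src: str) -> bool:
        """Inbound: returns True if the decrypted inner packet is accepted."""
        if not authenticated:
            # Packets that fail authentication never influence peer state.
            return False
        # Roaming: the endpoint follows the outer source of the most recent
        # correctly authenticated packet from this peer.
        peer.endpoint = outer_src
        # Inner source filter: the decrypted packet must come from an address
        # statically assigned to this peer, otherwise it is dropped.
        addr = ipaddress.ip_address(inner_src)
        return any(addr.version == net.version and addr in net
                   for net in peer.allowed_ips)


def build_example() -> Tuple[CryptokeyRouter, Peer, Peer]:
    """Constructed sample: one roadwarrior laptop and one branch site."""
    laptop = Peer("laptop", [ipaddress.ip_network("10.8.0.2/32")])
    branch = Peer("branch", [ipaddress.ip_network("10.8.0.3/32"),
                             ipaddress.ip_network("192.168.50.0/24")],
                  endpoint=("192.0.2.10", 51820))
    return CryptokeyRouter([laptop, branch]), laptop, branch


if __name__ == "__main__":
    router, laptop, branch = build_example()
    print(router.peer_for_destination("192.168.50.10").name)   # branch
    print(router.peer_for_destination("172.16.0.1"))           # None: not configured
    router.receive(laptop, True, ("203.0.113.5", 51000), "10.8.0.2")
    router.receive(laptop, True, ("198.51.100.7", 40000), "10.8.0.2")
    print(laptop.endpoint)                                     # follows the laptop
```

Every inner address and route has to be listed per peer ahead of time, which is the "static-only" limitation the post describes, while the outer endpoint needs no configuration on the side that is being dialled.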

Re: [Feature request] Wireguard

Posted: Tue Aug 28, 2018 7:19 pm
by pe1chl
I'm not sure it is so much better than L2TP/IPsec which is proven and has hardware acceleration on a lot of MikroTik routers.
It can also deal with roaming users with dynamic IP, static or dynamic user tunnel addresses, etc.
And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN.

No, for me it is much more important that IPv6 is finally worked on again, and for others a multicore BGP solution is even more important.
Those things should be on top priority for MikroTik to work on (when they are not distracted by security issues), and new features like Wireguard should go below that.
When any work on VPN solutions is to be done, it should be to implement route pushing in existing protocols, according to (de-facto) standards.
When working between MikroTik routers one can use BGP, and I do so, but when using proprietary clients we need e.g. DHCP over L2TP (for Windows) and OpenVPN push route.

Re: [Feature request] Wireguard

Posted: Thu Sep 06, 2018 10:47 am
by samael
+1.

Re: [Feature request] Wireguard

Posted: Mon Sep 10, 2018 8:44 pm
by flazzarini
+1

Wireguard is so easy to set up and works on so many platforms already. On a side note though, if implemented please make it easier to use DNS names instead of IP addresses.

Re: [Feature request] Wireguard

Posted: Tue Sep 11, 2018 1:19 am
by R1CH
And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN.
I know it's a lot to hope for, but this could easily be avoided if Mikrotik would stop re-implementing these features themselves and start using the open source implementations directly. They already use Linux kernel (GPL), I really don't see why they are so against using other open source packages and are instead re-inventing them with reduced features and more security bugs.

On that note, a large amount of the Wireguard code operates in the Linux kernel, so in the future if RouterOS upgrades to a modern kernel we could very easily see Wireguard support with minimal work required by Mikrotik since it comes "for free".

Re: [Feature request] Wireguard

Posted: Mon Sep 24, 2018 11:25 pm
by czb123
+1 from me

Re: [Feature request] Wireguard

Posted: Wed Sep 26, 2018 12:15 pm
by ofer
+1 I hope it'll be included in the next major version

Re: [Feature request] Wireguard

Posted: Sun Oct 07, 2018 2:59 pm
by denisbondar
+1 for Wireguard

Re: [Feature request] Wireguard

Posted: Thu Nov 08, 2018 11:57 am
by bakshtay
+1 for wireguard on routeros

Re: [Feature request] Wireguard

Posted: Thu Nov 08, 2018 3:34 pm
by moneron
I think this is a good idea.
+1 for WireGuard.

Re: [Feature request] Wireguard

Posted: Wed Nov 14, 2018 7:17 pm
by shopping
+1 wireguard asap

Re: [Feature request] Wireguard

Posted: Mon Dec 10, 2018 7:44 pm
by SaurVLZ
+1 for Wireguard

Re: [Feature request] Wireguard

Posted: Tue Dec 11, 2018 9:00 am
by dakobg
+1

Sent from my SM-G903F using Tapatalk


Re: [Feature request] Wireguard

Posted: Mon Dec 31, 2018 3:52 pm
by 32768
+1 for Wireguard

Re: [Feature request] Wireguard

Posted: Mon Jan 07, 2019 11:18 am
by BDF
+1 for WG

Re: [Feature request] Wireguard

Posted: Wed Jan 09, 2019 12:07 pm
by pioh
+1 for Wireguard

Re: [Feature request] Wireguard

Posted: Fri Jan 18, 2019 10:11 am
by wwek
+1 for WireGuard in MikroTik

Re: [Feature request] Wireguard

Posted: Mon Jan 21, 2019 3:56 pm
by nik3600
+1 for WireGuard

Re: [Feature request] Wireguard

Posted: Mon Jan 21, 2019 5:54 pm
by pe1chl
There is no need for posting "+1 for wireguard".
It is well known from other topics that this has ZERO effect on it getting implemented.
I think you better contact sales with a use case and projected number of sold units.

Re: [Feature request] Wireguard

Posted: Sat Jan 26, 2019 11:40 am
by Chexov
+1 for WireGuard

Re: [Feature request] Wireguard

Posted: Thu Jan 31, 2019 1:24 pm
by kumos
+1 for WireGuard

Re: [Feature request] Wireguard

Posted: Thu Feb 07, 2019 3:46 pm
by wfalcon
+1 For WireGuard

Re: [Feature request] Wireguard

Posted: Thu Feb 07, 2019 3:50 pm
by normis

Re: [Feature request] Wireguard

Posted: Thu Feb 07, 2019 3:57 pm
by Sob
So you already have new RouterOS with kernel 4.20, but that's too bad Wireguard isn't there, therefore it can't be in RouterOS yet. I'm wondering if I'm reading it right. ;)

Re: [Feature request] Wireguard

Posted: Thu Feb 07, 2019 4:05 pm
by mkx
Too bad ROS 7 doesn't support DKMS kernel modules :(

Re: [Feature request] Wireguard

Posted: Thu Feb 07, 2019 4:19 pm
by pe1chl
Wireguard does not need to be in the kernel, it can be implemented in a user process.

Re: [Feature request] Wireguard

Posted: Mon Feb 11, 2019 8:23 pm
by Kaeltis
Would love to see official wireguard support as well.

Re: [Feature request] Wireguard

Posted: Mon Feb 11, 2019 8:33 pm
by Quasar
By the time we get v7 it'll be merged ;)
Wireguard does not need to be in the kernel, it can be implemented in a user process.
One of the selling points is performance. Especially on embedded devices userspace is not okay.

Re: [Feature request] Wireguard

Posted: Tue Feb 12, 2019 10:05 pm
by nz_monkey

One of the selling points is performance. Especially on embedded devices userspace is not okay.
Most high performance packet forwarding is done in user space!

Check out VPP, DPDK and OFP

Re: [Feature request] Wireguard

Posted: Sat Feb 16, 2019 7:47 pm
by Quasar

One of the selling points is performance. Especially on embedded devices userspace is not okay.
Most high performance packet forwarding is done in user space!

Check out VPP, DPDK and OFP
Well, that's cheating in the sense that it's accompanied by drivers allowing you to bypass the kernel stack and write a tailored userspace processing application.

It doesn't hold for a naive userspace application (such as the Golang Wireguard implementation). I'm sure you could make it fly in userspace using DPDK, but that's beside the point ;)

Re: [Feature request] Wireguard

Posted: Thu Feb 21, 2019 1:00 pm
by Kampfwurst
+1 from my side

Re: [Feature request] Wireguard

Posted: Fri Mar 08, 2019 1:08 pm
by marcrisse
+1 from me

I hate running Linux-VMs behind all my Mikrotik-Devices only for WG!

Re: [Feature request] Wireguard

Posted: Mon Mar 11, 2019 9:10 pm
by Anastasia
+1
it will soon be added to the linux kernel and it will become the VPN standard

Re: [Feature request] Wireguard

Posted: Tue Mar 12, 2019 11:35 pm
by mms101
+1 from me.

Re: [Feature request] Wireguard

Posted: Thu Mar 28, 2019 12:50 pm
by limaunion
++1

Re: [Feature request] Wireguard

Posted: Tue Apr 02, 2019 7:28 pm
by BG4DRL
+1
Waiting

Re: [Feature request] Wireguard

Posted: Wed Apr 03, 2019 12:10 pm
by pe1chl
+1
Waiting
I don't recommend that! Users requesting updates in OpenVPN have been waiting for over 5 years already...

Re: [Feature request] Wireguard

Posted: Wed Apr 03, 2019 5:55 pm
by Sob
So what's the best plan? Pleas, prayers, bribes, threats, ...? :)

Re: [Feature request] Wireguard

Posted: Wed Apr 03, 2019 11:20 pm
by pe1chl
So what's the best plan? Pleas, prayers, bribes, threats, ...? :)
A Raspberry Pi or similar to handle the features you wish to be in RouterOS but never appear...

Re: [Feature request] Wireguard

Posted: Thu Apr 04, 2019 12:58 am
by Paternot
So what's the best plan? Pleas, prayers, bribes, threats, ...? :)
A Raspberry Pi or similar to handle the features you wish to be in RouterOS but never appear...
That's quite cumbersome. Maybe a short term solution - but complaining is a long term solution. How can Mikrotik know what we want, if no one speaks?

True, they don't always implement it. But we try. :D

Re: [Feature request] Wireguard

Posted: Thu Apr 04, 2019 12:00 pm
by pe1chl
They should implement the feature to allow user processes to run on a router in a chroot jail under nonprivileged
router, with only network interfaces imported via sockets (tun/tap or listening sockets for specific ports), similar
to the concept of MetaROUTER found on old models, but much lighter (just a user process instead of full virtualisation).
This allows third parties to add functionality that the company itself does not have resources to develop, like a better
OpenVPN and also a user-mode implementation of Wireguard (which will of course work just fine, don't believe those that
claim it can only be done in the kernel!)
Also other things, like a full-featured DNS server, a webserver, and other things we have been asking about for many
years but that never arrive.
There is no need to open up RouterOS for this, and should it expose security problems that is only good because those
would have bitten us sometime anyway.

Re: [Feature request] Wireguard

Posted: Sun Apr 07, 2019 11:33 pm
by reinerotto
Why so complicated ?
Use MT for "plain and simple" routing/networking.
And an openwrt-box for the missing functions, like wireguard, squid proxy, nginx web server etc.
Or, just use openwrt devices for routing/networking, too.

Re: [Feature request] Wireguard

Posted: Mon Apr 08, 2019 5:21 am
by Sob
It depends. If you're big business, then get routers for routing and dedicated servers for other stuff. It's the right way, and costs (both for buying all devices and taking care of them) won't be a problem for you. If you're extreme hobbyist, then get your 10+ different devices, create all kinds of servers and have great fun with them.

But anyone in between (SOHO, etc) wants one device for all basic stuff. Full-blown Linux distribution (OpenWrt also qualifies) is one possible way, there are no limits what you can do with that, but it's also too complicated for most. RouterOS (and mainly WinBox) found the perfect spot. It gives you less freedom compared to Linux, but it's as friendly as it can be, while still remaining powerful enough. It's just awesome.

Unfortunately, sometimes it's not enough, and you may want a little bit more. But if RouterOS device provides >90% of what you need, getting another device for the rest is something you'd rather avoid. Realistically, MikroTik can't add all possible features, that's clear. There is/was MetaRouter, but it seems like a dead end now. And it was too heavy anyway. Something lighter as suggested by @pe1chl (and I suggested it in the past too) could be the solution that could make most people happy.

My only fear is that it could enable MikroTik to become "lazy" and refuse to implement some features, because "hey, we don't want to bother, when there's already a third-party package for that", even though it can be some half-working thing. I'd really like to have something like this as a way how to add some really exotic stuff that MikroTik would never add. But things like Wireguard should eventually be directly in RouterOS and supported by MikroTik.

Re: [Feature request] Wireguard

Posted: Wed Apr 10, 2019 8:44 pm
by robertpenz
We did some performance Tests with Wireguard and man it is faster than any other VPN with much less CPU load! And for Android Phones the battery is not used more than without VPN, which is not true for all other VPNs - It makes a VPN almost transparent performance wise. Please implement!!

Re: [Feature request] Wireguard

Posted: Mon May 06, 2019 11:31 am
by mutinsa
+1.

Re: [Feature request] Wireguard

Posted: Mon May 06, 2019 2:38 pm
by ErfanDL
Now you can install wireguard on any linux with pihole.
https://www.reddit.com/r/pihole/comment ... wireguard/

Sent from my C6833 using Tapatalk


Re: [Feature request] Wireguard

Posted: Mon May 06, 2019 8:05 pm
by anav
Thanks Erfan, are you saying I can attach my pi-hole to a port on my MT router and have it act as my wifeguard server (and then connect to it from my iphone for example)?
I hope the pi-hole works better on this than it did for me on DNS. I ended up bypassing the pi-hole and router DNS and now strictly use public DNS servers, otherwise too many funky DNS things were happening and I couldn't sort them out.

Re: [Feature request] Wireguard

Posted: Thu May 09, 2019 3:26 pm
by Samot
Soooo, we're all begging for Mikrotik to implement something that has never (in 2.5 years) hit an actual v1 release or anything stable. It's also a project surviving off of VC funding so what happens when their next round comes up with a goose egg?

Funny considering how much people complain about Mikrotik already having things in it that are incomplete and/or don't follow current standards, etc..

Re: [Feature request] Wireguard

Posted: Thu May 09, 2019 8:58 pm
by anav
"+1 for pe1chi" suggestion to stop posting +1 WG LOL. Shit I just posted it anyway! ;-)

Re: [Feature request] Wireguard

Posted: Thu May 09, 2019 10:22 pm
by sindy
"+1 for pe1chi" suggestion to stop posting +1
Except that his suggestion was to stop waiting, not stop posting +1 :-)

Re: [Feature request] Wireguard

Posted: Mon May 13, 2019 12:29 pm
by msatter
Wireguard was tested by INRIA

Source: https://www.security.nl/posting/608796/ ... eGuard-vpn

Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol derived from the Noise Protocol Framework. This paper presents the first mechanised cryptographic proof of the protocol underlying WireGuard, using the CryptoVerif proof assistant. We analyse the entire WireGuard protocol as it is, including transport data messages, in an ACCE-style model. We contribute proofs for correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay attacks. We also discuss the strength of the identity hiding provided by WireGuard. Our work also provides novel theoretical contributions that are reusable beyond WireGuard. First, we extend CryptoVerif to account for the absence of public key validation in popular Diffie-Hellman groups like Curve25519, which is used in many modern protocols including WireGuard. To our knowledge, this is the first mechanised cryptographic proof for any protocol employing such a precise model. Second, we prove several indifferentiability lemmas that are useful to simplify the proofs for sequences of key derivations.

Complete results: https://hal.inria.fr/hal-02100345

Re: [Feature request] Wireguard

Posted: Mon May 13, 2019 1:19 pm
by anthonws
Wireguard was tested by INRIA

Source: https://www.security.nl/posting/608796/ ... eGuard-vpn

Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol derived from the Noise Protocol Framework. This paper presents the first mechanised cryptographic proof of the protocol underlying WireGuard, using the CryptoVerif proof assistant. We analyse the entire WireGuard protocol as it is, including transport data messages, in an ACCE-style model. We contribute proofs for correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay attacks. We also discuss the strength of the identity hiding provided by WireGuard. Our work also provides novel theoretical contributions that are reusable beyond WireGuard. First, we extend CryptoVerif to account for the absence of public key validation in popular Diffie-Hellman groups like Curve25519, which is used in many modern protocols including WireGuard. To our knowledge, this is the first mechanised cryptographic proof for any protocol employing such a precise model. Second, we prove several indifferentiability lemmas that are useful to simplify the proofs for sequences of key derivations.

Complete results: https://hal.inria.fr/hal-02100345
WireGuard is vaporware and Mikrotik knows that pretty darn well! Hence why they are not doing anything in regards to it.

Just look at Ubiquiti... They got community support, from the main developer of WG back in 2017!! https://community.ubnt.com/t5/EdgeRoute ... -p/1904764

What a waste of time and energy... None of this is standard stuff and due to that all of their users are miserable because they can now run new-gen VPNs... After a while a new feeling hit them! They are now missing their dearly PPTP and OpenVPN (not a hacked version from Ubiquiti of course!)...

They even started a PPTP + OpenVPN movement! "Make PPTP & OpenVPN Great Again!"

/S

Re: [Feature request] Wireguard

Posted: Fri May 24, 2019 3:09 pm
by phouzva
+1.

Re: [Feature request] Wireguard

Posted: Sat May 25, 2019 8:10 pm
by aaronvonawesome
Would love to see official wireguard support as well.
+1

Re: [Feature request] Wireguard

Posted: Wed Jun 19, 2019 10:07 am
by m4dmike
+1 for Wireguard

Re: [Feature request] Wireguard

Posted: Wed Jun 19, 2019 11:34 am
by marcrisse
+1 and €100 for coffee ;)

Re: [Feature request] Wireguard

Posted: Fri Jun 21, 2019 1:31 am
by schose
+1 and a good bottle of German schnapps

Re: [Feature request] Wireguard

Posted: Fri Jun 28, 2019 11:32 am
by huntermic
I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection

Re: [Feature request] Wireguard

Posted: Fri Jun 28, 2019 2:12 pm
by anav
I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??

Re: [Feature request] Wireguard

Posted: Fri Jun 28, 2019 2:46 pm
by huntermic
I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??
I'm using it in a roadwarrior setup so for instance when I'm at work I can use my home nas at full speed, so I'm talking about 500Mbit inside the tunnel

Re: [Feature request] Wireguard

Posted: Mon Aug 19, 2019 1:10 pm
by mwittchen
+1 and a good bottle of German schnapps
+1

Re: [Feature request] Wireguard

Posted: Thu Aug 29, 2019 6:05 pm
by metalcated
Waiting for this too! Right now I am running a WG Server on a VM in my basement rack and it's pretty darn nice.

Any Linux folks out there who are running it and want a simple GUI --> https://github.com/metalcated/Wireguard-Bravo (more development to happen soon hopefully as I have time).

Going to watch this thread and pray it comes soon!

Thanks

Re: [Feature request] Wireguard

Posted: Sat Sep 07, 2019 8:26 am
by Grosen
definitively +1

Re: [Feature request] Wireguard

Posted: Sun Sep 08, 2019 5:46 am
by Lebzul
Thanks Erfan, are you saying I can attach my pi-hole to a port on my MT router and have it act as my wifeguard server (and then connect to it from my iphone for example)?
I hope the pi-hole works better on this than it did for me on DNS. I ended up bypassing the pi-hole and router DNS and now strictly use public DNS servers, otherwise too many funky DNS things were happening and I couldn't sort them out.
I'd like to have a "wife"guard too. (Just joking)

+1

Re: [Feature request] Wireguard

Posted: Sun Sep 15, 2019 11:34 am
by netflow
+1 for Wireguard in ROS. A good, fast, secure built-in vpn is a must!
Also interested in some community driven plugins. I cannot consider metarouter as a usable solution. It would require more flash on device, broader architecture support and then it is still a burden to manage additional vm and config!

Re: [Feature request] Wireguard

Posted: Sun Sep 15, 2019 12:05 pm
by sindy
Also interested by some community driven plugins.
That's against the idea of RouterOS. If you want 3rd party plugins, go OpenWRT (which is available even for some Mikrotik hardware) and forget about manufacturer's responsibility. If you want manufacturer's responsibility for the product, stay RouterOS and forget about 3rd party plugins. There is no middle way.

Re: [Feature request] Wireguard

Posted: Sun Sep 15, 2019 1:17 pm
by pe1chl
I don't consider that really true, there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process.
But apparently MikroTik is not interested in doing this.

Re: [Feature request] Wireguard

Posted: Sun Sep 15, 2019 1:39 pm
by sindy
there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process.
I may be old-fashioned but I still perceive Mikrotik as a router, not an application server. So I can imagine e.g. a more flexible DNS process running in a sandbox, but not processes directly involved in packet forwarding, such as stacks implementing new routing protocols or new VPN types. Leaving aside things like hardware encryption for other VPN types than IPsec (OpenVPN, SSTP to stay with those currently implemented) which might be really useful for some but I cannot imagine sandboxing them.

Re: [Feature request] Wireguard

Posted: Wed Sep 25, 2019 11:22 am
by vigor5
Waiting for this too

Re: [Feature request] Wireguard

Posted: Thu Sep 26, 2019 9:54 am
by avacha
I'm also interested in Wireguard implementation in Mikrotik devices.

P.S. Yesterday Cloudflare released a free VPN service:
WARP is an ambitious project. We set out to secure Internet connections from mobile devices to the edge of Cloudflare's network. In doing so, however, we didn't want to slow devices down or burn excess battery. We wanted it to just work. We also wanted to bet on the technology of the future, not the technology of the past. Specifically, we wanted to build not around legacy protocols like IPsec, but instead around the hyper-efficient WireGuard protocol.

Re: [Feature request] Wireguard

Posted: Thu Oct 24, 2019 9:26 am
by Intnernetz
++1

Re: [Feature request] Wireguard

Posted: Thu Oct 24, 2019 4:22 pm
by anav
I'm also interested in Wireguard implementation in Mikrotik devices.

P.S. Yesterday Cloudflare released a free VPN service:
WARP is an ambitious project. We set out to secure Internet connections from mobile devices to the edge of Cloudflare's network. In doing so, however, we didn't want to slow devices down or burn excess battery. We wanted it to just work. We also wanted to bet on the technology of the future, not the technology of the past. Specifically, we wanted to build not around legacy protocols like IPsec, but instead around the hyper-efficient WireGuard protocol.
Very interesting and thanks. Within the last year I added wireguard to my cell phone and streaming devices for fun. Seeing as Cloudflare uses wireguard (which is not a surprise) I have deleted most if not all other VPNs I have been experimenting with, save wireguard (solely kept for source country changes although rarely required). Initial results for the WARP service are very good in terms of throughput. I have been trying to clean up my apps and just deleted 3 for 1. :-)

+1 for adding wireguard for a method of VPN for mikrotik aka another protocol to choose from in the mix.

There is a bit of technical blog which was dumbed down enough for me to read it......
https://blog.cloudflare.com/warp-technical-challenges/

Re: [Feature request] Wireguard

Posted: Wed Nov 06, 2019 3:56 pm
by msatter
NordVPN has supported Wireguard for a while now, and it would be great if RouterOS 7 were going to support Wireguard while that is also still in development.

NordVPN have added a 'double NAT' at their side to improve anonymity of the customer.

And we found it. We developed something called a double NAT (Network Address Translation) system.

To put it simply, the double NAT system creates two local network interfaces for each user. The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same IP address.

Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique IP address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.

Source: https://nordvpn.com/blog/nordlynx-protocol-wireguard/

Re: [Feature request] Wireguard

Posted: Wed Nov 06, 2019 4:01 pm
by anav
I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??
I'm using it in a roadwarrior setup so for instance when I'm at work I can use my home nas at full speed, so I'm talking about 500Mbit inside the tunnel
hey huntermic would you be interested in sharing your raspberry pi setup and steps to get there?.......... if so please email me (click on my name to get details).

Re: [Feature request] Wireguard

Posted: Thu Nov 14, 2019 9:14 pm
by Solear
+1 for Wireguard

Actually I connect 3 different locations with 3 raspberrys and Wireguard over the internet. It would be nice to connect the MikroTik routers directly for a lan to lan to lan network :)

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 2:21 am
by FutileNetworks
+1 Wireguard

MikroTik, we've replaced all our site-to-site IPSEC vpns with wireguard, in most cases 3-4x performance increase and approaching gigabit speeds, each time we bring up a new wireguard vpn that is one less sale of a ccr1009, rb4011 or hEX.

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 7:00 am
by anav
+1 for Wireguard

Actually I connect 3 different locations with 3 raspberrys and Wireguard over the internet. It would be nice to connect the MikroTik routers directly for a lan to lan to lan network :)
Could you email me with how you set up a raspberry pi for wireguard connected to a MT router?

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 8:52 am
by normis
+1 Wireguard

MikroTik, we've replaced all our site-to-site IPSEC vpns with wireguard, in most cases 3-4x performance increase and approaching gigabit speeds, each time we bring up a new wireguard vpn that is one less sale of a ccr1009, rb4011 or hEX.
Wireguard by definition is slower and can't support HW acceleration. IPsec will definitely be faster.

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 9:29 am
by dynek
Wireguard by definition is slower and can't support HW acceleration. IPsec will definitely be faster.
That is no reason to not implement WireGuard at some point which is much easier to set up & lightweight.

And don't forget that Linus himself loves it:
https://lists.openwall.net/netdev/2018/08/02/124

Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 10:52 am
by marcrisse
Wireguard by definition is slower and can't support HW acceleration. IPsec will definitely be faster.
By definition?? Sorry, Wireguard is definitely faster than (secure) IPSec in real life! That's why we migrated to Linux-Servers and WG.

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 11:40 am
by Solear
+1 for Wireguard

Actually I connect 3 different locations with 3 raspberrys and Wireguard over the internet. It would be nice to connect the MikroTik routers directly for a lan to lan to lan network :)
Could you email me with how you set up a raspberry pi for wireguard connected to a MT router?
You need to route wireguard from your router to your raspberry (check port and IP-address)
/ip firewall filter
add action=accept chain=forward dst-port=51820 protocol=udp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=51820 in-interface=wan protocol=udp to-addresses=192.168.150.200 to-ports=51820
credits to https://www.bachmann-lan.de/raspberry-p ... wireguard/
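
The forward rule posted above accepts UDP/51820 whatever the destination or ingress interface. A narrowed variant, as an added example that is not part of the original post (address, port and the interface name wan are the ones used in the post; the comment text is made up here):

```routeros
# Added example, not from the original post.
# 192.168.150.200, port 51820 and interface "wan" come from the post above;
# adjust them to your own setup.

/ip firewall nat
# Translate only WireGuard's UDP port arriving on the WAN interface.
add action=dst-nat chain=dstnat comment="WireGuard to Raspberry Pi" \
    dst-port=51820 in-interface=wan protocol=udp \
    to-addresses=192.168.150.200 to-ports=51820

/ip firewall filter
# As posted, the accept rule matches forwarded UDP/51820 to any host:
# add action=accept chain=forward dst-port=51820 protocol=udp
#
# Narrowed: accept only packets that the dst-nat rule above translated,
# that arrived on the WAN interface and that are destined for the Pi.
add action=accept chain=forward comment="WireGuard to Raspberry Pi" \
    connection-nat-state=dstnat dst-address=192.168.150.200 \
    dst-port=51820 in-interface=wan protocol=udp
```

The accept rule has to sit above any drop rule in the forward chain, since RouterOS evaluates filter rules in order.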

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 11:59 am
by normis
Yes, IPsec is faster, because it is hardware accelerated and Wireguard can't be accelerated. If your Wireguard is faster, then maybe your IPsec config is wrong, or the HW doesn't support HW encryption.

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 12:28 pm
by dynek
https://www.wireguard.com/performance/
https://calomel.org/aesni_ssl_performance.html

Hopefully hardware acceleration gives better performance, true. But Wireguard uses ChaCha20 which according to my findings isn't doing too bad against HW accelerated AES.
Not on par with AES but definitely not too far from AES-256-GCM and better than AES-256-CBC. Drawback is CPU usage though.

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 12:49 pm
by normis
Of course, I am only referring to RouterBOARD devices. If you have plenty of CPU power, you can make it fast.

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 4:54 pm
by anav
Of course, I am only referring to RouterBOARD devices. If you have plenty of CPU power, you can make it fast.
Normis, can you perhaps comment on comparing Wireguard to the Road Warrior VPN scenario?
Does the hw accelerated MT device still have the edge?

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 8:33 pm
by mozerd
Of course, I am only referring to RouterBOARD devices. If you have plenty of CPU power, you can make it fast.
Normis, can you perhaps comment on comparing Wireguard to the Road Warrior VPN scenario?
Does the hw accelerated MT device still have the edge?
Normis cannot provide that analysis without running Wireguard on RouterBOARD.

I have run Wireguard on Ubiquiti EdgeMax Routers, stated much earlier in this thread, and Wireguard beats the heck out of IPSec regardless of hw acceleration. Wireguard does not need hw acceleration — it just needs a capable CPU.

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 9:01 pm
by huntermic
Speed of wireguard is indeed amazing, but not only the speed. Wireguard is also very simple to configure and deals much better with roaming situations.

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 11:26 pm
by Engitech
+1000 for Wireguard - performance, stability and simplicity

Re: [Feature request] Wireguard

Posted: Fri Nov 22, 2019 11:34 pm
by anav
How is one to measure if one's CPU is up to the task to handle Wireguard without HW acceleration and meet or beat performance of ipsec with hw acceleration.??
For example your Ubiquiti vs HEX
Architecture: MMIPS
CPU: MT7621A
CPU core count: 2
CPU nominal frequency: 880 MHz
CPU Threads count: 4
Dimensions: 113x89x28mm
License level: 4
Operating System: RouterOS
Size of RAM: 256 MB
Storage size: 16 MB
Storage type: FLASH

Or vs.........
RB450Gx4
Architecture: ARM 32bit
CPU: IPQ-4019
CPU core count: 4
CPU nominal frequency: 716 MHz
Dimensions: 90 x 115 mm
License level: 5
Operating System: RouterOS
Size of RAM: 1 GB
Storage size: 512 MB
Storage type: NAND

Re: [Feature request] Wireguard

Posted: Sat Nov 23, 2019 10:59 am
by huntermic
Keep in mind, the most basic version of the raspberry pi 4 will run wireguard at full gigabit speeds and won't cost you the world........

Re: [Feature request] Wireguard

Posted: Sat Nov 23, 2019 6:54 pm
by mozerd
How is one to measure if one's CPU is up to the task to handle Wireguard without HW acceleration and meet or beat performance of ipsec with hw acceleration.??
My experience with WireGuard is only on the Ubiquiti EdgeMax product line and I can categorically state that WireGuard runs faster than any other vpn protocol that requires Hardware acceleration.

The key to WireGuard performance is its efficiency so regardless of the CPU capability comparatively speaking WireGuard is faster. A much more capable CPU will provide much better results without taxing the CPU — that is what makes WireGuard very unique.

The PROOF is in the pudding 😀 ..... I do not know of anyone in my field who has actually tried WireGuard and compared it to IPSec [HA] that did not come back with amazement.

Re: [Feature request] Wireguard

Posted: Mon Nov 25, 2019 1:25 pm
by omidkosari
Apart from comparing speed, let's assume we want to provide vpn connection to end users. For example 1000 vpn clients (including mobile phones) on single router. In that case the best available solution is wireguard because even if router supports hardware encryption for ipsec, but client doesn't have hardware acceleration then the result will not be so good.

router (hardware encryption) <----ipsec----> mobile phone clients
VS
router <----wireguard----> mobile phone clients

I think this is a better comparison.

Re: [Feature request] Wireguard

Posted: Mon Nov 25, 2019 2:29 pm
by pe1chl
You forget that many CPU cores used in devices like mobile phones already support AES acceleration and when the software developer has been careful it is used by IPsec VPN.
On the other hand, "special" encryption types as used in Wireguard are not accelerated on those devices.

Re: [Feature request] Wireguard

Posted: Mon Nov 25, 2019 2:44 pm
by sindy
...and more than that, the CPU in the phone has about the same (or even higher) power than the CPUs used in SOHO Mikrotik models, and it deals with a single tunnel whereas the Mikrotik deals with 1000 in your example.

Re: [Feature request] Wireguard

Posted: Mon Nov 25, 2019 4:05 pm
by dynek
Give us Metarouter, RB1100AHx2 here 👍

Re: [Feature request] Wireguard

Posted: Mon Nov 25, 2019 4:25 pm
by pe1chl
Give us Metarouter, RB1100AHx2 here 👍
MikroTik should add the capability for chrooted/privilege separated user processes that have network access like Metarouter but do not have virtual machine overhead (both in CPU cycles and in development effort)...
This can be used to run special features, Wireguard is only one of them.
(don't listen to people claiming that Wireguard has to run in kernel, it can also run in a user process)

Re: [Feature request] Wireguard

Posted: Mon Dec 09, 2019 8:09 pm
by dynek