satman1w
Member Candidate
Topic Author
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Will the wireguard ever become useful vpn server / client

Thu Mar 03, 2022 1:26 pm

Hi all, ...

I would like to know if Wireguard will ever become something more than "proof of concept"?
Will we ever have a simple way to create and track users?
Will we be able to allow users other than "administrators" to establish the connection?
Will we ever be able to protect client configuration from tampering?

If all of that will not be enabled, what is the point of speed, security, simplicity and so on...

regards
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Thu Mar 03, 2022 2:23 pm

Maybe wrong place to ask? See Wireguard forums and reddit community
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Thu Mar 03, 2022 2:53 pm

I do not get your point... Using Wireguard for a lot of things and it works really well.
Just keep track of user and key assignment...
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Thu Mar 03, 2022 3:04 pm

I agree with the general sentiment of that posting. Wireguard's author is proud that his project "does not have the bloat" that other VPN solutions have, but unfortunately that means it also lacks a lot of the functionality, which has to be provided by additional software and tricks.
We can only hope that it either changes when wireguard gets more adoption, or there is a widely agreed second layer "on top of" wireguard that hides these issues.
(what I am referring to is not mainly the MikroTik implementation but more the general "no bloat" principle)
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Thu Mar 03, 2022 3:23 pm

> 1... I would like to know if Wireguard will ever become something more than "proof of concept"?
> 2... Will we ever have a simple way to create and track users?
> 3... Will we be able to allow users other than "administrators" to establish the connection?
> 4... Will we ever be able to protect client configuration from tampering?

First and foremost ---- WireGuard is NOT a vpn server / client system PERIOD ..... WireGuard is a VPN Peer to Peer Protocol without ANY oxymoronic conversions.

A 3rd Party Tool is required to accomplish points 2,3,4 ... a Tool like PRO CUSTODIBUS

OR if one is smart enough produce a WireGuard Management System.

Re Your Point 1 ... WireGuard is a PRODUCTION PROTOCOL that works extremely well and no longer a proof of concept ... Idiots can think of WireGuard as a proof of concept. 4sure.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Thu Mar 03, 2022 5:17 pm

The pro cuttybus guy gives you a share of the sales?
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Thu Mar 03, 2022 5:37 pm

He is well known for recurring advertisement of commercial services (including his own) on the MikroTik Forum...
 
mozerd
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Thu Mar 03, 2022 5:39 pm

> The pro cuttybus guy gives you a share of the sales?

I have no affiliation with PRO CUSTODIBUS of what-so-ever-nature ...

I do however respect PRO CUSTODIBUS and their exceptional tech team especially engineer Justin Ludwig
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Thu Mar 03, 2022 6:20 pm

pe1chl, please do not feed the troll znevna whenever his obvious jealousy or some personal issue rears its ugly head.

Perhaps instead of jumping on his silly bandwagon you realize that Mozerd provided:
a. a very practical and instructive message (at least for me) of what type of VPN wireguard was designed to be
AND
b. a path to solve some of the issues that the OP originally raised.

The MT rep giNormus (although I never peeked, just a rumour), even stated it's not a topic germane to the MT forums, and not a problem or issue of the MT wireguard functionality.
Certainly I am sure that if there are 'useful' additions to the wireguard protocol that the MT RoS can provide, feel free to suggest new ideas!!!

In summary I will continue to take you to task for uncalled for comments because I know you are capable of better and often have great posts, as for the other guy, lost cause, head in the sand, no point!
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Thu Mar 03, 2022 6:28 pm

mozerd provided nothing, as usual.
The OP's post isn't even aimed at MikroTik.
Pro cuttygastronomicusbus has nothing to do with MikroTik, does not manage the wireguard config of RouterOS.
Please state how pro cuttybus is related in any way to RouterOS.
I'm not a fan of advertising private wonky closed source services in these forums.
moab, cloudsomething something, cuttybus whatever.
And I'll always mock such posts.
mozerd is a special one, please read viewtopic.php?t=173628
Last edited by Znevna on Thu Mar 03, 2022 6:36 pm, edited 1 time in total.
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Thu Mar 03, 2022 6:34 pm

> mozerd provided nothing, as usual.
> The OP's post isn't even aimed at MikroTik.
> Pro cuttygastronomicusbus has nothing to do with MikroTik, does not manage the wireguard config of RouterOS.
> Please state how pro cuttybus is related in any way to RouterOS.

You continue to display a complete lack of sense and logic.

If your basis of discussion is that the original post is not aimed at MT, then you have no leg to stand on regarding whether or not pro..... has anything to do with RoS.
Further, the OP was outlining some shortfalls in wireguard in general, Mozerd provided a path to potentially address such things, quite reasonable.

It's clear you have a petty bias that clouds your thinking. Best to quit while you're only slightly behind. :-)
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Thu Mar 03, 2022 6:37 pm

Yes, I'll get right on it. Stay tuned!
 
Amm0
Forum Guru
Posts: 3253
Joined: Sun May 01, 2016 7:12 pm
Location: California

Thu Mar 03, 2022 7:42 pm

> If all of that will not be enabled, what is the point of speed, security, simplicity and so on...

> mozerd provided nothing, as usual.

> You continue to display a complete lack of sense and logic.

This is a case of a network protocol looking for a solution, based on buzzwords. So if we remove the buzzwords... What's missing here is the problem with the existing solutions?

Mikrotik steers you to L2TP and SSTP (& ironically PPTP) when you check "VPN" in QuickSet – I'd take that as MT's recommended VPN servers. While Mikrotik's Wireguard docs have an example for "site-to-site", this forum is replete with examples of Wireguard being "useful". Similarly WG isn't as useful if you need to bridge L2, which is why RouterOS has many protocols to solve various needs (L2TP, ZeroTier, MPLS, etc).

The simple fact is Wireguard, by design, does not concern itself with users, only keys. How someone/something wants to manage the key is NOT WG's concern/design. That's not a defect in Wireguard, it's a strength – it allows a variety of architectures to use secure, efficient L3 tunnels in a variety of ways, VPN client/server being one possibility. @mozerd has suggested a few commercial services that make WG at least more "user friendly", and that's the idea behind the separation of tunnel+key from "use cases": you can use WG as a protocol anywhere, but without some layer ON TOP of WG, a "VPN client user" is dealing with keys to set up a tunnel. That may or may not work for some cases.
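
The "keep track of user and key assignment" layer discussed in this thread amounts to a small registry on top of WireGuard. The sketch below is an added example, not part of the thread and not code from MikroTik or the WireGuard project: the `PeerRegistry` class, the 10.99.0.0/24 pool and the sample keys are constructed for illustration, and the output uses the standard `wg`/`wg-quick` `[Peer]` format rather than RouterOS syntax.

```python
import base64
import ipaddress


def constructed_key(n):
    # Constructed sample value (32 identical bytes), not a real WireGuard key.
    return base64.b64encode(bytes([n]) * 32).decode()


class PeerRegistry:
    """Hypothetical user-to-key registry; WireGuard itself only ever sees the keys."""

    def __init__(self, pool):
        self.pool = ipaddress.ip_network(pool)
        self.peers = {}  # public key -> {"user", "address", "revoked"}

    def enroll(self, user, public_key):
        # A WireGuard public key is 32 bytes, carried as base64.
        if len(base64.b64decode(public_key, validate=True)) != 32:
            raise ValueError("public key must decode to 32 bytes")
        if public_key in self.peers:
            raise ValueError("key already assigned to " + self.peers[public_key]["user"])
        used = {p["address"] for p in self.peers.values()}
        # Skip the first host address (kept for the hub); revoked addresses stay
        # reserved so old logs remain attributable to one user.
        for host in list(self.pool.hosts())[1:]:
            if host not in used:
                self.peers[public_key] = {"user": user, "address": host, "revoked": False}
                return host
        raise RuntimeError("address pool exhausted")

    def revoke_user(self, user):
        keys = [k for k, p in self.peers.items() if p["user"] == user and not p["revoked"]]
        for key in keys:
            self.peers[key]["revoked"] = True
        return keys

    def render_peers(self):
        # One [Peer] section per active key; a /32 AllowedIPs pins each key
        # to a single source address inside the tunnel.
        return "\n".join(
            "[Peer]\n# user: %s\nPublicKey = %s\nAllowedIPs = %s/32\n"
            % (p["user"], key, p["address"])
            for key, p in self.peers.items() if not p["revoked"])

    def audit(self, live_keys):
        """Compare the keys configured on the device with the registry."""
        live = set(live_keys)
        active = {k for k, p in self.peers.items() if not p["revoked"]}
        return {
            "unknown": sorted(live - set(self.peers)),
            "revoked_but_live": sorted(live & (set(self.peers) - active)),
            "missing": sorted(active - live),
        }


def demo():
    reg = PeerRegistry("10.99.0.0/24")  # constructed pool
    alice, bob, stray = (constructed_key(n) for n in (1, 2, 3))
    reg.enroll("alice", alice)
    reg.enroll("bob", bob)
    reg.revoke_user("bob")
    # Pretend the device still carries bob's key plus one nobody registered.
    return reg, reg.audit([alice, bob, stray])


if __name__ == "__main__":
    registry, report = demo()
    print(registry.render_peers())
    print(report)
```

The `audit` result is the part that matters operationally: a key still live on the device after its user was revoked, or a key no user owns, is exactly what a keys-only protocol cannot tell you by itself.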
 
satman1w
Member Candidate
Topic Author
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Fri Mar 04, 2022 8:21 am

> Maybe wrong place to ask? See Wireguard forums and reddit community

Hi Normis,

as for the windows client, you are right, but I believe that a lot of things could be solved in ROS.

regards
 
satman1w
Member Candidate
Topic Author
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Fri Mar 04, 2022 8:24 am

> I do not get your point... Using Wireguard for a lot of things and it works really well.
> Just keep track of user and key assignment...

try to create 200 accounts for remote users and manage them on a daily basis...
and then try the same with...PPTP, or L2TP... and you will understand
Last edited by satman1w on Fri Mar 04, 2022 8:43 am, edited 1 time in total.
 
satman1w
Member Candidate
Topic Author
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Fri Mar 04, 2022 8:28 am

> I agree with the general sentiment of that posting. Wireguard's author is proud that his project "does not have the bloat" that other VPN solutions have, but unfortunately that means it also lacks a lot of the functionality, which has to be provided by additional software and tricks.
> We can only hope that it either changes when wireguard gets more adoption, or there is a widely agreed second layer "on top of" wireguard that hides these issues.
> (what I am referring to is not mainly the MikroTik implementation but more the general "no bloat" principle)

...thanks for the sympathy...

:-)
 
satman1w
Member Candidate
Topic Author
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Fri Mar 04, 2022 8:35 am

> > 1... I would like to know if Wireguard will ever become something more than "proof of concept"?
> > 2... Will we ever have a simple way to create and track users?
> > 3... Will we be able to allow users other than "administrators" to establish the connection?
> > 4... Will we ever be able to protect client configuration from tampering?
>
> First and foremost ---- WireGuard is NOT a vpn server / client system PERIOD ..... WireGuard is a VPN Peer to Peer Protocol without ANY oxymoronic conversions.
>
> A 3rd Party Tool is required to accomplish points 2,3,4 ... a Tool like PRO CUSTODIBUS
>
> OR if one is smart enough produce a WireGuard Management System.
>
> Re Your Point 1 ... WireGuard is a PRODUCTION PROTOCOL that works extremely well and no longer a proof of concept ... Idiots can think of WireGuard as a proof of concept. 4sure.

first and foremost - The first sentence on "www.wireguard.com" reads: "WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography"
so it is not intended for me to decide whether it is vpn or not

as for 2,3,4 I would expect some simple tools in ROS and do not want any third party tool

And about point 1... I don't know you personally and I don't know if you're an idiot or not but it certainly takes one to know one ..

thanks for your useless answer
 
satman1w
Member Candidate
Topic Author
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Fri Mar 04, 2022 8:39 am

> mozerd provided nothing, as usual.
> The OP's post isn't even aimed at MikroTik.
> Pro cuttygastronomicusbus has nothing to do with MikroTik, does not manage the wireguard config of RouterOS.
> Please state how pro cuttybus is related in any way to RouterOS.
> I'm not a fan of advertising private wonky closed source services in these forums.
> moab, cloudsomething something, cuttybus whatever.
> And I'll always mock such posts.
> mozerd is a special one, please read viewtopic.php?t=173628

exactly

thanks
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Fri Mar 04, 2022 8:50 am

Satman1w
You need to read better as well.
Mozerd did not say wireguard is no vpn, he said it's not a client server model.
Everything is a peer.

I largely agree with most of your concerns but do not agree it only needs to be solved by Mikrotik/ROS.

How long did it take to have a decent windows ovpn client ?
There are even vpns existing for years where you still today need to modify registry on win to get it working.

Give it some time.
Those things will come.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Fri Mar 04, 2022 9:08 am

I don't know how arguing that wireguard isn't server/client helped anyone.
Yes we know that wireguard only has peers, but some of us still think of the peer behind a cgnat or nat or double/triple nat as a "client", and the peer to which it connects as a "server" (the one with at least a nice shiny udp port forwarded to it).
This solves nothing.
I don't know if the wireguard config from RouterOS is completely exposed via API? I never touched that.
Because if it is, a tool could be written for this, an open source tool, just for managing wireguard.
 
fragtion
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Fri Mar 04, 2022 9:18 am

I'm using wireguard prolifically since RouterOS v7, for multiple site-to-site links and road warrior setups and it's been a total gamechanger just as it is. Faster and easier to set up than all of the other VPN solutions in mikrotik IMO, except maybe zerotier. I've purchased hundreds of new mikrotik devices for various projects purely to create site-to-site VPNs with wireguard.

Right now my biggest gripes with wireguard are:

1. At least one endpoint must have an open port / lack of NAT traversal (in which case I fall back on zerotier). I guess MikroTik aren't going to prioritize some solution for wg NAT hole punching due to their partnership with zerotier now which would be somewhat unfortunate if true. I think support for tailscale would be an ideal/wonderful solution. Actually I think tailscale is precisely the solution that OP of this thread envisions when they say that wireguard is like a skeleton proof of concept and needs a layer of more configuration flexibility on top. So here's my vote anyway for tailscale support in MikroTik

2. Lack of TCP support for unstable connections. Yes UDP is faster in general but sometimes TCP can help stabilize the connection. In such cases I fall back to SSTP where required

3. Manual MTU configuration that is required, and need to run GRE/EOIP over the WG tunnel in order to achieve 1500 MTU link / true Layer-2 bridging. The added overhead means reduced throughput efficiency, not to mention more configuration and IP addresses just to establish a single link

And a few other small issues which could be specific to MikroTik's implementation, such as need to disable & re-enable a wg interface+peer pair if a remote endpoint IP address changes (dynamic DNS). But scripts can help with this. Overall I think zerotier and tailscale are more elegant and complete solutions which make wireguard's configuration seem somehow archaic (and extremely limited, in spite of its modern and simplistic approach) in my opinion. It should become possible to use one mikrotik as a "cloud relay" type of server for the other nodes to get basic authentication and peer information and pass this on to the two endpoints so they can find each other and bypass NAT firewalls etc without dynamic dns and other legacy solutions. Then we're really talking
Last edited by fragtion on Fri Mar 04, 2022 9:50 am, edited 8 times in total.
 
satman1w
Member Candidate
Topic Author
Posts: 279
Joined: Mon Oct 02, 2006 11:47 am

Fri Mar 04, 2022 9:19 am

> Satman1w
> You need to read better as well.
> Mozerd did not say wireguard is no vpn, he said it's not a client server model.
> Everything is a peer.

If you are using it to connect your client to company HQ, and you see the HQ network as you would if you were there, it is VPN for me...
and technology behind does not make any difference from the users point of view...

> I largely agree with most of your concerns but do not agree it only needs to be solved by Mikrotik/ROS.

Of course, not only by Mikrotik, but creating and managing users within ROS is certainly something that I expect...

> How long did it take to have a decent windows ovpn client ?
> There are even vpns existing for years where you still today need to modify registry on win to get it working.
>
> Give it some time.
> Those things will come.

You are probably right, but it does not hurt to ask... :-)
Last edited by satman1w on Fri Mar 04, 2022 10:52 am, edited 1 time in total.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Fri Mar 04, 2022 9:22 am

@fragtion: Your ISP supports MTU that high that you can fit wireguard and gre/eoip over it or you just like terrible performance?
 
fragtion
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Fri Mar 04, 2022 9:36 am

> @fragtion: Your ISP supports MTU that high that you can fit wireguard and gre/eoip over it or you just like terrible performance?

Any other solutions you can suggest (because no, it's definitely not my choice/preference to have terrible performance)? I'm referring to running a wg tunnel over things like pppoe connections where (at least with mikrotik currently) max MTU possible is 1480, or mobile/3g connections where MTU could be even lower, such as 1350 etc. That means the wg tunnel must run at 1400 MTU (or even lower) instead of the default 1420. What am I missing?
I guess with cases where CHR is used on cloud setups and jumbo frames is available, then this isn't much of a problem. But in most use cases we're talking about 1500 MTU or lower, in which case the wg tunnel will always run at a compromised lower MTU which will affect some applications and websites especially over SSL. I've seen several threads right here on the mikrotik forums (and elsewhere) of users running into issues where the problem seems to be MTU related (I faced the same issue, luckily EOIP came to the rescue)
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Fri Mar 04, 2022 9:50 am

I didn't find a need for running such a bad setup, yet.
My WG endpoints sit at the lowest ISP MTU-60 just fine (IPv4 endpoints). Can't think why I would need EOIP or l2 bridging between sites.
The fragmentation on your setup is stellar.
 
fragtion
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Fri Mar 04, 2022 10:03 am

> Can't think why I would need EOIP or l2 bridging between sites.

Lol classic case of "just because I don't need it, no one else should". How do you achieve a layer2 broadcast plane for device discovery etc with your routed setups? Exactly, you don't. Sometimes there's a need for site-to-site bridging even if you don't realise this yet. My config might seem convoluted to you (don't worry, it does to me too which is why I'm posting my feedback and suggestions) but it works perfectly and all the devices handle whatever I throw at them, so any issue you perceive seems to be irrelevant really. I'm still waiting for your better suggestions on how to achieve a more maximally efficient 1500mtu layer-2 bridge between Mikrotik devices constrained by lower-mtu transit interfaces, besides for my approach? I expect to wait for an answer indefinitely
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Fri Mar 04, 2022 10:13 am

I don't need any of that between sites, and never will, hence I won't search for a solution for something that I don't need.
I only rely on L3 between sites.
Probably there isn't a better solution to what you're trying to achieve: viewtopic.php?t=181674
But still you can't ignore the fragmenting.
I did some tests a while ago with proper MTU set in wireguard and .. not, the performance drop was terrible with bad MTU, no L2 bridging is worth that.
And it's not something MikroTik specific, there isn't any magical solution to your "problem", there will be fragments.
 
fragtion
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Fri Mar 04, 2022 10:29 am

> I don't need any of that between sites, and never will, hence I won't search for a solution for something that I don't need.
> I only rely on L3 between sites.
> Probably there isn't a better solution to what you're trying to achieve: viewtopic.php?t=181674
> But still you can't ignore the fragmenting.
> I did some tests a while ago with proper MTU set in wireguard and .. not, the performance drop was terrible with bad MTU, no L2 bridging is worth that.
> And it's not something MikroTik specific, there isn't any magical solution to your "problem", there will be fragments.

Agreed. Fragmentation is a problem, as is WG's own overhead provoking that very problem and causing the very MTU issues (which users invariably run into and then think the protocol itself is buggy, which you and me both know isn't the case) as alluded to in my earlier posts. Fortunately, technologies like EOIP can solve the problem, albeit at the cost of even *more* overhead. But if that's what it takes to defy the physical limitations and get the job done, so be it :) Something like a checkbox in Mikrotik's wireguard configuration to "transparently" implement an EOIP layer over the tunnel would make configuration much easier, but obviously not go down too well with any routing-only purists around here xD I guess that's why we have these conversations and how technologies evolve on a fundamental level at the end of the day
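
The MTU figures traded in the posts above (ISP MTU minus 60 for IPv4 endpoints, the default of 1420, EoIP over the tunnel producing fragments) can be checked with a small model. This is an added example, not part of the thread: it assumes the EoIP packet is IPv4-fragmented at the WireGuard interface, uses 60/80 bytes of WireGuard overhead and the 42-byte EoIP overhead given in MikroTik's documentation, and ignores the PPPoE header on the wire.

```python
# Outer IP header (20 or 40) + UDP 8 + WireGuard data header 16 + auth tag 16.
WG_OVERHEAD = {4: 60, 6: 80}
# Tunnel IPv4 header 20 + GRE 8 + bridged Ethernet header 14.
EOIP_OVERHEAD = 42


def wg_mtu(underlay_mtu, ip_version=4):
    """Largest inner packet that fits in one WireGuard datagram."""
    return underlay_mtu - WG_OVERHEAD[ip_version]


def ipv4_fragments(packet_len, mtu, header=20):
    """Sizes of the IPv4 packets produced when packet_len must cross mtu."""
    if packet_len <= mtu:
        return [packet_len]
    per_frag = (mtu - header) // 8 * 8  # fragment payloads are multiples of 8 bytes
    payload = packet_len - header
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(chunk + header)
        payload -= chunk
    return sizes


def wg_wire_size(inner_len, tunnel_mtu, ip_version=4):
    # WireGuard pads the plaintext to a multiple of 16 bytes, never past the tunnel MTU.
    padded = min(tunnel_mtu, -(-inner_len // 16) * 16)
    return padded + WG_OVERHEAD[ip_version]


def eoip_over_wg(underlay_mtu, l3_payload=1500, ip_version=4):
    """One full-size bridged frame sent through EoIP inside WireGuard."""
    tunnel = wg_mtu(underlay_mtu, ip_version)
    frags = ipv4_fragments(l3_payload + EOIP_OVERHEAD, tunnel)
    wire = [wg_wire_size(f, tunnel, ip_version) for f in frags]
    return {
        "tunnel_mtu": tunnel,
        "fragments": frags,
        "wire": wire,
        "efficiency": round(l3_payload / sum(wire), 3),
    }


if __name__ == "__main__":
    # 1480 is the PPPoE underlay MTU quoted in the thread.
    print(eoip_over_wg(1480))
    # Routed L3 traffic sized to the tunnel MTU, for comparison.
    t = wg_mtu(1480)
    print(round(t / wg_wire_size(t, t), 3))
```

On the 1480-byte underlay every full-size bridged frame becomes two WireGuard datagrams, while routed traffic sized to the tunnel MTU fits in one.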