Community discussions

 
User avatar
bneijt
just joined
Topic Author
Posts: 3
Joined: Sun May 06, 2018 12:52 pm
Contact:

[Feature request] Wireguard

Sun May 06, 2018 1:40 pm

I would love to run Wireguard on my Mikrotik and decided, with all the news spread across the forum, to combine some posts in a new thread.


Wireguard is a encrypted tunnel technology, started in 2016 but not 1.0 yet. Wireguard will probably replace OpenVPN which is currencly only partially supported by Mikrotik anyway.
It is already being adopted: easily available in Linux, VPN providers like AzireVPN support it and open source routers like Ubiquity and OpenWRT show good performance.

Mikrotik, being Linux based but closed source, will start supporting it in the future and it may end up in v7. V7 may be an april fools joke from 2014, but it may also be in development for more then 3 years making the feature list very unpredictable at this point.

I have not been able to find any post by a Mikrotik employee on the subject yet, but interesting posts by other users are:
viewtopic.php?f=1&t=45934&p=602377&hili ... rd#p602377
viewtopic.php?f=1&t=45934&p=637573&hili ... rd#p637573
 
zaharmd
just joined
Posts: 2
Joined: Wed Oct 26, 2016 4:43 am

Re: [Feature request] Wireguard

Tue May 08, 2018 6:29 pm

+1 for WireGuard in MikroTik
MTCNA, MTCRE
 
User avatar
nz_monkey
Forum Guru
Forum Guru
Posts: 1767
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya
Contact:

Re: [Feature request] Wireguard

Wed May 09, 2018 11:19 am

+1 from me
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
User avatar
bneijt
just joined
Topic Author
Posts: 3
Joined: Sun May 06, 2018 12:52 pm
Contact:

Re: [Feature request] Wireguard

Tue May 15, 2018 10:21 pm

I did a quick forum review to get a basic timeline we can expect for Wireguard support.

Going by OpenVPN:
In 2004 the first forum request was made for OpenVPN support.
With release 3.0 came the partial implementation there is today, which was around 2007.

The first Wireguard request was around Jun 11, 2017
This would mean that Mikrotik will probably release initial support around 2020
 
xtornado
just joined
Posts: 9
Joined: Sun Mar 07, 2010 8:02 pm

Re: [Feature request] Wireguard

Mon Jul 02, 2018 11:03 am

+1 for wireguard on routeros
 
User avatar
vecernik87
Member Candidate
Member Candidate
Posts: 233
Joined: Fri Nov 10, 2017 8:19 am

Re: [Feature request] Wireguard

Mon Jul 02, 2018 12:44 pm

I cannot imagine adding support before wireguard reach stable realease. Based on other similar requests, i think that mikrotik instantly refuse to implement anything what is alpha/beta stage.
 
R1CH
Long time Member
Long time Member
Posts: 661
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Feature request] Wireguard

Mon Jul 02, 2018 5:35 pm

And please use the reference implementation! I'm getting tired of Mikrotik's re-implementations of software which introduce security bugs and miss important features.
 
andreax
just joined
Posts: 4
Joined: Sat Mar 07, 2015 12:16 pm

Re: [Feature request] Wireguard

Sun Jul 29, 2018 3:48 pm

+1
Waiting for it!
 
User avatar
Jotne
Member
Member
Posts: 475
Joined: Sat Dec 24, 2016 11:17 am

Re: [Feature request] Wireguard

Sun Jul 29, 2018 7:50 pm

I cannot imagine adding support before wireguard reach stable realease.
Agree that MT should not implement it before its stable, but coming with a request now is a good thing.
This will allow MT to test it and make sure it works fine when its stable and release it from day one.
 
Nefraim
just joined
Posts: 8
Joined: Fri Apr 13, 2018 10:01 pm

Re: [Feature request] Wireguard

Wed Aug 01, 2018 7:56 am

Since many of you guys were awaiting for a stable build for Wireguard, today we are even closer to that moment.
Yesterday Jason Donenfeld lead developer submited the required patches for including Wireguard into mainline linux kernels.

More info here http://lkml.iu.edu/hypermail/linux/kern ... 06622.html

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Guess it's time for Mikrotik developers consider including Wireguard in a future release.
We want WPA3 support but also Wireguard support :roll: .
 
User avatar
vecernik87
Member Candidate
Member Candidate
Posts: 233
Joined: Fri Nov 10, 2017 8:19 am

Re: [Feature request] Wireguard

Wed Aug 01, 2018 8:41 am

Just because it gets into linux kernel does not mean it is stable, nor it is ready for implementation. Let me quote their own website:
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.

They are clearly warning AGAINST implementing their code right now. Also it is agreeable that making own implementation is not really efficient. With this in mind, there is simply nothing, what Mikrotik developers could do right now. I already adviced to wait with the request because for now, it is just waste of everyone's time. (including my own, when I have to repeatedly point out that wireguard is barely in experimental stage)
 
ofer
just joined
Posts: 21
Joined: Wed May 23, 2018 11:45 am

Re: [Feature request] Wireguard

Wed Aug 01, 2018 11:20 am

+1 for Wireguard reference as it's currently being reviewed for kernel inclusion
http://lkml.iu.edu/hypermail/linux/kern ... 06622.html
 
Sob
Forum Guru
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Thu Aug 02, 2018 2:34 am

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there's still a chance that Wireguard will be easily portable to older kernels.
 
chrismfz
just joined
Posts: 13
Joined: Sat Apr 07, 2007 6:27 am
Contact:

Re: [Feature request] Wireguard

Fri Aug 03, 2018 7:48 pm

+1 for Wireguard reference as it's currently being reviewed for kernel inclusion
http://lkml.iu.edu/hypermail/linux/kern ... 06622.html
It's coming....

https://www.phoronix.com/scan.php?page= ... -WireGuard

Linus Torvalds Is Hoping WireGuard Will Be Merged Sooner Rather Than Later

But when we gonna see it in Mikrotik ?
 
R1CH
Long time Member
Long time Member
Posts: 661
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Feature request] Wireguard

Mon Aug 06, 2018 5:44 pm

I've been playing around with Wireguard recently and it's so refreshingly simple and fast, it makes setup of a new VPN link so easy. And the fact it uses modern, fast crypto is great - I would love to see this in RouterOS so I can finally ditch ipsec with its huge complexity and outdated crypto.

And even though it won't be hardware accelerated, chacha20-poly1305 is almost 4x faster than software AES on arm architecture!
 
User avatar
space007
just joined
Posts: 22
Joined: Tue Dec 07, 2010 12:30 pm

Re: [Feature request] Wireguard

Thu Aug 09, 2018 8:07 am

+1

After testing ipsec eoip tunnels with Mikrotik, I was deluded of the hw encryption performance. To not mention the marketing hype and the missing replay regarding this issues put fort on the forum.

Although the RosOs was the thing with 2.x-3.x with features required and needed in the networking in that time which give popularity to this company, sadly that is not the case anymore. Hardly there is any new implementation or revolution.

There is more momentum in other products. Now with x86 getting smaller, other router implementations are getting within reach.

Off topic, I know..

Sent from my Moto G (5) Plus using Tapatalk

 
User avatar
Anumrak
Forum Veteran
Forum Veteran
Posts: 855
Joined: Fri Jul 28, 2017 2:53 pm

Re: [Feature request] Wireguard

Fri Aug 10, 2018 12:03 pm

I agree with the implementation of this protocol.
 
pe1chl
Forum Guru
Forum Guru
Posts: 4811
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Fri Aug 10, 2018 12:17 pm

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there's still a chance that Wireguard will be easily portable to older kernels.
For now it looks like the only realistic short-term implementation would be using a user mode daemon just like OpenVPN.
In fact the claims about requirement to have it in the kernel are quite hollow and do not add to the credibility of the developer.
 
florentrivoire
newbie
Posts: 43
Joined: Wed Feb 25, 2015 12:02 pm

Re: [Feature request] Wireguard

Sun Aug 12, 2018 1:33 pm

I would appreciate a lot a Wireguard implementation in RouterOS :)

The advantages that I see for my usage are :
  • it has a simplier VPN configuration
  • it should be faster than OpenVPN (in a single connection setup, where OpenVPN is mono-thread, I'm talking about the other endpoint which is on a Linux for me)
Last edited by florentrivoire on Mon Aug 27, 2018 3:20 pm, edited 1 time in total.
 
radiirr
just joined
Posts: 1
Joined: Tue Nov 28, 2017 9:13 pm

Re: [Feature request] Wireguard

Sun Aug 19, 2018 4:54 pm

+1 :)
 
chiem
just joined
Posts: 17
Joined: Fri Oct 24, 2014 4:48 pm

Re: [Feature request] Wireguard

Thu Aug 23, 2018 9:38 am

+1

Wireguard is supposed to be extremely simple. Please don't take 3+ years to support it.
 
TPecorella
just joined
Posts: 1
Joined: Mon Aug 27, 2018 3:07 pm

Re: [Feature request] Wireguard

Mon Aug 27, 2018 3:08 pm

+ 1, please add support asap
 
User avatar
mozerd
Member Candidate
Member Candidate
Posts: 107
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: [Feature request] Wireguard

Mon Aug 27, 2018 3:35 pm

+1
I have been using wireguard on the Ubiquiti EdgeRouter-Lite and WOW in a site to site scenario -- amazing vpn performance.
I definitely would encourage MikroTik to take a very serious look at this.
 
User avatar
Steveocee
Forum Veteran
Forum Veteran
Posts: 763
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: [Feature request] Wireguard

Mon Aug 27, 2018 11:08 pm

+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
pe1chl
Forum Guru
Forum Guru
Posts: 4811
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Tue Aug 28, 2018 9:27 am

+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".
I rather would love to see MikroTik implement existing and long outstanding feature requests rather than to be swayed by the issues of the day!
 
Sob
Forum Guru
Forum Guru
Posts: 3576
Joined: Mon Apr 20, 2009 9:11 pm

Re: [Feature request] Wireguard

Tue Aug 28, 2018 6:23 pm

@pe1chl: It's generally true, but if this thing can be implemented as easily as authors claim:
WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.
(even though "very few lines of code" sounds a little too optimistic), it might be worth to give it a higher priority. If implementing Wireguard would be easier than finishing OpenVPN implementation (I don't know, might be), I'd say to go for it. Not that it's a dream come true in complete package...

I have mixed feelings about roadwarrior use. It needs only single udp port (great) and even has some kind of roaming (I'm still not decided how much it helps). But inside config (addresses, routes) seems to be intentionally static-only. That's not great, because it means that it's not very usable when there's a lot of users and things can change. On the other hand, it's not much worse than what MikroTik's OpenVPN offers. For small SOHO use it could be good, as it seems to be otherwise quite easy to understand. Even working Windows client already exists.

For site to site, IPSec works great for me, but it's true that I do it mostly with static public addresses. When that's not available, Wireguard could work better. It should also have better performance on devices without HW acceleration. And it would provide interfaces for links, which would make it more clear for a lot of people than current tunnel-mode IPSec (I know about IPIP/GRE/EoIP inside IPSec, but it's extra step).
 
pe1chl
Forum Guru
Forum Guru
Posts: 4811
Joined: Mon Jun 08, 2015 12:09 pm

Re: [Feature request] Wireguard

Tue Aug 28, 2018 7:19 pm

I'm not sure it is so much better than L2TP/IPsec which is proven and has hardware acceleration on a lot of MikroTik routers.
It can also deal with roaming users with dynamic IP, static or dynamic user tunnel addresses, etc.
And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN.

No, for me it is much more important that IPv6 is finally worked on again, and for others a multicore BGP solution is even more important.
Those things should be on top priority for MikroTik to work on (when they are not distracted by security issues), and new features like Wireguard should go below that.
When any work on VPN solutions is to be done, it should be to implement route pushing in existing protocols, according to (de-facto) standards.
When working between MikroTik routers one can use BGP, and I do so, but when using proprietary clients we need e.g. DHCP over L2TP (for Windows) and OpenVPN push route.
 
samael
just joined
Posts: 8
Joined: Tue Jan 01, 2008 1:57 pm
Location: Italy

Re: [Feature request] Wireguard

Thu Sep 06, 2018 10:47 am

+1.
 
flazzarini
just joined
Posts: 19
Joined: Thu Jun 13, 2013 11:05 am

Re: [Feature request] Wireguard

Mon Sep 10, 2018 8:44 pm

+1

Wireguard is so easy to setup and works on so many platforms already. On a side note though if implemented please make it more easier to use DNS names instead of IP addresses.
 
R1CH
Long time Member
Long time Member
Posts: 661
Joined: Sun Oct 01, 2006 11:44 pm

Re: [Feature request] Wireguard

Tue Sep 11, 2018 1:19 am

And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN.
I know it's a lot to hope for, but this could easily be avoided if Mikrotik would stop re-implementing these features themselves and start using the open source implementations directly. They already use Linux kernel (GPL), I really don't see why they are so against using other open source packages and are instead re-inventing them with reduced features and more security bugs.

On that note, a large amount of the Wireguard code operates in the Linux kernel, so in the future if RouterOS upgrades to a modern kernel we could very easily see Wireguard support with minimal work required by Mikrotik since it comes "for free".
 
czb123
just joined
Posts: 2
Joined: Tue Jun 26, 2018 8:59 pm

Re: [Feature request] Wireguard

Mon Sep 24, 2018 11:25 pm

+1 from me
 
ofer
just joined
Posts: 21
Joined: Wed May 23, 2018 11:45 am

Re: [Feature request] Wireguard

Wed Sep 26, 2018 12:15 pm

+1 i hope it'll be included in the next major version
 
denisbondar
just joined
Posts: 2
Joined: Sat Apr 26, 2014 10:50 am

Re: [Feature request] Wireguard

Sun Oct 07, 2018 2:59 pm

+1 for Wireguard

Who is online

Users browsing this forum: avn, sindy, xvo and 49 guests