Hi,

considering a setup where you have a central wireguard concentrator (eg. a ccr2116_12g_4s) where all wireguard road-warriors connect to ( offices spread around the country with no fixed ips). Let's say you have up to 500 branch offices you would like to connect:

When configuring the central device what are the resource and system implications of actually generating a new wg-sub-intrerface per office?
In the end there will be about 500 wg interfaces? Do you have any experience with setups like this and are there any non obvious heads-up?

Thx 1000x,
Mischa

I don't know, good question. I suspect it be worse that the publish IPSec specs since WG has no hardware encryption support. How much, no clue, be curious myself...

I agree, how well it scales is an unknown but concur that sounds like routing with hardware encryption territory.

Don't think I will reach anywhere close to 500, but I am using a RB100AHx4 with ~30 roadwarriors.
The router is interconnected via WG with 45 other Mikrotiks, but traffic is minimal most of the time, with spikes to several hundred Mb/s from each peer twice a day, lasting anywhere from 15 to 30 minutes.
Resource utilization while traffic is under 100 Mb/s is minimal. When pushing close to 600-700 Mb/s WG traffic, my poor 1100AHx4 shows its age and is pretty much maxed out.
WIth no traffic, I see no diference between with or without WG peers.
If you are not going to have large transfers 24/7 between offices, I dare to say a CCR2116 will handle it pretty well.