AmneziaWG in RouterOS?

ppsascha · Thu Apr 11, 2024 10:33 am

Hello everyone! Is there a chance of adding AmneziaWG-protocol in future releases RouterOS? For example Keenetic already added this in beta-release.

Kanzler · Thu Apr 11, 2024 10:51 am

+1
Necessary thing

Thu Apr 11, 2024 11:28 am

It uses Docker and takes a lot of space, it will not fit into most MikroTik routers

ppsascha · Thu Apr 11, 2024 11:54 am

It uses Docker and takes a lot of space, it will not fit into most MikroTik routers

If keenetic who made routers for housewives can do this i can't believe Mikrotik can't.

Maybe at least someone can create a wiki article of how to do this docker and how to configure it in simply words. I found this on github but didn't understand everything...

My RB450Gx4 can handle dockers but it seems i have not enough brains to make it work so i'll be glad to every help to resist censorship.

Also sorry for my english, it's not native language to me.

Thu Apr 11, 2024 11:55 am

Also it says 2GB of RAM is needed for the server

Thu Apr 11, 2024 11:59 am

I found this on github but didn't understand everything...

Looks like it has everything needed. So all you need is a powerful ARM device with enough RAM

ppsascha · Thu Apr 11, 2024 12:15 pm

Also it says 2GB of RAM is needed for the server

My server with 2 dockers (as far as i know new docker is created for every protocol and i have AWG and OpenVPN over Cloak installed) uses 500 Mb

i.png

I found this on github but didn't understand everything...

Looks like it has everything needed. So all you need is a powerful ARM device with enough RAM

Install Docker buildx subsystem

I made it but how to use i can't understand

But that's not the theme of this forum i guess. Probably i have to find someone who can show this to me on fingers.

pimmie · Thu Apr 11, 2024 12:20 pm

Their privacy policy starts with The company Amnezia (hereinafter – the "company", "we", "us"), but nowhere do they seem to give more information about that company, like where are they located (ie under which jurisdiction to they fall)? They say that data can be transferred outside of the EU, but not to which countries. They do say they use Yandex, so I assume they mean that data can be send to Russia?

Unless somebody has already shown that their apps adhere to https://reproducible-builds.org/ I wouldn't put too much trust in them

That said, it would be nice if VPN configurations could be exported through a QR code in ROS.

avacha · Thu Jun 13, 2024 3:13 pm

t uses Docker and takes a lot of space, it will not fit into most MikroTik routers

Sorry guys, I hijack this thread.

Hello, normis. Just do a bit deeper investigate to Amnezia, and found that you already implemented this

. At least, about 95%.
How it can be possible. Well, Amnezia just a little fork of Wireguard. It allow some tuning to prevent, or, at least, make it difficult to chinese great firewall,russian and iraq censorship to shutdown this. And, most important, have a full backward compatibility with standart wireguard. If you don't touch any values and leave itself by default, it works like standart wireguard.

https://github.com/amnezia-vpn/amneziawg-go

AmneziaWG is a fork of the WireGuard protocol. We have taken WireGuard as a basis and made some of its parameters (by which it is usually recognized by DPI systems) configurable, i.e. if we leave these parameters as default (equal to 0), AmneziaWG will work as a normal WireGuard.

AmneziaWG has changed the headers of all packages:
handshake packet (Initiator to Responder),
response packet (Responder to Initiator),
data packet, as well as special packet "Under Load" - by default they are random values, but you can change them in the settings.
Random bytes are added to each auth packet to change its size.

Thus "init and response packets" of the handshake additionally have "garbage" at the beginning of the data, the size of which is determined by the values S1 and S2. By default, the initiating handshake packet has a fixed size (148 bytes), and after adding garbage, its size will be 148 bytes +S1. The values for each packet are different for different users, so it is impossible to write a universal rule for tracking. In order to completely confuse DPI systems, Amnezia sends a certain number of "garbage" packets before starting a session. The number of such packets and their minimum and maximum size in bytes is also set in the settings, by the parameters Jc, Jmin and Jmax.

Chupaka · Fri Jun 14, 2024 12:30 pm

At least, about 95%.

Well, if MikroTik uses native kernel module instead of user-space implementation of WireGuard - then probably less than 95%

anav · Sat Jun 15, 2024 5:43 pm

Interesting concept. If some routers can be set to recognize vlan traffic and this rendition of WG, avoids that detection, would seem to have some value.

RomikB · Mon Jul 22, 2024 4:12 pm

AmneziaWG also have a fork of wireguard linux kernel module.

https://github.com/amnezia-vpn/amneziaw ... nel-module

Differences are very small.

The link in first post is not for AmneziaWG, the correct link is https://docs.amnezia.org/documentation/amnezia-wg/

anav · Tue Jul 23, 2024 3:41 am

MY AV does not like your link!!

RomikB · Sat Jul 27, 2024 9:16 pm

This link https://docs.amnezia.org/documentation/amnezia-wg/ ?
There is a short description of AmneziaWG on the page.
It is basically the same as avacha wrote a couple posts ago.

The main link is https://github.com/amnezia-vpn/amneziaw ... nel-module
This is the source of kernel module based on original wireguard kernel module.

Keenetic add the AmneziaWG support (The WireGuard advanced security configuration (ASC) parameters) to KeeneticOS in 4.2 Alpha 2. https://docs.keenetic.com/eaeu/ultra/kn ... lease.html
It is be great when Mikrotik do it too.

borr · Mon Jul 29, 2024 12:40 pm

I'm with everyone who wants to see this feature added to RouterOS. What's more, if amneziawg already has a native kernel module, then porting it shouldn't take much time or resources. Honestly, I can't even begin to imagine how useful this would be in countries with authoritarian regimes.

optio · Mon Jul 29, 2024 3:59 pm

There is a also a way to tunnel Wireguard trough other protocol obfuscation methods, for eg. Xray, it is possible to run it in ROS container if device has enough powerful CPU. I have setup in container similar to this setup for Linux - https://computerscot.github.io/wireguard-over-xray.html. Xray running in container and it is forwarding port to Wireguard running in ROS which port is not even exposed to WAN, only dstnat for Xray in container - TCP 443. But also it can be used in combination, Wireguard exposed on input for direct connection and forwarding from Xray. This only works for Wireguard clients running on desktop OS'es, since on mobile OS'es doesn't allow multiple VPN's running at same time. Also ti should be possible to connect 2 ROS devices like that, one running Xray server in container, other Xray client...

vldmik · Sun Aug 04, 2024 4:24 pm

+1 for this feature, really interested in it. It would be really cool if this protocol was supported natively

Eugenn · Tue Aug 13, 2024 8:42 am

+1
I want to support the initiative. The improvement doesn't look very complicated, but it will make it possible to bypass blocking

andromed · Sat Aug 24, 2024 10:32 am

+1
I'm also looking forward to native support.

stasnamco · Tue Aug 27, 2024 7:42 am

+1
Very need it

anettoph · Tue Aug 27, 2024 1:51 pm

It uses Docker and takes a lot of space, it will not fit into most MikroTik routers

It has linux-kernel-module fyi

And awg tun interface can be linked to vanilla wireguard:

Jc = 1 ≤ Jc ≤ 128; recommended range is from 3 to 10 inclusive
Jmin = Jmin < Jmax; recommended value is 50
Jmax = Jmin < Jmax ≤ 1280; recommended value is 1000
S1 = 0
S2 = 0
H1 = 1
H2 = 2
H3 = 3
H4 = 4

bunkerfox · Fri Aug 30, 2024 7:46 am

Really needed, will help with remote employees to provide continuous stable communication

MerEsc · Sat Sep 07, 2024 9:56 pm

+1
This feature very useful in non free country and help to bypass VPN blocking.

IsSeMi · Fri Sep 13, 2024 8:56 pm

Hi guys, I'm trying to run the container with amnezia wg. Why do I get error: could not find image manifest in archive. What am I doing wrong?

Byran · Sat Sep 14, 2024 2:53 pm

+1
Perhaps the developers will be able to compile the awg kernel for RoS. It will be very cool, because all VPN protocols that Mikrotik supports already can be blocked by DPI. So if you want to have a VPN tunnel with which the router can work, you need a separate server with this VPN.

killersoft · Sun Sep 15, 2024 5:10 am

Last I checked, there's plenty of vpn or equivalent sneaky ways to get a MT to bypass a state based vpn block, that doesnt require some 'magic' plugin for MT that "would work", but other existing mechanisms already onboard dont...

sequtan · Mon Sep 23, 2024 1:18 pm

+1
I'm also looking forward to native support.

anav · Mon Sep 23, 2024 5:03 pm

Last I checked, there's plenty of vpn or equivalent sneaky ways to get a MT to bypass a state based vpn block, that doesnt require some 'magic' plugin for MT that "would work", but other existing mechanisms already onboard dont...

Please enlighten us as most States have ways of detecting VPN patterns regardless of tricks. This solution seems unique in its ability to appear random.

wiktorbgu · Sat Oct 19, 2024 6:49 pm

https://hub.docker.com/r/wiktorbgu/amneziawg-mikrotik
I compiled the images and wrote instructions for launching.
Works both in client and server mode.
If Mikrotik had also implemented the driver into the kernel, it would have been much better.

elijahwood · Mon Oct 21, 2024 9:24 pm

+1 you just need to allow overriding the standard values of some wg fields in order for amneziawg to work. It's not difficult! We are really waiting

adroman · Wed Oct 23, 2024 6:00 am

anav · Wed Oct 23, 2024 2:19 pm

You know people who join just to PLUS1 this thread are either bots, trolls, or the original poster LOL.............. no one is fooled by this stupidity.

EDIT: the stupidity continues see below.

Vapix · Wed Oct 23, 2024 5:49 pm

dcavni · Sat Oct 26, 2024 3:25 pm

https://hub.docker.com/r/wiktorbgu/amneziawg-mikrotik
I compiled the images and wrote instructions for launching.
Works both in client and server mode.
If Mikrotik had also implemented the driver into the kernel, it would have been much better.

Is there any firewall rule needed to send incoming port 51820 to the VETH IP of the AmneziaWG container? Nothing about that in the manual.

I created VETH 172.17.0.6 with gateway 172.17.0.1 and also added NAT rule, to send incoming packets on 51820 to 51820 on 172.17.0.6 and configured everything as in manual.

I'm trying to get this to work, but no luck for now. I can see incoming packets on 51820 if i add rule in Firewall NAT, but nothing afterwards.

Trying to help a friend who want's to watch home television (SLO) when he works all over the world and also in Russia, but no luck for now. All other protocols are practicaly cripled and unusable there.

mada3k · Sat Oct 26, 2024 4:34 pm

yet another properitary shortlived VPN solution - no thanks.

anav · Sun Oct 27, 2024 2:51 am

yet another properitary shortlived VPN solution - no thanks.

sounds like a shortsighted opinion............. the concept has validity whether or not we will ever see a viable rendition is anyones guess.

dcavni · Wed Oct 30, 2024 11:56 am

I added this in awg0.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = 2ONX7xNsinRtVLG5STJwGkA1T57sX1SJ8Sy898rB6Us=
Jc = 4
Jmin = 50
Jmax = 1000
S1 = 146
S2 = 42
H1 = 532916466
H2 = 2096090865
H3 = 406337014
H4 = 57583056

# Add IP masquerading
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Del IP masquerading
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = kY6T9/56TWyaWg2uKIZynED7uOdJWR5ygOyG60OEZHA=
AllowedIPs = 10.0.0.2/32

And this in awg.conf

[Interface]
PrivateKey = sFMkMpJqU+8fzsKFiUvmZs64GzpafAPDJgSlil9HslE=
Address = 10.0.0.2/24
DNS = 8.8.8.8, 1.1.1.1
MTU = 1440
Jc = 6
Jmin = 50
Jmax = 1000
S1 = 0
S2 = 0
H1 = 1
H2 = 2
H3 = 3
H4 = 4

# Add IP masquerading
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
# Del IP masquerading
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE

# Replace 192.168.254.1 with your router IP address in the bridge where the container is located
# exclude local networks
PreUp = ip route add 10.0.0.0/8 via 192.168.254.1 dev eth0

# Here is the IP of the Endpoint
PreUp = ip route add IP via 192.168.254.1 dev eth0

[Peer]
PublicKey = z7tnHzJqSqwtkt4MiqfoQAZW4f5YM0JUR3elbOr8bh0=
AllowedIPs =  0.0.0.0/1, 128.0.0.0/1 # don't use 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = IP:51820

also i added firewall rule, that sends all packets comming in on 51820 to VETH IP of AmneziaWG

add action=dst-nat chain=dstnat comment=AmneziaTEST dst-port=51820 in-interface=ether1 protocol=udp to-addresses=172.17.0.6 to-ports=51820

Test client is a HapAX Lite LTE6 on mobile network.

Trying to ping server from client... nothing

[admin@MikroTik] > /container shell 0
MikroTik:/# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1): 56 data bytes
^C

Also i tried with this on my phone with Amnezia app and found Handshake did not complete after 5 seconds somewhere in logs.

[Interface]
PrivateKey = sFMkMpJqU+8fzsKFiUvmZs64GzpafAPDJgSlil9HslE=
Address = 10.0.0.2/24
ListenPort = 51820
DNS = 10.0.0.1
MTU = 1440
Jc = 6
Jmin = 50
Jmax = 1000
S1 = 0
S2 = 0
H1 = 1
H2 = 2
H3 = 3
H4 = 4

[Peer]
PublicKey = z7tnHzJqSqwtkt4MiqfoQAZW4f5YM0JUR3elbOr8bh0=
AllowedIPs =  0.0.0.0/1, 128.0.0.0/1
Endpoint = X.sn.mynetname.net:51820

ifconfig on server:

[admin@MikroTik] > /container shell 4
MikroTik:/# ifconfig
awg0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.0.0.1  P-t-P:10.0.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:588 (588.0 B)

eth0      Link encap:Ethernet  HWaddr 7E:52:ED:6D:79:4F  
          inet addr:172.17.0.6  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::7c52:edff:fe6d:794f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:160861 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:39345228 (37.5 MiB)  TX bytes:71888 (70.2 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:25 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2658 (2.5 KiB)  TX bytes:2658 (2.5 KiB)

ifconfig on client:

[admin@MikroTik] > /container shell 0
MikroTik:/# ifconfig
awg       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-0
0  
          inet addr:10.0.0.2  P-t-P:10.0.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1440  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr A6:63:14:35:17:B7  
          inet addr:192.168.254.4  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::a463:14ff:fe35:17b7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:56128 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69314 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2742689 (2.6 MiB)  TX bytes:34784346 (33.1 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Any idea what i am doing wrong, wiktorbgu or anyone else?

ali321 · Fri Nov 01, 2024 2:32 pm

I have the same problem, it's necessary feature to add on routeros

Nartov · Wed Nov 06, 2024 8:45 am

I confirm that Amnesia WG is running on Keenetic and DPI does not detect packets. I would really like to implement it on Mikrotik.

Anastasia · Thu Nov 07, 2024 5:31 pm

It's a big mystery to me why the company hasn't added this protocol AmneziaWG to its products yet. to implement this protocol you need a minimum of effort, and the benefit will be colossal. I think marketers should be fired because they do not understand the market requirements and are poorly oriented in the needs of users. If you have the opportunity, write to the company at support@mikrotik.com and say that you need to have this protocol, they do not read this forum and it will not help us what we write here.

Nartov · Fri Nov 08, 2024 10:37 am

I wrote in support and even gave a link to this topic in the text of the letter here.

dcavni · Sun Nov 10, 2024 3:41 pm

So, after some help from wiktorbgu we managed to get this docker instance working using following options:

awg.conf

[Interface]
PrivateKey = sFMkMpJqU+8fzsKFiUvmZs64GzpafAPDJgSlil9HslE=
Address = 10.0.0.2/24
MTU = 1440
Jc = 4
Jmin = 50
Jmax = 1000
S1 = 146
S2 = 42
H1 = 532916466
H2 = 2096090865
H3 = 406337014
H4 = 57583056


# Add IP masquerading
PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
# Del IP masquerading
PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE

Table = awg
PostUp = ip rule add priority 300 from all iif eth0 lookup awg || true
PostDown = ip rule del from all iif eth0 lookup awg || true

[Peer]
PublicKey = z7tnHzJqSqwtkt4MiqfoQAZW4f5YM0JUR3elbOr8bh0=
AllowedIPs =  0.0.0.0/1, 128.0.0.0/1 # don't use 0.0.0.0/0
PersistentKeepalive = 25
Endpoint = *.sn.mynetname.net:51820

Replace * with your DNS name.

This is for server, awg0.conf

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = 2ONX7xNsinRtVLG5STJwGkA1T57sX1SJ8Sy898rB6Us=
Jc = 4
Jmin = 50
Jmax = 1000
S1 = 146
S2 = 42
H1 = 532916466
H2 = 2096090865
H3 = 406337014
H4 = 57583056

# Add IP masquerading
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Del IP masquerading
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

Table = awg
PostUp = ip rule add priority 300 from all iif eth0 lookup awg || true
PostDown = ip rule del from all iif eth0 lookup awg || true

[Peer]
PublicKey = kY6T9/56TWyaWg2uKIZynED7uOdJWR5ygOyG60OEZHA=
AllowedIPs = 0.0.0.0/0

VVL · Thu Nov 28, 2024 10:48 am

Hello! I wrote to technical support and received the following response:

Hello,

Thank you for contacting MikroTik Support.

We do not have any plans to add such a feature at the moment, but if more users will request it, we will see how this can be implemented.

Best regards,

Therefore, if you are interested in adding the protocol, also write to technical support with a request to add amneziawg

obscurus · Tue Jan 07, 2025 3:12 pm

https://hub.docker.com/r/wiktorbgu/amneziawg-mikrotik
I compiled the images and wrote instructions for launching.
Works both in client and server mode.
If Mikrotik had also implemented the driver into the kernel, it would have been much better.

On my Mikrotik RB5009, your container started without problems, but on the Mikrotik CHR it doesn't start. Start and immediately stop occurs without recording in the logs. I think it's because i need an amd64 docker image. Please add an amd64 image.

wiktorbgu · Tue Jan 07, 2025 3:42 pm

Please add an amd64 image.

Initially, everything is done and tested for all Mikrotik arm, arm64 and amd64.
https://hub.docker.com/r/wiktorbgu/amne ... rotik/tags

obscurus · Wed Jan 08, 2025 11:29 am

Yes, you're right, I didn't see this tag.sorry
Your container starts only if there is a 'usb1' root folder in the files didectory.
For example if dir is '/usb1/docker/pull' - all is ok, if dir is '/docker/pull' - image not starting.
I think there is no need to set the 'usb1' root directory in Mikrotik CHR....but for this image it is necessary.