[Feature request] Wireguard

bneijt · Sun May 06, 2018 1:40 pm

I would love to run Wireguard on my Mikrotik and decided, with all the news spread across the forum, to combine some posts in a new thread.

Wireguard is a encrypted tunnel technology, started in 2016 but not 1.0 yet. Wireguard will probably replace OpenVPN which is currencly only partially supported by Mikrotik anyway.
It is already being adopted: easily available in Linux, VPN providers like AzireVPN support it and open source routers like Ubiquity and OpenWRT show good performance.

Mikrotik, being Linux based but closed source, will start supporting it in the future and it may end up in v7. V7 may be an april fools joke from 2014, but it may also be in development for more then 3 years making the feature list very unpredictable at this point.

I have not been able to find any post by a Mikrotik employee on the subject yet, but interesting posts by other users are:
viewtopic.php?f=1&t=45934&p=602377&hili ... rd#p602377
viewtopic.php?f=1&t=45934&p=637573&hili ... rd#p637573

zaharmd · Tue May 08, 2018 6:29 pm

+1 for WireGuard in MikroTik

Wed May 09, 2018 11:19 am

+1 from me

bneijt · Tue May 15, 2018 10:21 pm

I did a quick forum review to get a basic timeline we can expect for Wireguard support.

Going by OpenVPN:
In 2004 the first forum request was made for OpenVPN support.
With release 3.0 came the partial implementation there is today, which was around 2007.

The first Wireguard request was around Jun 11, 2017
This would mean that Mikrotik will probably release initial support around 2020

xtornado · Mon Jul 02, 2018 11:03 am

+1 for wireguard on routeros

vecernik87 · Mon Jul 02, 2018 12:44 pm

I cannot imagine adding support before wireguard reach stable realease. Based on other similar requests, i think that mikrotik instantly refuse to implement anything what is alpha/beta stage.

R1CH · Mon Jul 02, 2018 5:35 pm

And please use the reference implementation! I'm getting tired of Mikrotik's re-implementations of software which introduce security bugs and miss important features.

andreax · Sun Jul 29, 2018 3:48 pm

+1
Waiting for it!

Jotne · Sun Jul 29, 2018 7:50 pm

I cannot imagine adding support before wireguard reach stable realease.

Agree that MT should not implement it before its stable, but coming with a request now is a good thing.
This will allow MT to test it and make sure it works fine when its stable and release it from day one.

Nefraim · Wed Aug 01, 2018 7:56 am

Since many of you guys were awaiting for a stable build for Wireguard, today we are even closer to that moment.
Yesterday Jason Donenfeld lead developer submited the required patches for including Wireguard into mainline linux kernels.

More info here http://lkml.iu.edu/hypermail/linux/kern ... 06622.html

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Guess it's time for Mikrotik developers consider including Wireguard in a future release.
We want WPA3 support but also Wireguard support

.

vecernik87 · Wed Aug 01, 2018 8:41 am

Just because it gets into linux kernel does not mean it is stable, nor it is ready for implementation. Let me quote their own website:

WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come. There are experimental snapshots tagged with "0.0.YYYYMMDD", but these should not be considered real releases and they may contain security vulnerabilities (which would not be eligible for CVEs, since this is pre-release snapshot software). If you are packaging WireGuard, you must keep up to date with the snapshots.

They are clearly warning AGAINST implementing their code right now. Also it is agreeable that making own implementation is not really efficient. With this in mind, there is simply nothing, what Mikrotik developers could do right now. I already adviced to wait with the request because for now, it is just waste of everyone's time. (including my own, when I have to repeatedly point out that wireguard is barely in experimental stage)

ofer · Wed Aug 01, 2018 11:20 am

+1 for Wireguard reference as it's currently being reviewed for kernel inclusion
http://lkml.iu.edu/hypermail/linux/kern ... 06622.html

Sob · Thu Aug 02, 2018 2:34 am

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.

Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there's still a chance that Wireguard will be easily portable to older kernels.

chrismfz · Fri Aug 03, 2018 7:48 pm

+1 for Wireguard reference as it's currently being reviewed for kernel inclusion
http://lkml.iu.edu/hypermail/linux/kern ... 06622.html

It's coming....

https://www.phoronix.com/scan.php?page= ... -WireGuard

Linus Torvalds Is Hoping WireGuard Will Be Merged Sooner Rather Than Later

But when we gonna see it in Mikrotik ?

R1CH · Mon Aug 06, 2018 5:44 pm

I've been playing around with Wireguard recently and it's so refreshingly simple and fast, it makes setup of a new VPN link so easy. And the fact it uses modern, fast crypto is great - I would love to see this in RouterOS so I can finally ditch ipsec with its huge complexity and outdated crypto.

And even though it won't be hardware accelerated, chacha20-poly1305 is almost 4x faster than software AES on arm architecture!

space007 · Thu Aug 09, 2018 8:07 am

+1

After testing ipsec eoip tunnels with Mikrotik, I was deluded of the hw encryption performance. To not mention the marketing hype and the missing replay regarding this issues put fort on the forum.

Although the RosOs was the thing with 2.x-3.x with features required and needed in the networking in that time which give popularity to this company, sadly that is not the case anymore. Hardly there is any new implementation or revolution.

There is more momentum in other products. Now with x86 getting smaller, other router implementations are getting within reach.

Off topic, I know..

Sent from my Moto G (5) Plus using Tapatalk

Anumrak · Fri Aug 10, 2018 12:03 pm

I agree with the implementation of this protocol.

pe1chl · Fri Aug 10, 2018 12:17 pm

While it's to late to include into Linux 4.19 which should arrive quite soon, we could see it in the next linux kernel builds.
Now the interesting question is when RouterOS gets to use that future kernel with Wireguard. So far it looks like when MikroTik likes a version, they stick with it for quite some time. But there's still a chance that Wireguard will be easily portable to older kernels.

For now it looks like the only realistic short-term implementation would be using a user mode daemon just like OpenVPN.
In fact the claims about requirement to have it in the kernel are quite hollow and do not add to the credibility of the developer.

florentrivoire · Sun Aug 12, 2018 1:33 pm

I would appreciate a lot a Wireguard implementation in RouterOS

The advantages that I see for my usage are :

it has a simplier VPN configuration
it should be faster than OpenVPN (in a single connection setup, where OpenVPN is mono-thread, I'm talking about the other endpoint which is on a Linux for me)

radiirr · Sun Aug 19, 2018 4:54 pm

chiem · Thu Aug 23, 2018 9:38 am

+1

Wireguard is supposed to be extremely simple. Please don't take 3+ years to support it.

TPecorella · Mon Aug 27, 2018 3:08 pm

+ 1, please add support asap

mozerd · Mon Aug 27, 2018 3:35 pm

+1
I have been using wireguard on the Ubiquiti EdgeRouter-Lite and WOW in a site to site scenario -- amazing vpn performance.
I definitely would encourage MikroTik to take a very serious look at this.

Steveocee · Mon Aug 27, 2018 11:08 pm

+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".

pe1chl · Tue Aug 28, 2018 9:27 am

+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".

I rather would love to see MikroTik implement existing and long outstanding feature requests rather than to be swayed by the issues of the day!

Sob · Tue Aug 28, 2018 6:23 pm

@pe1chl: It's generally true, but if this thing can be implemented as easily as authors claim:

WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities.

(even though "very few lines of code" sounds a little too optimistic), it might be worth to give it a higher priority. If implementing Wireguard would be easier than finishing OpenVPN implementation (I don't know, might be), I'd say to go for it. Not that it's a dream come true in complete package...

I have mixed feelings about roadwarrior use. It needs only single udp port (great) and even has some kind of roaming (I'm still not decided how much it helps). But inside config (addresses, routes) seems to be intentionally static-only. That's not great, because it means that it's not very usable when there's a lot of users and things can change. On the other hand, it's not much worse than what MikroTik's OpenVPN offers. For small SOHO use it could be good, as it seems to be otherwise quite easy to understand. Even working Windows client already exists.

For site to site, IPSec works great for me, but it's true that I do it mostly with static public addresses. When that's not available, Wireguard could work better. It should also have better performance on devices without HW acceleration. And it would provide interfaces for links, which would make it more clear for a lot of people than current tunnel-mode IPSec (I know about IPIP/GRE/EoIP inside IPSec, but it's extra step).

pe1chl · Tue Aug 28, 2018 7:19 pm

I'm not sure it is so much better than L2TP/IPsec which is proven and has hardware acceleration on a lot of MikroTik routers.
It can also deal with roaming users with dynamic IP, static or dynamic user tunnel addresses, etc.
And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN.

No, for me it is much more important that IPv6 is finally worked on again, and for others a multicore BGP solution is even more important.
Those things should be on top priority for MikroTik to work on (when they are not distracted by security issues), and new features like Wireguard should go below that.
When any work on VPN solutions is to be done, it should be to implement route pushing in existing protocols, according to (de-facto) standards.
When working between MikroTik routers one can use BGP, and I do so, but when using proprietary clients we need e.g. DHCP over L2TP (for Windows) and OpenVPN push route.

samael · Thu Sep 06, 2018 10:47 am

flazzarini · Mon Sep 10, 2018 8:44 pm

+1

Wireguard is so easy to setup and works on so many platforms already. On a side note though if implemented please make it more easier to use DNS names instead of IP addresses.

R1CH · Tue Sep 11, 2018 1:19 am

And we already know what happens when MikroTik quickly implement a protocol which then later continues to develop independently... see OpenVPN.

I know it's a lot to hope for, but this could easily be avoided if Mikrotik would stop re-implementing these features themselves and start using the open source implementations directly. They already use Linux kernel (GPL), I really don't see why they are so against using other open source packages and are instead re-inventing them with reduced features and more security bugs.

On that note, a large amount of the Wireguard code operates in the Linux kernel, so in the future if RouterOS upgrades to a modern kernel we could very easily see Wireguard support with minimal work required by Mikrotik since it comes "for free".

czb123 · Mon Sep 24, 2018 11:25 pm

+1 from me

ofer · Wed Sep 26, 2018 12:15 pm

+1 i hope it'll be included in the next major version

denisbondar · Sun Oct 07, 2018 2:59 pm

+1 for Wireguard

bakshtay · Thu Nov 08, 2018 11:57 am

+1 for wireguard on routeros

moneron · Thu Nov 08, 2018 3:34 pm

I think this is a good idea.
+1 for WireGuard.

shopping · Wed Nov 14, 2018 7:17 pm

+1 wireguard asap

SaurVLZ · Mon Dec 10, 2018 7:44 pm

+1 for Wireguard

dakobg · Tue Dec 11, 2018 9:00 am

+1

Изпратено от моят SM-G903F с помощта на Tapatalk

32768 · Mon Dec 31, 2018 3:52 pm

+1 for Wireguard

BDF · Mon Jan 07, 2019 11:18 am

+1 for WG

pioh · Wed Jan 09, 2019 12:07 pm

+1 for Wireguard

wwek · Fri Jan 18, 2019 10:11 am

+1 for WireGuard in MikroTik

nik3600 · Mon Jan 21, 2019 3:56 pm

+1 for WireGuard

pe1chl · Mon Jan 21, 2019 5:54 pm

There is no need for posting "+1 for wireguard".
It is wellknown from other topics that this has ZERO effect on it getting implemented.
I think you better contact sales with a use case and projected number of sold units.

Chexov · Sat Jan 26, 2019 11:40 am

+1 for WireGuard

kumos · Thu Jan 31, 2019 1:24 pm

+1 за WireGuard

wfalcon · Thu Feb 07, 2019 3:46 pm

+1 For WireGuard

Thu Feb 07, 2019 3:50 pm

Well ... https://www.phoronix.com/scan.php?page= ... ot-In-4.20

Sob · Thu Feb 07, 2019 3:57 pm

So you already have new RouterOS with kernel 4.20, but that's too bad Wireguard isn't there, therefore it can't be in RouterOS yet. I'm wondering if I'm reading it right.

mkx · Thu Feb 07, 2019 4:05 pm

Too bad ROS 7 doesn't support DKMS kernel modules

pe1chl · Thu Feb 07, 2019 4:19 pm

Wireguard does not need to be in the kernel, it can be implemented in a user process.

Kaeltis · Mon Feb 11, 2019 8:23 pm

Would love to see official wireguard support as well.

Quasar · Mon Feb 11, 2019 8:33 pm

Well ... https://www.phoronix.com/scan.php?page= ... ot-In-4.20

By the time we get v7 it'll be merged

Wireguard does not need to be in the kernel, it can be implemented in a user process.

One of the selling points is performance. Especially on embedded devices userspace is not okay.

Tue Feb 12, 2019 10:05 pm

One of the selling points is performance. Especially on embedded devices userspace is not okay.

Most high performance packet forwarding is done in user space!

Check out VPP, DPDK and OFP

Quasar · Sat Feb 16, 2019 7:47 pm

One of the selling points is performance. Especially on embedded devices userspace is not okay.
Most high performance packet forwarding is done in user space!

Check out VPP, DPDK and OFP

Well, that's cheating in the sense that it's accompanied by drivers allowing you to bypass the kernel stack and write a tailored userspace processing application.

It doesn't hold for a naive userspace application (such as the Golang Wireguard implementation). I'm sure you could make it fly in userspace using DPDK, but that's besides the point

Kampfwurst · Thu Feb 21, 2019 1:00 pm

+1 from my side

marcrisse · Fri Mar 08, 2019 1:08 pm

+1 from me

I hate running Linux-VMs behind all my Mikrotik-Devices only for WG!

Anastasia · Mon Mar 11, 2019 9:10 pm

+1
it will soon be added to the linux kernel and it will become the VPN standard

mms101 · Tue Mar 12, 2019 11:35 pm

+1 from me.

limaunion · Thu Mar 28, 2019 12:50 pm

BG4DRL · Tue Apr 02, 2019 7:28 pm

+1
Waiting

pe1chl · Wed Apr 03, 2019 12:10 pm

+1
Waiting

I don't recommend that! Users requesting updates in OpenVPN have been waiting for over 5 years already...

Sob · Wed Apr 03, 2019 5:55 pm

So what's the best plan? Pleas, prayers, bribes, threats, ...?

pe1chl · Wed Apr 03, 2019 11:20 pm

So what's the best plan? Pleas, prayers, bribes, threats, ...?

A Raspberry Pi or similar to handle the features you wish to be in RouterOS but never appear...

Paternot · Thu Apr 04, 2019 12:58 am

So what's the best plan? Pleas, prayers, bribes, threats, ...?
A Raspberry Pi or similar to handle the features you wish to be in RouterOS but never appear...

That's quite cumbersome. Maybe a short term solution - but complaining is a long term solution. How can Mikrotik knows what we want, if no one speaks?

True, they don't always implement it. But we try.

pe1chl · Thu Apr 04, 2019 12:00 pm

They should implement the feature to allow user processes to run on a router in a chroot jail under nonprivileged
router, with only network interfaces imported via sockets (tun/tap or listening sockets for specific ports), similar
to the concept of MetaROUTER found on old models, but much lighter (just a user process instead of full virtualisation).
This allows third parties to add functionality that the company itself does not have resources to develop, like a better
OpenVPN and also a user-mode implementation of Wireguard (which will of course work just fine, don't believe those that
claim it can only be done in the kernel!)
Also other things, like a full-featured DNS server, a webserver, and other things we have been asking about for many
years but that never arrive.
There is no need to open up RouterOS for this, and should it expose security problems that is only good because those
would have bitten us sometime anyway.

reinerotto · Sun Apr 07, 2019 11:33 pm

Why so complicated ?
Use MT for "plain and simple" routing/networking.
And an openwrt-box for the missing functions, like wireguard, squid proxy, nginx web server etc.
Or, just use openwrt devices for routing/networking, too.

Sob · Mon Apr 08, 2019 5:21 am

It depends. If you're big business, then get routers for routing and dedicated servers for other stuff. It's the right way, and costs (both for buying all devices and taking care of them) won't be a problem for you. If you're extreme hobbyist, then get your 10+ different devices, create all kinds of servers and have great fun with them.

But anyone in betweeen (SOHO, etc) wants one device for all basic stuff. Full-blown Linux distribution (OpenWrt also qualifies) is one possible way, there are no limits what you can do with that, but it's also too complicated for most. RouterOS (and mainly WinBox) found the perfect spot. It gives you less freedom compared to Linux, but it's as friedly as it can be, while still remaining powerful enough. It's just awesome.

Unfortunately, sometimes it's not enough, and you may want a little bit more. But if RouterOS device provides >90% of what you need, getting another device for the rest is something you'd rather avoid. Realistically, MikroTik can't add all possible features, that's clear. There is/was MetaRouter, but it seems like a dead end now. And it was too heavy anyway. Something lighter as suggested by @pe1chl (and I suggested it in the past too) could be the solution that could make most people happy.

My only fear is that it could enable MikroTik to become "lazy" and refuse to implement some features, because "hey, we don't want to bother, when there's already a third-party package for that", even though it can be some half-working thing. I'd really like to have something like this as a way how to add some really exotic stuff that MikroTik would never add. But things like Wireguard should eventually be directly in RouterOS and supported by MikroTik.

robertpenz · Wed Apr 10, 2019 8:44 pm

We did some performance Tests with Wireguard and man it is faster than any other VPN with much less CPU load! And for Android Phones the battery is not used more than without VPN, which is not true for all other VPNs - It makes a VPN almost transparent performance wise. Please implement!!

mutinsa · Mon May 06, 2019 11:31 am

ErfanDL · Mon May 06, 2019 2:38 pm

Now you can install wireguard on any linux with pihole.
https://www.reddit.com/r/pihole/comment ... wireguard/

Sent from my C6833 using Tapatalk

anav · Mon May 06, 2019 8:05 pm

Thanks Erfan, are you saying I can attach my pi-hole to a port on my MT router and have it act as my wifeguard server (and then connect to it from my iphone for example)?
I hope the pi-hole works better on this then it did for me on DNS. I ended up bypassing the pi-hole and router DNS and now strictly use public DNS servers, otherwise too many funky DNS things were happening and I couldnt sort them out.

Samot · Thu May 09, 2019 3:26 pm

Soooo, we're all begging for Mikrotik to implement something that has never (in 2.5 years) hit an actual v1 release or anything stable. It's also a project surviving off of VC funding so what happens when their next round comes up with a goose egg?

Funny considering how much people complain about Mikrotik already having things in it that are incomplete and/or don't follow current standards, etc..

anav · Thu May 09, 2019 8:58 pm

"+1 for pe1chi" suggestion to stop posting +1 WG LOL. Shit I just posted it anyway!

sindy · Thu May 09, 2019 10:22 pm

"+1 for pe1chi" suggestion to stop posting +1

Except that his suggestion was to stop waiting, not stop posting +1

msatter · Mon May 13, 2019 12:29 pm

Wireguard was tested by INRIA

Source: https://www.security.nl/posting/608796/ ... eGuard-vpn

Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol derived from the Noise Protocol Framework. This paper presents the first mechanised cryptographic proof of the protocol underlying WireGuard, using the CryptoVerif proof assistant. We analyse the entire WireGuard protocol as it is, including transport data messages, in an ACCE-style model. We contribute proofs for correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay attacks. We also discuss the strength of the identity hiding provided by WireGuard. Our work also provides novel theoretical contributions that are reusable beyond WireGuard. First, we extend CryptoVerif to account for the absence of public key validation in popular Diffie-Hellman groups like Curve25519, which is used in many modern protocols including WireGuard. To our knowledge, this is the first mechanised cryptographic proof for any protocol employing such a precise model. Second, we prove several indifferentiability lemmas that are useful to simplify the proofs for sequences of key derivations.

Complete results: https://hal.inria.fr/hal-02100345

anthonws · Mon May 13, 2019 1:19 pm

Wireguard was tested by INRIA

Source: https://www.security.nl/posting/608796/ ... eGuard-vpn

Abstract : WireGuard is a free and open source Virtual Private Network (VPN) that aims to replace IPsec and OpenVPN. It is based on a new cryptographic protocol derived from the Noise Protocol Framework. This paper presents the first mechanised cryptographic proof of the protocol underlying WireGuard, using the CryptoVerif proof assistant. We analyse the entire WireGuard protocol as it is, including transport data messages, in an ACCE-style model. We contribute proofs for correctness, message secrecy, forward secrecy, mutual authentication, session uniqueness, and resistance against key compromise impersonation, identity mis-binding, and replay attacks. We also discuss the strength of the identity hiding provided by WireGuard. Our work also provides novel theoretical contributions that are reusable beyond WireGuard. First, we extend CryptoVerif to account for the absence of public key validation in popular Diffie-Hellman groups like Curve25519, which is used in many modern protocols including WireGuard. To our knowledge, this is the first mechanised cryptographic proof for any protocol employing such a precise model. Second, we prove several indifferentiability lemmas that are useful to simplify the proofs for sequences of key derivations.

Complete results: https://hal.inria.fr/hal-02100345

WireGuard is vaporware and Mikrotik knows that pretty darn well! Hence why they are not doing anything in regards to it.

Just look at Ubiquiti... They got community support, from the main developer of WG back in 2017!! https://community.ubnt.com/t5/EdgeRoute ... -p/1904764

What a waste of time and energy... None of this is standard stuff and due to that all of their users are miserable because they can now run new-gen VPNs... After a while a new feeling hit them! They are now missing their dearly PPTP and OpenVPN (not a hacked version from Ubiquiti of course!)...

They even started a PPTP + OpenVPN movement! "Make PPTP & OpenVPN Great Again!"

/S

phouzva · Fri May 24, 2019 3:09 pm

aaronvonawesome · Sat May 25, 2019 8:10 pm

Would love to see official wireguard support as well.

+1

m4dmike · Wed Jun 19, 2019 10:07 am

+1 for Wireguard

marcrisse · Wed Jun 19, 2019 11:34 am

+1 and €100 for coffee

schose · Fri Jun 21, 2019 1:31 am

+1 and a good bottle of german schnaps

huntermic · Fri Jun 28, 2019 11:32 am

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection

anav · Fri Jun 28, 2019 2:12 pm

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection

Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??

huntermic · Fri Jun 28, 2019 2:46 pm

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??

I'm using it in a roadwarrior setup so for instance when i'm at work i can use my home nas at full speed, so i'm talking about 500Mbit inside the tunnel

mwittchen · Mon Aug 19, 2019 1:10 pm

+1 and a good bottle of german schnaps

+1

metalcated · Thu Aug 29, 2019 6:05 pm

Waiting for this too! Right now I am running a WG Server on a VM in my basement rack and its pretty darn nice.

Any Linux folks out there who are running it and want a simple GUI --> https://github.com/metalcated/Wireguard-Bravo (more development to happen soon hopefully as I have time).

Going to watch this thread and pray it comes soon!

Thanks

Grosen · Sat Sep 07, 2019 8:26 am

definitively +1

Lebzul · Sun Sep 08, 2019 5:46 am

Thanks Erfan, are you saying I can attach my pi-hole to a port on my MT router and have it act as my wifeguard server (and then connect to it from my iphone for example)?
I hope the pi-hole works better on this then it did for me on DNS. I ended up bypassing the pi-hole and router DNS and now strictly use public DNS servers, otherwise too many funky DNS things were happening and I couldnt sort them out.

I'd like to have a "wife"guard too. (Just joking)

+1

netflow · Sun Sep 15, 2019 11:34 am

+1 for Wireguard in ROS. A good, fast, secure built-in vpn is a must!
Also interested by some community driven plugins. I cannot consider metarouter as an usable solution. It would require more flash on device, broader architecture support and then it is still a burden to manage additional vm and config!

sindy · Sun Sep 15, 2019 12:05 pm

Also interested by some community driven plugins.

That's against the idea of RouterOS. If you want 3rd party plugins, go OpenWRT (which is available even for some Mikrotik hardware) and forget about manufacturer's responsibility. If you want manufacturer's responsibility for the product, stay RouterOS and forget about 3rd party plugins. There is no middle way.

pe1chl · Sun Sep 15, 2019 1:17 pm

I don't consider that really true, there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process.
But apparently MikroTik is not interested in doing this.

sindy · Sun Sep 15, 2019 1:39 pm

there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process.

I may be old-fashioned but I still perceive Mikrotik as a router, not an application server. So I can imagine e.g. a more flexible DNS process running in a sandbox, but not processes directly involved in packet forwarding, such as stacks implementing new routing protocols or new VPN types. Leaving aside things like hardware encryption for other VPN types than IPsec (OpenVPN, SSTP to stay with those currently implemented) which might be really useful for some but I cannot imagine sandboxing them.

vigor5 · Wed Sep 25, 2019 11:22 am

Waiting for this too

avacha · Thu Sep 26, 2019 9:54 am

I'm also interesting about Wireguard impementation in Mikrotik devices.

P.S. Yesterday Cloudflare release free VPN service:

WARP is an ambitious project. We set out to secure Internet connections from mobile devices to the edge of Cloudflare's network. In doing so, however, we didn't want to slow devices down or burn excess battery. We wanted it to just work. We also wanted to bet on the technology of the future, not the technology of the past. Specifically, we wanted to build not around legacy protocols like IPsec, but instead around the hyper-efficient WireGuard protocol.

Intnernetz · Thu Oct 24, 2019 9:26 am

anav · Thu Oct 24, 2019 4:22 pm

I'm also interesting about Wireguard implementation in Mikrotik devices.

P.S. Yesterday Cloudflare release free VPN service:
WARP is an ambitious project. We set out to secure Internet connections from mobile devices to the edge of Cloudflare's network. In doing so, however, we didn't want to slow devices down or burn excess battery. We wanted it to just work. We also wanted to bet on the technology of the future, not the technology of the past. Specifically, we wanted to build not around legacy protocols like IPsec, but instead around the hyper-efficient WireGuard protocol.

Very Interesting and thanks. Within the last year I added wireguard to my cell phone and streaming devices for fun. Seeing as cloudfare uses wireguard (which is not a surprise) I have deleted most if not all other VPNs i have been experimenting with, save wireguard (solely kept for source country changes although rarely required). Initial results for the WARP service are very good in terms of throughput. I have been trying to clean up my apps and just deleted 3 for 1.

+1 for adding wireguard for a method of VPN for mikrotik aka another protocol to choose from in the mix.

There is a bit of technical blog which was dumbed down enough for me to read it......
https://blog.cloudflare.com/warp-technical-challenges/

msatter · Wed Nov 06, 2019 3:56 pm

NordVPN does now support Wireguard since a while and it would be great if RouterOS 7 would going to support Wireguard while that is also is still in development.

NordVPN have added a 'double NAT' at their side to improve anonymity of the customer.

And we found it. We developed something called a double NAT (Network Address Translation) system.

To put it simply, the double NAT system creates two local network interfaces for each user. The first interface assigns a local IP address to all users connected to a server. Unlike in the original WireGuard protocol, each user gets the same IP address.

Once a VPN tunnel is established, the second network interface with a dynamic NAT system kicks in. The system assigns a unique IP address for each tunnel. This way, internet packets can travel between the user and their desired destination without getting mixed up.

Source: https://nordvpn.com/blog/nordlynx-protocol-wireguard/

anav · Wed Nov 06, 2019 4:01 pm

I bought a Raspberry Pi4 and use that for wireguard, it gives me wirespeed vpn on a 500Mbit connection
Is all your internet traffic done via wireguard through the Raspberry PI or are you talking a specific tunnel??
I'm using it in a roadwarrior setup so for instance when i'm at work i can use my home nas at full speed, so i'm talking about 500Mbit inside the tunnel

hey huntermic would you be interested in sharing your raspberry pi setup and steps to get there?.......... if so please email me (click on my name to get details).

Solear · Thu Nov 14, 2019 9:14 pm

+1 for Wireguard

Actually I connect 3 different locations with 3 raspberrys and Wireguard over the internet. It would be nice to connect the MikroTik routers directly Foto a lan to lan to lan network

FutileNetworks · Fri Nov 22, 2019 2:21 am

+1 Wireguard

MikroTik, we've replaced all our site-to-site IPSEC vpns with wireguard, in most cases 3-4x performance increase and approaching gigabit speeds, each time we bring up a new wireguard vpn that is one less sale of a ccr1009, rb4011 or hEX.

anav · Fri Nov 22, 2019 7:00 am

+1 for Wireguard

Actually I connect 3 different locations with 3 raspberrys and Wireguard over the internet. It would be nice to connect the MikroTik routers directly Foto a lan to lan to lan network

Could you email me with how you setup a raspberry pi for wireguard connected to a MT router.

Fri Nov 22, 2019 8:52 am

+1 Wireguard

MikroTik, we've replaced all our site-to-site IPSEC vpns with wireguard, in most cases 3-4x performance increase and approaching gigabit speeds, each time we bring up a new wireguard vpn that is one less sale of a ccr1009, rb4011 or hEX.

Wireguard by definition is slower and can't support HW acceleration. IPsec will definitely be faster.

dynek · Fri Nov 22, 2019 9:29 am

Wireguard by definition is slower and can't support HW acceleration. IPsec will definitely be faster.

That is no reason to not implement WireGuard at some point which is much easier to setup & lightweight.

And don't forget that Linus himself, loves it:
https://lists.openwall.net/netdev/2018/08/02/124

Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.

marcrisse · Fri Nov 22, 2019 10:52 am

Wireguard by definition is slower and can't support HW acceleration. IPsec will definitely be faster.

By definition?? Sorry, Wireguard is definitely faster than (secure) IPSec in real life! That's why we migrated to Linux-Servers and WG.

Solear · Fri Nov 22, 2019 11:40 am

+1 for Wireguard

Actually I connect 3 different locations with 3 raspberrys and Wireguard over the internet. It would be nice to connect the MikroTik routers directly Foto a lan to lan to lan network
Could you email me with how you setup a raspberry pi for wireguard connected to a MT router.

You need to route wireguard from your router to your raspberry (check port and IP-address)

/ip firewall filter
add action=accept chain=forward dst-port=51820 protocol=udp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=51820 in-interface=wan protocol=udp to-addresses=192.168.150.200 to-ports=51820

credits to https://www.bachmann-lan.de/raspberry-p ... wireguard/

Fri Nov 22, 2019 11:59 am

Yes, IPsec is faster, because it is hardware accelerated and Wireguard can't be accelerated. If your Wireguard is faster, then maybe your IPsec config is wrong, or the HW doesn't support HW encryption.

dynek · Fri Nov 22, 2019 12:28 pm

https://www.wireguard.com/performance/
https://calomel.org/aesni_ssl_performance.html

Hopefully hardware acceleration gives better performance, true. But Wireguard uses ChaCha20 which according to my findings isn't doing too bad against HW accelerated AES.
Not on par with AES but definitely not too far from AES-256-GCM and better than AES-256-CBC. Drawback is CPU usage though.

Fri Nov 22, 2019 12:49 pm

Of course, I am only referring to RouterBOARD devices. if you have plenty of CPU power, you can make it fast.

anav · Fri Nov 22, 2019 4:54 pm

Of course, I am only referring to RouterBOARD devices. if you have plenty of CPU power, you can make it fast.

Normis, can you perhaps comment on comparing Wireguard to the Road Warrior VPN scenario?
Does the hw accelerated MT device still have the edge?

mozerd · Fri Nov 22, 2019 8:33 pm

Of course, I am only referring to RouterBOARD devices. if you have plenty of CPU power, you can make it fast.
Normis, can you perhaps comment on comparing Wireguard to the Road Warrior VPN scenario?
Does the hw accelerated MT device still have the edge?

Normis cannot provide that analysis without running Wireguard on RouterBOARD.

I have run Wireguard on Ubiquiti EdgeMax Routers, stated much earlier in this thread, and Wireguard beats the heck out of IPSec regardless of hw acceleration. Wireguard does not need hw acceleration — it just needs a capable CPU.

huntermic · Fri Nov 22, 2019 9:01 pm

Speed of wireguard is indeed amazing, but not only the speed. Wireguard is also very simple to configure and deals much better with roaming situations.

Engitech · Fri Nov 22, 2019 11:26 pm

+1000 for Wireguard - performance,stability and simplicity

anav · Fri Nov 22, 2019 11:34 pm

How is one to measure if ones CPU is up to the task to handle Wireguard without HW acceleration and meet or beat performance of ipsec with hw acceleration.??
For example your Ubiquiti vs HEX
Architecture MMIPS
CPU MT7621A
CPU core count 2
CPU nominal frequency 880 MHz
CPU Threads count 4
Dimensions 113x89x28mm
License level 4
Operating System RouterOS
Size of RAM 256 MB
Storage size 16 MB
Storage type FLASH

Or vs.........
RB450Gx4
Architecture ARM 32bit
CPU IPQ-4019
CPU core count 4
CPU nominal frequency 716 MHz
Dimensions 90 x 115 mm
License level 5
Operating System RouterOS
Size of RAM 1 GB
Storage size 512 MB
Storage type NAND

huntermic · Sat Nov 23, 2019 10:59 am

Keep in mind, the most basic version of the raspberry pi 4 wil run wireguard at full gigabit speeds and won't cost you the world........

mozerd · Sat Nov 23, 2019 6:54 pm

How is one to measure if ones CPU is up to the task to handle Wireguard without HW acceleration and meet or beat performance of ipsec with hw acceleration.??

My experience with WireGuard is only on the Ubiquiti EdgeMax product line and I can categorically state that WireGuard runs faster that any other vpn protocol that requires Hardware acceleration.

They key to WireGuard performance is its efficiency so regardless of the CPU capability comparatively speaking WireGuard is faster. A much more capable CPU will provide much better results without taxing the CPU — that is what makes WireGuard very unique.

The PROOF is in the pudding

..... I do not know of anyone in my field who has actually tried WireGuard and compared it to IPSec [HA] that did not comeback with amazement.

omidkosari · Mon Nov 25, 2019 1:25 pm

Apart from comparing comparing speed, let's assume we want to provide vpn connection to end users. For example 1000 vpn clients (including mobile phones) on single router. In that case the best available solution is wireguard because even if router supports hardware encryption for ipsec, but client doesn't have hardware acceleration then the result will not so good.

router (hardware encryption) <----ipsec----> mobile phone clients
VS
router <----wireguard----> mobile phone clients

I think this is a better comparing.

pe1chl · Mon Nov 25, 2019 2:29 pm

You forget that many CPU cores used in devices like mobile phones already support AES acceleration and when the software developer has been careful it is used by IPsec VPN.
On the other hand, "special" encryption types as used in Wireguard are not accelerated on those devices.

sindy · Mon Nov 25, 2019 2:44 pm

...and more than that, the CPU in the phone has about the same (or even higher) power than the CPUs used in SOHO Mikrotik models, and it deals with a single tunnel whereas the Mikrotik deals with 1000 in your example.

dynek · Mon Nov 25, 2019 4:05 pm

Give us Metarouter, RB1100AHx2 here

pe1chl · Mon Nov 25, 2019 4:25 pm

Give us Metarouter, RB1100AHx2 here

MikroTik should add the capability for chrooted/privilege separated user processes that have network access like Metarouter but do not have virtual machine overhead (both in CPU cycles and in development effort)...
This can be used to run special features, Wireguard is only one of them.
(don't listen to people claiming that Wireguard has to run in kernel, it can also run in an user process)

dynek · Mon Dec 09, 2019 8:09 pm

https://git.kernel.org/pub/scm/linux/ke ... 9d2857adfd

https://arstechnica.com/gadgets/2019/12 ... -adoption/

Nitrotoluol · Thu Jan 30, 2020 8:37 am

Wireguard is now in Linus' tree! So WireGuard is now officially upstream. Yeah!
https://lists.zx2c4.com/pipermail/wireg ... 04906.html

avacha · Tue Feb 04, 2020 9:31 pm

Well, if nothing happen - WG seems to be "out-of-box" for many Linux systems.
@Normis, can it be also implemented as "yet-another-vpn" in Ros? Standart implementation, compatible with ofticial specs, as-is? Sometimes stable connection is much better that faster. hEX ann ARM models can be effective with WG for SOHO installations.

dkorzhevin · Tue Feb 11, 2020 11:13 am

+1 for Wireguard request, please

msatter · Tue Feb 11, 2020 12:15 pm

Newshosting is also going to offer Wireguard VPN through Privado soon. It was a bit of a search to find the correct Lets Encrypt Root certificate for IKEv2 (Digital Signature Trust Co - X3).

Lets hope Wireguard will not have the same history as OpenVPN with Mikrotik. Once is was usable in ROS, it was succeeded.

ak1001 · Tue Mar 31, 2020 4:01 am

So... 2 years past and Mikrotik team did what all this time?
Now , when Wireguard is officially in kernel , and for some times in zyxel routers and in openwrt -
i cant call Mikrotik as innovative cool product company - they are [redacted]

Steveocee · Tue Mar 31, 2020 4:31 am

So... 2 years past and Mikrotik team did what all this time?
Now , when Wireguard is officially in kernel , and for some times in zyxel routers and in openwrt -
i cant call Mikrotik as innovative cool product company - they are [redacted]

They were probably fixing real problems rather than bending to the requests of mindless abusive morons.

anav · Tue Mar 31, 2020 5:56 am

So... 2 years past and Mikrotik team did what all this time?
Now , when Wireguard is officially in kernel , and for some times in zyxel routers and in openwrt -
i cant call Mikrotik as innovative cool product company - they are [redacted]
They were probably fixing real problems rather than bending to the requests of mindless abusive morons.

Couldn't have said it better myself.......... Not bad for a Brexit LOL.

kozaksv · Fri May 01, 2020 1:23 pm

+1 for Wireguard

Yanncd · Tue May 05, 2020 8:21 pm

+1 for the best VPN ever exist

bakemono · Mon May 11, 2020 12:16 am

Plus 1 my voice for wireguard.
I hope it will be implemented in Ros 7

Kamaz · Tue May 12, 2020 12:21 am

+1 for WireGuard

Paganatron · Tue May 26, 2020 7:34 pm

Most definitely: +1 for WireGuard please!

alex32c · Wed May 27, 2020 11:12 pm

+1 for WireGuard

evgenij · Wed Jun 03, 2020 8:57 pm

+one more for WireGuard!

NAB · Tue Jun 09, 2020 11:33 am

Just wanted to add my comments and my frustration to this post.

We've just lost a bid to supply equipment for a remote secure VoIP and data project. That's an awful lot of Routerboards and a whole load of consultancy we've lost out on. All because the client wanted to standardise on WireGuard.

andersonpem · Fri Jul 03, 2020 5:43 pm

+1 for this feature. Mikrotik uses the Linux Kernel if I remember. Wireguard is fast, modern and uses the Linux kernel directly. Also it's very easy to set up in comparison to the nightmare of OpenVPN.

msatter · Fri Jul 03, 2020 8:47 pm

+1 for this feature. Mikrotik uses the Linux Kernel if I remember. Wireguard is fast, modern and uses the Linux kernel directly. Also it's very easy to set up in comparison to the nightmare of OpenVPN.

Mikrotik just changed to a kernel version for Beta 7, supporting Wireguard.

twarnick · Sun Jul 12, 2020 12:24 am

++1
me too, i need this.

pe1chl · Sun Jul 12, 2020 12:31 am

++1
me too, i need this.

And you thought "hey, let's make a forum account so I can put this request there, maybe mine will make the difference"??
Oh boy....

jm1973 · Sun Jul 26, 2020 3:27 am

+1 wireguard

anav · Sun Jul 26, 2020 7:56 pm

Now that firefox will provide vpn by wireguard, we dont need it on the router. jajajajaja
Normis in another thread already said its coming, so no need to keep adding +1s lol.

Smakodak · Wed Feb 03, 2021 6:33 pm

What's new in 7.1beta2 (2020-Aug-21 12:29):

!) added "bgp-network" output filter flag;
!) added bonding interface support for Layer3 hardware offloading;
!) added IPv6 nexthop support for IPv4 routes;
!) added Layer3 hardware offloading support for CRS309-1G-8S+IN, CRS312-4C+8XG-RM and CRS326-24S+2Q+RM;
!) added WireGuard support;
*) disk - improved external disk read/write speed;
*) ospf - fixed point to point routes becoming inactive;
*) route - fixed source address selection of outgoing packets;
*) other minor fixes and improvements;

MoT · Wed May 26, 2021 12:46 am

Hey so how is Wireguard working on RouterOS 7? Is it stable, functional, or has decent performance?

For example, here I see someone had trouble with routing/DNS when fasttrack was enabled - but I didn't check it exactly, but seems that Wireguard is not stablen on ROS 7
https://www.reddit.com/r/mikrotik/comme ... wireguard/

But anyway, can anyone say something after some testing? Or can the Mikrotik support tell how is it going?

And a very important question - does Wireguard support push route to the client? And does IPsec support it too?
I am asking both for the standard protocol (WG IPSec) and if it is supported in RouterOS 7.x (in case of IPsec also in 6.x)? I haven't tried them yet, but I wanted to ask in advance if someone knows. I know about OpenVPN that the standard support push route, but RouterOS does not support it (at least in 6.x, in 7.x I am not sure)

Thank you so much in advance with this information, it will mean much to me! :)

anav · Wed May 26, 2021 12:50 pm

I am using wg on beta5, basic implementation, works for both site to site and Iphone to site.
I gave the iphone its own wg interface as it was for testing mainly and didnt want to interfere or break the established wg connection.
Normally one could have just added another peer.

allogic · Tue Jul 06, 2021 9:46 pm

Newshosting is also going to offer Wireguard VPN through Privado soon. It was a bit of a search to find the correct Lets Encrypt Root certificate for IKEv2 (Digital Signature Trust Co - X3).

Lets hope Wireguard will not have the same history as OpenVPN with Mikrotik. Once is was usable in ROS, it was succeeded.

Hey msatter,

I was able to download the certificate and this worked for a while, but I upgraded my router to 6.48.3 but since then I get the following error :

15:52:35 ipsec,error unable to get issuer certificate(2) at depth:1 cert:CN=R3,C=US,ST=,L=,O=Let's Encrypt,OU=,SN=
15:52:35 ipsec,error can't verify peer's certificate from store
15:52:35 ipsec,info,account peer failed to authorize: xx.xx.xx.xx[4500]-xx.xx.xx.xx[4500] spi:09b45a05cfefa384:fcb899e854f308fd
15:52:35 ipsec send notify: AUTHENTICATION_FAILED
15:52:35 ipsec adding notify: AUTHENTICATION_FAILED

Do you know if they have changed anything on the certificates, or why i've started getting this error?

Cheers,

allogic · Tue Jul 06, 2021 9:49 pm

Newshosting is also going to offer Wireguard VPN through Privado soon. It was a bit of a search to find the correct Lets Encrypt Root certificate for IKEv2 (Digital Signature Trust Co - X3).

Lets hope Wireguard will not have the same history as OpenVPN with Mikrotik. Once is was usable in ROS, it was succeeded.

I contacted them regarding this :

New reply for the ticket

Hello,

Unfortunately we will not be offering Wireguard for the foreseeable future and are currently focused on supporting our current protocols of OpenVPN and IKEv2.
Please let us know if there is anything further we can assist you with.

Regards,
PrivadoVPN Support

msatter · Wed Jan 12, 2022 10:01 pm

Newshosting is also going to offer Wireguard VPN through Privado soon. It was a bit of a search to find the correct Lets Encrypt Root certificate for IKEv2 (Digital Signature Trust Co - X3).

Lets hope Wireguard will not have the same history as OpenVPN with Mikrotik. Once is was usable in ROS, it was succeeded.

I contacted them regarding this :

New reply for the ticket

Hello,

Unfortunately we will not be offering Wireguard for the foreseeable future and are currently focused on supporting our current protocols of OpenVPN and IKEv2.
Please let us know if there is anything further we can assist you with.

Regards,
PrivadoVPN Support

I managed today to take over a Wireguard conection with the router. Creating the conection was done by their client and I had look in the connection conf file for the private key, local IP, external Ip and the port. These changes every connect so using that in the router not easy.

I have to see if parts can be automated however better hope Privado will make it simpler, like NordVPN did.

Update: adapted an old script to make this easier. See: viewtopic.php?t=182190