swisstico (Topic Author)

WireGuard Best Practices

Wed Dec 22, 2021 10:17 pm

Hello everyone,

This week we played with the WireGuard VPN on MikroTik v7, and we would like to hear a bit of your experience about "Best Practices" for setting it up for road warriors (we have clients with about 40-50 road warriors, others with fewer than 10).
For now, we tested the following configurations:

Only one WireGuard "Server" with all clients

Pros
  • One interface, one IP in the router, less firewall rules
  • Only one port open on the router
Cons
  • If the "server" key needs to be changed, you have to update all clients

Various WireGuard "Servers" with many clients (grouped by roles)
For example, one server for personal devices (BYOD), another one for company devices (laptops that user takes outside the office), etc.

Pros
  • Few interfaces, different keys for different groups (better security)
  • Few open ports on the router
Cons
  • If the "server" key needs to be changed, you have to update a few/many clients (at least not all devices)
  • More firewall rules to add and maintain later (which also means more CPU in use)

One WireGuard "Server" per client (or per user)
For example, one "server" per user, assuming that a user owns 4 devices (desktop, laptop, tablet, mobile). Each user has its own WireGuard "server".

Pros
  • Each user has a different "server" and "peer" key (better security)
  • If the "server" key needs to be changed, you have to update only one user (4 devices in our example); other users are not affected
Cons
  • Many interfaces, a lot of work to configure everything
  • Many ports open on the router
  • More firewall rules to add and maintain later (which also means more CPU in use)

Other general questions
  • What is the best practice from the CPU point of view (one interface vs many)?
  • Does a "server" interface use only one CPU, or more, during encryption/decryption?
  • Are many "server" interfaces used on many CPUs at the same time?

If you have suggestions or other "best practices" questions, please share! :D
(For other technical questions about WireGuard, please open a new topic)

Thanks for your participation!
 
anav (Forum Guru)

Re: WireGuard Best Practices

Wed Dec 22, 2021 11:24 pm

+1 excellent questions !!
 
swisstico (Topic Author)

Re: WireGuard Best Practices

Tue Jan 11, 2022 6:52 pm

As we wrote this post at the end of the year, it's possible that many were on holiday.
We are only writing again to bump this topic.

Please if you have any idea or comment, share! :D
 
anav (Forum Guru)

Re: WireGuard Best Practices

Tue Jan 11, 2022 7:35 pm

After a quick review of your assumptions, I actually think that changing only one key for 50 clients is so much less daunting than having to change multiple public keys.

My question is really an assumption that every road warrior is behind a different IP and is not using an MT device, and thus it's like 50 smartphones connecting to the MT server router.

(1) Option 1: 50+ phones, one WireGuard interface, one listening port, one public key from the WG server to manage, need 50+ smartphone public keys.
a. ensure all clients are in the same subnet range, i.e. assign 192.168.100.AA to each phone, from 2 to 5X
b. IP address on the WG server is 192.168.100.1/24, network=192.168.100.0
c. firewall rules determine where the WG traffic is allowed to go.
d. smartphone rules determine which destination IPs are allowed to enter the tunnel (allowed peer addresses)

(2) Option 2: 50+ phones, 50+ WireGuard interfaces, 50+ listening ports, 50 public keys from the WG server, and you still need 50+ smartphone public keys
Already this sounds horrible. :-)

(3) Better option??? (you may have to break it down into groups for the purposes of isolating some users/information from others for security purposes, or at least if some have a higher expected frequency of required key changes), i.e. to minimize disruptions/overhead overall?
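A concrete rendering of Option 1 as laid out in the post above: one WireGuard interface, one listening port, one /24 tunnel subnet, a /32 allowed-address per road warrior, firewall rules on the router deciding where tunnel traffic may go, and AllowedIPs on the phone deciding what enters the tunnel. This is an added example written for this page, not code from the thread or from MikroTik, and everything concrete in it is an assumption: the endpoint vpn.example.net, UDP port 13231, tunnel subnet 192.168.100.0/24 with the router at .1, office LAN 10.0.0.0/24, the interface name wg-rw, and a WAN interface list named WAN as in the RouterOS default firewall. The keys are genuine X25519 keys computed with the RFC 7748 ladder so the emitted configs are usable as-is; in production you would let RouterOS generate the server key and let each device keep its own private key. rotate_server_key returns the list of clients whose config has to be reissued, which is the drawback of Option 1 that the opening post lists.

```python
import base64
import ipaddress
import os

P = 2 ** 255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def x25519(k, u):
    """Curve25519 scalar multiplication, RFC 7748 section 5 Montgomery ladder."""
    kb = bytearray(k)
    kb[0] &= 248                       # clamp the scalar as the RFC requires
    kb[31] = (kb[31] & 127) | 64
    scalar = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # top bit of u is ignored
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(priv=None):
    """Random (or supplied) 32-byte private key and its WireGuard public key."""
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def b64(raw):
    return base64.b64encode(raw).decode()


class RoadWarriorServer:
    """One WireGuard interface serving every road warrior (Option 1 in the post above)."""
    def __init__(self, name, endpoint, port, subnet, lan, priv=None):
        self.name, self.endpoint, self.port, self.lan = name, endpoint, port, lan
        self.net = ipaddress.ip_network(subnet)
        self._free = self.net.hosts()            # hands out unique /32s, so allowed-addresses never overlap
        self.addr = next(self._free)             # router takes the first host (.1)
        self.priv, self.pub = keypair(priv)
        self.peers = []

    def add_peer(self, label, priv=None):
        priv, pub = keypair(priv)
        if any(p["pub"] == pub for p in self.peers):
            # WireGuard identifies a peer by its public key: no two devices may share one
            raise ValueError(f"public key already registered, refusing {label}")
        peer = {"label": label, "priv": priv, "pub": pub, "ip": next(self._free)}
        self.peers.append(peer)
        return peer

    def rotate_server_key(self):
        """New server key; returns every client whose [Peer] section is now stale."""
        self.priv, self.pub = keypair()
        return [p["label"] for p in self.peers]

    def routeros(self):
        """RouterOS v7 CLI: one interface, one address, one open UDP port, a /32 per peer."""
        n = self.name
        lines = [
            f'/interface/wireguard add name={n} listen-port={self.port} private-key="{b64(self.priv)}"',
            f"/ip/address add address={self.addr}/{self.net.prefixlen} interface={n}",
            # the only hole in the input chain; assumes the default-config "WAN" interface list
            f'/ip/firewall/filter add chain=input action=accept protocol=udp dst-port={self.port} in-interface-list=WAN comment="{n}: handshakes"',
            # forward rules decide where tunnel traffic may go; place them above the default drop rules
            f'/ip/firewall/filter add chain=forward action=accept in-interface={n} dst-address={self.lan} comment="{n}: to office LAN"',
            f'/ip/firewall/filter add chain=forward action=drop in-interface={n} comment="{n}: nothing else"',
        ]
        for p in self.peers:
            lines.append(f'/interface/wireguard/peers add interface={n} public-key="{b64(p["pub"])}" allowed-address={p["ip"]}/32 comment="{p["label"]}"')
        return "\n".join(lines)

    def client_conf(self, peer):
        """wg-quick style file for the device; its AllowedIPs (tunnel subnet + office LAN) decide what enters the tunnel."""
        return (f"[Interface]\nPrivateKey = {b64(peer['priv'])}\nAddress = {peer['ip']}/32\n\n"
                f"[Peer]\nPublicKey = {b64(self.pub)}\nEndpoint = {self.endpoint}:{self.port}\n"
                f"AllowedIPs = {self.net}, {self.lan}\nPersistentKeepalive = 25\n")


if __name__ == "__main__":
    srv = RoadWarriorServer("wg-rw", "vpn.example.net", 13231, "192.168.100.0/24", "10.0.0.0/24")
    for label in ("alice-phone", "alice-laptop", "bob-phone"):   # constructed sample roster
        srv.add_peer(label)
    print(srv.routeros(), srv.client_conf(srv.peers[0]), sep="\n\n")
    print("re-provision after server key rotation:", srv.rotate_server_key())
```

Paste the printed RouterOS lines into the router and hand each device its own [Interface]/[Peer] file (or QR code). The add_peer refusal of a repeated public key is deliberate: a peer is addressed by its key, so the iPhone and the laptop each need their own. The two forward rules are the whole "where may tunnel traffic go" policy for this interface; grouping users into several interfaces, as the other options propose, means repeating that pair per interface.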
 
pcunite (Forum Guru)

Re: WireGuard Best Practices

Tue Jan 11, 2022 7:47 pm

I think your question is the answer. It depends, doesn't it? At least until WireGuard is truly everywhere and automated tools are available to update clients somehow. I only have limited experience with WireGuard, but am currently using an RPi server behind the router. I would of course like to see this moved to the router, and when I feel RouterOS v7 is ready, I will do so. So, I have your first option in production: one WG server with multiple clients all using the same server instance.

My concerns are about the client side.
I'm struggling with the design when there is more than one physical device at the end user's remote location, and how to keep clients on different VLANs since WireGuard is L3 only. Say they have a laptop, a mobile phone, and a physical Ethernet VoIP phone. In that scenario, I tested a local hAP ac style device with ROS v7 and was able, with firewall rules, to keep things segmented the way I needed. The device offered local Wi-Fi and Ethernet ports. So, this is basically a site-to-site VPN.

But do I want to deploy hardware into users' homes, hotels and the like? No way! Would I rather keep up with multiple certificates on their iPhones and laptops? Forget physical VoIP phones? So, it's a catch-22. If you can put a certificate on everything (can the iPhone and laptop both be using the same certificate?), then when they change, well, you gotta make changes everywhere.

So, the answer is: this is how WireGuard works. You have certificates everywhere.
 
anav (Forum Guru)

Re: WireGuard Best Practices

Tue Jan 11, 2022 7:53 pm

For more complicated setups, perhaps look at Tailscale and ZeroTier to make life easier, as simple WireGuard may not scale up appropriately???
 
Zacharias (Forum Guru)

Re: WireGuard Best Practices

Tue Jan 11, 2022 9:02 pm

I've tested WireGuard recently; it looks and works nicely... I've not used it in a production environment yet, though...

So, what is the best practice?
 
pcunite (Forum Guru)

Re: WireGuard Best Practices

Tue Jan 11, 2022 9:10 pm

So, what is the best practice?

How many support engineers do you have? How many end users (total devices)?

  • 1-100 end devices:
    Option A: Single server key.
  • 100-1000 end devices:
    Option B: Multiple server keys, 1 server per 100.
  • 1000+ end devices:
    Option C: Multiple server keys, 1 server per device, plus custom software.

Updates:
Replace the term certificate with key. Added software link.
Last edited by pcunite on Wed Jan 12, 2022 6:46 pm, edited 1 time in total.
 
Sob (Forum Guru)

Re: WireGuard Best Practices

Wed Jan 12, 2022 1:35 am

@pcunite: Keys, not certificates. Proper infrastructure for certificates is relatively complicated: verification, CAs, revocation, a nightmare for small users. WG's keys are downright primitive: I'll show you mine, you'll show me yours, and hooray, we have a VPN. The "problem" with WG is that it's very low-level. All you get is static tunnels: no dynamic address assignment, no dynamic routing, nothing. It's perfectly fine if that's what you're looking for. But if you want more, you need something else to manage it, and currently there's no universal standard for that.
 
mozerd (Forum Veteran)

Re: WireGuard Best Practices

Wed Jan 12, 2022 3:39 am

@Sob
Have you looked at TailScale... in a serious way? I dare say that you have not. You and everyone here asking about best practices should examine TailScale :D
 
anav (Forum Guru)

Re: WireGuard Best Practices

Wed Jan 12, 2022 4:21 am

Is it fair to say that WireGuard, to scale up, needs Tailscale... sorry, couldn't resist!!
I will of course have to say that maybe ZeroTier is also a feasible option.
 
gotsprings (Forum Guru)

Re: WireGuard Best Practices

Wed Jan 12, 2022 6:39 am

Used WireGuard to connect the office to the warehouse. The office is behind Starlink, so no public IP. It took me a few minutes to wrap my head around it, as I was used to having the office call out over L2TP and then putting the traffic inside it, in IPsec, using the built-in option in L2TP.

Once connected... I set up multiple peers on the warehouse.

Need to reach the office... VPN to the warehouse. It jumps you right over... Well, after I figured out how WireGuard would allow addresses vs using a route to the termination address.
 
Zacharias (Forum Guru)

Re: WireGuard Best Practices

Wed Jan 12, 2022 12:38 pm

@pcunite thanks for the answer...
As @Sob indicated, I guess you mean keys and not certificates...

What would be the benefit of Tailscale or ZeroTier along with WireGuard? Just asking...
 
mozerd (Forum Veteran)

Re: WireGuard Best Practices

Wed Jan 12, 2022 1:20 pm

Is it fair to say that WireGuard, to scale up, needs Tailscale... sorry, couldn't resist!!
I will of course have to say that maybe ZeroTier is also a feasible option.
I would state that ZeroTier is NOT a feasible option because TailScale IS WireGuard-centric while ZeroTier is NOT, which is one very big reason that TailScale's performance metrics are far superior... Plus, TailScale does make scaling WireGuard a non-issue since it manages ALL CERTIFICATES, KEYS and very much more: a true ZERO-configuration system.

Some examples follow... but many more are there for YOU to examine, should you care to seriously examine TailScale :D
Provision TLS certificates for your internal Tailscale services
Machine certificates and device management
 
pcunite (Forum Guru)

Re: WireGuard Best Practices

Wed Jan 12, 2022 6:37 pm

@pcunite: Keys, not certificates.

Thank you for the correction. Nebula is worth a look.
 
Sob (Forum Guru)

Re: WireGuard Best Practices

Thu Jan 13, 2022 4:11 am

@mozerd: You're slightly missing the point. WireGuard is a protocol; I can use it any way I like, everything is in my hands, no external party is involved. Some future standardized extension that will handle dynamic configuration for those who need it will also be a protocol. TailScale is a service; if I use it, I depend on someone else.

I'm not saying that it's a bad service, no, I actually like the technical part, their blog about it is an interesting read, they may even be nice people and everything. But I still don't want to depend on them. Also, the main strength of TailScale is when you need a mesh network, where each node communicates directly with every other node. It's a wonderful thing when you need it, but that's not always the case. For scenarios like "access to company network", the good old central server is all you need, no need for any fancy stuff.
 
mozerd (Forum Veteran)

Re: WireGuard Best Practices

Thu Jan 13, 2022 8:04 pm

@Sob
First, very nice retort :)
Second, also very glad that you took the time and effort to read their stuff :)
Third, I absolutely agree with your articulated points, because that is also my POV! 8)
 
swisstico (Topic Author)

Re: WireGuard Best Practices

Tue Feb 01, 2022 11:10 pm

Hi everybody :D

Thanks all for your answers!

We don't need (and don't want, for security reasons) to use the Tailscale services. Their only advantage is to be a bridge between two points, which we can do perfectly well through MikroTik if there is no NAT from the ISP (the dynamic IP issue is fixed with /ip cloud).

For those who answered, how long is your experience with WireGuard (independent of MikroTik), and how many devices have you already configured?

Best Regards,
 
Sob (Forum Guru)

Re: WireGuard Best Practices

Wed Feb 02, 2022 1:12 am

You don't wanna know. I did a few tests with Linux and thought "nice, now if only RouterOS added it". And then I waited until RouterOS added it. ;)
