 
marcbou
just joined
Topic Author
Posts: 13
Joined: Tue Jul 03, 2018 11:19 am

forget about OpenVPN give us WIREGUARD

Fri Feb 28, 2020 3:19 am

Wow! RouterOS 7 now supports UDP OpenVPN. After so many years, what a miracle!

Joking aside, this is so ridiculous. Stop wasting your time on OpenVPN and give us proper modern WireGuard before the next century, please!
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: forget about OpenVPN give us WIREGUARD

Fri Feb 28, 2020 5:49 am

It's not so long since last turn of the century and very long until next one. You should go down to at least "before next decade". ;)
 
Note
Frequent Visitor
Posts: 78
Joined: Fri Jun 03, 2016 12:39 pm

Re: forget about OpenVPN give us WIREGUARD

Fri Feb 28, 2020 8:43 am

WireGuard is the future, and that means that MikroTik will implement it after a decade, like it usually does. They do not even have an SQM QoS package yet and you ask for WireGuard...? lol
 
Jamesits
newbie
Posts: 25
Joined: Thu Jul 13, 2017 10:15 am

Re: forget about OpenVPN give us WIREGUARD

Tue Mar 03, 2020 11:06 am

Wake up man, you can't run any proper routing protocols on wireguard due to its awkward design, so there is literally no use to implement it on a router.

To those who want to argue: yes there are some patches allowing wireguard peer routes to be added/removed dynamically but they just make wireguard a fancier IPSec.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: forget about OpenVPN give us WIREGUARD

Tue Mar 03, 2020 2:03 pm

It's not like you need routing protocols for all VPNs. They can be useful for more complex deployments, but if it's simple road warrior config, WG's simplicity looks really good.

Yes, it's all static, but is it really a problem? Static client's address is fine, I require that anyway. Static routes from client to server are less fine, because sometimes it's useful to be able to push new routes to clients. But with smaller networks it's usually possible to live without that. And in case I'm currently using RouterOS as VPN server, I don't have that anyway, except with IKEv2 (and I'm not sure how's the compatibility with all clients). But configuration of IPSec in general is not exactly simple. With WG you can start from zero and have working VPN under a minute. A trained monkey could probably do it under two. It's hard to not like it.
 
marcbou
just joined
Topic Author
Posts: 13
Joined: Tue Jul 03, 2018 11:19 am

Re: forget about OpenVPN give us WIREGUARD

Wed Mar 04, 2020 5:33 pm

Really? We're running the OSPF routing protocol over WireGuard on Ubiquiti EdgeRouters and low-cost x86 systems with VyOS (open source router and firewall platform) just fine, thank you!

> Wake up man, you can't run any proper routing protocols on wireguard due to its awkward design, so there is literally no use to implement it on a router.
>
> To those who want to argue: yes there are some patches allowing wireguard peer routes to be added/removed dynamically but they just make wireguard a fancier IPSec.
 
nimbo78
Frequent Visitor
Posts: 80
Joined: Tue Jan 14, 2014 9:09 pm

Re: forget about OpenVPN give us WIREGUARD

Fri Mar 13, 2020 8:43 am

+1
need to implement
 
clueluzz
newbie
Posts: 34
Joined: Sun Feb 23, 2020 5:47 pm
Location: Jakarta, Indonesia

Re: forget about OpenVPN give us WIREGUARD

Tue Mar 17, 2020 4:17 pm

+1
agree
 
miasik
newbie
Posts: 29
Joined: Sun Mar 18, 2012 10:15 am
Location: Kiev, Ukraine

Re: forget about OpenVPN give us WIREGUARD

Wed Mar 18, 2020 3:50 pm

 
nicolap
just joined
Posts: 19
Joined: Mon Sep 09, 2019 12:16 am

Re: forget about OpenVPN give us WIREGUARD

Sun Mar 29, 2020 10:20 pm

The post is very old and questionable...
In any case, for a lot of people WG is a very good thing!
 
Chupaka
Forum Guru
Posts: 8712
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: forget about OpenVPN give us WIREGUARD

Tue Mar 31, 2020 1:49 pm

> The post is very old
Feb 26? Isn't it like 1 month old?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: forget about OpenVPN give us WIREGUARD

Tue Mar 31, 2020 7:03 pm

Arguments against WG in that article are, in short:

1) Big vendors like Cisco won't support it
2) It's not dynamic enough for road warriors
3) It's not easy, at least not easier than IPSec
4) It's tied to one set of algorithms, so future upgrades will be problematic
5) If you want fancy new cryptography, IPSec supports it too
6) It's not as fast as authors say

It depends on what you're after. When I need VPN for little guy (SOHO use), mostly for road warriors, then:

1) All I need is client for popular OSes and server support in my favourite router. I couldn't care less about big vendors. I see MikroTik as relatively big too, but not as much and hopefully more flexible, although sometimes things take them a little longer. ;)

2) It depends:

- WG is actually very dynamic in some aspects, endpoint addresses are updated automatically (when it's possible to reach peer from new address), so e.g. client changing addresses all the time is no problem at all.

- I don't need nor want dynamic addresses in tunnel, each client should have own static one.

- Server-controlled routes would be nice in some cases, but currently it's not possible (regular clients don't run any routing protocols), so that's a downside. But very often it's not needed.

- According to article, "It does not, for example, allow using a dynamic IP address on the server side of the tunnel which breaks a whole use-case".

I don't care much about dynamic server address, servers should have static one. But when it's not possible, WG can use hostname as endpoint, so basic support is there. I can use DDNS and I will always be able to connect.

Only problem seems to be when server address changes while client is connected. Usually the server won't be able to connect to client from new address, so client won't update remote endpoint automatically. But it surprised me that even with enabled keepalive and when client doesn't get any response, it doesn't try to resolve hostname again. Assuming that it's not my fault, it's a little annoying, but there's always the magic "turn it off and on again". And it's not like the server should change address too often.

3) It depends what a person sees as easy, but with less than ten options in total, WG is a good candidate for easy. How many does IPSec have?

4) True. But it's the future. And when I have few tens of clients at most, all-at-once upgrade is easily doable.

5) Yes, IPSec as standard may support it, but if you want interoperability, you'll be lucky if you don't have to use things like sha1. Not that the average user would care too much, and as long as it's not broken...

6) Can I squeeze few tens of megabits through it? Yes? Then it's good.

If RouterOS implemented WG, I wouldn't throw out everything I have now, because in most cases it works reliably and there's no reason to change it just for fun. But it would be nice to have it as an option.
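
The stale-endpoint case described in the post above (the server's address changes behind a DDNS name while the client stays connected), as an added example that is not part of the original thread: a client-side script that re-applies the hostname endpoint for peers whose last handshake is old, which makes `wg set` resolve the name again. The map file format, the 135-second threshold and running it periodically (for example from cron) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): refresh hostname endpoints of stale peers.
# Usage: this-script <interface> <mapfile>
# mapfile lines (assumed format): "<peer-public-key> <hostname:port>"

STALE_AFTER=135   # seconds without a handshake before we re-resolve (chosen value)

# stale_peers NOW
# Reads `wg show <if> latest-handshakes` output on stdin (pubkey<TAB>epoch)
# and prints the public keys whose last handshake is older than STALE_AFTER.
# A timestamp of 0 means "never completed a handshake" and counts as stale.
stale_peers() {
    now=$1
    while read -r key ts; do
        [ -n "$key" ] || continue
        case $ts in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        if [ $((now - ts)) -gt "$STALE_AFTER" ]; then
            printf '%s\n' "$key"
        fi
    done
}

# endpoint_for KEY MAPFILE
# Prints the hostname:port configured for KEY, or nothing if KEY is unknown.
endpoint_for() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# refresh IFACE MAPFILE
# For every stale peer with a known hostname endpoint, set the endpoint again.
# `wg set ... endpoint host:port` resolves the hostname at the time it is run,
# so a changed DDNS record is picked up without restarting the tunnel.
refresh() {
    iface=$1
    map=$2
    wg show "$iface" latest-handshakes | stale_peers "$(date +%s)" |
    while read -r key; do
        ep=$(endpoint_for "$key" "$map")
        [ -n "$ep" ] && wg set "$iface" peer "$key" endpoint "$ep"
    done
}

if [ "$#" -ge 2 ]; then
    refresh "$1" "$2"
fi
```

Peers missing from the map file are left alone, so only endpoints you explicitly listed are ever rewritten.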