
WireGuard support in Mikrotik RouterOS v7.1beta2 - pozibrothers
https://forum.mikrotik.com/viewtopic.php?f=1&t=165248
======
BeefySwain
We have been waiting for years for UDP OpenVPN, but we get WireGuard before
most major distros. That's something.

~~~
zx2c4
Actually, WireGuard has first class support now on a large number of distros,
without the need for any additional compilation: Ubuntu 16.04, 18.04, 20.04,
Fedora, Debian, OpenSUSE, Arch, Mandriva, Alpine, Nix, Void, OpenWRT, and
others. Check out www.wireguard.com/install/ for the whole list.

~~~
WGH_
AFAIK most of these are DKMS, so compilation (although automated and supported
by distro) is still necessary.

~~~
lima
At least it will eventually propagate to all distros now that it's in the
stable kernel!

Fedora and other distros with recent kernels already have it.

------
dgemm
That was actually really fast considering how long wireguard has(n't) been
around. We don't even have it in stable Linux distributions yet.

I guess there is some significant demand for it from Mikrotik's customers.
I'll probably use it.

~~~
chromedev
There are lots of stable Linux distros running the stable kernel, which is 5.8.
It is just distros like RHEL that call themselves stable, but are actually
antiquated and honestly just give users a bad experience because most of the
software is outdated. Wouldn't expect anything less from IBM.

~~~
aidenn0
And it's somewhat silly to freeze the kernel. The Linux kernel is meticulous
about backwards compatibility. Spin up any distribution user space in docker,
and watch it work.

~~~
corty
Freezing the RH kernel is mostly to keep closed source kernel modules working.
Some proprietary software has those, unfortunately.

~~~
gravitas
Red Hat also customizes the kernel they've standardized on to disable hardware
functionality which they do not want to support under SLA; they have two
general ways of doing it, disable compilation of the entire module (where
possible) or add the specific PCI ID to a filter-out on that module's
supported hardware. The methods tend to route through a custom routine in
their kernel patches which notify the user the hardware has been seen but will
not function/be supported by their kernel.

This goes the other way around as well: they often cherry-pick new code and
pull it back into their curated kernels to support the latest hardware
offerings of their partners (Dell, HP, Broadcom, etc.) without pulling in
possibly unstable newer kernel code around it; they have contractors from
those hardware companies assisting in the work to backport hardware module
features.

------
ghostpepper
The ball's in your court, Ubiquiti

~~~
Proven
It's not.

Why would one want that workload on their router when they can offload it to a
$35 Pi?

~~~
10000truths
One of the main selling points of Wireguard is that it runs much leaner than
OpenVPN or IPSec tunnels, especially on embedded hardware, so there isn’t much
of a workload in the first place.

~~~
vetinari
Crypto used by IPSec (aes, sha) is often accelerated by hardware - and the
above mentioned Ubiquiti has hardware for that. Chacha/Poly used by Wireguard
are not.

~~~
10000truths
There’s a benchmark done with the EdgeRouter that shows that Wireguard’s
throughput exceeds that of hardware accelerated AES + IPSec:

[https://an.undulating.space/post/181227-er_alternate_firmwar...](https://an.undulating.space/post/181227-er_alternate_firmware_vpn_benchmarks/)

Of course, benchmarks from random strangers are not gospel, and the results
aren’t particularly damning. But even then, you’re assuming that you have the
luxury of running on a chip that comes with a hardware crypto engine. Good
luck trying to get AES encryption/decryption speeds at anywhere near line rate
with a Raspberry Pi or a run-of-the-mill router.

------
jlgaddis
Has MikroTik ever made _any_ source code available?

~~~
m463
Who knows, but I run OpenWrt on my MikroTik RB2011* switches.

~~~
stragies
Do you happen to know if the RB2011 will be stuck on the (dead-end) ar71xx
release, or whether somebody is working on porting it to the newer ath79
platform with LTS?

~~~
m463
This is the first I've heard of this. I didn't know it could map to a new
platform.

I have two and just got them working and haven't updated in maybe a year. I
use them as internal switches and only really use vlans + dhcp.

It might be interesting to see if porting is a big deal. I have one annoying
weirdness where ports are labeled sfp, 1-5, 6-10, but the logical mapping is
really screwed up: switch0:6, switch0:1,2,3,4,5, then switch1:5,4,3,2,1
(reversed).

------
chromedev
OpenWRT has support for WireGuard as well.

~~~
jvolkman
As does VyOS.

~~~
kube-system
Anyone have any experience here with getting wireguard running on pfsense?

~~~
867-5309
I don't think *BSD supports wg yet. Would love to see this.

~~~
rjsw
It was added to NetBSD yesterday.

~~~
cpach
Nice :)

------
floatboth
> added Layer3 hardware offloading support for CRS309-1G-8S+IN, CRS312-4C+8XG-
> RM, CRS326-24S+2Q+RM and CRS354-48G-4S+2Q+RM

The Marvell switch chip supports IPv6, but for now MikroTik only implemented
support for v4 offload... :/

