Yeah well don't hold your breath :(. Ubiquiti has been a cluster fuck for a while now and are busy redoing and downgrading the UI again for like the 3rd or 4th time in the last few years rather then add desperately needed basic features. They've released new gateway devices with their own new distro based around containerization, then not actually put that to work at all. DNS still a joke. Zero story for key&certificate management/let's encrypt/etc.
Maybe Pera will get hit by a bus and things will get turned around but otherwise it's a sad mess and waste of potential.
Can confirm, way back I wrote a small guide on how to install and configure Wireguard on the ER-X (and other EdgeRouters), and to date this article is still by far the most read one: https://merlinscholz.name/post/wireguard-on-erx/
Unfortunately 3rd party software installs are lost on updates, so you need to be local to the router before upgrading (or have a secondary VPN available).
Development of EdgeOS has really slowed down though, there hasnt been a stable firmware update in 6 months (and that was just a small hotfix).
One of the main selling points of Wireguard is that it runs much leaner than OpenVPN or IPSec tunnels, especially on embedded hardware, so there isn’t much of a workload in the first place.
Crypto used by IPSec (aes, sha) is often accelerated by hardware - and the above mentioned Ubiquiti has hardware for that. Chacha/Poly used by Wireguard are not.
Of course, benchmarks from random strangers are not gospel, and the results aren’t particularly damning. But even then, you’re assuming that you have the luxury of running on a chip that comes with a hardware crypto engine. Good luck trying to get AES encryption/decryption speeds at anywhere near line rate with a Raspberry Pi or a run-of-the-mill router.
Doesn't feel light to setup if you're trying to get a tunnel working between different providers. We had a strange dead peer issue between Fortigate and Mikrotik and could never figure it out as it happened so rarely. All phase 1 and phase 2 settings were identical. I can imagine that happens elsewhere too.
There are also benefits to running your VPN endpoint on your network gateway - otherwise it can be difficult to configure routing tables to allow a user connecting from outside the network to access both internal and Internet IPs from the tunnel endpoint.
"It's free!" they say, if you can get it to run
The Geeks say, "Hey, that's half the fun!"
Yeah, but I got a girlfriend, and things to get done
The Linux OS SUCKS
(I'm sorry to say it, but it does.)
I was about to be annoyed by this comment until I saw it in the context of a song about how every operating sucks, which, when framed like that, I can't help but agree with. ;) (although I will say that I've been having a better time w/ arch linux + dwm lately than any OS / setup I've ever used-- but then again I also love raspberry pis, have like 3 of them, and am, in fact, using one to run dnsmasq / wireguard, so... xD)
Maybe Pera will get hit by a bus and things will get turned around but otherwise it's a sad mess and waste of potential.