Hello, Mikrotik fans
I have a problem creating a client to connect to the server.
I get a white IP address from the provider. I have the following settings in the router:
The problem is the following: after I reboot the Mikrotik, I need to wait 2 to 4 minutes and periodically switch the slider on my phone so that the connection to the server from my mobile network occurs. If I just leave it on, it will never connect, only when I move the slider. I want to have access to the Internet from this Android phone. I saved the public and private keys from the phone, inserted them into the configuration on the router and then connected using the QR code. Please tell me what else I could have done wrong. Maybe NAT rules still need to be added?




What is a white IP…
Need config of the router
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
What is a white IP…
He meant public IP
ok guys, I’ll try to do it in a few days) school starts tomorrow, I won’t have time today(
Yes, I meant about public IP)
ok, I’ll try to do it in a few days) school starts tomorrow, I won’t have time today(
In one simple option, to configure the WireGuard server and connect clients to it in RoadWarrior mode, you only need to run a few commands in the terminal.
- Select the IPv4 subnet for the server and clients to “communicate”. In the example it is 10.19.99.0/24.
- Let the server have the address 10.19.99.1, and the next addresses will be assigned to clients.
- All settings will be made on the server and loaded onto the client via QR code.
- Depending on the configuration of your firewall, you may need to make additional rules and place them in the list in the right places.
Here we go.
```
/interface list add name=VPN-WG
/interface wireguard add listen-port=13232 mtu=1420 name=wireguard1
/interface list member add interface=wireguard1 list=VPN-WG
/ip firewall address-list add address=10.19.99.0/24 list=WG-VPN
/ip address add address=10.19.99.1/24 interface=wireguard1 network=10.19.99.0
```
Some additional rules may be needed:
```
# after Handle (input) already established, related, untracked connections
/ip firewall filter add action=accept chain=input comment=WG-Input in-interface-list=VPN-WG log-prefix=WG src-address-list=WG-VPN
# after other VPN protocols
/ip firewall filter add action=accept chain=input comment=WireGuard dst-port=13232 in-interface-list=WAN protocol=udp
# after Handle (forward) already established, related, untracked connections
/ip firewall filter add action=accept chain=forward comment=WG-Forward in-interface-list=VPN-WG log-prefix=WG src-address-list=WG-VPN
#
/ip firewall nat add action=masquerade chain=srcnat comment=Wireguard out-interface=!bridge-LAN src-address-list=WG-VPN place-before=0
```
Adding a client:
```
/interface wireguard peers add allowed-address=10.19.99.2/32 client-address=10.19.99.2/32 client-dns=10.19.99.1 client-endpoint=Your_DNS_Name_Or_IP interface=wireguard1 name=Your_Phone_1 comment="My Mobile" private-key=auto
```
After that, we go to the properties of the created client, and at the very bottom we see a QR code, which can be loaded as the WireGuard configuration on the phone.
All public and private keys necessary for server and client operation will be created automatically in this configuration method.
Thank you very much!!! I kind of did it, and it kind of works) okay, I’ll study it in more detail, thanks Friend!
Hi BrateloSlava,
A few questions I have:
- VPN-WG and WG-VPN are the same thing in Your config? I see VPN-WG declared in the first line, but WG-VPN I can’t figure out…;
- the IP 10.19.99.1 is the server's WireGuard interface IP or LAN IP?
Thanks!
Br.,
Ede
Basically a typo.
From this:
```
/interface list add name=VPN-WG
/interface wireguard add listen-port=13232 mtu=1420 name=wireguard1
/interface list member add interface=wireguard1 list=VPN-WG
/ip firewall address-list add address=10.19.99.0/24 list=WG-VPN
```
TO
```
/interface list add name=VPN-WG
/interface wireguard add listen-port=13232 mtu=1420 name=wireguard1
/interface list member add interface=wireguard1 list=VPN-WG
/ip firewall address-list add address=10.19.99.0/24 list=VPN-WG
```
What I don't understand is the need for a WireGuard interface list to begin with.
The WireGuard interface is usually part of the LAN or WAN interface list…
“What I don't understand is the need for a WireGuard interface list to begin with.” - Yes, in my config it’s in the LAN list…
Anyway, I do struggle with my config, but I’ll post it in a new thread.
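Added example, not part of any post in this thread: the configuration above uses an interface list named VPN-WG and a firewall address list named WG-VPN, and its firewall rules reference both kinds of list. The Python sketch below parses those commands and reports every `in-interface-list` or `src-address-list` reference that does not resolve to a defined list of the matching kind. The `WAN` and `LAN` interface lists are assumed to exist already on the router, and `parse` and `check` are names made up for this example.

```python
import shlex

# Commands copied from the post above (comment lines dropped).
CONFIG = """\
/interface list add name=VPN-WG
/interface wireguard add listen-port=13232 mtu=1420 name=wireguard1
/interface list member add interface=wireguard1 list=VPN-WG
/ip firewall address-list add address=10.19.99.0/24 list=WG-VPN
/ip firewall filter add action=accept chain=input comment=WG-Input in-interface-list=VPN-WG log-prefix=WG src-address-list=WG-VPN
/ip firewall filter add action=accept chain=input comment=WireGuard dst-port=13232 in-interface-list=WAN protocol=udp
/ip firewall filter add action=accept chain=forward comment=WG-Forward in-interface-list=VPN-WG log-prefix=WG src-address-list=WG-VPN
/ip firewall nat add action=masquerade chain=srcnat comment=Wireguard out-interface=!bridge-LAN src-address-list=WG-VPN place-before=0
"""

IFACE_KEYS = ("in-interface-list", "out-interface-list")
ADDR_KEYS = ("src-address-list", "dst-address-list")

def parse(line):
    """Split one 'add' command into (menu path, {parameter: value})."""
    tokens = shlex.split(line)
    if "add" not in tokens:
        return None
    idx = tokens.index("add")
    params = dict(t.split("=", 1) for t in tokens[idx + 1:] if "=" in t)
    return " ".join(tokens[:idx]), params

def check(config, assumed_iface_lists=("WAN", "LAN")):
    """Return one message per firewall rule reference to an undefined list."""
    lines = [l for l in config.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    cmds = [c for c in map(parse, lines) if c]
    iface_lists, addr_lists, problems = set(assumed_iface_lists), set(), []
    for path, p in cmds:  # pass 1: collect definitions, kept apart by kind
        if path == "/interface list":
            iface_lists.add(p["name"])
        elif path == "/ip firewall address-list":
            addr_lists.add(p["list"])
    for path, p in cmds:  # pass 2: resolve references in filter/nat rules
        if not path.startswith("/ip firewall") or path.endswith("address-list"):
            continue
        for keys, defined, kind in ((IFACE_KEYS, iface_lists, "interface list"),
                                    (ADDR_KEYS, addr_lists, "address list")):
            for k in keys:
                name = p.get(k, "").lstrip("!")  # '!' negates the match
                if name and name not in defined:
                    problems.append(f"{p.get('comment', '?')}: {k}={name} is not a defined {kind}")
    return problems
```

`check(CONFIG)` returns an empty list for the commands as originally posted. If only the address-list entry is renamed while the rules still match on `src-address-list=WG-VPN`, the two filter rules and the NAT rule are reported.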