Hello, I have a Mikrotik RB750Gr2 router and I have upgraded it to RouterOS v7.12.1.
I have been setting up the router as a WireGuard server (with endpoint IP) and access it through a Windows client.
So far my setup is something like this:
A cable from my ISP router is coming to the internet port (ether1). I have assigned a static IP address (from my ISP router's DHCP range) and internet connectivity is working.
I have another cable coming into the 2nd port (ether2) with a local IP assigned; this cable is connected to a switch that has all my local devices that I want to access over the tunnel at the client's end.
I have set up the WireGuard interface and peer both in the Mikrotik router and the Windows client.
When I activate the tunnel on the client side, the connection is successfully established (handshake success). I can ping the IP of the WireGuard interface at the Mikrotik router and the IP I have assigned to the ether2 interface (local LAN at the router side). And from the Mikrotik router's terminal I can ping the WireGuard interface IP of the client.
I can ping and access the devices on my LAN through the Mikrotik router's terminal.
What I want to achieve is to be able to ping and access those devices in my local LAN from the Windows client side when I am connected to the tunnel.
For ease I have allowed all the traffic from both sides (0.0.0.0/0 for allowed IPs).
These configurations were done on a freshly reset router, no default configuration (hence no firewall or other settings).
I have tried adding static routes, firewall rules, changing allowed IPs but nothing seems to be working.
Anyone here who could point out if something else needs to be done would really be helping a lot.
First you need to back up and make a coherent plan, and before that read this → https://forum.mikrotik.com/viewtopic.php?t=182340
You will quickly surmise that putting 0.0.0.0/0 at both ends is not the right approach.
Once you have read it, you may make some changes to the config. Give it a try. If it is still not working,
then post your config here… and the WireGuard settings for the Windows client.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc…)
The below will help. I had the same problem. Put this in the input chain section, above "drop all else" in that section, of the firewall filter rules. You may not need the second one.
I took a look at the link provided by Anav. It's a lot to soak in. Great writeup and worth the read! It works better than what I posted previously. The below allows access to LAN & WAN.
A bit of advice: use the Mikrotik WG Peer in Winbox to add the peers. When configuring the peers, leave the Public Key blank, Private Key & PreShared Key set to auto. Fill in the rest. Click Apply & the keys will be generated for the client. In the same window, scroll down to the client config & copy it over (or set the client accordingly). You can also use the generated QR code for easy setup.
For reference, my WG setup is below. Client addresses are as example only:
Let's be clear on the advice…
/ip firewall filter
add action=accept chain=input comment="Rule: allow WireGuard" dst-port=your.WG.port protocol=udp
add action=accept chain=input comment="Rule: allow WireGuard traffic" src-address=your.LAN.network dst-address=your.LAN.network
The first rule is a user rule that basically states: allow the handshake from a client device to the WireGuard service ON the router. Not necessary if the router is not the server for the handshake.
In a dual or multi-WAN scenario, this gets a bit trickier depending upon priority and setup of the WANs.
The second rule is BS…
If you want client devices coming to the router to access your LAN, then you need a forward chain rule allowing this. Examples:
add chain=forward action=accept in-interface=wireguard1 dst-address=localsubnet { limit to a single subnet }
add chain=forward action=accept in-interface=wireguard1 out-interface-list=LAN { allow to all LAN subnets }
add chain=forward action=accept in-interface=wireguard1 out-interface=bridge-home { allow to subnets on the bridge }
You can also, if required, limit access to only one of the WireGuard clients:
add chain=forward action=accept in-interface=wireguard1 src-address=wireguard-remote-client-IP out-interface-list=LAN { allow remote admin to all LAN subnets }
Looking at the rule more closely, it's nonsensical because the input chain is for traffic TO the router.
The rule looks at traffic on a LAN-to-LAN basis, and thus is misplaced, at least in this scenario.
On the client device it should look like:
add allowed-address=192.168.50.0/24,routersubnetA,routersubnetB interface=wireguard1 endpoint-address=xxxxx endpoint-port=yyyyyy persistent-keep-alive=35s public-key="="
OR, if part of the deal is that the client is using the internet of the router only, or also the LAN, it should look like:
add allowed-address=0.0.0.0/0 interface=wireguard1 endpoint-address=xxxxx endpoint-port=yyyyyy persistent-keep-alive=35s public-key="="
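Pulling the thread's advice together, here is an added, constructed example of a minimal RouterOS v7 server config (not any poster's own config) with the input rule for the handshake, the forward rule from the tunnel to the LAN, and a peer whose allowed-address is restricted to one client instead of 0.0.0.0/0; the matching Windows client config is shown as comments at the end. All addresses, the port, interface names and key placeholders are assumptions.

```routeros
# Server side (RouterOS v7). Constructed example values:
# WAN = ether1, LAN = ether2 on 192.168.88.0/24, tunnel subnet 192.168.50.0/24
/interface wireguard
add name=wireguard1 listen-port=13231 mtu=1420
/ip address
add address=192.168.50.1/24 interface=wireguard1
/interface wireguard peers
# One peer per client; allowed-address is the client's tunnel IP only
add interface=wireguard1 public-key="<WINDOWS-CLIENT-PUBLIC-KEY>" \
    allowed-address=192.168.50.2/32 comment="windows laptop"
/interface list
add name=LAN
/interface list member
add interface=ether2 list=LAN
/ip firewall filter
# input chain: traffic TO the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=udp dst-port=13231 \
    comment="allow WireGuard handshake to the router"
add chain=input action=accept in-interface=wireguard1 \
    comment="tunnel clients may reach router services (e.g. ping, Winbox)"
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment="drop all else"
# forward chain: traffic THROUGH the router, this is what the OP was missing
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=wireguard1 out-interface-list=LAN \
    comment="tunnel clients -> all LAN subnets"
add chain=forward action=accept in-interface-list=LAN \
    comment="LAN -> anywhere (internet via ether1)"
add chain=forward action=drop comment="drop all else"

# Windows client (WireGuard for Windows tunnel file), same constructed values:
# [Interface]
# PrivateKey = <CLIENT-PRIVATE-KEY>
# Address = 192.168.50.2/32
# [Peer]
# PublicKey = <ROUTER-PUBLIC-KEY>
# Endpoint = <ROUTER-PUBLIC-IP>:13231
# AllowedIPs = 192.168.50.0/24, 192.168.88.0/24
# PersistentKeepalive = 25
```

With AllowedIPs limited to the tunnel and LAN subnets, only traffic for those networks enters the tunnel on the client, and the forward rule is what lets it reach the devices behind ether2.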