Method: RoadWarrior WireGuard tunnel
Reference: https://help.mikrotik.com/docs/display/ROS/WireGuard
Here is my network architecture:
Mac → Internet → non-ISP-managed cable modem (bring your own modem, not managed, no firewall) → MikroTik hAP ac
Here is my intended use with RoadWarrior setup:
- Log in remotely from the Internet into my MikroTik VPN server.
- Access the internal NAS on my home network.
- Route Internet traffic through the WireGuard VPN server (geolocation hiding).
Once I activated the client on my Mac, I was not able to ping the WireGuard peer and had no Internet access. I also checked the WireGuard interface on the router and there was no traffic.
The instructions listed do not specify the firewall rules in detail for public IP access. My MikroTik router is using the default settings in most cases.
Please let me know how I can enable the access from public IP.
Here is what I got from ChatGPT; I tried it, but it is still not working.
To enable access for a WireGuard road warrior setup on a MikroTik router from the internet using the router’s public IP, you need to set up the appropriate firewall rules. Here’s a step-by-step guide to achieving this:
- Add NAT Rule (Port Forwarding)
You need to forward incoming WireGuard traffic from the router’s public IP to the internal IP address of the WireGuard server. This allows the user to connect to the WireGuard server from the internet.
/ip firewall nat
add chain=dstnat dst-port=51820 protocol=udp action=dst-nat \
to-addresses=<INTERNAL_WG_SERVER_IP> to-ports=51820
Replace <INTERNAL_WG_SERVER_IP> with the internal IP address of your WireGuard server (the IP that your WireGuard server listens on).
- Add Firewall Filter Rules
These rules allow incoming WireGuard traffic and also establish a connection tracking entry so that the response packets can be correctly routed back to the client.
/ip firewall filter
add chain=input protocol=udp dst-port=51820 action=accept
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
- Enable Fasttrack (Optional)
If your router has Fasttrack enabled, you can add an exception to allow WireGuard traffic to bypass Fasttrack, as it may interfere with WireGuard’s operation.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept protocol=udp port=51820
Remember that enabling Fasttrack may impact other aspects of your firewall rules, so test your setup thoroughly after making this change.
- Apply Configuration
After you have added the necessary rules, they should be active immediately. You can now connect to your WireGuard server using the router’s public IP address.
Please note that security is crucial when exposing services to the internet. Ensure that you have strong authentication methods in place for your WireGuard setup, such as strong keys or certificates, to prevent unauthorized access.
Also, consider restricting the source IP addresses allowed to connect if possible. If you have a static IP, you can change the first rule (NAT rule) to include a “src-address” parameter to restrict access to your server from a specific IP address.
For example, if your static IP is 203.0.113.100:
/ip firewall nat
add chain=dstnat dst-port=51820 protocol=udp src-address=203.0.113.100 \
action=dst-nat to-addresses=<INTERNAL_WG_SERVER_IP> to-ports=51820
This way, only connections from your specific static IP will be forwarded to the WireGuard server.
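For comparison, here is an added example of a complete road-warrior configuration written against the RouterOS v7 WireGuard documentation linked above. It is not part of the original post and not ChatGPT's answer. It assumes a router running the default firewall (interface lists WAN and LAN, the "defconf" rule comments), the router itself terminating WireGuard on UDP 51820, a tunnel subnet of 10.10.10.0/24 with the router at 10.10.10.1, and the home LAN at 192.168.88.0/24; the interface name wireguard1 and <PEER_PUBLIC_KEY> are placeholders chosen for the example.

```routeros
# Added example (not from the original post or from ChatGPT's answer).
# Assumptions: RouterOS v7, default firewall with interface lists WAN/LAN,
# tunnel subnet 10.10.10.0/24 (router = 10.10.10.1), LAN 192.168.88.0/24.
# <PEER_PUBLIC_KEY> is a placeholder for the Mac client's WireGuard public key.

# 1. WireGuard interface on the router. The private key is generated on add;
#    "print" shows the router's public key to paste into the client config.
/interface wireguard
add name=wireguard1 listen-port=51820
print

# 2. Router address inside the tunnel.
/ip address
add address=10.10.10.1/24 interface=wireguard1

# 3. The road-warrior peer. allowed-address is the tunnel IP this client may
#    use. No endpoint is configured because the client's public IP changes.
/interface wireguard peers
add interface=wireguard1 public-key="<PEER_PUBLIC_KEY>" allowed-address=10.10.10.2/32

# 4. Input chain: accept the handshake arriving on the WAN interface.
#    The default configuration ends the input chain with
#    "defconf: drop all not coming from LAN", so this rule must be placed
#    above that drop; otherwise the handshake never reaches the interface
#    and the peer shows no traffic. No dst-nat is needed: the router itself
#    is the WireGuard endpoint.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=51820 \
    in-interface-list=WAN comment="WireGuard road warrior" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 5. Treat the tunnel as part of the LAN so the default forward and input
#    rules let clients reach the NAS, the router's DNS, and the Internet.
/interface list member
add list=LAN interface=wireguard1

# 6. Source NAT for tunnel clients going out to the Internet. The default
#    "defconf: masquerade" rule (out-interface-list=WAN) already covers this;
#    keep this explicit rule only if that default rule was changed.
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.10.10.0/24 \
    out-interface-list=WAN comment="WireGuard clients to Internet"

# 7. Verification after the client connects: a working peer shows a recent
#    last-handshake and non-zero rx/tx; the accept rule's packet counter
#    should increase with each handshake attempt.
/interface wireguard peers print detail
/ip firewall filter print stats where comment="WireGuard road warrior"
```

On the Mac side, the client's Address is 10.10.10.2/24, the Endpoint is the router's public IP with port 51820, and AllowedIPs decides what goes through the tunnel: 0.0.0.0/0 sends all Internet traffic through the router (the geolocation-hiding goal), while 10.10.10.0/24,192.168.88.0/24 tunnels only the VPN and home LAN. If the accept rule's counter stays at zero while the client is retrying, the packets are not reaching the router at all (modem or ISP filtering, wrong public IP or port); if the counter rises but last-handshake stays empty, the keys on the two sides do not match.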