Dear all,
I am quite excited about wireguard, and I successfully connect clients (Win, MacOS, Android, iOS) to a Mikrotik WG server. However, I fail to connect another Mikrotik router as a client; could some kind soul give me a hint how to do this? Here’s a sample client configuration; how would it map into a RouterOS configuration? I am in particular unclear about the WG interface’s listen port on the client side.
to tell you the truth I am also having the same problem and I THINK that I have followed the wiki 5 times without a mistake!
I am able to connect windows and android but not from a mikrotik (same version).
I am also wondering since this came up how can I tell when a client is connected on the server?
On L2TP/SSTP/PPTP/OVPN we see the active clients; what about in WireGuard?
You add the remote wireguard peer in exactly the same way you would if it was a client connecting into the router.
However wireguard on routerOS doesn’t automatically add routes so you will need to add any routes for remote networks you want to reach via wireguard.
The remote peer will either need the networks behind your RouterOS device that you want to be reachable in its AllowedIPs, or you’ll need a NAT rule in the firewall on the router to make any traffic appear to have come from the router itself.
Also, if you are planning to route 0.0.0.0/0 down wireguard, you also need either a static route for the IP of the wireguard server or to use a different routing table for the tunneled traffic, as you need to route the traffic for wireguard itself outside of the tunnel.
By the way, you don’t need to specify the IP/Port for the client side in the server side if you don’t want to (handy for dynamic IPs); if Wireguard receives a packet with the correct encryption it will just respond to whichever IP:Port the packet came from. (It actually does this even if you specify an endpoint IP; the endpoint IP is just what it will try in the first instance.)
Thanks, I am getting closer … in viewtopic.php?f=23&t=174417&p=861477&hi … rd#p861477 I did not find the configuration for a RouterOS WG client. So, here’s what I tried (the sample client configuration for my new RouterOS client is shown in my first post):
where CLIENT_PUBKEY is the pub. key of my wireguard-interface on the client.
And indeed: I can ping the 192.168.100.1 from 192.168.100.2, so this looks OK. I guess the only thing left to do is to set up routing/NATing correctly.
Is there anything I overlooked?
The confusing thing is the listen port on the client side, where the documentation says “Port for WireGuard service to listen on for incoming sessions”. Since a client won’t have incoming sessions, I guess it’s irrelevant and any port will do.
Sure you did, look harder: the RB4011 is a client WG device on the diagrams, it’s behind the Bell modem/router and thus is on a Bell subnet, but it’s a client.
Post your config
/export hide-sensitive file=anynameyouwish so I can see the rest of the config and not just snippets.
Also a network diagram to show the relationship of the two WG routers connected by internet, and the associated wireguard devices / subnets desired on the client side.
I am assuming you mean WG to WG where one is server and one is client??
In my case the IP route on the client wg router is as follows:
(1) dst=0.0.0.0/0 gateway=name of wg interface (as defined on the client router)
The Table is:
(2) table-wireguard
The Rule is:
(3) source address is the subnet my devices required wg connectivity are on.
src address=192.168.xx.0/24 / Lookup ONLY in table / Table=table-wireguard
I don’t use an IP address for the WG itself on either the client or server.
It actually turned out to be quite simple once I got it, here are the relevant parts of the client config:
# jun/19/2021 23:09:37 by RouterOS 7.1beta6
# software id = NMKX-MZTE
#
# model = 850Gx2
/interface wireguard add name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.100.2/24,N.M.0.0/16 endpoint-address=<WG server IP> endpoint-port=12345 interface=wireguard-client public-key="Server Public Key="
/ip address add address=192.168.100.2/24 interface=wireguard-client network=192.168.100.0
/ip dhcp-client add disabled=no interface=ether1
/ip route add dst-address=N.M.0.0/16 gateway=192.168.100.1
It’s a test router, connected to the Internet via NAT; there is nothing else of relevance. I removed the public IPs, since I do not want to see the Internet test their setups against them.
The WG server is pretty much standard as documented at various places, it listens at :12345. 192.168.100.0/24 is the subnet for the tunnel and all end points; the server endpoint 192.168.100.1 is NATing WG traffic into the target networks.
As a result, N.M.0.0/16 is reachable from the client router, I guess this should be enough for others to successfully configure RouterOS as a WG client.
Overall, I’d like to remark that the WG documentation (at least the parts I found) is hard to understand and not very precise, so it’s tough to get things working. It’s also hard to debug a WG setup, since there is no direct indication if a peer successfully connects as with other VPNs. You can debug it to some extent by torch-ing the WG interface and enabling logs of corresponding fw rules firing, but it’s not fun. More logging is badly needed. Besides this, speed is terrific, but deployment does not scale beyond toy scenarios with the implementation provided so far. So, I conclude with Dante Alighieri: Lasciate ogni speranza, voi ch’entrate :-).
I tried this to make all internet requests go through my Wireguard tunnel, and it worked. But it worked too well, sending all 192.168.x.x requests into the Wireguard tunnel as well, effectively blocking me from accessing the router. Any idea how I can prevent local addresses going through the tunnel?
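The following RouterOS 7 snippet is an added example, not posted by anyone in this thread: it combines the separate-routing-table approach described earlier (default route only inside a dedicated table, endpoint pinned to the uplink) with a routing rule that keeps 192.168.x.x destinations out of the tunnel, which is the problem raised in the post above. The interface name wireguard-client, the LAN 192.168.88.0/24 and the <ISP gateway> placeholder are assumptions; <WG server IP> is the same placeholder used in the client config earlier in the thread.

```routeros
# Added example (not from this thread). Assumed: interface wireguard-client,
# LAN 192.168.88.0/24, placeholders <WG server IP> and <ISP gateway>.

# 1. Dedicated routing table for tunnelled traffic. "fib" installs it in
#    the kernel so routes in it are actually used, not only looked up.
/routing table add name=table-wireguard fib

# 2. Default route lives ONLY in that table. The main table keeps its
#    normal default via the ISP, so the router itself is unaffected.
/ip route add dst-address=0.0.0.0/0 gateway=wireguard-client routing-table=table-wireguard

# 3. Pin the WireGuard endpoint to the real uplink. Only strictly needed if
#    a tunnel default route ever lands in the main table, but it guarantees
#    the handshake packets never get routed into the tunnel they build.
/ip route add dst-address=<WG server IP>/32 gateway=<ISP gateway>

# 4. Rules are evaluated top to bottom. First rule: LAN traffic to any
#    192.168.x.x destination (local subnets, the router, the tunnel
#    transfer net 192.168.100.0/24) is resolved in the main table and so
#    stays out of the tunnel. Second rule: everything else from the LAN is
#    forced into the WireGuard table, i.e. out through the tunnel.
/routing rule add src-address=192.168.88.0/24 dst-address=192.168.0.0/16 action=lookup-only-in-table table=main
/routing rule add src-address=192.168.88.0/24 action=lookup-only-in-table table=table-wireguard

# 5. As noted earlier in the thread: the server must list the LAN in this
#    peer's AllowedIPs, or the client masquerades LAN traffic onto its own
#    tunnel address so replies are accepted. This is the masquerade option.
/ip firewall nat add chain=srcnat out-interface=wireguard-client action=masquerade
```

Order of the two routing rules matters: if the table-wireguard rule were listed first, it would match all LAN traffic and the 192.168.0.0/16 exception would never be reached, which reproduces exactly the lock-out described above.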
Thanks @anav and @Sob for your numerous efforts in helping with WireGuard for novices in it!
Your comments helped me as well, to deploy a rarer WG setup.
And thanks @DL7JP for sharing your story completion and the overall remark.