How to access Mikrotik behind Starlink (CGNAT) [SOLVED]

What public VPN Server is better to use for this purpose? Is there free (without paid subscription) service?

You probably already have one at home; that is good enough, if not for a high-speed connection, if you have a cabled connection.
I have a VDSL connection with an ISP modem, where I can forward a port to one of my LAN devices. That’s all I need. That LAN device used is the cheapest MT (hAP Lite) I have. It functions as the VPN server, using the free MT DDNS registration to be found.

From my remote network (behind Starlink router and also doing load failover to CGNATted 4G networks), a MT router is the VPN client, connecting to my hAP Lite, with one or more of the many VPN possibilities.
I connect to my remote LAN this way. This is possible without modifications to that remote network, because the hAP Lite and the remote MT router both use NAT.
On the road I connect to the same hAP Lite (server) as well, directly from my device or by using a mAP Lite as a road warrior (and repeater) device with a VPN client.

Everywhere I drop such a MT router and connect to the LAN which has Internet access, I remotely operate as member of that LAN. There may be “n” NAT or CGNAT, doesn’t matter.

If you connect to it, does it give you a public IP address? If so, then yes, that helps. But if Surfshark has any stateful firewall or gives you a private address, then NO.

Fair enough. But enabling IP forwarding is a pretty big change that’s not the default on most OSes – I was thinking there was a ZT client option I’d missed. Doesn’t seem like it even helps here, however.

Hello my dear mf! Yeah, I’m aware of that! Cheers :wink: :heart:

Unfortunately, it will be a real challenge to get everything to work on the same device with just that short time left. A few possible options:

  1. Buy a new router that is able to run ZeroTier, Tailscale or similar.
  2. Or configure a router (mikrotik, pc, rpi or whatever) at home using Wireguard with your own virtual network. Configure your travel device (hAP ac lite) to connect to your home router using Wireguard (like @bpwl explained)

Ps..
Sorry, Surfshark is just for “outgoing” traffic just as most regular vpn providers.

Perfect, that is all you need to set up WireGuard.
I just set up my WireGuard in a few minutes, and I could provide a host for your devices, so it should be easy for you to do as well.

BUT is the static WAN a public IP? How do you get it? Does the ISP modem provide it to you?
When you go to what’s my IP, is it the same IP as in your router settings???

@vitaly2016: @anav is a real expert on Wireguard so if you let him help you it might work out anyway. Fingers crossed and good luck!

Yes, I have static public IP at my RB3011. This is additional paid service of my ISP.

So if I understand correctly, I should perform these steps:

  1. Set up the WireGuard server at my RB3011
  2. Set up the WireGuard client at the hAP ac lite (at Starlink’s end)
    Honestly, I haven’t had any experience with WireGuard yet, so please don’t be surprised by my stupid questions.
    If I connect 2 routers (contra spem spero) by WireGuard, how can I manage the remote hAP ac lite via Winbox?

@vitaly2016, forget about Surfshark. Surfshark and other similar services are called VPN because they use the same technologies like “real” VPNs, but their purpose is different.

Even though you have your own router with a public address, in your case spawning a virtual Mikrotik somewhere in a datacenter in the EU might be a better option than using a home router, because in this case the central node of your VPN will not depend on your home ISP, which may suffer from power outages, and you can connect to that central node from your home using a Starlink terminal too if your wired ISP is down.

The WireGuard solution as proposed by @anav is currently the simplest VPN protocol to configure. Plus WireGuard (and also IPsec, but that one is the most complex to configure) can use the central point only to forward the encrypted traffic without having to decrypt and re-encrypt it, which may be advantageous for your use case. I have done that before.

If it’s a static WAN and public IP and you don’t have time right now to organize a data center (Sindy’s on-point suggestion is great)…
Here is a sample of what you need to do on both MT devices.

Step 1
Need to ensure your RB3011 is at 7.6 or better 7.7 firmware ( latest stable).

Step2 - Wireguard Settings (On RB3011)

  1. Add Wireguard Interface - name= WG-UKR
  2. Add listening port = 15555 ( you choose )
  3. Hit Enter
  4. Router generates a hidden private key but a visible PUBLIC KEY.
    ( The public key is what you will insert at the MT HAP device and any remote devices you may wish to use on the road ( laptop, ipad, iphone etc as many as you want)

Step3 - Create Subnet

  1. Add IP address with gateway=WG-UKR ex. 172.16.16.1/24

Step 4 - Create Peers in Wireguard (on RB3011)

  1. allowed IPs = 172.16.16.2/32,MTHAPsubnet (if applicable) Public Key (insert public key generated by MT hap device in its wireguard settings ), COMMENT=“Peer1 - MTHAP”
  2. allowed IPs= 172.16.16.3/32 Public Key (insert public key generated by device ), COMMENT=“Peer2 - Admin laptop remote”
  3. allowed IPs=172.16.16.4/32 Public Key (insert public key generated by device ), COMMENT=“Peer3 - Admin iphone remote”

Step 5 - Create firewall Rules (in RB3011)

  1. add chain=input action=accept dst-port=15555 protocol=udp log=yes log-prefix="Initial Handshake" { WireGuard is UDP only }
  2. add chain=input action=accept in-interface=WG-UKR src-address-list=ADMIN { to enable access to RB3011 when you are remote }
  3. Firewall address list
    add IP address=172.16.16.3/32 list=ADMIN
    add IP address=172.16.16.4/32 list=ADMIN
  4. add chain=forward action=accept in-interface=WG-UKR out-interface=WG-UKR src-address-list=ADMIN { allows you after reaching 3011 remotely to then go to MTHAP }
  5. add chain=forward action=accept in-interface=TrustedSubnet out-interface=WG-UKR src-address=IPAdmin { allows you on local subnet of RB3011 to go to MTHAP }
  6. add chain=forward action=accept in-interface=WG-UKR dst-address=TrustedSubnet src-address-list=ADMIN { allows you after reaching 3011 remotely, to go to local 3011 subnet }

Step6 - Routes. ( default route takes care of all traffic )

  1. dst-address=172.16.16.0/24 gwy=WG-UKR table=main { created by router when entered in the wireguard IP address }
  2. If applicable you want to be able to access a subnet on the MTHAP for any reason then you will need a route as follows.
    dst-address=MTHAPSubnet gwy=WG-UKR routing-table=main

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Step 7
Need to ensure your MTHAP is at 7.6 or better 7.7 firmware ( latest stable).

Step8 - Wireguard Settings (On MTHAP)

  1. Add Wireguard Interface - name= WG-CLIENT
  2. Add listening port = 15555 ( put same as other )
  3. Hit Enter - Router generates a hidden private key but a visible PUBLIC KEY.
    ( The public key is what you will insert at the RB3011 Router )

Step 9 - Create Subnet

  1. Add IP address with gateway=WG-CLIENT 172.16.16.2/24

Step 10 - Create Peer in Wireguard (on MTHAP)

  1. allowed IPs = 172.16.16.0/24,TrustedSubnet (if applicable from RB3011) Public Key (insert public key generated by RB3011), COMMENT="Peer - RB3011", endpoint address=WANIP(rb3011), endpoint port=15555, keep alive=30 seconds

Step 11 - Create firewall Rules (in MTHAP)

  1. add chain=input action=accept in-interface=WG-CLIENT src-address-list=TRUSTED { to enable access to MTHAP from RB3011 or when remote }
  2. Firewall address list
    add IP address=172.16.16.0/24 list=TRUSTED
    add IP address=AdminIP ON RB3011 list=TRUSTED
  3. add chain=forward action=accept in-interface=WG-CLIENT dst-address=MTHAPSubnet (if applicable for admin to reach MTHAP subnet)
    (Assuming no need for LAN devices on MTHAP to reach LAN on RB3011)

Step 12 - Routes. ( default route takes care of all traffic )

  1. dst-address=172.16.16.0/24 gwy=WG-CLIENT table=main { created by router when entered in the wireguard IP address }
  2. If you want to be able to access a subnet on the MTHAP from the RB 3011 then you need a return route for that traffic!!
    dst-address=TrustedSubnet on RB3011 gwy=WG-CLIENT routing-table=main

++++++++++++++++++++++++++++++

example setup remote connection via iphone to RB3011

Name: WG-RB
Public Key Generated by IPHONE ( need to put in peer settings for the iphone on the RB3011)
Address=172.16.16.4
MTU 1420
DNS Servers 1.1.1.1,9.9.9.9

PEER
Public Key ( the public key inserted here that was generated by the RB3011 )
Endpoint address= FixedWANIP of rb3011
Endpoint port=15555
Allowed IPs=172.16.16.0/24,Trustedsubnet on RB3011, MTHAPSubnet { if applicable }
keep-alive=45 seconds
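The twelve steps above written out as RouterOS v7 CLI, as an added example that is not from the post, from @anav's guide or from MikroTik. Placeholder values are assumptions, not from the thread: 192.168.10.0/24 is the trusted LAN behind the RB3011 (interface "bridge"), 192.168.10.10 the admin PC on it, 192.168.88.0/24 the LAN behind the hAP (also on "bridge"), 203.0.113.10 the RB3011 static WAN IP, and the PASTE_... strings are the public keys each device prints after its interface is created.

```routeros
# Added example (not the thread's own config): RB3011 hub + hAP behind CGNAT.
# Assumed placeholders: 192.168.10.0/24 RB3011 LAN, 192.168.10.10 admin PC,
# 192.168.88.0/24 hAP LAN, 203.0.113.10 RB3011 static WAN IP, "bridge" = LAN interface.

# ===== RB3011 (static public IP, WireGuard "server") =====
/interface/wireguard
add name=WG-UKR listen-port=15555 comment="hub for hAP and admin devices"
# print the public key that has to be pasted into every peer's config
:put [/interface/wireguard/get [find name=WG-UKR] public-key]

/ip/address
add address=172.16.16.1/24 interface=WG-UKR

# allowed-address is both the peer ACL and the route selector, so the hAP's
# LAN must be listed on its peer entry to be reachable through the tunnel
/interface/wireguard/peers
add interface=WG-UKR public-key="PASTE_HAP_PUBLIC_KEY" \
    allowed-address=172.16.16.2/32,192.168.88.0/24 comment="Peer1 - MTHAP"
add interface=WG-UKR public-key="PASTE_LAPTOP_PUBLIC_KEY" \
    allowed-address=172.16.16.3/32 comment="Peer2 - Admin laptop remote"
add interface=WG-UKR public-key="PASTE_IPHONE_PUBLIC_KEY" \
    allowed-address=172.16.16.4/32 comment="Peer3 - Admin iphone remote"

/ip/firewall/address-list
add address=172.16.16.3 list=ADMIN
add address=172.16.16.4 list=ADMIN

# place these accept rules above the usual final drop rules;
# WireGuard is UDP only, a TCP rule would never match a handshake
/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=15555 \
    log=yes log-prefix="WG handshake" comment="WireGuard listen port"
add chain=input action=accept in-interface=WG-UKR src-address-list=ADMIN \
    comment="admin devices may manage the RB3011 over the tunnel"
add chain=forward action=accept in-interface=WG-UKR out-interface=WG-UKR \
    src-address-list=ADMIN comment="remote admin -> hAP via the hub"
add chain=forward action=accept in-interface=bridge out-interface=WG-UKR \
    src-address=192.168.10.10 comment="local admin -> hAP"
add chain=forward action=accept in-interface=WG-UKR dst-address=192.168.10.0/24 \
    src-address-list=ADMIN comment="remote admin -> RB3011 LAN"

# 172.16.16.0/24 is already a connected route; only the hAP LAN needs one
/ip/route
add dst-address=192.168.88.0/24 gateway=WG-UKR comment="LAN behind MTHAP"

/interface/list
add name=Manage
/interface/list/member
add interface=WG-UKR list=Manage
add interface=bridge list=Manage
/tool/mac-server/mac-winbox
set allowed-interface-list=Manage

# ===== hAP ac lite (behind Starlink CGNAT, WireGuard "client") =====
/interface/wireguard
add name=WG-CLIENT listen-port=15555
:put [/interface/wireguard/get [find name=WG-CLIENT] public-key]

/ip/address
add address=172.16.16.2/24 interface=WG-CLIENT

# the hAP always dials out: persistent-keepalive keeps the CGNAT mapping open,
# so no inbound rule for UDP 15555 is needed on this side
/interface/wireguard/peers
add interface=WG-CLIENT public-key="PASTE_RB3011_PUBLIC_KEY" \
    endpoint-address=203.0.113.10 endpoint-port=15555 \
    allowed-address=172.16.16.0/24,192.168.10.0/24 \
    persistent-keepalive=30s comment="Peer - RB3011"

/ip/firewall/address-list
add address=172.16.16.0/24 list=TRUSTED
add address=192.168.10.10 list=TRUSTED

/ip/firewall/filter
add chain=input action=accept in-interface=WG-CLIENT src-address-list=TRUSTED \
    comment="manage the hAP from the RB3011 side or from remote admins"
add chain=forward action=accept in-interface=WG-CLIENT dst-address=192.168.88.0/24 \
    src-address-list=TRUSTED comment="admins may reach the hAP LAN"

# return route so replies towards the RB3011 LAN go back through the tunnel
/ip/route
add dst-address=192.168.10.0/24 gateway=WG-CLIENT comment="LAN behind RB3011"

/interface/list
add name=Manage
/interface/list/member
add interface=WG-CLIENT list=Manage
add interface=bridge list=Manage
/tool/mac-server/mac-winbox
set allowed-interface-list=Manage
```

Apply the RB3011 half first, copy its printed public key into the hAP peer entry, then apply the hAP half and paste the hAP's key back into "Peer1 - MTHAP" on the RB3011. Winbox over the tunnel then works from either end once both address lists are filled in; if a peer never shows a handshake, the "WG handshake" log prefix on the RB3011 input rule is the first place to look.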

@Amm0: Yup, it’s a limitation; these settings are not handled directly by the member nodes (ZT nodes). Unfortunately, the same goes for almost all open source clients for Wireguard, TailScale etc. It’s almost like the FOSS community is bad at it cause they are bored by doing that kind of work.

I do understand there might be some challenges managing this directly in regular routers like Mikrotik, but it should definitely be standard on common clients for Windows, macOS and Linux.

Most proprietary solutions for SD-WAN are much better at handling that kind of client configuration changes in a uniform way but do it in slightly different ways, some just push configuration files, others use real-time APIs.

Good questions.
It gets a bit hard to predict what you will need without seeing the config.
If you can at least make an attempt at the wireguard setup and then post your RB3011 config
/export file=anynameyouwish ( minus router serial number and any public WANIP information or keys )

Then we can refine to ensure you have winbox access.
Right now the setup provided gives you access to winbox generally speaking to the MTHAP from both RB3011 and remotely, and from remote connections to RB3011.
However there are things you may have in your config that block such access.

Ensure in the winbox Services list you don’t enter any IPs in the From column, so that all are accepted at this location.
I do recommend using
/tool mac-server mac-winbox
set allowed-interface-list=Manage

Where on both the RB3011 and MTHAP you create an interface list
/interface
add name=Manage

RB3011
/interface list member
add interface=WG-UKR list=Manage ( remote access)
add interface=TrustedSubnet list=Manage (where the admin does his local work while at the RB3011)

MTHAP
/interface list member
add interface=WG-CLIENT list=Manage (remote access)
add interface=MTHAPSubnet list=Manage (where the admin does his local work while at the MTHAP)

More annoyed that this would be trivial with ZeroTier on MIPSBE. Drop the ZeroTier interface into the bridge and enable bridging on ZT Central**. Or use IP routing if preferred.

** Now to your point about the subtle details in OSS that get missed… ZT desktop client won’t accept a real DHCP response to assign an address, so ZT clients have to be assigned MT LAN address outside the MT DHCP scope making it slightly more complex to bridge ZT and ROS, but we digress…

But yes WG to a DC sounds like the way to go for sure here.

I haven’t been able to figure out myself why a minimal ZeroTier without the big controller on MIPSBE would be such a problem, but maybe it’s because of some dependencies in the source tree they didn’t manage to get rid of. Since RoS v7 has become such a monolithic package, it’s probably a lack of system resources, thus they probably don’t consider it worth the hassle to port it to MIPSBE devices that would actually be able to run it.

How about setting up Wireguard as suggested and using the Telegram bot feature to afterwards change which IP it should connect to?

See the recent movies from the Mikrotik Youtube page:
https://www.youtube.com/watch?v=KLX6j3sLRIE&t=407s
https://www.youtube.com/watch?v=xYLYRmpM-Zo

Not sure a potentially fragile script that requires a beta version of ROS be recommended in this case.

Or use a script to pull the IP from a webpage every xx mins/hours.

I’m not sure what the purpose should be? If it was enough to have command line access to the remote Tiks, the Telegram solution alone would be sufficient (but I fully agree with @Amm0’s remark regarding its fragility). But the OP wants to use Winbox, so a command line solution is clearly insufficient. And if he’s got a router on a static public IP, there’s no point in using a complicated solution to change the address to connect to on the remote routers. Using a DNS name rather than a fixed address would of course be more flexible; using two or more routers on different public IPs makes it possible to change the address of one of them and reconfigure the remote routers using the other one(s).

Just a side note that might be useful in the future.

I’m aware OP has a static WAN address at home, but it’s worth noting that the current implementation of Wireguard doesn’t handle dynamic DNS addresses, thus you might need a script that will monitor the public IP address at home if it for some reason would change.

Here is an example of a script found in @anav’s excellent guide “Wireguard Success For The Beginner” that detects if a Wireguard endpoint address has changed.

Yes, concur; in this case it’s easier as the WAN IP is fixed.
In the dynamic case, one uses the IP Cloud address of the MT server router on the MT client device, and as you note a script is required for any reason there is an interruption in the service at the server end (be it IP address change, power outage etc.).

It’s a feature that MT should build into their code for wireguard, tied to the fact that if “KEEP ALIVE” has been set on the MT client device, then a script should run automatically when keep alive returns have not been sent back to the MT client device…

It could be as simple as a script to keep attempting to resolve the IP Cloud name entered… As there is no point trying the wireguard tunnel until it’s resolved…
1st iteration - 2 minutes
2nd iteration - 5 minutes
3rd iteration - 10 min
4th iteration - 30 min
5th iteration - 1 hr
6th iteration - 6 hrs
7th iteration - 24 hrs
8th iteration - 48 hr
If no joy, report dead WG connection.
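As an added example, not code from the thread, from @anav's guide or from MikroTik, a RouterOS v7 script that follows exactly this retry schedule on the client router: it re-resolves the server's IP Cloud name with the growing pauses listed above, writes the address into the WireGuard peer when it changes, and logs a dead tunnel after the eighth failure. The DDNS name and the peer comment are assumed placeholders.

```routeros
# Added example (not from the thread): resolve the server's IP Cloud name with
# the backoff schedule from the post above and update the WireGuard peer.
# Assumed placeholders: the DDNS name and the peer comment "Peer - RB3011".
:local ddnsName "PLACEHOLDER.sn.mynetname.net"
:local peerComment "Peer - RB3011"
# pause before the next attempt: 2m, 5m, 10m, 30m, 1h, 6h, 24h, 48h
:local schedule {2m;5m;10m;30m;1h;6h;24h;48h}
:local resolved ""
:local done false
:local attempt 0

# :foreach has no break, so the flag skips the remaining iterations once resolved
:foreach pause in=$schedule do={
    :if (!$done) do={
        :set attempt ($attempt + 1)
        :do {
            # :resolve throws when the name cannot be resolved
            :set resolved [:resolve $ddnsName]
            :set done true
        } on-error={
            :log warning ("WG: attempt " . $attempt . " could not resolve " . \
                $ddnsName . ", next try in " . $pause)
            :delay $pause
        }
    }
}

:if (!$done) do={
    # all eight attempts failed (about 4.5 days of waiting): report the tunnel dead
    :log error ("WG: giving up on " . $ddnsName . ", peer " . $peerComment . " is dead")
} else={
    :local peer [/interface/wireguard/peers/find comment=$peerComment]
    :local current [/interface/wireguard/peers/get $peer endpoint-address]
    # endpoint-address is stored as a string, so compare both sides as strings
    :if ([:tostr $current] != [:tostr $resolved]) do={
        /interface/wireguard/peers/set $peer endpoint-address=$resolved
        :log info ("WG: endpoint for " . $peerComment . " changed " . \
            $current . " -> " . $resolved)
    } else={
        :log info ("WG: endpoint for " . $peerComment . " unchanged (" . $resolved . ")")
    }
}
```

The script only covers the resolve-and-update half of the idea; the trigger the post asks for (run when keepalive replies stop arriving) would be a separate scheduler entry that inspects the peer's last-handshake age and starts this script when it exceeds a few keepalive intervals. Because the later pauses are hours long, run it from a scheduler rather than interactively, and keep the policy to read, write, test and script.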