How to connect to a Wireguard provider?

First, apologies if my explanation is not clear. I’m very new to networking and trying to learn by doing. These terms and concepts are still unfamiliar.

My scenario is as follows:

  1. I have a remote WireGuard server. I am able to successfully connect to this from individual devices (e.g., iPhone) and route internet traffic via the server.
  2. I have just purchased my first Mikrotik router. I have successfully set it up so that all devices in my Home are connected and can access the internet.
  3. I’m trying to configure WireGuard on the Mikrotik. I want to be able to switch on/off a connection between the Mikrotik and the WireGuard server, so that internet traffic from my Home is routed via WireGuard.

I’ve learned a lot from information on this site, especially
https://help.mikrotik.com/docs/display/ROS/WireGuard and
https://forum.mikrotik.com/viewtopic.php?t=182340

But I’m still finding myself confused by new terms and concepts. I keep misconfiguring the router, being unable to access its IP, and having to factory reset the configuration and start over.

Grateful if someone could take a look over my approach and let me know if I’m on the right track. Appreciate any pointers in the right direction.

# create WireGuard interface using keys provided by the WireGuard server
/interface/wireguard
add listen-port=13231 name=WGinterface private-key="client-private-key"

# add WireGuard peer using the endpoint address and port provided by the WireGuard server. Permit requests to any IP / the internet by allowing 0.0.0.0/0
/interface/wireguard/peers
add allowed-address=0.0.0.0/0 endpoint-address=server.public.ip.address endpoint-port=51820 interface=WGinterface public-key="server-public-key"

# assign IP address to the WireGuard interface
# Currently set to the interface address provided by the WG server, but I'm not sure whether this is correct.
/ip address
add address=10.1.1.2/24 interface=WGinterface

# add a routing table to direct internet traffic via the WireGuard server
/routing table
add name=useWG fib

# add a rule to direct traffic to the routing table. If WG is down/inaccessible users can access the internet locally (i.e., action=lookup rather than action=lookup-only-in-table).
# For testing purposes src-address = all devices on my local network. I will probably constrain this to one or two specific devices once things are working.
# After reading the guides linked above I'm unsure whether a route for return traffic (replies) is also needed, or whether this is only necessary under specific circumstances (e.g., if there is a second WG tunnel connecting to remote/offsite users).
/routing rule
add src-address=192.168.1.0/24 action=lookup table=useWG

# add a route to the useWG table to force all requests to the internet (i.e., 0.0.0.0/0) to use the WG interface
/ip route
add dst-address=0.0.0.0/0 gateway=WGinterface routing-table=useWG

# The WireGuard server provided an interface address of 10.1.1.2/24. As the server is expecting traffic from 10.1.1.2/24 I think I need to source NAT, is this correct? Does this need to be assigned to the useWG table?
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WGinterface

I really appreciate any help to get this working. Or at least to identify what I am doing wrong that causes me to lose local IP access and have to factory reset the Mikrotik router. Please let me know if any additional information is needed.

Lacking information:
a. complete config: /export file=anynameyouwish (minus router serial number, public WAN IP information, keys etc.)

Assuming this is a third-party provider, what information did they give you? Assuming:
private key (for you to put into the MikroTik so that they will know the public key generated)
their public key to put in the peer settings on the router
endpoint address / endpoint port
YOUR WireGuard ADDRESS (this we need to know)
any DNS?? (this we need to know)
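The five items in the checklist above (your private key, their public key, endpoint address and port, your tunnel address, DNS) are exactly what a provider's wg-quick style file carries under [Interface] and [Peer]. As an added example that is not code from this thread or from MikroTik, the Python script below parses such a file, checks that both keys decode to 32 bytes, and emits the RouterOS v7 commands for the LAN > MikroTik > provider > internet setup the original post is building. The interface name `WGinterface`, table `useWG`, LAN subnet `192.168.1.0/24`, listen port 13231 and the sample config with dummy keys are assumptions; the extra `dst-address` routing rule that keeps LAN-bound traffic in the main table is a guard added here, not something the thread states.

```python
"""Turn a provider's wg-quick style WireGuard config into RouterOS v7 commands.

Added example for this thread; not code from the original post or from MikroTik.
Interface name, table name, LAN subnet, listen port and the sample config are
assumptions chosen here.
"""
import base64
import ipaddress

# Constructed dummy keys (32 counting/zero bytes), NOT real WireGuard keys.
CLIENT_PRIV = base64.b64encode(bytes(range(32))).decode()
SERVER_PUB = base64.b64encode(bytes(32)).decode()

# Constructed sample in the shape a provider typically issues (not a real account).
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {CLIENT_PRIV}
Address = 10.1.1.2/24
DNS = 10.1.1.1

[Peer]
PublicKey = {SERVER_PUB}
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse [Interface]/[Peer] sections into {'interface': {...}, 'peers': [...]}.
    Repeated keys (several AllowedIPs lines) are joined with commas."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = iface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))  # keys never contain '='
            current[key] = f"{current[key]},{value}" if key in current else value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    if "PrivateKey" not in iface or "Address" not in iface or not peers:
        raise ValueError("need [Interface] PrivateKey, Address and at least one [Peer]")
    return {"interface": iface, "peers": peers}


def check_key(b64):
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 chars, trailing '=')."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:                           # binascii.Error is a ValueError
        return False


def split_endpoint(endpoint):
    """'host:port' or '[v6]:port' -> (host, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if not host or not port.isdigit():
        raise ValueError(f"bad Endpoint {endpoint!r}")
    return host, int(port)


def routeros_commands(conf, wg_name="WGinterface", table="useWG",
                      lan="192.168.1.0/24", listen_port=13231):
    """Commands for LAN > MikroTik > provider > internet with policy routing."""
    iface = conf["interface"]
    if not check_key(iface["PrivateKey"]):
        raise ValueError("PrivateKey is not a 32-byte base64 key")
    address = ipaddress.ip_interface(iface["Address"].split(",")[0].strip())  # as issued
    lan_net = ipaddress.ip_network(lan)
    cmds = [f'/interface/wireguard add name={wg_name} listen-port={listen_port} '
            f'private-key="{iface["PrivateKey"]}"']
    for peer in conf["peers"]:
        if not check_key(peer["PublicKey"]):
            raise ValueError("peer PublicKey is not a 32-byte base64 key")
        host, port = split_endpoint(peer["Endpoint"])
        allowed = ",".join(str(ipaddress.ip_network(a.strip(), strict=False))
                           for a in peer.get("AllowedIPs", "0.0.0.0/0").split(","))
        cmd = (f'/interface/wireguard/peers add interface={wg_name} public-key="{peer["PublicKey"]}" '
               f'endpoint-address={host} endpoint-port={port} allowed-address={allowed}')
        if "PresharedKey" in peer:
            cmd += f' preshared-key="{peer["PresharedKey"]}"'
        if "PersistentKeepalive" in peer:            # keeps the NAT mapping alive
            cmd += f' persistent-keepalive={int(peer["PersistentKeepalive"])}s'
        cmds.append(cmd)
    cmds += [
        f"/ip/address add address={address} interface={wg_name}",
        f"/routing/table add name={table} fib",
        f"/ip/route add dst-address=0.0.0.0/0 gateway={wg_name} routing-table={table}",
        # Assumption/guard added here: keep LAN-bound traffic (including the router's
        # own LAN address) in main, so the 0.0.0.0/0 route in the table cannot capture it.
        f"/routing/rule add dst-address={lan_net} action=lookup-only-in-table table=main",
        f"/routing/rule add src-address={lan_net} action=lookup table={table}",
        f"/ip/firewall/nat add chain=srcnat out-interface={wg_name} action=masquerade",
    ]
    if "DNS" in iface:
        cmds.append(f"# provider DNS {iface['DNS']}: hand it to LAN clients if DNS should go through the tunnel too")
    return cmds


if __name__ == "__main__":
    print("\n".join(routeros_commands(parse_wg_conf(SAMPLE_CONF))))
```

Paste the printed lines into the terminal one at a time (or as a script), then confirm the handshake with `/interface/wireguard/peers print` before turning on the routing rule; the tunnel address is emitted with the mask the provider issued rather than silently changed.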

Hi Anav

Thanks for this. Actually you already helped me immensely over on this post. Not sure why I have a duplicate or why I can’t delete this one.

LAN > Mikrotik > Wireguard provider > internet is now working for me.

I’m thinking about more advanced setups, and getting ready to post a new question to this forum. Before I do, can I quickly check something with you?

If I have a LAN network:

LAN > Mikrotik > Wireguard provider > internet

and want to connect to this LAN from remote locations:

Roadwarrior laptop > internet > Wireguard provider > Mikrotik > LAN

If I’m using a third-party WireGuard provider for which I have no config access, is this possible? Or do I need to configure the WireGuard server to route traffic correctly?

A couple of points. One limitation is how many clients your third-party provider gives you.
If it's just one, then you can use the router as a client.
If it's more, then you can have the router and X number of mobile clients connecting to the third-party VPN.

The second limitation is that these third-party providers are designed to provide hidden IP/location internet access and NOT necessarily inter-client WireGuard communication.
Do you have any specific details from the third-party provider that they allow inter-client communication if multiple clients are permitted??

A VPS WireGuard server in the cloud, or even better MikroTik ROS in the cloud (server farm somewhere), will give you the control to make all of this happen.
In this type of setup we have control over the firewall rules and routing at the third-party location, so to speak.

Thanks! extremely useful as always.

A WireGuard VPS is definitely an option - I had been considering spinning up WireGuard on Lightsail anyway.

Just to check, if I went down this route, I would need to configure IP routes on the VPS to handle this inter-client communication, right? I mean, this is more involved than a simple WireGuard config option, correct?

Interesting, I had not thought about putting RouterOS in the cloud. I was thinking about Ubuntu or Amazon Linux. Why do you say ROS would be “even better” (other than being an OS specifically designed for network config, of course)?

Because I know how to configure routes, firewall rules and WireGuard on ROS; I have no clue how to do that on a PC or server… If you are comfortable doing so, then no issues.
Yes, for any subnets not local to the VPS, you need to provide routes.
Yes, the firewall rules on the VPS will need to ensure the required traffic flow is permitted.

Thanks Anav

I have managed to configure Wireguard and I can now successfully access all devices on my LAN from a remote location.

But, I can not access the Mikrotik itself (webui or ssh).

Any idea why this would be?

I have posted more details here http://forum.mikrotik.com/t/why-cant-i-remotely-connect-to-mikrotik-over-wireguard-but-can-connect-to-all-other-lan-devices/168511/1

I don't recommend connecting to the MT either way, especially when you have a working WireGuard connection?
What you need is an additional input chain rule.

/ip firewall filter
add chain=input action=accept in-interface=wireguard_name
# optional: add src-address-list=Admin to the same rule
# the rule only takes effect if it sits above the default "drop all not coming from LAN" input rule (use place-before= when adding it)

The optional bit is valid if you have other WireGuard users besides yourself and they have no need to access the router itself; then you simply use the src-address-list to identify your remote devices (smartphone, laptops etc.).

If your router is an arm64 device you may want to consider ZeroTier as an option instead of a third-party VPN provider.
No cost and full access in any direction. It's third-party in a way, but I would state it's a slightly safer third-party scenario.
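The input-chain accept rule recommended above only helps if it is evaluated before the stock "drop all not coming from LAN" rule; a rule simply appended to the end of the filter list lands after that drop in the input chain and is never reached, which leaves the LAN hosts reachable (forward chain) but the router itself not. As an added example that is not code from this thread or from MikroTik, the Python script below parses a `/ip firewall filter export`, walks the input chain in order, reports the first drop that would swallow a fresh packet from the tunnel, and prints the `place-before=` command that inserts the accept rule ahead of it. The interface name `wireguard1`, the address list `Admin` and the three constructed exports (modelled on the default firewall) are assumptions.

```python
"""Check a '/ip firewall filter export' for the WireGuard input-chain rule.

Added example for this thread; not code from the post or from MikroTik. The
exports below are constructed, modelled on the stock 'defconf' input chain, and
the interface name is an assumption.
"""
import shlex

WG = "wireguard1"  # assumed interface name

# Constructed: the stock input chain ends with "drop all not coming from LAN",
# and a WireGuard interface is not a member of the LAN interface list.
DEFAULT_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
"""
# Constructed: accept rule simply appended (lands AFTER the drop, never reached).
APPENDED_EXPORT = DEFAULT_EXPORT + f"add action=accept chain=input in-interface={WG} src-address-list=Admin\n"
# Constructed: accept rule placed ahead of the catch-all drop.
FIXED_EXPORT = DEFAULT_EXPORT.replace(
    "add action=drop chain=input comment=\"defconf: drop all",
    f"add action=accept chain=input in-interface={WG} src-address-list=Admin\n"
    "add action=drop chain=input comment=\"defconf: drop all", 1)


def parse_filter_export(text):
    """Each 'add ...' line becomes a dict of its key=value pairs, in export order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):   # shlex keeps quoted comments whole
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


SELECTORS = ("connection-state", "protocol", "src-address", "dst-address",
             "src-address-list", "dst-port")


def drop_reaches_wg(rule, wg):
    """Would this drop rule match a new packet arriving on the WireGuard interface?
    Conservative: any selector this checker does not evaluate counts as 'no match'."""
    if rule.get("action") != "drop" or any(k in rule for k in SELECTORS):
        return False
    if rule.get("in-interface", wg) != wg:
        return False
    ilist = rule.get("in-interface-list")
    # '!LAN' matches every interface not in LAN; assumption: the tunnel is not in LAN
    return ilist is None or ilist.startswith("!")


def wg_input_ok(rules, wg):
    """Walk the input chain in order. Returns (ok, index of the blocking drop or None).
    With no matching rule RouterOS accepts, so a chain without any drop is 'ok'."""
    for idx, rule in enumerate(rules):
        if rule.get("chain") != "input":
            continue
        if rule.get("action") == "accept" and rule.get("in-interface") == wg:
            return True, None
        if drop_reaches_wg(rule, wg):
            return False, idx
    return True, None


def fix_command(wg, drop_idx, admin_list=None):
    """Command that inserts the accept ahead of the blocking drop. Assumes export
    order equals the numbering shown by '/ip firewall filter print'."""
    cmd = f"/ip firewall filter add chain=input action=accept in-interface={wg}"
    if admin_list:
        cmd += f" src-address-list={admin_list}"
    return f"{cmd} place-before={drop_idx}"


if __name__ == "__main__":
    for name, export in (("default", DEFAULT_EXPORT), ("appended", APPENDED_EXPORT), ("fixed", FIXED_EXPORT)):
        ok, idx = wg_input_ok(parse_filter_export(export), WG)
        print(name, "ok" if ok else f"blocked by rule {idx}: {fix_command(WG, idx, 'Admin')}")
```

Run it against your own `/ip firewall filter export` output by replacing the constructed exports; the checker is deliberately conservative, so a drop it cannot evaluate (one with a protocol, state or address selector) is reported as not blocking and should still be read by eye.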