How to connect to a WireGuard server?

First, apologies if my explanation is not clear. I’m very new to networking and trying to learn by doing. These terms and concepts are still unfamiliar.

My scenario is as follows:

  1. I have a remote WireGuard server. I am able to successfully connect to this from individual devices (e.g., iPhone) and route internet traffic via the server.
  2. I have just purchased my first Mikrotik router. I have successfully set it up so that all devices in my Home are connected and can access the internet.
  3. I’m trying to configure WireGuard on the Mikrotik. I want to be able to switch on/off a connection between the Mikrotik and the WireGuard server, so that internet traffic from my Home is routed via WireGuard.

I’ve learned a lot from information on this site, especially
https://help.mikrotik.com/docs/display/ROS/WireGuard and
https://forum.mikrotik.com/viewtopic.php?t=182340

But I’m still finding myself confused by new terms and concepts. I keep misconfiguring the router, being unable to access its IP, and having to factory reset the configuration and start over.

Grateful if someone could take a look over my approach and let me know if I’m on the right track. Appreciate any pointers in the right direction.

# create Wireguard interface using keys provided by the Wireguard server
/interface/wireguard
add listen-port=13231 name=WGinterface private-key="client-private-key"

# add Wireguard peer using the endpoint address and port provided by the Wireguard server. Permit requests to any IP/ the internet by allowing 0.0.0.0/0
/interface/wireguard/peers
add allowed-address=0.0.0.0/0 endpoint-address=server.public.ip.address endpoint-port=51820 interface=WGinterface public-key="server-public-key"

# assign IP address to the Wireguard interface 
# Currently set to the interface address provided by the WG server, but I'm not sure whether this is correct. 
/ip address
add address=10.1.1.2/24 interface=WGinterface

# add a routing table to direct internet traffic via Wireguard server
/routing table 
add name=useWG fib

# add a rule to direct traffic to the routing table. If WG is down/inaccessible users can access the internet locally (i.e., action=lookup rather than action=lookup-only-in-table). 
# For testing purposes src-address = all devices on my local network. I will probably constrain this to one or two specific devices once things are working. 
# After reading the guides linked above I'm unsure whether a route for return traffic (replies) is also needed, or whether this is only necessary under specific circumstances (e.g., if there is a second WG tunnel connecting to remote/ offsite users). 
/routing rule 
add src-address=192.168.1.0/24 action=lookup table=useWG

# add a route to the useWG table to force all requests to the internet (i.e., 0.0.0.0/0) to use the WG interface
/ip route
add dst-address=0.0.0.0/0 gateway=WGinterface routing-table=useWG

# The Wireguard server provided an interface address of 10.1.1.2/24. As the server is expecting traffic from 10.1.1.2/24 I think I need to sourcenat, is this correct? Does this need to be assigned to the useWG table?
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WGinterface

I really appreciate any help to get this working. Or at least to identify what I am doing wrong that causes me to lose local IP access and have to factory reset the Mikrotik router. Please let me know if any additional information is needed.

You are lacking information about this remote wireguard server. Did it fall from the sky ??
Do you mean a third party VPN service such as mullvad?
Do you mean a virtual server you or a friend own in some server farm CHR, in the cloud?
Do you mean a friend with a mikrotik or pfsense or some other wireguard server in their home??

Thanks Anav

It is a VPN service provider. I only have the following information: client private key, server public key, endpoint IP and port, allowed connected IPs. I don’t have ability to configure the server.

Okay so they didn't provide you with any DNS info then??
So the private key is for you to enter in when configuring the wireguard interface on the router vice letting the mikrotik generate one.
This is so that the provider knows your public IP.

Need to see full config of router
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc. )

I highly recommend by the way that you configure one port OFF bridge, so that you can configure without getting bumped off so much.
https://forum.mikrotik.com/viewtopic.php?t=181718

Sorry, you are correct. I do have DNS info too.

My config is as follows. But I have not yet added any WireGuard config since the last reset. The config at that time is in my original post above.

Thanks for taking the time to help me with this!

# jun/13/2023 07:09:03 by RouterOS 7.9.2
# software id = 1DAE-CJNN
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HE309TRDA97
/interface bridge
add admin-mac=48:A9:8A:4A:CB:53 auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Indonesia .mode=ap .ssid=ThePromisedLAN disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Indonesia .mode=ap .ssid=ThePromisedLAN disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.ssid=503 disabled=no mac-address=4A:A9:8A:4A:CB:57 \
    master-interface=wifi1 name=wifi3
add configuration.ssid=503 disabled=no mac-address=4A:A9:8A:4A:CB:58 \
    master-interface=wifi2 name=wifi4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.48 client-id=1:dc:a6:32:cb:ff:cc comment=\
    "Home Controller" mac-address=DC:A6:32:CB:FF:CC server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
add address=192.168.1.1 comment=defconf name=router.home
add address=192.168.1.48 name=homebridge.home
add address=192.168.1.145 name=synology.home
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) Define wireguard interface. what you have above is fine.
/interface/wireguard
add listen-port=13231 name=WGinterface private-key="client-private-key"

(2) Define wireguard IP address as provided by the third party provider…
/ip address
add address=10.1.1.2/24 interface=WGinterface

(3) Define PEER SETTINGS as you have with one addition:
/interface/wireguard/peers
add allowed-address=0.0.0.0/0 endpoint-address=server.public.ip.address endpoint-port=51820 interface=WGinterface public-key="server-public-key" persistent-keep-alive=30s

(4) Allow LAN users to enter tunnel via forward chain firewall rules.
/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface=WGinterface

(5) Ensure a source nat rule exists for the tunnel
/ip firewall nat
add chain=srcnat action=masquerade out-interface=WGinterface

Now the tough part is what users do you want to go out internet.
The best bet to do this (no such flipping switch capability), one shouldn't have to enter the router to make things work as desired.
As noted below use different subnets for such purposes.
For example make a WIFI SSID or two, the ones people can log into if they want to go out Wireguard. etc..
So before we can make progress you need to better define requirements and user groups as per the below as well.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
As an aside not wireguard related, REMOVE bridge filters, not required. Tells me the design is not right for the requirements.
Don't use bridge filters, it's an advanced setting NOT for newbies or even intermediate users, as the normal firewall rules suffice for most traffic.

what are you trying to achieve with wifi3 and wifi4 ???
If you are looking to have three different subnets then create the subnets and use them appropriately and if more complex ( more than one subnet to go out an ether port ) then create vlans.

Thanks Anav, this is really useful. Appreciate your guidance.

For users, one IP address on the LAN should connect to the WireGuard server. Everything else should access the internet as normal/ directly. This would get everything working for now. I may explore the extra subnet approach in the future, if my needs change.

As to wifi3 and wifi4, these come from enabling “guest network” on the router’s Quick Set page. Same with the bridge filters, I have not configured these manually.

if you have guest networks, what are your expectations?
You only have one subnet so everyone is using that one subnet!

As far as the one IP goes, easy peasy.
Ensure it's a static IP DHCP lease.

Three items…
add table
/routing table add fib name=toWG

add route
add dst-address=0.0.0.0 gateway=WGinterface table=main

add routing rules
add src-address=SINGLE_LANIP action=lookup table=toWG

++++++++++++++++++++++
Two notes,
1 - if you never want the single IP to use the Local WAN in case the third party server is down, then change action to "lookup-only-in-table"
2 - If the IP address needs to reach local LAN members or Local LAN members need to reach the single IP then you will need additional routing rules before traffic coming from the single IP gets forced out Wireguard.

Thanks Anav, this should get things working. I will test later this week.

Grateful if you can help me improve my understanding.

Question 1

add route
add dst-address=0.0.0.0 gateway=WGinterface table=main

Am I correct this means that any request to the internet (i.e., 0.0.0.0/ any IP) should be routed to WGinterface? But why is this assigned to the main table, and not to the toWG table?

Question 2

As per your second scenario, let’s say this single IP does need to reach and to be reachable by other members of the LAN.

I assume in this case I would need a rule that directs all requests from LAN IPs to the single IP, and from the single IP to LAN IPs to use the main table. Something like:

add routing rules
add src-address=192.168.1.1/24 dst-address=single.ip action=lookup table=main
add src-address=single.ip dst-address=192.168.1.1/24 action=lookup table=main

Is this (conceptually at least) the right approach? I’m still trying to understand routing tables!

Guest networks

My idea here was to have a network that keeps guests isolated from e.g., NAS on the main network. However, I’m really still just experimenting with the capabilities of RouterOS, and have not yet tested this in any detail.

(1) You are correct, I had a brain fart. The correct format is:
dst-address=0.0.0.0/0 gateway=WGinterface routing-table=toWG

(2) Well not really, the ability for users from one subnet to another is predicated mostly by the firewall rules (forward chain). Let's say subnet B is for wireguard only and A is another subnet using local WAN. For subnet A users to reach subnet B, or if the intent is for Subnet B users to reach Subnet A. You need to ensure the forward chain rules allow the direction based on originator to recipient. The return traffic does not need a firewall rule.

Now let's consider the two cases for wireguard "interference" and assuming firewall rules exist… Let's find the common denominator!
(a) Subnet A users have to reach Subnet B single IP. ( traffic reaches single User B, but RETURN Traffic goes out wireguard ! )
(b) Subnet B single user needs to reach Subnet A. ( ORIGINATING traffic goes out wireguard ! )

In both cases the traffic from the single user B, be it originating or return traffic, according to the rules we made, go out the wireguard tunnel. Therefore the key here is, or at least the most efficient approach is to consider all traffic heading to subnet A.

Solution (and order is important):

/routing rule
add dst-address=subnetA action=lookup-only-in-table table=main
add src-address=SINGLE_LANIP action=lookup table=toWG

Thanks, this is starting to make a lot more sense!

I just want to make 100% sure that we are talking about the same scenario (I’m still getting to grips with some of the unfamiliar terminology).

In my scenario:

  • The single IP connects to the internet via Wireguard;
  • All other IPs on the network connect to the internet via local WAN;
  • But all IPs on the network (including the single IP) can communicate with each other directly as if they were on the same LAN.

Is this correct?

And final question. With the WireGuard config that we've specified above, if I wanted to have the toggle on/off capability, is it best to disable the firewall items or the routing rule? (I appreciate what you said before about not needing to enter the router settings to do this, but for testing and general admin it's useful to know how best to disable the WG route temporarily.)

(1) In your case you don't have different subnets and thus one should put.

/routing rule
add dst-address=192.168.1.0/24 action=lookup-only-in-table table=main
add src-address=192.168.1.X action=lookup table=toWG

(2) Regarding turning off and on… so many choices LOL.

a. disable wireguard interface, enable wireguard interface
( If the network is not available, then the routing rule action=lookup means the router will then go to the main table and find routing there and your single IP will go out through local WAN )
b. disable WG route
c. disable Routing Rule
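To make the routing-rule behaviour in this thread concrete (why the dst-address rule must come before the src-address rule, and what action=lookup versus lookup-only-in-table does when the tunnel is down), here is a small Python model of RouterOS-style rule evaluation. It is an added example, not RouterOS code or anything posted in the thread; the single LAN host 192.168.1.50, the interface name ether1-WAN and the fall-back-to-main behaviour of action=lookup are assumptions based on the explanation above.

```python
"""Model of RouterOS v7 routing-rule evaluation for the single-IP-via-WireGuard
setup discussed in this thread (added example; behaviour is as described above)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

UNREACHABLE = "unreachable"
SINGLE_LANIP = "192.168.1.50"   # constructed stand-in for 192.168.1.X


@dataclass
class Route:
    dst: str
    gateway: str          # outgoing interface or next hop
    active: bool = True   # a route via a disabled WireGuard interface is inactive


@dataclass
class Rule:
    action: str           # "lookup" or "lookup-only-in-table"
    table: str
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        def in_net(ip, net):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
        return in_net(src_ip, self.src) and in_net(dst_ip, self.dst)


def lookup(table, dst_ip: str) -> Optional[str]:
    """Longest-prefix match over the *active* routes of one table."""
    best = None
    for r in table:
        net = ipaddress.ip_network(r.dst, strict=False)
        if r.active and ipaddress.ip_address(dst_ip) in net:
            if best is None or net.prefixlen > ipaddress.ip_network(best.dst).prefixlen:
                best = r
    return best.gateway if best else None


def route_packet(rules, tables, src_ip: str, dst_ip: str) -> str:
    """First matching rule decides the table; the action decides what a miss means."""
    for rule in rules:
        if not rule.matches(src_ip, dst_ip):
            continue
        gw = lookup(tables[rule.table], dst_ip)
        if gw is not None:
            return gw
        if rule.action == "lookup-only-in-table":
            return UNREACHABLE          # tunnel down: packet is dropped, no WAN fallback
        break                           # action=lookup: miss falls through to main
    return lookup(tables["main"], dst_ip) or UNREACHABLE


def build(wg_up=True, only_in_table=False, correct_order=True):
    """Tables and rules mirroring the thread's final configuration."""
    tables = {
        "main": [Route("192.168.1.0/24", "bridge"), Route("0.0.0.0/0", "ether1-WAN")],
        "toWG": [Route("0.0.0.0/0", "WGinterface", active=wg_up)],
    }
    lan_rule = Rule("lookup-only-in-table", "main", dst="192.168.1.0/24")
    wg_rule = Rule("lookup-only-in-table" if only_in_table else "lookup", "toWG", src=SINGLE_LANIP)
    rules = [lan_rule, wg_rule] if correct_order else [wg_rule, lan_rule]
    return rules, tables


if __name__ == "__main__":
    for label, kw in [("tunnel up", {}), ("tunnel down", {"wg_up": False}),
                      ("tunnel down, lookup-only", {"wg_up": False, "only_in_table": True}),
                      ("rules in wrong order", {"correct_order": False})]:
        rules, tables = build(**kw)
        print(f"{label:26} single->internet: {route_packet(rules, tables, SINGLE_LANIP, '8.8.8.8'):12}"
              f" single->NAS: {route_packet(rules, tables, SINGLE_LANIP, '192.168.1.48')}")
```

With the rules in the wrong order, traffic from the single host to the NAS at 192.168.1.48 is sent into the tunnel instead of out the bridge, which is the "interference" case Anav describes.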

Hi Anav

Happy to report that my WireGuard interface is now working as expected.

I’m very, very grateful for all of your help with this, and for your excellent post at viewtopic.php?t=182340. It’s really helped me learn a lot.

Thank you!!

Is it not possible to use /32 here instead, since traffic is masqueraded anyway? I’ve always felt using the smallest possible subnet is better, more efficient and secure?

It's internal to the router, there is no risk. Habit?
I'm not much of a networking guru so I stick with what I know and what I know works. :)

Hi Anav,

I’m very new to VPN stuff and I have a similar case but with a bit different requirements.

I have a Wireguard VPN server running in Proxmox LXC at home (with TP-Link router). I’ve set it up with port fw and I confirmed that I am able to reach it from my phone. I also have an old RB951Ui-2HnD at a remote location without static IP and with no port fw options. (just for clarity - that remote Mikrotik router gets its internet connection from an ADSL router that I have limited control to).

What I wish to achieve is:

  1. for the remote Mikrotik router to remain permanently connected to the Wireguard VPN server
  2. to ideally not route the remote Mikrotik router traffic through the Wireguard VPN (not needed)
  3. any of the clients connected to the Wireguard VPN server should be able to reach any of the clients connected to the remote Mikrotik’s network.

Here’s my current config:

/interface bridge
add admin-mac=D4:CA:6D:C7:B8:1B auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether2-master
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=bulgaria disabled=no distance=indoors mode=ap-bridge ssid=\
    *hidden* station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=*hidden* \
    wpa2-pre-shared-key=*hidden*
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.8.2/8 interface=ether1 network=192.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.8.1
/system clock
set time-zone-name=Europe/***
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Any idea what amendments I should make to achieve it?

So to be clear what you need is for the remote mt client router to connect to the local home VPN server.
You want admin to be able to reach the MT remote router for config purposes and users on the home router to reach subnets on the remote client router.
There is no requirement for users on the remote client router to see subnets on the home router?

First ensure you are using an up to date firmware, much of the setup reeks of old default settings that are no longer used, better to start from scratch I think.
As for the setup read this for ideas… https://forum.mikrotik.com/viewtopic.php?t=182340

Thanks Anav,

All your assumptions are correct. The FW though looks to be the latest (no newer version in the Upgrade menu). 6.49.6, ar9344 for fw type. Thanks for the useful links - will go through them.

I believe wireguard is only available on vers7 and onwards…