❓ How to set up a WireGuard VPN between Ubuntu and Mikrotik

Hi guys
*Sorry if this is not a Mikrotik-only problem, but this is a post after a week with nothing done :frowning:

I am trying to run an Ubuntu server as a WireGuard VPN server and get access to this VPN server from my local network on a Mikrotik router.

The WireGuard IP range is 10.9.0.0/24,
and the local network on my Mikrotik is 10.8.0.0/24.

I want the local network to have a gateway via WireGuard only and to use the Ubuntu server's internet.

But: I try to configure this, and the more I try, the less it happens.

What I have done: the WireGuard tunnel is connected and both sides can ping each other.
The Ubuntu server can ping my local network IPs like 10.8.0.10 (a device in the Mikrotik network).
But when I try to traceroute to the internet, the last hop that can be seen from the Mikrotik local network is 10.8.0.1, and nothing is reached after this.

#--------------------------

Ubuntu configs:

root@ubuntu ~ # ip addr
2: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 90:1b:0e:ab:a6:d9 brd ff:ff:ff:ff:ff:ff
    inet 99.99.99.99/32 scope global enp0s31f6
19: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.9.0.1/24 scope global wg0

iptables:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

WireGuard config on Ubuntu:

[Interface]
Address = 10.9.0.1/24
SaveConfig = true
ListenPort = 9000
PrivateKey = xxxxxxxxxxxxxxxxxxxxx

[Peer]
PublicKey = yyyyyyyyyyyyyyyyyyyy
PresharedKey = zzzzzzzzzzzzzzzzzz
AllowedIPs = 10.9.0.0/24, 10.8.0.0/24
Endpoint = 88.88.88.88:9000 # My Mikrotik Public IP
PersistentKeepalive = 25

#--------------------------

Mikrotik configs:

/interface wireguard
add listen-port=9000 mtu=1420 name=wireguard

/interface wireguard peers
add allowed-address=10.9.0.0/24,10.8.0.0/24 endpoint-address=99.99.99.99 \
    endpoint-port=9000 interface=wireguard persistent-keepalive=25s \
    public-key="ffffffffffffffffffffff"
	
/ip address
add address=10.9.0.2/24 interface=wireguard network=10.9.0.0
add address=10.8.0.1/24 interface=ether2 network=10.8.0.0

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
	
/routing rule
add action=lookup disabled=no src-address=10.8.0.0/24 table=wg

Your definition of allowed-addresses is wrong. The device having the default route set to the wireguard interface needs allowed-addresses set to 0.0.0.0/0.
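Added illustration, not part of the thread: a small Python model of WireGuard's cryptokey routing, where the longest AllowedIPs match decides which peer receives an outbound packet (no match means the packet is dropped) and a decrypted packet is accepted only if its source lies in the sending peer's AllowedIPs. It uses the thread's addresses plus 203.0.113.5 as a constructed internet destination, and shows why the original Mikrotik peer entry loses internet-bound traffic right after 10.8.0.1 while 0.0.0.0/0 forwards it.

```python
from ipaddress import ip_address, ip_network

# peers: {peer_name: [AllowedIPs entries]}


def select_peer(peers, dst):
    """Outbound: peer whose AllowedIPs entry is the longest match for dst.
    None means WireGuard has no peer for this destination and drops it."""
    dst = ip_address(dst)
    best_name, best_len = None, -1
    for name, allowed in peers.items():
        for entry in allowed:
            net = ip_network(entry, strict=False)
            if dst in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def accept_inbound(peers, peer, src):
    """Inbound: a packet decrypted from `peer` is kept only if its source
    address is inside that peer's AllowedIPs; otherwise it is discarded."""
    src = ip_address(src)
    return any(src in ip_network(e, strict=False) for e in peers[peer])


def lan_traceroute(mikrotik_peers, dst):
    """Hops a 10.8.0.0/24 host sees: the Mikrotik LAN gateway first, then
    either the Ubuntu wg0 address or a timeout when no peer matches."""
    hops = ["10.8.0.1"]
    if select_peer(mikrotik_peers, dst) is None:
        return hops + ["* (dropped on Mikrotik: no AllowedIPs match)"]
    return hops + ["10.9.0.1"]


# Constructed from the thread's configuration (the Mikrotik has one peer,
# the Ubuntu server; the Ubuntu server has one peer, the Mikrotik).
MIKROTIK_ORIGINAL = {"ubuntu": ["10.9.0.0/24", "10.8.0.0/24"]}
MIKROTIK_FIXED = {"ubuntu": ["0.0.0.0/0"]}
UBUNTU_SERVER = {"mikrotik": ["10.9.0.0/24", "10.8.0.0/24"]}
INTERNET_DST = "203.0.113.5"  # constructed, documentation range

if __name__ == "__main__":
    print(lan_traceroute(MIKROTIK_ORIGINAL, INTERNET_DST))
    print(lan_traceroute(MIKROTIK_FIXED, INTERNET_DST))
    # The server side must still list 10.8.0.0/24 so LAN-sourced packets
    # arriving through the tunnel are accepted rather than discarded.
    print(accept_inbound(UBUNTU_SERVER, "mikrotik", "10.8.0.10"))
```

The same selection rule explains the second question in the thread: with 0.0.0.0/0 on a host, every destination not covered by a more specific route matches the tunnel peer, so only policy routing keeps reply traffic off the tunnel.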

Thank you @eworm, the problem has been solved on the Mikrotik (I need to check on the network too, which I don't have access to right now).

I have another question, if it is possible to answer this too:
I have another Ubuntu that I want to use the same way as this Mikrotik device. That Ubuntu is accessed by remote SSH, and if I set the

allowed-addresses to 0.0.0.0/0

will I lose my SSH connection?
(I'm talking about the second Ubuntu and not the Ubuntu WireGuard server.)

I guess the SSH packets reach the Ubuntu box, but that sends the replies via WireGuard. So the replies do not reach the remote box.

Just find a way with correct routing… Via wireguard, or add a specific route, or policy routing, or whatever. Hard to tell without more details on your remote.

But this is a Mikrotik forum and we should stop here. I hope you have an idea how to fix this now.

Thank you @eworm