Mikrotik router should connect to Opnsense via WG.

Kampfwurst · October 27, 2024, 7:08pm

Hello everyone,

I have been working with Mikrotik routers for over 15 years and have the problem that I cannot connect the Opnsense to a Mikrotik.

The Mikrotik router has a SIM card and no fixed IP. I have set up WG on the Opnsense and it also works with the WG client on the PC and mobile phone. Has anyone managed to do this with an MK router as the counterpart?

Kind regards, Chris

kleshki · October 27, 2024, 7:14pm

MikroTik can be WG peer (as there’s no transparent server or client in WG terminology) to any other WG device.
Check if you have

Correct keys on both sides
Assigned IP address to WG interface
WG port allowed in input firewall chain

If you still couldn’t spot the issue, post your config with sensitive details omitted.

Kampfwurst · October 28, 2024, 10:09am

Hi this is the WG config what i get from the Opnsense

[Interface]
PrivateKey = uPHkMadAU6rz4GsMDlpFIE11HTKivlPYzyctuWHrZUA=
Address = 10.90.200.4/32
DNS = 10.99.99.254

[Peer]
PublicKey = j4o1UyX3hWvaLhVL2Co9TLO19tBQAVgPzKtqBLv2vkI=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 80.108.xxx.xxx:51820

Why does the client Config looks different to the settings?

Kind regard
Chris

erlinden · October 28, 2024, 10:27am

You should set the correct IP address information to the wireguard interface.
It should be 10.90.200.4/32 but is currently 192.168.177.2/24

Also, Allowed IP’s should be set to 0.0.0.0/0, ::/0, currently you only set ::/0.

Kampfwurst · October 28, 2024, 12:24pm

I have still the same problem.

The network behind the opnsense is the "10.99.99.0/254. so i have set a route.

kleshki · October 28, 2024, 1:09pm

In peer config, set persistent keepalive to something like 20s and check if it works. Your Opnsense seems to be configured as responder and doesn’t initiate connection on it’s own.

Kampfwurst · October 28, 2024, 2:03pm

thanks, the tunnel seems to be up. I think we are near the solution

The last problem is that i cant get the routing working

I gave the wireguard1 interface the IP: 10.55.55.254/24
and then i set the routing for the 10.99.99.0/24 over the 10.55.55.254

kleshki · October 28, 2024, 2:14pm

It’s not clear for me, you posted a config where interface should have 10.90.200.4/32. Now you tell us it’s 10.55.55.254/24.
For the route, you should set gateway IP to the address of the peer, so if Opnsense peer is 10.55.55.253 - this is your gateway. Also you can consider using smaller networks for ptp links.
You can also check ping of the other side of tunnel first, before setuping routing

anav · October 28, 2024, 3:19pm

Full config of MT
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

For opensense, the wireguard settings and any applicable firewall rules and routing rules ( with the same caveats as above. )