MikroTik Wireguard server with Road Warrior clients

The wireguard interface on the router gets 192.168.66.1/24, and the clients get 66.2/24, 66.3/24, etc. This is done exactly as described in the official wireguard documentation, including all of the major tutorials. If you are unfamiliar with this setup, I am guessing you have not read the documentation, as this is the normal wireguard setup.

There are a few scenarios where this could be important. You can have a roadwarrior-type setup to connect a main office and two branch offices, in the case where the branch offices are behind CG-NAT and cannot do a site-to-site as a result. In this case, it may not be desirable to block all communications from one branch office to the next.

Even with individual devices, certain applications (such as Skype) will attempt to establish the most direct link between the devices possible rather than sending everything through a central server. For instance, if you start a Skype call with someone on the same LAN or different subnets on the same corporate network, that traffic will not travel over the Internet, it goes directly between the two endpoints. In this event, if you are blocking traffic between the endpoints, this traffic will get blocked. Depending on the design of the collaboration app, it may have a means to detect this and fail over to using a central server as proxy, or it may not. If it does not, your employees connecting to the VPN may be prevented from video chatting with each other with certain apps while on the VPN, while being able to video chat perfectly fine with anybody outside of the company.

There is another reason I can see for having IP addresses on the Wireguard interfaces themselves - easy troubleshooting. If Wireguard is not working and you don’t know why, having the IPs on both sides on that interface, and using those to do ping tests, allows you to eliminate certain kinds of routing issues and test the operation of the tunnel in a much more basic way.

I do the same ping troubleshooting without IP addresses :)
When the client pings, they are pinging from a subnet, so you can test what the PC behind the subnet being directed can ping, and then you can track it on the other end of the tunnel, on the server end, by IP address, for example; not difficult, or any traffic for that matter.
All the troubles I’ve had (cue some music) were stupid errors on my part that didn’t need pinging in the end; it was simply not understanding packet flow.

I know you do, but I am thinking more about what is easiest to understand for people who are not as technically proficient. If Wireguard does not seem to be working, it could be harder for them to trace down the issue if you do not have an address on both sides on the Wireguard interface. If you have an IP address on the Wireguard interface on both sides, and they can’t ping each other, you can be sure the issue is with Wireguard itself. If you set things up without any IP addresses and they can’t ping each other, the problem could either be in the Wireguard configuration or in the routing.

Guaranteed the problem is routing, LOL. It’s not that difficult to put in the wireguard settings, although the tricky part is putting in 0.0.0.0/0 at the client side, peer entry, for allowed IPs, and putting in the endpoint with the listening port appended at the client side, peer entry, if there is not a separate entry for the port.

The problem is likely routing, but people who are unfamiliar with wireguard may not be aware of the need to specify the allowed addresses. I think it is simpler for most to just have the IPs on both sides of the interface. You can do all sorts of weird/crazy things if you are experienced with wireguard, but those new to it are probably best off following the “standard” setups.

Hi Guys,

I am nowhere close to an expert, rather hobbyist.
I have WireGuard Server on RB4011 to which I can connect from my mobile.
I can even see my requests being routed from my mobile to other devices in my network using torch, like trying to load the Audience AP WebFig through the VPN.
So it is like: Mobile —WG over Internet—> RB4011 Router → Audience.
As said, on Audience I can see requests coming from mobile, however torch is only showing RX and nothing is being sent back at all which I am finding very weird and WG definitely works.

Now I am trying to avoid WG to have its own network, but instead added WG interface to my bridge and client is using IP from my main home network subnet.
I am using VLANs, but this doesn’t seem to be a problem, as packets are leaving RB4011 to Audience and reported by Torch on Audience, but Audience is not responding with any packets back.
How come? I am not running any fw on it and it is reachable from other ips in same subnet.

I am sure I am missing something stupid or not understanding some basics here, but I just can’t crack it and am wondering if I can get some help.

It works with dedicated subnet for WG, but I am still not sure why do I need dedicated subnet at all, knowing packets were actually reaching my Audience.

Wireguard is a layer 3 tunnel, not layer 2, so it will not work adding it as a bridge port like that.

MikroTik should not even allow adding layer-3-only interface types to a bridge, and they do not in the case of GRE, so the fact that they incorrectly include wireguard in this list is probably a bug.

mducharme covered the salient points.
Cannot help further without seeing both configs…
/export hide-sensitive file=anynameyouwish

I am using 7.1b6 and CCR1009-7G-1C-1S+ and I also cannot get wireguard VPN to work with road warriors.

I have verified that the public / private keys are definitely setup correctly as once I change it at either the road warrior or the Mikrotik router, I only have transmitted packets on the client. However, if they are setup correctly, I have transmit and receive.

I added the corresponding forward rules and wireguard rules at the top of my firewall list to ensure this isn’t an issue, and allowed forward in both directions to be sure.
I tried once adding an IP for the router in the corresponding wireguard subnet, this will automatically create the route, it didn’t work. I cannot access any device in one of my target subnets/allowed IPs.
Then I tried to remove the router IP for wireguard and add the route static, didn’t work either. I don’t have any forward traffic.

What I also noticed is that doing some changes to an active wireguard interface, especially deleting a peer or interface, results in the router partly freezing; sometimes a reboot works, sometimes even that freezes and I need to cut power to it to get it working again, which makes all these tests even more difficult.

I have done some further testing and it might be an issue with the used router/hardware, see my post in another thread: http://forum.mikrotik.com/t/wireguard-7-1beta6-cant-get-it-to-work-howto-setup/149424/19

I was able to get it working fine immediately with the same settings on a different Mikrotik router which is a RBwAPR-2nD vs my default router CCR1009-7G-1C-1S+

The RBwAPR-2nD is a MIPSBE type router and the CCR1009-7G-1C-1S+ is a TILE based one. So maybe it is related to the used base architecture, or maybe a more specialized router issue?

I experienced same issue , same wireguard setting x86 vs ccr1009.

CCR 1009 is not working at all with beta 6.
It’s only one way traffic

Is this strictly for iOS?

I tried replicating the settings. My android phone looks like it connects, but I have no WAN/LAN.

Also, I’m trying to understand the need for the different IPs in this set up.

I do not have an Android device, but this should work in the same way as iOS.

Wireguard is like a series of point to point tunnels, but the same IP can be used on the side of the wireguard system itself. So in this case there is a wireguard subnet 192.168.66.0/24 and you end up with the following point to point tunnels formed:

192.168.66.1 (the wireguard router itself) <-----------> wireguard client on 192.168.66.2
192.168.66.1 (the wireguard router itself) <-----------> wireguard client on 192.168.66.3
etc.

The traffic you send when connected to wireguard will come from your wireguard client IP, 192.168.66.x in my example. So you have to make sure that your firewall is allowing this traffic, that it is being NATted, etc. If your config is based on the mikrotik default configuration, one way you can do this is by adding the wireguard interface itself to your LAN interface list.
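The setup described in the posts above (one tunnel subnet, one peer entry per client, the tunnel interface treated like a LAN interface, and, on a MikroTik client, 0.0.0.0/0 or the hub's subnets as allowed-address together with the endpoint and its port), written out in RouterOS 7 CLI syntax as an added example. This is not mducharme's configuration or anything posted in the thread; the interface names, the comment strings, the 192.168.88.0/24 head-office LAN, the 10.20.0.0/24 branch LAN, the hostname vpn.example.com and the `<...-public-key>` placeholders are all assumptions, and the `place-before` lookup assumes the router still carries the default firewall with its "defconf: drop all not coming from LAN" input rule.

```routeros
# ---- Hub (head-office router). Added example; names, keys, hostname and
# ---- LAN prefixes are assumptions, not values from the thread.
/interface/wireguard
add name=wg0 listen-port=13231 mtu=1420
# the router's own tunnel address; adding it also creates the connected
# route for 192.168.66.0/24 via wg0 (WireGuard is layer 3: no bridge port)
/ip/address
add address=192.168.66.1/24 interface=wg0

/interface/wireguard/peers
# road-warrior phone or laptop: only its own /32 may arrive through this peer
add interface=wg0 comment="phone" public-key="<phone-public-key>" \
    allowed-address=192.168.66.2/32
# branch office behind CG-NAT: it dials in, so no endpoint here; its tunnel
# address and its LAN are allowed so the hub (and other clients) can reach it
add interface=wg0 comment="branch-a" public-key="<branch-a-public-key>" \
    allowed-address=192.168.66.3/32,10.20.0.0/24
/ip/route
add dst-address=10.20.0.0/24 gateway=wg0 comment="branch-a LAN via tunnel"

# let the default forward rules and WAN masquerade treat tunnel clients as LAN
/interface/list/member
add interface=wg0 list=LAN
# the only input-chain hole needed: the WireGuard UDP port from the WAN,
# placed above the default "drop all not coming from LAN" rule
/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="WireGuard from WAN" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# ---- Branch-office router (client side), same syntax.
/interface/wireguard
add name=wg-hq listen-port=13231 mtu=1420
/ip/address
add address=192.168.66.3/24 interface=wg-hq
/interface/wireguard/peers
# endpoint and port live on the client's peer entry; the keepalive keeps the
# CG-NAT mapping open so traffic from the hub side can reach the branch
add interface=wg-hq public-key="<hub-public-key>" \
    endpoint-address=vpn.example.com endpoint-port=13231 \
    persistent-keepalive=25s \
    allowed-address=192.168.66.0/24,192.168.88.0/24
/ip/route
add dst-address=192.168.88.0/24 gateway=wg-hq comment="head-office LAN"
```

The public keys come from `/interface/wireguard/print` on each router after the interface is created (the private key is generated automatically). Because every client's allowed-address on the hub includes its tunnel /32 and the branch's allowed-address includes the whole 192.168.66.0/24, a road warrior at 192.168.66.2 can reach the branch router at 192.168.66.3 through the hub, which is the branch-to-branch case raised earlier in the thread; to reach the branch LAN from another branch, that branch's allowed-address would also have to list 10.20.0.0/24. For a full-tunnel road warrior, the phone side uses 0.0.0.0/0 as its allowed IPs and the hub's existing masquerade towards the WAN does the rest.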

Thank you very much for the explanation. It actually helped me understand and fix the issue.

And now I have it working, it is actually very easy to set up.

So I finally got Wireguard on a Road Warrior (macOS Monterey) working. The problem was that the firewall rule was not in the proper position (see above). In addition, the “WebFig” UI I used to configure the firewall seems to be buggy in 7.1 (I tried beta6 and rc3). It only worked after deleting the rule and re-adding it via the terminal.

Thanks for your help @anav @mducharme.
Cheers
Simon

Is it possible to have ROS automatically kill WireGuard sessions when clients rejoin the LAN?

Your question is too vague, but if it can, it would be a script…

Hi there, thanks for the guide! Would like to ask for some assistance however, as am struggling to set this up over the weekend while following several guides.
I’ve managed to successfully establish a handshake between my android phone and the Tik, but there’s no internet access and the log shows a barrage of the following message when enabling wireguard on my phone:

Buffer: memory Topics: Firewall, info WG: input: in:pppoe-outFEED out:(unknown 0), src-mac (phone mac), proto UDP, (sensitive, phone public IP) -> (sensitive, Tik public IP), len 124

The “no-internet-access” issue resolves if I configure the android client Allowed Addresses to my LAN subnet instead of 0.0.0.0/0, but I’m still getting the log barrage and I’m not certain that the traffic is properly routed through my pihole.

My network setup is as follows: ISP<-> ISP modem (bridge mode) ↔ Mikrotik router (PPPoE) ↔ LAN (Pihole DNS server)

# sep/26/2021 10:46:55 by RouterOS 7.1rc4
# software id = W9WG-AU8M
#
# model = 960PGS
# serial number = (sensitive)
/interface bridge
add arp=proxy-arp comment="LAN Bridge" name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Primary   - Modem" speed=\
    100Mbps
set [ find default-name=ether2 ] advertise=1000M-half,1000M-full comment=\
    " - Minion" poe-out=off speed=100Mbps
set [ find default-name=ether3 ] comment=" - Unraid" poe-out=off speed=\
    100Mbps
set [ find default-name=ether4 ] comment=" - SHIELD" poe-out=off speed=\
    100Mbps
set [ find default-name=ether5 ] comment=" - Camera" poe-out=forced-on speed=\
    100Mbps
set [ find default-name=sfp1 ] advertise=1000M-half,1000M-full comment=\
    " - Switch"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether2 name=vlan4000-ether2 vlan-id=4000
add interface=ether3 name=vlan4000-ether3 vlan-id=4000
add interface=ether5 name=vlan4000-ether5 vlan-id=4000
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-outFEED \
    user=(sensitive)
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.3-192.168.88.254
add name=dhcp_pool2 ranges=10.10.102.2-10.10.102.254
add name=dhcp_pool3 ranges=10.10.105.2-10.10.105.254
add name=dhcp_pool4 ranges=10.10.113.2-10.10.113.254
add name=dhcp_pool5 ranges=10.10.117.2-10.10.117.254
add name=dhcp_pool6 ranges=10.10.119.2-10.10.119.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m10s name=dhcp1
/queue simple
add name=Minion_QOS packet-marks=Minion_Packets priority=1/1 target=ether2
/queue tree
add limit-at=5M max-limit=7M name="Jelly Out" packet-mark=jellyfinout parent=\
    global
/queue type
add kind=sfq name=sfq-default sfq-perturb=10
/queue simple
add max-limit=10M/100M name=sfq-default queue=sfq-default/sfq-default target=\
    192.168.88.0/24 total-queue=sfq-default
/queue tree
add limit-at=10M max-limit=10M name="Minion Out" packet-mark=Minionout \
    parent=global priority=1 queue=sfq-default
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add in-filter-chain=ospf-in name=default-v2 out-filter-chain=ospf-out
/routing ospf area
add instance=default-v2 name=backbone-v2
/routing table
add fib name=""
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
    test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp,!r\
    est-api"
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set rp-filter=strict
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=pppoe-outFEED list=WAN
/interface wireguard peers
add allowed-address=10.0.0.1/32 interface=wireguard1 persistent-keepalive=25s \
    public-key="(sensitive)"
/ip address
add address=192.168.88.1/24 comment="LAN Primary" interface=bridge network=\
    192.168.88.0
add address=192.168.42.1/24 comment="IoT vlan (eth1,2,5)" interface=\
    vlan4000-ether3 network=192.168.42.0
add address=192.168.42.1/24 interface=vlan4000-ether5 network=192.168.42.0
add address=192.168.42.1/24 interface=vlan4000-ether2 network=192.168.42.0
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
add address=192.168.1.2/24 comment="Modem Gateway" interface=ether1 network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=192.168.88.253 client-id=1:cc:2d:e0:aa:7:6e comment=WiFi \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.252 client-id=1:cc:2d:e0:aa:7:70 comment=WiFi \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.98 client-id=1:b8:27:eb:cd:dc:1d comment=PiHole \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.57 client-id=1:0:4:4b:bd:d:5d comment="Nvidia Shield" \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.88 client-id=1:b8:ac:6f:90:e0:f8 comment=Unraid \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.8 client-id=1:b4:2e:99:3b:14:e5 comment=Minion \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.125 comment=HomeAssistant mac-address=\
    (sensitive) server=dhcp1
add address=192.168.88.128 client-id=1:74:4d:28:75:6e:30 comment=Switch \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.38 client-id=1:94:53:30:3b:99:9c comment=LaserPrinter \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.10 client-id=1:52:54:0:52:63:75 comment=macOS \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.20 comment="3D Printer" mac-address=(sensitive) \
    server=dhcp1
add address=192.168.88.95 client-id=1:2c:44:fd:c1:2e:c8 comment=\
    "Color Printer" mac-address=(sensitive) server=dhcp1
add address=192.168.88.19 client-id=1:b8:ac:6f:90:e1:0 comment=R710 \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.4 client-id=1:ca:37:29:9:d8:a7 comment="Phone" \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.11 client-id=1:30:a9:de:c3:52:bc comment=TV \
    mac-address=(sensitive) server=dhcp1
add address=192.168.88.3 comment="Nintendo Switch" mac-address=\
    (sensitive) server=dhcp1
add address=192.168.88.9 client-id=1:8:ed:ed:5d:c6:8e comment=\
    "Dahua (camera)" mac-address=(sensitive) server=dhcp1
add address=192.168.88.22 client-id=1:52:54:0:3a:7b:82 mac-address=\
    (sensitive) server=dhcp1
add address=192.168.88.141 client-id=1:50:1e:2d:3f:50:ba comment=Anthem \
    mac-address=(sensitive) server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.98 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1m servers=192.168.88.98
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed-to-router
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=input comment="Accept WireGuard" dst-port=13231 \
    in-interface-list=WAN log=yes log-prefix=WG: protocol=udp
add action=accept chain=forward comment="Accept WireGuard" connection-state=\
    established,new disabled=yes dst-port=13231 in-interface=pppoe-outFEED \
    log=yes log-prefix=WG: protocol=udp
add action=accept chain=forward comment=\
    "Accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Accept LAN >>> WAN" disabled=yes \
    out-interface=ether1 src-address=192.168.88.0/24
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=input comment="Drop Blacklisted Hosts through Router" \
    in-interface=ether1 src-address-list=BlackList
add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" \
    in-interface=ether1 src-address-list=BlackList
add action=accept chain=input comment="Accept to Router" src-address-list=\
    allowed_to_router
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input comment="accept local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
/ip firewall mangle
add action=mark-packet chain=forward comment=jellyfin_rx_mark \
    new-packet-mark=jellyfinout passthrough=yes src-address=192.168.88.88
add action=mark-packet chain=forward comment=Minion_rx_mark new-packet-mark=\
    Minionout passthrough=yes src-address=192.168.88.8
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN - NAT (towards modem)" \
    out-interface=ether1
add action=masquerade chain=srcnat comment="LAN - NAT (towards web)" \
    out-interface=pppoe-outFEED
add action=dst-nat chain=dstnat comment=\
    "Pihole - run any upd traffic (except Pihole) through Pihole" \
    dst-address=!192.168.88.98 dst-port=53 protocol=udp src-address=\
    !192.168.88.98 to-addresses=192.168.88.98
add action=dst-nat chain=dstnat comment=\
    "Pihole - run any tcp traffic (except Pihole) through Pihole" \
    dst-address=192.168.88.98 dst-port=53 protocol=tcp src-address=\
    !192.168.88.98 to-addresses=192.168.88.98
add action=masquerade chain=srcnat comment=Pihole dst-address=192.168.88.98 \
    dst-port=53 protocol=udp src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment=Pihole dst-address=192.168.88.98 \
    dst-port=53 protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment=\
    "TCP inbound to port 443 >> 192.168.88.88:1444" dst-port=443 \
    in-interface=pppoe-outFEED protocol=tcp to-addresses=192.168.88.88 \
    to-ports=1444
add action=dst-nat chain=dstnat comment=\
    "UDP inbound to port 443 >> 192.168.88.88:1444" dst-port=443 \
    in-interface=pppoe-outFEED protocol=udp to-addresses=192.168.88.88 \
    to-ports=1444
add action=dst-nat chain=dstnat disabled=yes dst-port=13231 in-interface=\
    pppoe-outFEED protocol=udp src-port="" to-addresses=192.168.88.1 \
    to-ports=13231
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-outFEED \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes port=2121
set www disabled=yes port=8081
set ssh disabled=yes
set www-ssl disabled=no tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="hex PoE"
/system package update
set channel=development


Your wireguard interface is not in the Interface List called “LAN”. Please see the last paragraph of this reply: http://forum.mikrotik.com/t/mikrotik-wireguard-server-with-road-warrior-clients/148392/39
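Applying that reply to the export above, as an added example rather than anything posted in the thread: the interface-list line is the fix, and the rest are checks on things visible in that export. Two of those are worth calling out. The export gives the router 10.0.0.1/24 on wireguard1 and also lists 10.0.0.1/32 as the peer's allowed-address, while the two ends of a tunnel need distinct addresses, so the lines below assume the phone's tunnel address is 10.0.0.2 (an assumption). And the `WG:` log barrage comes from `log=yes` on the "Accept WireGuard" input rule, which logs every accepted tunnel packet from the phone, so it is expected output rather than an error. The Pi-hole address 192.168.88.98 is taken from the export; everything else is assumed.

```routeros
# Added example for the "hex PoE" export above; not the poster's own fix.
# 1. Treat tunnel clients like LAN hosts (the point of the reply above):
#    the forward rules, the WAN masquerade and the Pi-hole DNS dst-nat
#    then apply to 10.0.0.0/24 as they already do to 192.168.88.0/24.
/interface/list/member
add interface=wireguard1 list=LAN

# 2. Give the phone a /32 that is not the router's own 10.0.0.1
#    (assumption: the phone's tunnel address is 10.0.0.2).
/interface/wireguard/peers
set [find interface=wireguard1] allowed-address=10.0.0.2/32

# 3. Keep the accept rule, stop logging every accepted tunnel packet.
/ip/firewall/filter
set [find chain=input comment="Accept WireGuard"] log=no

# 4. Checks. last-handshake only updates after a successful key exchange;
#    rx and tx both moving means the data path works in both directions.
/interface/wireguard/peers/print detail
# the connected route created by the /24 on wireguard1 must be present
/ip/route/print where dst-address=10.0.0.0/24
# from the router, reach the phone through the tunnel ...
/ping 10.0.0.2 count=3
# ... then, while the phone resolves a name, confirm its DNS is redirected
/ip/firewall/nat/print stats where comment~"Pihole"
```

With 0.0.0.0/0 as the phone's allowed IPs, its Internet traffic arrives on wireguard1 and leaves via pppoe-outFEED, where the existing "LAN - NAT (towards web)" masquerade rule handles it. Setting the phone's tunnel DNS to 192.168.88.98 sends queries to Pi-hole directly; otherwise the existing UDP 53 dst-nat rule redirects them, and Pi-hole's replies reach 10.0.0.2 only if Pi-hole's default gateway is the router (an assumption), since the router is the one holding the route to 10.0.0.0/24.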