MikroTik Wireguard server with Road Warrior clients

Thanks for the prompt reply. I believe I’m missing something here:
I assigned the “wireguard1” interface to my LAN list as advised: by enabling wireguard on my phone while on LAN there’s some torch activity, however no activity is listed if I attempt to enable it via cellular (i.e. no obvious change following the LAN interface addition).
The following settings appear to produce some results:

/ip firewall filter add action=accept chain=input comment="Accept Wireguard" dst-port=13231 protocol=udp in-interface-list=WAN

results in the log barrage as indicated in my initial post, along with some torch activity,

/ip firewall filter add action=accept chain=input comment="Accept Wireguard" dst-port=13231 protocol=udp in-interface-list=LAN

results in no torch activity,

/ip firewall filter add action=accept chain=input comment="Accept Wireguard" dst-port=13231 protocol=udp out-interface-list=WAN
  • no activity,
/ip firewall filter add action=accept chain=input comment="Accept Wireguard" dst-port=13231 protocol=udp in-interface=wireguard1
  • no activity,
/ip firewall filter add action=accept chain=input comment="Accept Wireguard" dst-port=13231 protocol=udp out-interface=wireguard1
  • no activity.

Apologies for the cluelessness, I’m a newbie in RouterOS yet constantly trying to learn.

I see another issue:

/interface wireguard peers
add allowed-address=10.0.0.1/32 interface=wireguard1 persistent-keepalive=25s \
    public-key="(sensitive)"

10.0.0.1 is the IP of your router itself. You cannot assign the same IP to your client device (phone etc) that you have assigned to the router.

No luck with changing the allowed address to 10.0.0.8/32 on routeros and the android client.
I’m somewhat confused by the fact that the log firewall entry shows input-in as “pppoe-outFEED” whenever there’s activity/handshake instead of the assigned interface “wireguard1”, it appears that the traffic is routed through WAN (pppoe-outFEED) instead of the previously assigned LAN (wireguard1) interface. Not sure if related to the solution, guess it’s worth noting.
Edit: I inserted an accept-forward rule for the in-interface “wireguard1”; the log shows the above message along with WG: forward: in:wireguard1 out:bridge, proto UDP, 10.0.0.8:12117 (android peer)->192.168.88.98:53 (pihole).

The following configuration allows me to ping android peer ↔ LAN, while torch on the wireguard1 interface shows some packets towards 10.0.0.1 (router), 192.168.88.98 (pihole DNS), and some (I believe) external public IPs when opening youtube for example, however internet is still inaccessible.

# sep/27/2021 15:18:14 by RouterOS 7.1rc4
# software id = W9WG-AU8M
#
# model = 960PGS
# serial number = *
/interface bridge
add arp=proxy-arp comment="LAN Bridge" name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Primary   - Modem" speed=\
    100Mbps
set [ find default-name=ether2 ] advertise=1000M-half,1000M-full comment=\
    " - Minion" poe-out=off speed=100Mbps
set [ find default-name=ether3 ] comment=" - Unraid" poe-out=off speed=\
    100Mbps
set [ find default-name=ether4 ] comment=" - SHIELD" poe-out=off speed=\
    100Mbps
set [ find default-name=ether5 ] comment=" - Camera" poe-out=forced-on speed=\
    100Mbps
set [ find default-name=sfp1 ] advertise=1000M-half,1000M-full comment=\
    " - Switch"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether2 name=vlan4000-ether2 vlan-id=4000
add interface=ether3 name=vlan4000-ether3 vlan-id=4000
add interface=ether5 name=vlan4000-ether5 vlan-id=4000
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-outFEED \
    user= **
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.3-192.168.88.254
add name=dhcp_pool2 ranges=10.10.102.2-10.10.102.254
add name=dhcp_pool3 ranges=10.10.105.2-10.10.105.254
add name=dhcp_pool4 ranges=10.10.113.2-10.10.113.254
add name=dhcp_pool5 ranges=10.10.117.2-10.10.117.254
add name=dhcp_pool6 ranges=10.10.119.2-10.10.119.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m10s name=dhcp1
/queue simple
add name=Minion_QOS packet-marks=Minion_Packets priority=1/1 target=ether2
/queue tree
add limit-at=5M max-limit=7M name="Jelly Out" packet-mark=jellyfinout parent=\
    global
/queue type
add kind=sfq name=sfq-default sfq-perturb=10
/queue simple
add max-limit=10M/100M name=sfq-default queue=sfq-default/sfq-default target=\
    192.168.88.0/24 total-queue=sfq-default
/queue tree
add limit-at=10M max-limit=10M name="Minion Out" packet-mark=Minionout \
    parent=global priority=1 queue=sfq-default
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add in-filter-chain=ospf-in name=default-v2 out-filter-chain=ospf-out
/routing ospf area
add instance=default-v2 name=backbone-v2
/routing table
add fib name=""
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
    test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp,!r\
    est-api"
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set rp-filter=strict tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=pppoe-outFEED list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.0.0.8/32 interface=wireguard1 persistent-keepalive=25s \
    public-key="**"
/ip address
add address=192.168.88.1/24 comment="LAN Primary" interface=bridge network=\
    192.168.88.0
add address=192.168.42.1/24 comment="IoT vlan (eth1,2,5)" interface=\
    vlan4000-ether3 network=192.168.42.0
add address=192.168.42.1/24 interface=vlan4000-ether5 network=192.168.42.0
add address=192.168.42.1/24 interface=vlan4000-ether2 network=192.168.42.0
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
add address=192.168.1.2/24 comment="ISP Gateway" interface=ether1 network=\
    192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=192.168.88.253 client-id=1:cc:2d:e0:aa:7:6e comment=WiFi \
    mac-address=** server=dhcp1
add address=192.168.88.252 client-id=1:cc:2d:e0:aa:7:70 comment=WiFi \
    mac-address=** server=dhcp1
add address=192.168.88.98 client-id=1:b8:27:eb:cd:dc:1d comment=PiHole \
    mac-address=** server=dhcp1
add address=192.168.88.57 client-id=1:0:4:4b:bd:d:5d comment="Nvidia Shield" \
    mac-address=** server=dhcp1
add address=192.168.88.88 client-id=1:b8:ac:6f:90:e0:f8 comment=Unraid \
    mac-address=** server=dhcp1
add address=192.168.88.8 client-id=1:b4:2e:99:3b:14:e5 comment=Minion \
    mac-address=** server=dhcp1
add address=192.168.88.125 comment=HomeAssistant mac-address=\
    ** server=dhcp1
add address=192.168.88.128 client-id=1:74:4d:28:75:6e:30 comment=Switch \
    mac-address=** server=dhcp1
add address=192.168.88.38 client-id=1:94:53:30:3b:99:9c comment=LaserPrinter \
    mac-address=** server=dhcp1
add address=192.168.88.10 client-id=1:52:54:0:52:63:75 comment=macOS \
    mac-address=** server=dhcp1
add address=192.168.88.20 comment="3D Printer" mac-address=** \
    server=dhcp1
add address=192.168.88.95 client-id=1:2c:44:fd:c1:2e:c8 comment=\
    "Color Printer" mac-address=** server=dhcp1
add address=192.168.88.19 client-id=1:b8:ac:6f:90:e1:0 comment=R710 \
    mac-address=** server=dhcp1
add address=192.168.88.4 client-id=1:ca:37:29:9:d8:a7 comment="Thanos Phone" \
    mac-address=** server=dhcp1
add address=192.168.88.11 client-id=1:30:a9:de:c3:52:bc comment=TV \
    mac-address=** server=dhcp1
add address=192.168.88.3 comment="Nintendo Switch" mac-address=\
    ** server=dhcp1
add address=192.168.88.9 client-id=1:8:ed:ed:5d:c6:8e comment=\
    "Dahua (camera)" mac-address=** server=dhcp1
add address=192.168.88.22 client-id=1:52:54:0:3a:7b:82 mac-address=\
    ** server=dhcp1
add address=192.168.88.141 client-id=1:50:1e:2d:3f:50:ba comment=Anthem \
    mac-address=** server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.98 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=10m cache-size=10240KiB servers=\
    192.168.88.98
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed-to-router
add address=192.168.88.98 list=Pihole
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Accept WireGuard" dst-port=13231 \
    log=yes log-prefix=WG: protocol=udp
add action=accept chain=forward comment="Accept WireGuard" \
    in-interface=wireguard1 log=yes log-prefix=WG:
add action=accept chain=input comment="Allow traffic from LAN" in-interface=\
    bridge 
add action=add-src-to-address-list address-list=Artillery-blacklist \
    address-list-timeout=1d chain=input comment="Artillery Blacklist TCP" \
    connection-state=new dst-port=\
    1433,8080,21,5060,5061,5900,110,1723,1337,10000,5800,44443,16993,8291,23 \
    in-interface-list=WAN log=yes log-prefix="Artillery-blacklist TCP" \
    protocol=tcp src-address-list=!whitelist tcp-flags=""
add action=add-src-to-address-list address-list=Artillery-blacklist \
    address-list-timeout=1d chain=input comment="Artillery Blacklist UPD" \
    dst-port=123,5060,5061,3478,8291,23,25,53 in-interface-list=WAN log=yes \
    log-prefix="Artillery-blacklist UDP" protocol=udp src-address-list=\
    !whitelist
add action=drop chain=input comment="Drop Artillery Blacklist input" \
    in-interface-list=WAN src-address-list=Artillery-blacklist
add action=drop chain=forward comment="Drop Artillery Blacklist Forward" \
    in-interface-list=WAN src-address-list=Artillery-blacklist
add action=accept chain=forward comment="Accept LAN >>> WAN" disabled=yes \
    out-interface=ether1 src-address=192.168.88.0/24
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Accept to Router" in-interface=bridge
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input comment="accept local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=input
add action=drop chain=input comment="Drop Blacklisted Hosts through Router" \
    in-interface-list=WAN src-address-list=Artillery-blacklist
add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" \
    in-interface-list=WAN src-address-list=Artillery-blacklist
add action=jump chain=forward comment="SYN Flood protect FORWARD" \
    connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=jump chain=input comment="SYN Flood protect INPUT" \
    connection-state=new jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=syn-attack connection-state=new limit=400,5:packet \
    protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new protocol=tcp tcp-flags=\
    syn
add action=drop chain=input protocol=tcp tcp-flags=syn
/ip firewall mangle
add action=mark-packet chain=forward comment=jellyfin_rx_mark \
    new-packet-mark=jellyfinout passthrough=yes src-address=192.168.88.88
add action=mark-packet chain=forward comment=Minion_rx_mark new-packet-mark=\
    Minionout passthrough=yes src-address=192.168.88.8
/ip firewall nat
add action=masquerade chain=srcnat comment="LAN - NAT (towards modem)" \
    out-interface=ether1
add action=masquerade chain=srcnat comment="LAN - NAT (towards web)" \
    out-interface=pppoe-outFEED
add action=dst-nat chain=dstnat comment=\
    "Pihole - run any udp traffic (except Pihole) through Pihole" \
    dst-address=!192.168.88.98 dst-port=53 in-interface=bridge protocol=udp \
    src-address=!192.168.88.98 to-addresses=!192.168.88.98
add action=dst-nat chain=dstnat comment=\
    "Pihole - run any tcp traffic (except Pihole) through Pihole" \
    dst-address=!192.168.88.98 dst-port=53 in-interface=bridge protocol=tcp \
    src-address=!192.168.88.98 to-addresses=!192.168.88.98
add action=masquerade chain=srcnat comment=Pihole disabled=yes dst-address=\
    192.168.88.98 dst-port=53 protocol=udp src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment=Pihole disabled=yes dst-address=\
    192.168.88.98 dst-port=53 protocol=tcp src-address=192.168.88.0/24
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-outFEED protocol=tcp to-addresses=\
    192.168.88.88 to-ports=1444
add action=dst-nat chain=dstnat dst-port=443 in-interface=pppoe-outFEED protocol=udp to-addresses=\
    192.168.88.88 to-ports=1444
add action=dst-nat chain=dstnat 
/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN src-address-list=\
    Artillery-blacklist
add action=drop chain=prerouting comment=\
    "Blocks dns request udp/53 traffic from outside" dst-port=53 \
    in-interface-list=WAN protocol=udp
/ip route
add comment="192.168.1.254   ....modem router  ISP" disabled=yes \
    distance=5 dst-address=0.0.0.0/0 gateway=192.168.1.254 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-outFEED \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes port=2121
set www disabled=yes port=8081
set ssh disabled=yes
set www-ssl disabled=no tls-version=only-1.2
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="hex PoE"
/system package update
set channel=development

It looks like you have changed some rules from the defaults. Some of the default rules are configured to use the interface lists LAN and WAN instead of hardcoding a single interface. You have changed all of your firewall rules to use hardcoded “ether1” instead of interface list WAN and hardcoded “bridge” instead of LAN. This hardcoded setup only works as long as you only have a single LAN port and a single WAN port. In your case, you now have two LAN ports, bridge and wireguard1, so you should rethink this configuration.

Not sure I’m following here. I swapped any rules with in/out-interface=ether1 to in/out-interface-list=WAN and any of those with in/out-interface=bridge to in/out-interface-list=LAN. No firewall rule appears to be “hardcoded” at the moment, and I attempted to disable the interface wireguard1 from the LAN list for troubleshooting purposes. End result was the same as previous post.
Thanks for your patience.

I strongly suspect the problem is in your firewall rules. Some of your rules don’t make any sense. At one point you have a drop all rule on the input chain, then after that you have more input chain rules that will never be matched because everything will hit that drop all rule instead.

Make a terminal window that is big enough and run:

/system default-configuration script print

That will print the default configuration including the default firewall. Take the default ip firewall and ip firewall nat rules and copy and paste them into your router, then disable or delete the rules that you have in filter, NAT, mangle, and raw tabs. Then add an input chain rule to allow udp to 13231 to that. The MikroTik default firewall should just plain work, with the addition of the UDP 13231 rule and adding the wireguard1 interface to the LAN interface list.
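The point about rule order in the reply above can be checked mechanically. The block below is an added example, not code from the thread or from MikroTik: a minimal first-match simulation of a RouterOS filter chain. The rule sets and the packet are constructed to mirror the situation described in the thread (a catch-all drop on the input chain placed before the UDP 13231 accept); the class and function names are my own.

```python
"""Added example: first-match evaluation of a RouterOS-style filter chain.

RouterOS walks the rules of a chain top to bottom and applies the first rule
that matches; when nothing matches the packet is accepted.  A catch-all
'drop' therefore shadows every rule placed after it on that chain.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    chain: str            # "input" (to the router) or "forward" (through it)
    protocol: str         # "udp", "tcp", "icmp"
    dst_port: int
    in_list: str          # interface list the packet arrived on: "WAN"/"LAN"
    established: bool = False


@dataclass
class Rule:
    chain: str
    action: str           # "accept" or "drop"
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_interface_list: Optional[str] = None
    established_only: bool = False

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is set must agree; unset matchers match anything.
        if self.chain != pkt.chain:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.in_interface_list is not None and self.in_interface_list != pkt.in_list:
            return False
        if self.established_only and not pkt.established:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule, or an implicit accept."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "(no rule matched: chain default)"


# Constructed rule sets.  BROKEN reproduces the ordering problem from the
# thread: the WireGuard accept sits below an unconditional input drop.
ESTABLISHED = Rule("input", "accept", "Accept established", established_only=True)
DROP_ALL = Rule("input", "drop", "drop all input")
WIREGUARD = Rule("input", "accept", "Accept WireGuard", protocol="udp", dst_port=13231)
LAN_TO_ROUTER = Rule("input", "accept", "Allow traffic from LAN", in_interface_list="LAN")

BROKEN = [ESTABLISHED, LAN_TO_ROUTER, DROP_ALL, WIREGUARD]
FIXED = [ESTABLISHED, LAN_TO_ROUTER, WIREGUARD, DROP_ALL]

# A WireGuard handshake arriving from the internet: new UDP flow to 13231 on WAN.
HANDSHAKE = Packet(chain="input", protocol="udp", dst_port=13231, in_list="WAN")


if __name__ == "__main__":
    for name, ruleset in (("broken", BROKEN), ("fixed", FIXED)):
        action, comment = evaluate(ruleset, HANDSHAKE)
        print(f"{name:6s}: {action:6s} <- {comment}")
```

Running it shows the handshake hitting "drop all input" with the BROKEN order and "Accept WireGuard" once the accept is moved above the catch-all; the same walk explains why MikroTik's default firewall puts its final drop rules last.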

This should be a thread in either Ros7 beta or beginner or general.
Not troubleshooting your config. Specific questions about the wireguard implementation that may need explaining are fine but otherwise just clogs up a good reference document into a mess.

Hello Folks,

Since this is my first post on this forum, before asking about things, I’d like to say HI to you.

I am lacking some knowledge and I’d like to ask you for help in understanding my case. I prepared a small schematic (sorry about performance) of the structure of my network. That’s first.

I am trying to get Wireguard working on my mt, but no luck. I tried all suggestions here and on yt posted but no luck.

Back in the days, when I managed old router (before mt) I just had to port forward, to my server with wireguard and all was fine. I suspect now is probably the same case.

Can you please give me some hints guys?

BR

Not here, start a new thread and I will have a look, this thread is for a reference document not individual issues.

Thank you so much!. I wanted to access my home network clients from outside.

Sticking points for me, were:

  1. Stupidly forgetting to assign an ip address to wireguard interface in IP>Addresses
  2. Add the route like you said, destination was the subnet of the wireguard ip, gateway was the wireguard interface name, not ip. (ie. put ‘wireguard1’ or whatever your wireguard interfaces name is in the gateway section
  3. Allowing traffic to be forwarded from the wireguard interface to the local lan bridge and allowing traffic to flow from the wireguard interface to my internet connection interface

See my simplified double-NAT iOS configuration article, based on mducharme’s configuration.

I like the clean approach you had in the top of the post, easy to read/understand.

You may have not noticed my post and diagram at #6 that already cover your scenario. Both my wireguard routers ( the server [rb450Gx4] behind the ccr1009, and the client [RB4011] behind the ISPs modem router ). The main difference is that I do not use IP addresses for my wireguard, I only use the interface itself and a mix of rules.
The outcome is that I have to make an additional route etc… both work equally well.

I saw it, but I couldn’t map the diagram to running RouterOS commands. Thus my triumphant post at having worked out the solution from the top post and other relevant examples and docs.

I’ve got a strange problem. I’m trying to do a client/server model with wireguard. In the “server” router, I have the peers added like this

/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=awesomeguard public-key=PUBLIC_KEY_OF_CLIENT_1

This works perfectly if there is only one client. As soon as I add another peer, the whole thing goes down. Handshake fails for both clients. The thing to note here is my clients don’t have static IPs and they are behind NATs in their ISPs. So I can’t set endpoint address in peers. I thought the different public-keys of different clients would be enough to connect multiple clients. But it doesn’t seem so. All devices are running RouterOS 7.1.1. Is this a bug in RouterOS’s wireguard implementation? Or am I doing something wrong? All devices have empty IP firewall rules. So it’s not the firewall messing with anything either.

Any idea guys?

This is wrong - if you look at the server configuration above in the very top post, you see that the peers under /interface wireguard peers each have an allowed address that is their wireguard IP address /32. Allowed-address=0.0.0.0/0 will not work on the server if it has multiple clients.

Those two routes are unnecessary as the wireguard server device already has an IP on that /24 subnet and so a connected route will automatically exist for the entire /24 that will cover those two /32’s.

Thank you very much. This was my problem. I changed allowed address to 10.x.x.2/32, 10.x.x.3/32 etc… in adding peers and now all clients can connect and it’s all working nicely :slight_smile:
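The two allowed-address mistakes corrected in this thread (a peer given the router's own address, and several peers given 0.0.0.0/0) are easy to catch before pasting a peer table into the router. The block below is an added example, not code from the thread or from MikroTik: a small checker over a constructed peer list, using the tunnel addressing from the configuration above (router 10.0.0.1/24, phone 10.0.0.8/32). Function and field names are my own.

```python
"""Added example: sanity checks for a WireGuard server's peer table on RouterOS.

On a server with several road-warrior clients each peer's allowed-address
must be that client's tunnel address as a single host (/32), inside the
tunnel subnet, unique, and not the router's own interface address.
"""
import ipaddress
from typing import Dict, List

# Constructed sample data (not from the thread's router).
ROUTER_WG_ADDRESS = "10.0.0.1/24"          # /ip address on interface wireguard1
PEERS_OK = [
    {"name": "phone",  "allowed_address": "10.0.0.8/32"},
    {"name": "laptop", "allowed_address": "10.0.0.9/32"},
]
PEERS_BAD = [
    {"name": "phone",  "allowed_address": "10.0.0.1/32"},   # router's own IP
    {"name": "laptop", "allowed_address": "0.0.0.0/0"},     # catch-all on a multi-peer server
    {"name": "tablet", "allowed_address": "10.0.0.8/32"},
    {"name": "tv",     "allowed_address": "10.0.0.8/32"},   # duplicate of tablet
    {"name": "nas",    "allowed_address": "10.9.9.5/32"},   # outside the tunnel subnet
]


def check_peers(interface_address: str, peers: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the table is sane."""
    iface = ipaddress.ip_interface(interface_address)
    problems: List[str] = []
    seen: Dict[ipaddress.IPv4Network, str] = {}
    multi_peer = len(peers) > 1

    for peer in peers:
        name = peer["name"]
        net = ipaddress.ip_network(peer["allowed_address"], strict=False)
        single_host = net.prefixlen == net.max_prefixlen

        if multi_peer and not single_host:
            # 0.0.0.0/0 (or any broad prefix) on more than one peer breaks the
            # server's routing of replies, as described in the thread.
            problems.append(f"{name}: allowed-address {net} is not a /32; with several peers each needs a single host address")
            continue
        if single_host and net.network_address == iface.ip:
            problems.append(f"{name}: allowed-address {net} is the router's own WireGuard address")
        elif single_host and net.network_address not in iface.network:
            problems.append(f"{name}: allowed-address {net} lies outside the tunnel subnet {iface.network}")
        if net in seen:
            problems.append(f"{name}: allowed-address {net} duplicates peer {seen[net]}")
        else:
            seen[net] = name
    return problems


if __name__ == "__main__":
    for label, table in (("ok", PEERS_OK), ("bad", PEERS_BAD)):
        print(f"--- {label}")
        for line in check_peers(ROUTER_WG_ADDRESS, table) or ["no problems"]:
            print(line)
```

A single peer with allowed-address=0.0.0.0/0 passes, matching the observation in the thread that the catch-all works until a second peer is added.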

Is it just me or is it impossible to also add a “pre-shared” key? (as an extra layer of post-quantum protection :wink:)
Whatever I place in that field, I’m always getting “invalid preshared key (6)”
Winbox, CLI , does not matter.
I’ve tried disabling my peer before adapting the value, no luck.

Has anyone ever tried it?
Running 7.2rc1

You probably need to go to a Linux box and run: wg genpsk

And use that key. Most likely it does not accept any string as a preshared key.

It needs to be exactly thirty-two base-64 encoded octets. Another alternative to using the wg command line tool, therefore, is something like this:


$ dd if=/dev/random bs=32 count=1 | base64 | pbcopy

You might not have a “base64” filter installed, but if not, they’re pretty much available on all platforms.

The final part of that command is macOS-specific. Other platforms have tools for taking piped-in data and sending it to the clipboard so that you can paste it into a command like:


$ /interface/wireguard/peers/set 0 preshared-key="aNSNRaM8ASUncjCCNlrpr0SAaqRlqyuO4LnZLZ4fWCk="

BUT as of 7.1.1, this parameter appears to be completely ignored! As long as you either pass nothing or pass a correctly-formatted value, the clients will connect, regardless of the value on the client side. Sigh.
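The format rule stated above (exactly thirty-two octets, base64-encoded, which is what wg genpsk and the dd | base64 pipeline produce) can be checked on any machine before the key is pasted into the peer. The block below is an added example, not code from the thread or from MikroTik; it assumes RouterOS rejects anything that does not decode to 32 bytes, which is consistent with the “invalid preshared key” error described, but the exact check the router performs is not documented on this page. The key string reused in the test is the one shown in the post above.

```python
"""Added example: generate and validate a WireGuard preshared key.

A PSK is 32 random bytes; the text form is their standard base64 encoding
(44 characters ending in '='), the same shape as a WireGuard public key.
"""
import base64
import binascii
import os

PSK_BYTES = 32


def validate_psk(value: str) -> bool:
    """True only if value is standard base64 for exactly 32 octets.

    validate=True rejects characters outside the base64 alphabet, so an
    arbitrary passphrase ("hunter2") fails before the length check.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == PSK_BYTES


def generate_psk() -> str:
    """Equivalent of `wg genpsk`: 32 bytes from the OS CSPRNG, base64-encoded."""
    return base64.b64encode(os.urandom(PSK_BYTES)).decode("ascii")


def peer_set_command(peer_index: int, psk: str) -> str:
    """Build the RouterOS command from the post above, refusing a malformed key."""
    if not validate_psk(psk):
        raise ValueError("preshared key must be 32 base64-encoded octets")
    return f'/interface/wireguard/peers/set {peer_index} preshared-key="{psk}"'


if __name__ == "__main__":
    key = generate_psk()
    print(peer_set_command(0, key))
    for candidate in ("hunter2", "aGVsbG8gd29ybGQ=", key):
        print(f"{candidate!r:50} valid={validate_psk(candidate)}")
```

Note that the same key must be configured on both peers: the check only confirms the format, and (as the post above reports for 7.1.1) a format-valid key being accepted by the router does not by itself prove that the PSK is actually being used in the handshake.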