Newbie: Wireguard

For a long time I’ve used a Debian machine behind my Mikrotik router to host an L2TP VPN with good success. I have an Arch laptop that I set up as a client to the server, so when I’m away from home I can connect the L2TP client and access all the machines on my home network. I have been wanting to set up a VPN server on the Mikrotik device itself to simplify things and cut out the Debian machine middle man. Now with RouterOS 7, and all the good things I hear about Wireguard, it seems that time has come.

Really, I am very green behind the ears when it comes to networking, but I have learned some from owning a Mikrotik router (things like NAT hairpin that you take for granted on a consumer type router). I’ve read a handful of tutorials on setting up Wireguard in RouterOS, and played around quite a bit but can’t seem to get it working. Most of the tutorials are about connecting two Mikrotik devices in remote locations to each other in a sort of permanent tunnel. That’s not what I am trying to do. What I am trying to do is set up a Wireguard server on my router, and then allow my Arch laptop and my iPhone to connect to that server and access my home network from wherever my laptop or phone may be.

What I have done is create a Wireguard (server?) via the RouterOS GUI under WireGuard → WireGuard tab. This also created a wireguard interface for me (no address). I then created a peer under WireGuard → Peers. I then more-or-less followed this tutorial to create a configuration for my phone: https://wireguard.how/client/ios/ I used the public key for the server on the Mikrotik router, and used the private and public keys from the “Peer” I also made on the router. I can import that configuration into my phone, and it says that the Wireguard VPN connection is connected, but I can’t get any traffic through to the machines on the home network. In RouterOS if I go to WireGuard → Peers → {the peer I made} it says “Last Handshake: 00:00:00”. I also tried setting up an address for the wireguard interface but haven’t had any more luck getting any traffic through (I have little idea what I am doing here…). My home network uses IPs in the space of 10.0.1.1, 10.0.1.2, 10.0.1.3, etc.

What are the major steps involved in doing what I want to do? E.g.

  1. create a WG interface
  2. create a WG server (WireGuard → WireGuard tab)
  3. create a peer (WireGuard → Peers tab)
  4. (create an address for the interface?)
  5. (configure the routing of WG connections into the local network 10.0.1.1, 10.0.1.2, 10.0.1.3…?)
  6. configure the client device (laptop or phone) as a peer connecting to the server

Any help appreciated and thanks for the patience. :slight_smile:

Some thoughts.

Check your wireguard interface, and grab the Listen Port value.

You need an Input Rule for this UDP port to accept inbound wireguard traffic.
Probably right after the accept ICMP rule (assuming your config is based on or similar to the default config).
You can then try a connection test from your phone, your rules counter should increment, even if nothing gets counted in wireguard.

The peer section on the Mikrotik should have the public key from the phone Interface, the Endpoint and Endpoint port should both be blank.
The peer section on the Phone should have the public key of the Mikrotik Wireguard interface, and the Mikrotik’s IP Address (DNS Name) and Listen Port.

Routing, addresses etc.: there are lots of ways to do this. The following is fairly simple, gives you an endpoint to ping,
and you don’t need to manually add routes into the Mikrotik.

My thought
On Phone
Give interface IP Address of 10.0.2.8/24 ** assumes you are not using .2.x elsewhere in your network **
Peer setting, set its allowed Address to be 10.0.2.0/24, and 10.0.1.0/24
(Could also set it to 10.0.2.1/32 and 10.0.1.0/24, but 10.0.2.0/24 might be good if Mikrotik becomes hub for other WG clients)

On Mikrotik
Give the wireguard interface an IP Address of 10.0.2.1/24
Peer setting, allowed address=10.0.2.8/32

** Update **
In Interfaces/Interface List, Add the wireguard interface as a LAN interface.
Hopefully can now ping the Mikrotik IP address of 10.0.2.1 from the phone.
Should also be able to ping 10.0.1.x from the phone.

Good Luck

Also try here

http://forum.mikrotik.com/t/mikrotik-wireguard-server-with-road-warrior-clients/148392/1

Thanks for your help.

I read through the above linked thread and toyed around some more, but still can’t get any traffic through to my home network via LTE on my phone. The WireGuard → Peers → Last Handshake field does populate now when I connect WG via my phone, though.

Here is the config I use on my phone:

[Interface]
PrivateKey = <...>
Address = 10.0.2.6/32

[Peer]
PublicKey = mavrijoUR9aB4qgvbeC2OwZGubXB3jahZSOgg1tc3nY=
AllowedIPs = 10.0.2.0/24, 10.0.1.0/24
Endpoint = <domain>:13231

Here are some screen shots of the router configuration and from the Wireguard app on my phone:

Your firewall is only allowing port 13231 from LAN - if you are connecting over LTE it will need to allow to 13231 from anywhere, not just LAN.

Fixed that, still no dice :frowning:

Picture seven allows to extract your public address.

Update: fixed.

My iPhone works fine via wireguard, check out the diagram (note I don’t use any IP addresses for the wireguard interface).
http://forum.mikrotik.com/t/mikrotik-wireguard-server-with-road-warrior-clients/148392/1

I thought the original poster fixed the issue but the messages have vanished into the ether when the forum was restored from a backup.

maybe his nick was ghost not goose :wink:

I had the same problem as the OP (I know that it’s a little late for this answer, but for others like me)… he should just masquerade the wireguard subnet

/ip firewall nat
add chain=srcnat action=masquerade src-address=10.0.2.0/24

and it would start to work… I was banging my head for some time before realising this :confused: :smiley:
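Pulling the thread together, here is the complete router side as one RouterOS 7 CLI script. This is an added example, not configuration posted by anyone in the thread: it follows the earlier “My thought” post (interface address 10.0.2.1/24, peer allowed-address 10.0.2.8/32, UDP input rule, wireguard interface in the LAN list) and adds the srcnat masquerade from the post above. The interface name wg0, the interface-list name LAN and the “defconf: …” comment used to position the input rule are assumptions taken from the RouterOS default configuration; the phone’s public key is a placeholder that must be pasted from the WireGuard app.

```routeros
# Added example (not from the thread): WireGuard road-warrior server on RouterOS 7.
# Assumed names: interface "wg0", interface list "LAN", default-config rule comments.

# 1. Create the WireGuard interface. RouterOS generates the private key itself;
#    the listen port is the UDP port the phone's Endpoint must point at.
/interface wireguard add name=wg0 listen-port=13231 comment="road-warrior server"

# 2. Show the interface; the "public-key" printed here goes into the phone's
#    [Peer] PublicKey. The private key never leaves the router.
/interface wireguard print detail

# 3. Give the tunnel side of the router an address (the first thing to ping).
/ip address add address=10.0.2.1/24 interface=wg0

# 4. One peer per client, identified by the CLIENT's public key. Endpoint fields
#    stay empty because the phone's LTE address changes; allowed-address is the
#    single /32 the phone uses inside the tunnel (Address = 10.0.2.8/32 on the phone).
/interface wireguard peers add interface=wg0 public-key="<PHONE_PUBLIC_KEY_PLACEHOLDER>" \
    allowed-address=10.0.2.8/32 comment="iphone"

# 5. Accept WireGuard UDP from anywhere, not only from LAN (the firewall mistake
#    caught mid-thread). Placed before the default "drop all not coming from LAN"
#    input rule; adjust the comment if your rule set differs from the default.
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept \
    comment="accept WireGuard" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 6. Treat the tunnel as LAN so the default input/forward rules apply to it.
/interface list member add list=LAN interface=wg0

# 7. Masquerade the tunnel subnet (the fix reported above): LAN hosts then see
#    the router's own LAN address and need no return route for 10.0.2.0/24.
/ip firewall nat add chain=srcnat action=masquerade src-address=10.0.2.0/24

# Verification: after the phone connects, the peer should show a recent
# last-handshake and non-zero rx/tx counters.
/interface wireguard peers print
```

On the phone the matching configuration is the one the original poster showed, with Address = 10.0.2.8/32 so it matches the peer’s allowed-address, AllowedIPs = 10.0.2.0/24, 10.0.1.0/24 and Endpoint = <domain>:13231. Step 5 is the only rule that exposes anything to the internet, and it exposes only UDP 13231; WireGuard silently discards packets that do not carry a valid handshake for a configured peer, so the port does not answer scans.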

Thank you erikklavora. The masquerade solved my issue as well