Hello everyone, as the title says I’m trying to configure a Wireguard tunnel, my router (Chateau LTE12) is the client and it has to redirect all the internet traffic (coming from a 4G SIM with a dynamic public IP) to my VPS server. After many and many failed attempts I managed to get something working by following anav’s great guide (https://forum.mikrotik.com/viewtopic.php?p=906311&hilit=wireguard+client#p906311), the only extra thing I did was adding the Wireguard interface to the WAN list. But, despite seeing the public IP address of my VPS server and getting the speeds I was expecting, web pages take an insane amount of time to load (sometimes they don’t even load at all) and I have no idea what’s causing it. I’m running RouterOS 7.1.1 stable, my firewall and NAT settings are set to default.
Could anyone help me? Thanks in advance.
Well, it's a work in progress and the part TBC is probably the part you need LOL.
In any case, without seeing your config it's hard to say.
/export hide-sensitive file=anynameyouwish
Also from the last part of the article “NETWORK DIAGRAM” can you provide a network diagram that shows the WG relationships??
This might be an MTU issue.
http://forum.mikrotik.com/t/route-internet-traffic-mt-via-wireguard-tunnel-through-mt-wg-peer/154825/1
You can check my config as I was doing the same thing.
If so, for one application I was using I had to use an MTU setting of 1500 at both ends of the tunnel - see if that makes a difference!
Thank you for your replies!
Here’s my configuration, I’ve just hid the public IP and key of my VPS server:
# jan/18/2022 17:49:50 by RouterOS 7.1.1
# software id = ZSTJ-AJBS
#
# model = RBD53G-5HacD2HnD
# serial number = C8CA0CD5C253
/interface bridge
add admin-mac=48:8F:5A:11:29:A5 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=10Mbps
set [ find default-name=ether2 ] speed=10Mbps
set [ find default-name=ether3 ] full-duplex=no speed=10Mbps
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
country=italy disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=MikroTik-2.4G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-eeeC country=italy disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid=MikroTik-5G \
wireless-protocol=802.11
/interface wireguard
add listen-port=51820 mtu=1420 name=wg0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=myinternet.wind default-route-distance=1 ip-type=ipv4 name=WindTre \
use-network-apn=no use-peer-dns=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=WindTre band=1,3 name=lte1 \
network-mode=lte
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/queue simple
add name="All Bandwith" priority=1/1 target="192.168.88.10/32,192.168.88.11/32\
,192.168.88.12/32,192.168.88.17/32,192.168.88.18/32,192.168.88.23/32"
add max-limit=128k/17M name=TV target=\
192.168.88.19/32,192.168.88.20/32,192.168.88.21/32,192.168.88.22/32
add max-limit=1M/10M name=Phones target=\
192.168.88.13/32,192.168.88.14/32,192.168.88.15/32,192.168.88.16/32
/routing table
add disabled=no fib name=wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=wg0 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<VPS PUBLIC IP> endpoint-port=\
51820 interface=wg0 persistent-keepalive=20s public-key=\
"<VPS SERVER PUBLIC KEY>"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.6.0.2/24 interface=wg0 network=10.6.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.88.20 client-id=1:74:a7:ea:7e:8b:9f mac-address=\
74:A7:EA:7E:8B:9F server=defconf
add address=192.168.88.10 client-id=1:30:9c:23:84:63:ba mac-address=\
30:9C:23:84:63:BA server=defconf
add address=192.168.88.15 client-id=1:58:20:59:16:f:ab mac-address=\
58:20:59:16:0F:AB server=defconf
add address=192.168.88.22 mac-address=38:A6:CE:CB:7F:7C server=defconf
add address=192.168.88.21 mac-address=D0:58:FC:03:50:92 server=defconf
add address=192.168.88.13 client-id=1:7e:60:bb:7a:b0:42 mac-address=\
7E:60:BB:7A:B0:42 server=defconf
add address=192.168.88.19 client-id=1:54:bd:79:12:a6:6a mac-address=\
54:BD:79:12:A6:6A server=defconf
add address=192.168.88.14 client-id=1:a4:4b:d5:c8:c6:d8 mac-address=\
A4:4B:D5:C8:C6:D8 server=defconf
add address=192.168.88.17 client-id=1:0:e4:21:15:ce:ae mac-address=\
00:E4:21:15:CE:AE server=defconf
add address=192.168.88.11 client-id=1:d0:50:99:99:66:5a mac-address=\
D0:50:99:99:66:5A server=defconf
add address=192.168.88.12 client-id=1:e4:be:ed:20:cd:aa mac-address=\
E4:BE:ED:20:CD:AA server=defconf
add address=192.168.88.18 client-id=1:80:60:b7:b1:24:b mac-address=\
80:60:B7:B1:24:0B server=defconf
add address=192.168.88.16 client-id=1:e0:cc:f8:82:1c:36 mac-address=\
E0:CC:F8:82:1C:36 server=defconf
add address=192.168.88.23 client-id=1:0:24:d6:f6:aa:4 mac-address=\
00:24:D6:F6:AA:04 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1 \
gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" \
routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.1/24 \
table=wg
/system clock
set time-zone-name=Europe/Rome
/system routerboard settings
set auto-upgrade=yes cpu-frequency=auto
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system scheduler
add interval=1d name="LTE Disable" on-event="interface disable lte1" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/20/2021 start-time=03:59:55
add interval=1d name="LTE Enable" on-event="interface enable lte1" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/20/2021 start-time=04:00:00
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
set port=lte1 receive-enabled=yes
Network diagram (hope it’s clear enough):
192.168.88.0/24 (default subnet, all devices connected to the router) -> Chateau LTE12 (Router, WAN is the lte1 interface) -> Wireguard Tunnel -> VPS Server
Regarding the Wireguard Tunnel:
- (Client) Router’s IP: 10.6.0.2/24
- (Server) Server’s IP: 10.6.0.1/24
- Tunnel: 10.6.0.0
I just tried to change the MTU on my router, default for Wireguard is 1420 while for lte1 is 1500. Now they're both at 1500 but it doesn't look like there's much of a difference so far… But I'll definitely give a proper look to your config own3r, thanks for sharing it!
@Elleh
Can you share your other routes too?
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
I think this is wrong.
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.1/24 \
table=wg
/routing rule add action=lookup-only-in-table disabled=no dst-address=10.10.12.0/24 src-address=10.10.12.0/24 table=main
/routing rule add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 src-address=10.10.12.0/24 table=via-wg
you have to add your WG to your LAN interface list
You need NAT also if your ISP doing a DNS filtering you need a DST nat for that too.
For web access over the tunnel, I had to set my MTU to 1320; any higher than that would not work for me. This might not be the case for you. My connection is PPPoE for WAN.
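The MTU values in this thread (1500, 1420, 1320) were tried by hand. The following RouterOS script is an added example, not from any post, that probes the tunnel with the DF bit set to find the largest packet that gets through. It assumes the tunnel peer is 10.6.0.1 as in this thread and that the ping `size` parameter counts the whole IP packet including headers (assumed here).

```routeros
# Added example (not from the thread): probe the largest packet that crosses the
# tunnel with DF set, instead of trying MTU values one by one.
# Assumptions: the tunnel peer is 10.6.0.1 as in this thread, and the RouterOS ping
# "size" parameter counts the whole IP packet including headers (assumed here).
:local peer "10.6.0.1"
:local best 0
# Walk upwards in 20-byte steps; the last size that gets a reply is the usable maximum
:for sz from=1280 to=1420 step=20 do={
    :if ([/ping $peer count=1 size=$sz do-not-fragment] = 1) do={
        :set best $sz
    }
}
:if ($best = 0) do={
    :put "No size from 1280 to 1420 passed unfragmented; check the peer and the tunnel first"
} else={
    :put ("Largest unfragmented packet through the tunnel: " . $best . " bytes")
    # IPv4 TCP MSS = packet size - 20 (IP) - 20 (TCP); use it in a change-mss mangle rule
    :put ("TCP MSS to clamp to: " . ($best - 40))
}
```

Run it from the router terminal while the tunnel is up; the reported size is the value to set as the wg0 MTU (or to clamp MSS against) rather than a guess.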
Sure, here are the other routes:

But I don’t think the problem is here, I can ping 10.6.0.1 from the router and my PC without any packets lost. I tried setting the MTU to 1320 and lower values, but nothing changes, so I reverted it to default (Wireguard: 1420, LTE: 1500). If I add the Wireguard interface to both LAN and WAN the connection drops, the only way I managed to have it somehow working is by either:
- Adding it only to WAN
- Creating a NAT masquerade rule for the Wireguard interface
I gave a look at your configuration, but I think it's more complex than what I'm trying to achieve. The Wireguard tunnel should be configured correctly considering I can ping the server and I have access to the internet, there's just something that is making requests time out or take way too much time.
The ping inside your private IP is okay but can you check your client route to the outside if it passed your private IP to VPS? I would recommend using torch to see if the outgoing traffic from MT will match at the VPS WG interface.
I read your first topic; it looks like we had the same goal, nothing more than usual. The WG interface must be a LAN member, not WAN, or you could create a new list and add it to that list and then add your interface list to be accepted in the input chain before the drop !LAN.
My problem is more basic (slow learner), I still don't understand what the topology is.
Audience ROUTER connected to the internet via ISP modem locally ?
LTE ROUTER at some remote location??
I just don't see the relationship between LTE and Audience, and further I have no clue of the relationship between a server and internet traffic…
Totally lost, don't have an iota of a sense of what you want to do or how you are attempting to address it.
He wants to pass his internet traffic VIA WG to a WG server( The VPS ).
Uhm ok I’ll try to be a bit more clear about my situation.
I have a Chateau LTE12, it's a standard Mikrotik router with the addition of a 4G modem; unfortunately the area where I live is not well covered by the various ISPs, so 4G is my only available option. I have my SIM (unlimited data + dynamic public IP) in the Chateau LTE12, all my internet traffic comes from that. Since my ISP is applying all sorts of shaping and filtering to my connection (which is fair, in the end a 4G SIM isn't supposed to replace a standard wired connection), I'm trying to route all my traffic to my VPS server through a Wireguard tunnel.
That's a start.
You have a chateau LTE router with a sim card supplying internet to your network.
You don't have an ISP, you have a cellular connection?
Where is your VPS server in all of this??
Why would a VPS server have any sort of ability to run wireguard ??
Well my ISP is the SIM provider in this case. The VPS server is outside my network, it has a public IP, it runs on Ubuntu and an instance of Wireguard has been installed on that machine. I need to redirect all my internet traffic to avoid all the various filters of my ISP, I chose Wireguard as it’s a light protocol and it gives an overall good performance.
So you need exactly what I have done, except my VPS was a CHR. Then you should add your entire DHCP IP pool to your address list with a connection/packet mark/route mark.
SO the MT Router is the client initially connecting to the VPS Ubuntu?
Well that's now much clearer and you want to run the users out the VPS server for internet.
My issue is all your IP addresses look the same, let's GET OFF That train…
First off, on the client you don't need an ip address at all.
Nothing special on the MT WIREGUARD SETTINGS
On the Peer settings…
allowed address=0.0.0.0/0
Endpoint address=public IP of your vbs/ubuntu
Port: is the active listening port on the vbs/ubuntu wireguard settings
Set persistent keep alive like to 25 seconds…
On the MT router
REMOVE THIS WRONG!! - add interface=wg0 list=WAN
REMOVE THIS NOT NEEDED - add address=10.6.0.2/24 interface=wg0 network=10.6.0.0
For IP routes, I am assuming there is already a route for LTE that works, so currently all users go out the internet.
Okay I see it good!
Therefore you're right in having the extra IP Route rule to ensure all users get sent to the tunnel for internet.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src=""
routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
Clearly you figured out the making of the table aspect!
/routing table
add disabled=no fib name=wg
The IP route rule looks okay WAIT A MINUTE>>>>>>>>>>>>>>>>>>>>>
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.1/24
table=wg
should be
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.0/24
table=wg
First of all I want to thank you both for your help, as you can see I’m still a beginner with RouterOS.
@anav, I followed your advice, unfortunately I didn't manage to get it working and I lost the ability to ping the server inside the Wireguard tunnel. I did a few tests and I think this was actually necessary: add address=10.6.0.2/24 (even without the /24 it works) interface=wg0 network=10.6.0.0
@own3r1138, I gave an in depth look at your configuration and I tried to replicate it. I managed to understand what you've done until your second last post, the last one has commands that involve lists and I don't know what interfaces/IPs are in there. The only thing I changed in the mark routing rule was the source address where I put my entire subnet (192.168.88.0/24), but I haven't understood the "!LOCAL" in destination address list that you added in your second last post. Now the Wireguard tunnel works like it did with my config with the difference that I can't ping the VPS (which isn't really a problem for me), I still get a few time out requests but I now have the Wireguard interface only in the LAN list, so that's a positive. I guess your last post could be the key for making this whole thing work correctly.
Hi Elleh,
Please post your current config on the ROUTER
AND!!!
The wireguard config on the ubuntu
@Elleh
!LOCAL means everything that is not in the LOCAL address list will be marked to route through the WireGuard tunnel.
for the ping, I think it’s something to do with your allowed address in the peers.
even without the /24 it works
So actually, it's a 10.6.0.2/32 when you didn't use a /24 CIDR.
For using a 0.0.0.0 at the ubuntu Peer: I think none of the peers at the server should have a 0.0.0.0/0 as an allowed address. Every peer is client-server like. That Peer should have a specified /32 IP address as an allowed address; if any other connectivity is needed for that connection then it should be allowed at the client peer and pass through the tunnel with the client src IP (10.6.0.2/32), so no bogus peer could use the same IP as the Peer IP.
But I’m usually more wrong than right so that’s just my assumption.
Like I said, need to see the latest config on the MT (client end)
and the Wireguard settings from ubuntu… (server end), speculating is a waste of time.
I think I did it, and I can even choose to pass only certain devices to the Wireguard tunnel and leaving the others on my regular network! So far I'm not getting any timed out requests and the speeds are very comparable to a Windows client. Of course a big thank you to anav for your great guide and to own3r1138 for sharing your configuration from which I took a lot of inspiration
Since I think this could be helpful to others, I’m sharing my configuration (which is built on top of the Mikrotik default settings)…
- Wireguard
  - Wireguard interface:
    - Name: wg0
    - MTU: 1420 (default)
    - Listen port: doesn't matter as the router is a client
    - Private and public key: automatically generated
  - Peers:
    - Interface: wg0
    - Public key: <Server public IP address>
    - Endpoint port: listening port of the server
    - Allowed addresses: 0.0.0.0/0
    - Persistent keepalive: 20 secs
- Interfaces / Interface List
  - Added the wg0 interface to the LAN list
- IP / Addresses
  - Address: 10.6.0.2 (address of the router in the Wireguard tunnel)
  - Network: 10.6.0.0 (Wireguard tunnel)
  - Interface: wg0
- IP / DNS
  - Servers: favourite DNS servers
- IP / DHCP Server / Networks
  - DNS Servers: same as the above ones
- Routing / Tables
  - Name: wg
  - FIB: yes
- IP / Firewall / Mangle
  - Rule 1:
    - Chain: prerouting
    - Protocol: 6 (tcp)
    - Dst. Port: 53
    - Src. Address List: DHCP Pool or Address list of allowed devices
    - Action: mark connection
    - New Connection Mark: wg-dns
    - Passthrough: yes
  - Rule 2:
    - Chain: prerouting
    - Protocol: 17 (udp)
    - Dst. Port: 53
    - Src. Address List: DHCP Pool or Address list of allowed devices
    - Action: mark connection
    - New Connection Mark: wg-dns
    - Passthrough: yes
  - Rule 3:
    - Chain: prerouting
    - Connection Mark: wg-dns
    - Action: mark routing
    - New Routing Mark: wg
    - Passthrough: yes
  - Rule 4:
    - Chain: prerouting
    - Dst. Address: ! 192.168.88.0/24
    - Src. Address List: DHCP Pool or Address list of allowed devices
    - Action: mark connection
    - New Connection Mark: wg
    - Passthrough: yes
  - Rule 5:
    - Chain: prerouting
    - Connection Mark: wg
    - Src. Address List: DHCP Pool or Address list of allowed devices
    - Action: mark routing
    - New Routing Mark: wg
    - Passthrough: no
  - Rule 6:
    - Chain: forward
    - Protocol: 6 (tcp)
    - Connection Mark: wg
    - TCP Flags: syn
    - Action: change MSS
    - New TCP MSS: clamp to pmtu
    - Passthrough: yes
- IP / Firewall / NAT
  - Rule 1:
    - Chain: dstnat
    - Connection Mark: wg-dns
    - Action: dst-nat
    - To Addresses: 10.6.0.1 (Address of the server in the Wireguard tunnel)
  - Rule 2:
    - Chain: srcnat
    - Out. Interface: wg0
    - Action: masquerade
- IP / Routes / Routes
  - Dst. Address: 0.0.0.0/0
  - Gateway: wg0
  - Distance: 1
  - Routing Table: wg
- IP / Routes / Rules
  - Rule 1:
    - Src. Address: 10.6.0.0/24 (Wireguard tunnel)
    - Dst. Address: 10.6.0.0/24 (Wireguard tunnel)
    - Action: lookup only in table
    - Table: main
  - Rule 2:
    - Src. Address: 10.6.0.0/24 (Wireguard tunnel)
    - Dst. Address: 0.0.0.0/0
    - Action: lookup only in table
    - Table: wg
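The working setup listed above, rendered as a RouterOS 7 CLI script so it can be pasted into a terminal or imported on top of the default config. This is an added example, not the poster's own export. Assumptions not in the post: the placeholders `<VPS PUBLIC IP>` and `<VPS SERVER PUBLIC KEY>`, and an address list named `wg-clients` standing in for "DHCP Pool or Address list of allowed devices".

```routeros
# Added example: the working configuration from the post above as RouterOS 7 CLI.
# Constructed here, not the poster's export. Placeholders and the "wg-clients"
# address list are assumptions; everything else mirrors the listed GUI fields.
/interface wireguard
add name=wg0 mtu=1420 listen-port=51820
/interface wireguard peers
add interface=wg0 public-key="<VPS SERVER PUBLIC KEY>" endpoint-address=<VPS PUBLIC IP> \
    endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=20s
# wg0 belongs in LAN, not WAN: the default input chain drops everything not from LAN
/interface list member
add interface=wg0 list=LAN
/ip address
add address=10.6.0.2/24 interface=wg0
# Only hosts in this list are sent through the tunnel; the rest keep using lte1
/ip firewall address-list
add list=wg-clients address=192.168.88.0/24
/routing table
add name=wg fib
/ip firewall mangle
# Rules 1-3: DNS from tunnel clients is marked and routed through the tunnel
add chain=prerouting protocol=tcp dst-port=53 src-address-list=wg-clients \
    action=mark-connection new-connection-mark=wg-dns passthrough=yes
add chain=prerouting protocol=udp dst-port=53 src-address-list=wg-clients \
    action=mark-connection new-connection-mark=wg-dns passthrough=yes
add chain=prerouting connection-mark=wg-dns action=mark-routing new-routing-mark=wg \
    passthrough=yes
# Rules 4-5: everything else from tunnel clients that is not LAN-local goes through wg
add chain=prerouting src-address-list=wg-clients dst-address=!192.168.88.0/24 \
    action=mark-connection new-connection-mark=wg passthrough=yes
add chain=prerouting connection-mark=wg src-address-list=wg-clients \
    action=mark-routing new-routing-mark=wg passthrough=no
# Rule 6: clamp TCP MSS to the path MTU so large segments are not dropped inside the tunnel
add chain=forward protocol=tcp tcp-flags=syn connection-mark=wg \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes
/ip firewall nat
# Marked DNS is redirected to the server's tunnel address (the VPS must answer DNS there)
add chain=dstnat connection-mark=wg-dns action=dst-nat to-addresses=10.6.0.1
add chain=srcnat out-interface=wg0 action=masquerade
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 distance=1 routing-table=wg
/routing rule
add src-address=10.6.0.0/24 dst-address=10.6.0.0/24 action=lookup-only-in-table table=main
add src-address=10.6.0.0/24 dst-address=0.0.0.0/0 action=lookup-only-in-table table=wg
```

To put only some devices on the tunnel, replace the single /24 entry in `wg-clients` with the individual host addresses.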