RouterOS 7.5 as Wireguard client

Hi

My first post.:wink:
I'm new to playing with RouterOS on a new RB2011UiAS-2HnD. For some weeks I've been running a WireGuard server with the wg-easy GUI in Docker.
Very nice. Adding clients is so easy. I have downloaded the .conf file for the MikroTik client, and honestly I'm not sure why there is no handshake.

Tried to find some tutorials, but in most cases the MikroTik is the server. And that's not what I want to do…

The WG client seems to transmit, but there is no answer. Is it possible that it can't reach the remote server? The router itself can…

Thanks in advance…

https://forum.mikrotik.com/viewtopic.php?t=182340
http://forum.mikrotik.com/t/route-internet-traffic-mt-via-wireguard-tunnel-through-mt-wg-peer/154825/1

That looks extensive.

I thought I just have to set up a peer with the data provided by the Wireguard server.

My conf file for the WG client looks like this. My other clients (mobile, desktop…) don't need more information than that…

[Interface]
PrivateKey = kBb/1TG3sQRoxxxxxxxxxxxxx31vB113+B9y52k=
Address = 10.8.0.13/24
DNS = 8.8.8.8

[Peer]
PublicKey = E1X0GkYMieiKNWzNudxxxxxxxxxxxxLbDBDE=
PresharedKey = B70hkZ/56/pdK9QVRxxxxxxxxxxxxxvDoPTDyjr7U=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = wg.mydomain.net:51820
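What the thread is really after is a faithful translation of a wg-quick client .conf like the one above into RouterOS 7 commands; the script below is an added example, not code from the original post or from MikroTik. The sample conf, the interface name wireguard-vpn and the keep_ipv6 switch are assumptions and the keys are placeholders; the converter carries the PresharedKey across, because a missing or mismatched preshared key is one of the quiet ways to get transmit traffic on the interface and never a completed handshake.

```python
import ipaddress

# Constructed sample modelled on the wg-easy export above; keys are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.8.0.13/24
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = PRESHARED_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = wg.mydomain.net:51820
"""

def parse_wg_conf(text):
    """Return (interface, [peers]) with lower-cased keys; [Peer] may repeat."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = iface if line.lower() == "[interface]" else {}
            if current is not iface:
                peers.append(current)
            continue
        key, _, value = line.partition("=")  # base64 keys end in "=", so split once
        current[key.strip().lower()] = value.strip()
    return iface, peers

def to_routeros(iface, peers, name="wireguard-vpn", keep_ipv6=False):
    """RouterOS 7 commands; IPv6 entries are dropped unless keep_ipv6 is set."""
    def wanted(cidr):
        return keep_ipv6 or ipaddress.ip_network(cidr, strict=False).version == 4
    cmds = [f'/interface wireguard add name={name} mtu={iface.get("mtu", "1420")} '
            f'private-key="{iface["privatekey"]}"']
    for addr in (a.strip() for a in iface["address"].split(",")):
        if wanted(addr):  # /24 as in the conf; some setups prefer /32 on the client
            fam = "ip" if ipaddress.ip_interface(addr).version == 4 else "ipv6"
            cmds.append(f"/{fam} address add address={addr} interface={name}")
    for p in peers:
        host, _, port = p["endpoint"].rpartition(":")
        allowed = [a.strip() for a in p["allowedips"].split(",") if wanted(a.strip())]
        fields = [f"interface={name}", f'public-key="{p["publickey"]}"',
                  f"endpoint-address={host.strip('[]')}", f"endpoint-port={port}",
                  "allowed-address=" + ",".join(allowed)]
        if "presharedkey" in p:  # must match the server's PSK for this peer
            fields.append(f'preshared-key="{p["presharedkey"]}"')
        if "persistentkeepalive" in p:  # RouterOS takes a time value, hence "s"
            fields.append(f'persistent-keepalive={p["persistentkeepalive"]}s')
        cmds.append("/interface wireguard peers add " + " ".join(fields))
    return cmds
```

Paste the emitted lines into the RouterOS terminal; the ::/0 entry is left out by default because the router export in this thread has IPv6 disabled.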

Try an IP address of 10.8.0.13/32 for the client setting.

Is it just me, or is there still no RouterOS config posted? It’s quite likely that you made some mistake there, when you entered data from WG config file, but if nobody else can see it, it’s difficult to help.

I’m afraid I still have to deal with posting the config… :wink:

Use the export command in the terminal and it will show up under Files.
Download it to your computer, open it in Notepad, remove the serial number and any public WAN IP info and keys, and then paste it in the forum.
Use code tags on the config (next to bold, underline etc. - the black square with white square brackets).

OK, learning by doing. I know there are no firewall rules, but I don't get the tunnel handshake running… And I don't know if that is the reason…

# sep/25/2022 13:31:51 by RouterOS 7.5
# software id = VE92-QR7V
#
# model = RB2011UiAS-2HnD
# serial number = xxxxxxxxxxxxxx
/interface bridge
add admin-mac=DC:2C:6E:3F:37:9F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-3F37A8 wireless-protocol=802.11
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=*13 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=wg.mydomain.net endpoint-port=\
    51820 interface=wireguard-vpn persistent-keepalive=25s public-key=\
    "E1X0GkYMieiKNWzxxxxxxxxxxx0rTwncA22LbDBDE="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.8.0.13/24 interface=wireguard-vpn network=10.8.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lcd
set time-interval=hour
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10"
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hmmm, not much there.

(1) The mac-server by itself is not using a secure protocol and should be set to NONE.
/tool mac-server
set allowed-interface-list=LAN

(2) You are missing the fact that you need to send out your subnet through the tunnel.
I don't see any IP routes, so I'm assuming you set "add default route" in your IP DHCP client settings.
You need to uncheck that and make routes manually so it will all be clear.
Something as simple as:
/ip route add dst-address=0.0.0.0/0 gateway=ISPgatewayIP

Then you need to add 3 things:
a. routing table
b. routing rule
c. route

/routing table add name=useWG fib
/routing rule add src-address=192.168.88.0/24 action=lookup table=useWG

Note: if you used action=lookup-only-in-table, then if the WireGuard connection was down there would be no internet access at all. With the setting I prescribed, if WireGuard is down the router will go back to the main table, find the local route through the local WAN IP and route users out to the internet.

YOUR ROUTES
/ip route
add dst-address=0.0.0.0/0 gateway=ISPgatewayIP
add dst-address=0.0.0.0/0 gateway=wireguard-vpn table=useWG

(3) We also have to consider whether or not source NAT is required for WireGuard traffic.
WHERE ARE YOU SENDING THIS TRAFFIC TO? If the MT router is a client, what is the server???

a. if another MT router elsewhere and the allowed IPs include 192.168.88.0/24, no need for anything in source NAT
b. if a third party VPN provider then they are expecting all traffic to have the IP 10.0.8.13 and thus you need this additional nat rule…

add chain=srcnat action=masquerade out-interface=wireguard-vpn

(4) As far as firewall rules go, there is nothing blocking your LAN from going out WireGuard, as the default rules are loosey goosey, so it's not clear what is or isn't allowed.
Better to be a tad more explicit, at least in the forward chain.
FROM:
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward comment="allow normal internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="to wg tunnel for internet" in-interface-list=LAN out-interface=wireguard-vpn
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Sorry, but this is nonsense. If you get address from ISP using DHCP, you also get default route the same way. You could set it manually and it would work, sure, but where would you even get the gateway address from? You can’t just take the one you see when default route from DHCP is enabled, because it can change.

Hmm,

I can't say that I know more now than before. First I wanted to connect the WireGuard client to my WireGuard server.
The router will later be used for ham radio connections. If WireGuard works, I could edit the configuration together with other radio amateurs.
My WireGuard server is publicly accessible on the Internet. Other peers in the WireGuard network should be able to access the MT's web interface.

At the end, the MT should work as follows:

eth1 or sfp1 - WAN1 Internet (DHCP client)
eth2 - WAN2 ham radio 5 GHz antenna to Hamnet (some kind of intranet of radio amateurs) (https://hamnetdb.net/map.cgi)
eth3-5 - ham radio LAN (no NAT, the Hamnet clients have their own v4 address range)
eth6-10 - other LAN

The idea:
The clients on eth3-5 can reach other Hamnet clients via eth2.
If eth2 has no connectivity, the clients on eth3-5 can choose the 2nd route via eth1/sfp1 themselves. Don't know if this is possible.. :wink:
The clients on eth6-10 can only route via eth1/sfp1 (NAT, public Internet).

The MT interface should be accessible via Hamnet on eth2, and via WireGuard from the public Internet.

I assume there are other radio amateurs here in the forum. Maybe my idea is stupid.:wink:

Well, true, we don't know what the IP DHCP client looks like, so follow sob's advice and keep the default route as is.
We can just assume it's there… I prefer seeing (as seeing is believing).

Not a bad idea at all.

However, I may have misread your intentions totally.
Are you meaning to use the MikroTik router as the server or the client…
All this time I thought you were using the router to connect to a remote WireGuard server somewhere???
Now it appears you want the MT router to act as a server for incoming external clients…

Can you please add a network diagram to clear it up?

The MT should connect to my external WireGuard server, so I can reach it to make mods without being at its location.
For now, we only have mobile LTE internet. No other way to connect from the public Internet.

Yes, the MT WireGuard should only act as a client (peer).
Via the WireGuard interface (10.8.0.13) I want to reach the WebGUI of the MT.

You're right. I will try to make a diagram…

I see…
So the server is off site, and you want to use the server to reach your MT whenever you are away from it, for config and other purposes.
So the server is simply a conduit to all the users that need to reach your router.

Yes, my WireGuard server is simply a vServer with a fixed v4 IP and domain, running Docker and WireGuard in it…

In that case…

(1) Allowed IPs is too wide… 0.0.0.0/0 is typically for when local users are going out to the internet through your server or some other WireGuard location, and that does not appear to be the case.
SO…
You need to put in the IP of the WireGuard subnet and every subnet that you think will be coming into the router. I believe you will not have any subnets coming into or going out of the router, but only single WireGuard clients, and thus you only need the WireGuard subnet info.

From
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=wg.mydomain.net endpoint-port=51820 interface=wireguard-vpn persistent-keepalive=25s public-key="E1X0GkYMieiKNWzxxxxxxxxxxx0rTwncA22LbDBDE="

TO:

/interface wireguard peers
add allowed-address=10.8.0.0/24 endpoint-address=wg.mydomain.net endpoint-port=51820 interface=wireguard-vpn persistent-keepalive=25s public-key="E1X0GkYMieiKNWzxxxxxxxxxxx0rTwncA22LbDBDE="

(2) Missing a rule for you as admin to configure the router remotely… Place it before the last rule…
Note: replace XX with whatever WireGuard IP you set for the admin Windows client or iPad client etc…

add action=accept chain=input in-interface=wireguard-vpn src-address=10.8.0.XX/32 comment="admin remote access"
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

(3) Missing firewall rules to ensure remote traffic works properly.
Replace this firewall rule:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

As follows:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet"
add action=accept chain=forward in-interface=wireguard-vpn dst-address=192.168.88.0/24 comment="allow wireguard to lan"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(4) For routes, the connected route created by the WireGuard address will ensure that return traffic back through the tunnel goes out correctly. No other routes are required, as all incoming users have an IP address on the existing WireGuard network and there are no remote LAN subnets coming in NOR any local subnets going out.

(5) Source NAT: nothing special required, as no local users are going out via a third-party VPN provider.

Thanks for your work, will test it later this evening.
But, regardless of the firewall rules, shouldn't the WireGuard client establish the connection without these rules? There is no "handshake". I can see only transmit traffic on the WG interface…

You should be able to see the initial traffic heading out the router WAN on the WireGuard port… unless the other end responds you won't see any handshaking.
I suspect at this point it's your vServer, the remote WireGuard instance, that is the problem;
best to post all the config of that here…

Wireguard always transmits.
It is only when you see incoming, then you know it works.