RouterOS as a wireguard Client and Routing from Local Network (NOT Site-to-Site)


Hi all,

I have a software WireGuard solution set up remotely that works great on Windows, iOS, and Linux clients. When I import a similar WireGuard configuration into RouterOS (using wg-import in WinBox), created specifically for this setup just like on the other clients, it appears to connect fine. I can even ping through the wg1 interface:


ping 10.77.1.1 interface=wg1


I’m not new to MikroTik, but I’ve only been using it for about a year—overall with great success.

I’ve been reading a lot about routing and understand that I need to create routes so that local clients on the MikroTik’s network (bridge) can access the WireGuard tunnel when using a specific IP range (for example, 10.78.1.0/24).

I’ve been experimenting with both normal routes and VRFs. Below is what I’ve done so far:

  • Imported the WireGuard configuration via WinBox using wg-import.
    The tunnel connects successfully on the remote end, and I can ping through it.

  • Added a firewall rule:

    /ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept

  • Created VRF routes (I’m honestly not sure what I’m doing here—just experimenting).

  • Tried using the VRF under routes with the WireGuard gateway IP.

I could paste a lot of other commands here, but I’ve tried so many different things at this point.

I know I’m doing something wrong. I’ve searched the MikroTik forum, Google, and even asked friends who are more fluent with MikroTik, but no luck so far. Almost all guides I find are for site-to-site setups, which isn’t very helpful from what I can see (they don’t really separate which side is which).

Any guidance would be greatly appreciated.

Hardware is a hEX refresh (bought for testing purposes); my main router is a MikroTik hAP ax3.

The remote WireGuard endpoint is a Linux server (where the other clients work fine).

I’m not new to MikroTik either (though still inexperienced), but this is what I did - add the details from your config file - and it works wonders on a non-refresh hEX:

/interface wireguard
add name=wg1 private-key="..."

/interface wireguard peers
add name=peer1 interface=wg1 endpoint-address="..." endpoint-port=443 preshared-key="..." public-key="..." allowed-address="0.0.0.0/0" persistent-keepalive="25s"

/ip address
add address=<IP-address-from-your-config> interface=wg1 network=<same-as-IP-address>

/routing table
add name=rtab-1 fib

/ip firewall nat
add chain=srcnat out-interface=wg1 action=masquerade

/ip route
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=rtab-1

/routing rule
add action=lookup-only-in-table src-address=<your-subnet-to-route-over-wireguard> table=rtab-1

Conceptually, the key points in the above post are:

  1. setup the wireguard interface (that you have already done)
  2. create a dedicated fib routing table
  3. create a suitable route in that table
  4. create a routing rule to make the intended traffic use the dedicated (not main) routing table

  To this you should add:

  5. add a suitable NAT rule for the interface

This last one (depending on your configuration) can be omitted if you classify the wg1 interface as WAN (which is advised if you are using the default configuration for NAT and firewall, which makes use of interface-list members).

No need to go VRF in this case; the added, dedicated routing table will do. It is simpler and less likely to have unwanted side effects.

But it depends: if your destination (the other end of the WireGuard tunnel) is a definite subnet, you can make do with just an added route to that subnet in main with wg1 as gateway.
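The two replies above describe one procedure (interface, dedicated FIB table, route, routing rule, NAT). The following is an added, complete RouterOS 7 example of that procedure, written for this page and not taken from either poster or from MikroTik's documentation. Everything concrete in it is an assumption: the LAN subnet 192.168.88.0/24 (the RouterOS default), the tunnel address 10.77.1.2/24 as handed out by the server, the endpoint vpn.example.net on UDP 51820, and the keys shown as "..." that would come from the exported client config. It uses the interface-list approach from the second reply instead of a wg1-specific masquerade rule, and ends with the checks to confirm the rule and route are actually in effect.

```routeros
# Added example, not from the thread: RouterOS 7 as a WireGuard client,
# with one LAN subnet policy-routed through the tunnel.
# Assumed values: LAN 192.168.88.0/24, tunnel address 10.77.1.2/24,
# endpoint vpn.example.net:51820, keys "..." from the exported client config.

/interface wireguard
add name=wg1 private-key="..." listen-port=13231 comment="client tunnel to remote Linux server"

/interface wireguard peers
add interface=wg1 name=peer1 public-key="..." preshared-key="..." \
    endpoint-address=vpn.example.net endpoint-port=51820 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s

/ip address
add address=10.77.1.2/24 interface=wg1

# Treat the tunnel as a WAN. With the default firewall this means unsolicited
# input from the remote side is dropped, and the default srcnat rule
# (out-interface-list=WAN action=masquerade) already covers wg1, so no
# separate "out-interface=wg1" masquerade rule is needed.
/interface list member
add list=WAN interface=wg1

# Dedicated FIB table holding only a default route via the tunnel.
/routing table
add name=rtab-1 fib

/ip route
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=rtab-1 comment="default via WireGuard"

# Policy rule: only packets sourced from the LAN subnet consult rtab-1.
# lookup-only-in-table means a packet that finds no route in rtab-1 is dropped
# instead of falling back to main, so LAN traffic does not leak out the normal
# ISP uplink if the wg1 route ever becomes inactive.
/routing rule
add src-address=192.168.88.0/24 action=lookup-only-in-table table=rtab-1 comment="LAN -> WireGuard"

# Checks: the route should show as active in rtab-1, the rule should be
# enabled, and the WAN masquerade counters should climb as LAN hosts use it.
/ip route print where routing-table=rtab-1
/routing rule print
/ip firewall nat print stats
```

Two caveats worth knowing when reading this against the original post. First, because the router is the initiating peer (endpoint and persistent-keepalive set), the server's replies arrive as an established UDP flow and are accepted by the default "accept established,related" input rule, so the extra input-chain accept for udp/51820 is only needed if this router must also accept inbound handshakes. Second, the routing rule matches on source address, so it only catches forwarded LAN traffic; anything the router itself originates (its own DNS forwarder, NTP, package updates) carries the WAN address and still uses the main table.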

I fixed this by treating WireGuard as a normal WAN and using policy routing, not VRF. I created a separate routing table with a default route via wg1, added a routing rule to send only my local subnet through that table, and added src-nat masquerade on wg1. Once I did that, clients on my LAN could route traffic through the WireGuard tunnel without issues.