Running Wireguard (Nordlynx) on RouterOS 7.11.2 (RB941-2nD)

Hi All,

Hope everyone is doing well!

For the past day or so, I’ve been trying to get Nordlynx (WireGuard) working on my Mikrotik RB941-2nD. I am running the latest 7.11.2 firmware. The router is reset to the default configuration, LAN and WLAN are bridged, and I am logging in as 192.168.88.1.

Having read various posts on this forum, I have obtained my public / private keys for WireGuard and all is good.

The script I am using is as follows, but unfortunately I cannot get it to work. Can anyone spot what may be wrong here or give a newbie some guidance?


/ip firewall address-list
add address=192.168.88.1 list=allow_vpn

/interface wireguard
add listen-port=38914 mtu=1420 name=wg0 private-key="ENTER PRIVATE KEY HERE"

/interface list
add name=WG

/routing table
add disabled=no fib name=useWG0

/interface list
member add interface=wg0 list=WG

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=uk1800.nordvpn.com endpoint-port=51820 interface=wg0 persistent-keepalive=25s public-key="ENTER PUBLIC KEY HERE"

/ip address
add address=10.5.0.2/24 interface=wg0 network=10.5.0.0

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src=0.0.0.0 routing-table=useWG0 scope=30 suppress-hw-offload=no target-scope=10


/ip firewall filter
add action=accept chain=forward comment="defconf: accept in wireguard" connection-mark=useWG0 in-interface-list=WG out-interface-list=LAN place-before=[find where action=fasttrack-connection]

add action=accept chain=forward comment="defconf: accept out wireguard" connection-mark=useWG0 in-interface-list=LAN out-interface-list=WG place-before=[find where action=fasttrack-connection]

/ip firewall mangle
add action=mark-connection chain=prerouting comment="defconf: wg0 mark (connection & routing) and mss change " new-connection-mark=useWG0 passthrough=yes src-address-list=allow_vpn
add action=mark-routing chain=prerouting connection-mark=useWG0 new-routing-mark=useWG0 passthrough=no src-address-list=allow_vpn
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=WG passthrough=yes protocol=tcp src-address-list=allow_vpn tcp-flags=syn

/ip firewall nat
add action=src-nat chain=srcnat comment="defconf: lan -> wg0 10.5.0.2" connection-mark=useWG0 out-interface-list=WG src-address=192.168.88.0/24 to-addresses=10.5.0.2 place-before=0


Thanks!

Are you sure this is not a mistake?

I am logging in as 192.168.88.1

192.168.88.1 is usually the address of the Mikrotik itself after resetting to the default configuration.
If it’s an error, then that’s the problem.

address-list
add address=192.168.88.1 list=allow_vpn

Maybe 192.168.88.0/24?

/ip firewall mangle
add action=mark-connection chain=prerouting comment="defconf: wg0 mark (connection & routing) and mss change " new-connection-mark=useWG0 passthrough=yes src-address-list=allow_vpn

Better use:

add action=mark-connection chain=prerouting comment=".." connection-mark=no-mark new-connection-mark=useWG0 passthrough=yes src-address-list=allow_vpn

At first sight …

Hi there, thanks so much for the reply! I’ve made the suggested changes; updated script below, but I’m still seeing my ISP IP on the connected PC and WiFi devices.

Any other suggestions I could try?


/ip firewall address-list
add address=192.168.88.0/24 list=allow_vpn

/interface wireguard
add listen-port=38914 mtu=1420 name=wg0 private-key="ENTER PRIVATE KEY HERE"

/interface list
add name=WG

/routing table
add disabled=no fib name=useWG0

/interface list
member add interface=wg0 list=WG

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=uk1800.nordvpn.com endpoint-port=51820 interface=wg0 persistent-keepalive=25s public-key="ENTER PUBLIC KEY HERE"

/ip address
add address=10.5.0.2/24 interface=wg0 network=10.5.0.0

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src=0.0.0.0 routing-table=useWG0 scope=30 suppress-hw-offload=no target-scope=10


/ip firewall filter
add action=accept chain=forward comment="defconf: accept in wireguard" connection-mark=useWG0 in-interface-list=WG out-interface-list=LAN place-before=[find where action=fasttrack-connection]

add action=accept chain=forward comment="defconf: accept out wireguard" connection-mark=useWG0 in-interface-list=LAN out-interface-list=WG place-before=[find where action=fasttrack-connection]

/ip firewall mangle
add action=mark-connection chain=prerouting comment=".." connection-mark=no-mark new-connection-mark=useWG0 passthrough=yes src-address-list=allow_vpn

/ip firewall nat
add action=src-nat chain=srcnat comment="defconf: lan -> wg0 10.5.0.2" connection-mark=useWG0 out-interface-list=WG src-address=192.168.88.0/24 to-addresses=10.5.0.2 place-before=0

/ip route/pri without-paging proplist=dst-address,gateway,distance,routing-table
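For reference, this is the complete mangle / routing-table version of the first approach, written by the editor as an added example; it is not the poster's script, nor anything from NordVPN or MikroTik. It keeps the thread's names (wg0, useWG0, allow_vpn, the WG interface list, 10.5.0.2/24) and assumes the RouterOS default configuration: ether1 is the WAN port with a DHCP client, the LAN is 192.168.88.0/24, and a LAN interface list exists. The revised script above has only the mark-connection rule; a mark-routing rule is what actually sends the packets to the useWG0 table, and marking must skip traffic destined for the LAN or the router itself. The accept rules are placed before the default fasttrack rule on purpose: fasttracked packets bypass mangle, so a fasttracked connection would silently lose its routing mark.

```routeros
# Added example (editor's, not the poster's script). Policy-based routing of
# LAN hosts through wg0 using connection and routing marks.
# Assumptions: ether1 = WAN (DHCP client), LAN = 192.168.88.0/24, the default
# "LAN" interface list exists, NordLynx keys and endpoint are filled in.

/interface wireguard
add listen-port=38914 mtu=1420 name=wg0 private-key="ENTER PRIVATE KEY HERE"

# The router itself resolves and reaches the endpoint via the main table, so no
# extra host route is needed here: router-originated traffic is never marked.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=uk1800.nordvpn.com endpoint-port=51820 \
    interface=wg0 persistent-keepalive=25s public-key="ENTER PUBLIC KEY HERE"

/ip address
add address=10.5.0.2/24 interface=wg0 network=10.5.0.0

/interface list
add name=WG
/interface list member
add interface=wg0 list=WG

# Which LAN hosts use the tunnel: one host, or the whole subnet as here.
/ip firewall address-list
add address=192.168.88.0/24 list=allow_vpn

# A separate routing table whose only route is the default via wg0.
/routing table
add fib name=useWG0
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=useWG0 distance=1

# Mangle: mark new connections from listed hosts, but never connections to the
# LAN itself or to the router (dst-address=!192.168.88.0/24), then give every
# packet of a marked connection the routing mark that selects useWG0.
/ip firewall mangle
add chain=prerouting action=mark-connection connection-mark=no-mark \
    src-address-list=allow_vpn dst-address=!192.168.88.0/24 \
    new-connection-mark=useWG0 passthrough=yes comment="wg0: mark connection"
add chain=prerouting action=mark-routing connection-mark=useWG0 \
    new-routing-mark=useWG0 passthrough=no comment="wg0: mark routing"
add chain=forward action=change-mss protocol=tcp tcp-flags=syn \
    out-interface-list=WG new-mss=clamp-to-pmtu passthrough=yes comment="wg0: mss clamp"

# Source NAT to the tunnel address on the way out of wg0.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WG comment="wg0: masquerade"

# Accept the tunnel traffic in forward before the default fasttrack rule, so
# these connections are never fasttracked (fasttrack bypasses mangle marks).
/ip firewall filter
add chain=forward action=accept in-interface-list=LAN out-interface-list=WG \
    place-before=[find where action=fasttrack-connection] comment="wg0: lan -> wg0"
add chain=forward action=accept in-interface-list=WG out-interface-list=LAN \
    connection-state=established,related \
    place-before=[find where action=fasttrack-connection] comment="wg0: wg0 -> lan"

# Keep DNS inside the tunnel too: the router's own resolver queries the tunnel
# DNS (reachable via the connected 10.5.0.0/24 on wg0) and ignores ISP DNS.
/ip dns set servers=10.5.0.1
/ip dhcp-client set [find interface=ether1] use-peer-dns=no
```

With this in place, `/ip firewall mangle print stats` should show the mark-routing rule's counters increasing while a listed host browses, and `/ip route print where routing-table=useWG0` should show the wg0 default route as active.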

I’ll write this just in case, for when the problem is solved:

/ip firewall address-list
add address=192.168.88.0/24 list=allow_vpn

will send your entire home network via VPN; hope you understand this.

Hiya, that didn’t work either, but I read a post on how another WireGuard provider does it and I’ve adapted it to work with Nordlynx. Happy to report this config worked perfectly the first time :)

Required dependencies:
1. Nordlynx PRIVATE AND PUBLIC KEY.
2. NORD connection address (Endpoint) converted into x.x.x.x format.


/interface wireguard add listen-port=38914 mtu=1420 name=wireguard-inet private-key="ADD YOUR PRIVATE KEY HERE"


/ip address add address=10.5.0.2/30 interface=wireguard-inet network=10.5.0.0

#Add the endpoint address, endpoint port, and public key from the WireGuard config file. Look for the lines starting PublicKey= and Endpoint=.
#For example, if the config says Endpoint=x.x.x.x:51820, enter endpoint-address=x.x.x.x and endpoint-port=51820

/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s public-key="ADD YOUR PUBLIC KEY HERE"

/ip firewall nat add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24

#Redirect all internet traffic through WireGuard

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.5.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.5.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/ip dns set servers=10.5.0.1

/ip dhcp-client set 0 use-peer-dns=no


#Redirect the WireGuard IP address through main provider’s gateway. Replace x.x.x.x with the endpoint address from the config file (Endpoint=).

/ip route add disabled=no dst-address=x.x.x.x/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no


What is your intent?
a. one user goes out WireGuard for internet vice local WAN
b. all users go out WireGuard for internet vice local WAN.

Also:
expectations when WireGuard is not working: fall back to local WAN, or not at all?
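The working config above routes the whole LAN (intent b) through the tunnel, and the fallback question has two possible answers in configuration. The following is an added example written by the editor, not the poster's configuration and not from NordVPN or MikroTik; it reuses the names from the working config (wireguard-inet, tunnel gateway 10.5.0.1, LAN 192.168.88.0/24) and assumes ether1 is the ISP uplink running the DHCP client. As posted, that config has no fallback: a RouterOS WireGuard interface reports running whether or not a handshake has completed, so the two /1 routes stay active and LAN traffic is simply lost inside the tunnel when the peer is unreachable, rather than leaking to the ISP. The example shows how to make either behaviour explicit, and the checks that tell you which path traffic is actually taking.

```routeros
# Added example (editor's, not the poster's config): the two fallback choices
# for the working NordLynx config in this thread, plus verification commands.
# Assumptions: wireguard-inet, tunnel gateway 10.5.0.1, ether1 = ISP uplink
# with a DHCP client, LAN = 192.168.88.0/24. Pick ONE of the two choices.

# --- Choice 1: fail closed (never fall back to the ISP).
# Forwarded LAN traffic may only leave via the tunnel; anything that would
# leave via ether1 is dropped. Placed before the default fasttrack rule so no
# LAN->ISP connection can be fasttracked past it.
/ip firewall filter
add chain=forward action=drop src-address=192.168.88.0/24 out-interface=ether1 \
    comment="kill switch: LAN leaves only via wireguard-inet" \
    place-before=[find where action=fasttrack-connection]

# --- Choice 2: fail open (fall back to the ISP when the tunnel is dead).
# check-gateway=ping withdraws the two /1 routes when 10.5.0.1 stops answering;
# the DHCP-client default route (0.0.0.0/0 via the ISP) then carries the LAN.
# Assumption: the NordLynx gateway 10.5.0.1 answers ICMP; confirm with /ping
# below before relying on it, otherwise the routes stay inactive permanently.
# Combining this with choice 1 means no internet at all while the tunnel is down.
/ip route
set [find dst-address=0.0.0.0/1 gateway=10.5.0.1] check-gateway=ping
set [find dst-address=128.0.0.0/1 gateway=10.5.0.1] check-gateway=ping

# --- Checks
# Peer state: last-handshake should be well under the 25s keepalive while
# traffic flows, and rx/tx should grow as LAN hosts browse.
/interface wireguard peers print detail where interface=wireguard-inet

# Tunnel routes must be active (flag A), and the /32 host route to the
# endpoint must point at the ISP gateway, not into the tunnel, or the tunnel
# can never come up.
/ip route print where gateway=10.5.0.1
/ip route print detail where routing-table=main

# The router's resolver must use the tunnel DNS and ignore the ISP's.
/ip dns print
/ip dhcp-client print detail where interface=ether1

# Reachability of the far end from the router itself.
/ping 10.5.0.1 count=3

# Live proof of which way LAN traffic goes: watch wireguard-inet while a LAN
# host browses; the tx counter, not ether1's, should be the one that climbs.
/interface monitor-traffic wireguard-inet once
```

Choice 1 is the one to pick if the point of the tunnel is that the ISP never sees LAN traffic; choice 2 is for a household that prefers connectivity over privacy when NordVPN is down. Either way, run the checks after a reboot: the DHCP client re-adds its default route on every lease, and the host route to the endpoint is evaluated against whatever gateway it handed out.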