I’m trying to create a travel router setup and got recommended both GL-iNet and Mikrotik for this purpose.
Could you give some advice on whether this is possible?
We have a person who has a GlobalProtect IPSec-VPN running for work on their work laptop (Windows app handles the VPN).
He would also like to access his home network during the week, but he doesn’t have admin rights to install another VPN solution (e.g. WireGuard).
We thought about constructing the VPN before the laptop, so the company VPN gets encapsulated in his own VPN (e.g. WireGuard, to avoid TCP on top of TCP).
An additional challenge is that his home connection is IPv4 CGNAT (though a public IP can be obtained for a monthly fee) or IPv6.
There are plenty of guides on how to set up a WireGuard server on a multitude of devices; we’re comfortable with that. Can we use RouterOS and a MikroTik device as a travel router, i.e.
1. set up a WireGuard client which will route everything through that tunnel
2. let a laptop connect through Ethernet/Wi-Fi
3. also connect to e.g. hotel Wi-Fi and let other Wi-Fi devices connect to the tunnel
4. drop/block the entire WAN connection if the tunnel stops working
This is definitely possible, I have such a router myself. One thing to watch out for: by blocking non-tunneled traffic, if your hotel hotspot / Wi-Fi session expires you will never be redirected to the captive portal to log in again.
Mikrotik’s RouterOS is robust and can handle a Wireguard client setup, allowing you to route traffic through the tunnel. You can also configure it to drop the WAN connection if the VPN fails, ensuring security.
For connecting multiple devices, both the router’s ethernet and WiFi interfaces can be used to establish a secure connection. This setup is particularly useful when you’re connecting through various networks, like in hotels or public WiFi.
Recently, I stayed at these resorts and the setup there was seamless for accessing various networks securely. This could give you a good reference for what to look for in network stability and security during your travels.
1- yes
2- yes
3- yes
4- NO. You always need someWAN to have the tunnel working (proud of myself for that little joke)
But I get what you want to achieve. You want all connections from client devices dropped when the tunnel goes down. So yes there too.
The last point is key.
The MT router knows nothing about whether the WireGuard tunnel is up or down, and thus the routing rule action LOOKUP will not do anything if the tunnel goes down on you.
Thus you need to monitor it recursively:
/routing table
add name=useWG fib comment="table referenced by the last route below must exist first"
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=ether1_IP comment="only if you don't have the default route enabled in the IP DHCP client"
add distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 check-gateway=ping scope=10 target-scope=12
add distance=2 dst-address=1.1.1.1/32 gateway=wireguard-interface-name scope=10 target-scope=11
add dst-address=0.0.0.0/0 gateway=wireguard-interface-name routing-table=useWG
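Pulling the thread together as an added example (not any poster's own config): a RouterOS v7 travel-router setup covering the four requirements, with the recursive check from the last reply placed in a routing table that LAN clients are forced into, plus a forward-chain rule so LAN traffic can never leave via the raw WAN. Assumed names and values: WAN uplinks ether1 and wlan-station, an already-configured LAN bridge "bridgeLAN" with DHCP server on 192.168.88.0/24, WireGuard interface "wg-home" with tunnel address 10.99.0.2/24, home endpoint home.example.net:51820 that masquerades tunnel traffic to the Internet, and placeholder keys.

```routeros
# Added example (not any poster's config): RouterOS v7 travel router.
# Assumed names: WAN uplinks ether1 and wlan-station, LAN bridge "bridgeLAN"
# (192.168.88.0/24), WireGuard interface "wg-home" (10.99.0.2/24),
# home endpoint home.example.net:51820, placeholder keys.
/interface wireguard
add name=wg-home listen-port=51820 private-key="<CLIENT_PRIVATE_KEY>"
/interface wireguard peers
add interface=wg-home public-key="<HOME_SERVER_PUBLIC_KEY>" \
    endpoint-address=home.example.net endpoint-port=51820 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip address
add address=10.99.0.2/24 interface=wg-home
add address=192.168.88.1/24 interface=bridgeLAN
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN
add interface=wlan-station list=WAN
# Dedicated table for LAN clients. lookup-only-in-table means that when the
# tunnel route below is inactive, client traffic is dropped instead of
# falling back to the main table (which is what plain "lookup" would do).
/routing table
add name=useWG fib
/ip route
# Recursive check as described in the thread: 1.1.1.1/32 is reachable only
# via the tunnel, and the default route is pinged through that next hop, so
# the route goes inactive when the tunnel stops passing traffic.
add dst-address=1.1.1.1/32 gateway=wg-home scope=10 target-scope=11
add dst-address=0.0.0.0/0 gateway=1.1.1.1 check-gateway=ping scope=10 \
    target-scope=12 routing-table=useWG
/routing rule
add src-address=192.168.88.0/24 action=lookup-only-in-table table=useWG
# Firewall kill switch: forwarded LAN traffic may only leave via wg-home.
/ip firewall filter
add chain=forward in-interface=bridgeLAN out-interface=wg-home action=accept
add chain=forward in-interface=bridgeLAN out-interface-list=WAN action=accept \
    disabled=yes comment="captive portal: enable this and disable the routing rule briefly"
add chain=forward in-interface=bridgeLAN out-interface-list=WAN action=drop \
    comment="kill switch: LAN never leaves via raw WAN"
/ip firewall nat
add chain=srcnat out-interface=wg-home action=masquerade
```

The router's own traffic (including the WireGuard handshake to the endpoint) keeps using the main table and the ISP default route, which is why the tunnel route sits in a separate table rather than in main.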