Using Wireguard with my Commercial VPN Provider - Please Help :)

Hello,

I am trying to get WireGuard to work on my hAP ac2 so that all WAN traffic goes through my commercial VPN provider.

Basically I want the router to do the job that my provider’s Windows software is doing right now, except I want it to handle also traffic from my other connected devices, not just the Windows PC.

This is what I have done so far:

I got the .conf files from my provider for my chosen endpoint locations. I didn’t find any way to import them directly into ROS v7.2Rc1, so I transferred the information manually.

The files have the following format:

[Interface]
PrivateKey = xxx
Address = xxx/32
DNS = xxx

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxx:443
PresharedKey = xxx

Then I setup a Wireguard Interface and Peer and added it to the LAN group like this:

/interface wireguard
add listen-port=13231 mtu=1420 name=VPNProvider
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VPNProvider list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="BKK" disabled=yes \
    endpoint-address=xxx endpoint-port=443 \
    interface=VPNProvider persistent-keepalive=25s public-key=\
    "xxx"
add allowed-address=0.0.0.0/0 comment=FRA endpoint-address=\
    xxx endpoint-port=443 interface=VPNProvider \
    persistent-keepalive=25s public-key=\
    "xxx"

Ok, that’s how far I have come. The Peer seems to handshake, but the connection isn’t working as planned.

I am not surprised, because from what I have read, I also need to set up a route and some firewall rules and maybe something else too.

And so here I would like some help from the more experienced members, because these are very sensitive areas and I don’t want to do anything wrong.

Also I hope that this thread with your help could be an asset for other people who simply would like to set up their VPN provider in their MikroTik router, since I could not find any tutorial on various provider’s websites.

Actually it would be great if MikroTik could add this to the Quick Set since I think this would be of great interest to the home user.

Thank you for your kind help.

Make that WAN: add interface=VPNProvider list=LAN

I am working on a script to read those kinds of config files.

Hope changing the LAN to WAN helps.

You also need to add a masquerade to NAT.

/ip/firewall/nat
add action=masquerade chain=srcnat out-interface=VPNProvider

In /ip/address you have to add the Address = xxx/32 from the file.


/ip/address
add address=xxxx network=xxxx interface=VPNProvider

Thank you for your suggestion.

I did this:

/interface wireguard
add listen-port=13231 mtu=1420 name=VPNProvider
/interface list member
add interface=VPNProvider list=WAN

But I still see no traffic.

Such a script would be great!

I was still editing my post and had a new go at it.

To test the connection directly, check if you can ping an external IP on your new VPNProvider interface.

Ok, thank you.

Could it be that you meant

add action=masquerade chain=srcnat out-interface=VPNProvider

instead of:
add action=masquerade chain=srcnat out-interface-list=VPNProvider

???

Yes, that works for you and I have now also the address part complete for you. This creates the routing entries you need.

Update:
I use the -list because of more than one connection.

You should have also a /interface/wireguard where you can enter the private key:

/interface/wireguard
add name="VPNProvider" mtu=1420 listen-port=13231 private-key="XXXXXXXXXXXXXX"

You also have a pre-shared key; use it to have even better encryption of your traffic.

Ok, I now did this:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=VPNProvider

/ip address
add address=xxx.xx.xxx.31 interface=VPNProvider network=xxx.xx.xxx.0

I tried to enter:

/ip address
add address=xxx.xx.xxx.31/32 interface=VPNProvider network=xxx.xx.xxx.0

but it wouldn’t take it. Maybe there was a fault in the configuration file with the network and I must enter another number instead of “/32”?

Regarding

add action=masquerade chain=srcnat out-interface=VPNProvider

I suggested to use this, because the “Out.Interface List” selection box only showed the choices: “LAN, WAN, all, dynamic, none, and static”. So I couldn’t select VPNProvider and also it wasn’t accepted in Terminal until I changed it to “out-interface=VPNProvider”.

I tried pinging 8.8.8.8 on the new interface, and it is working.

However, when I open my browser and use https://www.doileak.com/classic.html I still see all the information of my local ISP.

Yes, that is strange, because when I do " /interface/wireguard print" I see the private and public keys, as well as in the GUI.

I have a preshared key and I entered in the Peers section. There is no entry for a pre-shared key in the Wireguard section.

But when I do “/interface/wireguard export” the keys don’t show. Maybe a bug in 7.2Rc1?

Both peers are different locations of the same provider. My thinking was to disable all peers (locations, f.e. Chicago, USA) and enable only the one I want to tunnel through, f.e. France. This way I can choose what location to tunnel through. Is there a mistake in this logic?

So in other words, the first peer is disabled, the second peer is enabled.

Switch these:

add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=VPNProvider

And make in /interface/list a new list WireGuard and use that like I do to differentiate traffic. Because VPNProvider is a member of list WAN the first NAT you have now grabs it and it goes unencrypted to your current ISP.
Swapping those lines solves that, but better is to make a separate interface list WireGuard as I did.

It’s not a bug but a feature. If you want to export your keys then use: export show-sensitive

Thank you Mikrotik for this extra protection! :slight_smile:

Yes that could work and the proof is in eating the pudding. :wink:

Ok, thanks for your input.

So I did this:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WireguardVPN
/interface list member
add interface=VPNProvider list=WireguardVPN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WireguardVPN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

But still no pudding! :smiley:

Doileak still shows my local ISP even with the masquerade rules changed.

I don’t remember if this is also needed:

/ip/route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=VPNProvider pref-src="" routing-table=VPNProvider scope=30 suppress-hw-offload=yes \
    target-scope=10

/routing/table/
add disabled=no fib name=VPNProvider

Now you can decide which traffic has to go through WireGuard with new-routing-mark in Mangle.

This should complete it and it should now work for you.

Update: it should work now. It is a lot to set up and there could be simpler configs with VRF, but I did not use that, or better said, I did not get it working correctly. :wink:

The script I am making does only set the values in /interface/wireguard and /ip/address and adding the configuration above is still manual work.

Update 2: Try without this:

add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

…because it also matches WireGuard traffic on the WAN. We have moved that traffic to another interface…

Ok, I have done the following changes:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=VPNProvider \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=yes \
    target-scope=10
/routing table
add disabled=no fib name=VPNProvider

and it now works! Thank you so so much for your wonderful and patient help, msatter! :mrgreen:

I can also switch locations by disabling the currently active peer and enabling another one as planned, but in addition I also have to briefly disable and reenable the VPNprovider Wireguard Interface. GREAT!!!

Couple of loose ends which hopefully you can help me with too:
1.) My question about
"I tried to enter:

/ip address
add address=xxx.xx.xxx.31/32 interface=VPNProvider network=xxx.xx.xxx.0

but it wouldn’t take it. Maybe there was a fault in the configuration file with the network and I must enter another number instead of “/32”?"

2.) Doileak still shows my ISP DNS instead of my VPN provider’s DNS. How can I change it, so that ONLY when I have the Wireguard interface enabled - INCLUDING the corresponding Peer (since every Peer will have a different DNS), only then will the DNS change.
And if I don’t use my VPN provider, then I have the usual ISP default peer or 9.9.9.9 / 1.1.1.1 DNS active?

EDIT: On point 2.) - I just noticed that it is not the Peer DNS that needs to change, but my VPN provider gives the DNS in the Wireguard Interface, not the Peer. However, I suspect there must be something going on behind the scenes on my provider’s server and then a different DNS is added via the server depending on location.

The address is the same as for network, both without the range /32.

Redirecting (ROS7) the local DNS client through the WireGuard connection. Hope it works.

/routing rule
add action=lookup disabled=no dst-address=1.1.1.1/32 interface=VPNProvider table=VPNProvider
add action=lookup disabled=no dst-address=9.9.9.9/32 interface=VPNProvider table=VPNProvider

Update to point 2. The DNS server of your provider is mostly only accessible from the ISP network. So going through your VPN to that DNS mostly does not work.
Using the two DNS servers provided by the VPN provider works only inside the VPN. So switching over to external DNS servers should solve both problems.

Update 3: if you enable the rules then you need to have the WireGuard running.

Right now, Winbox shows

/ip address
add address=xxx.xx.xxx.31 interface=VPNProvider network=xxx.xx.xxx.0

in red and as invalid when I have the VPNProvider interface disabled.

When I enable the VPNProvider interface it becomes enabled and apparently valid.

I am concerned I would be doing something wrong when I would change

/ip address
add address=xxx.xx.xxx.31 interface=VPNProvider network=xxx.xx.xxx.0

to

/ip address
add address=xxx.xx.xxx.0 interface=VPNProvider network=xxx.xx.xxx.0

as I understand it you have suggested. I would think there must be a reason the provider gave the specific IP address with a 31 at the end.

Regarding the DNS situation, I did add

/routing rule
add action=lookup disabled=no dst-address=1.1.1.1/32 interface=VPNProvider table=VPNProvider
add action=lookup disabled=no dst-address=9.9.9.9/32 interface=VPNProvider table=VPNProvider

yet, it has no effect and still shows my ISP’s DNS server.

My regular DNS settings are:

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.82.1 comment=defconf name=router.lan

but it should be noted that I am currently at a hotel and my personal hAP ac2 is behind the hotel’s router, which of course would be the main use case of this VPN configuration.

Combining this and using Netwatch:

/routing rule
add action=lookup disabled=no dst-address=198.0.0.1/32 interface=VPNProvider table=VPNProvider
/tool netwatch
add disabled=no down-script="# DNS ISP\r\
    \n/ip dns\r\
    \nset servers=123.3.4.5,123.3.4.6" host=198.0.0.1 interval=10s up-script=\
    "# VPN DNS\r\
    \n/ip dns\r\
    \nset servers=198.0.0.1,198.0.0.2"

Every 10 seconds Netwatch looks if the VPN is up by checking if it can reach the DNS of the VPN provider. If available then it switches to those DNS servers. If not reachable it will switch in 10 seconds to the ISP DNS servers.
You have to change the dummy IP addresses to the correct ones of the ISP and the VPN provider.

I can’t make it any easier… :wink:

Should I delete

/routing rule
add action=lookup disabled=no dst-address=1.1.1.1/32 interface=VPNProvider table=VPNProvider
add action=lookup disabled=no dst-address=9.9.9.9/32 interface=VPNProvider table=VPNProvider

these routing rules before I try the new Netwatch solution?

It is not a big deal: the address you use is a range of /32, or one IP. The network can have a wider range, and the xxx.0 at the end means a range of /24. Better is, as I wrote, to have the network also as a range of /32, and that is done by replacing xxx.0 by xxx.31 in your case. Creating just a little window.

When the WG interface goes down, the line in routing changes to red, indicating it is not active.

Extra, change the packet size to 1232 as recommended these days. It ‘will’ then fit any VPN tunnel it has to go through:

/ip dns
set max-udp-packet-size=1232

I have made an extra posting above for the DNS; disable the earlier added rules. Disable first and test. If the Netwatch works then delete.

Let me know if that works and it is also new stuff for me.

Interesting, for one of my clients I had to bump up the MTU to 1500 to get his particular set of applications to work. (Both sides of the tunnel have to match.)