Hello,
I’m not so much into configuring MikroTik, but I know the basics. I’m having a bit of a problem. I set up WireGuard with PiVPN on my remote VPS server and created clients, of which my MikroTik home router has a copy too. I managed to forge the WireGuard to work in the scenario I needed it to.
This is my config:
# 2024-07-11 00:57:59 by RouterOS 7.15.2
# software id = 03AH-40CU
#
# model = RB951Ui-2HnD
# serial number = ###
/interface bridge add name=bridge1 port-cost-mode=short
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n country=uganda disabled=no frequency=auto mac-address=[MAC_REDACTED] mode=station-pseudobridge ssid=Mikrotik wps-mode=disabled
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1
/interface list add name=WAN
/interface list add name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=. supplicant-identity=""
/interface wireless add disabled=no keepalive-frames=disabled mac-address=[MAC_REDACTED] master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=. ssid=. wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool add name=lan_pool ranges=10.10.10.2-10.10.10.254
/ip dhcp-server add address-pool=lan_pool interface=bridge1 name=dhcp1
/routing table add disabled=no fib name=to_vpn
/interface bridge port add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge1 interface=wlan2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking set udp-timeout=10s
/ip neighbor discovery-settings set protocol=""
/interface detect-internet set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member add interface=wlan1 list=WAN
/interface list member add interface=bridge1 list=LAN
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=[REDACTED_ENDPOINT] endpoint-port=51820 interface=wireguard1 name=peer1 persistent-keepalive=10s preshared-key="*****" public-key="*****"
/ip address add address=10.10.10.1/24 interface=bridge1 network=10.10.10.0
/ip address add address=10.149.189.4/24 interface=wireguard1 network=10.149.189.0
/ip dhcp-client add add-default-route=no interface=wlan1 use-peer-dns=no
/ip dhcp-server network add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1
/ip dns set allow-remote-requests=yes servers=10.149.189.1
/ip firewall address-list add address=0.0.0.0/0 list=LAN-IP
/ip firewall address-list add address=10.10.10.0/24 list=local_network
/ip firewall filter add action=accept chain=input comment="Allow WinBox from Ubuntu PC" dst-port=8291 in-interface=wireguard1 protocol=tcp src-address=10.149.189.5
/ip firewall filter add action=accept chain=input comment="Allow WinBox from iPhone" dst-port=8291 in-interface=wireguard1 protocol=tcp src-address=10.149.189.2
/ip firewall filter add action=accept chain=input comment="Allow Web Interface" dst-port=80 in-interface=wireguard1 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="Allow WG to LAN" in-interface=wireguard1 out-interface=bridge1
/ip firewall filter add action=accept chain=forward comment="Allow LAN to WG" in-interface=bridge1 out-interface=wireguard1
/ip firewall mangle add action=change-ttl chain=prerouting in-interface=wlan1 new-ttl=increment:14 passthrough=yes protocol=!icmp
/ip firewall mangle add action=accept chain=prerouting dst-address-list=local_network
/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=to_vpn passthrough=yes src-address-list=local_network
/ip firewall mangle add action=accept chain=output dst-address-list=local_network
/ip firewall mangle add action=mark-routing chain=output new-routing-mark=to_vpn passthrough=yes src-address-list=local_network
/ip firewall nat add action=masquerade chain=srcnat out-interface=wlan1
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
/ip firewall nat add action=masquerade chain=srcnat out-interface=wireguard1
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.20.8.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to_vpn scope=30 suppress-hw-offload=no target-scope=10
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/system clock set time-zone-name=Africa/Kampala
/system identity set name=HomeMikrotik
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=pool.ntp.org
/system ntp client servers add address=ug.pool.ntp.org
I don’t know if the config is a gamble or whether it fits well, but I wanted to access WinBox and be able to allow the two remote WireGuard clients, 10.149.189.5 and 10.149.189.2, to communicate with the devices on the MikroTik 10.10.10.0/24 network, as I wanted to experiment with casting remotely to see if that would work out, but I also needed to access my WinBox remotely.
The problem is that the current setup isn’t working. I am able to ping the WireGuard address 10.149.189.4 (MikroTik) from my Ubuntu PC remotely, but I can’t ping any WireGuard client from my MikroTik, which makes the problem worse, so to say.
Not sure anyone gets my point but I’d be glad if I could solve this.
NOTES:
My ISP source is wlan1 with the IP 172.20.8.1, with a TTL modification to increase the incoming TTL=1 traffic; the virtual wlan2 serves my 10.10.10.0/24 for the devices.
Eth1 reserved.
Thank you
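An added example, not part of the post above: a small Python audit of the /ip firewall filter section of a RouterOS export like the one shown. RouterOS accepts any packet that matches no filter rule, so the "Allow WinBox from ..." accept rules in the post restrict nothing until a terminating drop follows them; the script parses the export, reports such chains, and prints the standard guard lines a defender would append. The excerpt embedded below is constructed from the post's filter rules.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the post's RouterOS 7 export (filter rules only).
EXPORT = """\
/ip firewall filter add action=accept chain=input comment="Allow WinBox from Ubuntu PC" dst-port=8291 in-interface=wireguard1 protocol=tcp src-address=10.149.189.5
/ip firewall filter add action=accept chain=input comment="Allow WinBox from iPhone" dst-port=8291 in-interface=wireguard1 protocol=tcp src-address=10.149.189.2
/ip firewall filter add action=accept chain=input comment="Allow Web Interface" dst-port=80 in-interface=wireguard1 protocol=tcp
/ip firewall filter add action=accept chain=forward comment="Allow WG to LAN" in-interface=wireguard1 out-interface=bridge1
/ip firewall filter add action=accept chain=forward comment="Allow LAN to WG" in-interface=bridge1 out-interface=wireguard1
"""

PREFIX = "/ip firewall filter add "
# key=value tokens; values may be double-quoted and contain spaces (e.g. comment="...")
TOKEN = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_filter_rules(export: str) -> list[dict]:
    """Return every /ip firewall filter rule in the export as a key -> value dict."""
    rules = []
    for line in export.splitlines():
        if line.startswith(PREFIX):
            rules.append({k: v.strip('"') for k, v in TOKEN.findall(line[len(PREFIX):])})
    return rules


def unguarded_chains(rules: list[dict]) -> list[str]:
    """Chains that hold accept rules but no drop/reject rule.

    Because an unmatched packet is accepted, the accepts in such a chain do not
    limit access at all: e.g. WinBox (8291) stays reachable from the WAN side too.
    """
    actions = defaultdict(set)
    for r in rules:
        actions[r.get("chain", "")].add(r.get("action", ""))
    return sorted(c for c, a in actions.items() if "accept" in a and not a & {"drop", "reject"})


def guard_lines(chain: str) -> list[str]:
    """RouterOS lines to append AFTER the existing accepts of a chain: keep
    established/related flows, then drop everything the earlier rules did not allow."""
    return [
        f"{PREFIX}action=accept chain={chain} connection-state=established,related",
        f"{PREFIX}action=drop chain={chain} comment=\"drop everything else\"",
    ]


if __name__ == "__main__":
    for chain in unguarded_chains(parse_filter_rules(EXPORT)):
        print(f"chain {chain!r} has no terminating drop; suggested additions:")
        print("\n".join(guard_lines(chain)))
```

Rule order matters in RouterOS: the guard lines go after the existing accept rules, and the input chain must keep an accept for the LAN side (bridge1) before the final drop so local management is not locked out.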