Hello everyone…
I'm new to configuration and to working with MikroTik routers, so I need help and advice about how to configure WireGuard VPN, how to open ports, and how to configure the firewall and NAT.
I know that is a lot. I watched a few YouTube videos on how to configure WireGuard, so I did some config.
I don't have a picture of my network, but it is like this.
I have a LAN with a few subnets, 192.168.2.0/24 and 192.168.9.0/24. I have everything connected to a proxy on IP 192.168.9.7, which goes to the internet over a public IP address.
I put the IP address of the MikroTik router as 192.168.2.50/24.
This MikroTik should be my VPN connection on the same network, from the second public IP address.
My second public IP address is 193.X.X.X.
I opened a WG interface with IP 192.168.3.2/24.
When I try to make a connection from the laptop to the WG interface I don't get any handshake and can't ping anything. I can't even ping the WG interface… so I know that something is wrong.
The error is "Handshake for peer ( 193.X.X.X:13231 ) did not complete. sending handshake to peer…" and so on, all over again.
I opened two WG peers… one should be for the administrator, for me, and I should see everything on the LAN (from outside) inside my network (I connect to users' computers over VNC port 5900, and to servers over RDC); the second peer should be just for connecting VPN users to the server over RDC.
I read it, but I think I didn't make good firewall rules and NAT.
When I connect I see Rx packets on the interface but not Tx,
so I think I didn't set up the port forwarding or something on the firewall correctly. I don't see it, so I need help, guys…
Because of that I think I can't get a handshake between the WireGuard VPN and the laptop.
I followed you until you used the word proxy, which is like saying xllcinnoinoinkltjeodcoc to me.
Do you or do you not have a public IP address on the WAN side?
Do you have two ISPs, two WAN connections?
Does your MT act as the WG server for the initial handshake, or are you connecting to an external WG instance?
What is the purpose of your WG connections?
Draw a diagram as your explanation is too confusing. We are not inside your head nor familiar with the network. “This mikrotik shoud be my VPN connecion on the same network from second public ip address.” ???
In terms of requirements, you need to explain, without any config talk or network talk:
a. identify the user(s)/device(s) or groups of users/devices that will be using the MT
b. identify the traffic flows they require, including the admin.
Yes, I have the possibility of 6 WAN connections (6 public IP addresses). For the company we are using 1 at a time for internet, mail…
In the MT config I sent to you I made a virtual WireGuard interface with 2 peers on the MT (one for me, the administrator, and the second for a user)… I was hoping that I had made a server, and I put IP address 192.168.3.2/24 on the WG interface. I thought that was the config for a WG server.
My purpose for the VPN is to manage (I'm the IT administrator), to do some work from home and not use TeamViewer or AnyDesk, and for my users who need to do some analytics on the servers I want to make a better way to do their jobs.
Skip my explanation of the proxy and my network, which is working very well now, and I'm sorry if I jdksghsdjkhsdjkfhsdjk you.
Let's do the MT config.
I hope the picture will show what I want to do with the MT and the VPN.
a. The primary router is not MT, and your subnet behind that consists of a bunch of PCs and an MT device acting as a router (its LAN IP on the ISP router is the WAN IP of the MT device as well).
b. The purpose of installing the router there is to gain access to the ISP router for config purposes? To gain access to the PCs behind the ISP router?
c. What I don't understand is why you don't put the second IP on the ISP router as well and then simply forward the listening port to the MT router. It just seems weird to me to have a second ISP going to the separate MT device solely for the purpose of establishing a tunnel and not providing some benefit to the main network??
In other words, something doesn't seem right in this setup?
Why not replace the ISP router with the MT router??
The primary router is a Cisco given to us by the ISP from a higher level of our company.
I'm a system administrator and I want to get access to my network from outside… for configuration, for helping users, all the work I do at work… but I'm the only administrator in our company, so I do work from home too.
I installed the MT router because I'm sick of paying licences for AnyDesk or TeamViewer… they are getting expensive… and the company doesn't want to pay for it… so I'm thinking of getting a solution for free if I have an MT router, which at this point isn't connected to anything… for my purpose and the purpose of a few users, a VPN should be fine… I think… so the VPN purpose is for me to gain access to the whole network behind the MT router: to our servers, PCs, switches… all other devices.
I think that the Cisco router (old, cca. 10 years) doesn't have what it takes to make a VPN. I would have to install some kind of VPN application or a VPN server on a server, or something like that, if I wanted to port forward to it. I think the simple solution is the MT.
Every port on the Cisco where I have those 6 public IP addresses has very good speed, and they don't interact with each other, so I thought a VPN over the MT should be good… if I manage to configure that.
I can have benefits from a second router, but the problem is that all internet goes over fibre and over one ISP, so… if they break cables or make some mess… we lose all 6 public IP addresses. If we could buy a second, separate ISP, then I could route my whole network from one ISP to the other if I have some problems with the first ISP. Like I said… my company doesn't want that.
So my idea was making a VPN from the second router, the MT, to my network, if it is possible.
Well, it should be possible, so this is an interesting scenario!!
One issue I see off the bat is:
→ even though we can WireGuard easily into the MikroTik router and ATTEMPT to access the various subnets on the Cisco, success will certainly depend on your ability to configure the Cisco for firewall rules.
There will be no way for remote users to access all the subnets unless the Cisco allows that access??
So how much control do you have to allow such traffic!!
I can do static routes on the Cisco…
With the MT configuration I made and the routes, I can connect to and ping the MT from anywhere…
The problem is I don't know if I made the WG server correctly… I don't know how to port forward… 13231 to the WG server… this is for a start… after I connect and the VPN starts working we can do the problems one by one…
Thx Anav for spending time on me.
Okay, let's set up the MT as a router.
Subnet 192.168.40.0/24 (just to have a subnet behind the router that is unique, in case you need one)
Let's set up WireGuard as subnet 10.10.40.0/24
MT router has either two WANs:
Ether1 to ISP2, as you indicated was available.
Ether2 to the Cisco router, and the MT's WAN IP is also its statically assigned LAN IP on the Cisco subnet 192.168.2.X
OR (what we will try)
MT router has one WAN:
Ether1 to ISP2, as you indicated was available.
Ether2 is a port and possibly a VLAN; basically, assign the static IP address to the interface.
Note 1: I changed the WireGuard subnet to be distinct from all other subnets for clarity and to be able to make routes easier (see note 2).
Note 2: I described the route to ALL the subnets on the Cisco on one line, as 192.168.0.0/20 covers 192.168.0.1-192.168.15.254 (and thus the WireGuard subnet was moved so as NOT to fall into this convenient rule).
Note 3: There is an issue on IP route for the actual ISP connection on the MT. You have an IP address for the ISP but you also have IP DHCP client enabled; it's one or the other.
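The layout Anav describes, written out as RouterOS commands (an added example, not config posted by anyone in the thread). It assumes ether1 is the WAN to ISP2 (public 193.X.X.X), ether2 carries the static 192.168.2.50/24 on the Cisco side with the Cisco gateway at 192.168.2.1, RDC means TCP 3389, and the laptop public keys and tunnel IPs are placeholders; it also shows why no dst-nat port forward is needed: WireGuard terminates on the router itself, so UDP 13231 is opened in the input chain.

```routeros
# Added example, not Anav's or the OP's posted config. Layout from the thread:
# ether1 = WAN to ISP2 (193.X.X.X), ether2 = static 192.168.2.50/24 on the Cisco LAN,
# LAN behind the MT 192.168.40.0/24, WireGuard 10.10.40.0/24. Assumed/placeholder values:
# Cisco gateway 192.168.2.1, the peer public keys, tunnel IPs 10.10.40.2/.3, RDC = TCP 3389.

# The WireGuard interface is the "server": it listens on UDP 13231 on the router itself.
# RouterOS generates the private key when none is given; read it with /interface wireguard print.
/interface wireguard
add name=wireguard1 listen-port=13231 comment="Interface WireGuard"

/ip address
add address=10.10.40.1/24 interface=wireguard1 comment="WG subnet, kept outside 192.168.0.0/20"
add address=192.168.2.50/24 interface=ether2 comment="static IP on the Cisco LAN"

# One peer per laptop. allowed-address is the tunnel IP that laptop may use; no endpoint is
# set here because the laptops initiate the handshake toward 193.X.X.X:13231.
/interface wireguard peers
add interface=wireguard1 public-key="<ADMIN_LAPTOP_PUBLIC_KEY>" allowed-address=10.10.40.2/32 comment="admin"
add interface=wireguard1 public-key="<USER_LAPTOP_PUBLIC_KEY>" allowed-address=10.10.40.3/32 comment="RDC user"

# The WAN and LAN lists exist in the default config; wireguard1 goes in LAN (Anav's point 2).
/interface list member
add interface=ether1 list=WAN
add interface=wireguard1 list=LAN

# No dst-nat "port forward" is needed: WireGuard terminates on the router, so the handshake
# only needs an input-chain accept for UDP 13231 that sits above the final drop.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="WireGuard handshake"
add chain=input action=accept in-interface-list=LAN comment="router services from LAN and tunnel"
add chain=input action=drop comment="everything else to the router"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept src-address=10.10.40.2 comment="admin: anything behind the MT"
add chain=forward action=accept src-address=10.10.40.3 protocol=tcp dst-port=3389 comment="user: RDP only"
add chain=forward action=drop in-interface=wireguard1 comment="no other traffic out of the tunnel"

# Note 2: one route covers every Cisco-side subnet. The Cisco (or each host) still needs a
# return route for 10.10.40.0/24 via 192.168.2.50; masquerading on ether2 avoids that.
/ip route
add dst-address=192.168.0.0/20 gateway=192.168.2.1
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether2 src-address=10.10.40.0/24
```

After a laptop connects, /interface wireguard peers print shows a last-handshake time for that peer; if it stays empty while the input rule for UDP 13231 counts no packets, the traffic is not reaching the router on that port.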
Anav, it doesn't work.
On the laptop I'm still getting the error and the problem with the handshake… I restarted the MT and it's still the same:
handshake for peer 1 (193.x.x.x:13231) did not complete after 5 sec
sending handshake initiation to peer 1
and again the same error, a problem with the handshake.
Should I port forward the WAN public IP address to the WG server, or does the MT do this automatically when the WAN port sees some traffic on port 13231?
(1) You can remove these from the interface list, as they are covered by the fact you have the bridge listed as LAN interface:
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
(2) Since this is a WireGuard server for incoming folks,
suggest you change this to LAN: add comment="Interface WireGuard" interface=wireguard1 list=WAN
It will have more utility in firewall rules!
(3) Your firewall rules are not grouped together, which makes them harder to read and to see where issues may be…!!!
They are also on the sparse side… suggest.
The only thing I would consider doing differently from the above is to limit who can configure the router.
Right now all the LAN can access the router services, including configuration. In reality only the admin needs full access, so we can accomplish that with the following /ip firewall address-list (using statically set leases):
add address=192.168.88.X list=Authorized comment="admin desktop"
add address=192.168.88.Y list=Authorized comment="admin laptop wired"
add address=192.168.88.Z list=Authorized comment="admin ipad/smartphone wifi"
add address=10.10.10.2/32 list=Authorized comment="remote admin wg IP"
etc…
Then change add action=accept chain=input in-interface-list=LAN TO: