[Wireguard} - Connecting router as client - [SOLVED]

RouterOS General
1

Hello everyone;

I have a router model RB941-2nD firmware 7.12.1, trying to connect to a Wireguard VPN server on AWS, however, when activating the Wireguard interface I completely lose the internet connection.

I am not an expert in networks.

I followed the following steps to configure my Mikrotik…

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet private-key=“MyPrivateKey on VPNServer”

/ip address
add address=10.7.0.2/30 interface=wireguard-inet network=10.7.0.0

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=54.xxx.xx.xx endpoint-port=xxxxx interface=wireguard-inet persistent-keepalive=25s public-key=“MyPublicKey on VPNServer”

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.7.0.1 pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/ip dns
set servers=10.7.0.1
/ip dhcp-client
set 0 use-peer-dns=no

/ip route
add disabled=no dst-address=54.xxx.xx.xx/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no

Using a Windows client for Wireguard works normally, however I would like to use the router directly, so that I can have several devices connected.
Can anyone help me?

2

In addition, here is the configuration I am using

2024-10-05 12:33:33 by RouterOS 7.12.1

software id = 9LKG-J3QY

model = RB941-2nD

serial number = xxxxxxxxx

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=“united states”
disabled=no distance=indoors frequency=auto installation=indoor mode=
ap-bridge ssid=xxxxxxxxxxxxx wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard-inet list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=54.xxx.xx.xx endpoint-port=
xxxxx interface=wireguard-inet persistent-keepalive=25s public-key=
“MyPubKey”
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.7.0.2/30 interface=wireguard-inet network=10.7.0.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.7.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=
192.168.88.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.7.0.1 pref-src=“”
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=54.xxx.xx.xx/32 gateway=192.168.15.1
routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment=“defconf: unspecified address” list=bad_ipv6
add address=::1/128 comment=“defconf: lo” list=bad_ipv6
add address=fec0::/10 comment=“defconf: site-local” list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment=“defconf: ipv4-mapped” list=bad_ipv6
add address=::/96 comment=“defconf: ipv4 compat” list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment=“defconf: documentation” list=bad_ipv6
add address=2001:10::/28 comment=“defconf: ORCHID” list=bad_ipv6
add address=3ffe::/16 comment=“defconf: 6bone” list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=input comment=“defconf: accept UDP traceroute” port=
33434-33534 protocol=udp
add action=accept chain=input comment=
“defconf: accept DHCPv6-Client prefix delegation.” dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment=“defconf: accept IKE” dst-port=500,4500
protocol=udp
add action=accept chain=input comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=input comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=input comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=input comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
add action=accept chain=forward comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop packets with bad src ipv6” src-address-list=bad_ipv6
add action=drop chain=forward comment=
“defconf: drop packets with bad dst ipv6” dst-address-list=bad_ipv6
add action=drop chain=forward comment=“defconf: rfc4890 drop hop-limit=1”
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment=“defconf: accept ICMPv6” protocol=
icmpv6
add action=accept chain=forward comment=“defconf: accept HIP” protocol=139
add action=accept chain=forward comment=“defconf: accept IKE” dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept ipsec AH” protocol=
ipsec-ah
add action=accept chain=forward comment=“defconf: accept ipsec ESP” protocol=
ipsec-esp
add action=accept chain=forward comment=
“defconf: accept all that matches ipsec policy” ipsec-policy=in,ipsec
add action=drop chain=forward comment=
“defconf: drop everything else not coming from LAN” in-interface-list=
!LAN
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

3

  1. Although not blocked I would probably add an explicit allow rule in forward chain, prior to the last rule.
    add chain=forward action=accept src-address=192.168.88.0/24 out-interface=wireguard-inert

  2. This rule is NOT required
    add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24

The reason is you already added wireguard-inert to the WAN interface list and your existing default rule thus already accomplishes the rule you created.
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN

  1. To ensure ALL your traffic goes out WIREGUARD for internet you need to
    a.. create a table
    b. create a route
    c. create a couple of routing rules.

/routing table add fib name=useWG
/ip route add dst-address=0.0.0.0/0 gateway=wireguard-inert routing-table=useWG
and
/routing rule add min-prefix=0 action=lookup-only-in-table table=main comment=“allows any local traffic to occur”
/routing rule add src-address=192.168.88.0/24 action=lookup=only-in-table table=useWG

  1. REMOVE the static IP dns rule
    /ip dns static
    add address=192.168.88.1 comment=defconf name=router.lan

  2. Change the following
    /ip dhcp-server network
    add address=192.168.88.0/24 comment=defconf dns-server=10.7.0.1 gateway=
    192.168.88.1
    /ip dns
    set servers=10.7.0.1
    and finally one still has to be able to reach the external Server via DNS so make a static DNS with forward record

/ip dns static
add address=endpoint-server_IP forward-to=8.8.8.8 name=ReachWGServer type=FWD

4

Hello

I did this procedure and lost access to the router
I tried several times to do a hard reset without success.

I appreciate your response, but I ended up giving up on this process. And I’m going to use the Wireguard client for Windows, which will partially help me.

I think MK is definitely not intended for users like me.

Cheers

5

Certainly, assumed you were doing wireguard that you already had basic MT setup and use under your belt.
Not a good plan if not had some practical experience

6

Tks anav;
I understand and appreciate your willingness to help, but I have already solved my problem.

I destroyed the device, because it was not even possible to hard reset it.
Cheap devices from shitty brands like Mikrotik deserve to be thrown in the trash.
Next time, I will buy an Asus that works perfectly.

Hugs.

7

MTs are actually very cost effective, flexible and powerful devices, just needs a brain and some patience and they work just fine.
For anybody else, aka with a lobotomy and the attention span of gnat, yes, Asus is better.

& Kisses!