Wireguard Road Warrior Hotspot

I was looking to set up a MikroTik Wi-Fi router to hook up to the Wi-Fi at a motel, VPN with WireGuard to home, then broadcast that internet back out on Wi-Fi.

I can easily connect to the motel 2.4 GHz Wi-Fi; it has no encryption. I get 192.168.3.x.

I can easily set up the WireGuard VPN to reach the home router.

I also set up a DHCP server and 5 GHz Wi-Fi on the router to use remotely, using 192.168.80.0/24.

How do I force all the traffic on the 5 GHz remote Wi-Fi to masquerade/route through the WireGuard VPN rather than the motel Wi-Fi? Basically, force the whole 192.168.80.0/24 subnet to masquerade through the WireGuard interface. I assume this must be done through mangle, routing tables and routing rules; I was just looking for a simpler way?

I am looking to do the same. Rather than start a new thread, I am adding my question as a comment.

BTW, I think that the following thread title would describe it better: “How to configure a RoadWarrior Wireguard Hotspot with RouterOS 7.15”

This was my starting point:

I have a hAP AX2 running 7.15. I have a Wireguard tunnel set up between this hAP AX2 & my home RB5009. Wireguard works as expected. My issue is routing all traffic from the hAP AX2 through the Wireguard interface. The hAP AX2 is connected to the hotel’s network via ethernet. eth1 uses dhcp-client which automatically assigns the following dynamic route:

DAd   dst-address=0.0.0.0/0 routing-table=main gateway=172.22.27.254 immediate-gw=172.22.27.254%ether1 distance=1 scope=30 target-scope=10 vrf-interface=ether1 suppress-hw-offload=no

The dynamic route mentioned above takes precedence over the following static route:

As   dst-address=0.0.0.0/0 routing-table=WG-WAN1 gateway=WG-WAN1 immediate-gw=WG-WAN1 distance=1 scope=30 target-scope=10 suppress-hw-offload=no

If there is a way to disable adding a default route when using dhcp-client, I couldn’t find how. I also couldn’t find anywhere how to change the default route distance. FWIW:

 1 D ;;; internet detect
     interface=ether1 add-default-route=yes default-route-distance=1 use-peer-dns=yes use-peer-ntp=yes dhcp-options=hostname,clientid status=bound address=172.22.27.250/24 gateway=172.22.27.254 dhcp-server=172.22.27.254 primary-dns=8.8.8.8
     secondary-dns=9.9.9.9 expires-after=6h22m13s
[admin@MikroTik.hAP.ax2] > /ip/dhcp-client/set default-route-distance=2 numbers=1
failure: can't edit dynamic object

Does someone know what is the correct approach here? Thank you!

For the dhcp-client options

/ip/dhcp-client/
set 0 default-route-distance=1
set 0 add-default-route=yes

There are plenty of WireGuard road warrior examples using iOS and Android, and I have done that already; I just cannot find any that create a Wi-Fi access point of the VPN.

This is easy peasy.
I would rather get wired connectivity on the router if possible but understand you are limited.
On the Mikrotik TWO VLANS
One vlan is for a local port going out hotel wifi internet
One vlan is for other ports going out home internet AND 5ghz wifi.
Do config from off bridge port once set up. Set up PC ipv4 settings to 192.168.55.2 and you're in.


serial number = ***

/interface bridge
add name=bridge vlan-filtering=no
{ change to yes at end of config }

/interface wireguard
add name=wireguardHotel mtu=1420 listen-port=XXXXX
does not have to be same as home setting.

/interface ethernet
set [ find default-name=ether1 ] name=wan1 disabled=yes { enable if using for wired input from hotel }
set [ find default-name=ether2 ] name=localPort2
set [ find default-name=ether3 ] name=homePort3
set [ find default-name=ether4 ] name=homePort4
set [ find default-name=ether5 ] name=OffBridge5

/interface vlan
add interface=bridge name=vlanLocal vlan-id=5
add interface=bridge name=vlanHome vlan-id=10

/interface list
add name=WAN
add name=LAN
add name=TRUSTED

/interface wireless
SETUP AS REQUIRED
2GHZ for WAN connectivity
5GHZ for normal AP type activity.

/ip pool
add name=dhcp_pool5 ranges=192.168.5.11-192.168.5.254
add name=dhcp_pool10 ranges=192.168.10.11-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool5 interface=vlanLocal name=dhcp5
add address-pool=dhcp_pool10 interface=vlanHome name=dhcp10
{ the DHCP servers bind to the VLAN interfaces that carry the IP addresses, not to the bare bridge }
/routing table
add disabled=no fib name=via-home

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
interface=localPort2 pvid=5
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
interface=homePort3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
interface=homePort4 pvid=10

add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
interface=5GHzwifiName pvid=10

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=localPort2 vlan-ids=5
add bridge=bridge tagged=bridge untagged=homePort3,homePort4,5GHzwifiName vlan-ids=10

/interface list member
add interface=2GHzwifiName list=WAN
add interface=wan1 list=WAN disabled=yes
{ enable if connecting wired to hotel }
add interface=vlanLocal list=LAN
add interface=vlanHome list=LAN
add interface=vlanHome list=TRUSTED
add interface=OffBridge5 list=TRUSTED

/ip address
add address=192.168.5.1/24 interface=vlanLocal network=192.168.5.0
add address=192.168.10.1/24 interface=vlanHome network=192.168.10.0
add address=10.10.20.2/24 interface=wireguardHotel network=10.10.20.0

/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguardHotel endpoint-address=mynetnameHomeMT.net
endpoint-port=ABCDE public-key="......." persistent-keepalive=35s
{ 0.0.0.0/0 so internet-bound traffic from the home subnet is accepted into the tunnel }

/ip dhcp-server network
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.10.0/24 dns-server=10.10.20.1 gateway=192.168.10.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dhcp-client
add interface=wan1 use-peer-dns=no add-default-route=yes disabled=yes
{ enable if wired connection to Hotel }
add interface=2GHzwifiName use-peer-dns=no add-default-route=yes

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="users to services" dst-port=53
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
{ put this rule in last }
+++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment="users to home internet" src-address=192.168.10.0/24 out-interface=wireguardHotel
add action=accept chain=forward comment="local internet" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dstnat chain=dstnat src-address=192.168.10.0/24 dst-port=53 protocol=udp to-address=10.10.20.1
add action=dstnat chain=dstnat src-address=192.168.10.0/24 dst-port=53 protocol=tcp to-address=10.10.20.1

/ip route
add dst-address=0.0.0.0/0 gateway=wireguardHotel routing-table=via-home

/routing rule
add action=lookup-only-in-table src-address=192.168.10.0/24 table=via-home

{ if you want local access if tunnel is not working change action to simply: lookup }
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

any questions???

Thank you for the quick reply! The following does not work for me:

/ip/dhcp-client/
set 1 default-route-distance=2
failure: can't edit dynamic object

As I mentioned in my previous comment, this is a dynamic route which gets created automatically when the interface gets assigned an IP via DHCP. This dynamic route cannot be edited. I couldn’t find how to:

  • disable default route addition when using dhcp-client
  • set a default route distance for all routes that get created via dhcp-client, including all future routes

I think that my use case is the same as yours since I am connecting all my devices to my travel router (hAP AX2) which in turn connects via WireGuard to RB5009. The only difference is that I am currently using hAP AX2 ethernet1 to plug into the hotel’s Ruckus H320 AP, which is not an option in all places. The 2GHz client is my fallback mechanism.

I got the first part solved: Wireguard is OK, all devices connect to hAP AX2 5GHz network & they are able to access all devices on the network run by RB5009.

The part which I was not yet able to figure out is how to configure all traffic to route through the Wireguard connection. I think that I am making progress since setting the following changes the behaviour, but not in a way that I expect it to.

The routes look right now:

[admin@MikroTik.hAP.ax2] /ip/dhcp-client> /ip/route/print detail
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H - hw-offloaded; + - ecmp
 0  As + dst-address=0.0.0.0/0 routing-table=main gateway=WG-WAN1 immediate-gw=WG-WAN1 distance=1 scope=30 target-scope=10 suppress-hw-offload=no

   DAd + dst-address=0.0.0.0/0 routing-table=main gateway=172.22.27.254 immediate-gw=172.22.27.254%ether1 distance=1 scope=30 target-scope=10 vrf-interface=ether1 suppress-hw-offload=no

   DAc   dst-address=10.24.6.0/24 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10 suppress-hw-offload=no local-address=10.24.6.1%bridge

   DAc   dst-address=10.222.2.0/24 routing-table=main gateway=WG-WAN1 immediate-gw=WG-WAN1 distance=0 scope=10 suppress-hw-offload=no local-address=10.222.2.2%WG-WAN1

   DAc   dst-address=172.22.27.0/24 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no local-address=172.22.27.250%ether1

 1  As   dst-address=192.168.1.0/24 routing-table=main gateway=WG-WAN1 immediate-gw=WG-WAN1 distance=2 scope=30 target-scope=10 suppress-hw-offload=no

 2  As   dst-address=192.168.88.0/24 routing-table=main gateway=WG-WAN1 immediate-gw=WG-WAN1 distance=2 scope=30 target-scope=10 suppress-hw-offload=no

 3  As   dst-address=192.168.99.0/24 routing-table=main gateway=WG-WAN1 immediate-gw=WG-WAN1 distance=2 scope=30 target-scope=10 suppress-hw-offload=no

I would expect this to work, but it doesn’t:

[admin@MikroTik.hAP.ax2] /ip/dhcp-client> /tool/traceroute address=8.8.8.8
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV, STATUS
#  ADDRESS     LOSS  SENT  LAST   AVG  BEST  WORST  STD-DEV  STATUS
1  10.222.2.2  0%       4  0.2ms  0.2  0.1   0.2    0.1      host unreachable from 10.222.2.2
2              0%       0  0ms

What am I missing?

You need to post your complete config for any feedback.

/export file=anythingyouwish (minus router serial number, any public WANIP information, keys etc.)

IP DHCP client is not that complicated, no need to do anything overly fancy…


You don't want to set anything in terms of route distances or the like; keep it simple.
We are using routing rules to move traffic to wireguard.

Thank you @anav, your replies helped me figure out my issue.

I got too hung up on the automatic dhcp-client config. As soon as I configured this explicitly, I was able to configure my default route. The only other thing that I needed to do was to add an explicit route for the WireGuard endpoint, so that the default route would work correctly, i.e.:

/ip/route

add comment="update this to the DHCP gateway" disabled=no distance=1 \
    dst-address=195.144.8.28/32 gateway=192.168.99.1 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WG-WAN1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Here is a high-level summary of the steps required to get this working with a wired connection to the hotel’s access point:

  1. Configure WireGuard
  2. Configure 5GHz radio as an access point
  3. Configure ether1 dhcp-client before plugging anything in. Disable Peer DNS, Peer NTP & do not add default route.
  4. Add explicit route via DHCP gateway IP for the WireGuard public endpoint route (see config example above)
  5. Route all traffic via WireGuard interface (see config example above)

As a next step, I will configure the 2GHz radio as a client and attach that config as well in case it helps others.

The next thing on my list is to configure a slave WiFi network which is child-friendly. For me that means https://blog.cloudflare.com/introducing-1-1-1-1-for-families + WiFi scheduler.

I am attaching a trimmed export file=wireguard-roadwarrior-wired-hotspot.rsc. That’s the simplest config that I managed to pull off. Do you see anything in the attached config @anav that could be improved?

# 2024-07-28 20:45:48 by RouterOS 7.15.3
/interface bridge
add admin-mac=78:9A:18:2A:55:55 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-WAN1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add channel.band=5ghz-ax .width=20/40/80mhz country="United Kingdom" \
    disabled=no mode=ap name=hax2-5GHz-AX security.authentication-types="" \
    ssid=home
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=all configuration=\
    hax2-5GHz-AX configuration.mode=ap datapath.bridge=bridge disabled=no \
    name=5GHz security.authentication-types=wpa2-psk,wpa3-psk \
    .connect-priority=0
/ip pool
add name=dhcp ranges=10.24.6.10-10.24.6.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=12h name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=5GHz internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
/interface wireguard peers
add allowed-address=\
    10.222.2.1/32,0.0.0.0/0 \
    comment="https://www.youtube.com/watch\?v=P6f8Qc4EItc" endpoint-address=\
    195... endpoint-port=13231 interface=WG-WAN1 name=rb5009 \
    persistent-keepalive=25s public-key="rX...="
/ip address
add address=10.24.6.1/24 comment=defconf interface=bridge network=10.24.6.0
add address=10.222.2.2/24 interface=WG-WAN1 network=10.222.2.0
/ip dhcp-client
add add-default-route=no interface=ether1
/ip dhcp-server network
add address=10.24.6.0/24 comment=defconf dns-server=10.24.6.1 gateway=\
    10.24.6.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.24.6.1 comment=defconf name=hax2
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WG-WAN1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="update this to the DHCP gateway" disabled=no distance=1 \
    dst-address=195.../32 gateway=192.168.99.1 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/London
/system identity
set name=MikroTik.hAP.ax2
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
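The summary above leaves step 4 as a manual chore: the endpoint /32 route carries the comment "update this to the DHCP gateway", so it breaks as soon as a different hotel hands out a different gateway. As an added example (not part of the poster's export or the project's own code), the fragment below keeps that /32 in step with the lease by using the dhcp-client script hook, which exposes $bound and $"gateway-address" to the script. Assumptions: the tunnel interface is WG-WAN1 as in the export, ether1 is the hotel uplink, the endpoint address is the placeholder 203.0.113.10 (RFC 5737 documentation range; the real one is redacted in the thread), and the route is tagged with the comment wg-endpoint so the script can find it.

```routeros
# Added example, not the poster's configuration.
# Placeholder: 203.0.113.10 stands in for the redacted WireGuard endpoint address.

# 1. Uplink: no DHCP default route, no peer DNS/NTP. The script runs on every lease
#    event; on bind it rewrites the endpoint route's gateway to the lease's gateway.
/ip dhcp-client
add interface=ether1 add-default-route=no use-peer-dns=no use-peer-ntp=no \
    script=":if (\$bound=1) do={ /ip route set [find comment=\"wg-endpoint\"] gateway=\$\"gateway-address\"; :log info (\"wg-endpoint route now via \" . \$\"gateway-address\") }"

# 2. Routes: only the endpoint /32 leaves via the hotel gateway; everything else
#    enters the tunnel. The gateway below is a bootstrap value that the script
#    overwrites on the first lease.
/ip route
add comment="wg-endpoint" dst-address=203.0.113.10/32 gateway=192.168.99.1 distance=1
add dst-address=0.0.0.0/0 gateway=WG-WAN1 distance=1

# 3. Put the tunnel in the WAN list. The export's WAN list has no members, so its
#    "defconf: masquerade" srcnat rule currently matches nothing; with the tunnel
#    in WAN, LAN clients leave as the tunnel address and the "drop all from WAN
#    not DSTNATed" forward rule also applies to new connections arriving from home.
/interface list member
add interface=WG-WAN1 list=WAN

# 4. Checks: the endpoint must resolve via the hotel gateway, 8.8.8.8 via WG-WAN1,
#    and the log should show the route being rewritten after each new lease.
/ip route print where comment="wg-endpoint"
/tool traceroute address=8.8.8.8 count=1
/log print where message~"wg-endpoint"
```

With this layout a tunnel outage means LAN clients lose internet rather than silently falling back to the hotel network, which is the behaviour a road-warrior hotspot should have; the first hop of the traceroute is the quick way to confirm it each time you move to a new uplink.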

Couple of comments…

  1. The allowed IPs are a bit confused.
    If you are going to visit the LAN subnets of the host router you are connecting to (presumably at home)
    then you need two things:
    a. the subnet of the wireguard link (.0/24) and the local subnets on the home router being reached, subnetA, subnetB etc.

    b. If you intend to use the internet of the home router then the ONLY entry is 0.0.0.0/0
    This also covers off the need to visit local routers.

  2. The routes are not quite there… This appears due to the fact that you didn't create a second subnet behind the router as recommended and you still have one flat subnet.
    It's not clear to me what your intentions are because the setup has become vague.

You have to decide which WAN route has priority in the main table and clearly to establish the tunnel first you need the hotel connection to be primary.
Then you have the WIREGUARD option as secondary in main. This will not work (or at least not work properly, as expected all the time).

You need to forget the wireguard and main route and add as I stated:
a. a table
b. a corresponding route using the table
c. a corresponding routing rule forcing traffic to that route/table
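Put concretely for the first poster's setup (a 5 GHz hotspot on 192.168.80.0/24 that must only ever exit through the tunnel), the three items above come to the following. This is an added example, not anav's posted config or MikroTik's own documentation; it assumes the tunnel interface is named wireguardHotel, the hotel uplinks (2 GHz client and/or ether1) are already members of the WAN interface list, and the home peer's allowed-address is 0.0.0.0/0 as point b above requires.

```routeros
# Added example, not from the thread. Assumes: wireguardHotel = tunnel interface,
# hotel uplinks already in interface list WAN, 192.168.80.0/24 = hotspot subnet.

# a. a table ("fib" so the routes in it are actually installed)
/routing table
add name=via-home fib

# b. a route in that table: default via the tunnel. The main table keeps the DHCP
#    default route untouched; that is the path the WireGuard handshake itself needs
#    to reach the home endpoint, so no endpoint /32 exception is required.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguardHotel routing-table=via-home comment="hotspot default via home"

# c. a rule: hotspot sources are looked up only in via-home. There is no fallback
#    to the hotel path when the tunnel is down (use action=lookup if you want one).
/routing rule
add src-address=192.168.80.0/24 action=lookup-only-in-table table=via-home comment="hotspot -> home"

# NAT: hotspot clients appear at home as the tunnel address, so the home peer only
# needs the travel router's tunnel /32 in allowed-address for return traffic.
/ip firewall nat
add chain=srcnat src-address=192.168.80.0/24 out-interface=wireguardHotel action=masquerade comment="hotspot via tunnel"

# Filter: belt and braces. Even if the rule is later relaxed to plain lookup, hotspot
# traffic must never reach the hotel side unencrypted. Add these after the usual
# established/related accept and before any generic "LAN to WAN" accept.
/ip firewall filter
add chain=forward src-address=192.168.80.0/24 out-interface=wireguardHotel action=accept comment="hotspot to home"
add chain=forward src-address=192.168.80.0/24 out-interface-list=WAN action=drop comment="hotspot: no leak to hotel wifi"
add chain=forward src-address=192.168.80.0/24 action=drop comment="hotspot: drop everything else"

# Checks: a trace sourced from the hotspot address must enter the tunnel first hop;
# the leak-drop counter should stay at zero while the tunnel is up.
/tool traceroute address=8.8.8.8 src-address=192.168.80.1 count=1
/ip firewall filter print stats where comment~"hotspot"
```

The routing rule is what answers the original question without touching distances or mangle; the leak-drop rule is the check that makes a misordered or later-edited rule fail closed instead of quietly sending hotspot traffic over the open motel Wi-Fi.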