Wireguard with relay

Hi all
I have a Mikrotik router behind Starlink, so behind CGNAT. I want to connect to it from a Windows machine for monitoring and administration. I planned to do this by using WireGuard and its ability to run behind a NAT while using a relay.
So far, I have not been able to find any document or site that would describe the manual installation in detail…
Any good advice is welcome…

Thanks

Just in case - if you activate the bypass mode on Starlink, you get a static global /56 on the LAN side of the Starlink dish (in addition to the CGNAT IP address).

But assuming you have your reasons to stick with IPv4, if by “relay” you mean a device on a public address that both the peers behind NAT use as a proxy of each other whilst the relay device is not a WireGuard peer itself, you can set this up manually e.g. the following way on a CHR (but you can do a similar thing using some Linux VM):

# Loopback pair: two IPIP tunnels between two local addresses, so that traffic
# can be routed "out" of one tunnel and back "in" through the other without leaving the CHR
/interface bridge add name=br-lo
/ip address add interface=br-lo address=127.0.1.1/32
/interface ipip
add name=ipip-win2tik local-address=127.0.0.1 remote-address=127.0.1.1 !keepalive
add name=ipip-tik2win local-address=127.0.1.1 remote-address=127.0.0.1 !keepalive
/ip address
add interface=ipip-win2tik address=10.0.0.1/32 network=10.0.0.2
add interface=ipip-tik2win address=10.0.0.2/32 network=10.0.0.1
/ip firewall nat
# The Windows PC sends to the relay's public IP on UDP 22222, the Mikrotik on UDP 11111
add chain=dstnat in-interface-list=WAN protocol=udp dst-port=22222 action=dst-nat to-addresses=10.0.0.2 to-ports=13231
add chain=dstnat in-interface-list=WAN protocol=udp dst-port=11111 action=dst-nat to-addresses=10.0.0.1 to-ports=13231
# Fix the source address and port of the traffic entering each tunnel
add chain=srcnat out-interface=ipip-win2tik protocol=udp action=src-nat to-addresses=10.0.0.1 to-ports=13231
add chain=srcnat out-interface=ipip-tik2win protocol=udp action=src-nat to-addresses=10.0.0.2 to-ports=13231

The above are the configuration items required to provide the relay functionality. You have to take care about integrating them into the existing configuration of the VM and/or add some firewall functionality if you create the VM from scratch.

On the Windows PC, you configure the public IP of the CHR as the endpoint address and 22222 as the endpoint port; on the Mikrotik connected using Starlink, you configure also the public IP of the CHR as the endpoint address but 11111 as the endpoint port.
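The WireGuard side of the Mikrotik behind Starlink, matching the relay described above, as an added example that is not part of the original post. Assumed values: relay public IP 203.0.113.10, tunnel subnet 192.168.77.0/24 (router .1, Windows PC .2), listen port 13231 as in the dst-nat rules above, and placeholder keys; generate your own key pair on each end.

```routeros
# Added example, not from the original post. Assumed values: relay public IP
# 203.0.113.10, tunnel subnet 192.168.77.0/24 (router .1, Windows PC .2),
# listen port 13231, placeholder keys.
/interface wireguard
add name=wg-admin listen-port=13231 private-key="<router-private-key>"
/ip address
add interface=wg-admin address=192.168.77.1/24
/interface wireguard peers
# The router must keep sending through the relay: the relay only forwards
# UDP 11111 -> 10.0.0.1:13231 for a flow that already exists in its NAT table,
# so a persistent keepalive on both peers is what keeps the mapping alive.
add interface=wg-admin public-key="<windows-public-key>" \
    endpoint-address=203.0.113.10 endpoint-port=11111 \
    allowed-address=192.168.77.2/32 persistent-keepalive=25s
/ip firewall filter
# Accept the WireGuard handshake on the WAN side, then let only the admin PC's
# tunnel address reach management services; place these above the generic drop rules.
add chain=input protocol=udp dst-port=13231 action=accept comment="WireGuard from relay"
add chain=input in-interface=wg-admin src-address=192.168.77.2 protocol=tcp dst-port=22,443,8291 action=accept comment="admin over WireGuard"
add chain=input in-interface=wg-admin action=drop comment="nothing else from the tunnel"
```

On the Windows side the corresponding tunnel file carries the mirror image: `Address = 192.168.77.2/24`, `Endpoint = 203.0.113.10:22222`, `AllowedIPs = 192.168.77.1/32` and `PersistentKeepalive = 25`, with the router's public key as the peer. Keeping `allowed-address` / `AllowedIPs` to a single host address on both ends means that even if the relay operator rewrites packets, only traffic cryptographically bound to the other peer's key is accepted, and only for that one tunnel address.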

You can use the back to home functionality for exactly this purpose (WireGuard via relay)

See the following documentation for installation instructions:

https://help.mikrotik.com/docs/display/ROS/Back+To+Home


If the VPN server (your home router) has a public IP address, the VPN app will create a direct VPN connection between the phone and the router. However, if the router is not directly reachable from the internet, the connection will be made through the MikroTik relay servers. The connection is always end-to-end encrypted, the relay server or any other device does not have access to the encryption keys, in essence, the relay only helps your device to reach the router. The connection will appear as going out from your router, not from the relay. In case of going through relay, speed could be limited.

Hi,
BTH, as far as I can see, is intended for connecting Android devices and has specific requirements, namely, in order to configure it, I have to be in the same location (network) with the smartphone as the router and so on…
I’m miles away from the router and I want to make the same as BTH, but on Windows and without any wizards, so by directly typing the configuration parameters…


No problem, check the following section:

https://help.mikrotik.com/docs/display/ROS/Back+To+Home#BackToHome-ConfiguringBTHmanuallyinRouterOS(optional,ifnosmartphoneisavailabletoyou)


Configuring BTH manually in RouterOS (optional, if no smartphone is available to you)

  1. Connect to router
  2. Enable DDNS Cloud service: /ip/cloud/set ddns-enabled=yes
  3. Enable Back To Home: /ip/cloud/set back-to-home-vpn=enabled
  4. Print tunnel configuration: /ip/cloud/print
  5. Scan QR Code (vpn-wireguard-client-config-qrcode) or Copy config (vpn-wireguard-client-config) and enter in preferred WireGuard® client. Only one client at a time will be available to use this config.

YES, you are absolutely right!!
I didn’t notice that the configuration for the windows WG client is automatically generated.
This works great like all the other WG variants, but it has produced some other issues.
IP cloud works on all routers and BTH only on ARM processors?!?
I don’t know the mechanism that does it, but it seems to me that it should be similar in both variants. That part, of course like the IP cloud, is done by the router and it is up to the user to enable it or not.
So far my problem has been successfully solved, but I would like to read more about this above..
Thanks for the slap that got me back on track… :smiley:



Yes, I wanted to solve it this way because it will also solve all other situations where I have CGNAT, but I didn’t know about this bypass on Starlink.
Thanks