Hello,
Has anyone here set up a router (mine is a hEX S) to work as a WireGuard VPN client towards the Mullvad service (https://mullvad.net) and could give me a hand with how to configure such a setup, please?
BR,
Mike
/interface wireguard
add comment=Mullvad listen-port=44875 mtu=1420 name=wg3 private-key="******************"
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Mullvad endpoint-address=************** endpoint-port=51820 interface=wg3 public-key="*******************"
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg3 pref-src="" routing-table=vrf_mullvad scope=30 suppress-hw-offload=no target-scope=10
/ip vrf
add list=vrf_mullvad name=vrf_mullvad
/interface list member
add interface=2_vlan3 list=vrf_mullvad
add interface=wg3 list=vrf_mullvad
/ip firewall nat
add action=masquerade chain=srcnat comment="Mullvad NAT" ipsec-policy=out,none out-interface=wg3
/routing rule
add action=lookup disabled=no interface=2_vlan3 table=vrf_mullvad
# 2.2.2.2 - far wg endpoint address
# 172.128.1.0/31 - wg tunnel network, local - 172.128.1.0, remote - 172.128.1.1
# 192.168.129.0/24 - local LAN subnet, 192.168.129.1/24 - local LAN bridge interface
#
/interface bridge add name=bridge-vpn
/interface wireguard add listen-port=7887 mtu=1420 name=wg0 private-key="BlaBlaBla1"
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=2.2.2.2 endpoint-port=7887 interface=wg0 public-key="BlaBlaBla2"
#
/ip address add address=192.168.129.1/24 interface=bridge-vpn network=192.168.129.0
/ip address add address=172.128.1.0/31 interface=wg0 network=172.128.1.0
#
/interface list add name=VPN-rm
/interface list member add interface=bridge-vpn list=VPN-rm
/interface list member add interface=wg0 list=VPN-rm
#
/ip vrf add list=VPN-rm name=VPN-rm
#
/ip route add dst-address=0.0.0.0/0 gateway=wg0@VPN-rm routing-table=VPN-rm
# The following does not work when using a /31 network for the wg tunnel
# https://forum.mikrotik.com/viewtopic.php?t=93746
#/ip route add dst-address=0.0.0.0/0 gateway=172.128.1.1@VPN-rm routing-table=VPN-rm
#
/routing rule add action=lookup-only-in-table dst-address=0.0.0.0/0 interface=bridge-vpn src-address=192.168.129.0/24 table=VPN-rm
/routing rule add action=lookup-only-in-table dst-address=192.168.129.0/24 interface=wg0 src-address=0.0.0.0/0 table=VPN-rm
#
/ip firewall mangle add action=change-mss chain=postrouting new-mss=1380 out-interface=wg0 passthrough=no protocol=tcp tcp-flags=syn
/ip firewall nat add action=masquerade chain=srcnat out-interface=wg0
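One thing worth adding to either setup is a kill switch, so that the VPN segment cannot reach the internet over the ISP uplink if the tunnel route ever disappears or a routing rule is mis-ordered (with action=lookup, a miss in the VRF table falls back to the main table). This is an added example, not part of either poster's config; it assumes the wg0 interface and 192.168.129.0/24 subnet used in the second config.

```routeros
/ip firewall filter
# Replies to flows that are already established must stay accepted; this rule
# has to sit above the drop rule (use place-before= if a catch-all accept exists)
add chain=forward action=accept connection-state=established,related \
    comment="VPN segment: allow established/related"
# Log whatever the kill switch catches so a leak attempt shows up in /log
add chain=forward action=log log-prefix="vpn-leak " \
    src-address=192.168.129.0/24 out-interface=!wg0 \
    comment="VPN segment: log traffic not leaving via wg0"
# Kill switch: anything from the Mullvad segment that would leave through any
# interface other than the tunnel (e.g. the ISP uplink) is dropped, not leaked
add chain=forward action=drop \
    src-address=192.168.129.0/24 out-interface=!wg0 \
    comment="VPN segment: drop traffic not leaving via wg0"
```

The drop rule also blocks the VPN segment from reaching other local subnets; if that is not wanted, add dst-address=!192.168.0.0/16 (or the relevant local ranges) to the log and drop rules. The WireGuard handshake itself is router-originated and goes through the output chain, so it is not affected.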
I actually like the VRF concept. In fact, I could/should have presented my question differently: when using a VRF, why is it necessary to create extra routing rules? Shouldn't the router just automatically pull the rules in the VRF routing table for all interfaces linked to it?