mducharme
Trainer
Topic Author
Posts: 1267
Joined: Tue Jul 19, 2016 6:45 pm

MikroTik Wireguard server with Road Warrior clients

Wed Apr 14, 2021 2:47 am

This is just intended as a basic config example for how to set up wireguard VPN on MikroTik for road warrior clients like iOS devices:

MikroTik wireguard server config:

# a private and public key will be automatically generated when adding the wireguard interface
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
# the first client added here is ipv4 only
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key="replace-with-public-key-of-first-client"
# this client is dual stack - public IPv6 should be used - replace 2001:db8:cafe:beef: with one of your /64 prefixes.
add allowed-address=192.168.66.3/32,2001:db8:cafe:beef::3/128 interface=wireguard1 public-key="replace-with-public-key-of-second-client-dual-stack"
/ip address
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ipv6 address
add address=2001:db8:cafe:beef::1/64 interface=wireguard1

iOS wireguard client config (acts as "second client" above):

Interface: (whatever name you want to specify)
Public key: the client should automatically generate this - add this to the server above, replacing "replace-with-public-key-of-second-client-dual-stack"
Addresses: 192.168.66.3/24,2001:db8:cafe:beef::3/64 (note these are different subnet masks than in the server config)
DNS servers: as desired - if you want to use the wireguard server for DNS, specify 192.168.66.1

Peer:
Public key: get the public key from the wireguard interface on the MikroTik and place it here
Endpoint: mydyndns.whatever:13231
Allowed IPs: 0.0.0.0/0, ::/0

This config will result in the client sending all traffic through the MikroTik wireguard server. If you do not want all traffic sent through (i.e. split include), limit the peer's "Allowed IPs" to whatever subnets it should access through the tunnel rather than 0.0.0.0/0 and ::/0
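
An added example, not part of the original post or of MikroTik's tooling: WireGuard uses each peer's allowed-address both to route traffic to that peer and to filter the source addresses it accepts from it, so the server-side entries for road warrior clients should stay single-host /32 and /128 prefixes as in the config above. This Python sketch audits peer lines written in that `add ...` form; the sample keys, the third (too broad) peer and the function names are constructed for illustration, and it assumes one peer per line.

```python
import ipaddress
import shlex

# Constructed sample: the post's two peers (placeholder keys) plus a third,
# deliberately too-broad peer that claims the whole tunnel subnet.
SAMPLE = """\
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key="client1-key"
add allowed-address=192.168.66.3/32,2001:db8:cafe:beef::3/128 interface=wireguard1 public-key="client2-key"
add allowed-address=192.168.66.0/24 interface=wireguard1 public-key="client3-key"
"""
# Tunnel subnets taken from the post's /ip address and /ipv6 address lines.
TUNNEL_NETS = ("192.168.66.0/24", "2001:db8:cafe:beef::/64")

def parse_peers(export):
    """Return [(public_key, [ip_network, ...])] for every 'add ...' peer line."""
    peers = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skips comments and menu paths such as /interface wireguard peers
        fields = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        nets = [ipaddress.ip_network(a, strict=False)
                for a in fields.get("allowed-address", "").split(",") if a]
        peers.append((fields.get("public-key", "?"), nets))
    return peers

def audit_peers(export, tunnel_nets=TUNNEL_NETS):
    """Flag entries that are not single hosts, lie outside the tunnel
    subnets, or overlap an address already given to another peer."""
    tunnel = [ipaddress.ip_network(n) for n in tunnel_nets]
    findings, seen = [], []
    for key, nets in parse_peers(export):
        for net in nets:
            if net.prefixlen != net.max_prefixlen:
                findings.append((key, str(net), "not a host route"))
            if not any(net.version == t.version and net.subnet_of(t) for t in tunnel):
                findings.append((key, str(net), "outside tunnel subnet"))
            for other_key, other in seen:
                if other_key != key and net.version == other.version and net.overlaps(other):
                    findings.append((key, str(net), "overlaps " + other_key))
            seen.append((key, net))
    return findings

if __name__ == "__main__":
    for finding in audit_peers(SAMPLE):
        print(finding)
```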
 
spongebob99
just joined
Posts: 2
Joined: Sun Apr 18, 2021 10:01 pm

Re: MikroTik Wireguard server with Road Warrior clients

Sun Apr 18, 2021 10:24 pm

I would like to apply this setup on 7.1b5 in Webfig. However I'm not able to set the allowed-address for the server peer config, the field gets cleared when pressing Apply and is not saved when pressing OK. Is this some bug? Any other way to make this work? Thanks... I'm new to RouterOS.
 
mducharme
Trainer
Topic Author
Posts: 1267
Joined: Tue Jul 19, 2016 6:45 pm

Re: MikroTik Wireguard server with Road Warrior clients

Tue Apr 20, 2021 2:22 am

> I would like to apply this setup on 7.1b5 in Webfig. However I'm not able to set the allowed-address for the server peer config, the field gets cleared when pressing Apply and is not saved when pressing OK. Is this some bug? Any other way to make this work? Thanks... I'm new to RouterOS.

Yes, I have had this happen a few times - you have to set them from the command line for now. For example:

/interface wireguard peers print

prints the list of wireguard peers - note the ID number of the peer you want to change, and then set it from the command line:

/interface wireguard peers set <ID> allowed-address=whatever,whateverelse
