
MikroTik Wireguard server with Road Warrior clients

Posted: Wed Apr 14, 2021 2:47 am
by mducharme
This is just intended as a basic config example for how to set up wireguard VPN on MikroTik for road warrior clients like iOS devices:

MikroTik wireguard server config:
# a private and public key will be automatically generated when adding the wireguard interface
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
# the first client added here is ipv4 only
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key="replace-with-public-key-of-first-client"
# this client is dual stack - public IPv6 should be used - replace 2001:db8:cafe:beef: with one of your /64 prefixes.
add allowed-address=192.168.66.3/32,2001:db8:cafe:beef::3/128 interface=wireguard1 public-key="replace-with-public-key-of-second-client-dual-stack"
/ip address
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ipv6 address
add address=2001:db8:cafe:beef::1/64 interface=wireguard1
iOS wireguard client config (acts as "second client" above):
Interface: (whatever name you want to specify)
Public key: the client should automatically generate this - add this to the server above replacing "replace-with-public-key-of-second-client-dual-stack"
Addresses: 192.168.66.3/24,2001:db8:cafe:beef::3/64          (note these are different subnet masks than in the server config)
DNS servers: as desired - if you want to use the wireguard server for dns, specify 192.168.66.1

Peer:
Public key - get the public key from the wireguard interface on the mikrotik and place here
Endpoint - mydyndns.whatever:13231
Allowed IPs: 0.0.0.0/0, ::/0
This config will result in the client sending all traffic through the MikroTik wireguard server. If you do not want all traffic sent through (i.e. split include), limit the peer's "Allowed IPs" to whatever subnets it should access through the tunnel rather than 0.0.0.0/0 and ::/0
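As an added example (not part of this post, and not MikroTik code), a small Python check that the server and iOS settings above agree with each other: each peer's allowed-address is a single host covered by a connected route on wireguard1, the client address carries the interface prefix length as the note above says, and AllowedIPs of 0.0.0.0/0 and ::/0 mean a full tunnel. The export text and the client profile are constructed from the values in this post; the public keys are the same placeholders.

```python
import ipaddress
import shlex

# Constructed sample: the RouterOS export lines from the post above (interface
# addresses and the two peers) plus the iOS profile of the dual-stack client.
# The public keys are placeholders, exactly as in the post.
SERVER_EXPORT = """
/ip address
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ipv6 address
add address=2001:db8:cafe:beef::1/64 interface=wireguard1
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key="replace-with-public-key-of-first-client"
add allowed-address=192.168.66.3/32,2001:db8:cafe:beef::3/128 interface=wireguard1 public-key="replace-with-public-key-of-second-client-dual-stack"
"""
IOS_CLIENT = {"Addresses": ["192.168.66.3/24", "2001:db8:cafe:beef::3/64"],
              "AllowedIPs": ["0.0.0.0/0", "::/0"]}

def parse_export(text):
    """Group the 'add' lines of a RouterOS export by menu: {menu: [{key: value}]}."""
    menus, menu = {}, None
    for line in text.strip().splitlines():
        if line.startswith("/"):
            menu = line.strip()
            menus.setdefault(menu, [])
        elif line.startswith("add "):
            # shlex keeps the quoted public-key value as one key=value token
            menus[menu].append(dict(tok.split("=", 1) for tok in shlex.split(line)[1:]))
    return menus

def peer_hosts(menus, interface):
    """Every network listed in allowed-address of the peers on `interface`."""
    return [ipaddress.ip_network(cidr)
            for p in menus.get("/interface wireguard peers", []) if p["interface"] == interface
            for cidr in p["allowed-address"].split(",")]

def check_server(menus, interface="wireguard1"):
    """Return (problems, interface_subnets) for the server side of the tunnel."""
    subnets = [ipaddress.ip_interface(a["address"]).network
               for menu in ("/ip address", "/ipv6 address")
               for a in menus.get(menu, []) if a["interface"] == interface]
    problems, seen = [], set()
    for net in peer_hosts(menus, interface):
        if net.num_addresses != 1:
            problems.append(f"{net}: a road-warrior peer should be one host (/32 or /128)")
        # without a connected route covering the peer, return traffic has nowhere to go
        if not any(s.version == net.version and net.subnet_of(s) for s in subnets):
            problems.append(f"{net}: no connected route on {interface} covers it")
        if net in seen:  # cryptokey routing needs a disjoint allowed-address per peer
            problems.append(f"{net}: already assigned to another peer")
        seen.add(net)
    return problems, subnets

def check_client(menus, client, subnets, interface="wireguard1"):
    """Cross-check the client profile against the server; return (problems, full_tunnel)."""
    hosts = set(peer_hosts(menus, interface))
    problems = []
    for addr in client["Addresses"]:
        iface = ipaddress.ip_interface(addr)
        if ipaddress.ip_network(str(iface.ip)) not in hosts:
            problems.append(f"{addr}: no server peer lists this host in allowed-address")
        # the client carries the interface prefix (/24, /64), not the server's /32 or /128
        if iface.network not in subnets:
            problems.append(f"{addr}: prefix length does not match the server interface subnet")
    # 0.0.0.0/0 or ::/0 in the peer's AllowedIPs sends everything through the tunnel
    full_tunnel = any(ipaddress.ip_network(a).prefixlen == 0 for a in client["AllowedIPs"])
    return problems, full_tunnel

if __name__ == "__main__":
    menus = parse_export(SERVER_EXPORT)
    server_problems, subnets = check_server(menus)
    client_problems, full = check_client(menus, IOS_CLIENT, subnets)
    print(server_problems or "server peers consistent", client_problems or "client consistent",
          "full tunnel" if full else "split tunnel")
```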

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sun Apr 18, 2021 10:24 pm
by spongebob99
I would like to apply this setup on 7.1b5 in Webfig. However I'm not able to set the allowed-address for the server peer config, the field gets cleared when pressing Apply and is not saved when pressing OK. Is this some bug? Any other way to make this work? Thanks... I'm new to RouterOS.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Tue Apr 20, 2021 2:22 am
by mducharme
I would like to apply this setup on 7.1b5 in Webfig. However I'm not able to set the allowed-address for the server peer config, the field gets cleared when pressing Apply and is not saved when pressing OK. Is this some bug? Any other way to make this work? Thanks... I'm new to RouterOS.
Yes, I have had this happen a few times - you have to set them from the command line for now. For example:
/interface wireguard peers print
prints the list of wireguard peers - note the ID number of the peer you want to change, and then set it from the command line:
/interface wireguard peers set <ID> allowed-address=whatever,whateverelse

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Fri May 28, 2021 8:18 pm
by intrepidsilence
Could you please explain the correct firewall addition to allow this to work? I have tried a number of things without success. Also, does it need a static route? Is WireGuard assigning the IP address to the client as the peer IP? Can it be on the same network as my DHCP subnet everything else is on? Thanks in advance!

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sat May 29, 2021 5:17 am
by mducharme
Could you please explain the correct firewall addition to allow this to work? I have tried a number of things without success. Also, does it need a static route? Is WireGuard assigning the IP address to the client as the peer IP? Can it be on the same network as my DHCP subnet everything else is on? Thanks in advance!
Four questions, four answers:

1. You will need a firewall rule like this:
/ip firewall filter add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp
2. It doesn't need a static route, no

3. No, wireguard has no means of dynamic address assignment for clients - everything is static and is specified on the client side too

4. No, it cannot

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sat May 29, 2021 7:20 pm
by anav
My Wireguard Diagram using Beta5.
A. IOS phone to RBG wireguard server
B. External PC behind an MT RB4011 router acting as a wireguard client connected to a different RBG wireguard server.
C. The iphone and external PC are associated with a different WG server Interface on the RBG (2 WG interfaces each with one peer, vice ONE interface and two peers).
D. The WireGuard interfaces do not require any subnet or IP address.

Notes:
1. Both MT wireguard devices (server and client) are behind a primary router.
2. The IOS smartphone connection is used to manage the CCR1009, the RBG and the RB4011 routers through the wireguard interfaces.
3. The IOS smartphone and external PC wireguard connections are used to provide internet through the CCR WAN connection.
4. Throughput is approx 300up and 300down with primary routers connected to the same 1Gig fiber network (within 15km).
5. Plan will be to remove RBG once wireguard is moved out of beta.
[attachment: Drawingwireguardvers4.png]

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sat May 29, 2021 7:43 pm
by saimens
Hi

Thanks for your example. Very appreciated.

Unfortunately I cannot replicate it. May you have any hint based on my configuration?

After activating the client in macOS (same applies to iOS), it shows "activated", but I cannot ping the wireguard server (nor access the webfig; I tried all IP addresses). The keys are for test purposes only.

Wireguard-Server on Mikrotik hEX S, which is attached to ISP with fiber
[attachment: mikrotik.jpeg]
Wireguard-Client on macOS
[attachment: macOS client.jpg]
Thanks in advance.

Simon


Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sat May 29, 2021 9:12 pm
by mducharme
Unfortunately I cannot replicate it. May you have any hint based on my configuration?
Your wireguard interface for roadwarriors should also be in the LAN interface list - make sure you have done that.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sun May 30, 2021 1:27 am
by saimens
Thanks for your swift reply.

Still NOT working. Do you have any more ideas?

I added the following entry in the list section. Not sure if this is what you asked me to do.
[attachment: LAN.jpg]
I also tried to add it to the bridge, but this was not successful either. So I deleted it again.
[attachment: BRIDGE.jpg]
Looking forward to your feedback.

Best,
Simon

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sun May 30, 2021 2:00 am
by mducharme
Make sure the "allow wireguard" rule is above your drop rules on the input chain, specifically it should at least be above the "drop all" final input chain rule. It looks to me like you have it at the very end instead, which is too late. On mine I have it just above the "drop invalid" rule for the input chain, although that may not strictly be necessary.
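To illustrate the ordering point in this reply (and the input-chain explanation in the next one), here is an added Python example, not from the thread or from MikroTik: it parses a "/ip firewall filter" export modelled on the RouterOS default rules with the "Allow Wireguard" rule appended last, reports whether a drop that can match the handshake sits above it, and returns the reordered rule list. The sample rules are constructed.

```python
import shlex

# Constructed sample modelled on the RouterOS default input chain, with the
# "Allow Wireguard" rule from this thread appended at the very end, which is
# the misplacement described in the reply above.
FILTER_EXPORT = """
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp
"""

def parse_rules(text):
    """Return the 'add' rules of a '/ip firewall filter' export, in export order.
    Every token in an export line is key=value; shlex keeps quoted comments whole."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines() if line.startswith("add ")]

def is_wireguard_accept(rule, listen_port):
    return (rule.get("chain") == "input" and rule.get("action") == "accept"
            and rule.get("protocol") == "udp" and rule.get("dst-port") == listen_port)

def blocks_handshake(rule):
    # The first handshake datagram is a new connection, so a drop limited to
    # connection-state=invalid never matches it; any other input drop placed
    # above the accept rule does (e.g. "drop all not coming from LAN").
    return (rule.get("chain") == "input" and rule.get("action") == "drop"
            and rule.get("connection-state") != "invalid")

def check_rule_order(rules, listen_port="13231"):
    """Return (ok, accept_pos, first_blocking_drop_pos) as positions in the export.
    RouterOS evaluates a chain top-down and stops at the first match."""
    accept = next((i for i, r in enumerate(rules) if is_wireguard_accept(r, listen_port)), None)
    drop = next((i for i, r in enumerate(rules) if blocks_handshake(r)), None)
    ok = accept is not None and (drop is None or accept < drop)
    return ok, accept, drop

def fix_rule_order(rules, listen_port="13231"):
    """Return a copy with the accept rule moved directly above the first blocking
    drop, which is what '/ip firewall filter move' achieves on the router."""
    ok, accept, drop = check_rule_order(rules, listen_port)
    if ok or accept is None:
        return list(rules)
    fixed = [r for i, r in enumerate(rules) if i != accept]
    fixed.insert(drop, rules[accept])
    return fixed

if __name__ == "__main__":
    rules = parse_rules(FILTER_EXPORT)
    print("as exported:", check_rule_order(rules))
    print("after move: ", check_rule_order(fix_rule_order(rules)))
```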

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sun May 30, 2021 5:03 am
by anav
Server Router Key points:

1. The wireguard is a service on the router and thus one has to allow the initial unencrypted traffic to the router via the INPUT CHAIN, which entails the listening port, protocol UDP, interface (coming from) the wan. With a road warrior one cannot narrow it down further by source address. As stated already this needs to be right after the input chain default firewall rules (like after accept ICMP ping) and before any drop rules etc....

So what happens is that the client traffic will hit the internet, hit the server router and then be directed to the wireguard service. If you log this rule, you should get basically a one log entry if successful. The tunnel will be negotiated and established. Once that is done, the client will be able to travel through the tunnel to the wireguard interface. The traffic will be routed out the available main table routing already in place at the server router.

2. Ensure one puts an IP Route on the MT Server Router that will direct return traffic from the internet back through the wireguard tunnel to the client device. Therefore the destination address is the lan subnet of the client device (or the IP of the client device) and the gateway is the wireguard interface

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sun May 30, 2021 5:23 am
by mducharme
2. Ensure one puts an IP Route on the MT Server Router that will direct return traffic from the internet back through the wireguard tunnel to the client device. Therefore the destination address is the lan subnet of the client device (or the IP of the client device) and the gateway is the wireguard interface
This is only necessary if there isn't already one - for instance, if the wireguard is not being done by the same device. If it is being done by the same device (as in most cases), there will already be a connected route (C) to deliver the return traffic, and manually adding an extra route on the MikroTik is unnecessary and unhelpful.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sun May 30, 2021 12:56 pm
by saimens
Thanks for your extensive support.

I will test this next Sunday and give you an update

Best,
Simon

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sun May 30, 2021 3:01 pm
by anav
2. Ensure one puts an IP Route on the MT Server Router that will direct return traffic from the internet back through the wireguard tunnel to the client device. Therefore the destination address is the lan subnet of the client device (or the IP of the client device) and the gateway is the wireguard interface
This is only necessary if there isn't already one - for instance, if the wireguard is not being done by the same device. If it is being done by the same device (as in most cases), there will already be a connected route (C) to deliver the return traffic, and manually adding an extra route on the MikroTik is unnecessary and unhelpful.
When the server router gets return packets from the internet for a subnet or IP address that is not known to the router (wg client devices using the tunnel) not configured on the router, the IP route tells the router, oh, for these packets send them to the WG interface. Without these routes for both my client MT device and associated PC, and the iphone, there is no other magic way for them to get the return traffic??

As far as I am aware, wireguard config does not automatically create IP routes?
Perhaps, my example is unique being behind another MT router?
In this case you can see that I have to create an IP Route for internet return traffic, on the CCR first router, specifically for the return traffic of the client devices (iphone or external pc) to the LANIP/WANIP of the secondary wireguard server router. Then I do the same at the Server Router to point the return packets back at the tunnel.

Are you saying this is all done automatically when using only a single router? I do have masquerade sourcenat on both routers but this is not enough!

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sun May 30, 2021 10:28 pm
by mducharme
Are you saying this is all done automatically when using only a single router? I do have masquerade sourcenat on both routers but this is not enough!
Yes, it is automatic when using a single router. Your situation is different in that your Wireguard server is behind another router.

As an example, the router as a wireguard server directly connected to the internet with a public IP as the main gateway will have an IP of, for instance, 192.168.66.1/24. As a result of having this address, the router has a connected route to the wireguard interface for the subnet 192.168.66.0/24. Suppose the client is assigned 192.168.66.2/32. The client goes to a website, and since allowed-ips on the client side are 0.0.0.0/0, it sends everything across Wireguard to the router. The router masquerades this (as long as the wireguard interface is in the LAN interface list) and sends it to the internet. The response coming back is received by the router which knows it has to get the packet back to 192.168.66.2. It checks its routing table to see where 192.168.66.2 is, and sees that it already has a connected route for that subnet and that it belongs to the wireguard interface.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sun May 30, 2021 11:19 pm
by anav
No, still don't see it nor agree, but I think you are missing a key point ----> I do not assign an IP or IP address to the wireguard interface in my design. It is only an interface, period.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Sun May 30, 2021 11:59 pm
by mducharme
No, still don't see it nor agree, but I think you are missing a key point ----> I do not assign an IP or IP address to the wireguard interface in my design. It is only an interface, period.
OK I see. What benefit is there to not using an IP address on the wireguard interface? (Other than saving one IP address)

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Mon May 31, 2021 12:21 am
by anav
No, still don't see it nor agree, but I think you are missing a key point ----> I do not assign an IP or IP address to the wireguard interface in my design. It is only an interface, period.
OK I see. What benefit is there to not using an IP address on the wireguard interface? (Other than saving one IP address)
Why do you need an IP address? What functionality does adding an IP address on the WG provide??
Currently, from my iphone I can manage/configure every MT router attached somehow to Wireguard.
I can get internet from the WG server from my iphone.
The external PC connected to the wireguard server can get internet.
The external PC connected to the wireguard server can reach my printers on a different vlan if necessary...........

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Mon May 31, 2021 1:20 am
by mducharme
Why do you need an IP address? What functionality does adding an IP address on the WG provide??
Currently, from my iphone I can manage/configure every MT router attached somehow to Wireguard.
I can get internet from the WG server from my iphone.
The external PC connected to the wireguard server can get internet.
The external PC connected to the wireguard server can reach my printers on a different vlan if necessary...........
I do not completely know, but it is present in all Wireguard documentation and tutorials that I have found to do this. You seem to have invented your own method that is different from all other Wireguard tutorials out there, and deviates from what the documentation states. I would suspect since all of the documentation shows to do this, that there is a reason for it, and it isn't just some completely useless practice.

Although I haven't tried it, something I suspect might not work with your setup is if you had two Wireguard clients connecting to your Wireguard server and you want them to be able to connect to each other. For instance, two iPhones connecting may not be able to ping each other, but be able to reach everything else. This works fine with an IP on the Wireguard server end, with one wireguard interface with 192.168.66.1/24 and two configured peers on 66.2 and 66.3.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Mon May 31, 2021 1:48 pm
by anav
I am not discounting your approach because there may be instances where it is useful, just haven't stumbled across them yet.
Out of curiosity do you just assign an IP address to a wireguard interface or do you assign a subnet and then give client devices an IP in that subnet??

When you say you can connect two clients together, what practical purpose is that used for?? Once folks have an internet connection through the server, they can use discord or other apps to chat for example, so looking for practical examples of why it's necessary. I think it's not a good idea for users to have a party on your wireguard server LOL. In fact having them on the same subnet, if it automatically allows connected client users to see each other, is bad security especially if you have no way of blocking them!!!!
I suspect that having two peers on the same interface WITHOUT an IP address structure probably prevents them from seeing each other automatically but not sure since haven't tested it.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Mon May 31, 2021 9:54 pm
by mducharme
Out of curiosity do you just assign an IP address to a wireguard interface or do you assign a subnet and then give client devices an IP in that subnet??
The wireguard interface on the router gets 192.168.66.1/24, and the clients get 66.2/24, 66.3/24, etc. This is done exactly as described in the official wireguard documentation, including all of the major tutorials. If you are unfamiliar with this setup, I am guessing you have not read the documentation, as this is the normal wireguard setup.
When you say you can connect two clients together, what practical purpose is that used for?? Once folks have an internet connection through the server, they can use discord or other apps to chat for example, so looking for practical examples of why it's necessary. I think it's not a good idea for users to have a party on your wireguard server LOL. In fact having them on the same subnet, if it automatically allows connected client users to see each other, is bad security especially if you have no way of blocking them!!!!
There are a few scenarios where this could be important. You can have a roadwarrior-type setup to connect a main office and two branch offices, in the case where the branch offices are behind CG-NAT and cannot do a site-to-site as a result. In this case, it may not be desirable to block all communications from one branch office to the next.

Even with individual devices, certain applications (such as Skype) will attempt to establish the most direct link between the devices possible rather than sending everything through a central server. For instance, if you start a Skype call with someone on the same LAN or different subnets on the same corporate network, that traffic will not travel over the Internet, it goes directly between the two endpoints. In this event, if you are blocking traffic between the endpoints, this traffic will get blocked. Depending on the design of the collaboration app, it may have a means to detect this and fail over to using a central server as proxy, or it may not. If it does not, your employees connecting to the VPN may be prevented from video chatting with each other with certain apps while on the VPN, while being able to video chat perfectly fine with anybody outside of the company.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Thu Jun 03, 2021 10:36 am
by mducharme
There is another reason I can see for having IP addresses on the Wireguard interfaces themselves - easy troubleshooting. If Wireguard is not working and you don't know why, having the IPs on both sides on that interface, and using those to do ping tests, allows you to eliminate certain kinds of routing issues and test the operation of the tunnel in a much more basic way.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Fri Jun 04, 2021 2:52 am
by anav
There is another reason I can see for having IP addresses on the Wireguard interfaces themselves - easy troubleshooting. If Wireguard is not working and you don't know why, having the IPs on both sides on that interface, and using those to do ping tests, allows you to eliminate certain kinds of routing issues and test the operation of the tunnel in a much more basic way.
I do the same ping troubleshooting without IP address :-)
When the client pings they are pinging from a subnet, so you can test what the PC behind the subnet being directed can ping, and then you can track it on the other end of the tunnel on the server end by IP address for example, not difficult, or any traffic for that matter.
All the troubles I've had (cue some music) were stupid errors on my part that didn't need pinging in the end, it was simply not understanding packet flow.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Fri Jun 04, 2021 3:13 am
by mducharme
I do the same ping troubleshooting without IP address :-)
I know you do, but I am thinking more about what is easiest to understand for people who are not as technically proficient. If Wireguard does not seem to be working, it could be harder for them to trace down the issue if you do not have an address on both sides on the Wireguard interface. If you have an IP address on the Wireguard interface on both sides, and they can't ping each other, you can be sure the issue is with Wireguard itself. If you set things up without any IP addresses and they can't ping each other, the problem could either be in the Wireguard configuration or in the routing.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Fri Jun 04, 2021 3:20 am
by anav
I do the same ping troubleshooting without IP address :-)
I know you do, but I am thinking more about what is easiest to understand for people who are not as technically proficient. If Wireguard does not seem to be working, it could be harder for them to trace down the issue if you do not have an address on both sides on the Wireguard interface. If you have an IP address on the Wireguard interface on both sides, and they can't ping each other, you can be sure the issue is with Wireguard itself. If you set things up without any IP addresses and they can't ping each other, the problem could either be in the Wireguard configuration or in the routing.
Guaranteed the problem is routing LOL. It's not that difficult to put in the wireguard settings, although the tricky part is putting in 0.0.0.0/0 at the client side, peer entry for allowed IPs, and putting in the endpoint with listening port appended at the client side, peer entry if there is not a separate entry for the port.

Re: MikroTik Wireguard server with Road Warrior clients

Posted: Tue Jun 08, 2021 6:43 am
by mducharme
Guaranteed the problem is routing LOL. It's not that difficult to put in the wireguard settings, although the tricky part is putting in 0.0.0.0/0 at the client side, peer entry for allowed IPs, and putting in the endpoint with listening port appended at the client side, peer entry if there is not a separate entry for the port.
The problem is likely routing, but people who are unfamiliar with wireguard may not be aware of the need to specify the allowed addresses. I think it is simpler for most to just have the IPs on both sides of the interface. You can do all sorts of weird/crazy things if you are experienced with wireguard, but those new to it are probably best off following the "standard" setups.