mikro2sandwich
just joined
Topic Author
Posts: 6
Joined: Mon Apr 28, 2025 10:52 pm

Mikrotik using wireguard as VPN client

Mon Apr 28, 2025 11:20 pm

Greetings fellow Mikrotik adventurers. I wanted to use Mikrotik as a mobile VPN router of sorts to connect to a wireguard VPN provider in Dallas so I can have a local presence regardless of location.
I found this helpful setup, https://www.ivpn.net/setup/router/mikrotik-wireguard using wireguard and Mikrotik. However, once implemented the VPN connectivity works perfectly fine, but I can no longer ping the router or use the web interface. Of course Winbox can still connect to it using the MAC address. I am using RouterOS 7.18.2. Could someone please help me determine what is missing in order to enable local traffic to the router itself? Thank you!

Here is the config:
# 2025-04-28 14:28:16 by RouterOS 7.18.2
# software id = xxxx-xxxx
#
# model = E50UG
# serial number = xxxxxxxxxx
/interface bridge
add admin-mac=ff:ff:ff:ff:ff:FC auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-proton-VPN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/routing table
add disabled=no fib name=wireguard-proton
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-dns=10.2.0.1 endpoint-address=\
    xx.xx.xx.xx endpoint-port=51820 interface=wireguard-proton-VPN name=\
    Proton_VPN_USA persistent-keepalive=25s public-key=\
    "nZYSLxxxxxxx7yE1qRLQRFC71xHVEAg="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.2.0.2 interface=wireguard-proton-VPN network=10.2.0.2
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=9.9.9.9 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard-proton-VPN \
    src-address=192.168.1.0/24
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard-proton-VPN \
    routing-table=wireguard-proton suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.1.0/24 table=\
    wireguard-proton
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by holvoetn on Tue Apr 29, 2025 8:04 am, edited 1 time in total.
Reason: Change quote to code tags for readability
 
holvoetn
Forum Guru
Posts: 7398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik using wireguard as VPN client

Tue Apr 29, 2025 8:06 am

Your "problem" is with this firewall rule:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Or better said ... the fact you do not allow traffic coming from wireguard right before this drop rule.
There is nothing accepting input to your router coming from that wireguard interface.

Add specific rule accepting this traffic coming from wireguard interface or as an alternative, add wireguard interface to LAN list.
 
mikro2sandwich
just joined
Topic Author
Posts: 6
Joined: Mon Apr 28, 2025 10:52 pm

Re: Mikrotik using wireguard as VPN client

Tue Apr 29, 2025 3:51 pm

Your "problem" is with this firewall rule:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Or better said ... the fact you do not allow traffic coming from wireguard right before this drop rule.
There is nothing accepting input to your router coming from that wireguard interface.

Add specific rule accepting this traffic coming from wireguard interface or as an alternative, add wireguard interface to LAN list.

Thanks holvoetn, to be more specific, I cannot ping the Mikrotik from the LAN, I can't use the Mikrotik web interface from the LAN. When you say "the fact you do not allow traffic coming from wireguard right before this drop rule.", isn't the ping traffic and web interface traffic already on the same subnet and not coming from the wireguard interface?
 
holvoetn
Forum Guru
Posts: 7398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik using wireguard as VPN client

Tue Apr 29, 2025 4:10 pm

Ah, that's another thing indeed.
Looks like you route all your traffic first to Proton VPN ?
Also local traffic.
 
mikro2sandwich
just joined
Topic Author
Posts: 6
Joined: Mon Apr 28, 2025 10:52 pm

Re: Mikrotik using wireguard as VPN client

Tue Apr 29, 2025 4:21 pm

Is this expected behavior? Is the Mikrotik supposed to be inaccessible when Wireguard is in use?
 
anav
Forum Guru
Posts: 23677
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik using wireguard as VPN client  [SOLVED]

Tue Apr 29, 2025 4:44 pm

No, you have configured the mikrotik to ensure that the communication you seek is not available. In other words self-inflicted due to lack of knowledge.
The firewall rules are not the problem. The basis of error is a missing routing rule..... Complete review follows.

You have not provided any of the information the 3rd party provided, and typically it should be
your wireguard ip address/32
endpoint address and port
private key for you to use when creating the MT wireguard interface (so that they already have your public key )
Public key to put in your MT peer settings.
Possibly DNS address.
++++++++++++++++++++++++++++++++++++++++++++

Be aware that if you route all traffic out the wireguard tunnel, then of course you won't be able to reach the router .....
So you need to articulate ALL user needs, and especially the admin. Which means the ability to configure the router while on the LAN.
You can circumvent this by taking one port off the bridge and making it accessible off bridge and thus not forced out the vpn internet.
This option will be provided at the very end.

In terms of the configuration........

1. Not wrong or a problem, but src address is not needed in the source nat for wireguard ( not a firewall or routing function ), should be
add action=masquerade chain=srcnat out-interface=wireguard-proton-VPN

2. Again not that it matters, but the MT listening port doesn't have to match the endpoint port. It can be anything.

3. First real issue is the wireguard address on the MT
add address=10.2.0.2?? interface=wireguard-proton-VPN network=10.2.0.2
should be:
add address=10.2.0.2/24 interface=wireguard-proton-VPN network=10.2.0.0

4. If not using IPV6 then remove all associated noise (ipv6 firewall address lists)
/ipv6 settings
set disabled=yes
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop


5. Remove default static DNS setting!!
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A


6. Remove remote requests:
/ip dns
set allow-remote-requests=yes servers=9.9.9.9

To:
/ip dns
set servers=9.9.9.9


7. Set DHCP server setting from:
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=9.9.9.9 gateway=192.168.1.1 netmask=24
TO:
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=10.2.0.1 gateway=192.168.1.1


8. Finally, the main issue: you need to add one rule to the routing rules ......... and order is important. So, to get this as the first rule without deleting the current rule, simply copy the rule and accept, then go back to the first rule and modify it from
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.1.0/24 table=wireguard-proton
add action=lookup-only-in-table disabled=no src-address=192.168.1.0/24 table=wireguard-proton

TO:
/routing rule
add action=lookup-only-in-table dst-address=192.168.1.0/24 table=main
add action=lookup-only-in-table src-address=192.168.1.0/24 table=wireguard-proton


Now you should be able to access the router as required.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now to access the regular internet through the local WAN, you will have to disable the wireguard interface, and to go back to VPN internet, turn it back on by enabling the wireguard interface.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

OffBridge option.....
What i recommend is create an offbridge port for local emergency access.
So remove etherX from /interface bridge port settings.

Modify the following entry
/interface ethernet
set [ find default-name=etherX ] name=OffBridgeX

Give it an Ip address
/ip address
add address=192.168.77.1/30 interface=OffBridgeX network=192.168.77.0

Add it to the Interface List Members
/interface list member
add interface=OffBridgeX list=LAN


Now you should be able to plug your laptop into ether24, change the IPV4 settings on the laptop to 192.168.77.2, then using winbox enter the router with username and password.
Note the netmask of 30 on the address only allows two addresses to work on the router, .1 and .2.
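The fix described in the post above, assembled into one complete RouterOS fragment as an added example; this is not anav's, the OP's or MikroTik's own configuration. Interface, table and subnet names (wireguard-proton-VPN, wireguard-proton, 192.168.1.0/24, 10.2.0.2/24) are taken from the posted export; the angle-bracket placeholders, ether5 as the off-bridge port and 192.168.1.10 as a LAN host used in the checks are assumptions for illustration.

```routeros
# Added example, not code from the thread. Placeholders in <angle brackets>,
# ether5 as the off-bridge port and 192.168.1.10 as a LAN host are assumed.

/interface wireguard
add name=wireguard-proton-VPN listen-port=51820 mtu=1420 \
    private-key="<private key issued by the VPN provider>"
/interface wireguard peers
add interface=wireguard-proton-VPN name=Proton_VPN_USA \
    public-key="<provider public key>" endpoint-address=<provider endpoint> \
    endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip address
add address=10.2.0.2/24 interface=wireguard-proton-VPN network=10.2.0.0

# Separate FIB for the tunnel; its only route is the default via the tunnel.
/routing table
add name=wireguard-proton fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-proton-VPN routing-table=wireguard-proton

# Rule order is the whole fix. Rule 1 keeps anything addressed to the LAN subnet,
# including the router's own replies sourced from 192.168.1.1, in the main table,
# the only table holding the connected route for the bridge. Rule 2 then sends
# every other LAN-sourced packet to the tunnel table. lookup-only-in-table never
# falls back to main, so with the tunnel down LAN traffic is dropped instead of
# leaking out ether1 (a kill switch, at the cost of no clearnet fallback).
/routing rule
add action=lookup-only-in-table dst-address=192.168.1.0/24 table=main
add action=lookup-only-in-table src-address=192.168.1.0/24 table=wireguard-proton

/ip firewall nat
add chain=srcnat action=masquerade out-interface=wireguard-proton-VPN

# No extra input rule for the tunnel is needed: the router initiates the handshake
# out ether1 and the provider's replies match "accept established,related".
# Do NOT add wireguard-proton-VPN to the LAN interface list: with
# allowed-address=0.0.0.0/0 that would let the provider's side past
# "drop all not coming from LAN" and onto winbox, www, ssh and DNS on the router.

# Emergency access port outside the bridge. 192.168.77.0/30 is not matched by the
# src-address=192.168.1.0/24 rule, so it always uses the main table.
/interface bridge port
remove [find interface=ether5]
/interface ethernet
set [find default-name=ether5] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0
/interface list member
add interface=OffBridge5 list=LAN

# Checks. The ping is sourced from the bridge address and exercises the router's
# own reply path; it fails when the two routing rules are in the wrong order.
# The peers print shows last-handshake and rx/tx counters for the tunnel.
/routing rule print
/ping 192.168.1.10 src-address=192.168.1.1 count=3
/interface wireguard peers print
```

If you want LAN clients to fall back to the local WAN when the tunnel is disabled, change the second rule to action=lookup instead of lookup-only-in-table: lookup continues in the main table when the tunnel table has no usable route. That gives you the toggle behaviour described above without touching the interface, but it also removes the kill switch, so pick one deliberately.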
 
mikro2sandwich
just joined
Topic Author
Posts: 6
Joined: Mon Apr 28, 2025 10:52 pm

Re: Mikrotik using wireguard as VPN client

Tue Apr 29, 2025 5:39 pm

Spectacular. It works perfectly.
Thank you so much for your guidance Anav. I will be posting a working "Mikrotik wireguard howto" in the appropriate forum section soon, since there isn't currently an accurate working document anywhere on the internet. I will attribute your excellent contributions.
 
holvoetn
Forum Guru
Posts: 7398
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik using wireguard as VPN client

Tue Apr 29, 2025 10:32 pm

There used to be a quite good post (and other topics too) from a certain fire-spitting llama until he decided to remove all those posts for some obscure reason ...

Just saying the bar has been raised pretty high as far as quality of such instruction post is concerned (on the other hand, there is nothing anymore now so ...)
:lol:
 
anav
Forum Guru
Posts: 23677
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik using wireguard as VPN client

Tue Apr 29, 2025 11:10 pm

Obscure, not, simple transaction issue: No one paid my tariff of 365 belgian chocolates ( one for every day ). ;-)