Mehrdadx
newbie
Topic Author
Posts: 49
Joined: Thu Mar 17, 2022 7:16 am

Wireguard Client on Mikrotik

Wed Sep 28, 2022 10:12 am

Hello

How can we set up a Wireguard client on RouterOS? I have two routers: Router A is the Wireguard VPN server and Router B must be the Wireguard client. Is it possible?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Wed Sep 28, 2022 10:33 am

Of course it is (if both routers run RouterOS 7.x). Just bear in mind that the Wireguard configuration itself is identical at both peers; what reduces their roles to a "client" and a "server" (or rather an "initiator" and a "responder") is the network topology.

Each peer acts as a responder by listening for incoming Wireguard transport packets on a particular UDP port; when a payload packet arrives from the "inside", the peer acts as an initiator by sending a transport packet to the address and port of the other peer from that same UDP port. For this to work, the network path from the initiator to the responder must be predictable, i.e. the responder must have a public IP address on itself, or there must be a port-forwarding rule on some other router through which the responder is connected to the internet.

So on the client (initiator), you configure the public IP address and port through which the responder is accessible; if the initiator runs on a non-public IP address and there's a dynamic NAT on its route to the internet, you can configure any random IP address and port on the responder to represent the initiator peer, as they will get rewritten by the actual ones once the first packet from that initiator arrives through that NAT.
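
The two-router setup described in the post above, as an added example that is not part of the thread: Router A is the responder with a public address and Router B is the initiator behind NAT. The interface name, addresses (documentation ranges), port and key placeholders are assumptions; the responder's peer entry leaves the endpoint unset rather than using a dummy value, because RouterOS learns it from the first authenticated packet.

```routeros
# Added example, not from the thread. Placeholders (assumptions):
#   203.0.113.10     = Router A's public IP (documentation range)
#   10.255.255.0/30  = tunnel subnet, UDP 13231 = listen port
#   <..._PUBLIC_KEY> = value shown by "/interface wireguard print" on the other router

# --- Router A: responder, reachable on a public IP ---
/interface wireguard add name=wg-site listen-port=13231
/ip address add address=10.255.255.1/30 interface=wg-site
# Accept WireGuard transport packets; move this rule above the final input drop rule.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard in"
# Peer entry for Router B. No endpoint is configured: Router A records B's
# NAT-translated address and port when the first authenticated packet arrives.
# allowed-address is limited to B's tunnel /32; add only the subnets that sit behind B.
/interface wireguard peers add interface=wg-site public-key="<ROUTER_B_PUBLIC_KEY>" allowed-address=10.255.255.2/32

# --- Router B: initiator, behind NAT, no public IP ---
/interface wireguard add name=wg-site listen-port=13231
/ip address add address=10.255.255.2/30 interface=wg-site
# The endpoint is Router A's public address and port. The keepalive makes B send
# regularly so the NAT mapping stays open and A can still reach B.
/interface wireguard peers add interface=wg-site public-key="<ROUTER_A_PUBLIC_KEY>" endpoint-address=203.0.113.10 endpoint-port=13231 allowed-address=10.255.255.1/32 persistent-keepalive=25s

# On either router: show the interface's own public key to copy to the other side.
/interface wireguard print
```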
 
Mehrdadx

Wed Sep 28, 2022 12:38 pm

The problem is that Router B doesn't have a public IP. Can I use Dynamic DNS? However, I think it's impossible.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Wed Sep 28, 2022 1:09 pm

@Mehrdadx

A large number of public DNS servers are filtered. It is going to fail at resolving your DDNS record. You could order a public IP for a DVR or something like that.
 
Mehrdadx

Wed Sep 28, 2022 1:45 pm

My random IP will stay on my router if I don't turn it off or disable the connection, right?
 
own3r1138

Wed Sep 28, 2022 1:48 pm

PPPoE?
 
Mehrdadx

Wed Sep 28, 2022 1:52 pm

yes
 
own3r1138

Wed Sep 28, 2022 1:56 pm

No, it is going to change. However, you could use a script to get the new one and set it as your site A peer endpoint. What do you want to do with WG? IP Tunnel is better :D
 
Mehrdadx

Wed Sep 28, 2022 2:02 pm

In fact, Router A is a MikroTik VM (Wireguard VPN server) in France and Router B is a MikroTik router in Iran. As you know, our internet is completely restricted; only Wireguard and OpenVPN are available.
 
own3r1138

Wed Sep 28, 2022 2:13 pm

If both sides are MTs, you should use an IP Tunnel because WG and OVPN are UDP and are being targeted widely right now.
 
Mehrdadx

Wed Sep 28, 2022 2:37 pm

Are you Iranian?

And is the IP Tunnel encrypted?
 
own3r1138

Wed Sep 28, 2022 3:00 pm

Yes, it could be secured with IPsec.
 
Mehrdadx

Thu Sep 29, 2022 7:48 am

I will try the IP tunnel tonight.
 
sindy

Thu Sep 29, 2022 11:24 am

Yes, it could be secured with IPsec.
@own3r1138, would you mind a private talk on this? I have some doubts, but I don't want to discuss them here on the forum as I'm sure the guys who are responsible for this whole topic monitor the forum too. If so, viewtopic.php?t=181564#p902082 .
 
own3r1138

Thu Sep 29, 2022 12:04 pm

Hi,
I hope I did it right.
 
gotsprings
Forum Guru
Posts: 2103
Joined: Mon May 14, 2012 9:30 pm

Fri Sep 30, 2022 1:35 pm

One side has to have a public IP address.

I have a Wireguard VPN from the office to the warehouse. Warehouse has cable internet with a publicly reachable IP address.

The office is behind Starlink with carrier grade NAT.

Connection has been running for months at this point.

The warehouse is the relay for when we are in the field. Open Wireguard tunnel to warehouse... You can browse right to the office server.
 
Mehrdadx

Sat Oct 01, 2022 8:25 am

Are both sides MikroTik? One side is the server and one side is the client, right? How did you set up the client side?

However, Wireguard is blocked in Iran.
 
gotsprings

Sat Oct 01, 2022 3:44 pm

Both sides are Mikrotik.

The warehouse is the "server".

We use the Wireguard program on Windows or the app on our Androids.
 
Mehrdadx

Fri Oct 21, 2022 11:40 am

Hello again.

GRE and IPIP tunnels are blocked in Iran. What is an alternative solution for these tunnels? I think we don't have an alternative, right?
 
sindy

Fri Oct 21, 2022 6:52 pm

The only remaining "solution" is SSTP, which looks like normal HTTPS traffic, but once they block the destination addresses (all non-Iranian ones), the only way is satellite internet for getting the traffic across the border, and frequently changing Iranian public addresses providing the gateways. And there is only a limited number of public addresses available. Plus SSTP only works on computers, not on mobile phones, limiting the practical usability, but that's no different from GRE and IPIP.
 
SeppBlattered
just joined
Posts: 5
Joined: Sat Feb 05, 2022 2:18 pm

Mon Oct 24, 2022 4:02 am

If both sides are MTs, you should use an IP Tunnel because WG and OVPN are UDP and are being targeted widely right now.
Can you elaborate on attacks against these services?
 
Mehrdadx

Mon Oct 24, 2022 2:19 pm

The only remaining "solution" is SSTP, which looks like normal HTTPS traffic, but once they block the destination addresses (all non-Iranian ones), the only way is satellite internet for getting the traffic across the border, and frequently changing Iranian public addresses providing the gateways. And there is only a limited number of public addresses available. Plus SSTP only works on computers, not on mobile phones, limiting the practical usability, but that's no different from GRE and IPIP.
There is a way, OpenWRT; I must test it on a router.
We are at war with a terrorist state.
 
Mehrdadx

Tue Oct 25, 2022 1:25 pm

Hello again.

I have a RouterOS VM in OVHCloud; can I install OpenWRT on that?
 
sindy

Tue Oct 25, 2022 2:27 pm

Unless you can run OpenWRT in a container, you'll have to install an OpenWRT x86/64 instead of/next to the CHR.

But I'm quite pessimistic regarding any benefit. The guys whose business is to cut you off seem to be quite flexible (and most likely they monitor this forum too).
 
Mehrdadx

Sat Oct 29, 2022 10:09 am

Yeah, that's why I don't say anything about available protocols.
