Today I tried to use the MT router as a WireGuard client (peer) and it worked really easily. I had problems with MTU (I guess), but with the mangle entry (see # fix MTU) it worked like a charm:
Afterwards I changed the default route to the IP 10.200.200.1 (WireGuard server) and added a static route to reach the server itself without the tunnel (see viewtopic.php?t=73775). Now the whole traffic is tunnelled.
```routeros
# add interface
/interface wireguard add listen-port=5555 mtu=1420 name=wireguard1 private-key="<private key MT peer>"

# add peer
/interface wireguard peers add allowed-address=0.0.0.0/0,::/0 endpoint=<ip of wireguard server>:5555 interface=wireguard1 public-key="<pub key wireguard server>"

# add ip to interface
/ip address add address=10.200.200.2/24 interface=wireguard1 network=10.200.200.0

# nat
/ip firewall nat add action=masquerade chain=srcnat out-interface=wireguard1

# fix MTU (clamp TCP MSS on SYNs leaving the tunnel)
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=wireguard1 protocol=tcp tcp-flags=syn
```
For the benchmark, I used my internet connection (100mbit), with the following results:
* RB951G-2HnD - max. 65mbit/s at 99% CPU
* hEX (RB750Gr3) - max. 95mbit/s at 50-60% CPU
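The routing step the post describes but does not show, as an added example (not the poster's config): the default route moves to the WireGuard server's tunnel address, and a host route keeps the server's public endpoint reachable directly so the tunnel cannot try to route its own packets through itself. The ISP gateway 192.0.2.1 and the server's public IP 198.51.100.10 are placeholder assumptions.

```routeros
# Added example, not from the original post. Placeholder assumptions:
#   192.0.2.1     = existing ISP/upstream gateway
#   198.51.100.10 = public IP of the WireGuard server (the peer endpoint)

# 1. Host route to the WireGuard server via the ISP gateway, so the tunnel's
#    own UDP packets never go through the tunnel (avoids a routing loop).
/ip route add dst-address=198.51.100.10/32 gateway=192.0.2.1 comment="WG endpoint outside tunnel"

# 2. New default route through the tunnel (server's tunnel-side address).
/ip route add dst-address=0.0.0.0/0 gateway=10.200.200.1 distance=1 comment="default via WireGuard"

# 3. Demote the old static ISP default route so it only takes over if the
#    tunnel route disappears. If the ISP route comes from DHCP, set
#    default-route-distance=2 on the DHCP client instead.
/ip route set [find dst-address=0.0.0.0/0 gateway=192.0.2.1] distance=2
# Note: with a distance-2 fallback the setup fails open (traffic leaves
# untunnelled while wireguard1 is down). Drop the fallback route, or add a
# forward-chain drop rule for out-interface!=wireguard1, if that is unwanted.

# Checks: the peer should show a recent last-handshake, and the active
# default route should be the one via 10.200.200.1.
/interface wireguard peers print
/ip route print where dst-address=0.0.0.0/0
```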