DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 3:00 am

Dear all,
I am quite excited about WireGuard, and I successfully connect clients (Win, MacOS, Android, iOS) to a MikroTik WG server. However, I fail to connect another MikroTik router as a client; could some kind soul give me a hint on how to do this? Here's a sample client configuration; how would it map into a RouterOS configuration? I am in particular unclear about the WG interface's listen port on the client side.
[Interface]
PrivateKey = PRIVKEY=
Address = 192.168.100.2/24

[Peer]
PublicKey = PUBKEY=
AllowedIPs = 0.0.0.0/0
Endpoint = 38.147.122.82:12345
 
genesispro
Member Candidate
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 1:04 pm

To tell you the truth, I am also having the same problem, and I THINK that I have followed the wiki 5 times without a mistake!
I am able to connect Windows and Android but not from a MikroTik (same version).

I am also wondering, since this came up: how can I tell when a client is connected on the server?
On L2TP, SSTP, PPTP and OVPN we see the active clients; where do we see them in WireGuard?
 
dragon2611
Member Candidate
Posts: 179
Joined: Fri Sep 25, 2009 12:06 am

Re: Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 3:45 pm

You add the remote WireGuard peer in exactly the same way you would if it was a client connecting into the router.

However, WireGuard on RouterOS doesn't automatically add routes, so you will need to add any routes for remote networks you want to reach via WireGuard.
The remote peer will either need the networks you want to be reachable behind your RouterOS device in its AllowedIPs, or you'll need a NAT rule in the firewall on the router to make any traffic appear to have come from the router itself.

Also, if you are planning to route 0.0.0.0/0 down WireGuard, you also need either a static route for the IP of the WireGuard server or to use a different routing table for the tunneled traffic, as you need to route the traffic for WireGuard itself outside of the tunnel.

By the way, you don't need to specify the IP/port for the client side on the server side if you don't want to (handy for dynamic IPs): if WireGuard receives a packet with the correct encryption it will just respond to whichever IP:port the packet came from. (It actually does this even if you specify an endpoint IP; the endpoint IP is just what it will try in the first instance.)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 4:25 pm

viewtopic.php?f=23&t=174417&p=861477&hi ... rd#p861477
Check out the thread all your answers are in there.
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 8:41 pm

Thanks, I am getting closer ... in viewtopic.php?f=23&t=174417&p=861477&hi ... rd#p861477 I did not find the configuration for a RouterOS WG client. So, here's what I tried (the sample client configuration for my new RouterOS client is shown in my first post):

RouterOS client device is configured first:
/interface/wireguard/add name=wireguard-client listen-port=12345
/interface/wireguard/peers add interface=wireguard-client public-key="WG_Server_PUBLIC_KEY=" allowed-address=192.168.100.0/24 endpoint-address=38.147.122.82 endpoint-port=12345
/ip/address/add interface=wireguard-client address=192.168.100.2/24
  • Line 1: The WireGuard interface; if I do not give a port, it generates a random one, so I use the same port the WG server listens on.
  • Line 2: A peer that connects to the WG server IP and port and holds the allowed subnet(s).
  • Line 3: The WG client interface gets the IP that is reserved for this client on the server.
On the server side I create a peer for my new RouterOS client and attach it to wireguard1 that listens on port 12345 and has the IP 192.168.100.1:
interface/wireguard/peers add allowed-address=192.168.100.2/24 interface=wireguard1 public-key="CLIENT_PUBKEY="
where CLIENT_PUBKEY is the pub. key of my wireguard-interface on the client.

And indeed: I can ping the 192.168.100.1 from 192.168.100.2, so this looks OK. I guess the only thing left to do is to set up routing/NATing correctly.

Is there anything I overlooked?

The confusing thing is the listen port on the client side, where the documentation says "Port for WireGuard service to listen on for incoming sessions". Since a client won't have incoming sessions, I guess it's irrelevant and any port will do.
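The mapping DL7JP asks for above, as an added example that is not part of this thread or of any MikroTik tooling: a small Python script that turns a wg-quick style client file into the RouterOS v7 commands used in the posts (interface, peer, address, and the explicit routes that RouterOS does not add by itself, which is dragon2611's point). The constructed sample config, the interface name wireguard-client, the table name table-wireguard and the lan_subnet parameter are assumptions. When AllowedIPs is 0.0.0.0/0 the script takes dragon2611's second option, a separate routing table selected by a rule on LAN-sourced traffic, so the router's own WireGuard UDP to the endpoint keeps using the main table.

```python
"""Translate a wg-quick style client config into RouterOS v7 commands.

Hypothetical helper written for this thread, not MikroTik code.  Assumes
the RouterOS v7 command syntax used in the posts, that the WireGuard
interface itself is used as the route gateway, and that lan_subnet names
the client-side LAN whose traffic should enter the tunnel.
"""
import ipaddress

# Constructed sample in the same shape as the [Interface]/[Peer] file in
# the first post; the keys are placeholders, not real key material.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PRIVKEY=
Address = 192.168.100.2/24

[Peer]
PublicKey = PUBKEY=
AllowedIPs = 192.168.100.0/24, 10.20.0.0/16
Endpoint = 38.147.122.82:12345
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Minimal INI reader: returns (interface_dict, [peer_dict, ...])."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return interface, peers


def wg_to_routeros(text, iface="wireguard-client", lan_subnet=None):
    """Return the list of RouterOS commands reproducing the client config.

    RouterOS does not install routes for allowed-address entries the way
    wg-quick does, so every AllowedIPs network gets an explicit /ip/route.
    A 0.0.0.0/0 entry goes into its own routing table, selected by a rule
    on lan_subnet (assumed, e.g. "192.168.88.0/24"), so the router's own
    encrypted UDP to the endpoint is still routed by the main table.
    """
    interface, peers = parse_wg_conf(text)
    pre, cmds, post = [], [], []

    add_iface = f"/interface/wireguard/add name={iface}"
    if "ListenPort" in interface:  # also the source port of outgoing packets
        add_iface += f" listen-port={int(interface['ListenPort'])}"
    if "PrivateKey" in interface:  # omit it to let RouterOS generate a key pair
        add_iface += f' private-key="{interface["PrivateKey"]}"'
    cmds.append(add_iface)

    own_nets = []
    for addr in interface.get("Address", "").split(","):
        if addr.strip():
            ip = ipaddress.ip_interface(addr.strip())
            own_nets.append(ip.network)
            cmds.append(f"/ip/address/add interface={iface} address={ip.with_prefixlen}")

    for peer in peers:
        allowed = [a.strip() for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        allowed_str = ",".join(allowed)
        host, _, port = peer["Endpoint"].rpartition(":")
        cmd = (f"/interface/wireguard/peers/add interface={iface} "
               f'public-key="{peer["PublicKey"]}" allowed-address={allowed_str} '
               f"endpoint-address={host} endpoint-port={int(port)}")
        if "PersistentKeepalive" in peer:
            cmd += f" persistent-keepalive={int(peer['PersistentKeepalive'])}s"
        cmds.append(cmd)
        for a in allowed:
            net = ipaddress.ip_network(a, strict=False)
            if net in own_nets:
                continue  # connected route already comes from /ip/address
            if net.prefixlen == 0:
                if lan_subnet is None:
                    raise ValueError("AllowedIPs 0.0.0.0/0 needs lan_subnet for the routing rule")
                pre.append("/routing/table/add name=table-wireguard fib")
                cmds.append(f"/ip/route/add dst-address={net} gateway={iface} "
                            "routing-table=table-wireguard")
                post.append(f"/routing/rule/add src-address={lan_subnet} "
                            "action=lookup-only-in-table table=table-wireguard")
            else:
                cmds.append(f"/ip/route/add dst-address={net} gateway={iface}")
    return pre + cmds + post


if __name__ == "__main__":
    print("\n".join(wg_to_routeros(SAMPLE_CONF)))
```

Running it on the sample prints four commands; with `AllowedIPs = 0.0.0.0/0` and `lan_subnet="192.168.88.0/24"` it adds the routing table, a table-scoped default route and the source-address rule instead of a plain route. The listen-port is emitted only when the file sets ListenPort; otherwise RouterOS picks one, and as dragon2611 notes it is also the source port of the router's outgoing WireGuard packets, which matters when a NAT or firewall in front of the client filters by port.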
 
dragon2611
Member Candidate
Posts: 179
Joined: Fri Sep 25, 2009 12:06 am

Re: Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 9:12 pm


DL7JP wrote:
The confusing thing is the listen port on the client side, where the documentation says "Port for WireGuard service to listen on for incoming sessions". Since a client won't have incoming sessions, I guess it's irrelevant and any port will do.
Not completely, it's also the source port any packets going out from wireguard will come from*

*Before any NAT translations change it.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 10:42 pm

DL7JP wrote:
Thanks, I am getting closer ... in viewtopic.php?f=23&t=174417&p=861477&hi ... rd#p861477 I did not find the configuration for a RouterOS WG client. So, here's what I tried (the sample
Sure you did, look harder: the RB4011 is a client WG device on the diagrams; it's behind the Bell modem/router and thus is on a Bell subnet, but it's a client.
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 10:59 pm


DL7JP wrote:
The confusing thing is the listen port on the client side, where the documentation says "Port for WireGuard service to listen on for incoming sessions". Since a client won't have incoming sessions, I guess it's irrelevant and any port will do.
dragon2611 wrote:
Not completely, it's also the source port any packets going out from wireguard will come from
I see, is there more detailed documentation than https://help.mikrotik.com/docs/display/ROS/WireGuard?
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 11:03 pm

DL7JP wrote:
Thanks, I am getting closer ... in viewtopic.php?f=23&t=174417&p=861477&hi ... rd#p861477 I did not find the configuration for a RouterOS WG client. So, here's what I tried (the sample
anav wrote:
Sure you did, look harder: the RB4011 is a client WG device on the diagrams; it's behind the Bell modem/router and thus is on a Bell subnet, but it's a client.
OK taken ... but it's not straightforward how this translates into config commands :-).
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 11:39 pm

Post your config
/export hide-sensitive file=anynameyouwish so I can see the rest of the config and not just snippets.

Also a network diagram to show the relationship of the two WG routers connected by internet, and the associated wireguard devices / subnets desired on the client side.
I am assuming you mean WG to WG, where one is server and one is client?
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: Configuring RouterOS as a wireguard client

Sat Jun 19, 2021 11:52 pm

... just to complete this for the audience: I set up a route on the client
/ip route add dst-address=X.X.X.X/N gateway=192.168.100.1
all works fine, after I remembered this target subnet also has to be listed under Allowed Addresses on the client-side WG peer :-).
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Configuring RouterOS as a wireguard client

Sun Jun 20, 2021 12:34 am

In my case the IP route on the client WG router is as follows:
(1) dst=0.0.0.0/0 gateway=name of wg interface (as defined on the client router)
The table is:
(2) table-wireguard
The rule is:
(3) source address is the subnet the devices that require WG connectivity are on:
src address=192.168.xx.0/24 / Lookup ONLY in table / Table=table-wireguard

I don't use an IP address for the WG itself on either the client or server.
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: Configuring RouterOS as a wireguard client

Sun Jun 20, 2021 12:44 am

anav wrote:
Post your config
/export hide-sensitive file=anynameyouwish so I can see the rest of the config and not just snippets.

Also a network diagram to show the relationship of the two WG routers connected by internet, and the associated wireguard devices / subnets desired on the client side.
I am assuming you mean WG to WG, where one is server and one is client?
It actually turned out to be quite simple once I got it, here are the relevant parts of the client config:
# jun/19/2021 23:09:37 by RouterOS 7.1beta6
# software id = NMKX-MZTE
#
# model = 850Gx2
/interface wireguard add name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.100.2/24,N.M.0.0/16 endpoint-address=<WG server IP> endpoint-port=12345 interface=wireguard-client public-key="Server Public Key="
/ip address add address=192.168.100.2/24 interface=wireguard-client network=192.168.100.0
/ip dhcp-client add disabled=no interface=ether1
/ip route add dst-address=N.M.0.0/16 gateway=192.168.100.1
It's a test router, connected to the Internet via NAT; there is nothing else of relevance. I removed the public IPs, since I do not want to see the Internet test their setups against them.

The WG server is pretty much standard as documented in various places; it listens at <WG server IP>:12345. 192.168.100.0/24 is the subnet for the tunnel and all end points; the server endpoint 192.168.100.1 is NATing WG traffic into the target networks.

As a result, N.M.0.0/16 is reachable from the client router, I guess this should be enough for others to successfully configure RouterOS as a WG client.

Overall, I'd like to remark that the WG documentation (at least the parts I found) is hard to understand and not very precise, so it's tough to get things working. It's also hard to debug a WG setup, since there is no direct indication if a peer successfully connects, as with other VPNs. You can debug it to some extent by torch-ing the WG interface and enabling logs of corresponding fw rules firing, but it's not fun. More logging is badly needed. Besides this, speed is terrific, but deployment does not scale beyond toy scenarios with the implementation provided so far. So, I conclude with Dante Alighieri: Lasciate ogni speranza, voi ch'entrate :-).
 
viktorcode
just joined
Posts: 4
Joined: Sat Sep 21, 2019 1:51 pm

Re: Configuring RouterOS as a wireguard client

Wed Dec 08, 2021 7:27 pm

anav wrote:
In my case the IP route on the client WG router is as follows:
(1) dst=0.0.0.0/0 gateway=name of wg interface (as defined on the client router)
The table is:
(2) table-wireguard
The rule is:
(3) source address is the subnet the devices that require WG connectivity are on:
src address=192.168.xx.0/24 / Lookup ONLY in table / Table=table-wireguard

I don't use an IP address for the WG itself on either the client or server.
I tried this to make all internet requests go through my WireGuard tunnel, and it worked. But it worked too well, sending all 192.168.x.x requests into the WireGuard tunnel as well, effectively blocking me from accessing the router. Any idea how I can prevent local addresses going through the tunnel?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Configuring RouterOS as a wireguard client

Wed Dec 08, 2021 7:35 pm

Use another rule, for when destination is local subnet, then lookup only in table "main".
 
viktorcode
just joined
Posts: 4
Joined: Sat Sep 21, 2019 1:51 pm

Re: Configuring RouterOS as a wireguard client

Thu Dec 09, 2021 6:36 pm

Sob wrote:
Use another rule, for when destination is local subnet, then lookup only in table "main".
Thank you very much, that worked!
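Why Sob's extra rule fixes viktorcode's lockout, and why its position in the list matters, as an added example that is not part of this thread or of RouterOS: a Python model of how RouterOS v7 walks /routing/rule top-down and lets the first match pick the table. The LAN prefix 192.168.88.0/24, the table name table-wireguard and the host addresses are constructed values standing in for viktorcode's 192.168.x.x network.

```python
"""Model RouterOS /routing/rule evaluation for the local-subnet exception.

Added example for this thread, not MikroTik code.  It assumes rules are
matched top-down with the first match deciding the table, which is how
RouterOS v7 processes /routing/rule.  LAN and WG_TABLE are constructed
values standing in for the poster's own network and table.
"""
import ipaddress

LAN = "192.168.88.0/24"        # assumed client-side LAN
WG_TABLE = "table-wireguard"   # table holding the 0.0.0.0/0 tunnel route


def rule(action, table, src=None, dst=None):
    """One /routing/rule entry; src/dst None means 'matches anything'."""
    return {"src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None,
            "action": action, "table": table}


def select_rule(rules, src_ip, dst_ip):
    """Return the first rule whose src/dst filters both match, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        return r
    return None


def table_for(rules, src_ip, dst_ip):
    """Table the packet's route lookup starts in ('main' when no rule matches)."""
    r = select_rule(rules, src_ip, dst_ip)
    return r["table"] if r is not None else "main"


def render(rules):
    """RouterOS v7 command lines for the rule list, in evaluation order."""
    out = []
    for r in rules:
        parts = ["/routing/rule/add"]
        if r["src"] is not None:
            parts.append(f"src-address={r['src']}")
        if r["dst"] is not None:
            parts.append(f"dst-address={r['dst']}")
        parts.append(f"action={r['action']} table={r['table']}")
        out.append(" ".join(parts))
    return out


# viktorcode's setup: everything sourced from the LAN is forced into the tunnel table,
# including packets whose destination is the LAN itself (the router's own address).
ORIGINAL = [rule("lookup-only-in-table", WG_TABLE, src=LAN)]
# Sob's fix: a rule for local destinations placed before the source rule.
FIXED = [rule("lookup-only-in-table", "main", dst=LAN)] + ORIGINAL
# Same two rules in the wrong order: the exception never gets a chance to match.
WRONG_ORDER = ORIGINAL + [rule("lookup-only-in-table", "main", dst=LAN)]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} LAN->router: {table_for(rules, '192.168.88.10', '192.168.88.1'):16s}"
              f" LAN->internet: {table_for(rules, '192.168.88.10', '203.0.113.5')}")
    print("\n".join(render(FIXED)))
```

The model shows the two things the thread settles on: with only the source rule, a LAN host reaching the router's LAN address is sent to the tunnel table, and with the destination rule added but placed after the source rule nothing changes, because the source rule already matched. Only the order in FIXED sends LAN-to-LAN traffic through main and everything else from the LAN through the tunnel.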
