My RB4011 router is the "WG server" and Android mobile phones (cca 20+) will be the "WG clients" connecting to the server;
some of them will have access to LAN IPs 192.168.88.1/24 on that router, and the RB4011 WAN will serve as VPN access/connectivity for every connected client.
The RB4011 router "WG server" has a WAN public IPv4 address on "ether1", and the bridge is the LAN with ether2-10 + sfp-sfpplus1 on the 192.168.88.1/24 [10-254]
range with various servers connected. No IPv6 connectivity yet from my ISP.
I have accepted default "Firewall" config when setting up the router.
/ip firewall filter export
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat export
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
I have used the following settings, some of them borrowed from (connecting 2 sites via WG)
https://help.mikrotik.com/docs/display/ROS/WireGuard
/interface wireguard add listen-port=13231 name=wireguard1
/interface wireguard print
Or use WinBox -> WireGuard - Public key: "SERVER-PUB-KEY="
Then I installed the WireGuard app on Android
https://f-droid.org/en/packages/com.wireguard.android/
- Create from scratch -
-- Interface
--- Name: WG-VPN
--- Private key: ->/-> "generate"
--- Public key: (automatically generated in previous step - "PUB-KEY-ANDROID=" )
--- Addresses: 10.1.101.1/24
--- DNS servers: 1.0.0.1
- Add Peer -
-- Peer
--- Public key: "SERVER-PUB-KEY="
--- Pre-shared key: none
--- Persistent keepalive: none
--- Endpoint: RB4011-WAN-IP:13231
--- Allowed IP's: 0.0.0.0/0
Here are the rest of the commands to set up the WireGuard client:
/interface wireguard peers add allowed-address=10.1.101.0/24 endpoint-port=13231 interface=wireguard1 public-key="PUB-KEY-ANDROID="
/ip address add address=10.255.255.1/30 interface=wireguard1
/ip route add dst-address=10.1.101.0/24 gateway=wireguard1
/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp
I quite like the web generator for Cloudflare WARP clients:
https://github.com/maple3142/cf-warp
Or the simple WireGuard VPN user management script for IPv4/6
https://github.com/tmiklas/wg_config
that can easily regenerate the QR code in the shell:
qrencode -t ansiutf8 < ~/wg_config/users/alice/client.conf
But what is not working is access to LAN IPs 192.168.88.1/24 [10-254] while connected.
I have tried accessing the MikroTik web page at 192.168.88.1 and nothing; I tried using the Android MikroTik app (DISCOVERED) and nothing.
Any help would be greatly appreciated.
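The following is an added example of the server-side adjustments that address the symptoms above; it is not the poster's configuration. It reuses the interface name, addresses and port from the post, and the peer public keys are placeholders. Two things in the exported defconf matter here: the input rule "drop all not coming from LAN" matches wireguard1 (it is not in the LAN interface list), so any attempt to reach the router itself on 192.168.88.1 through the tunnel is dropped; and a single peer entry with allowed-address=10.1.101.0/24 only serves the one key it carries, so every phone needs its own peer entry with a unique /32. The MikroTik app's "Discovered" list relies on neighbor-discovery broadcasts that do not cross a routed tunnel, so connect to the router by IP instead.

```routeros
# Added example (not the author's config). Assumes wireguard1, 10.1.101.0/24 for clients,
# 192.168.88.1 as the router LAN address and the unmodified defconf filter rule order.

# 1. Let the defconf input rules treat the tunnel like a LAN port: this removes the
#    "drop all not coming from LAN" hit that blocks WebFig/WinBox on 192.168.88.1.
/interface list member add list=LAN interface=wireguard1

# 2. Alternative if you prefer to keep wireguard1 out of LAN: accept only management
#    traffic from the tunnel, placed before the defconf drop rule (index 4 in the export).
# /ip firewall filter add chain=input action=accept in-interface=wireguard1 \
#     dst-address=192.168.88.1 protocol=tcp dst-port=80,443,8291 \
#     comment="WG clients to router management" place-before=4

# 3. One peer per phone, each with its own key and a /32 inside 10.1.101.0/24.
#    The addresses must match the "Addresses" field in each phone's WireGuard profile.
/interface wireguard peers add interface=wireguard1 allowed-address=10.1.101.1/32 \
    public-key="PUB-KEY-PHONE-01=" comment="phone-01"
/interface wireguard peers add interface=wireguard1 allowed-address=10.1.101.2/32 \
    public-key="PUB-KEY-PHONE-02=" comment="phone-02"

# 4. The existing route already covers all clients; nothing to change.
# /ip route add dst-address=10.1.101.0/24 gateway=wireguard1

# 5. Checks: last-handshake/rx/tx per peer show whether a phone really connected,
#    and the input chain counters show which rule is matching tunnel traffic.
/interface wireguard peers print
/ip firewall filter print stats where chain=input
```

Option 1 and option 2 are alternatives, not both; pick one. After the change, test from a phone by opening http://192.168.88.1 (or WinBox to 192.168.88.1:8291) rather than relying on discovery.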