goosesensor
just joined
Topic Author
Posts: 8
Joined: Thu Apr 11, 2019 6:59 am
Location: Santa Cruz, USA

Newbie: Wireguard

Tue Dec 14, 2021 3:38 am

For a long time I've used a Debian machine behind my Mikrotik router to host an L2TP VPN with good success. I have an Arch laptop that I set up as a client to the server, so when I'm away from home I can connect the L2TP client and access all the machines on my home network. I have been wanting to set up a VPN server on the Mikrotik device itself to simplify things and cut out the Debian machine middle man. Now with RouterOS 7, and all the good things I hear about Wireguard, it seems that time has come.

Really, I am very green behind the ears when it comes to networking, but I have learned some from owning a Mikrotik router (things like NAT hairpin that you take for granted on a consumer type router). I've read a handful of tutorials on setting up Wireguard in RouterOS, and played around quite a bit but can't seem to get it working. Most of the tutorials are about connecting two Mikrotik devices in remote locations to each other in a sort of permanent tunnel. That's not what I am trying to do. What I am trying to do is set up a Wireguard server on my router, and then allow my Arch laptop and my iPhone to connect to that server and access my home network from wherever my laptop or phone may be.

What I have done is create a Wireguard (server?) via the RouterOS GUI under WireGuard -> WireGuard tab. This also created a wireguard interface for me (no address). I then created a peer under WireGuard -> Peers. I then more-or-less followed this tutorial to create a configuration for my phone: https://wireguard.how/client/ios/ I used the public key for the server on the Mikrotik router, and used the private and public keys from the "Peer" I also made on the router. I can import that configuration into my phone, and it says that the Wireguard VPN connection is connected, but I can't get any traffic through to the machines on the home network. In RouterOS if I go to WireGuard -> Peers -> {the peer I made} it says "Last Handshake: 00:00:00". I also tried setting up an address for the wireguard interface but haven't had any more luck getting any traffic through (I have little idea what I am doing here...). My home network uses IPs in the space of 10.0.1.1, 10.0.1.2, 10.0.1.3, etc.

What are the major steps involved in doing what I want to do? E.g.
1. create a WG interface
2. create a WG server (WireGuard -> WireGuard tab)
3. create a peer (WireGuard -> Peers tab)
4. (create an address for the interface?)
5. (configure the routing of WG connections into the local network 10.0.1.1, 10.0.1.2, 10.0.1.3...?)
6. configure the client device (laptop or phone) as a peer connecting to the server

Any help appreciated and thanks for the patience. :)
 
rplant
Member Candidate
Posts: 282
Joined: Fri Sep 29, 2017 11:42 am

Re: Newbie: Wireguard

Tue Dec 14, 2021 11:07 am

Some thoughts.

Check your wireguard interface, and grab the Listen Port value.

You need an Input rule for this UDP port to accept inbound wireguard traffic.
Probably right after the accept ICMP rule (assuming your config is based on or similar to the default config).
You can then try a connection test from your phone; your rule's counter should increment, even if nothing gets counted in wireguard.

The peer section on the Mikrotik should have the public key from the phone Interface, the Endpoint and Endpoint port should both be blank.
The peer section on the Phone should have the public key of the Mikrotik Wireguard interface, and the Mikrotik's IP Address (DNS Name) and Listen Port.

Routing, addresses, etc.: there are lots of ways to do this. The following is fairly simple, gives you an endpoint to ping,
and you don't need to manually add routes into the Mikrotik.

My thought
On Phone
Give the interface an IP Address of 10.0.2.8/24 ** assumes you are not using .2.x elsewhere in your network **
Peer setting: set its Allowed Address to 10.0.2.0/24 and 10.0.1.0/24
(Could also set it to 10.0.2.1/32 and 10.0.1.0/24, but 10.0.2.0/24 might be good if the Mikrotik becomes a hub for other WG clients)

On Mikrotik
Give the wireguard interface an IP Address of 10.0.2.1/24
Peer setting: allowed address=10.0.2.8/32

** Update **
In Interfaces/Interface List, Add the wireguard interface as a LAN interface.
*****

Hopefully you can now ping the Mikrotik IP address of 10.0.2.1 from the phone.
You should also be able to ping 10.0.1.x from the phone.

Good Luck
 
rplant
Member Candidate
Posts: 282
Joined: Fri Sep 29, 2017 11:42 am

Re: Newbie: Wireguard

Thu Dec 16, 2021 12:21 am

goosesensor
just joined
Topic Author
Posts: 8
Joined: Thu Apr 11, 2019 6:59 am
Location: Santa Cruz, USA

Re: Newbie: Wireguard

Fri Dec 17, 2021 11:41 pm

Thanks for your help.

I read through the above linked thread and toyed around some more, but still can't get any traffic through to my home network via LTE on my phone. The Wireguard -> Peers -> Last Handshake field does populate now when I connect WG via my phone, though.

Here is the config I use on my phone:
[Interface]
PrivateKey = <...>
Address = 10.0.2.6/32

[Peer]
PublicKey = mavrijoUR9aB4qgvbeC2OwZGubXB3jahZSOgg1tc3nY=
AllowedIPs = 10.0.2.0/24, 10.0.1.0/24
Endpoint = <domain>:13231

Here are some screen shots of the router configuration and from the Wireguard app on my phone:

 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Newbie: Wireguard

Sat Dec 18, 2021 12:12 am

Your firewall is only allowing port 13231 from LAN. If you are connecting over LTE, it will need to allow 13231 from anywhere, not just LAN.
 
goosesensor
just joined
Topic Author
Posts: 8
Joined: Thu Apr 11, 2019 6:59 am
Location: Santa Cruz, USA

Re: Newbie: Wireguard

Sat Dec 18, 2021 12:16 am

Fixed that, still no dice :(
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Newbie: Wireguard

Sat Dec 18, 2021 1:19 am

Picture seven allows one to extract your public address.

Update: fixed.
Last edited by msatter on Tue Dec 21, 2021 12:05 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Newbie: Wireguard

Mon Dec 20, 2021 6:11 pm

My iPhone works fine via WireGuard; check out the diagram (note I don't use any IP addresses for the WireGuard interface).
viewtopic.php?t=174417#p859788
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Newbie: Wireguard

Mon Dec 20, 2021 11:23 pm

I thought the original poster fixed the issue but the messages have vanished into the ether when the forum was restored from a backup.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Newbie: Wireguard

Mon Dec 20, 2021 11:50 pm

maybe his nick was ghost not goose ;-)
 
erikklavora
just joined
Posts: 1
Joined: Mon Oct 14, 2019 3:59 pm

Re: Newbie: Wireguard

Thu Feb 24, 2022 8:26 pm

I had the same problem as the OP (I know that it's a little late for this answer, but for others like me)... he should just masquerade the wireguard subnet:
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.0.2.0/24
and it would start to work... I was banging my head for some time before realising this :? :D
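Pulling the thread together, here is a RouterOS 7 CLI version of the road-warrior setup rplant described (interface, tunnel address, peer, LAN list membership, input rule) plus the masquerade rule from this post. It is an added example, not configuration posted by anyone in the thread; the phone's public key is a placeholder, and the defconf rule comment it places the input rule before is assumed to match the stock default config.

```routeros
# Added example, not from any poster in this thread. Values: UDP 13231 and
# 10.0.2.0/24 as used above; placeholders are marked.

# 1. WireGuard interface listening on UDP 13231. Its public key (shown by
#    "print detail") goes into the phone's [Peer] PublicKey.
/interface/wireguard add name=wireguard1 listen-port=13231
/interface/wireguard print detail

# 2. Router-side tunnel address; the phone uses 10.0.2.8 in the same /24.
/ip/address add address=10.0.2.1/24 interface=wireguard1

# 3. Peer entry for the phone: the PHONE's public key, no endpoint (the phone
#    initiates), and allowed-address limited to that one client IP so a
#    client cannot source traffic from other addresses.
/interface/wireguard/peers add interface=wireguard1 \
    public-key="<PHONE_PUBLIC_KEY_PLACEHOLDER>" allowed-address=10.0.2.8/32

# 4. Treat the tunnel as LAN so the default forward rules apply to it.
/interface/list/member add list=LAN interface=wireguard1

# 5. Accept inbound handshakes from anywhere (LTE clients are not on LAN).
#    Placed before the stock "drop all not coming from LAN" input rule;
#    adjust the comment text if your default config differs (assumption).
/ip/firewall/filter add chain=input protocol=udp dst-port=13231 \
    action=accept comment="WireGuard handshakes" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# 6. The masquerade from this post, narrowed to traffic leaving towards LAN:
#    replies from LAN hosts that do not use the router as their gateway then
#    return to the router's own LAN address instead of being dropped.
/ip/firewall/nat add chain=srcnat action=masquerade src-address=10.0.2.0/24 \
    out-interface-list=LAN comment="WireGuard clients to LAN"

# Check: after the phone connects, the peer should show a recent handshake
# and the input rule's packet counter should be non-zero.
/interface/wireguard/peers print
/ip/firewall/filter print stats where comment="WireGuard handshakes"
```

If the masquerade in step 6 is added without narrowing (as in the post above), it also applies to WireGuard-sourced traffic leaving via WAN, which the default config's WAN masquerade already covers.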
 
jchernan
just joined
Posts: 1
Joined: Sun Mar 27, 2022 1:24 am

Re: Newbie: Wireguard

Fri Apr 08, 2022 3:40 pm

Thank you, erikklavora. The masquerade solved my issue as well.
