I really like WireGuard for its simplicity and ease of setup. I use it at home on my RB3011 as the "hub" and I have several peers that connect to it.
I haven't really put it to the test in terms of throughput/performance because my WAN link is only 60 Mbps, but the latency/responsiveness and reliability/stability of the communication look good.
I have a Pihole server that serves as the main DNS for all devices at home. I manage two more networks (my mom's and a kindergarten in a nearby village). I have configured WireGuard to connect those two networks to my home and configured the Pihole as their DNS server too. So, they can also benefit from some blocked ads and stuff. I can also easily connect to those remote networks for maintenance, updates and troubleshooting when needed.
I also use WireGuard to connect to my home network from my iPhone when I'm away from home.
I do not have a public IP address. My ISP only forwards one UDP port to my router, and that's how the WireGuard is exposed to the Internet.
There will probably be many things that can be done better or differently. I am open to suggestions and constructive criticism.
Here are some key things that I have learned along the way:
- One IP address and one UDP port on the Hub is sufficient to get the WireGuard working
- When both devices have public IP and port, anyone can establish the tunnel
- When a device (a MikroTik router that participates in the tunnel) is hidden (it doesn't have a public IP and port because it's behind a NAT), the VPN tunnel can be established only by triggering the communication from the "hidden device" to the "public device"
- The tunnel is only established when there's some communication pointed/routed to it, therefore it's good to use persistent-keepalive on the "hidden device", so that it keeps the tunnel active and the "public device" can access the other side at any time (more in the example below)
- One WireGuard interface (a Hub) can handle multiple Peers, but the allowed-address plays a key role in where the traffic will go. If more than one Peer is configured with allowed-address=0.0.0.0/0, only the first one in the list will get all the traffic routed to it and the other Peers will be inaccessible.
- Use pref-src in routes on Peers that have a dst-address other than 0.0.0.0/0 (Kindergarten and Mom in my case). Without it, the ping or DNS requests from the Peer to the Hub won't work. (I don't know why exactly. Someone here will surely be able to explain.)
- Firewall rules can block the WireGuard communication
- Add the WireGuard interface to the LAN interface list if you use the default "defconf: drop all not coming from LAN" firewall rule
- Keep track of the IPs you have used in the WireGuard network (10.254.254.0/24 in my case) so you don't assign already used IP to a new device
Example:
(I will share only the WireGuard relevant bits here. If you are interested in the DNS/Pihole setup or something else, let me know)
Since the kindergarten and my mom's routers are behind a NAT, they are the ones who have to start the VPN tunnel. Therefore the persistent-keepalive on their side is a must.
My home RB3011 (ROS 7.1.1) as the Hub for all the VPN tunnels:
/interface wireguard
add listen-port=8360 mtu=1420 name=wireguard-out
/interface wireguard peers
add allowed-address=10.254.254.2/32 comment=iPhone interface=wireguard-out public-key="xxx="
add allowed-address=192.168.88.0/24,10.254.254.4/32 comment=Mom interface=wireguard-out public-key="yyy="
add allowed-address=192.168.150.0/24,10.254.254.3/32 comment=Kindergarten interface=wireguard-out public-key="zzz="
/interface list member
add interface=wireguard-out list=LAN
/ip address
add address=192.168.111.1/24 comment=my_net interface=bridge network=192.168.111.0
add address=192.168.17.24/24 interface=ether1 network=192.168.17.0 comment=WAN
add address=10.254.254.1/24 interface=wireguard-out network=10.254.254.0 comment=WireGuard
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.17.1 pref-src="" routing-table=main suppress-hw-offload=no comment=WAN
add disabled=no distance=1 dst-address=192.168.150.0/24 gateway=wireguard-out pref-src=192.168.111.1 routing-table=main suppress-hw-offload=no comment=Kindergarten
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard-out pref-src=192.168.111.1 routing-table=main suppress-hw-offload=no comment=Mom
My mom's RB941-2nD (ROS 7.1.1) as the Peer (hidden behind its ISP's NAT, no public IP or port):
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=public_IP_address_of_my_ISP endpoint-port=8360 interface=wireguard1 persistent-keepalive=2m public-key="aaa="
# my ISP forwards UDP port 8360 to my router
/interface list member
add interface=wireguard1 list=LAN
/ip address
add address=192.168.88.1/24 comment=my_net interface=ether2 network=192.168.88.0
add address=10.254.254.4/24 interface=wireguard1 network=10.254.254.0
# WAN IP obtained from DHCP
/ip route
# default route as per DHCP
add disabled=no distance=1 dst-address=192.168.111.0/24 gateway=wireguard1 pref-src=192.168.88.1 routing-table=main suppress-hw-offload=no
Kindergarten RB2011iL (ROS 7.1.1) as the Peer (hidden behind its ISP's NAT, no public IP or port):
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=public_IP_address_of_my_ISP endpoint-port=8360 interface=wireguard1 persistent-keepalive=2m public-key="aaa="
# my ISP forwards UDP port 8360 to my router
/interface list member
add interface=wireguard1 list=LAN
/ip address
add address=192.168.150.1/24 comment=my_net interface=ether2 network=192.168.150.0
add address=192.168.50.16/24 comment=WAN interface=ether1 network=192.168.50.0
add address=10.254.254.3/24 interface=wireguard1 network=10.254.254.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.50.100 comment=WAN
add disabled=no distance=1 dst-address=192.168.111.0/24 gateway=wireguard1 pref-src=192.168.150.1 routing-table=main suppress-hw-offload=no
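As an added example (this is not part of the original post and not the poster's own tooling), here is a small Python checker for a hub peer list of the kind shown above. It parses `/interface wireguard peers add ...` lines in RouterOS export form, builds the cryptokey routing table (every allowed-address prefix belongs to exactly one peer, and a packet leaving the interface goes to the peer with the longest matching prefix), flags a prefix that two peers both claim (the two-peers-with-0.0.0.0/0 mistake from the list above), and hands out the next free /32 in the tunnel network so an already used address is not reused. The tunnel network 10.254.254.0/24 and the hub address .1 are taken from the post; the peer lines and public keys in the sample are constructed placeholders.

```python
"""Sanity-check a WireGuard hub's peer list before adding a new peer.

Added example, not the poster's own tooling.  It assumes the addressing from the
post (tunnel network 10.254.254.0/24, hub at .1) and parses the
'/interface wireguard peers add ...' lines as exported by RouterOS.
"""
import ipaddress
import re

TUNNEL_NET = ipaddress.ip_network("10.254.254.0/24")   # from the post
HUB_ADDR = ipaddress.ip_address("10.254.254.1")         # hub's own tunnel address

# Constructed sample modelled on the RB3011 export above; keys are placeholders.
HUB_PEERS = """\
add allowed-address=10.254.254.2/32 comment=iPhone interface=wireguard-out public-key="xxx="
add allowed-address=192.168.88.0/24,10.254.254.4/32 comment=Mom interface=wireguard-out public-key="yyy="
add allowed-address=192.168.150.0/24,10.254.254.3/32 comment=Kindergarten interface=wireguard-out public-key="zzz="
"""

# Constructed sample of the mistake described in the post: two peers both
# claiming 0.0.0.0/0 on the same interface.
TWO_DEFAULT_PEERS = """\
add allowed-address=0.0.0.0/0 comment=siteA interface=wireguard-out public-key="aaa="
add allowed-address=0.0.0.0/0 comment=siteB interface=wireguard-out public-key="bbb="
"""

_KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_peers(text):
    """Turn 'add ...' lines into [{'name': ..., 'allowed': [IPv4Network, ...]}]."""
    peers = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        kv = {k: v.strip('"') for k, v in _KV.findall(line[4:])}
        allowed = [ipaddress.ip_network(a) for a in kv["allowed-address"].split(",")]
        peers.append({"name": kv.get("comment", kv["public-key"]), "allowed": allowed})
    return peers


def routing_table(peers):
    """Build the cryptokey routing table: every allowed-address prefix belongs to
    exactly one peer.  A prefix listed under two peers is returned as a conflict;
    which peer actually ends up owning it is implementation-specific, so the
    safe rule is simply never to do it."""
    table, conflicts = {}, []
    for peer in peers:
        for net in peer["allowed"]:
            owner = table.setdefault(net, peer["name"])
            if owner != peer["name"]:
                conflicts.append((net, owner, peer["name"]))
    return table, conflicts


def peer_for(table, dst):
    """Which peer receives a packet to dst: longest-prefix match over the
    allowed-address prefixes, which is how WireGuard picks the peer on the way
    out of the interface.  None means no peer claims the address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, name in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def used_tunnel_addrs(peers):
    """Tunnel /32s already handed out (plus the hub's own address)."""
    used = {HUB_ADDR}
    for peer in peers:
        for net in peer["allowed"]:
            if net.prefixlen == net.max_prefixlen and net.network_address in TUNNEL_NET:
                used.add(net.network_address)
    return used


def next_free_tunnel_addr(peers):
    """Lowest unused host address in the tunnel network."""
    used = used_tunnel_addrs(peers)
    for host in TUNNEL_NET.hosts():
        if host not in used:
            return host
    raise RuntimeError("tunnel network exhausted")


def new_peer_command(peers, comment, public_key, lan=None):
    """Render the RouterOS command for a new hub peer: next free tunnel /32, plus
    the remote LAN prefix when it is a site-to-site peer like Mom/Kindergarten."""
    allowed = [f"{next_free_tunnel_addr(peers)}/32"] + ([lan] if lan else [])
    return (f'/interface wireguard peers add allowed-address={",".join(allowed)} '
            f'comment={comment} interface=wireguard-out public-key="{public_key}"')


if __name__ == "__main__":
    peers = parse_peers(HUB_PEERS)
    table, conflicts = routing_table(peers)
    print("conflicts:", conflicts)                                # []
    print("192.168.88.20 ->", peer_for(table, "192.168.88.20"))  # Mom
    print(new_peer_command(peers, "Office", "ccc=", "192.168.60.0/24"))
    _, bad = routing_table(parse_peers(TWO_DEFAULT_PEERS))
    print("two default peers:", bad)   # one conflict on 0.0.0.0/0: siteA vs siteB
```

Run it against the hub's own `/interface wireguard peers export` output to get the same checks on the live config; the conflict list is the thing to look at before pasting the generated `add` line into the RB3011.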