Get a cloud VM with a public IP, host a WireGuard server on it, connect to it from the Mikrotik router, and port forward everything from the VM to the Mikrotik through the WireGuard tunnel.
Other notes:
- Linode offers its cheapest instance for $5/month, and you get 4 TB of monthly outbound (TX) traffic. Inbound (RX) traffic is not counted (free).
- The DDNS name assigned by Mikrotik's /ip cloud no longer works. Consider using your own domain or a free DDNS such as duckdns.org.
- With the method below you won't be able to use ports 22/tcp and 51820/udp for forwarded services (they can be changed, though).
If your ISP does not give you a public IP (which is the case for basically anyone living on mobile data), you cannot host anything on your home network. My specific use case was a Home Assistant server at home: I wanted my phone to send its location to it, but that was not possible without direct connectivity. Solution: I needed direct connectivity from the internet to my router, which port forwards to my server.
Instructions
Go to linode.com and order the cheapest instance (shared CPU, 1 core, 1 GB of RAM, $5/month) with the latest Rocky Linux. At the time of writing I used Rocky Linux 8.
Connect to the instance via SSH as the root user and execute the following commands by literally copying and pasting them all into the terminal:
# Update system
dnf update -y --refresh
# Install additional repos
dnf install -y elrepo-release epel-release
# Install wireguard tools (and iptables, which the PostUp/PostDown rules below rely on)
dnf install -y kmod-wireguard wireguard-tools iptables
# Stop & disable firewalld
systemctl disable --now firewalld.service
# Enable IP forwarding now and persist it across the reboot below
# (sysctl -w alone does not survive a reboot)
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
cat <<EOT > /etc/sysctl.d/99-wireguard-forwarding.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOT
# Generate wireguard keys
cd /etc/wireguard && wg genkey | (umask 0077 && tee server.key) | wg pubkey > server.pub
cd /etc/wireguard && wg genkey | (umask 0077 && tee client.key) | wg pubkey > client.pub
# Create wireguard server config file /etc/wireguard/wg0.conf
cat <<EOT > /etc/wireguard/wg0.conf
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = $(</etc/wireguard/server.key)
# Keep 22/tcp and 51820/udp for the VM itself; DNAT every other connection
# arriving on the public interface to the router's tunnel address. The DNAT
# rule excludes wg0 so connections the router opens towards the VM over the
# tunnel are not bounced back to the router.
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 22 -j ACCEPT
PostUp = iptables -t nat -A PREROUTING -p udp --dport 51820 -j ACCEPT
PostUp = iptables -t nat -A PREROUTING ! -i wg0 -j DNAT --to-destination 10.200.200.2
PostUp = iptables -t nat -A POSTROUTING -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -p tcp --dport 22 -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -p udp --dport 51820 -j ACCEPT
PostDown = iptables -t nat -D PREROUTING ! -i wg0 -j DNAT --to-destination 10.200.200.2
PostDown = iptables -t nat -D POSTROUTING -j MASQUERADE
# Mikrotik router
[Peer]
PublicKey = $(</etc/wireguard/client.pub)
AllowedIPs = 10.200.200.2/32
EOT
# Generate Mikrotik commands list by executing below multiline command
cat <<EOT > /etc/wireguard/mikrotik_commands.txt
# Create wireguard interface
/interface wireguard add listen-port=13235 mtu=1420 name=wg99 private-key="$(</etc/wireguard/client.key)"
# Connect to the wireguard server
/interface wireguard peers add allowed-address=10.200.200.0/24 endpoint-address=$(curl -sL https://ipv4.wtfismyip.com/text) endpoint-port=51820 interface=wg99 persistent-keepalive=25s public-key="$(</etc/wireguard/server.pub)"
# Set IP for wireguard interface
/ip address add address=10.200.200.2/24 interface=wg99 network=10.200.200.0
# Exclude such traffic from fasttrack/allow in firewall
/ip firewall filter add action=accept chain=forward in-interface=wg99 place-before=[find where action=fasttrack-connection]
/ip firewall filter add action=accept chain=forward out-interface=wg99 place-before=[find where action=fasttrack-connection]
EOT
# Enable wireguard server on boot
systemctl enable wg-quick@wg0.service
# Reboot the system
reboot
After the reboot, log in again and print the generated Mikrotik command list in /etc/wireguard/mikrotik_commands.txt, then paste its contents into your Mikrotik terminal:
cat /etc/wireguard/mikrotik_commands.txt
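Once the commands are pasted, the router should complete a handshake within seconds. The check below is an added example (not code from the original post) for the VM side: it parses the output of `wg show wg0 dump`, where the first line describes the interface and each following tab-separated line is one peer with its latest handshake as a Unix timestamp in the fifth field (0 if it never handshaked). The interface name wg0, the 25-second keepalive and the 180-second threshold are taken from the setup above; the sample dump used when no wg0 exists is constructed.

```shell
#!/bin/sh
# Tunnel health check for the VM side (added example, not from the original post).
# Input is the text of "wg show wg0 dump": line 1 is the interface, every other
# line is one peer whose latest handshake (Unix time, 0 = never) is field 5.

# With persistent-keepalive=25s a healthy peer re-handshakes every couple of
# minutes, so a handshake older than MAX_AGE seconds means the tunnel is down.
MAX_AGE=${MAX_AGE:-180}

# Usage: wg_stale_peers "<dump text>" <now-epoch>
# Prints "<peer public key> <age in seconds|never>" for every stale peer.
# Returns 0 when all peers handshaked within MAX_AGE, 1 otherwise.
wg_stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$MAX_AGE" '
        NR == 1 { next }                       # interface line, not a peer
        NF >= 8 {
            hs = $5
            if (hs == 0)             { print $1, "never";   bad = 1 }
            else if (now - hs > max) { print $1, now - hs;  bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Live check when run on the VM; skipped where wg0 does not exist.
if [ -e /sys/class/net/wg0 ] && command -v wg >/dev/null 2>&1; then
    if wg_stale_peers "$(wg show wg0 dump)" "$(date +%s)"; then
        echo "wg0: every peer handshaked within ${MAX_AGE}s"
    else
        echo "wg0: stale peers listed above; check the Mikrotik peer endpoint, port and keepalive" >&2
    fi
fi
```

Run it from cron or a systemd timer on the VM and alert on a non-zero exit: a peer that stops handshaking is the first sign that the router lost connectivity or that the endpoint address in the Mikrotik peer no longer matches the VM.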
Once done, you should have connectivity via the Linode instance's public IP address. Try forwarding a port on your Mikrotik router (dst-nat) and then probing that port on the Linode instance's public IP: it should answer whatever the service behind your router is supposed to answer.
Note that the forwarded traffic arrives on the wg99 interface with source IP 10.200.200.1 (the VM masquerades it), so you might need to adjust your port forwarding rules accordingly: match on in-interface=wg99 rather than on your WAN interface. Because of the masquerading, the home side never sees the real client address, so any per-client logging, rate limiting or blocking has to be done on the VM.
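A way to produce those adjusted port-forward rules, in the same spirit as the command generator above: the following is an added example and not code from the original post. It assumes the addressing used in this post (tunnel interface wg99, router tunnel address 10.200.200.2, forwarded connections arriving from 10.200.200.1) and uses a constructed LAN host and ports at the bottom.

```shell
#!/bin/sh
# Generates the RouterOS rules that publish one LAN service through the tunnel
# (added example, not from the original post). Assumes the addressing above.
WG_IF=wg99
WG_ADDR=10.200.200.2

# Usage: mt_forward_rules <tcp|udp> <public port> <LAN host> <LAN port>
# Prints two RouterOS commands; returns 1 on invalid input without printing.
mt_forward_rules() {
    proto=$1; pport=$2; host=$3; lport=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp: $proto" >&2; return 1 ;;
    esac
    for p in "$pport" "$lport"; do
        case "$p" in
            ''|*[!0-9]*) echo "port must be numeric: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    # Match the tunnel interface and the router's tunnel address, not the WAN
    # interface or a source address: after the VM's MASQUERADE the source is
    # always 10.200.200.1, so src-address based rules cannot tell clients apart.
    printf '/ip firewall nat add chain=dstnat in-interface=%s dst-address=%s protocol=%s dst-port=%s action=dst-nat to-addresses=%s to-ports=%s comment="fwd-%s-%s"\n' \
        "$WG_IF" "$WG_ADDR" "$proto" "$pport" "$host" "$lport" "$proto" "$pport"
    # Narrower alternative to the blanket "accept in-interface=wg99" forward
    # rule used above: only connections dst-natted by the rule above pass,
    # and the forward chain sees the post-NAT LAN address and port.
    printf '/ip firewall filter add chain=forward in-interface=%s connection-nat-state=dstnat protocol=%s dst-address=%s dst-port=%s action=accept place-before=[find where action=fasttrack-connection] comment="fwd-%s-%s"\n' \
        "$WG_IF" "$proto" "$host" "$lport" "$proto" "$pport"
}

# Constructed example: publish public port 443/tcp to a LAN host on port 8443.
mt_forward_rules tcp 443 192.168.88.10 8443
```

Paste the printed lines into the Mikrotik terminal one service at a time; the comment on each rule makes it easy to remove a forward later with `/ip firewall nat remove [find comment="fwd-tcp-443"]`.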