I'm trying to set up Mikrotik router as a WireGuard peer and then route requests to specific addresses via the WireGuard peer on a VPS in a datacenter. It seems to work, but very slow. Strange enough, if I'm running some sort of speedtest, i.e. fast.com, it gets up to 50-70Mbps, but general web browsing its extremely slow.
I've tried playing around with MTU with little success. Added change-mss in the mangle chain like some suggested on the internet, but it did not help either. I've connected with my phone to the same wg peer as the router to test the experience and everything is as fast as without wg.
What I'm trying to achieve:
General internet access
LAN(192.168.11.0)->ether1->target website
Access to VPNLISTed sites:
LAN(192.168.11.0)->ether1->wg0->VPS wg peer->target website
Access from VPNed addresses in LAN:
LAN(192.168.11.0)->ether1->wg0->target website
Clients reaching home network via wghome should be able to access 192.168.11.0/24 and access internet like they are part of the LAN.
I'm new to the forum, but it seems that the configuration is the first thing that gets asked, so here is the /export compact from the router
Code: Select all
# sep/03/2022 16:03:00 by RouterOS 7.4.1
/interface bridge
add admin-mac=2C:C8:1B:58:D0:27 auto-mac=no comment=defconf name=bridge
add name=bridge-iot
/interface ethernet
set [ find default-name=ether1 ] comment="Internet access"
set [ find default-name=ether2 ] comment=LAN
/interface wireguard
add comment="gate.homedomain.com outgoing WireGuard interface" listen-port=29411 mtu=1420 name=wg0
add comment="incoming WireGuard interface" listen-port=55800 mtu=1420 name=wghome
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=tikapp-sec
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys name=GATE supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=IoT supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys name=loopwpa2 supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto installation=outdoor mode=ap-bridge security-profile=loopwpa2 ssid=loop24
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce disabled=no frequency=auto installation=indoor mode=ap-bridge security-profile=loopwpa2 ssid=loop
set [ find default-name=wlan3 ] band=5ghz-a/n/ac channel-width=20/40mhz-XX disabled=no hide-ssid=yes installation=indoor mode=bridge security-profile=GATE ssid=SYNC-58D02A \
wireless-protocol=nv2
add default-forwarding=no disabled=no mac-address=2E:C8:1B:58:D0:28 master-interface=wlan1 name=wlan4 security-profile=IoT ssid=IoT24 wds-default-bridge=bridge-iot wps-mode=\
disabled
/interface wireless nstreme
set wlan3 enable-nstreme=yes enable-polling=no
/ip pool
add comment="Default local clients pool" name=dhcp ranges=192.168.11.100-192.168.11.200
add comment="iot virtual wireless interface DHCP" name=iot-pool ranges=192.168.111.100-192.168.111.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1h name=defconf
add address-pool=iot-pool interface=bridge-iot lease-time=1h name=iot-dhcp
/queue type
add kind=pfifo name=pfifo250 pfifo-limit=250
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=wg-route
/caps-man manager interface
set [ find default=yes ] forbid=yes
add comment=defconf disabled=no interface=bridge
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan3
add bridge=bridge-iot ingress-filtering=no interface=wlan4
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="WireGuard is a way to get to the internet" interface=wg0 list=WAN
add comment="WireGuard gateway for external clients to connect home" interface=wghome list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 comment=gate.homedomain.com endpoint-address=88.99.77.55 endpoint-port=55670 interface=wg0 persistent-keepalive=25s public-key=\
"publickey1"
add allowed-address=10.0.20.2/32 comment=MacBook interface=wghome public-key="publickey2"
add allowed-address=10.0.20.3/32 comment=iPhone interface=wghome public-key="publickey3"
/interface wireless cap
set caps-man-addresses=127.0.0.1 interfaces=wlan1,wlan2
/ip address
add address=192.168.11.1/24 comment=defconf interface=ether2 network=192.168.11.0
add address=192.168.111.1/24 interface=bridge-iot network=192.168.111.0
add address=10.8.0.5/24 comment="WireGuard peer address provided by VPS" interface=wg0 network=10.8.0.0
add address=10.0.20.1/24 comment="Wireguard interface for home calling" interface=wghome network=10.0.20.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.11.167 client-id=1:cc:d2:81:80:9:2 mac-address=CC:D2:81:80:09:02 server=defconf
/ip dhcp-server network
add address=192.168.11.0/24 comment=defconf dns-server=192.168.11.1 domain=homedomain.com gateway=192.168.11.1 netmask=24
add address=192.168.111.0/24 comment="IoT DHCP Server" dns-server=1.1.1.1 gateway=192.168.111.1 netmask=24
/ip dns
set allow-remote-requests=yes max-concurrent-tcp-sessions=50 use-doh-server=https://one.one.one.one/dns-query verify-doh-cert=yes
/ip firewall address-list
add address=twitter.com list=VPNLIST
add address=192.168.11.0/24 list=allowed-ips
add address=10.0.20.0/24 list=allowed-ips
add address=192.168.11.167 comment=AlwaysViaWG list=VPNed
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="Drop wrong interface incoming" in-interface-list=!LAN src-address-list=allowed-ips
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="WireGuard incoming interface wghome" dst-port=55800 protocol=udp
add action=accept chain=input comment="Allow router access from allowed-ips list" src-address-list=allowed-ips
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="Drop all undefined above"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward dst-address=192.168.11.0/24 src-address=192.168.111.0/24
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=wg0
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wg0 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=mark-routing chain=prerouting connection-nat-state=!dstnat dst-address=!192.168.11.0/24 new-routing-mark=wg-route passthrough=no src-address-list=VPNed
add action=mark-routing chain=prerouting comment="Mark packets to be routed via WireGuard" connection-nat-state=!dstnat dst-address-list=VPNLIST new-routing-mark=wg-route \
passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Vaultwarden internet access" disabled=yes dst-port=31281 in-interface=all-ethernet protocol=tcp to-addresses=192.168.11.11 to-ports=\
31281
add action=dst-nat chain=dstnat comment="Re-route all DNS requests back to Mikrotik. Except for one device" dst-address=!192.168.11.1 dst-port=53 log-prefix=dns-route \
protocol=udp src-address=!192.168.11.167 to-addresses=192.168.11.1 to-ports=53
/ip route
add disabled=no distance=1 dst-address="" gateway=*C routing-table=*400 scope=30 suppress-hw-offload=no target-scope=10
add comment="Route all marked via WireGuard interface" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" routing-table=wg-route suppress-hw-offload=no
/routing rule
add action=lookup-only-in-table routing-mark=wg-route table=wg-route