# sep/25/2022 13:31:51 by RouterOS 7.5
# software id = VE92-QR7V
#
# model = RB2011UiAS-2HnD
# serial number = xxxxxxxxxxxxxx
/interface bridge
add admin-mac=DC:2C:6E:3F:37:9F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-3F37A8 wireless-protocol=802.11
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=*13 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=wg.mydomain.net endpoint-port=\
51820 interface=wireguard-vpn persistent-keepalive=25s public-key=\
"E1X0GkYMieiKNWzxxxxxxxxxxx0rTwncA22LbDBDE="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.8.0.13/24 interface=wireguard-vpn network=10.8.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/lcd
set time-interval=hour
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
,ether9,ether10"
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Sorry, but this is nonsense. If you get address from ISP using DHCP, you also get default route the same way. You could set it manually and it would work, sure, but where would you even get the gateway address from? You can't just take the one you see when default route from DHCP is enabled, because it can change.I dont see any IP routes so assuming you set the route "add default route" in your IP DHCP client settings.
You need to uncheck that and make routes manually so it will all be clear.
something as simple as:
add dst-address=0.0.0.0/0 gwy=ISPgatewayIP
The MT should connect to my external Wireguard server. So i can reach him to make mods, without beeing on its position.However, I may have misread your intentions totally.
Are you meaning to use the mikrotik router as the server or the client...........................
Yes, the MT wireguard should only act as client (peer).All this time I thought you were using the router to connect to a remote wireguard server somewhere??????????????
Now it appears you want the mt router to act as a server for incoming external clients.........
Ur right. I will try it to make a diagram...Can you please add a network diagram to clear it up?
Yes, my Wireguard Server is simply a Vserver with fixed v4 IP and domain. Running docker and wireguard in it...I see....
So the Server is off site, and you want to use the server to reach your MT whenever you are away from it for config purpose and other purposes.
So the Server is simply a conduit to all the users that need to reach your router.
My Wireguard instance can't be the problem. There are 20 clients connected and running. As the WG is running in docker, there is no way to see logs. That is something i have to activate, and that is nothing i can do now, without disconnecting all clients.You should be able to see the initial traffic heading out the router wan on the wireguard port...................... unless the other end responds you wont see any handshaking.
I suspect at this point its your VS server the remote wireguard instance that is being the problem,
best to post all the config of that here...........
[Interface]
PrivateKey = kBb/1TG3sQRoESyB******************vB113+B9y52k=
Address = 10.8.0.13/24
DNS = 8.8.8.8
[Peer]
PublicKey = E1X0GkYMieiKN******************uTwncA22LbDBDE=
PresharedKey = B70hkZ/56/p******************HnbhJq/vDoPTDyjr7U=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = wg.domain.net:51820
Yes, the public system has many peers. The software running on it is:I have no clue what you mean by my PUBLIC wireguard PEER. If its the device with the Public IP it acts as a server for the connection. So it has multiple peers, whereas the rest of the clients have only one peer.
/interface wireguard
add <other options> private-key="key from Interface/PrivateKey"
/interface wireguard peers
add <other options> public-key="key from Peer/PublicKey" preshared-key="key from Peer/PresharedKey"
>>>>>>>>>> This file can downloaded from client (peer) or read by QR Code.
[Interface]
PrivateKey = cE9i1nynqEbAP5*****************DyQuuygHw=
Address = 10.8.0.13/24
DNS = 8.8.8.8
[Peer]
PublicKey = E1X0GkYMieiKNWz****************0rTwncA22LbDBDE=
PresharedKey = BMEQOgVJlMGd****************lvde194CZAZjIe0=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = wg.domain.net:51820
>>>>>>>>>>> Thats all. No more information for every peer.!!
##############################################################
##############################################################
>>>>>>>>>>> The "server", who all peers are connecting to, has two configs.
>>>>>>>>>>> None of the keys on that server i am able to change!
Server wg.conf (part of)
# Client: db0et-router (8c13e49d-****-4b34-9785-aebcfa84df99)
[Peer]
PublicKey = pjG9xABXlQvjyrF**************GdH8UfF51hnPEMKDM=
PresharedKey = BMEQOgVJlMG******************vde194CZAZjIe0=
AllowedIPs = 10.8.0.13/32
##############################################################
Server wg.json
{
"server": {
"privateKey": "WJI2xJ3VEB1TG************4ix8CJWqqEJDsWh38=",
"publicKey": "E1X0GkYMieiKNW***************rTwncA22LbDBDE=",
"address": "10.8.0.1"
},
##############################################################
On Peer MT:If the key-pairs are not correct, there will be no communication.
Take peer A and peer B (there is no client/server in wireguard, only peers).
On Peer A you enter Public key of interface of peer B.
On Peer B you enter Public key of interface of peer A.
See here for more info:
https://help.mikrotik.com/docs/display/ROS/WireGuard
There it is not possible to insert the pub key, that the mt interface should use...?? (no autogenerate)Keys should be like this:
Code: Select all/interface wireguard add <other options> private-key="key from Interface/PrivateKey"
DoneShoot me a config at <username> AT gmail DOT com
I'll set up a connection from my side on a MT device.
[xyz@mAPLite] /interface/wireguard> export show-sensitive
# sep/27/2022 09:23:25 by RouterOS 7.6beta8
# software id = IFN6-V3SY
#
# model = RBmAPL-2nD
# serial number = <serial>
/ip address
add address=10.8.0.14/24 interface=TESTWG network=10.8.0.0
/interface wireguard
add listen-port=51820 mtu=1420 name=TESTWG private-key=\
"<private key>"
/interface wireguard peers
add allowed-address=10.8.0.0/24 endpoint-address=<endpoint address> endpoint-port=51820 interface=\
TESTWG persistent-keepalive=25s preshared-key="rSgJ3NCQBn5rTjO1vmgTb5+tCWfG8A4mVoWB1LZxeYk=" \
public-key="E1X0GkYMieiKNWzNudK3xmQjI1ih0rTwncA22LbDBDE="
And you don't need to. Public key is derived from private key. So if you set private key for WG interface on client, then its public key will be the one that server expects.But the pub key from "Wireguard" interface setting is maybe the problem. I cannot change any keys on the server!!!
# sep/28/2022 15:46:47 by RouterOS 7.5
# software id = VE92-QR7V
#
# model = RB2011UiAS-2HnD
# serial number = C44F0F387D53
/interface bridge
add name=bridge-hamnet
add name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan1
set [ find default-name=ether2 ] name=ether2-hamnet-antenna
set [ find default-name=ether3 ] name=ether3-hamnet
set [ find default-name=ether4 ] name=ether4-hamnet
set [ find default-name=ether5 ] name=ether5-hamnet
set [ find default-name=ether6 ] name=ether6-hamnet
set [ find default-name=ether7 ] name=ether7-lan
set [ find default-name=ether8 ] name=ether8-lan
set [ find default-name=ether9 ] name=ether9-lan
set [ find default-name=ether10 ] name=ether10-lan
set [ find default-name=sfp1 ] name=sfp1-wan2
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-vpn private-key=\
"sC6gdvCrND############a1JHirIxa+HM="
/interface list
add name=WAN
add name=HAMNET ????? Have deleted them... In export not????????
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_hamnet ranges=192.168.88.10-192.168.88.25
add name=dhcp_pool_lan ranges=192.168.10.1-192.168.10.100
/ip dhcp-server
add address-pool=dhcp_pool_hamnet interface=bridge-hamnet name=dhcp1
add address-pool=dhcp_pool_lan interface=bridge-lan name=dhcp2
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-hamnet interface=ether3-hamnet
add bridge=bridge-hamnet interface=ether4-hamnet
add bridge=bridge-hamnet interface=ether5-hamnet
add bridge=bridge-hamnet interface=ether6-hamnet
add bridge=bridge-lan interface=ether7-lan
add bridge=bridge-lan interface=ether8-lan
add bridge=bridge-lan interface=ether9-lan
add bridge=bridge-lan interface=ether10-lan
add bridge=bridge-lan interface=wlan1
/interface wireguard peers
add allowed-address=10.8.0.0/24 endpoint-address=wg.domain.net \
endpoint-port=51820 interface=wireguard-vpn persistent-keepalive=25s \
preshared-key="BMEQOgVJlM################194CZAZjIe0=" public-key=\
"E1X0GkYMiei###########rTwncA22LbDBDE="
/ip address
add address=192.168.88.1/24 interface=bridge-hamnet network=192.168.88.0
add address=192.168.10.254/24 interface=bridge-lan network=192.168.10.0
add address=10.8.0.13/24 interface=wireguard-vpn network=10.8.0.0
/ip dhcp-client
add interface=ether1-wan1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.254 gateway=192.168.10.254 \
ntp-server=192.168.10.254
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
ntp-server=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=drop chain=input comment="WAN > FW drop ping" in-interface=\
ether1-wan1 protocol=icmp
add action=accept chain=input comment="accept established,related,tracket" \
connection-state=established,related,untracked
add action=accept chain=input comment="LAN + Hamnet > FW accept" \
in-interface=bridge-lan
add action=accept chain=input in-interface=bridge-hamnet
add action=accept chain=input comment="Wireguard > FW accept" in-interface=\
wireguard-vpn
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
ether1-wan1 src-address=192.168.10.0/24
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=de.pool.ntp.org
There is no such thing as good or bad, just choices and consequences)
For example, i have no Interface lists. Don't know, why i need them..