ggwp
just joined
Topic Author
Posts: 6
Joined: Fri Apr 26, 2024 6:53 pm

wireguard vpn client on mikrotik

Fri Apr 26, 2024 7:18 pm

Could someone share a config file for a WireGuard VPN client installation on a MikroTik router? What I want to do is connect LAN clients to the VPN server through the router. My WireGuard server is installed on a VPS. Could I get any ideas?
 
anav
Forum Guru
Posts: 19660
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard vpn client on mikrotik

Fri Apr 26, 2024 9:09 pm

Create a WireGuard interface; any port can be chosen. If you are given a private key, put the private key in here before generating the interface or hitting Apply.
Add the WireGuard interface to the WAN interface list.
Add allowed IPs = 0.0.0.0/0, the name of the WireGuard interface, the endpoint address and endpoint port, and add persistent-keepalive=35s
and the public key.

For the IP address use the provided IP address, e.g. 192.168.54.8/24 interface=wireguard1 network=192.168.54.0

That's the start anyway.
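The steps above typed out as RouterOS CLI commands, as an added example rather than anav's or MikroTik's own config. Everything concrete in it is assumed: the interface name wireguard1, the listen port, the tunnel address 192.168.54.8/24, the endpoint vps.example.net:51820 and the placeholder server public key.

```routeros
# Added example, not from the thread. Assumed values: interface wireguard1,
# listen port 13231, tunnel address 192.168.54.8/24 with the VPS at 192.168.54.1,
# endpoint vps.example.net:51820, placeholder server public key.

# 1. Create the interface. With no private-key= given, RouterOS generates the key
#    pair on the router; only the public key is handed to the VPS admin, the
#    private key never leaves the device. If the VPS admin issued you a private
#    key instead, add private-key="..." to this same add command.
/interface wireguard
add name=wireguard1 listen-port=13231 mtu=1420

# Read back the router's public key to paste into the VPS [Peer] section
# (the private key is printed too; it is not what goes to the server).
/interface wireguard print detail where name=wireguard1

# 2. The VPS is the only peer. allowed-address=0.0.0.0/0 is cryptokey routing:
#    the router sends any destination to this peer and accepts any source
#    address arriving from it, so firewall the tunnel like a WAN link (step 4).
#    persistent-keepalive keeps the upstream NAT mapping alive since this side
#    is behind another router.
/interface wireguard peers
add interface=wireguard1 comment=vps endpoint-address=vps.example.net endpoint-port=51820 \
    public-key="SERVER_PUBLIC_KEY_BASE64=" allowed-address=0.0.0.0/0 persistent-keepalive=25s

# 3. Tunnel address supplied by the VPS side.
/ip address
add address=192.168.54.8/24 interface=wireguard1 network=192.168.54.0

# 4. Treat the tunnel as an external interface for the firewall.
/interface list member
add interface=wireguard1 list=WAN

# 5. Verify: last-handshake must update and rx/tx counters move once the peer
#    answers; a ping to the VPS tunnel address confirms the path end to end.
/interface wireguard peers print detail where interface=wireguard1
/ping 192.168.54.1 interface=wireguard1 count=3
```

Because the router initiates the handshake, no input-chain rule for the listen port is needed: the VPS's UDP replies are matched as established by connection tracking. Only a router that waits for peers to connect to it needs the listen port opened from WAN. If the last-handshake field never populates, the usual causes are a key pasted into the wrong side, a mismatch between this public key and the [Peer] entry on the VPS, or the upstream router blocking outbound UDP.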
 
ggwp
just joined
Topic Author
Posts: 6
Joined: Fri Apr 26, 2024 6:53 pm

Re: wireguard vpn client on mikrotik

Sat Apr 27, 2024 3:20 pm

Yes brother, I already tried many ways but it doesn't work. May I get the firewall rules?
 
anav
Forum Guru
Posts: 19660
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard vpn client on mikrotik

Sat Apr 27, 2024 5:15 pm

After you provide your config I can comment constructively.
/export file=anynameyouwish (minus router serial #, any public WAN IP information, keys, etc.)
 
ggwp
just joined
Topic Author
Posts: 6
Joined: Fri Apr 26, 2024 6:53 pm

Re: wireguard vpn client on mikrotik

Sat Apr 27, 2024 5:33 pm

# 1970-01-02 03:44:58 by RouterOS 7.14.3
# software id = WRUL-0YXQ
#
# model = RB760iGS
# serial number =
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=55407 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool1 ranges=10.1.0.1-10.1.0.253
add name=dhcp_pool2 ranges=10.2.0.1-10.2.0.253
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether4 name=dhcp1
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp2
/routing table
add disabled=no name=wg
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=54.179.142.27 endpoint-port=\
51820 interface=wireguard1 persistent-keepalive=25s public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=10.1.0.254/24 interface=ether4 network=10.1.0.0
add address=10.2.0.254/24 interface=bridge1 network=10.2.0.0
add address=10.7.0.2/24 interface=wireguard1 network=10.7.0.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.1.0.254
add address=10.2.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.2.0.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.2.0.254 name=router.lan
/ip firewall filter
add action=accept chain=input in-interface=wireguard1 src-address-list=\
Authorized
add action=accept chain=forward out-interface=wireguard1 src-address=\
10.2.0.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=*400 passthrough=no \
src-address=10.2.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src="" \
routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=54.179.142.27/32 gateway=10.0.0.1 \
pref-src="" routing-table=wg scope=30 suppress-hw-offload=no target-scope=\
10
/routing rule
add action=lookup disabled=no src-address=10.2.0.0/24 table=*400
/system note
set show-at-login=no

Here brother,
 
anav
Forum Guru
Posts: 19660
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard vpn client on mikrotik

Sat Apr 27, 2024 6:24 pm

(1) Ether4 has an IP address and a pool, but MISSING is the DHCP server and DHCP-server network?????

(2) I gather you want all bridge traffic to go out to the internet on the VPS.

(3) On this note I would get rid of the static DNS setting and modify:
from:
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.2.0.254 name=router.lan

TO:
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8


(4) ROUTING RULE has a problem, look at the *400
From:
/routing rule
add action=lookup disabled=no src-address=10.2.0.0/24 table=*400

TO:
/routing rule
add action=lookup-only-in-table min-prefix=0 table=main comment="ensures local lan traffic does not go out tunnel"
add action=lookup src-address=10.2.0.0/24 table=wg comment="force bridge traffic out tunnel"

(5) You have no firewall rules to speak of, are you behind an upstream router?

(6) Why are you mangling? Also note the same *400 error.

(7) What type of VPS is provided, a WireGuard VPS or something else?
If you are not able to set the allowed IPs on the VPS to include the subnet of the bridge, then your WireGuard source-NAT rule is a good idea.


(8) Routes look incomplete/wrong. Assuming ether1 is WAN, there is no mention of a default route, so you need at least two routes. The route to the VPS is not required.

/ip route
add dst-address=0.0.0.0/0 gateway=gatewayIP routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg
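The policy-routing part of the advice above, written out as an added example (not anav's or the poster's config) with the fail-closed variant a practitioner would want. Assumed: the bridge subnet is 10.2.0.0/24 as in the posted export, the tunnel interface is wireguard1 with address 10.7.0.2/24, the WAN default route arrives in the main table from the DHCP client on ether1, and the VPS only lists the router's tunnel /32 in its allowed IPs.

```routeros
# Added example, not from the thread. Assumes bridge subnet 10.2.0.0/24,
# tunnel wireguard1 (10.7.0.2/24), DHCP-learned default route in main on ether1,
# VPS allowed-ips limited to 10.7.0.2/32.

# The table must be created with fib, otherwise routes added to it never reach
# the kernel forwarding table and the rule below matches nothing.
/routing table
add name=wg fib

# One default route per table: main keeps the ISP path (already present when
# the DHCP client has add-default-route=yes); wg sends everything down the tunnel.
# No /32 route for the VPS endpoint is needed: the handshake is router-originated,
# has a WAN source address, matches no src-address rule and so uses main.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg comment="bridge subnet via VPS"

# Rule 1: a destination with a route more specific than 0.0.0.0/0 in main
# (connected LANs, the tunnel subnet) is resolved there and stays out of the tunnel.
# Rule 2: everything else from the bridge subnet is resolved only in wg.
# lookup-only-in-table makes this fail closed: when wireguard1 is down the wg
# default route goes inactive and the packet is dropped instead of leaving via
# ether1. Plain action=lookup would fall back to main and leak the traffic.
/routing rule
add action=lookup-only-in-table min-prefix=0 table=main comment="keep local traffic out of tunnel"
add action=lookup-only-in-table src-address=10.2.0.0/24 table=wg comment="bridge subnet tunnel-only, fail closed"

# Hide the bridge subnet behind 10.7.0.2 because the VPS only allows that /32.
# Drop this rule if the VPS side adds 10.2.0.0/24 to AllowedIPs.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade

# Checks: the wg default route must be active, and a ping sourced from the
# bridge address follows the rules and should leave via the tunnel.
/ip route print where routing-table=wg
/routing rule print
/ping 1.1.1.1 src-address=10.2.0.254 count=3
```

One consequence of selecting by source address: traffic the router itself originates is not covered. If LAN clients are pointed at the router as their resolver (dns-server=10.2.0.254), the router's upstream DNS queries carry its own address, resolve in main and go out ether1 in the clear while the rest of the client's traffic is in the tunnel. Handing clients the upstream resolvers directly, as the posted DHCP network config does, keeps those queries inside the tunnel; the alternative is an extra lookup-only-in-table rule for the resolver addresses.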
 
ggwp
just joined
Topic Author
Posts: 6
Joined: Fri Apr 26, 2024 6:53 pm

Re: wireguard vpn client on mikrotik

Sat Apr 27, 2024 7:32 pm

I tried as you suggested but it's still not working, brother. Here is my new config:

# 1970-01-02 01:19:38 by RouterOS 7.14.3
# software id = WRUL-0YXQ
#
# model = RB760iGS
# serial number =
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=55407 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool1 ranges=10.1.0.1-10.1.0.253
add name=dhcp_pool2 ranges=10.2.0.1-10.2.0.253
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether4 name=dhcp1
add address-pool=dhcp_pool2 interface=bridge1 name=dhcp2
/routing table
add disabled=no fib name=wg
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=54.179.142.27 endpoint-port=51820 interface=wireguard1 persistent-keepalive=\
25s public-key="NYXtAWsPqMdhbEDCCxRCJwiz5o3ZC9pA99gvKFLkuwY="
/ip address
add address=10.1.0.254/24 interface=ether4 network=10.1.0.0
add address=10.2.0.254/24 interface=bridge1 network=10.2.0.0
add address=10.7.0.2/24 interface=wireguard1 network=10.7.0.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.1.0.254
add address=10.2.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.2.0.254
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=10.2.0.254 disabled=yes name=router.lan
/ip firewall filter
add action=accept chain=input in-interface=wireguard1 src-address-list=Authorized
add action=accept chain=forward out-interface=wireguard1 src-address=10.2.0.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=wg passthrough=no src-address=10.2.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src="" routing-table=wg scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=54.179.142.27/32 gateway=10.0.0.1 pref-src="" routing-table=wg scope=30 \
suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup disabled=yes src-address=10.2.0.0/24 table=wg
add action=lookup-only-in-table disabled=no min-prefix=0 table=main
add action=lookup disabled=no src-address=10.2.0.0/24 table=wg
/system note
set show-at-login=no

My router is behind an upstream router, but other OpenWrt routers work well. Do I need to add other firewall filters? Actually I have no idea about that. Help me brother.
 
anav
Forum Guru
Posts: 19660
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard vpn client on mikrotik

Sat Apr 27, 2024 7:50 pm

Okay, you forgot to make some changes, plus some more modifications. We should at least add default rules, but for now no rules = everything passes, so not in the way of success.

(1) Let's keep the DHCP server network standard.
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=10.1.0.254 gateway=10.1.0.254
add address=10.2.0.0/24 dns-server=10.2.0.254 gateway=10.2.0.254


(2) DELETE the static entry (you will find it in WinBox under IP DNS, on the popup box under APPLY).
/ip dns static
add address=10.2.0.254 disabled=yes name=router.lan


(3) REMOVE the MANGLE RULE, not required!!

(4) REMOVE the IP route to the VPS, not required.
You only have one route; I said you needed TWO routes: the main table route for your WAN connection and one for WireGuard.
Where is your main table route?? (OR) can you confirm default-route=YES on your IP DHCP client??

+++++++++++++++++++++++++++++++++++

What are the VPS WireGuard settings????
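The two open items in the post above, the missing main-table default route and the absent firewall, as an added example (not anav's text or the RouterOS default-configuration script). Assumed: ether1 is WAN via DHCP, bridge1 (10.2.0.0/24) and ether4 (10.1.0.0/24) are LAN segments, wireguard1 is already a member of the WAN list, and the Authorized address list referenced by the posted input rule is populated with the management hosts you trust.

```routeros
# Added example, not from the thread. Assumes ether1 = WAN via DHCP client,
# bridge1 and ether4 = LAN, wireguard1 in the WAN interface list, and an
# "Authorized" address list holding the hosts allowed to manage the router
# over the tunnel.

# 1. The main-table default route comes from the DHCP client; confirm it is
#    installing one (add-default-route=yes, status=bound) and that the route
#    print shows one default via the ISP gateway in main and one via wireguard1 in wg.
/ip dhcp-client print detail where interface=ether1
/ip route print where dst-address=0.0.0.0/0

# 2. ether4 carries a LAN subnet but is not in the LAN list in the posted export.
#    Add it first, or the input-drop rule below cuts that segment off from the router.
/interface list member
add interface=ether4 list=LAN

# 3. Baseline stateful firewall, same shape as the RouterOS defaults minus
#    fasttrack. Being behind an upstream NAT router does not cover the tunnel:
#    the peer has allowed-address=0.0.0.0/0, so whatever the VPS sends arrives
#    on wireguard1 and has to be filtered exactly like WAN traffic.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface=wireguard1 src-address-list=Authorized comment="management over tunnel from listed hosts only"
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop new from WAN or tunnel not DSTNATed"

# Replies from the VPS (UDP to the listen port) match established, so no input
# rule for port 55407 is needed while this router is the initiating side;
# persistent-keepalive keeps that conntrack entry and the upstream NAT mapping alive.
```

The order matters on the input chain: the tunnel-management accept sits above the "drop all not coming from LAN" rule, which is what actually enforces the Authorized list now that there is a drop. The posted forward accept for 10.2.0.0/24 out wireguard1 becomes redundant, since this set only drops new connections that enter from the WAN side; LAN-originated traffic toward either the ISP or the tunnel passes by default.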
