Herodotus
just joined
Topic Author
Posts: 17
Joined: Thu Jun 29, 2023 8:59 pm

Idiots guide to setting up Wireguard client

Thu Sep 28, 2023 4:53 pm

I'm trying to get my router to act as a wireguard client for NordVPN so that all the internet traffic from local network gets routed through the VPN. There are a few posts on the forum that all reference this post: viewtopic.php?t=182340. I have attempted to read through it and I'm afraid it might as well be written in Chinese - I have zero idea where I should even start. Does anyone know of an idiot-proof step-by-step guide that doesn't require extensive understanding of networking to make sense?

Thanks!
 
Herodotus
just joined
Topic Author
Posts: 17
Joined: Thu Jun 29, 2023 8:59 pm

Re: Idiots guide to setting up Wireguard client

Thu Sep 28, 2023 6:31 pm

Ok, so piecing together various different tutorials from around the internet I've ended up with this config, which I think is more or less correct for the NordVPN side, but I'm still stuck on exactly how I should set up the NAT/routing side so that all my traffic goes via the Wireguard connection:
# 2023-09-28 17:28:23 by RouterOS 7.11.2
# software id = DNSC-DX1W
#
# model = RB750Gr3
/interface bridge
add admin-mac=18:FD:74:74:08:BC auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 \
    max-mru=1492 max-mtu=1480 name=pppoe-out1 user=XXXXXXX
/interface wireguard
add listen-port=37728 mtu=1420 name=nordvpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=uk2220.nordvpn.com endpoint-address=\
    178.239.162.243 endpoint-port=51820 interface=nordvpn \
    persistent-keepalive=40s public-key=\
    "K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.5.0.2/24 interface=nordvpn network=10.5.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: allow nordvpn" \
    out-interface=nordvpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=RouterOS
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
kraal
Member Candidate
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Idiots guide to setting up Wireguard client

Thu Sep 28, 2023 6:45 pm

Note: I don't use nordvpn nor wireguard, so this message is a best effort to put you on the right track.

1) extract nordvpn configuration to be used with wireguard. Follow these steps : https://www.reddit.com/r/PFSENSE/commen ... tup_works/ (there is a link to an image which tells you which information to use)
2) read documentation: https://help.mikrotik.com/docs/display/ROS/WireGuard as next steps depend on it
3) set up wireguard interface (check above image to get listen port, private and public keys)
4) set up peer configuration (check above image to get endpoint address, port and peer public key) + define allowed addresses
5) configure ip and routing
6) configure firewall

It doesn't seem that complicated once you have done step 1.

Good luck !
 
Herodotus
just joined
Topic Author
Posts: 17
Joined: Thu Jun 29, 2023 8:59 pm

Re: Idiots guide to setting up Wireguard client

Thu Sep 28, 2023 7:45 pm

Yeah so I’ve done 1-4, I think. But I really don’t understand routing or ip configuration, especially in router OS so I was hoping someone could just tell me what I needed to do :-/ The documentation all seems to assume a level of networking knowledge that I just don’t have…
 
kraal
Member Candidate
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Idiots guide to setting up Wireguard client

Thu Sep 28, 2023 7:59 pm

Well the link at step 2 explains what to do... "IP and routing configuration" and "Firewall considerations" sections, you just need to replace the IP addresses with the ones of your context.

If you want more it's not an "idiot guide" you're looking for but an "idiot doing the configuration for you". ;-)

Note: in your configuration, you don't seem to have set the private/public keys for the interface, so add them (without pasting them here) + make sure that you use values you extract from the client's configuration and not values you find on the internet.
 
Herodotus
just joined
Topic Author
Posts: 17
Joined: Thu Jun 29, 2023 8:59 pm

Re: Idiots guide to setting up Wireguard client

Fri Sep 29, 2023 2:37 pm

Well the link at step 2 explains what to do... "IP and routing configuration" and "Firewall considerations" sections, you just need to replace the IP addresses with the ones of your context.
I did try reading this page but the big problem I have is that basically all the information relates to either mutually peering two office networks which are both connected directly to the public internet with public ips on the routers; or a RoadWarrior setup where the router is acting as a Wireguard server. I want neither of these and I'm struggling to see which bits relate to my requirement (router as a wireguard client routing all external traffic over the VPN; router connected to the internet with PPPoE behind double NAT).
Note: in your configuration, you don't seem to have set the private/public keys for the interface, so add them (without pasting them here) + make sure that you use values you extract from the client's configuration and not values you find on the internet.
I'm not sure what happened with my config export here but I do have this setup. It's possible that I was over-zealous when pruning the config for public posting. I extracted the keys using the nordvpn linux client.

I'm going to try to fiddle with this again and see if I can make it work, but I still feel like I'm semi-randomly changing settings without having a real understanding of what I'm doing. As best as I can tell:
  • Firewall considerations: this is irrelevant to me. I don't need anything to establish an inbound tunnel so I don't need to poke a hole in my firewall for this. Or have I got this wrong? Does Wireguard require a mutual connection in every scenario? I think the same applies to the forward chain because I'm not routing specific subnets.
  • Routing considerations: I've added an address for the VPN:
    /ip address add address=10.5.0.2/24 interface=nordvpn network=10.5.0.0
    but the routing information from the manual page clearly isn't relevant to me because it relates to routing a specific subnet over the VPN. This is the bit that I'm really struggling with. I'm guessing I need to fiddle with my NAT configuration but I can't find any examples of how to do this that are sufficiently close to what I have (WAN routed over PPPoE with NAT).
 
Herodotus
just joined
Topic Author
Posts: 17
Joined: Thu Jun 29, 2023 8:59 pm

Re: Idiots guide to setting up Wireguard client

Sat Sep 30, 2023 1:50 pm

I'm inching towards understanding this/getting it working but there's still one piece of the puzzle missing, I think. Here's my config so far:
# 2023-09-30 12:11:50 by RouterOS 7.11.2
# software id = DNSC-DX1W
#
# model = RB750Gr3
/interface bridge
add admin-mac=18:FD:74:74:08:BC auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 \
    max-mru=1492 max-mtu=1480 name=pppoe-out1 use-peer-dns=\
    yes user=XXXXXXXXXXXXX
/interface wireguard
add listen-port=37728 mtu=1420 name=nordvpn private-key=\
    "XXXXXXXXXXXXXXXXXXXXXX"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add fib name=useNordVPN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=nordvpn list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=uk2220.nordvpn.com endpoint-address=\
    " 178.239.162.243" endpoint-port=51820 interface=nordvpn \
    persistent-keepalive=40s public-key=\
    "K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.5.0.2/24 interface=nordvpn network=10.5.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward in-interface-list=LAN out-interface=nordvpn
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup src-address=192.168.1.0/24 table=useNordVPN
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Things that I've done:
  • Added the wireguard interface + peer with appropriate keys pulled from the nordvpn linux client. I believe this part is working correctly
  • Added a 10.5.0.2/24 address for the nordvpn tunnel
  • Added a forward firewall rule to allow LAN traffic into the tunnel
  • Added the nordvpn interface to the WAN interface list so that the existing src-nat masquerade rule will apply to it
  • Added a routing table + routing rule as specified in 7.4 of this: viewtopic.php?p=906311#p906311

Now obviously it doesn't do anything yet because I haven't actually added a route to the new routing table. And this is where I'm stuck. If I do this:
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=nordvpn pref-src=""  routing-table=useNordVPN scope=30 suppress-hw-offload=no target-scope=10
My entire network dies and I can't even reach the router any more. The first time I did this, I didn't have winbox setup and I had to factory reset the router and rebuild my network from scratch. So that was fun.

I'm wondering if this has something to do with the strange double NAT setup that my ISP has. Here's my current list of routes before adding the extra route for wireguard:
 Av   afi=ip4 contribution=active dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=pppoe-out1 immediate-gw=pppoe-out1 distance=1 scope=30 target-scope=10 vrf-interface=pppoe-out1 belongs-to="vpn" 
       debug.fwp-ptr=0x20242000 

 Ac   afi=ip4 contribution=active dst-address=10.5.0.0/24 routing-table=main gateway=nordvpn immediate-gw=nordvpn distance=0 scope=10 belongs-to="connected" local-address=10.5.0.2%nordvpn 
       debug.fwp-ptr=0x20242120 

 Ac   afi=ip4 contribution=active dst-address=192.168.1.0/24 routing-table=main gateway=bridge immediate-gw=bridge distance=0 scope=10 belongs-to="connected" local-address=192.168.1.1%bridge 
       debug.fwp-ptr=0x20242060 

 Ac   afi=ip4 contribution=active dst-address=192.168.207.1/32 routing-table=main gateway=pppoe-out1 immediate-gw=pppoe-out1 distance=0 scope=10 belongs-to="connected" local-address=192.168.207.239%pppoe-out1 
       debug.fwp-ptr=0x202420C0 

 A H  afi=link contribution=active dst-address=ether1 routing-table=main distance=0 belongs-to="interface" 

 A H  afi=link contribution=active dst-address=ether2 routing-table=main distance=0 belongs-to="interface" 

 A H  afi=link contribution=active dst-address=ether3 routing-table=main distance=0 belongs-to="interface" 

 A H  afi=link contribution=active dst-address=ether4 routing-table=main distance=0 belongs-to="interface" 

 A H  afi=link contribution=active dst-address=ether5 routing-table=main distance=0 belongs-to="interface" 

 A H  afi=link contribution=active dst-address=bridge routing-table=main distance=0 belongs-to="interface" 

 A H  afi=link contribution=active dst-address=pppoe-out1 routing-table=main distance=0 belongs-to="interface" 

 A H  afi=link contribution=active dst-address=nordvpn routing-table=main distance=0 belongs-to="interface" 

Can anyone suggest what I need to add as a route to get just my public internet traffic to leave via the VPN?
 
Herodotus
just joined
Topic Author
Posts: 17
Joined: Thu Jun 29, 2023 8:59 pm

Re: Idiots guide to setting up Wireguard client

Sat Sep 30, 2023 2:01 pm

Gah ok so I had a space in front of the endpoint address for my wireguard peer. Removing that, it now works - sort of. The VPN is active, and traffic is routing via it as expected. But there's one remaining problem: I can't reach the router by IP address. I can reach other machines on the local network, but while the VPN route is enabled, pinging or opening 192.168.1.1 in a web browser doesn't work. Any ideas?
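An added example, not code from this thread, from MikroTik or from NordVPN, covering both kraal's steps 1-4 (turning the exported NordVPN WireGuard client config into the interface and peer commands) and the two problems in the last posts: the stray space in endpoint-address, and the router becoming unreachable at 192.168.1.1 once the src-address routing rule is active. It parses a wg-quick style [Interface]/[Peer] file, validates the keys and endpoint, and prints the RouterOS 7 commands. Assumptions: the LAN is 192.168.1.0/24 on "bridge", the uplink is "pppoe-out1", the tunnel interface is named "nordvpn" and goes into the WAN interface list so the default masquerade rule covers it; the sample config embedded below is constructed, and its private key is a placeholder. The main-table exception rule for dst-address=192.168.1.0/24 is placed before the VPN rule on purpose: routing rules are evaluated top to bottom, and without it the router's own replies (source 192.168.1.1, inside the LAN subnet) are looked up in the VPN table and sent into the tunnel.

```python
"""wg-quick style NordVPN config -> RouterOS 7 WireGuard client commands (added example)."""
import base64
import ipaddress
import re

# Constructed sample of what the NordVPN Linux client / "wg showconf" produce.
# The private key is a placeholder. Note the stray whitespace around the endpoint:
# the thread's broken peer had exactly that, and the parser must strip it.
SAMPLE_CONF = """
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.5.0.2/32
DNS = 103.86.96.100, 103.86.99.100

[Peer]
PublicKey = K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE=
AllowedIPs = 0.0.0.0/0
Endpoint =  178.239.162.243:51820
PersistentKeepalive = 25
"""

LAN = "192.168.1.0/24"      # assumption: LAN subnet on "bridge"
WAN_IF = "pppoe-out1"       # assumption: uplink interface
WG_IF = "nordvpn"           # assumption: name of the WireGuard interface
TABLE = "useNordVPN"        # routing table the thread already created


def parse_wg_conf(text: str) -> dict:
    """Flatten [Interface]/[Peer] keys into 'section.key' -> value, stripping whitespace."""
    section, conf = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        conf[f"{section}.{key.strip().lower()}"] = value.strip()
    return conf


def check_key(b64: str) -> str:
    """A WireGuard key is exactly 32 bytes; reject anything else before it reaches the router."""
    raw = base64.b64decode(b64, validate=True)  # raises ValueError on bad base64
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return b64


def split_endpoint(ep: str) -> tuple[str, int]:
    """'host:port' -> (host, port); host must be an IP or a plain hostname, no stray spaces."""
    host, _, port = ep.strip().rpartition(":")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
            raise ValueError(f"bad endpoint host {host!r}")
    return host, int(port)


def routeros_script(conf: dict) -> list[str]:
    """Emit RouterOS commands in the order they must be applied."""
    priv = check_key(conf["interface.privatekey"])
    pub = check_key(conf["peer.publickey"])
    addr = ipaddress.ip_interface(conf["interface.address"])
    host, port = split_endpoint(conf["peer.endpoint"])
    dns = [d.strip() for d in conf.get("interface.dns", "").split(",") if d.strip()]
    keepalive = conf.get("peer.persistentkeepalive", "25")
    cmds = [
        f'/interface wireguard add name={WG_IF} mtu=1420 private-key="{priv}"',
        f'/interface wireguard peers add interface={WG_IF} public-key="{pub}" '
        f'endpoint-address={host} endpoint-port={port} allowed-address=0.0.0.0/0 '
        f'persistent-keepalive={keepalive}s',
        f'/ip address add address={addr.with_prefixlen} interface={WG_IF}',
        # WAN list membership: default masquerade covers the tunnel, default input/forward
        # drops treat packets arriving from it as untrusted (no inbound hole needed).
        f'/interface list member add interface={WG_IF} list=WAN',
        # Policy routing: LAN sources use a table whose only route is the tunnel.
        f'/routing table add name={TABLE} fib',
        f'/ip route add dst-address=0.0.0.0/0 gateway={WG_IF} routing-table={TABLE}',
        # Rules run top to bottom: LAN-to-LAN and LAN-to-router (192.168.1.1 and its
        # replies) must stay in main, or they are looked up in the VPN table and vanish.
        f'/routing rule add dst-address={LAN} action=lookup-only-in-table table=main',
        f'/routing rule add src-address={LAN} action=lookup-only-in-table table={TABLE}',
        # Kill switch: LAN traffic must never fall back to the bare uplink.
        f'/ip firewall filter add chain=forward action=drop src-address={LAN} '
        f'out-interface={WAN_IF} comment="kill switch" place-before=0',
    ]
    # Router-originated DNS has no LAN source address, so the rules above do not apply to
    # it; pin each resolver to the tunnel with a host route in main to avoid a DNS leak.
    for d in dns:
        ipaddress.ip_address(d)
        cmds.append(f'/ip route add dst-address={d}/32 gateway={WG_IF}')
    if dns:
        cmds.append(f'/ip dns set servers={",".join(dns)} allow-remote-requests=yes')
    return cmds


if __name__ == "__main__":
    print("\n".join(routeros_script(parse_wg_conf(SAMPLE_CONF))))
```

Paste the printed commands into a terminal session, not Winbox's script window, so a mistake shows up one line at a time; keep the existing defconf firewall rules as they are.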
 
ggwp
just joined
Posts: 6
Joined: Fri Apr 26, 2024 6:53 pm

Re: Idiots guide to setting up Wireguard client

Sat Apr 27, 2024 9:10 pm

Can I get your running config file for the wireguard client on mikrotik router?
 