networking:router:mikrotik_vpn_wg

Differences

networking:router:mikrotik_vpn_wg [2023/07/01 09:17]
gcooper
networking:router:mikrotik_vpn_wg [2023/07/10 10:36] (current)
gcooper
Line 13: Line 13:
 **Road Warrior HowTo**: https://forum.mikrotik.com/viewtopic.php?p=899406 **Road Warrior HowTo**: https://forum.mikrotik.com/viewtopic.php?p=899406
  
-<note tip>Note that **Windows workstations do not respond to pings by default**, but will if you temporarily disable the firewall Don't forget to turn it back on when you are done testing!</note>+**Why WireGuard?**: https://restoreprivacy.com/vpn/wireguard-vs-openvpn/
  
-===== Both Ends Static =====+**Enable/Disable Peer by Comment**: https://techoverflow.net/2022/04/18/how-to-enable-disable-wireguard-peer-by-comment-on-mikrotik/ 
 + 
 +<note tip>Note that **Windows workstations do not respond to pings by default**, but will if you temporarily disable the firewall.  Don't forget to turn it back on when you are done testing!</note>
  
 ===== One End Dynamic ===== ===== One End Dynamic =====
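Review bot: the `-===== Both Ends Static =====` line removes that section heading with no replacement, so confirm the Both Ends Static section was meant to be dropped rather than renamed or moved; if its content still exists elsewhere, the diff should show where it went. In the re-added tip, telling the reader to disable the Windows firewall for a ping test is broader than the test needs; allowing inbound ICMP echo requests through the firewall for the duration of the test gives the same result while the rest of the rule set stays in place. Minor: the `**Enable/Disable Peer by Comment**` link line carries trailing whitespace.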
Line 25: Line 27:
 ==== Server (Static IP) ==== ==== Server (Static IP) ====
  
 +=== Using CLI ===
 +
 +<file>
 +# perform the next three commands only once
 +
 +# allow wireguard connections to the router - move rule as needed
 +/ip firewall filter add action=accept chain=input comment="Allow WireGuard VPN" dst-port=51820 \
 +    protocol=udp place-before=4
 +
 +# add a wireguard interface - name is arbitrary - select UDP listen port not blocked by all ISPs
 +/interface wireguard add comment="WireGuard VPN Endpoint" listen-port=51820 mtu=1420 name=wg0
 +
 +# set the address of the wireguard interface - the address is arbitrary
 +# we use a /24 netmask with peer wireguard interfaces to be assigned address in 172.16.2.0/24
 +# name must match interface name above
 +/ip address add address=172.16.2.1/24 comment="Wireguard VPN Endpoint" interface=wg0 network=172.16.2.0
 +
 +# do the following for each remote site
 +
 +# define remote wireguard peers - be sure to identify peer with comment
 +# allowed addresses are remote peer address and address ranges behind the remote peer
 +/interface wireguard peers add allowed-address=172.16.2.3/32,192.168.53.0/24 comment="Remote Site Name" \
 +    interface=wg0 persistent-keepalive=25s public-key="<remote-peer-public-key"
 +
 +# add a route to the subnet(s) behind the remote peers
 +/ip route add comment="Remote Site Name" dst-address=192.168.53.0/24 gateway=wg0
 +</file>
  
 ==== CPE (Dynamic IP) ==== ==== CPE (Dynamic IP) ====
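Review bot: the placeholder in the peer definition is missing its closing bracket: `public-key="<remote-peer-public-key"` should read `public-key="<remote-peer-public-key>"`, otherwise a reader who substitutes the key in place of the placeholder is left with a stray `<` in front of it. Also `place-before=4` in the firewall rule is tied to whatever rule happens to sit at position 4 on the reader's router; since the comment already says to move the rule as needed, consider dropping the fixed index and stating the actual requirement, that the accept rule must come before the drop rules on the input chain.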
Line 94: Line 123:
 At this point, you should be able to ping devices to or from the subnets behind either router. At this point, you should be able to ping devices to or from the subnets behind either router.
  
-=== CLI ===+=== Using CLI === 
 + 
 +<file> 
 +# the interface name is arbitrary - wg0, wg1 are common - wireguard1 is the default 
 +# the port is also arbitrary - 51820 is customary - choose UDP port not blocked by ISP 
 +# listen port probably doesn't matter on this end 
 +/interface wireguard add listen-port=51820 mtu=1420 name=wireguard1
  
-/interface wireguard +# the peer is the remote side definition - server in this case 
-add listen-port=51820 mtu=1420 name=wireguard1+# allowed addresses are addresses at the remote side - server in this case 
 +# the public key is the public key of the remote side - server in this case 
 +# endpoint port must match remote listen port - server in this case 
 +/interface wireguard peers 
 +add allowed-address=172.16.2.1/32,192.168.50.0/24 comment="Server Site Name" \ 
 +    endpoint-address=<server-public-ip> endpoint-port=51820 interface=wireguard1 
 +    persistent-keepalive=25s public-key="<server-public-key>"
  
 +# assign an address to the wireguard interface - will show in traceroute
 +# address choice is arbitrary - /24 used to route multiple peers of /32
 +/ip address add address=172.16.2.3/24 interface=wireguard1 network=172.16.2.0
  
 +# you must add a static route to the subnet(s) behind the remote peer - server in this case
 +/ip route add disabled=no dst-address=192.168.50.0/24 gateway=wireguard1 \
 +    routing-table=main suppress-hw-offload=no
 +</file>   
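Review bot: the multi-line peer `add` is missing a line-continuation backslash after `endpoint-port=51820 interface=wireguard1`, so when pasted into the terminal the `persistent-keepalive=25s public-key="<server-public-key>"` line runs as a separate command and the peer is created without its public key; end that line with `\` as the preceding line does. It would also help to state in the comments that `/interface wireguard add` generates the interface's key pair, and that the public key shown by `/interface wireguard print` on this side is the value the server needs for its own peer entry, since that is the one piece of information the two `Using CLI` blocks exchange.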
networking/router/mikrotik_vpn_wg.1688224631.txt.gz · Last modified: 2023/07/01 09:17 by gcooper