networking:router:mikrotik_vpn_wg

Differences

This shows you the differences between two versions of the page.

networking:router:mikrotik_vpn_wg [2023/07/01 21:01]
gcooper
networking:router:mikrotik_vpn_wg [2023/07/10 10:36] (current)
gcooper
Line 12: Line 12:
  
 **Road Warrior HowTo**: https://forum.mikrotik.com/viewtopic.php?p=899406 **Road Warrior HowTo**: https://forum.mikrotik.com/viewtopic.php?p=899406
 +
 +**Why WireGuard?**: https://restoreprivacy.com/vpn/wireguard-vs-openvpn/
 +
 +**Enable/Disable Peer by Comment**: https://techoverflow.net/2022/04/18/how-to-enable-disable-wireguard-peer-by-comment-on-mikrotik/
  
 <note tip>Note that **Windows workstations do not respond to pings by default**, but will if you temporarily disable the firewall.  Don't forget to turn it back on when you are done testing!</note> <note tip>Note that **Windows workstations do not respond to pings by default**, but will if you temporarily disable the firewall.  Don't forget to turn it back on when you are done testing!</note>
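Review bot: the three new reference links are added without saying when each applies, and the "Enable/Disable Peer by Comment" link is the one the configuration section below depends on (its peer definition says "be sure to identify peer with comment"). A short phrase after that link, such as "used to toggle the remote-site peers defined below", would tie the two together; the other two links are background reading and can stay as bare titles.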
Line 26: Line 30:
  
 <file> <file>
-add a wireguard interface - name is arbitrary - select port not blocked by all ISPs +perform the next three commands only once
-/interface wireguard +
-add comment="VA - WireGuard VPN Endpoint" listen-port=51820 mtu=1420 name=wg0+
  
-define remote wireguard peers - be sure to identify peer with comment +allow wireguard connections to the router - move rule as needed 
-# allowed addresses are remote peer address and address ranges behind the remote peer +/ip firewall filter add action=accept chain=input comment="Allow WireGuard VPNdst-port=51820 
-/interface wireguard peers +    protocol=udp place-before=
-add allowed-address=172.16.2.3/32,192.168.53.0/24 comment="Remote Siteinterface=wg0 + 
-    persistent-keepalive=25s public-key="<remote-peer-public-key"+# add a wireguard interface name is arbitrary select UDP listen port not blocked by all ISPs 
 +/interface wireguard add comment="WireGuard VPN Endpoint" listen-port=51820 mtu=1420 name=wg0
  
 # set the address of the wireguard interface - the address is arbitrary # set the address of the wireguard interface - the address is arbitrary
-# we use a /24 netmask to include all peers - name must match interface name above +# we use a /24 netmask with peer wireguard interfaces to be assigned address in 172.16.2.0/24 
-/ip address add address=172.16.2.1/24 comment="VA - Wireguard VPN Endpoint" interface=wg0 network=172.16.2.0+name must match interface name above 
 +/ip address add address=172.16.2.1/24 comment="Wireguard VPN Endpoint" interface=wg0 network=172.16.2.0 
 + 
 +# do the following for each remote site 
 + 
 +# define remote wireguard peers - be sure to identify peer with comment 
 +# allowed addresses are remote peer address and address ranges behind the remote peer 
 +/interface wireguard peers add allowed-address=172.16.2.3/32,192.168.53.0/24 comment="Remote Site Name" \ 
 +    interface=wg0 persistent-keepalive=25s public-key="<remote-peer-public-key"
  
-allow connections to wireguard - move to appropriate location +add a route to the subnet(s) behind the remote peers 
-/ip firewall filter add action=accept chain=input comment="Accept WireGuard" dst-port=51820 protocol=udp+/ip route add comment="Remote Site Name" dst-address=192.168.53.0/24 gateway=wg0
 </file> </file>
  
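Review bot: the rewritten firewall line `/ip firewall filter add action=accept chain=input comment="Allow WireGuard VPNdst-port=51820 protocol=udp place-before=` will not work as written: the comment's closing quote and the space before `dst-port` are missing, and `place-before=` is left with no value, so the rule is not placed above the input chain's drop rules as the "move rule as needed" remark intends. Either supply the index of the first drop rule to `place-before`, or remove the parameter and state explicitly that the rule must be moved above the drop rules after it is added. Two smaller points: `public-key="<remote-peer-public-key"` lacks the closing `>` of the placeholder, and the hunk adds an input-chain accept for UDP/51820 plus a route for 192.168.53.0/24 via wg0 but no forward-chain rule, so it would help to say what traffic arriving on wg0 is meant to be allowed to forward into the local networks.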
networking/router/mikrotik_vpn_wg.1688266909.txt.gz · Last modified: 2023/07/01 21:01 by gcooper