Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » router » mikrotik_vpn_wg
Trace: mikrotik_troubleshoot
networking:router:mikrotik_vpn_wg

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
networking:router:mikrotik_vpn_wg [2023/07/01 21:16]
gcooper 		networking:router:mikrotik_vpn_wg [2023/07/10 10:36] (current)
gcooper
Line 12: Line 12:
  
 **Road Warrior HowTo**: https://forum.mikrotik.com/viewtopic.php?p=899406 **Road Warrior HowTo**: https://forum.mikrotik.com/viewtopic.php?p=899406
 +
 +**Why WireGuard?**: https://restoreprivacy.com/vpn/wireguard-vs-openvpn/
 +
 +**Enable/Disable Peer by Comment**: https://techoverflow.net/2022/04/18/how-to-enable-disable-wireguard-peer-by-comment-on-mikrotik/
  
 <note tip>Note that **Windows workstations do not respond to pings by default**, but will if you temporarily disable the firewall.  Don't forget to turn it back on when you are done testing!</note> <note tip>Note that **Windows workstations do not respond to pings by default**, but will if you temporarily disable the firewall.  Don't forget to turn it back on when you are done testing!</note>
Line 26: Line 30:
  
 <file> <file>
-# allow connections to wireguard in the firewall - move to appropriate location +# perform the next three commands only once 
-# the port must match the wireguard interface UDP listen port + 
-/ip firewall filter add action=accept chain=input comment="Accept WireGuard VPN" dst-port=51820 protocol=udp+# allow wireguard connections to the router - move rule as needed 
 +/ip firewall filter add action=accept chain=input comment="Allow WireGuard VPN" dst-port=51820 
 +    protocol=udp place-before=4
  
 # add a wireguard interface - name is arbitrary - select UDP listen port not blocked by all ISPs # add a wireguard interface - name is arbitrary - select UDP listen port not blocked by all ISPs
-/interface wireguard +/interface wireguard add comment="WireGuard VPN Endpoint" listen-port=51820 mtu=1420 name=wg0 
-add comment="VA - WireGuard VPN Endpoint" listen-port=51820 mtu=1420 name=wg0+ 
 +# set the address of the wireguard interface - the address is arbitrary 
 +# we use a /24 netmask with peer wireguard interfaces to be assigned address in 172.16.2.0/24 
 +# name must match interface name above 
 +/ip address add address=172.16.2.1/24 comment="Wireguard VPN Endpoint" interface=wg0 network=172.16.2.0 
 + 
 +# do the following for each remote site
  
 # define remote wireguard peers - be sure to identify peer with comment # define remote wireguard peers - be sure to identify peer with comment
 # allowed addresses are remote peer address and address ranges behind the remote peer # allowed addresses are remote peer address and address ranges behind the remote peer
-/interface wireguard peers +/interface wireguard peers add allowed-address=172.16.2.3/32,192.168.53.0/24 comment="Remote Site Name" 
-add allowed-address=172.16.2.3/32,192.168.53.0/24 comment="Remote Site Name" interface=wg0 +    interface=wg0 persistent-keepalive=25s public-key="<remote-peer-public-key"
-    persistent-keepalive=25s public-key="<remote-peer-public-key" +
- +
-# set the address of the wireguard interface - the address is arbitrary +
-# we use a /24 netmask to include all peers - name must match interface name above +
-/ip address add address=172.16.2.1/24 comment="VA - Wireguard VPN Endpoint" interface=wg0 network=172.16.2.0+
  
 # add a route to the subnet(s) behind the remote peers # add a route to the subnet(s) behind the remote peers
networking/router/mikrotik_vpn_wg.1688267814.txt.gz · Last modified: 2023/07/01 21:16 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki