networking:router:mikrotik_vpn_wg

Differences

This shows you the differences between two versions of the page.

networking:router:mikrotik_vpn_wg [2023/07/01 21:18]
gcooper
networking:router:mikrotik_vpn_wg [2023/07/10 10:36] (current)
gcooper
Line 12: Line 12:
  
 **Road Warrior HowTo**: https://forum.mikrotik.com/viewtopic.php?p=899406 **Road Warrior HowTo**: https://forum.mikrotik.com/viewtopic.php?p=899406
 +
 +**Why WireGuard?**: https://restoreprivacy.com/vpn/wireguard-vs-openvpn/
 +
 +**Enable/Disable Peer by Comment**: https://techoverflow.net/2022/04/18/how-to-enable-disable-wireguard-peer-by-comment-on-mikrotik/
  
 <note tip>Note that **Windows workstations do not respond to pings by default**, but will if you temporarily disable the firewall.  Don't forget to turn it back on when you are done testing!</note> <note tip>Note that **Windows workstations do not respond to pings by default**, but will if you temporarily disable the firewall.  Don't forget to turn it back on when you are done testing!</note>
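Review bot: the tip at the end of this hunk tells the reader to disable the Windows firewall to make a workstation answer ping; suggest instead enabling only the inbound echo rule, for example with "netsh advfirewall firewall add rule name="Allow ICMPv4 echo" protocol=icmpv4:8,any dir=in action=allow" or by turning on the predefined "File and Printer Sharing (Echo Request - ICMPv4-In)" rule, so the rest of the host firewall stays active while the tunnel is tested. The new "Why WireGuard?" link points at a commercial VPN review site; the protocol's own paper at https://www.wireguard.com/papers/wireguard.pdf is a more durable reference for the design rationale.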
Line 26: Line 30:
  
 <file> <file>
-# allow connections to wireguard in the firewall - move to appropriate location +# perform the next three commands only once 
-# the port must match the wireguard interface UDP listen port + 
-/ip firewall filter add action=accept chain=input comment="Accept WireGuard VPN" dst-port=51820 protocol=udp+# allow wireguard connections to the router - move rule as needed 
 +/ip firewall filter add action=accept chain=input comment="Allow WireGuard VPN" dst-port=51820 
 +    protocol=udp place-before=4
  
 # add a wireguard interface - name is arbitrary - select UDP listen port not blocked by all ISPs # add a wireguard interface - name is arbitrary - select UDP listen port not blocked by all ISPs
-/interface wireguard add comment="VA - WireGuard VPN Endpoint" listen-port=51820 mtu=1420 name=wg0+/interface wireguard add comment="WireGuard VPN Endpoint" listen-port=51820 mtu=1420 name=wg0 
 + 
 +# set the address of the wireguard interface - the address is arbitrary 
 +# we use a /24 netmask with peer wireguard interfaces to be assigned address in 172.16.2.0/24 
 +# name must match interface name above 
 +/ip address add address=172.16.2.1/24 comment="Wireguard VPN Endpoint" interface=wg0 network=172.16.2.0 
 + 
 +# do the following for each remote site
  
 # define remote wireguard peers - be sure to identify peer with comment # define remote wireguard peers - be sure to identify peer with comment
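Review bot: the new firewall rule is split over two lines ("... dst-port=51820" followed by "protocol=udp place-before=4") with no trailing backslash, unlike the peer command later on the page, so pasting this block into the RouterOS terminal sends two incomplete commands: the first lacks the protocol that dst-port needs, and the second is not a command on its own. Join the lines or end the first with "\". Separately, place-before=4 hard-codes a rule position that is only meaningful on the router the author was looking at, which is why the comment also has to say "move rule as needed"; place-before=[find comment="<comment of the existing drop rule>"] makes the intent explicit and survives reordering, and adding in-interface-list=WAN keeps the accept scoped to the internet-facing interfaces on routers that use the default interface lists. Minor: the interface comment says "WireGuard" while the address comment says "Wireguard".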
Line 37: Line 50:
 /interface wireguard peers add allowed-address=172.16.2.3/32,192.168.53.0/24 comment="Remote Site Name" \ /interface wireguard peers add allowed-address=172.16.2.3/32,192.168.53.0/24 comment="Remote Site Name" \
     interface=wg0 persistent-keepalive=25s public-key="<remote-peer-public-key"     interface=wg0 persistent-keepalive=25s public-key="<remote-peer-public-key"
- 
-# set the address of the wireguard interface - the address is arbitrary 
-# we use a /24 netmask to include all peers - name must match interface name above 
-/ip address add address=172.16.2.1/24 comment="VA - Wireguard VPN Endpoint" interface=wg0 network=172.16.2.0 
  
 # add a route to the subnet(s) behind the remote peers # add a route to the subnet(s) behind the remote peers
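Review bot: the public-key placeholder on the second line of the peer command is missing its closing angle bracket ("<remote-peer-public-key"), which is easy to paste verbatim; write it as "<remote-peer-public-key>" so it is obviously a placeholder. Since the wg0 address now lives in the once-only block earlier on the page, it is worth stating here that each remote peer's tunnel address (172.16.2.3/32 in the example) must fall inside 172.16.2.0/24 and that no two peers may overlap in allowed-address, because allowed-address is WireGuard's cryptokey routing table: outbound packets for those ranges are sent to that peer, and inbound packets from that peer are accepted only if sourced from them. persistent-keepalive=25s is only needed on the side that sits behind NAT or a stateful firewall and can be dropped on a peer with a fixed public endpoint.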
networking/router/mikrotik_vpn_wg.1688267898.txt.gz · Last modified: 2023/07/01 21:18 by gcooper