====== Mikrotik WireGuard Site to Site VPN ======
FIXME Incomplete
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
https://www.wireguard.com/
https://help.mikrotik.com/docs/display/ROS/WireGuard
**HowTo**: https://forum.mikrotik.com/viewtopic.php?t=182340
**Road Warrior HowTo**: https://forum.mikrotik.com/viewtopic.php?p=899406
**Why WireGuard?**: https://restoreprivacy.com/vpn/wireguard-vs-openvpn/
**Enable/Disable Peer by Comment**: https://techoverflow.net/2022/04/18/how-to-enable-disable-wireguard-peer-by-comment-on-mikrotik/
Note that **Windows workstations do not respond to pings by default**, but will if you temporarily disable the firewall. Don't forget to turn it back on when you are done testing!
===== One End Dynamic =====
https://www.youtube.com/watch?v=P6f8Qc4EItc
{{ :networking:router:wg_vpn_one_side_dynamic.png?750 |Example VPN One Side Dynamic}}
==== Server (Static IP) ====
=== Using CLI ===
# perform the next three commands only once
# allow wireguard connections to the router - move rule as needed
/ip firewall filter add action=accept chain=input comment="Allow WireGuard VPN" dst-port=51820 \
protocol=udp place-before=4
# add a wireguard interface - name is arbitrary - select UDP listen port not blocked by all ISPs
/interface wireguard add comment="WireGuard VPN Endpoint" listen-port=51820 mtu=1420 name=wg0
# set the address of the wireguard interface - the address is arbitrary
# we use a /24 netmask; peer wireguard interfaces are assigned addresses in 172.16.2.0/24
# name must match interface name above
/ip address add address=172.16.2.1/24 comment="Wireguard VPN Endpoint" interface=wg0 network=172.16.2.0
# do the following for each remote site
# define remote wireguard peers - be sure to identify peer with comment
# allowed addresses are remote peer address and address ranges behind the remote peer
# paste the remote peer's public key between the quotes
/interface wireguard peers add allowed-address=172.16.2.3/32,192.168.53.0/24 comment="Remote Site Name" \
interface=wg0 persistent-keepalive=25s public-key=""
==== CPE (Dynamic IP) ====
=== Using Winbox ===
Here we configure a RB3011UiAS-RM client router on RouterOS 7.10 reset to factory defaults using Winbox.
First we configure the ''admin'' password:
{{ :networking:router:winbox_cpe_wg_1.png?direct&400 |Set the Admin Password}}
Use Quick Set for basic router configuration:
{{ :networking:router:winbox_cpe_wg_2.png?direct&500 |Use Quick Set for Basic Configuration}}
Create the WireGuard VPN interface:
* The name of the interface is arbitrary and we use the default here
* The MTU matters, but we use the default here
* The UDP listen port probably doesn't matter, but we use the same port as on the server here
* This CPE router **must initiate the VPN connections** because it has a dynamic IP and is behind Carrier Grade NAT (double NAT)
* In at least one case, the default UDP port 13231 was blocked by the ISP
* You may need to find a UDP port that is not blocked by your ISP and use it on the server
{{ :networking:router:winbox_cpe_wg_3.png?direct&500 |Create a WireGuard Interface}}
Define a WireGuard VPN peer:
* The peer is the **remote** WireGuard endpoint (server, router)
* The public key is the public key from the **remote** WireGuard endpoint
* The endpoint address is the **static public IP address** of the **remote** WireGuard endpoint (server)
* The endpoint port is the UDP listen port of the **remote** WireGuard endpoint
* The allowed address is a list of remote IP addresses **on or behind the remote** WireGuard endpoint: the remote WireGuard interface IP address and the remote IP subnet behind the remote WireGuard endpoint
* The persistent keepalive is a timer that sends an empty packet across the tunnel to keep it open
* 25 seconds is a common recommendation for the keepalive timer
{{ :networking:router:winbox_cpe_wg_4.png?direct&500 |Define a WireGuard Peer}}
Show a connected peer:
* You should get a handshake and a few packets exchanged at this point
* If not, troubleshoot this first
* Check that the server firewall permits your selected UDP listen port
{{ :networking:router:winbox_cpe_wg_5.png?direct&750 |Connected Peer}}
Add an IP address to the WireGuard interface:
* This IP address appears as a hop in a traceroute run from the remote side
* This VPN example uses an arbitrary subnet 172.16.2.0/24 for VPN endpoints: 172.16.2.1/24 for the server and 172.16.2.3/32 for the CPE
* If you had a hub and spoke VPN, you would use other 172.16.2.0/24 addresses for other endpoints
{{ :networking:router:winbox_cpe_wg_6.png?direct&400 |Add IP Address to WireGuard Interface}}
Add a static route for remote IP subnet behind peer:
* WireGuard will automatically route to the remote WireGuard IP address
* You can ping the remote (peer) WireGuard IP address
* WireGuard does **not** automatically add routes to the remote subnets
* Pings to the remote subnet will fail without the necessary static route
{{ :networking:router:winbox_cpe_wg_7.png?direct&500 |Add a Static Route for Remote Subnet}}
At this point, you should be able to ping devices to or from the subnets behind either router.
=== Using CLI ===
# the interface name is arbitrary - wg0, wg1 are common - wireguard1 is the default
# the port is also arbitrary - 51820 is customary - choose UDP port not blocked by ISP
# listen port probably doesn't matter on this end
/interface wireguard add listen-port=51820 mtu=1420 name=wireguard1
# the peer is the remote side definition - server in this case
# allowed addresses are addresses at the remote side - server in this case
# the public key is the public key of the remote side - server in this case
# endpoint port must match remote listen port - server in this case
/interface wireguard peers
add allowed-address=172.16.2.1/32,192.168.50.0/24 comment="Server Site Name" \
endpoint-address= endpoint-port=51820 interface=wireguard1 \
persistent-keepalive=25s public-key=""
# assign an address to the wireguard interface - will show in traceroute
# address choice is arbitrary - a /24 on the interface gives a connected route covering the /32 peer addresses
/ip address add address=172.16.2.3/24 interface=wireguard1 network=172.16.2.0
# you must add a static route to the subnet(s) behind the remote peer - server in this case
/ip route add disabled=no dst-address=192.168.50.0/24 gateway=wireguard1 \
routing-table=main suppress-hw-offload=no
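The server and CPE commands above have to agree with each other: the CPE's WireGuard address must appear as a /32 in the server's allowed-address list together with the CPE's LAN, the CPE's allowed-address list must carry the server's WireGuard address and LAN, and each side needs its own static route because WireGuard adds none. As an added example (not part of this page or of any MikroTik tooling), the Python script below generates both ends for a hub with several dynamic-IP spokes, which is the hub-and-spoke case mentioned under the IP address step, and checks the plan for the mistakes that make pings fail silently. It assumes a constructed site table, the TEST-NET address 203.0.113.10 as the hub's static IP, and placeholder strings where the real public keys would be pasted; it also adds the hub-side static route to each spoke LAN, which the server section above leaves out. `peer_for` reproduces WireGuard's allowed-address matching so you can see which peer a destination would be sent to.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: a TEST-NET address for the hub endpoint and
# placeholder strings where real WireGuard public keys would go.
HUB_PUBLIC_KEY = "<hub-public-key-placeholder>"


@dataclass
class Site:
    name: str        # used as the peer comment on the hub
    tunnel_ip: str   # this site's address on the WireGuard interface
    lan: str         # subnet behind this site's router
    public_key: str  # this site's WireGuard public key


@dataclass
class Hub:
    tunnel_net: str  # subnet shared by every WireGuard interface, e.g. 172.16.2.0/24
    tunnel_ip: str   # hub's own address inside tunnel_net
    lan: str         # subnet behind the hub
    endpoint: str    # hub's static public IP, which the spokes dial
    port: int = 51820
    iface: str = "wg0"
    public_key: str = HUB_PUBLIC_KEY


def check_plan(hub, sites):
    """Return the problems that would make the generated config fail."""
    problems, net, used = [], ipaddress.ip_network(hub.tunnel_net), {}
    for who, ip in [("hub", hub.tunnel_ip)] + [(s.name, s.tunnel_ip) for s in sites]:
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{who}: tunnel address {ip} is outside {hub.tunnel_net}")
        if ip in used:
            problems.append(f"{who}: tunnel address {ip} already used by {used[ip]}")
        used.setdefault(ip, who)
    lans = [("hub", hub.lan)] + [(s.name, s.lan) for s in sites]
    for i, (who, lan) in enumerate(lans):
        n = ipaddress.ip_network(lan)
        if n.overlaps(net):
            problems.append(f"{who}: LAN {lan} overlaps tunnel subnet {hub.tunnel_net}")
        for other, lan2 in lans[i + 1:]:
            if n.overlaps(ipaddress.ip_network(lan2)):
                problems.append(f"{who} LAN {lan} overlaps {other} LAN {lan2}")
    return problems


def hub_allowed(sites):
    """Per-spoke allowed-address list: the spoke's tunnel /32 plus the LAN behind it."""
    return {s.name: [f"{s.tunnel_ip}/32", s.lan] for s in sites}


def hub_commands(hub, sites):
    """RouterOS commands for the static-IP hub; move the firewall rule as needed."""
    plen = ipaddress.ip_network(hub.tunnel_net).prefixlen
    cmds = [
        f'/ip firewall filter add action=accept chain=input comment="Allow WireGuard VPN" '
        f'dst-port={hub.port} protocol=udp',
        f'/interface wireguard add listen-port={hub.port} mtu=1420 name={hub.iface}',
        f'/ip address add address={hub.tunnel_ip}/{plen} interface={hub.iface}',
    ]
    for s in sites:
        cmds.append(f'/interface wireguard peers add allowed-address={s.tunnel_ip}/32,{s.lan} '
                    f'comment="{s.name}" interface={hub.iface} persistent-keepalive=25s '
                    f'public-key="{s.public_key}"')
        # WireGuard adds no route for the remote LAN, so the hub needs one per spoke
        cmds.append(f'/ip route add dst-address={s.lan} gateway={hub.iface}')
    return cmds


def spoke_commands(hub, site, iface="wireguard1"):
    """RouterOS commands for a dynamic-IP spoke, which must initiate the connection."""
    plen = ipaddress.ip_network(hub.tunnel_net).prefixlen
    return [
        f'/interface wireguard add listen-port={hub.port} mtu=1420 name={iface}',
        f'/interface wireguard peers add allowed-address={hub.tunnel_ip}/32,{hub.lan} '
        f'comment="Hub" endpoint-address={hub.endpoint} endpoint-port={hub.port} '
        f'interface={iface} persistent-keepalive=25s public-key="{hub.public_key}"',
        f'/ip address add address={site.tunnel_ip}/{plen} interface={iface}',
        f'/ip route add dst-address={hub.lan} gateway={iface}',
    ]


def peer_for(dst, allowed_by_peer):
    """Cryptokey routing: longest-prefix match of dst over the peers' allowed-address
    lists. WireGuard sends to the winning peer and drops inbound packets whose inner
    source is not in the sending peer's list, so a missing entry fails silently."""
    dst, best = ipaddress.ip_address(dst), None
    for name, allowed in allowed_by_peer.items():
        for cidr in allowed:
            n = ipaddress.ip_network(cidr)
            if dst in n and (best is None or n.prefixlen > best[1]):
                best = (name, n.prefixlen)
    return best[0] if best else None


HUB = Hub(tunnel_net="172.16.2.0/24", tunnel_ip="172.16.2.1",
          lan="192.168.50.0/24", endpoint="203.0.113.10")
SITES = [
    Site("Remote Site A", "172.16.2.3", "192.168.53.0/24", "<site-a-public-key-placeholder>"),
    Site("Remote Site B", "172.16.2.4", "192.168.54.0/24", "<site-b-public-key-placeholder>"),
]

if __name__ == "__main__":
    for p in check_plan(HUB, SITES):
        print("PROBLEM:", p)
    print("# --- hub ---")
    print("\n".join(hub_commands(HUB, SITES)))
    for s in SITES:
        print(f"# --- spoke: {s.name} ---")
        print("\n".join(spoke_commands(HUB, s)))
```

Run it and paste the printed commands into each router after filling in the keys. The generated spokes only carry the hub's address and LAN in their allowed-address list, so spoke-to-spoke traffic through the hub would additionally need the other spokes' LANs in that list and matching static routes on both the spoke and the hub.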