
Mikrotik WireGuard Site to Site VPN

Both Ends Static

One End Dynamic

Server (Static IP)

CPE (Dynamic IP)

Winbox

Here we configure a RB3011UiAS-RM client router on RouterOS 7.10 reset to factory defaults using Winbox.

First we configure the admin password:

Set the Admin Password

Use Quick Set for basic router configuration:

Use Quick Set for Basic Configuration

Create the WireGuard VPN interface:

  • The name of the interface is arbitrary and we use the default here
  • The MTU matters, but we use the default here
  • The UDP listen port probably doesn't matter, but we use the same port as on the server here
    • This CPE router must initiate the VPN connections because it has a dynamic IP and is behind Carrier Grade NAT (double NAT)
    • In at least one case, the default UDP port 13231 was blocked by the ISP
    • You may need to find a UDP port that is not blocked by your ISP and use it on the server

Create a WireGuard Interface

Define a WireGuard VPN peer:

  • The peer is the remote WireGuard endpoint (server, router)
  • The public key is the public key from the remote WireGuard endpoint
  • The endpoint address is the static public IP address of the remote WireGuard endpoint (server)
  • The endpoint port is the UDP listen port of the remote WireGuard endpoint
  • The allowed address is a list of remote IP addresses on or behind the remote WireGuard endpoint
    • Remote WireGuard interface IP address
    • Remote IP subnet behind the remote WireGuard endpoint
  • The persistent keepalive is a timer that sends an empty packet across the tunnel to keep the NAT mapping open
    • 25 seconds is a common recommendation for the keepalive timer

Define a WireGuard Peer

Show a connected peer:

  • You should get a handshake and a few packets exchanged at this point
    • If not, troubleshoot this first
    • Check that the server firewall permits your selected UDP listen port

Connected Peer

Add an IP address to the WireGuard interface:

  • This IP address (of the remote) will be listed in a traceroute
  • This VPN example uses an arbitrary subnet 172.16.2.0/24 for VPN endpoints
    • Actually 172.16.2.1/24 for the server
    • Actually 172.16.2.3/32 for the CPE
    • If you had a hub and spoke VPN, you would use other 172.16.2.0/24 addresses for other endpoints

Add IP Address to WireGuard Interface

Add a static route for the remote IP subnet behind the peer:

  • WireGuard will automatically route to the remote WireGuard IP address
    • You can ping the remote (peer) WireGuard IP address
  • WireGuard does not automatically add routes to the remote subnets
    • Pings to the remote subnet will fail without the necessary static route

Add a Static Route for Remote Subnet
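The same CPE-side steps as RouterOS 7 terminal commands, added here as an example and not taken from the wiki page. The server public IP (203.0.113.10), the LAN behind the server (192.168.1.0/24) and the server public key are placeholders; the CPE tunnel address uses a /24 mask here (assumption) so the connected route covers the server's tunnel address.

```routeros
# Added example: CPE (dynamic IP) side of the tunnel, RouterOS 7 CLI.
# Placeholders (not from the page):
#   203.0.113.10         server's static public IP
#   192.168.1.0/24       LAN behind the server
#   <SERVER-PUBLIC-KEY>  from "/interface/wireguard print" on the server

# 1. WireGuard interface. RouterOS generates the key pair itself; the
#    listen port matches the server's (use another if the ISP blocks it).
/interface/wireguard
add name=wireguard1 listen-port=13231 mtu=1420

# Show this router's public key; it goes into the peer entry on the server.
/interface/wireguard print

# 2. Peer = the server. The CPE must initiate (CGNAT), so it needs the
#    endpoint. allowed-address lists the server's tunnel address and its
#    LAN; WireGuard only accepts packets from this peer with those sources.
/interface/wireguard/peers
add interface=wireguard1 public-key="<SERVER-PUBLIC-KEY>" \
    endpoint-address=203.0.113.10 endpoint-port=13231 \
    allowed-address=172.16.2.1/32,192.168.1.0/24 \
    persistent-keepalive=25s comment="site-to-site server"

# 3. Verify the handshake before going further: last-handshake and the
#    rx/tx counters should be populated. If not, check the server's
#    firewall for the chosen UDP port.
/interface/wireguard/peers print

# 4. Tunnel address on the CPE. Assumption: /24 mask so the connected
#    route reaches the server's 172.16.2.1.
/ip/address
add address=172.16.2.3/24 interface=wireguard1

# 5. Static route for the LAN behind the server; WireGuard does not add it.
/ip/route
add dst-address=192.168.1.0/24 gateway=wireguard1 comment="LAN via WG"

# 6. End-to-end check: server tunnel address, then a host on its LAN.
/ping 172.16.2.1 count=3
/ping 192.168.1.1 count=3

# Server side (static IP): the input chain must accept the listen port,
# placed above the default "drop all not coming from LAN" rule.
/ip/firewall/filter
add chain=input protocol=udp dst-port=13231 action=accept \
    comment="WireGuard" place-before=0
```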

At this point, you should be able to ping devices to or from the subnets behind either router.

Note that Windows workstations do not respond to pings by default, but will if you temporarily disable the firewall. Don't forget to turn it back on when you are done testing!
networking/router/mikrotik_vpn_wg.1688152310.txt.gz · Last modified: 2023/06/30 13:11 by gcooper