This is an old revision of the document!

Mikrotik WireGuard Site to Site VPN

Incomplete

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

https://www.wireguard.com/

https://help.mikrotik.com/docs/display/ROS/WireGuard

HowTo: https://forum.mikrotik.com/viewtopic.php?t=182340

Road Warrior HowTo: https://forum.mikrotik.com/viewtopic.php?p=899406

Note that Windows workstations do not respond to pings by default, but will if you temporarily disable the firewall. Don't forget to turn it back on when you are done testing!

Both Ends Static

One End Dynamic

https://www.youtube.com/watch?v=P6f8Qc4EItc

Server (Static IP)

CPE (Dynamic IP)

Using Winbox

Here we configure a RB3011UiAS-RM client router on RouterOS 7.10 reset to factory defaults using Winbox.

First we configure the admin password:

Use Quick Set for basic router configuration:

Create the WireGuard VPN interface:

The name of the interface is arbitrary and we use the default here
The MTU matters, but we use the default here
The UDP listen port probably doesn't matter, but we use the same port as on the server here
- This CPE router must initiate the VPN connections because it has a dynamic IP and is behind Carrier Grade NAT (double NAT)
- In at least one case, the default UDP port 13231 was blocked by the ISP
- You may need to find a UDP port that is not blocked by your ISP and use it on the server

Define a WireGuard VPN peer:

The peer is the remote WireGuard endpoint (server, router)
The public key is the public key from the remote WireGuard endpoint
The endpoint address is the static public IP address of the remote WireGuard endpoint (server)
The endpoint port is the UDP listen port of the remote WireGuard endpoint
The allowed address is a list of remote IP addresses on or behind the remote WireGuard endpoint
- Remote WireGuard interface IP address
- Remote IP subnet behind the remote WireGuard endpoint
The persistent keepalive is a timer to send an empty packet accross the tunnel to keep it open
- 25 seconds is a common recommendation for the keepalive timer

Show a connected peer:

You should get a handshake and a few packets exchanged at this point
- If not, troubleshoot this first
- Check that the server firewall permits your selected UDP listen port

Add an IP address to the WireGuard interface:

This IP address (of the remote) will be listed in a traceroute
This VPN example uses an arbitrary subnet 172.16.2.0/24 for VPN endpoints
- Actually 172.16.2.1/24 for the server
- Actually 172.16.2.3/32 for the CPE
- If you had a hub and spoke VPN, you would use other 172.16.2.0/24 addresses for other endpoints

Add a static route for remote IP subnet behind peer:

WireGuard will automatically route to the remote WireGuard IP address
- You can ping the remote (peer) WireGuard IP address
WireGuard does not automatically add routes to the remote subnets
- Pings to the remote subnet will fail without the necessary static route

At this point, you should be able to ping devices to or from the subnets behind either router.

Using CLI

# the interface name is arbitrary - wg0, wg1 are common - wireguard1 is the default
/interface wireguard add listen-port=51820 mtu=1420 name=wireguard1

# the peer is the remote side definition - server in this case
# allowed addresses are addresses at the remote side - server in this case
# the public key is the public key of the remote side - server in this case
/interface wireguard peers
add allowed-address=172.16.2.1/32,192.168.50.0/24 comment="Server Site Name" \
    endpoint-address=<server-public-ip> endpoint-port=51820 interface=wireguard1 \
    persistent-keepalive=25s public-key="<server-public-key>"

# you must add a static route to the subnet(s) behind the remote peer - server in this case
/ip route add disabled=no dst-address=192.168.50.0/24 gateway=wireguard1 \
    routing-table=main suppress-hw-offload=no

Virtual Architects Support Wiki

Table of Contents

Mikrotik WireGuard Site to Site VPN

Both Ends Static