Mikrotik WireGuard Site to Site VPN

FIXME Incomplete

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

https://www.wireguard.com/

https://help.mikrotik.com/docs/display/ROS/WireGuard

HowTo: https://forum.mikrotik.com/viewtopic.php?t=182340

Road Warrior HowTo: https://forum.mikrotik.com/viewtopic.php?p=899406

Why WireGuard?: https://restoreprivacy.com/vpn/wireguard-vs-openvpn/

Enable/Disable Peer by Comment: https://techoverflow.net/2022/04/18/how-to-enable-disable-wireguard-peer-by-comment-on-mikrotik/

Note that Windows workstations do not answer pings by default. For testing, either enable the inbound "File and Printer Sharing (Echo Request - ICMPv4-In)" rule in Windows Defender Firewall or temporarily disable the firewall, and don't forget to revert the change when you are done testing!

One End Dynamic

Server (Static IP)

Using CLI

# perform the next three commands only once

# allow wireguard connections to the router - move rule as needed
# the rule must sit above the default "drop all not from LAN" input rule; place-before=4 is an
# example position, check /ip firewall filter print for the right one on your router
# WireGuard silently ignores packets that do not authenticate, so the open port does not respond
# to scanners, but restrict src-address if all remote peers have static IPs
/ip firewall filter add action=accept chain=input comment="Allow WireGuard VPN" dst-port=51820 \
    protocol=udp place-before=4

# add a wireguard interface - name is arbitrary - select UDP listen port not blocked by all ISPs
# RouterOS generates the keypair when the interface is created; /interface wireguard print shows
# the public key to give to the remote sites - the private key stays on this router
/interface wireguard add comment="WireGuard VPN Endpoint" listen-port=51820 mtu=1420 name=wg0

# set the address of the wireguard interface - the address is arbitrary
# we use a /24 netmask with peer wireguard interfaces to be assigned address in 172.16.2.0/24
# name must match interface name above
/ip address add address=172.16.2.1/24 comment="Wireguard VPN Endpoint" interface=wg0 network=172.16.2.0

# do the following for each remote site

# define remote wireguard peers - be sure to identify peer with comment
# allowed addresses are remote peer address and address ranges behind the remote peer
# they are also a source filter: packets from this peer with any other source address are
# dropped, and the /32 stops the peer from claiming another tunnel address
/interface wireguard peers add allowed-address=172.16.2.3/32,192.168.53.0/24 comment="Remote Site Name" \
    interface=wg0 persistent-keepalive=25s public-key="<remote-peer-public-key>"

# add a route to the subnet(s) behind the remote peers
/ip route add comment="Remote Site Name" dst-address=192.168.53.0/24 gateway=wg0

CPE (Dynamic IP)

Using Winbox

Here we configure a RB3011UiAS-RM client router on RouterOS 7.10 reset to factory defaults using Winbox.

First we configure the admin password:

Set the Admin Password

Use Quick Set for basic router configuration:

Use Quick Set for Basic Configuration

Create the WireGuard VPN interface:

  • The name of the interface is arbitrary and we use the default here
  • The MTU matters, but we use the default here
  • The UDP listen port on this end is never contacted from outside, so its value does not matter as long as it is free on this router; we use the same port as on the server here
    • This CPE router must initiate the VPN connections because it has a dynamic IP and is behind Carrier Grade NAT (double NAT), so the server cannot reach it
    • In at least one case, the default UDP port 13231 was blocked by the ISP
    • You may need to find a UDP port that is not blocked by your ISP and use it as the listen port on the server (and as the endpoint port here)

Create a WireGuard Interface

Define a WireGuard VPN peer:

  • The peer is the remote WireGuard endpoint (server, router)
  • The public key is the public key from the remote WireGuard endpoint
  • The endpoint address is the static public IP address of the remote WireGuard endpoint (server)
  • The endpoint port is the UDP listen port of the remote WireGuard endpoint
  • The allowed address is a list of remote IP addresses on or behind the remote WireGuard endpoint; traffic to these destinations is sent to this peer, and traffic arriving from this peer with any other source address is dropped
    • Remote WireGuard interface IP address
    • Remote IP subnet behind the remote WireGuard endpoint
  • The persistent keepalive is a timer to send an empty packet across the tunnel so the NAT mapping for this connection does not expire
    • 25 seconds is a common recommendation for the keepalive timer

Define a WireGuard Peer

Show a connected peer:

  • You should get a handshake and a few packets exchanged at this point (a last handshake time and rx/tx counters on the peer)
    • If not, troubleshoot this first: a peer that never completes a handshake almost always means a wrong public key on one side, a wrong endpoint address or port, or a blocked UDP port
    • Check that the server firewall permits your selected UDP listen port

Connected Peer

Add an IP address to the WireGuard interface:

  • This IP address appears as a hop in a traceroute across the tunnel
  • This VPN example uses an arbitrary subnet 172.16.2.0/24 for VPN endpoints
    • The server is 172.16.2.1/24
    • The CPE is 172.16.2.3/24 on its interface; the server lists it as 172.16.2.3/32 in the peer's allowed address
    • If you had a hub and spoke VPN, you would use other 172.16.2.0/24 addresses for other endpoints

Add IP Address to WireGuard Interface

Add a static route for remote IP subnet behind peer:

  • The /24 on the WireGuard interface gives a connected route for the tunnel subnet, so the remote WireGuard IP address is reachable without further configuration
    • You can ping the remote (peer) WireGuard IP address
  • WireGuard does not automatically add routes to the remote subnets; the allowed address only tells WireGuard which peer a packet belongs to once it reaches the interface
    • Pings to the remote subnet will fail without the necessary static route

Add a Static Route for Remote Subnet

At this point, you should be able to ping devices to or from the subnets behind either router, provided the routers' forward chain and the end hosts' own firewalls permit it. Note that the forward chain of the RouterOS default firewall only blocks new connections from the WAN interface list, so traffic arriving over the tunnel is forwarded freely; add forward rules if the remote site should reach only specific hosts.

Using CLI

# the interface name is arbitrary - wg0, wg1 are common - wireguard1 is the default
# the port is also arbitrary - 51820 is customary - choose UDP port not blocked by ISP
# the listen port on this end is never contacted from outside (the CPE initiates) and only
# needs to be free on this router
/interface wireguard add listen-port=51820 mtu=1420 name=wireguard1

# the peer is the remote side definition - server in this case
# allowed addresses are addresses at the remote side - server in this case
# they double as a source filter: packets from the server with other source addresses are dropped
# the public key is the public key of the remote side - server in this case
# endpoint port must match remote listen port - server in this case
/interface wireguard peers
add allowed-address=172.16.2.1/32,192.168.50.0/24 comment="Server Site Name" \
    endpoint-address=<server-public-ip> endpoint-port=51820 interface=wireguard1 \
    persistent-keepalive=25s public-key="<server-public-key>"

# assign an address to the wireguard interface - will show in traceroute
# address choice is arbitrary - the /24 gives a connected route to the whole tunnel subnet, while
# each peer is listed as a /32 in the other side's allowed-address
/ip address add address=172.16.2.3/24 interface=wireguard1 network=172.16.2.0

# you must add a static route to the subnet(s) behind the remote peer - server in this case
/ip route add disabled=no dst-address=192.168.50.0/24 gateway=wireguard1 \
    routing-table=main suppress-hw-offload=no
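The server and CPE commands above are two halves of one configuration, and most broken site-to-site tunnels come from the halves disagreeing: a LAN missing from allowed-address on one end, a route missing on the other, or two routers that ended up with the same keypair. The following is an added example, not code from the original page, that generates both halves from one site table and rejects those mistakes before anything is pasted into a router. It follows the page's own RouterOS CLI syntax; the site names, keys and addresses are placeholders, and the spoke_to_spoke option (spokes reaching each other through the hub) goes beyond the page's two-site setup.

```python
# Added example (not from the original page): generate the RouterOS 7 WireGuard
# commands for a hub (static IP) and its spokes (dynamic IP) from one site table,
# so that allowed-address, interface addresses and static routes agree on both
# ends. Site names, keys and addresses are placeholders; the spoke_to_spoke
# option goes beyond the page's two-site example.
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Site:
    name: str
    wg_address: str      # tunnel address without mask, e.g. "172.16.2.3"
    lan: str             # subnet behind the site, e.g. "192.168.53.0/24"
    public_key: str      # public key of this site's WireGuard interface
    endpoint: str = ""   # static public IP; "" for a dynamic/CGNAT site
    listen_port: int = 51820

def validate(hub: Site, spokes: List[Site], wg_subnet: str) -> None:
    """Reject mistakes that give a tunnel which handshakes but carries no traffic."""
    net = ipaddress.ip_network(wg_subnet)
    sites = [hub] + spokes
    if not hub.endpoint:
        raise ValueError("hub needs a static endpoint address")
    seen = set()
    for s in sites:
        addr = ipaddress.ip_address(s.wg_address)
        if addr not in net:
            raise ValueError(f"{s.name}: {addr} is outside tunnel subnet {net}")
        if addr in seen:
            raise ValueError(f"{s.name}: duplicate tunnel address {addr}")
        seen.add(addr)
        if not 1 <= s.listen_port <= 65535:
            raise ValueError(f"{s.name}: bad listen port {s.listen_port}")
    # allowed-address is a routing table: overlapping LANs mean one peer silently
    # receives (or has dropped) traffic meant for another.
    lans = [ipaddress.ip_network(s.lan) for s in sites]
    for i, a in enumerate(lans):
        if a.overlaps(net):
            raise ValueError(f"{sites[i].name}: LAN {a} overlaps tunnel subnet {net}")
        for j in range(i + 1, len(lans)):
            if a.overlaps(lans[j]):
                raise ValueError(f"{sites[i].name}/{sites[j].name}: LANs {a} and {lans[j]} overlap")
    # Two sites with the same public key means a private key was copied between routers.
    keys = [s.public_key for s in sites]
    if len(set(keys)) != len(keys):
        raise ValueError("two sites share a public key; generate a keypair on each router")

def hub_commands(hub: Site, spokes: List[Site], wg_subnet: str, iface: str = "wg0") -> List[str]:
    validate(hub, spokes, wg_subnet)
    net = ipaddress.ip_network(wg_subnet)
    cmds = [
        f'/ip firewall filter add chain=input action=accept protocol=udp '
        f'dst-port={hub.listen_port} comment="Allow WireGuard VPN"',
        f'/interface wireguard add name={iface} listen-port={hub.listen_port} mtu=1420 '
        f'comment="WireGuard VPN Endpoint"',
        f'/ip address add address={hub.wg_address}/{net.prefixlen} interface={iface} '
        f'network={net.network_address}',
    ]
    for s in spokes:
        # /32 for the tunnel address: the spoke may not claim any other tunnel address
        cmds.append(f'/interface wireguard peers add interface={iface} public-key="{s.public_key}" '
                    f'allowed-address={s.wg_address}/32,{s.lan} persistent-keepalive=25s '
                    f'comment="{s.name}"')
        cmds.append(f'/ip route add dst-address={s.lan} gateway={iface} comment="{s.name}"')
    return cmds

def spoke_commands(spoke: Site, hub: Site, spokes: List[Site], wg_subnet: str,
                   iface: str = "wireguard1", spoke_to_spoke: bool = False) -> List[str]:
    validate(hub, spokes, wg_subnet)
    net = ipaddress.ip_network(wg_subnet)
    # Everything reached through the hub must be in the hub peer's allowed-address,
    # and every remote LAN needs a static route; WireGuard adds neither for you.
    allowed = [f"{hub.wg_address}/32", hub.lan]
    lans = [hub.lan]
    if spoke_to_spoke:
        for o in spokes:
            if o.name != spoke.name:
                allowed += [f"{o.wg_address}/32", o.lan]
                lans.append(o.lan)
    cmds = [
        f'/interface wireguard add name={iface} listen-port={spoke.listen_port} mtu=1420',
        f'/interface wireguard peers add interface={iface} public-key="{hub.public_key}" '
        f'endpoint-address={hub.endpoint} endpoint-port={hub.listen_port} '
        f'allowed-address={",".join(allowed)} persistent-keepalive=25s comment="{hub.name}"',
        f'/ip address add address={spoke.wg_address}/{net.prefixlen} interface={iface} '
        f'network={net.network_address}',
    ]
    cmds += [f'/ip route add dst-address={lan} gateway={iface} comment="{hub.name}"' for lan in lans]
    return cmds

# Constructed placeholder sites matching the page's addressing.
HUB = Site("Server Site Name", "172.16.2.1", "192.168.50.0/24",
           "<server-public-key>", endpoint="<server-public-ip>")
SPOKES = [Site("Remote Site Name", "172.16.2.3", "192.168.53.0/24", "<remote-peer-public-key>"),
          Site("Second Spoke", "172.16.2.4", "192.168.54.0/24", "<second-spoke-public-key>")]
WG_SUBNET = "172.16.2.0/24"

if __name__ == "__main__":
    print("# hub")
    print("\n".join(hub_commands(HUB, SPOKES, WG_SUBNET)))
    for s in SPOKES:
        print(f"# spoke: {s.name}")
        print("\n".join(spoke_commands(s, HUB, SPOKES, WG_SUBNET, spoke_to_spoke=True)))
```

Run it, replace the placeholder keys with the public keys from each router's /interface wireguard print, and paste each block into the matching router. The generated input rule has no place-before, so move it above the default drop rule as the server section notes. With spoke_to_spoke the hub's firewall must also permit forwarding between its WireGuard interface and itself (wg0 in, wg0 out), which the hub commands do not add.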
networking/router/mikrotik_vpn_wg.txt · Last modified: 2023/07/10 10:36 by gcooper