doogleman
just joined
Topic Author
Posts: 1
Joined: Sat Feb 17, 2024 9:50 pm

RouterOS - Simple WireGuard Client Setup

Sat Feb 17, 2024 10:43 pm

Hi All,
I wish to set up a simple WireGuard client on my router (hAP ax lite LTE6) that will give me a static external IP address from the host network.
I can get this working very simply on my windows laptop with the WireGuard Windows app by importing the below config file, but need this to be running on the router for all connected clients:

[Interface]
Address = DesiredExternalIPAddress/24
ListenPort = 51820
PrivateKey = CorrectPrivateKey
DNS = 8.8.8.8

[Peer]
PublicKey = CorrectPublicKey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = DesiredEndpointIPAddress:51820


I have been at it for hours:
- added the wireguard interface.
- added the ip under "addresses".
- added the wireguard client.
- etc. etc.
and have reset the router to factory defaults multiple times, but still no joy I'm afraid.
The router does have internet connectivity when default with a working data sim.

End goal is that any client connected to wifi or lan will have access to the internet and the router/clients will have an external IP of "DesiredExternalIPAddress".

Any help would be greatly appreciated.
 
TheCat12
Long time Member
Posts: 510
Joined: Fri Dec 31, 2021 9:13 pm

Re: RouterOS - Simple WireGuard Client Setup

Sun Feb 18, 2024 9:25 pm

/interface wireguard
add listen-port=51820 name=wireguard1

/interface wireguard peers
add public-key=CorrectPublicKey allowed-address=DesiredExternalIPAddress/24,WireguardSubnetClientAddress/32 endpoint-address=DesiredEndpointIPAddress endpoint-port=DesiredEndpointPort interface=wireguard1

/ip address
add address=WireguardSubnetClientAddress/24 interface=wireguard1

/ip route
add dst-address=DesiredExternalIPAddress/24 gateway=WireguardSubnetGateway

/ip firewall filter
add chain=input protocol=udp dst-port=51820 action=accept
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: RouterOS - Simple WireGuard Client Setup

Sun Feb 18, 2024 9:34 pm

Not really enough info.
It would seem you are saying you have purchased a third party VPN provider and wish to use that provider for internet access for some or all of the users on your router.
In other words, the router is not the server for handshake but the wireguard client for handshake?
OR
You are connecting to another router???

One can conclude this by your opening statement: simple WireGuard client on my router (hAP ax lite LTE6)
Last edited by Mesquite on Sun Feb 18, 2024 9:44 pm, edited 2 times in total.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: RouterOS - Simple WireGuard Client Setup

Sun Feb 18, 2024 9:43 pm

In terms of setup, this is actually what it should look like; no offense to the previous poster, but it's in error.
One should be careful before providing bad information!!!!

/interface wireguard
add listen-port=51820 name=wireguard1
# the listen port can be anything random; it has no relation to the port given to you by the third-party provider

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=DesiredEndpointIPAddress endpoint-port=DesiredEndpointPort interface=wireguard1 public-key=CorrectPublicKey persistent-keepalive=35s
# allowed-address=0.0.0.0/0 so your users can use the internet through the tunnel
# endpoint-address is the public IP of the third-party device or provider, endpoint-port is the port they gave you, public-key is the key they provided
# persistent-keepalive ensures your router keeps the tunnel open

/ip address
add address=WireguardSubnet-ClientAddress/24 interface=wireguard1
# the address is given to you by the third-party provider

/ip route
# NOT required for the general wireguard subnet; however, we will add one for sending local traffic on the router into the tunnel.
# <dac> dst-address=<wireguard subnet> gateway=wireguard1 is created automatically by the router when you create the IP address for wireguard

/ip firewall filter
# add chain=input ... NOT REQUIRED, the router is not the server for handshake....

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Okay, that gets you to a solid place to now consider how to force traffic into the tunnel. You will need three things..
a. firewall rule to allow traffic to enter tunnel ( permission function )
b. add table to use for our route setup
c. decide to use either mangling or routing rules for catching/forcing traffic into tunnel
d. ensure we source nat all traffic entering tunnel with WG ip address given to you by the third party provider, as at their end they will not accept any other source IPs. !!
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: RouterOS - Simple WireGuard Client Setup

Sun Feb 18, 2024 9:49 pm

Will have to see your current full config to make any more recommendations.
PS where do you see to enter DNS on the mikrotik wireguard interface settings, not any such thing on my router ???
What DNS did the third party provider give you???
 
kxrist
just joined
Posts: 8
Joined: Thu May 03, 2018 12:40 pm

Re: RouterOS - Simple WireGuard Client Setup

Thu Oct 31, 2024 1:51 pm

Can you please elaborate on a-d, as I have the same problem (I am on ROS 7).
 
anav
Forum Guru
Posts: 22310
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - Simple WireGuard Client Setup

Thu Oct 31, 2024 4:27 pm

Sure.
Think about it. The 3rd party VPN provider gives you ONE, a single IP address for wireguard.
Therefore all traffic, coming from the MT, with source address that is NOT that single address will be dropped, when it shows up at the 3rd party peer Server.

Similar to NAT, how all private LAN traffic leaving the router is given the source address of the WANIP, and thus appears as a single address to all recipients.
This is accomplished by the sourcenat rule.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

The same needs then to be applied to all traffic leaving the router and entering the tunnel (interface=wireguard1) for the other end 3rd party processing.
Hence we have two options to accomplish this:

A. add another sourcenat rule.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=wireguard1

B. add the wireguard interface as a WAN interface list member, and THEN the default rule above automatically includes all outgoing traffic through the list interfaces (aka has the same functionality as the additional rule).

/interface list member
add interface=wireguard1 list=WAN
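As an added example (not code from this thread or from MikroTik), the script below turns a standard WireGuard client .conf like the one in the first post into RouterOS 7 commands that cover Mesquite's steps a-d and anav's option A srcnat rule. The LAN subnet, routing-table name and sample addresses are constructed placeholders, and the RouterOS 7 syntax for /routing table and /routing rule is from my own reading of the documentation, so verify it on your version.

```python
"""Translate a standard WireGuard client .conf into RouterOS 7 commands.
Added example, not from the thread or from MikroTik; LAN subnet, table
name and sample addresses are constructed placeholders."""
import configparser

# Constructed sample: same layout and key names as the first post's config.
SAMPLE_CONF = """[Interface]
Address = 10.66.66.2/24
ListenPort = 51820
PrivateKey = CorrectPrivateKey
DNS = 8.8.8.8

[Peer]
PublicKey = CorrectPublicKey
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""

def wg_conf_to_routeros(conf_text, iface="wireguard1",
                        lan="192.168.88.0/24", table="to-vpn"):
    cp = configparser.ConfigParser(delimiters=("=",))  # ':' appears in values
    cp.read_string(conf_text)
    i, p = cp["Interface"], cp["Peer"]
    host, port = p["Endpoint"].rsplit(":", 1)        # also handles [v6]:port
    # IPv4 only (the /ip commands below are IPv4); RouterOS wants no spaces
    allowed = ",".join(a.strip() for a in p["AllowedIPs"].split(",")
                       if ":" not in a)
    cmds = [
        f'/interface wireguard add name={iface} listen-port={i["ListenPort"]} '
        f'private-key="{i["PrivateKey"]}"',
        f'/interface wireguard peers add interface={iface} public-key="{p["PublicKey"]}" '
        f'endpoint-address={host} endpoint-port={port} allowed-address={allowed} persistent-keepalive=35s',
        f'/ip address add address={i["Address"]} interface={iface}',
        # (a) permit LAN -> tunnel in forward; use place-before= if your chain ends in a drop
        f'/ip firewall filter add chain=forward action=accept '
        f'in-interface-list=LAN out-interface={iface}',
        # (b) a separate routing table whose only default route is the tunnel
        f'/routing table add name={table} fib',
        f'/ip route add dst-address=0.0.0.0/0 gateway={iface} routing-table={table}',
        # (c) routing rule: LAN sources resolve routes only in that table
        f'/routing rule add src-address={lan} action=lookup-only-in-table table={table}',
        # (d) the provider accepts only the single tunnel address as source
        f'/ip firewall nat add chain=srcnat action=masquerade out-interface={iface}',
    ]
    if "DNS" in i:  # RouterOS has no per-interface DNS field; set it globally
        cmds.append(f'/ip dns set servers={i["DNS"]}')
    return cmds
```

Paste the returned lines into a RouterOS terminal in order; the routing rule (c) is what stops LAN clients from falling back to the LTE default route when the tunnel is down, which is the leak a plain default route would allow.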