Hello
How can we set up a Wireguard client on RouterOS? I have two routers: Router A is the Wireguard VPN server and Router B must be the Wireguard client. Is it possible?
The problem is that Router B doesn't have a public IP. Can I use Dynamic DNS? However, I think it's impossible.
Of course it is (if both routers run RouterOS 7.x). Just bear in mind that the Wireguard configuration itself is identical at both peers; what reduces their roles to a "client" and a "server" (or rather an "initiator" and a "responder") is the network topology.
Each peer acts as a responder by listening for incoming Wireguard transport packets on a particular UDP port; when a payload packet arrives from the "inside", the peer acts as an initiator by sending a transport packet to the address and port of the other peer from that same UDP port. For this to work, the network path from the initiator to the responder must be predictable, i.e. the responder must have a public IP address on itself, or there must be a port-forwarding rule on some other router through which the responder is connected to the internet.
So on the client (initiator), you configure the public IP address and port through which the responder is accessible; if the initiator runs on a non-public IP address and there's a dynamic NAT on its route to the internet, you can configure any random IP address and port on the responder to represent the initiator peer, as they will get rewritten by the actual ones once the first packet from that initiator arrives through that NAT.
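The two-sided setup described in the answer above, as an added example that is not part of the original posts: Router A is the responder on a public address, Router B the initiator behind NAT. The interface names, the tunnel subnet 10.255.255.0/30, UDP port 13231, the address 203.0.113.10 and the key placeholders are all assumptions.

```routeros
# Added example; every name, address and key below is a placeholder.

# --- Router A: responder, reachable on public address 203.0.113.10 ---
/interface wireguard add name=wg-to-b listen-port=13231
/ip address add address=10.255.255.1/30 interface=wg-to-b
# Let the Wireguard transport packets reach the router itself.
# "add" appends the rule; move it above any drop rule in chain=input.
/ip firewall filter add chain=input action=accept protocol=udp \
    dst-port=13231 comment="Wireguard from Router B"
# The endpoint for B is left unset here (a choice of this example):
# A learns B's actual address and port from the first valid packet
# that arrives through the NAT, as the answer describes.
/interface wireguard peers add interface=wg-to-b \
    public-key="<ROUTER_B_PUBLIC_KEY>" allowed-address=10.255.255.2/32

# --- Router B: initiator, no public address, behind NAT ---
/interface wireguard add name=wg-to-a listen-port=13231
/ip address add address=10.255.255.2/30 interface=wg-to-a
# B must know where A is reachable. The keepalive makes B send a packet
# periodically so the NAT mapping stays open and A can reach B even
# when B has no payload traffic of its own.
/interface wireguard peers add interface=wg-to-a \
    public-key="<ROUTER_A_PUBLIC_KEY>" \
    endpoint-address=203.0.113.10 endpoint-port=13231 \
    allowed-address=10.255.255.1/32 persistent-keepalive=25s

# On either router: show the interface's own public key to copy
# into the other side's peer entry.
/interface wireguard print
```

Only the allowed-address ranges listed on each peer are accepted from, and routed to, that peer, so widen them if whole LAN subnets should cross the tunnel.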
@Mehrdadx
A large number of public DNS servers are filtered. It is going to fail at resolving your DDNS record. You could order a public IP for a DVR or something like that.
In fact Router A is a Mikrotik VM (Wireguard VPN server) in France and Router B is a Mikrotik router in Iran. As you know, our internet is completely restricted; only Wireguard and OpenVPN are available.
No, it is going to change. However, you could use a script to get the new one and set it as your site A peer endpoint. What do you want to do with WG? IP Tunnel is better.
Are you Iranian?
If both sides are MTs you should use an IP Tunnel because WG and OVPN are UDP and are being targeted widely right now.
I will try IP tunnel tonight.
Yes, it could be secured with IPsec.
@own3r1138, would you mind a private talk on this? I have some doubts, but I don't want to discuss them here on the forum as I'm sure the guys who are responsible for this whole topic monitor the forum too. If so, viewtopic.php?t=181564#p902082 .
Both sides are Mikrotik? One side is server and one side is client, right? How do you set up the client side?
One side has to have a public IP address.
I have a Wireguard VPN from the office to the warehouse. Warehouse has cable internet with a publicly reachable IP address.
The office is behind Starlink with carrier grade NAT.
Connection has been running for months at this point.
The warehouse is the relay for when we are in the field. Open Wireguard tunnel to warehouse... You can browse right to the office server.
Can you elaborate on attacks against these services?
There is a way, OpenWRT; I must test it on a router.
The only remaining "solution" is SSTP which looks like normal HTTPS traffic, but once they block the destination addresses (all non-Iranian ones), the only way is satellite internet for getting the traffic across the border, and frequently changing Iranian public addresses providing the gateways. And there is only a limited number of public addresses available. Plus SSTP only works on computers, not on mobile phones, limiting the practical usability, but that's no different from GRE and IPIP.
Yeah, that's why I don't say anything about available protocols.
Unless you can run OpenWRT in a container, you'll have to install an OpenWRT x86/64 instead of/next to the CHR.
But I'm quite pessimistic regarding any benefit. The guys whose business is to cut you off seem to be quite flexible (and most likely they monitor this forum too).