See here, did a quite interesting discovery yesterday when toying with AX Lite:
viewtopic.php?p=1012490#p1012490
From the devices I have at home, I could only verify this on AX3 and AX Lite device running 7.11b4.
Not on AX2 ??
Neither on RB5009, Hex, mAP, mAP Lite,...
Looks like they made a wizard for wireguard VPN to home.
Already asked support about it (and obviously some more documentation).
Re: Wireguard Wizard - 7.11b4
Yeah, NO! More people setting up wireguard without a clue of what they actually did or why.
Re: Wireguard Wizard - 7.11b4
This function is not available on the hAP ac3. It would be interesting to test.
Additionally, I would like to have the ability to connect to the router remotely through the cloud since not everyone has the option of having a public IP. I understand that this can be implemented using a VPS, but it's not always convenient.
Additionally, I would like to have the ability to connect to the router remotely through the cloud since not everyone has the option of having a public IP. I understand that this can be implemented using a VPS, but it's not always convenient.
Re: Wireguard Wizard - 7.11b4
You can still do that with your VPN of choice ( but Anav and myself vote wireguard).
Only if using WG, you can for now not use this wizard.
How odd it is present on AX Lite but not AX2 ?
Only if using WG, you can for now not use this wizard.
How odd it is present on AX Lite but not AX2 ?
Re: Wireguard Wizard - 7.11b4
Thank you.
But if you're behind NAT and have a grey IP, then the only way is through a VPS. That's why I'm saying it would be nice to have a cloud feature, like tp-link, for example. Considering the fact that it's not always secure, it should be disabled by default.
But if you're behind NAT and have a grey IP, then the only way is through a VPS. That's why I'm saying it would be nice to have a cloud feature, like tp-link, for example. Considering the fact that it's not always secure, it should be disabled by default.
Re: Wireguard Wizard - 7.11b4
Not quite.
The only thing you need to have, is the ability to forward ports from your ISP router to your device where WG-tunnel will be terminated.
That's how I have my setup at home as well, using DDNS since my IP is dynamic (though in practice I have never seen it change the past years).
CGNAT, that's something else. Then you can only start the tunnel outbound, never inbound.
The only thing you need to have, is the ability to forward ports from your ISP router to your device where WG-tunnel will be terminated.
That's how I have my setup at home as well, using DDNS since my IP is dynamic (though in practice I have never seen it change the past years).
CGNAT, that's something else. Then you can only start the tunnel outbound, never inbound.
Re: Wireguard Wizard - 7.11b4
@ holvoetn
and I could imagine that your line rate never below 75 percent of your service plan? maybe 1:1 subscription?
it's good for you(though in practice I have never seen it change the past years).
and I could imagine that your line rate never below 75 percent of your service plan? maybe 1:1 subscription?
Re: Wireguard Wizard - 7.11b4
Not sure what you mean with 1:1.
I came from 200/20, during the years that was changed to 300/30 and now it is 500/30.
Quite a mismatch between up/down.
For some applications I would prefer to have more upstream, since that would allow me to use my home VPN pivot point a lot more (now it's rather restricted because of the 30-up-limit).
And yes, when testing (stopped doing that some time ago since it was pointless) I rarely saw line rate going below 80-90% of contractual speed.
If it happened, it was usually very temporarily (one measurement, tested every hour).
If it was 0, then there were other issues
I came from 200/20, during the years that was changed to 300/30 and now it is 500/30.
Quite a mismatch between up/down.
For some applications I would prefer to have more upstream, since that would allow me to use my home VPN pivot point a lot more (now it's rather restricted because of the 30-up-limit).
And yes, when testing (stopped doing that some time ago since it was pointless) I rarely saw line rate going below 80-90% of contractual speed.
If it happened, it was usually very temporarily (one measurement, tested every hour).
If it was 0, then there were other issues
Re: Wireguard Wizard - 7.11b4
Here is the first documentation about our new Back to Home VPN service: https://help.mikrotik.com/docs/display/ROS/Back+To+Home
Provides easy VPN to your router, even if behind NAT. Android app is being published today, iPhone app coming this or next week. Main use - take the phone app and enable it. Then use the same phone app to go "back to home" when you are away. Use internet through your home network, to have pihole block ads, or just to change your IP.
Gradual rollout to see what our relays are capable of, to slowly test load.
Supported now:
"L41G-2axD"
"L41G-2axD&FG621-EA"
"C52iG-5HaxD2HaxD-TC"
"C53UiG+5HPaxD2HPaxD"
"S53UG+5HaxD2HaxD-TC&FG621-EA"
"S53UG+5HaxD2HaxD-TC&EG18-EA"
"S53UG+M-5HaxD2HaxD-TC&RG502Q-EA"
"L009UiGS-2HaxD-IN";
Provides easy VPN to your router, even if behind NAT. Android app is being published today, iPhone app coming this or next week. Main use - take the phone app and enable it. Then use the same phone app to go "back to home" when you are away. Use internet through your home network, to have pihole block ads, or just to change your IP.
Gradual rollout to see what our relays are capable of, to slowly test load.
Supported now:
"L41G-2axD"
"L41G-2axD&FG621-EA"
"C52iG-5HaxD2HaxD-TC"
"C53UiG+5HPaxD2HPaxD"
"S53UG+5HaxD2HaxD-TC&FG621-EA"
"S53UG+5HaxD2HaxD-TC&EG18-EA"
"S53UG+M-5HaxD2HaxD-TC&RG502Q-EA"
"L009UiGS-2HaxD-IN";
Re: Wireguard Wizard - 7.11b4
why on the link is not written the supported devices?
Re: Wireguard Wizard - 7.11b4
@ holvoetn
500/30 - 1/6 compression. i think it's above normal for home subscription, don't you think?
ok. back to the topic..
so, is this wg wizard only available on hw platform or bundled with ros releases?
interesting
as dedicated 1 ip 1 user (exact measurements of dhcp pool allocation). and the line being not over crowded/over subscribedNot sure what you mean with 1:1.
500/30 - 1/6 compression. i think it's above normal for home subscription, don't you think?
ok. back to the topic..
so, is this wg wizard only available on hw platform or bundled with ros releases?
interesting
-
-
Valerio5000
Member Candidate
- Posts: 113
- Joined:
Re: Wireguard Wizard - 7.11b4
+100 for MikrotikHere is the first documentation about our new Back to Home VPN service: https://help.mikrotik.com/docs/display/ROS/Back+To+Home
Provides easy VPN to your router, even if behind NAT. Android app is being published today, iPhone app coming this or next week. Main use - take the phone app and enable it. Then use the same phone app to go "back to home" when you are away. Use internet through your home network, to have pihole block ads, or just to change your IP.
Gradual rollout to see what our relays are capable of, to slowly test load.
Supported now:
"L41G-2axD"
"L41G-2axD&FG621-EA"
"C52iG-5HaxD2HaxD-TC"
"C53UiG+5HPaxD2HPaxD"
"S53UG+5HaxD2HaxD-TC&FG621-EA"
"S53UG+5HaxD2HaxD-TC&EG18-EA"
"S53UG+M-5HaxD2HaxD-TC&RG502Q-EA"
"L009UiGS-2HaxD-IN";
Great feature!
I am happy to see that Mikrotik is slowly "embracing" the home user with its excellent products
Keep it up !
Re: Wireguard Wizard - 7.11b4
I am curious how this creates a connection without any modifications at the router end?
a. input chain rule (and this assumes that if there is no public IP on the router, the upstream router has port forwarded the port to the MT)??
Ahh I see this is only useful if you setup the smartphone when in proximity to the MT wifi.
a. input chain rule (and this assumes that if there is no public IP on the router, the upstream router has port forwarded the port to the MT)??
Ahh I see this is only useful if you setup the smartphone when in proximity to the MT wifi.
Re: Wireguard Wizard - 7.11b4
Nah ... you can perfectly set it up without mobile app.Ahh I see this is only useful if you setup the smartphone when in proximity to the MT wifi.
Just did using Winbox, terminal, print QR code on screen using /ip cloud print (and make sure your terminal is zoomed out a lot using CTRL - minus)
Use QR code in Wireguard app on phone and done.
Could have done that perfectly from where ever in the world having access to that device.
Did diff check on AX3 (base setting, only using as AP with VLANs, so no firewall, nada).
2 lines were added:
/interface wireguard
add comment="cloud vpn" listen-port=54272 mtu=1420 name=freevpn-wg \
private-key="<edited>"
and
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes update-time=no
Which is odd ... because in winbox I see the relay IP address being mentioned but it's not in export ?
Or it is once again one of those oddities with export where defaults are not shown.
Hmm ...
Re: Wireguard Wizard - 7.11b4
What I meant is that you have to set it up locally first and cannot magically do it when away for the first time.
But I see some benefits here.
But I see some benefits here.
Re: Wireguard Wizard - 7.11b4
And yet you can ... sort of.
I can set it up, send YOU the QR code and off you go.
Did you touch my router then ? I don't think so. I can even do so from Timbuktu.
My point being: "someone" needs to have access to the device to set it up. That's a fact, true.
But you don't need to be in the same LAN, nor do you need to be next to it.
There can be a zerotier connection or any other VPN (always safe to have a fallback solution, no ? )
The reason for being in the same LAN as the device is only when there is no alternative connection available YET.
But if there is an alternative, the world is your playground for setting it up ...
I can set it up, send YOU the QR code and off you go.
Did you touch my router then ? I don't think so. I can even do so from Timbuktu.
My point being: "someone" needs to have access to the device to set it up. That's a fact, true.
But you don't need to be in the same LAN, nor do you need to be next to it.
There can be a zerotier connection or any other VPN (always safe to have a fallback solution, no ?
)The reason for being in the same LAN as the device is only when there is no alternative connection available YET.
But if there is an alternative, the world is your playground for setting it up ...
Re: Wireguard Wizard - 7.11b4
We have now widened supported device list, ARM/ARM64/TILE are now supported in 7.11beta6. Please test 
Re: Wireguard Wizard - 7.11b4
Well done, Although It would be awesome if Mikrotik could implant the WG Wizard in the main Wireguard section so one could use it for peer config generation like what we have now in OVPN.
Re: Wireguard Wizard - 7.11b4
Correct!
It should be a function available in the main section, and the quickset dummy capability then made available, build the core function first then the quickie way.
It should be a function available in the main section, and the quickset dummy capability then made available, build the core function first then the quickie way.
Re: Wireguard Wizard - 7.11b4
Quick...what ?
Are you promoting quickset now ?
Are you promoting quickset now ?
Re: Wireguard Wizard - 7.11b4
Then WG needs more enties to do that. The external IP-address/domain and the allowed address range to be able to generate such a config file:Well done, Although It would be awesome if Mikrotik could implant the WG Wizard in the main Wireguard section so one could use it for peer config generation like what we have now in OVPN.
Code: Select all
[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820
[Peer]
PublicKey = gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA=
Endpoint = test.wireguard.com:18981
AllowedIPs = 10.10.10.230/32For those who have a fixed public address, then a generator would be welcome.
Re: Wireguard Wizard - 7.11b4
Quickies are for Latvians and Belgians ;-PPQuick...what ?
Are you promoting quickset now ?
Re: Wireguard Wizard - 7.11b4
Worked fine in "direct" mode from an RB1100-Dude.We have now widened supported device list, ARM/ARM64/TILE are now supported in 7.11beta6. Please test
But please say [SM]MIPS[BE] is coming at some point. It is exactly the cases where ZeroTier is not available (e.g. no ZeroTier package on MIPS) where BTH VPN be most useful... e.g. KNOT RBM33G, and, granted older, RB9xx's with LTE where there isn't a great solution for CGNAT LTE upstream.
Re: Wireguard Wizard - 7.11b4
Concur AMMO, speaking my language --> Zerotrust Cloudflare Tunnel in RoS or options package FOR ALL DEVICES!!
Re: Wireguard Wizard - 7.11b4
If they are relaying WG traffic for BTH... A proxy is a proxy. So nothing stopping Mikrotik from adding "more tabs" to /ip/cloud to offer different proxies (e.g. like https which is what cloudflare offers e.g. abcdefg123456.https.mynetname.net)Concur AMMO, speaking my language --> Zerotrust Cloudflare Tunnel in RoS or options package FOR ALL DEVICES!!
Re: Wireguard Wizard - 7.11b4
The DNS record option is well-suited for many users, as well as my situation in which we have a dynamic valid IP address.Then WG needs more entities to do that. The external IP-address/domain and the allowed address range to be able to generate such a config file:
Not everybody knows their public IP address. A dynamic domain is then easier and then we are back with the original APP by MT.
For those who have a fixed public address, then a generator would be welcome.
Perhaps it could be constructed with two tabs. The first tab contains the original functionality. For the second tab, through the use of peer configuration. Moreover, Wireguard and WAN IP addresses could be selected via their interfaces. It should also have an Allowed address list and a DNS server on the road-warrior peer configuration.
Or completely manually with a QR code at the end.
Re: Wireguard Wizard - 7.11b4
Might be missing something but if BTH detects/has status of "reachable directly", <sn>.vpn.mynetname.net resolve to route's IP, not the proxy. And should be able to add a new "static" peer that use the BTH WG interface, but with different allowed addresses.
But now that BTH WG VPN has the QR and client config, that be nice addition to show on a "normal" WG peer. Or have some "Tool" to generate the WG config/QR for based on provided fields.
If you have multiple WAN... one option is to steer IP cloud to using the desired WAN, e.g. force cloud2/cloud.mikrotik.com out a particular WAN via routing-rule/firewall mangle+address-list. That cause the /ip/cloud to use a different WAN, which BTH then also use.
But now that BTH WG VPN has the QR and client config, that be nice addition to show on a "normal" WG peer. Or have some "Tool" to generate the WG config/QR for based on provided fields.
If you have multiple WAN... one option is to steer IP cloud to using the desired WAN, e.g. force cloud2/cloud.mikrotik.com out a particular WAN via routing-rule/firewall mangle+address-list. That cause the /ip/cloud to use a different WAN, which BTH then also use.
Re: Wireguard Wizard - 7.11b4
@own3r1138
When completely manual then there should still be a sanity check applied and also any DNS stated checked, that the returned IP is matching any of the local addresses of that router.
When completely manual then there should still be a sanity check applied and also any DNS stated checked, that the returned IP is matching any of the local addresses of that router.