Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Private Internet Access (PIA) Wireguard with RouterOS

Post Reply
 
chiem
newbie
Topic Author
Posts: 42
Joined: Fri Oct 24, 2014 4:48 pm

Private Internet Access (PIA) Wireguard with RouterOS

Sun Mar 03, 2024 6:42 am

Someone wrote a python script to generate a Wireguard config file using PIA credentials and a chosen region:

https://github.com/hsand/pia-wg

I took that and added some features to it a while ago, along with a new script to send a Wireguard config to RouterOS:

https://github.com/kchiem/pia-wg

NOTE: The Wireguard config to RouterOS script can be used for any vpn, not just PIA.

Usage is documented at the url above, and as mentioned, it's up to you from there on to decide what traffic you want to route through the new interface. Here's an example on how to do split tunneling and only route certain destinations through the vpn:

1. Create an address list for the sites you want to route through the vpn:
Code: Select all
/ip/firewall/address-list/add list=vpn-list address=wtfismyip.com
(add an entry for each destination you want to use the vpn)

2. Mark your connections and packets:

a. mark the connections to the address list above with the connection mark "vpn-connections"
Code: Select all
/ip/firewall/mangle/add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-list=vpn-list new-connection-mark=vpn-connections
b. mark your packets from those connections with the routing mark "vpn-routing"
Code: Select all
/ip/firewall/mangle/add action=mark-routing chain=prerouting connection-mark=vpn-connections in-interface-list=bridge-local new-routing-mark=vpn-routing
3. Route marked packets to the new interface:

a. create a new routing table to use
Code: Select all
/routing/table/add fib name=vpn-table
b. add a route for the routing table above (using the new interface from the example in the url, wg-pia-il)
Code: Select all
/ip/route/add check-gateway=none distance=1 dst-address=0.0.0.0/0 gateway=wg-pia-il routing-table=vpn-table
c. add a rule for packets with a routing mark of "vpn-routing" to use the routing table "vpn-table"
Code: Select all
/routing/rule/add action=lookup routing-mark=vpn-routing table=vpn-table
4. Make sure traffic out of that interface is NAT'ed. I use an interface list to NAT all my WAN ports like:
Code: Select all
/interface/list/add name=WAN
/interface/list/member/add interface=wg-pia-il list=WAN

/ip/firewall/nat/add action=masquerade chain=srcnat out-interface-list=WAN
But you could also do it per-interface:
Code: Select all
/ip/firewall/nat/add action=masquerade chain=srcnat out-interface=wg-pia-il
Now if you point your browser to wtfismyip.com, or run:
Code: Select all
curl http://wtfismyip.com/text
it should return an IP from the VPN.
Top
 
mbach
just joined
Posts: 3
Joined: Mon Jul 29, 2024 11:15 pm

Re: Private Internet Access (PIA) Wireguard with RouterOS

Wed Aug 07, 2024 11:25 pm

Initially, I set up a PIA VPN using your setup, generating the config with the Python script and adding it to route specific traffic through the interface. However, in my instance, I modified the mark command to target traffic from a specific subnet not destined for the LAN address list, which allows all traffic from that subnet to be routed through the VPN:
Code: Select all
/ip/firewall/mangle/add action=mark-connection dst-address-list=!LAN chain=prerouting src-address-list=wireguard-vpn new-connection-mark=vpn-pia-connections connection-mark=no-mark

As an alternative to running a Python script, I created a RouterOS script that can run directly on the router to create and manage the VPN connection: https://github.com/madsbacha/routeros-vpn

This script also regenerates the WireGuard config when the PIA connection is reset, allowing you to easily obtain a new configuration without manual intervention.
Top
Post Reply
  4. RouterOS
  5. Beginner Basics