Tag Archives: vpn

Configure MikroTik Router as WireGuard VPN Appliance

Posted on by
Reply

You may need to upgrade your MikroTik if the WireGuard options are not available.

Quick overview of setting up a MikroTik Router as a VPN appliance.

  1. Configure WireGuard Interface on MikroTik Router
    1. Copy interface public key
    2. Add IP address on WireGuard interface
  2. Create WireGuard client config
    1. Use above interface public key
    2. Copy the client Public Key
  3. Create a WireGuard Peer on the MikroTik Router
    1. Use client Public Key
    2. Assign proper IP address

Configure WireGuard on Router

First we need to create a WireGuard interface to use.

/interface/wireguard add listen-port=51820 mtu=1420 name=wireguard1

We’ll need to copy the public key, shown in the following command, for use in the client config.

/interfaces/wireguard print

Next we’ll configure an IP address/range for the new WireGuard interface. 

/ip/address add address=192.168.1.1/24 network=192.168.1.0 interface=wireguard1

Configure WireGuard Client

Download and install the WireGuard application on your computer or phone.

Create an empty config (Ctrl +N), click edit, add the following. 

Address = 192.168.1.2/24
DNS = 9.9.9.9

[Peer]
PublicKey = ReplaceWithInterfacePublicKeyFromMikrotik
AllowedIPs = 0.0.0.0/0
Endpoint = endpointip:51820

Here is a screenshot as an example. We need to copy the public key. We’ll use that when we create the peer.

Configure WireGuard Client

Create WireGuard Peer

Now lets create a peer. Back on the MikroTik, run the following command. Change the allowed address and public key.

/interface/wireguard/peers add allowed-address=192.128.1.2/32 interface=wireguard1 public-key="PublicKeyFromClientCreatedInNextStep"

Note that the 192.168.1.2/32 is important. If you have multiple clients connected and one of them is setup with a /24 instead of a /32, it will cause issues. I think this is because WireGuard tries to route the whole /24 over that peer.

Also note that you can not use DHCP with WireGuard. Each client will have a static IP address assigned in the config. In this example, 192.168.1.2.

You should now be all set up and able to connect from your device.

Troubleshooting

Some issues you may run into.

Unable to have two devices connected at the same time.

First, you’ll need to have one Peer per Client connection. Either that, or do not connect at the same time.

Second, check and verify that each peer has the ClientIP/32 in the Allowed Address.

For example, if the WireGuard interface is using 192.168.1.0/24, and one of the peers has 192.168.1.4/24 in the Allowed Address option, then only one client will work. It appears that the MikroTik will attempt to route all 192.168.1.0/24 request to 192.168.1.4.

How To setup a L2TP vpn in Mikrotik

Posted on by
Reply

Open up PPP and select L2TP Server. Set it to Enabled, set IPsec to yes, and set the IPsec secret.

Add L2TP Server

Next go to PPP -> Profiles and modify the default-encryption one. You can setup an IP Pool to use for the VPN clients when they connect.

Setup Profiles

Next go to the PPP -> Secrets and configure the user to connect.

Setup User

Setup your VPN client and connect.

OpenVPN on Mikrotik Router

Posted on by
Reply

Create Certificate

Can look here to set a certificate up in Winbox
or here to configure from command line

Enable OpenVPN server

To setup a OpenVPN server on a router there are a few things that need to be done.

  1. Create certificates (See top of post)
  2. Create IP pool for clients to use
  3. Configure default-encryption profile
  4. Create User
  5. Configure OpenVPN server

Create IP Pool

Create an IP pool that clients can pull and address from when they connect

Setup VPN IP pool

Modify Profiles

Modify the default-encryptoin Profile and specify the VPN IP pool.

Specify IP pool in profile

Create User

Create new user, specify the default-encryptio profile

Create VPN user

Turn OVPN Server on

Enable the OVPN server. Specify the “Default Profile:” to be the default-encyption, specify the certificate to be the server-template, or whatever the name is of the certificate you created.

Enable OpenVPN server