Quick overview of setting up a MikroTik Router as a VPN appliance.<\/p>\n\n\n\n
- Configure WireGuard Interface on MikroTik Router
- Copy interface public key<\/li>
- Add IP address on WireGuard interface<\/li><\/ol><\/li>
- Create WireGuard client config
- Use above interface public key<\/li>
- Copy the client Public Key<\/li><\/ol><\/li>
- Create a WireGuard Peer on the MikroTik Router
- Use client Public Key<\/li>
- Assign proper IP address<\/li><\/ol><\/li><\/ol>\n\n\n\n
<\/p>\n\n\n\n
Configure WireGuard on Router<\/h2>\n\n\n\n
First we need to create a WireGuard interface to use.<\/p>\n\n\n\n
\/interface\/wireguard add listen-port=51820 mtu=1420 name=wireguard1<\/pre>\n\n\n\n
We’ll need to copy the public key, shown in the following command, for use in the client config.<\/p>\n\n\n\n
\/interfaces\/wireguard print<\/pre>\n\n\n\n
Next we’ll configure an IP address\/range for the new WireGuard interface. <\/p>\n\n\n\n
\/ip\/address add address=192.168.1.1\/24 network=192.168.1.0 interface=wireguard1<\/pre>\n\n\n\n
Configure WireGuard Client<\/h2>\n\n\n\n
Download and install the WireGuard application on your computer or phone.<\/p>\n\n\n\n
Create an empty config (Ctrl +N), click edit, add the following. <\/p>\n\n\n\n
Address = 192.168.1.2\/24\nDNS = 9.9.9.9\n\n[Peer]\nPublicKey = ReplaceWithInterfacePublicKeyFromMikrotik\nAllowedIPs = 0.0.0.0\/0\nEndpoint = endpointip:51820<\/pre>\n\n\n\n
Here is a screenshot as an example. We need to copy the public key. We’ll use that when we create the peer.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2022\/07\/image-1.png\")
<\/a>Configure WireGuard Client<\/figcaption><\/figure>\n\n\n\n <\/p>\n\n\n\n
Create WireGuard Peer<\/h2>\n\n\n\n
Now lets create a peer. Back on the MikroTik, run the following command. Change the allowed address and public key.<\/p>\n\n\n\n
\/interface\/wireguard\/peers add allowed-address=192.128.1.2\/32 interface=wireguard1 public-key=\"PublicKeyFromClientCreatedInNextStep\"<\/pre>\n\n\n\n
Note that the 192.168.1.2\/32 is important. If you have multiple clients connected and one of them is setup with a \/24 instead of a \/32, it will cause issues. I think this is because WireGuard tries to route the whole \/24 over that peer.<\/p>\n\n\n\n
Also note that you can not use DHCP with WireGuard. Each client will have a static IP address assigned in the config. In this example, 192.168.1.2.<\/p>\n\n\n\n
<\/p>\n\n\n\n
You should now be all set up and able to connect from your device.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Troubleshooting<\/h2>\n\n\n\n
Some issues you may run into.<\/p>\n\n\n\n
Unable to have two devices connected at the same time.<\/strong><\/p>\n\n\n\n
First, you’ll need to have one Peer per Client connection. Either that, or do not connect at the same time.<\/p>\n\n\n\n
Second, check and verify that each peer has the ClientIP\/32 in the Allowed Address. <\/p>\n\n\n\n
For example, if the WireGuard interface is using 192.168.1.0\/24, and one of the peers has 192.168.1.4\/24 in the Allowed Address option, then only one client will work. It appears that the MikroTik will attempt to route all 192.168.1.0\/24 request to 192.168.1.4.<\/p>\n","protected":false},"excerpt":{"rendered":"
You may need to upgrade your MikroTik if the WireGuard options are not available. Quick overview of setting up a MikroTik Router as a VPN appliance. Configure WireGuard Interface on MikroTik Router Copy interface public key Add IP address on … Continue reading