Line 1,242: |
| | | |
| *You can run it again to add/remove users or completely uninstall WireGuard | | *You can run it again to add/remove users or completely uninstall WireGuard |
| + | |
| + | === Mikrotik Road Warrior Config === |
| + | From: https://forum.mikrotik.com/viewtopic.php?t=174417# |
| + | |
| + | ==== Network topology ==== |
| + | The network used in this examples is 192.168.66.0/24. A Mikrotik device will be the server and client can be any device running the Wireguard software. |
| + | {| class="wikitable" style="text-align: center; width: 35%" |
| + | ! System |
| + | ! IP Address |
| + | |- |
| + | | Wireguard server |
| + | | 192.168.66.1 |
| + | |- |
| + | | Wireguard client(s) |
| + | | 192.168.66.[2-254] |
| + | |} |
| + | |
| + | ==== Mikrotik Configuration ==== |
| + | <syntaxhighlight lang="text"> |
| + | # a private and public key will be automatically generated when adding the wireguard interface |
| + | /interface wireguard |
| + | add listen-port=13231 mtu=1420 name=wireguard1 |
| + | |
| + | /interface wireguard peers |
| + | # the first client added here is ipv4 only |
| + | add allowed-address=192.168.66.2/32 interface=wireguard1 public-key="*** replace-with-public-key-of-first-client ***" |
| + | # this client is dual stack - public IPv6 should be used - replace 2001:db8:cafe:beef: with one of your /64 prefixes. |
| + | add allowed-address=192.168.66.3/32,2001:db8:cafe:beef::3/128 interface=wireguard1 public-key="*** replace-with-public-key-of-second-client-dual-stack ***" |
| + | |
| + | /ip address |
| + | add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0 |
| + | |
| + | /ipv6 address |
| + | add address=2001:db8:cafe:beef::1/64 interface=wireguard1 |
| + | </syntaxhighlight> |
| + | |
| + | ==== Client configuration ==== |
| + | <syntaxhighlight lang="text"> |
| + | Interface: (whatever name you want to specify) |
| + | Public key: the client should automatically generate this - add this to the server above replacing "replace-with-public-key-of-second-client-dual-stack" |
| + | Addresses: 192.168.66.3/24,2001:db8:cafe:beef::3/64 (note these are different subnet masks than in the server config) |
| + | DNS servers: as desired - if you want to use the wireguard server for dns, specify 192.168.66.1 |
| + | |
| + | Peer: |
| + | Public key - get the public key from the wireguard interface on the Mikrotik device and place here |
| + | Endpoint - mydyndns.whatever:13231 |
| + | Allowed IPs: 0.0.0.0/0, ::/0 |
| + | </syntaxhighlight> |
| + | |
| + | This client configuration will result in all traffic being forwarded via the Mikrotik Wireguard server. You will need to ensure: |
| + | *Create an input chain firewall rule to allow UDP traffic in on port 13231 |
| + | <syntaxhighlight lang="text"> |
| + | /ip firewall filter add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp |
| + | </syntaxhighlight> |
| + | *Ensure the Mikrotik firewall is allowing traffic from 192.168.66.0/24 and that you are NATing this traffic. If your device is based off the default Mikrotik config and using the LAN interface list, you can add the Wireguard interface to this list to allow traffic through and NATing it as it leaves your network. Otherwise, you will need to modify your configuration accordingly. |
| + | |
| + | ==== Get/Set Wireguard Peers ==== |
| + | *Get Mikrotik Wireguard peers list |
| + | <syntaxhighlight lang="text"> |
| + | /interface wireguard peers print |
| + | </syntaxhighlight> |
| + | |
| + | *Set Mikrotik Wireguard peers list |
| + | <syntaxhighlight lang="text"> |
| + | /interface wireguard peers set <ID> allowed-addresses=whatever,whateverelse |
| + | </syntaxhighlight> |
| | | |
| == VPNC == | | == VPNC == |
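Review bot: the accept rule added under "Create an input chain firewall rule" ("/ip firewall filter add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp") is appended to the end of the input chain, so on a router built from the default RouterOS configuration (which this same paragraph tells readers to keep) it lands after the "drop all not coming from LAN" rule and WireGuard handshakes arriving on the WAN never reach it; the rule needs to be placed ahead of that drop (for example with "place-before=" pointing at the drop rule, or by moving it up in the rule list) and the text should say so. Second, the "Set Mikrotik Wireguard peers list" example uses "allowed-addresses=whatever,whateverelse" while the peer definitions above use "allowed-address=..."; the RouterOS property is "allowed-address", so the set command as written does not work. Third, the dual-stack peer gets a globally routable address (2001:db8:cafe:beef::3/128) and the client routes "::/0" through the tunnel, and unlike the IPv4 side there is no NAT in front of it; the "You will need to ensure" list should add that the IPv6 forward chain must drop unsolicited WAN traffic to wireguard1, since adding the interface to the LAN interface list only covers that if the IPv6 firewall also keys on that list. Minor wording: "this examples" should be "this example", "client can be any device" should be "clients can be any device", and "based off the default Mikrotik config" should be "based on the default Mikrotik config".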