
Your own VPN with Mikrotik + Wireguard


In this article we will cover setting up a VPN with WireGuard for those who already have a MikroTik. RouterOS 7+ includes a WireGuard module, and it’s quite easy to set up.

Requirements

  • Basic networking knowledge

  • Mikrotik Router with RouterOS 7+

  • Access to your ISP Router (Optional)

Understand your network

Why am I saying this? Because things change depending on the state of your network. In my case I have the ISP router and the MikroTik one, and since I’m not doing a bridge, I have two networks at home. I don’t use one of them (the ISP one), but I have to port forward from it into the MikroTik when I want to expose things to the internet.

So what about your case? If you are using your MikroTik with the ISP router in a bridge configuration, you can probably skip the port forwarding, since you manage everything from the MikroTik and the ISP router only provides internet and otherwise becomes a brick.

As for hardware itself I’m using

Prepare your router/s

If everything is already plugged in the way you want, go ahead and access each of them, at least for the first time. In case you want a bridge configuration, I’m not covering that topic here :)

ISP Router

Mikrotik

If your RouterOS version is below 7, we are going to need an update.

In case you need to update it, go into System > Packages and there you go. It may be necessary to use the Testing channel if your device is really old.

Configure your WireGuard server

This section is quite simple: if we already have RouterOS 7, a WireGuard section should be there.

Once we click it we can configure our server; the only two fields that require a change are these:

Name can be anything. For the port, make sure it is a free one, preferably from the 10-60k range, and save it for later; we are going to use it in our approach with 2 networks. The private key is auto generated, so don’t worry.

This creates a new interface which we are going to use in our Address List in the next section.

Configure your address list

To do so, go to IP > Address and click New. From there select a range and the interface that was generated when we created the WireGuard server before.

Once this is complete, it will also add an entry in the routing table, located at IP > Routes.

In case you want to read more about routing, here are the docs https://help.mikrotik.com/docs/spaces/ROS/pages/328084/IP+Routing, and here is a nice video about it https://www.youtube.com/watch?v=8qtKpZGoNdI

Configure your firewall

To get to this section, click IP > Firewall.

Now, for the firewall we need a few things depending on what we want to achieve. Here I’m going to show a quick, simple example that forwards the traffic from the range we created before and also allows it into our entire network.

The rule needed for this particular configuration (one to accept everything coming from the range we created):

Accept - Input - Src. Address

Here we are saying: accept all traffic coming from 192.168.178.0/24 into any dst address, protocol, port, etc.

Make sure this rule is ABOVE any other drop rule, or else your packets will be dropped. In the next section we are going to see how to create a peer and connect to this network from outside our LAN.

Port forwarding

Before creating our peer we are probably going to need a port forward here :)

Log in to your ISP router and create a rule to forward the port WireGuard is listening on (in this tutorial we are using 13231). For the protocol, TCP should be enough, but I’ll enable both of them just in case.

Forward that to the IP address of your MikroTik, using the IP the ISP router assigned to it. With this we are saying: hey, handle requests coming to my public IP on this port by sending them to this IP.

Create your first peer

Create the tunnel in Wireguard Android App

For this example I’m going to use my phone → https://play.google.com/store/apps/details?id=com.wireguard.android&hl=en-US

Once inside, choose to create a new tunnel from scratch. After that we choose a name, type the address we decided on before, and point to our DNS server (if there is any private resolution; else just use 1.1.1.1 or 8.8.8.8).

From here we are going to COPY THE PUBLIC KEY and use it in the WireGuard peer in MikroTik.

Configure the Peer in Mikrotik

Now it’s time to sync things on the MikroTik side: go into Wireguard > Peers and create a new one.

Here we need to use the public key we generated and copied in the previous step (in my case it is iv39qZIHpWuGDNfSdt8TzMUzKtY8XEaTOH1fxh3alAA=). For the private key let’s use none for now, and in allowed address let’s type one, for example 192.168.178.3/32. With this we should be fine for this part.

Now back in the Android app, edit the tunnel we created before to add a peer. For the public key we need to use the one from the WireGuard instance we created earlier (the one from the picture below).

For the Endpoint we need our public IP (https://whatismyipaddress.com/) + the listen port we set when we created the WireGuard instance (13231 in the picture above), so it’s going to be something like <IP>:<PORT>. For allowed IPs, for now let’s use 0.0.0.0/0.

The end result should look like this in Android →

Tunnel

  • Name (Anything)

  • Public Key (Auto generated here and copied into mikrotik peer)

  • Address (the one we are going to live on)

  • DNS Server (private one or 1.1.1.1)

Peer

  • Public Key (The one from the wireguard instance in mikrotik)

  • Allowed Ips (0.0.0.0/0)

  • Endpoint (<PUBLIC_IP>:<PORT>)
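The same server-side steps (WireGuard instance, address, firewall rule, peer) and the matching values for the phone, as an added example that is not part of the article: RouterOS 7 CLI commands equivalent to the clicks above. The interface name wg-home, the router address 192.168.178.1/24, the UDP handshake rule and the extra in-interface match are my assumptions and additions, not the author's.

```routeros
# Added example, not from the article: the GUI steps as RouterOS 7 CLI commands
# (Terminal / WinBox New Terminal). Values follow the article; wg-home and
# 192.168.178.1/24 are assumptions. Replace <PHONE_PUBLIC_KEY> with the key
# copied from the phone app.

# 1. WireGuard instance. The private key is generated on add; the listen port
#    is the one the ISP router forwards (WireGuard speaks UDP only).
/interface/wireguard/add name=wg-home listen-port=13231 comment="home vpn"

# 2. Router address inside the tunnel range. This also creates the connected
#    route you see under IP > Routes.
/ip/address/add address=192.168.178.1/24 interface=wg-home

# 3. Firewall, input chain, placed before any drop rule (place-before=0 puts
#    the rule at the top of the list).
#    First rule: let the handshake from the internet reach the router itself.
#    Second rule: the article's "accept src-address" rule, additionally tied to
#    in-interface=wg-home so a packet arriving on the WAN with a spoofed
#    192.168.178.x source address does not match it.
/ip/firewall/filter/add chain=input action=accept protocol=udp dst-port=13231 comment="wireguard handshake" place-before=0
/ip/firewall/filter/add chain=input action=accept in-interface=wg-home src-address=192.168.178.0/24 comment="from vpn" place-before=0
#    If your forward chain ends in a drop rule, the same in-interface/src-address
#    match is needed there too for VPN clients to reach LAN hosts.

# 4. The phone as a peer: its public key and the single /32 it may use.
/interface/wireguard/peers/add interface=wg-home public-key="<PHONE_PUBLIC_KEY>" allowed-address=192.168.178.3/32 comment="phone"

# 5. Show the router's public key; it goes into the phone's Peer section,
#    together with Endpoint=<PUBLIC_IP>:13231 and AllowedIPs=0.0.0.0/0.
/interface/wireguard/print detail
```

The phone's Tunnel section mirrors step 4: its Address is 192.168.178.3/32 and its public key is the one passed as public-key there.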

There we go, now we can enable it and navigate our network :). If done correctly, up until now we should see some traffic going on.

Here our device shows activity and also mentions that we are connected via WireGuard.

Access your network

At this point, with the WireGuard client enabled, we should be able to access our private network.

It may not be obvious to you, but this resource is clearly internal and works only on my network, so with this I’m able to connect and handle things if there is an emergency :)

Conclusion

WireGuard can be “easy” to set up and use (if you have a clearer understanding of what you are doing, unlike me). I highly recommend it!! :)