Wireguard on Mikrotik RouterOS 7 (and an Ubuntu Client Setup)

With an upgrade to Mikrotuk RouterOS 7.2, my OpenVPN setup started showing signs of distress in the form of a connection loss every hour or so. Instead of downgrading to the previously good version, I decided to abandon OpenVPN altogether. I figured it was about time to get Wireguard going.

As with OpenVPN setup, I will show all steps assuming you're comfortable with both RouterOS and Ubuntu command line. And yes, an Ubuntu setup will work pretty much for any other linux with just a few minot changes.

First we need to create a Wireguard interface on the Mikrotik router. Here make a note of the "SERVER-PUBLIC" key. You will need it later.

RouterOS
/interface wireguard
add listen-port=51820 name=wireguard1
print
Flags: X - disabled; R - running
0 R name="wireguard1" listen-port=51820 private-key="SERVER-PRIVATE" public-key="SERVER-PUBLIC"

With the interface created, we need to add IP address for it. In my case, I choose 192.168.2.1 in a completely separate 192.168.2.0/24 subnet for this purpose.

RouterOS
/ip address
add address=192.168.2.1/24 network=192.168.2.0 interface=wireguard1

Finally, assuming you have a firewall sorted out, we need to add two rules - one for Wireguard itself and another one to allow communication with other nodes connected to the same router. I will add both of them at the very beginning but you should adjust their location to fit with your setup.

RouterOS
/ip firewall filter
add chain=input protocol=udp dst-port=51820 action=accept place-before=0
add chain=forward in-interface=wireguard1 action=accept place-before=1

To allow Wireguard clients access to Internet, we also need to do some masquerade (assuming ether1 is your Internet interface).

RouterOS
/ip firewall nat
chain=srcnat src-address=192.168.2.0/24 out-interface=ether1 action=masquerade

Now we need to get onto Ubuntu client and set wireguard there. The first step is, of course, to install some packages.

Terminal
sudo apt update
sudo apt install --yes wireguard

Before anything else, we need a private and public key created. I like to get them both into variables instead of the files. Yes, it's not as secure but for a single-user computer it's good enough. Do make note of client's public key as we'll need it soon.

Terminal
WG_PRIVATE_KEY=`wg genkey`
WG_PUBLIC_KEY=`echo $WG_PRIVATE_KEY | wg pubkey`
echo $WG_PUBLIC_KEY
CLIENT-PUBLIC

Now we need to create a Wireguard configuration file. Make sure to replace "SERVER-PUBLIC" with whatever public key you generated on server (not client!) and for endpoint make sure you give IP (or DNS name) of your router.

Terminal
cat << EOF | sudo tee /etc/wireguard/wg0.conf
[Interface]
PrivateKey = $WG_PRIVATE_KEY
Address = 192.168.2.20/24

[Peer]
PublicKey = SERVER-PUBLIC
Endpoint = 192.168.0.1:51820
AllowedIPs = 0.0.0.0/0
EOF

Once we have the config file ready, we need to get back to RouterOS and add our client as a peer using its public key. Note that this "CLIENT-PUBLIC" is a public key we got in Ubuntu just a few moments ago.

RouterOS
/interface wireguard peers
add interface=wireguard1 allowed-address=192.168.2.20/24 public-key="CLIENT-PUBLIC"

If everything went fine, you should have VPN properly configured. The easiest way of checking it is to simply bring interface up and check the route. It should show us using Wireguard interface (and IP) with pings flowing freely.

Terminal
sudo wg-quick up wg0

ip route get 1.1.1.1
1.1.1.1 dev wg0 table 51820 src 192.168.2.20 uid 1000

ping 1.1.1.1

If we want this connection to be up every time we boot the system, we can enable it as a service

Terminal
sudo systemctl enable wg-quick@wg0.service

And that's all folks.

7 thoughts to “Wireguard on Mikrotik RouterOS 7 (and an Ubuntu Client Setup)”

  1. Hi, thanks for all.

    One thing.

    in the sction at the end, you use:
    sudo wg-quick up wg0

    But in the section above you create /etc/wireguard/wg1.conf (with the 1 instead of 0)

    Really helpfull your post. Thanks!!

  2. A little correction, useful if you want to connect more wireguard clients (peers) : In the client config, don’t set the wireguard interface IP address to cover the whole network (that’s the /24 in the example’s Address = 192.168.2.20/24), but to only cover the single host (so that would change to Address = 192.168.2.20/32). Same goes for allowed-address= on routeros side).

    With the setup as described in the post, it works perfectly for a single client. What happens when the client connects: routeros starts to send all traffic for 192.168.2.0/24 over that connection. Now, if a second client connects, no traffic from the routeros side will reach it, as it is too in the 192.168.2.0/24 network – and all that traffic goes to the first client.

Leave a Reply

Your email address will not be published. Required fields are marked *