With an upgrade to Mikrotuk RouterOS 7.2, my OpenVPN setup started showing signs of distress in the form of a connection loss every hour or so. Instead of downgrading to the previously good version, I decided to abandon OpenVPN altogether. I figured it was about time to get Wireguard going.
As with OpenVPN setup, I will show all steps assuming you're comfortable with both RouterOS and Ubuntu command line. And yes, an Ubuntu setup will work pretty much for any other linux with just a few minot changes.
First we need to create a Wireguard interface on the Mikrotik router. Here make a note of the "
SERVER-PUBLIC" key. You will need it later.
add listen-port=51820 name=wireguard1
Flags: X - disabled; R - running
0 R name="wireguard1" listen-port=51820 private-key="SERVER-PRIVATE" public-key="SERVER-PUBLIC"
With the interface created, we need to add IP address for it. In my case, I choose
192.168.2.1 in a completely separate
192.168.2.0/24 subnet for this purpose.
add address=192.168.2.1/24 network=192.168.2.0 interface=wireguard1
Finally, assuming you have a firewall sorted out, we need to add two rules - one for Wireguard itself and another one to allow communication with other nodes connected to the same router. I will add both of them at the very beginning but you should adjust their location to fit with your setup.
/ip firewall filter
add chain=input protocol=udp dst-port=51820 action=accept place-before=0
add chain=forward in-interface=wireguard1 action=accept place-before=1
To allow Wireguard clients access to Internet, we also need to do some masquerade (assuming
ether1 is your Internet interface).
/ip firewall nat
chain=srcnat src-address=192.168.2.0/24 out-interface=ether1 action=masquerade
Now we need to get onto Ubuntu client and set wireguard there. The first step is, of course, to install some packages.
sudo apt update
sudo apt install --yes wireguard
Before anything else, we need a private and public key created. I like to get them both into variables instead of the files. Yes, it's not as secure but for a single-user computer it's good enough. Do make note of client's public key as we'll need it soon.
WG_PUBLIC_KEY=`echo $WG_PRIVATE_KEY | wg pubkey`
Now we need to create a Wireguard configuration file. Make sure to replace "
SERVER-PUBLIC" with whatever public key you generated on server (not client!) and for endpoint make sure you give IP (or DNS name) of your router.
cat << EOF | sudo tee /etc/wireguard/wg0.conf
PrivateKey = $WG_PRIVATE_KEY
Address = 192.168.2.20/24
PublicKey = SERVER-PUBLIC
Endpoint = 192.168.0.1:51820
AllowedIPs = 0.0.0.0/0
Once we have the config file ready, we need to get back to RouterOS and add our client as a peer using its public key. Note that this "CLIENT-PUBLIC" is a public key we got in Ubuntu just a few moments ago.
/interface wireguard peers
add interface=wireguard1 allowed-address=192.168.2.20/24 public-key="CLIENT-PUBLIC"
If everything went fine, you should have VPN properly configured. The easiest way of checking it is to simply bring interface up and check the route. It should show us using Wireguard interface (and IP) with pings flowing freely.
sudo wg-quick up wg0
ip route get 220.127.116.11
18.104.22.168 dev wg0 table 51820 src 192.168.2.20 uid 1000
If we want this connection to be up every time we boot the system, we can enable it as a service
sudo systemctl enable email@example.com
And that's all folks.