← HomepageQueztaz/Mikrotik Creating a Client to Site VPN With Wireguard

Mikrotik Creating a Client to Site VPN With Wireguard

Mikrotik Creating a Client to Site VPN With Wireguard

Preamble

Directions for setting up a Wireguard client-to-site server on a Mikrotik. This is done using the command line from SSH or Winbox.

Server Configuration

Create Wireguard interface

Add a new wireguard interface and give it the name "Wireguard1" The listening port is set to the default port number that the wireguard devs intended. The MTU value is default to what Mikrotik auto-fills

/interface/wireguard/add listen-port=51820 mtu=1420 name=wireguard1

Copy the server PUB and PRIV key

Now let's print out the servers private and public keys. This will be used when creating the client configuration files.

/interface/wireguard/print

=====OUTPUT=====
name="wireguard1" mtu=1420 listen-port=51820 private-key="AUTO-GENERATED-PRIV-KEY" public-key="AUTO-GENERATED-PUB-KEY"

We have our Wireguard interface setup. Next we have to bind the interface to an IP address. The subnet for the interface should be new and unique. I set mine to 192.168.150.

/ip/address/add address=192.168.150.1/24 interface=wireguard1 network=192.168.150.0

Allow Wireguard traffic through the Mikrotiks firewall.

/ip/firewall/filter/add action=accept chain=input dst-port=51820 protocol=udp

Optional: Move firewall to first index

I had some other custom firewall rules I didn't want to conflict with Wireguard. This next step is completely optional, but I'm going to move my Wireguard rule to INDEX 1 of the filter chain.

/ip/firewall/filter/print

[...]
16    chain=input action=accept protocol=udp dst-port=5182

/ip/firewall/filter/move 16 destination=1

Client Setup

Message from the future

Apologies for only including a powershell script on creating the configuration file.

Generating Client Config

Create a PowerShell script with the following content

Param(
   [Parameter(Mandatory=$true)] [string]$ServerIP,
   [Parameter(Mandatory=$true)] [string]$ServerPubkey,
   [Parameter(Mandatory=$true)] [string]$ServerPort,
   [Parameter(Mandatory=$true)] [string]$DnsServers,
   [Parameter(Mandatory=$true)] [string]$ClientIP
)

# Generate a private key
& 'C:\Program Files\WireGuard\wg.exe' genkey | Out-File $env:temp\privatekey.txt
$privkey=Get-Content $env:temp\privatekey.txt

# Generate the pubkey from the privkey
$pubkey=$privkey | & 'C:\Program Files\WireGuard\wg.exe' pubkey

$config = @"
[Interface]
PrivateKey = $privkey
Address = $ClientIP
DNS = $DnsServers

[Peer]
PublicKey = $ServerPubkey
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Endpoint = $ServerIP`:$ServerPort
PersistentKeepalive = 15
"@

$config
"`n`nClient Public Key: $pubkey
`n`n`nClient Private Key: $privkey
`n`n`nMikrotik Command to add new peer:`n

interface/wireguard/peers/add allowed-address=$ClientIP,10.10.10.0/24 interface=wireguard1 public-key=`"$pubkey`"
`n

Execute the script

Set-ExecutionPolicy RemoteSigned -Scope Process
.\wireguard_generate_client_conf.ps1

cmdlet wireguard_generate_client_conf.ps1 at command pipeline position 1
Supply values for the following parameters:
ServerIP: unixfandom.com
ServerPubkey: t3nasldfjasdlfjasldfjs9ui+7tnTkwHmQs=
ServerPort: 51820
DnsServers: 1.1.1.1
ClientIP: 192.168.150.101
[Interface]
PrivateKey = kJalkdjadsfVnlsakdjflasjfzlkxcxljsb9=
Address = 192.168.150.101
DNS = 1.1.1.1

[Peer]
PublicKey = r3alsdfjalcoaio2oiasdjfaldskfjl=
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Endpoint = unixfandom.com:51820
PersistentKeepalive = 15


Client Public Key: 2asdlfjasljcl31jas=



Client Private Key: asldkjacj02askfjlsf=



Mikrotik Command to add new peer:

interface/wireguard/peers/add allowed-address=192.168.150.101,YOUR_INTERNAL_IP/24 interface=wireguard1 public-key="r3alsdfjalcoaio2oiasdjfaldskfjl="

Copy the [Interface] and [Peer] blocks into a wireguard.conf file on your desktop. That will be used by your wireguard client.

After that, copy and paste the Mikrotik command outputted by the script. Replace YOUR_INTERNAL_IP with the IP Range for your location – Not the IP range of the wireguard interface

After you paste that command, you should be able to see your peer on the Mikrotik. Once you use your wireguard client with the wireguard.conf file, you'll also be able to see the recieve and transmit data in the WinBox Wireguard GUI screen.

/interface/wireguard/peers/print detail

Flags: X - disabled
 0   interface=wireguard1 public-key="r3alsdfjalcoaio2oiasdjfaldskfjl=" endpoint-address="" endpoint-port=0 current-endpoint-address=192.168.81.200 current-endpoint-port=65342
     allowed-address=192.168.150.101/32,192.168.81.0/24 rx=1296 tx=368 last-handshake=10s