Mikrotik Creating a Client to Site Vpn With Wireguard
Server Setup
Let's add a new wireguard interface and give it the name "Wireguard1" The listening port is set to the default port number that the wireguard devs intended. The MTU value is default to what Mikrotik auto-fills
/interface/wireguard/add listen-port=51820 mtu=1420 name=wireguard1
Now let's print out the servers private and public keys. This will be used when creating the client configuration files.
/interface/wireguard/print
=====OUTPUT=====
name="wireguard1" mtu=1420 listen-port=51820 private-key="AUTO-GENERATED-PRIV-KEY" public-key="AUTO-GENERATED-PUB-KEY"
We have our Wireguard interface setup. Next we have to bind the interface to an IP address. The subnet for the interface should be new and unique. I set mine to 192.168.150.
/ip/address/add address=192.168.150.1/24 interface=wireguard1 network=192.168.150.0
Now let's allow Wireguard traffic through the Mikrotiks firewall.
/ip/firewall/filter/add action=accept chain=input dst-port=51820 protocol=udp
I had some other custom firewall rules I didn't want to conflict with Wireguard. This next step is completley optional, but I'm going to move my Wireguard rule to INDEX 1 of the filter chain.
/ip/firewall/filter/print
[...]
16 chain=input action=accept protocol=udp dst-port=5182
/ip/firewall/filter/move 16 destination=1
Client Setup
Download and install the Wireguard Client Program. I'd recommend using this powershell script afterward to quickly generate your config file.
Param(
[Parameter(Mandatory=$true)] [string]$ServerIP,
[Parameter(Mandatory=$true)] [string]$ServerPubkey,
[Parameter(Mandatory=$true)] [string]$ServerPort,
[Parameter(Mandatory=$true)] [string]$DnsServers,
[Parameter(Mandatory=$true)] [string]$ClientIP
)
# Generate a private key
& 'C:\Program Files\WireGuard\wg.exe' genkey | Out-File $env:temp\privatekey.txt
$privkey=Get-Content $env:temp\privatekey.txt
# Generate the pubkey from the privkey
$pubkey=$privkey | & 'C:\Program Files\WireGuard\wg.exe' pubkey
$config = @"
[Interface]
PrivateKey = $privkey
Address = $ClientIP
DNS = $DnsServers
[Peer]
PublicKey = $ServerPubkey
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Endpoint = $ServerIP`:$ServerPort
PersistentKeepalive = 15
"@
$config
"`n`nClient Public Key: $pubkey
`n`n`nClient Private Key: $privkey
`n`n`nMikrotik Command to add new peer:`n
interface/wireguard/peers/add allowed-address=$ClientIP,10.10.10.0/24 interface=wireguard1 public-key=`"$pubkey`"
`n
Here's how to execute the script.
Set-ExecutionPolicy RemoteSigned -Scope Process
.\wireguard_generate_client_conf.ps1
cmdlet wireguard_generate_client_conf.ps1 at command pipeline position 1
Supply values for the following parameters:
ServerIP: unixfandom.com
ServerPubkey: t3nasldfjasdlfjasldfjs9ui+7tnTkwHmQs=
ServerPort: 51820
DnsServers: 1.1.1.1
ClientIP: 192.168.150.101
[Interface]
PrivateKey = kJalkdjadsfVnlsakdjflasjfzlkxcxljsb9=
Address = 192.168.150.101
DNS = 1.1.1.1
[Peer]
PublicKey = r3alsdfjalcoaio2oiasdjfaldskfjl=
AllowedIPs = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Endpoint = unixfandom.com:51820
PersistentKeepalive = 15
Client Public Key: 2asdlfjasljcl31jas=
Client Private Key: asldkjacj02askfjlsf=
Mikrotik Command to add new peer:
interface/wireguard/peers/add allowed-address=192.168.150.101,YOUR_INTERNAL_IP/24 interface=wireguard1 public-key="r3alsdfjalcoaio2oiasdjfaldskfjl="
Copy the [Interface] and [Peer] blocks into a wireguard.conf file on your desktop. That will be used by your wireguard client.
After that, copy and paste the Mikrotik command outputted by the script. Replace YOUR_INTERNAL_IP with the IP Range for your office – Not the IP range of the wireguard interface
After you paste that command, you should be able to see your peer on the Mikrotik. Once you use your wireguard client with the wireguard.conf file, you'll also be able to see the recieve and transmit data in the WinBox Wireguard GUI screen.
/interface/wireguard/peers/print detail
Flags: X - disabled
0 interface=wireguard1 public-key="r3alsdfjalcoaio2oiasdjfaldskfjl=" endpoint-address="" endpoint-port=0 current-endpoint-address=192.168.81.200 current-endpoint-port=65342
allowed-address=192.168.150.101/32,192.168.81.0/24 rx=1296 tx=368 last-handshake=10s