📛Secure fast and easy VPN on MikroTik with Wireguard. This is CRAZY v7.1.1 [Re-upload]📛

  • Published on 15 Jul 2024
  • Re-Upload of previous video without background audio! Many people have asked me to make a new video about wireguard. So I did!
    Timestamps:
    00:00 - Introduction
    00:37 - Wireguard Overview
    01:55 - EVE-NG & Wireguard Topology
    03:52 - Configuring Interfaces
    06:50 - Configuring Peers
    Credits:
    Thumbnail: Created on Canva
    Intro: Created on Canva
    Thanks again for watching

Comments • 81

  • @TheNetworkBerg 2 years ago +1

    Wireguard docs:
    www.wireguard.com/papers/wireguard.pdf

    • @marcfredericgomez9193 a year ago

      Very nice video and runs perfectly with Mikrotik Router 7.4.1 (Server) and Android/win/Linux clients. Thanks for your time and your share

  • @injustice18 2 years ago +1

    Thanks for the updated video!

  • @jacoleroux5569 2 years ago +3

    Well done, I've tried to set up wireguard with my VPS as server and mikrotik as client / peer but as I'm very new to this I got stuck at allowed IP to pass through but no internet connection, but I think I understand more after this video, will give it a go. Thanks... keep it up, thank you

  • @mfarokh27 2 years ago +2

    So fast to implement feedback. 😊

  • @geoDunkleAura 2 years ago +5

    Ohhhh you removed the music from the reupload. This is much easier to listen to this way. 😀 Now back to the video.

    • @TheNetworkBerg 2 years ago +6

      Indeed, many people were unhappy with the background audio. So I re-edited the video without any background music :)

    • @rizwanarasheed 2 years ago +1

      @TheNetworkBerg THANK YOU for doing that. Music is great in an introduction clip and closing clip.

  • @fazzah777 2 years ago +1

    I have a working "triangle" setup of wireguard networks connected. I really like the ease of setup, but one MAJOR bummer is that you need to restart both peers if one of them is on a dynip. I'm trying a workaround with netwatch, but I'd very much prefer an automatic solution

  • @andrejscernusenko4866 2 years ago

    Would be happy for some speed comparison in terms of Wireguard vs OpenVPN vs SSTP vs IpSec vs L2TP/IpSec, just to understand it also performance wise.

  • @ryandelarosa8312 2 years ago

    Hi @The Network Berg, nice video! Just a question for you, the endpoint address in Peer is the WAN ip address of my entire network or the ip address of the mikrotik? I am talking about server side here. Thank you!

  • @waqarhussain5219 2 years ago

    Hi! I need to ask, can we use two separate mikrotik pppoe routerboards on a single network?

  • @user-mp7zp3hc5p 2 years ago

    Hello again!
    What if I have 2 routers connecting to the main router? Do I have to create a new wireguard interface on the main router for each one?

  • @pipertime1 2 years ago

    Good video.....you got a good grasp of this tech. Did I miss a video about putting MT 7 on Eve? I thought only certain versions of 6 would work on Eve?

    • @TheNetworkBerg 2 years ago

      All versions of 6 for the CHR work fine on EVE, same for v7 :)

    • @pipertime1 2 years ago

      Ok - thanks

  • @GarthPhilpot 2 years ago

    Could you give me some advice on how to set up an RB5009 and an LDF LTE6 in my home lab config? I'd be very grateful from one saffer to another.

  • @damnager 2 years ago +1

    Excellent explanation but unfortunately doesn't help me. I have a VPS running wireguard, all working fine. I'm behind CGNAT so got a little Hex MT and tried to connect it to my VPS wireguard. I'm sure it's a routing problem but buggered if I can get it to work. So... a video on connecting MT with wireguard to VPS wireguard would be very helpful (for me and probably others). After that I'm hoping to set up a pair of Audience MT's to mesh network my home but baby steps at first.

  • @charneval a year ago

    Hello. I would like to know if it is possible to use wireguard between two sites, however, I have only one static public IP in the HQ-Mikrotik office and I have a dynamic IP in the SITE-Mikrotik office. Thanks A.

  • @mr_g2671 2 years ago

    Hi Berg, What if your remote sites do not have a WAN IP, but my server have a PUBLIC IP, how can we setup WIREGUARD?

  • @gohanblanco4592 2 years ago

    Hello sir, I see that the End Point on the peer should be set to a WAN IP address, but my home WAN IP is dynamic, so after rebooting the router the WAN IP will change. So what is the solution for me? Because I already set a static IP but the ISP won't let me connect to the Internet, and should I use the cloud public IP address (Router behind the NAT, Remote Connection Might not Work)? I'm using a prepaid SIM card for Internet.

  • @ckbne 2 years ago

    Sorry guys, I'm not getting something. I have an iPhone 13 with the latest WG client, get a solid connection but only inbound packets. Can't seem to get anything to route back to the WG client. To make things more complicated my ROS7 is stuck behind carrier NAT with a Forward, although that does not seem to be the problem. TNG, can you please help us numpties with a remote iOS example for road warriors

  • @kamran6998 2 years ago

    Hey guys. I want to connect my modem to the router and configure a VPN on it, so when I connect to the router with wifi it tunnels the whole internet and I don't need to use a VPN on my device. What should I do?

  • @onlyuser8501 2 years ago +2

    Awesome and love from Pakistan

    • @TheNetworkBerg 2 years ago +2

      Love from South Africa :D!

    • @OckertM 2 years ago

      @TheNetworkBerg I thought that accent was lekker!
      Great job on the videos man! I know a few local guys watching and learning from you!

    • @TheNetworkBerg 2 years ago +1

      @OckertM Local is very lekker :P Happy to hear that my videos are making it to more people. MikroTik is definitely growing in South Africa.

  • @TNTTunnel 2 years ago

    Hi, wireguard can be blocked very simply by the ISP. Do you have any solution?

  • @ols7462 a year ago

    Can you please make a tutorial on how to setup nordvpn on mikrotik hap ax3 router with wireguard.

  • @ocular57 a year ago

    according to mducharme mikrotik technical support on MT forums, states that it is necessary to put the WG with the LAN interface on the interface list to handle the NATted traffic?

    • @TheNetworkBerg a year ago +1

      Nowhere on the MT docs does it state this, this is most likely for an ease of use if you are using a home based router with the default configuration. For the official docs I suggest looking at
      help.mikrotik.com/docs/display/ROS/WireGuard
      Otherwise I would recommend looking at my latest video covering WG
      th-cam.com/video/P6f8Qc4EItc/w-d-xo.html

  • @lukasaugustin3727 2 years ago

    Do you really need to specify Endpoint and port at 7:07?

  • @geogmz8277 2 years ago +1

    Way better

  • @constantringingtech2230 2 years ago +1

    This seems like a lot of work compared to L2TP/IPsec roadwarrior setup. Instead of static routes could you use OSPF?

    • @rtakac 2 years ago

      I would also love to see this setup with OSPF, I have tried S2S wireguard with OSPF but I can’t get it to peer with any neighbors. Not sure what might be the problem. If for example SSTP is used as interface it works.

    • @TheNetworkBerg 2 years ago

      I have not been able to make wireguard and OSPF work together. I would actually recommend looking at VxLAN, VPLS or EOIP to configure OSPF over as these protocols span L2 across to remote networks and OSPF should in theory be able to work over these protocols and the interfaces you configure via them.

    • @DenisGWahome a month ago

      I actually configured Wireguard for my remote clients after the L2TP setup stopped working after I put up an IPSEC tunnel.

  • @k4qdex 2 years ago

    You didn't answer my question on another video, so here it is again. I have very poor bandwidth performance and I don't know why (over the internet). My ISP speeds are very good, but not through the tunnel. Any idea why?

    • @TheNetworkBerg 2 years ago +1

      Which tunnel, Wireguard? Zerotier? IPSEC? This video is specifically related to Wireguard and if you asked a question on another video then I suspect you are using a different tunnel than Wireguard.
      There are many reasons why tunneled traffic could potentially be slower. Especially if it's maybe something like Zerotier. If there are no servers near you to form the mesh then you may be taking a path to a different continent to bring our ZT up and that could add a lot of latency to your connections with slower connectivity.
      And that is just one of many speculations why the tunnel might be slow. If it is ZT I suggest reading this thread on the MT forums:
      forum.mikrotik.com/viewtopic.php?p=902224&hilit=ZeroTier+Slow#p902224
      I have local servers where I am from, however, even I have seen a 15% - 20% drop in my speed when transferring traffic over a ZT connection. And this seems more like something between ZT & MT that needs to be sorted out.

  • @asthmatic2455 2 years ago

    Hi, but I need configure my Mikrotik as Wireguard CLIENT :(

  • @joao1999vcf 10 months ago

    I used to have wireshark in my raspberry and recently changed the service to the mikrotik. One thing that is just 🤌 in the raspberry is that it creates a QR code in the console or GUI that you can scan with your phone wireguard client and boom! The client is configured in the phone. I would really like to have that feature in the mikrotik. Let's be honest, copying keys is just not fun.

    • @TheNetworkBerg 10 months ago

      MikroTik's latest feature BackToHome does exactly this with WG. I still need to make a video on the subject, though I am sure MT has it in their documentation of how to set it up

  • @robertambroz5249 2 years ago

    This video is great! But what if we want VPN from client to site router, but HQ router is not a Mikrotik router?

    • @TheNetworkBerg 2 years ago

      Wireguard is more of a standard than something MikroTik-specific; as long as the device supports Wireguard you can still configure a peer and connect with the same principles.

  • @PetrKrenzelok a year ago

    I am not sure setting-up the site to site VPN using Wireguard is less hassle, than using an IPSEC connection. What is an advantage here, apart from IPSEC not being a real interface?

    • @cobro2 6 months ago

      speed

  • @VoklavTube 2 years ago +1

    Hello. I have two Mikrotik in different locations.
    one is with static IP ... the second is with PPPoE...
    And I have a problem with the second one.
    trying to use cloud DDNS for the endpoint ... but for some reason, I don't have connections :/ ...
    Can you plan to reproduce some more complicated scenarios like mine?
    I think the problem is in the rules of firewall and nat specifically

    • @TheNetworkBerg 2 years ago +4

      Hmmmmm, I could definitely do a lab similar to that by creating a CHR that obtains an IP via DHCP. I'll see if I can setup a lab like that and if it is possible with the current MT code. Because since version 7 is still new there might be some code/bug issue that prevents DDNS names to be used as remote-addresses. But that is just speculation.
      Will reply here once I have tested myself :)

    • @darylshadwell8174 2 years ago +1

      @TheNetworkBerg Greetings. I have a similar issue where the remote mikrotik connection provides a Dynamic Public IP via PPPOE and need to use the cloud DDNS IP.

    • @VoklavTube 2 years ago

      Solved the problem.
      For some reason, the PPPoE connection has one address, but Cloud DDNS Public IP has another. Tried "Force Update", but nothing happens.
      What I had to do was reconnect the PPPoE connection ... (or restart the router :D)
      ....
      Of course, before that, I had to see that the addresses are different :/
      So long story short:
      if you have "Router Is Behind A NAT. Remote connection might not work" in the cloud section ... check your WAN IP and your CLOUD DDNS IP :)
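
Added example, not part of the comment thread or the video: the check @VoklavTube describes above (WAN interface address versus the address the Cloud DDNS name resolves to), written in Python and extended to say which site has to initiate when one WAN address is private or CGNAT space. The function names and sample addresses are assumptions made up for this sketch.

```python
import ipaddress

# Address space that is not reachable from the internet: RFC 1918 private
# ranges plus the RFC 6598 range carriers use for CGNAT.
UNROUTABLE = {
    "private": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
}


def classify_wan(addr):
    """Return 'private', 'cgnat' or 'public' for the WAN interface address."""
    ip = ipaddress.ip_address(addr)
    for label, nets in UNROUTABLE.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def check_endpoint(wan_addr, ddns_addr):
    """Compare the WAN interface address with what the DDNS name resolves to."""
    kind = classify_wan(wan_addr)
    if kind != "public":
        # Peers cannot open a tunnel towards this router; it has to dial out.
        return "behind-nat:" + kind
    if ipaddress.ip_address(wan_addr) != ipaddress.ip_address(ddns_addr):
        # The record points at another address: peers dial the wrong endpoint.
        return "stale-ddns"
    return "ok"


def who_initiates(site_a, site_b):
    """Each site is a (wan_addr, ddns_addr) pair; say which side must dial."""
    a_ok = not check_endpoint(*site_a).startswith("behind-nat")
    b_ok = not check_endpoint(*site_b).startswith("behind-nat")
    if a_ok and b_ok:
        return "either"
    if a_ok:
        return "b-dials-a"
    if b_ok:
        return "a-dials-b"
    return "no-direct-path"


# Constructed sample sites (documentation address ranges, not from the video).
HQ = ("203.0.113.7", "203.0.113.7")         # static public IP, record matches
PPPOE = ("203.0.113.50", "198.51.100.20")   # public IP, DDNS record is stale
LTE = ("10.20.30.40", "198.51.100.20")      # carrier hands out a private IP

if __name__ == "__main__":
    for name, site in (("HQ", HQ), ("PPPoE", PPPOE), ("LTE", LTE)):
        print(name, check_endpoint(*site))
    print("HQ <-> LTE:", who_initiates(HQ, LTE))
```
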

  • @ameador01 2 years ago

    I use a cell phone provider for internet access from home/home office. They do not provide me with a routable IP at the edge router. It is a 10.x.x.x/y address. I am working on starting up a WISP and want to be able to VPN into my home/home network as well as the systems at my WISP tower(s). They are a completely different network and ISP providing my uplinks. It seems from this video that this can be done - with the exception that I haven't found a solution to initiate a tunnel into my home/home office network due to the private IPs being supplied to me by the cell provider. Will this Wireguard solution work in that scenario? Or would it be limited to initiating from home/home office - but not the other way around?

    • @TheNetworkBerg 2 years ago +1

      Hi Andrew, I would probably suggest using something like ZeroTier for that purpose, having a router with ZT at your home as well as having a ZT capable device at your towers that you can connect to. If you have ROMON enabled on MikroTiks at your towers you can basically manage them all.
      Here is another video on the channel specifically covering ZeroTier
      th-cam.com/video/eFI59jJ2MM8/w-d-xo.html

  • @Meldekopf 2 years ago

    Is there actually the possibility to support you once?
    Had already written to you once directly via Discord.
    Greetings Markus

    • @TheNetworkBerg 2 years ago +1

      Hi Markus, thank you for wanting to help support the channel. At the moment people can sign up as a TH-cam or Patreon member, though there is some form of monthly subscription (which you can stop at any time). If you are asking for something like a link for once-off donations, then no, unfortunately not yet. I know there are some sites like buymeacoffee or streamlabs OBS that allow for once-off donations. I'll take a look at that once I have more time, and set that up. You see it a lot with people streaming on Twitch having donation buttons and I am sure there is something similar I can do for the TH-cam channel.

  • @PST_1414 2 years ago

    Hello Mr Berg,
    I have 2 queries which I will ask one by one
    a. How did you add the VPC in this topology which is acting as your PC? Is this a feature in the EVE-Pro edition? I am using the community edition right now, v2.0.3-112
    b. Strange problem on my office PC: every time, I need to disable/enable the vmnet (NAT) or vmnet (internal) or RadminVPN network adapters, then it starts working; before that they send traffic but receive remains on 0. I have reinstalled VMware but the problem is still there. Any suggestions?
    Thanks in Advance
    PST

    • @TheNetworkBerg 2 years ago +1

      A) The VPC in the topology is just there for reference. I was using my actual computer to establish the wireguard connection from Windows. EVE-NG Pro does have a cool docker that functions as a virtual PC that can run certain apps. Though you can still import a Windows or Linux image yourself and use it in a topology with Wireguard.
      B) EVE does this from time to time, disabling/re-enabling seems to be the only current fix. Please log with EVE team yourself if you want them to take a look. But this is what I am doing currently as well.

    • @PST_1414 2 years ago

      @TheNetworkBerg Thank you Mr Berg, I thought I was the only one who has this same problem. Anyway, my point B does not relate only to EVE but is related to my system, in which the RadminVPN and VMware adapters do not work until I disable then re-enable them.
      For your info, I have 4 emulator and VPN software packages for which virtual adapters are installed, like VMware Workstation, Oracle VirtualBox, Zerotier1 & RadminVPN, out of which no problem is found with ZT1.
      In my opinion the problem seems to be on the Windows side on which these virtual adapters are configured. I was having this same problem on Windows 10 before, and after the update from Windows 10 to Windows 11 it carries along. Till now I haven't found its solution but it happens only with virtual network adapters, e.g. VMware Workstation and RadminVPN. On the other hand the ZT1 adapter works fine, due to which I feel a bit confused. Why does the ZT1 virtual adapter work and the others do not?
      I thought you or someone in your tech team might have had an issue like that before, by which I can get some clue to investigate further.

  • @christp42 2 years ago +1

    Can DDNS be used instead of static IPs as peers' endpoints?

    • @ClintChance 2 years ago +1

      I've had very limited success with this. It seems that the official apps (Android) don't implement dns lookups. I use cloud flare and update the ip when the lease renews. And it's never worked. Would love to see if someone has had better success

  • @Ph3n1xh3r3-er3zn a year ago

    Does mikrotik hEX support Wireguard? I am unable to find the WireGuard option on my router

    • @TheNetworkBerg a year ago

      If you are running RouterOS v7 then yes you should be able to use Wireguard.

  • @sjobbefin 2 years ago

    Otherwise excellent but peer endpoint IP on server glossed over... Did you just put a random IP there? What is the point of configuring an endpoint to the server for a client. Can't we just leave it blank? If I understood this right that makes the device (mikrotik) initiate the connection and it would just try to hammer that IP, in your case 192.168.149.1
    I'm having a hard time getting an iPhone to work. Androids and other routerboards work just fine.

  • @chrislane5670 2 years ago

    Where did the end point come from? Seems a bit fast of a presentation... Clearly I'm slow

    • @TheNetworkBerg 2 years ago +1

      Hi Chris, the endpoint IPs have been defined in the EVE-NG topology, essentially this is just the WAN IP that you will be using to connect to as your Peer for Wireguard. Sorry if I was going too fast or did not explain that point clearly.

  • @Anavllama 2 years ago +1

    Actually found this video confusing. Why do you assign a listening port on the client PC? Why do you use two different WANIP (endpoint addresses for the MT Server router - one for the pc client and one for the Server Client)? Would make sense if you were doing this intentionally and stating a scenario, let's say your Main Router has two public IPs, you can use each for a wg interface etc.

    • @TheNetworkBerg 2 years ago +1

      Sorry if the video was confusing for you Alex. I created what I believe is a good broad use for Wireguard. One being an easy VPN server to connect to as a client, the other allowing for things such as S2S VPN. I also incorporate remote site access from a client PC to the rest of the network. The point of it was to show how much we can do with Wireguard in less than 15 minutes.

    • @Anavllama 2 years ago

      @TheNetworkBerg Sounds reasonable and probably more to do with my misunderstandings of how it should work. I think it's important to delineate some things very clearly, like the random single IP for a smartphone peer connection or a specific subnet from a client router, and then on the allowed addresses to clearly state if one is going to accept all IPs (aka use the internet of the Server Router), or specific subnets behind the router etc. (which I believe you did). The other point that is often fuzzy is the selection of an IP address for the Server Router wireguard interface. Does it have any connection to any other existing subnet (or is it random and separate from any other subnet)? Its function is not clear to me as I have not used an IP address for a wg interface yet.

  • @mbahpinky5500 2 years ago

    on android sir

  • @cornbreadcuban5456 2 years ago

    Just gloss over the Mikrotik Wireguard interface. Kind of need step one.

  • @jermainebrown8615 2 years ago

    Nice Video but Can you do this setup using a provider VPN. Thanks

    • @TheNetworkBerg 2 years ago

      Hi Jermaine, please let me know what you mean regarding provider VPN? I can definitely make another video regarding another type of VPN or I might even already have a video available :D

    • @jermainebrown8615 2 years ago

      @TheNetworkBerg I would love to see Torguard Vpn wireguard setup. Thanks

  • @julianjordanov4626 2 years ago

    This looks very cumbersome. I don't understand why it's implied it's easy to set up. OpenVPN is much easier to set up, at least on the client you just import a file containing the keys and server IP. You don't have to write and know any commands as a user.

    • @TheNetworkBerg 2 years ago +2

      You don't need to write any commands as a user on Wireguard either. An administrator can create a tunnel file and send it to a user that they just import.
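
Added example, not from the video or the commenters: a small linter an administrator could run over a client tunnel file (the `.conf` text format the official WireGuard clients import) before handing it out. The hostname, port, subnets and placeholder keys are constructed for illustration, and the placeholder keys are not a real key pair.

```python
import base64
import binascii
import ipaddress

# Placeholder keys: 32 constructed bytes each, NOT a real Curve25519 key pair.
FAKE_PRIV = base64.b64encode(bytes(range(32))).decode()
FAKE_PUB = base64.b64encode(bytes(range(32, 64))).decode()

# Constructed sample tunnel file. It carries the client's private key, so it
# needs the same handling as any other credential when it is sent to a user.
SAMPLE = f"""[Interface]
PrivateKey = {FAKE_PRIV}
Address = 10.10.10.2/32

[Peer]
PublicKey = {FAKE_PUB}
Endpoint = vpn.example.net:13231
AllowedIPs = 10.10.10.0/24, 192.168.88.0/24
PersistentKeepalive = 25
"""


def key_ok(value):
    """A WireGuard key is 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def parse_tunnel(text):
    """Parse the file into {'Interface': {...}, 'Peer': [{...}, ...]}."""
    conf, section = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            section = conf["Interface"]
        elif line == "[Peer]":
            section = {}
            conf["Peer"].append(section)
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            section[name.strip()] = value.strip()
    return conf


def lint_tunnel(text):
    """Return a list of problems; an empty list means the file looks importable."""
    conf, problems = parse_tunnel(text), []
    if not key_ok(conf["Interface"].get("PrivateKey", "")):
        problems.append("Interface: PrivateKey is not a 32-byte base64 key")
    if not conf["Peer"]:
        problems.append("no [Peer] section")
    for n, peer in enumerate(conf["Peer"], 1):
        if not key_ok(peer.get("PublicKey", "")):
            problems.append(f"Peer {n}: PublicKey is not a 32-byte base64 key")
        host, _, port = peer.get("Endpoint", "").rpartition(":")
        if not host or not port.isdigit() or not 0 < int(port) < 65536:
            # The client dials out, so it needs somewhere to dial.
            problems.append(f"Peer {n}: Endpoint must be host:port")
        cidrs = [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
        if not cidrs:
            problems.append(f"Peer {n}: AllowedIPs is empty, nothing would be routed")
        for cidr in cidrs:
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"Peer {n}: bad AllowedIPs entry {cidr}")
    return problems
```
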

  • @user-mp7zp3hc5p 2 years ago +1

    Hello!
    Thank you for your video. Do I have to configure firewall rules for proper Wireguard running?

    • @mariustheodor 2 years ago

      Hei, I tried now this setup but without firewall rules inside of Mikrotik wasn't working from the internet. Make the rules of the port and it will work.

  • @slammerreal 9 months ago

    Have you tested throughput for wireguard client on this mikrotik device and speed before hitting the bottleneck? Thank you

  • @jacomeintjes9709 2 years ago

    Mmm... Doesn't seem to be that easy to setup... Is this really easier and better than ovpn?

    • @TheNetworkBerg 2 years ago +1

      For sure, you just need to have a public key and an IP to connect to, I literally configured a hub-and-spoke network with s2s VPN and remote access from a Wireguard client to the entire network within 15 minutes. I'd say that is extremely easy and quick to do. If I made a video just showing you how to connect as a client to a server it would be a really short video and super simple, but I am showcasing the power of Wireguard across an expanded network.

    • @inspiretelecom1598 2 years ago +1

      @TheNetworkBerg I think you should make that shorter version.