Ultimate MikroTik Wireguard Site-to-Site Guide

  • Published on 8 Oct 2024

Comments • 147

  • @TheNetworkBerg
    @TheNetworkBerg 2 years ago +13

    Hi Guys,
    Just pinning this top comment with some relevant information like the setup or the whitepaper docs. Please use for reference.
    Wireguard Whitepaper:
    www.wireguard.com/papers/wireguard.pdf
    MikroTik Wireguard Material:
    help.mikrotik.com/docs/display/ROS/WireGuard
    Topology Diagram:
    imgur.com/yFp2o8M
    Router Configurations:
    pastebin.com/VP9Ef0n4

  • @JustinShaedo
    @JustinShaedo a year ago +10

    Genuinely impressed with how clearly you explain things. Huge respect.
    I'm learning WireGuard with PFSense, but this video is so good and easy to understand, I'm finding it invaluable. That's about as high a compliment as I can give. Thank you for making this video.

    • @TheNetworkBerg
      @TheNetworkBerg a year ago +2

      Thank you very much for the comment Justin! I really appreciate it and I hope more people like yourself can find value in the videos I create.

  • @Lehnargh
    @Lehnargh 2 years ago +1

    I wasted hours of firewall config and didn't succeed in connecting a Windows client to the MikroTik router. I shall try it again with the ultimate tutorial. Thank you very much for your videos.

  • @mrb2843
    @mrb2843 2 years ago +3

    Thanks. I was able to create multiple connections to a number of different offices with this. Excellent tutorial.

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago

      Excellent, happy to hear that this helped you :D!

  • @kirksteinklauber260
    @kirksteinklauber260 2 years ago +3

    Loved the video!! And just addressed my use cases!! I tested the configuration myself and worked flawlessly!! Thanks so much 😎👍

  • @hansvanderlinden6545
    @hansvanderlinden6545 a year ago +2

    Thanks. I'm already running WG on MT and road warriors, but I'll keep this as a reference. It's clear and complete. Plus with document references as a bonus. Nice.

  • @sgenov
    @sgenov a year ago +2

    Amazing step-by-step tutorial. I was running EoIP and desperately wanted to simplify things. Thank you!

  • @srkl3429
    @srkl3429 a year ago +1

    Thanks a lot for the really good one on teaching WireGuard on MikroTik.

  • @kennethbautista4903
    @kennethbautista4903 2 years ago +2

    I made it through using AWS as a public CHR and it looks cool. Subscribed and thanks to you man. Very clear explanation. Will do the Pi-hole as my next project and will watch your video on this. No skipping on your ads. More power to you!

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago

      Thanks Kenneth, appreciate that. Let me know if you run into any issues with your Pi-hole setup 😁

  • @jamesugbojoide1229
    @jamesugbojoide1229 2 years ago +2

    VPN made easy! Great work with a detailed guide to the end goal.

  • @whistler2000
    @whistler2000 6 months ago

    Great guide, easy and as always you give a good explanation on how and why one should do the following things. I just set up a similar setup using your guide, and I had problems with my road warrior routers: they would sometimes prefer to use their own internet connection instead of using the "site A" internet connection. To fix this I added/changed the following in the config (corrected so it should match your guide):
    /routing table add name=onlyWG fib
    /ip route add dst-address=0.0.0.0/0 gateway=WG-MikroTik-C routing-table=onlyWG
    /routing rule add src-address=172.16.20.0/24 action=lookup table=onlyWG
    If one should wish to only allow internet through the WG tunnel, change the action to action=lookup-only-in-table
    Note: my MikroTik boxes are running the standard firewall config and are doing NAT.
    Note: RouterOS version is 7.14.1 (2024-Mar-08 14:50)

  • @gylletrold8597
    @gylletrold8597 2 years ago +2

    Hello Johnny. Thank you for another excellent video.
    Would you care to share a little about your "special startup scripts"?
    The default firewall script works fairly well, but I'm just curious whether you come up with some "must have" addons?

  • @riccardomanfredi1448
    @riccardomanfredi1448 a year ago +1

    Finally someone who knows what they are doing..... GREAT JOB!!!

    • @TheNetworkBerg
      @TheNetworkBerg a year ago

      Thank you for your kind words and supporting the channel Riccardo, it is very much appreciated!

    • @riccardomanfredi1448
      @riccardomanfredi1448 a year ago

      @@TheNetworkBerg just a beer for happy new year! 🥳

  • @suhailhaadhy6350
    @suhailhaadhy6350 a year ago +1

    Please make a video tutorial on how to connect a MikroTik router to a pfSense firewall using WireGuard. Thank you

  • @PeterSzamosi1
    @PeterSzamosi1 2 years ago

    I would love to see how you connect a mikrotik router to a Pritunl server :)
    Great videos!

  • @mikkio5371
    @mikkio5371 2 years ago

    Thank you, I am successful. Where I had a challenge on your design was 'WG-INET1 and WG_INET2', but after reading the comments here you made me understand they are acting as ISPs, so I NATed them. Thanks.

  • @bsem68
    @bsem68 2 years ago +1

    Thanks for this, I have been a pfSense user for a long time, but since the merger with another company, the others here are MikroTik fanboys. I am learning MikroTik and taking this video as a basis, was able to make a WG S2S from an old RB3011 to my 5100 Netgate pfSense. MikroTik is a little strange compared to pfSense (and everything else really) but I do notice that changes are near instantaneous e.g. firewall rules etc. where pfSense has to wait for filters to reload. Having said that, we continue to use pfSense for most new things, just want to learn MikroTik to support some existing clients.

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago

      That's awesome Brian, one thing that really makes MikroTik stand out vs other vendors is just how versatile the software is. Many people tend to call it the "Swiss Army Knife of networking" because you can really almost do anything that you'd like to do on it. Hope you enjoy your learning journey with MikroTik and if you ever have questions feel free to send me a message ^^

  • @christianseidel2775
    @christianseidel2775 6 months ago

    Thank you very much. Very good tutorial. Greetings from Germany.

    • @TheNetworkBerg
      @TheNetworkBerg 6 months ago

      Glad it was helpful! Greetings from a South African living abroad :D!

  • @aleomartinez
    @aleomartinez 7 months ago

    Thanks! Works 100%!!!! Can I configure and run S2S and road warrior at the same time? Should I add a new WireGuard interface for the road warrior? Thanks!!!

  • @neothrunodes
    @neothrunodes 6 months ago

    Great video! I was able to follow this perfectly. I can ping site to site with these access points, but when I plug any device into any ethernet port, the tunnel is bypassed. I think I'd need to make a separate bridge and set up the device as a router. Is there any way I can do this so that devices that connect to these will be able to access the subnets?

  • @wyc2462
    @wyc2462 2 years ago +2

    Hero of Network

  • @kresimirpecar4925
    @kresimirpecar4925 2 years ago +1

    Oh... Don't get me started on ISPs... If anybody is even thinking about any usable VPN connection it's recommended that at least one endpoint has public IP. It will make your life so much easier... I had multiple LTE Mikrotiks on multiple locations and until we got an internet connection with public IP it was a nightmare to get tunnels working... You speak with an ISP, they "fix" the problem... A couple of days later the same sh*t. Now the server is on public ip and no more problems with random connection dropouts.
    Also, a great video as always, that is some quality content, glad to see that you manage to make videos even now when you are a father :) Maybe one day we will have The Network Berg jr. Hehe

    • @Anavllama
      @Anavllama 2 years ago +1

      Using wireguard is PREDICATED upon at least ONE END having a REACHABLE PUBLIC IP. It does not have to be the MT router or device you are using AS LONG AS the router in front of the MT device can forward a port to the MT device. One can also get creative. Let's say I have two MT devices behind other routers and no way to forward ports, basically screwed.
      One can still get a cloud based server to run MT RoS and connect both of your devices (as clients) to the CLOUD instance via WIREGUARD, and ipso facto you are not connected from MT device to MT device.

    • @balazsangyal3201
      @balazsangyal3201 a year ago +1

      So you only need one site to have a public IP, right? There are a lot of ISPs who cannot even give you a public IP or it has a very high price... So if I want to connect to a so called "center" MikroTik router which has a public IP, then I can connect to it from multiple sites not having public IPs? Am I right?

  • @momensobhy2929
    @momensobhy2929 3 months ago

    Thank you so much for this great tutorial. I have a question regarding my setup. I have a MikroTik router with two PPPoE connections and I'm using PCC for load balancing. I want to use WireGuard on this router to make it the main server. My goal is to achieve a site-to-site VPN where, for example, when a client server (like another MikroTik router) connects, it can utilize both PPPoE connections' upload speeds simultaneously. I've heard this might not be possible. Is that correct? Please let me know. Thank you in advance!

  • @fernandomelo409
    @fernandomelo409 11 months ago

    Thank you so much to provide this content 👏

  • @Anavllama
    @Anavllama 2 years ago +1

    At time 0850, it should be made clear that yes, allowed address can be viewed as THE STUFF on the other side of the equation, but one should ensure the full picture is provided ---> it is more accurate to say what one is trying to reach at the other side "to get to", but ALSO what source addresses are incoming from the other side "coming from". (Both are indeed concerning the other side, but the nuance I am adding is that the need for traffic considerations should be viewed as BI-DIRECTIONAL.) For example you have articulated the requirement for traffic from ServerA to reach Subnet 172.16.20.0/24 at the B-device LAN. This is important due to crypto key routing where you have to tell Router A which destination IPs are allowed to enter the tunnel outbound. This serves double duty in case the same subnet on B device wants to access one of the local Router A LAN subnets. Since the list of incoming source IPs is ALREADY in the allowed IPs, it will be allowed to reach the Server A subnets (with appropriate firewall rules and routes of course). In other words crypto key routing on the inbound tunnel traffic uses the allowed IPs to permit identified incoming source addresses to exit the tunnel at Server A. To drive this home consider a different LAN subnet at Site-B 10.10.10.0/24 (made up), that needs access to the subnet on Server A. Even though there is no intention for anyone on Server A to reach that subnet, the admin must include this new subnet as allowed IPs on the Server A setup to address the incoming IPs and to ensure they are allowed to exit the tunnel at Server A.
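
The bi-directional role of allowed-address described in the comment above, modelled as an added Python example (not code from the video, from MikroTik or from the commenter): it reproduces the cryptokey routing lookup WireGuard performs outbound (destination) and inbound (source) for the hub-and-spoke lab, and extends it to the spoke-to-spoke relay case that comes up elsewhere in this thread. The 192.168.250.0/24 tunnel network, the 172.16.20.0/24 site B LAN and the made-up 10.10.10.0/24 subnet come from the thread; the site A LAN 172.16.10.0/24, site C LAN 172.16.30.0/24, host addresses and peer names are assumptions for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Optional


class Peer:
    """One peer entry on a WireGuard interface and its allowed-address list."""

    def __init__(self, name: str, allowed_address: list[str]) -> None:
        self.name = name
        self.allowed = [ip_network(a, strict=False) for a in allowed_address]

    def add_allowed(self, prefix: str) -> None:
        """Equivalent of appending a prefix to the peer's allowed-address."""
        self.allowed.append(ip_network(prefix, strict=False))


class WireGuardInterface:
    """Cryptokey routing table of one interface, built from its peers."""

    def __init__(self, name: str, peers: list[Peer]) -> None:
        self.name = name
        self.peers = {p.name: p for p in peers}

    def peer_for_destination(self, dst: str) -> Optional[str]:
        """Outbound ("to get to"): the packet is encrypted to the peer whose
        allowed-address contains dst by longest prefix. None means no peer
        claims the address, so the packet never enters the tunnel."""
        addr = ip_address(dst)
        best_name, best_len = None, -1
        for peer in self.peers.values():
            for net in peer.allowed:
                if addr in net and net.prefixlen > best_len:
                    best_name, best_len = peer.name, net.prefixlen
        return best_name

    def accept_inbound(self, from_peer: str, src: str) -> bool:
        """Inbound ("coming from"): after decryption WireGuard looks the source
        address up in the same table and delivers the packet only if it maps
        to the peer that sent it; anything else is dropped silently."""
        return self.peer_for_destination(src) == from_peer


def relay_through_hub(hub: WireGuardInterface, from_peer: str,
                      src: str, dst: str) -> Optional[str]:
    """Spoke-to-spoke traffic at the hub: the packet must pass the inbound
    check for the sending spoke and then an outbound lookup for dst.
    Returns the peer it is forwarded to, or None if it is dropped."""
    if not hub.accept_inbound(from_peer, src):
        return None
    return hub.peer_for_destination(dst)


def build_lab() -> tuple[WireGuardInterface, WireGuardInterface]:
    """Constructed lab: hub Site A with spokes B and C. Tunnel 192.168.250.0/24
    and the site B LAN 172.16.20.0/24 come from the thread; the site A LAN
    172.16.10.0/24, site C LAN 172.16.30.0/24, host addresses and peer
    names are assumed for the example."""
    site_b = Peer("site-b", ["192.168.250.2/32", "172.16.20.0/24"])
    site_c = Peer("site-c", ["192.168.250.3/32", "172.16.30.0/24"])
    hub = WireGuardInterface("wireguard_HQ", [site_b, site_c])
    # Spoke B as first configured: one peer (the hub) allowing only the hub's
    # tunnel address and the site A LAN. Site C's LAN is deliberately absent.
    hub_peer = Peer("site-a", ["192.168.250.1/32", "172.16.10.0/24"])
    spoke_b = WireGuardInterface("wireguard_SiteB", [hub_peer])
    return hub, spoke_b


if __name__ == "__main__":
    hub, spoke_b = build_lab()
    # Outbound at A: site B's LAN is reachable through peer site-b.
    print("A -> 172.16.20.5 via", hub.peer_for_destination("172.16.20.5"))
    # Inbound at A from the made-up second subnet at B: dropped until allowed.
    print("A accepts 10.10.10.7 from B:", hub.accept_inbound("site-b", "10.10.10.7"))
    hub.peers["site-b"].add_allowed("10.10.10.0/24")
    print("...after adding 10.10.10.0/24:", hub.accept_inbound("site-b", "10.10.10.7"))
    # B reaching C through A works at the hub, but B must also allow C's LAN
    # on its hub peer (plus a route) or the replies are dropped at B.
    print("B -> C relayed to", relay_through_hub(hub, "site-b", "172.16.20.5", "172.16.30.9"))
    print("B accepts reply from C:", spoke_b.accept_inbound("site-a", "172.16.30.9"))
    # A packet from C that claims a site B source address never leaves the tunnel.
    print("C spoofing B's address:", relay_through_hub(hub, "site-c", "172.16.20.5", "172.16.10.1"))
```

The last case is the defender's payoff of cryptokey routing: a spoke cannot inject packets with another site's source addresses unless the hub's allowed-address for that spoke says so, which is also why over-broad entries such as 0.0.0.0/0 on a site-to-site peer deserve scrutiny.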

  • @Huckleberry_F
    @Huckleberry_F 11 months ago

    Great tutorial.
    It all worked. Almost.
    I can reach site A from B and from C. Site A can reach both. But B cannot ping C. When I traceroute it goes to wg 0.1 lan and gets stuck. So it reaches site A and goes nowhere.
    What's interesting, when I connect to site A from the B network using L2TP it routes well.

    • @Huckleberry_F
      @Huckleberry_F 11 months ago +1

      I managed to make it work. But I had to add static routes in B to C, in C to B. Even though the routes are on the A, but it did not work without it

  • @WaldecirSantos
    @WaldecirSantos 2 years ago

    Awesome video, one thing that I'd like to know is how to use "DNS" between wireguard tunnels so we don't need to remember IP every time, is that possible ?

  • @riccardomanfredi1448
    @riccardomanfredi1448 a year ago +2

    Thanks.

  • @polisidor7414
    @polisidor7414 a year ago

    Thank you very much for the tutorial!

  • @michaelhelmlinger827
    @michaelhelmlinger827 2 years ago +2

    Really good guide. Just one thing: how do you handle things if Site A only has a dynamic IP with DynDNS? The Linux version has scripts to track IP changes and restart the IF. I think in a typical home user scenario DynDNS is part of the equation and should be covered :) is there a solution for MikroTik?

    • @Anavllama
      @Anavllama 2 years ago +1

      Of course, if one has an MT server with a dynamic IP then simply use the built in IP cloud DDNS service on the router. If one is using an MT device as the client then use the Mynetname of the IP cloud on the MT server as the endpoint address. Where MT falls short at the moment is that if the Server changes IP or reboots etc. , the client MT device will not always re-capture the SERVERs New IP, due to the lag between resolving the new address which may take some time where WG attempts to connect prior and if it fails it just sits there and one has to reboot the client or restart manually the WG client side.

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago

      Yeah Alex is 100% correct. I also booted the lab up and just added some DNS entries on the remote sites and I could use the A Records to connect with just fine. So creating a central point using a dynamic connection is totally fine if people are connecting over DDNS.

    • @michaelhelmlinger827
      @michaelhelmlinger827 2 years ago

      @@TheNetworkBerg sure, I am aware of that. But if you have an existing connection and the public IP of the server changes, the tunnel stops working. It needs to be re-enabled (at least in the Linux implementation). This is because the DNS lookup is done only at the start of the tunnel. Is there a way to handle this in MikroTik?

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago +1

      Hmmmm I see, I will have to play around with it, but I am pretty sure you could achieve something with scripting on scheduler or netwatch where you could test and see if you can access the WG tunnel IP of the remote side. If not, then the router can disable and re-enable the peer after a certain delay and then that should re-establish the tunnel on the new IP.

    • @Anavllama
      @Anavllama 2 years ago

      @@michaelhelmlinger827 Yes, this is a common issue and it has been sent by many to MT to fix as bug reports. Seeing as how MT has their IP cloud and ddns - mynetname, it behoves them to fix it asap. As NB noted, there are scripts that can address this.

  • @peterhaack4589
    @peterhaack4589 5 months ago

    Thank you very much for this great video. I had an issue with the config. There was no ping possible until I added the IP of the other WG device (or changed the allowed IPs to the subnet of the WG interface). Is this a bug or did I do anything different?

  • @ocular57
    @ocular57 2 years ago

    Great video. Want to try out WireGuard on my 3 site setup that currently is using IPsec tunnels in a triangular topology. All MikroTiks have static public IPs and different subnets behind them. In my current IPsec setup if one host goes down the other 2 are still connected. I wish to modify your presented WireGuard topology. Do I set up like you have presented with Site A as master and Site B & C as clients and add the extra allowed IPs for the other client to the existing client WireGuard peer as you have done, or should I add an extra peer on each client for the other client (like on Site A) for each client? In your setup are Site B and C still connected if Site A goes down? Thanks

  • @stenbrunnstrom8087
    @stenbrunnstrom8087 a year ago

    It seems that the routing for the WireGuard net is automatic in 7.6.
    DAc 192.168.250.0/24 wireguard_HQ 0
    And a big thank you.

  • @jamesyu4467
    @jamesyu4467 2 years ago +1

    very nice guide. thanks for the guide

  • @bkiesz
    @bkiesz a year ago

    Great video.. as always!!! Question: trying to do a Site-to-Multisite (hub/spoke) with each endpoint having their own subnet. Can this be done with 1 WG interface and multiple Peers or do we need to build a WG interface on the Hub Router for each site endpoint? We also need each site to reach every other site in said topology. We set it up with 1 WG/multi peers and we can ping the far end router subnet interface but not the devices within the network. very strange..

    • @TheNetworkBerg
      @TheNetworkBerg a year ago

      It can be done with a single WG interface, just need to ensure your allowed-from addresses are correct and that you have routing and firewall policies allowing the traffic if you are using the default firewall rules.

  • @ollisollis
    @ollisollis 2 years ago

    Thanks for another great video. At 17:00 the chain must be set to input - right?

  • @LifeWithMatthew
    @LifeWithMatthew a year ago

    This was extremely well put together! One question, what if my main site does not have a static IP address? I have a domain that I update with DDNS, can I point it to the domain instead of the ip address?

    • @TheNetworkBerg
      @TheNetworkBerg a year ago +1

      You can definitely use DDNS, although there are some caveats when going this route. Namely if your IP changes the peers will have to be refreshed by either disabling and re-enabling them manually or by using scripting. But can be done.

    • @LifeWithMatthew
      @LifeWithMatthew a year ago

      @@TheNetworkBerg Good to know, thanks!

  • @PetrKrenzelok
    @PetrKrenzelok 7 months ago

    Interesting. I was working with some routers where WG worked, but those tunnels did not have local IP addresses assigned to the WG interfaces. They used static routes to forward traffic, and instead of an IP address the route contains the WG interface name. How is it that it works? And is that a good approach, to not have local addresses assigned to WG interfaces?

  • @jeytis72
    @jeytis72 2 years ago

    Last thing, if you don't mind. Would there be any particular problem with setting up a, say, hybrid WireGuard network, consisting of a S2S one (like site A and site B in your video above) and a few 'road warrior' clients which want to connect to the server network (site A)? Thanks

  • @XZIBIT256
    @XZIBIT256 a year ago

    what are the firewall/nat rules we need to use in order to connect from our phone to our router and access the internet via the tunnel?
    could you export that part of the config?

  • @petrsvojanovsky5192
    @petrsvojanovsky5192 a year ago

    The UDP 13231 shall be "chain=input" right? Because we access the router itself, the router is the server...

  • @istvankiraly9841
    @istvankiraly9841 2 years ago +1

    Great video, .. thanks

  • @chlins
    @chlins a year ago

    In my case, I have several users who access their devices remotely. I would like to know how to configure all of them in a more practical way, similar to OPENVPN. I would send a file which the user would import into the application, and then it would be configured automatically

    • @TheNetworkBerg
      @TheNetworkBerg a year ago +1

      Should be able to configure something like this using scripting. Where it can export the data into whatever format you want to use to import back into a wireguard client or something. Practical but also a lot of additional curves.

  • @peps1k998
    @peps1k998 2 years ago

    Hello, nice video. What is the name of the service where you draw the diagram?

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago

      Sure, I make use of a free tool on draw.io
      You access this directly from the web and it saves your diagrams to many repos like Google Drive, Git or even on your local machine
      Very handy and is just as useful, if not more so, than Visio.

  • @vadym_t
    @vadym_t a year ago

    very useful guide!

  • @amirhassanyaghoubi5104
    @amirhassanyaghoubi5104 a year ago

    Hi, I'm a real rookie with MikroTik, so I tried so many times to run WireGuard between my router and iPhone; unfortunately I don't have send and receive data. Could you please tell me how I can run it? Very appreciated

  • @constantin286
    @constantin286 a year ago

    Hi there. Just a little confused re: a Firewall rule you set at 16:27 on Site B as well as 17:26 on Site A. In your narrative, you describe the need to set the chain parameter to input, but in the video, the Site A firewall rule chain is set to "forward". I presume "input" would be correct?

    • @TheNetworkBerg
      @TheNetworkBerg a year ago +1

      Input is correct yes, any traffic relating to the router being the destination will use this chain

    • @constantin286
      @constantin286 a year ago

      @@TheNetworkBerg Thank you! Unlike my ham-fisted attempts to follow your recipe with IPSEC, the Wireguard tunnel works like a champ. Thank you! Could one further increase security re: the input chain by creating an address list of allowed peers and only allowing connections from same? Or, use the brute-forcing-prevention example for SSH on the Mikrotik site to black-hole IP addresses once multiple login attempts on the WireGuard interface have failed?

    • @TheNetworkBerg
      @TheNetworkBerg a year ago

      @@constantin286 for the address list option yes, you could create a list and then use that in your firewall rule as the src-address list and the advanced/extra options.
      As for the brute force prevention thing, I really don't know. In theory I can't see why it wouldn't work, but I have never tried configuring it that way before. So would have to test it out for yourself and see if it works the way you want it to.

  • @jeytis72
    @jeytis72 2 years ago

    I didn't understand what the WG-INET1 and WG_INET2 routers are exactly for? Wouldn't it be just fine to connect the SITE A and SITE B routers to the "NET" item? Thanks

  • @shahabzali6190
    @shahabzali6190 a year ago

    Thanks

  • @spectrumusername
    @spectrumusername 2 years ago

    My network is behind an ISP DMZ. All ports are dumped to my router. Can't seem to get any VPN to connect. Would be nice if you made a video on how to do an EoIP tunnel or WireGuard through a DMZ.

    • @Anavllama
      @Anavllama 2 years ago

      It should work then, as if you think about it logically a client connecting to the public IP address of your ISP router on that port would get sent to your router. Thus it will work and most likely there is something else missing in your configuration which is the issue.

  • @Garethuk2006
    @Garethuk2006 6 months ago

    I have an EOIP tunnel between two of my Mikrotiks, the remote end doesn't have any local addressing just a bridge with the VLANS, and clients get a DHCP lease across the default vlan on the tunnel. Can this same setup be achieved with wireguard?

  • @ayadwalid680
    @ayadwalid680 a year ago

    Thank you,
    My idea: I want to connect my site A to a mobile "Android" like a VPN site-to-remote.
    On the mobile I also downloaded the WireGuard application, and the VPN connects to the WireGuard server with "Tx,Rx", but I can't access my local server from the mobile !!?
    What's the problem?

  • @lakromani8172
    @lakromani8172 2 years ago

    Another nice video, but I have some question. At 19:50 you enter this address 192.168.149.152, but I do not see it in your diagram. (All used IP must be on the diagram). If this is the site C outside router IP and this is a road warrior, you should specify interface instead if IP. At 20:20 you get a different listen port than 13231 and you do not change it. Is it ok with different port on each side?

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago

      That IP at 19:50 is really just my "normal internet", you can think of that as your LTE, or your ISP's router. The listening port is really only relevant if you are specifying the endpoint details on both ends. If only one device initiates the connection the server can figure out what the listening ports/endpoint-address is from the wireguard packets received in the initial peering process.

    • @Anavllama
      @Anavllama 2 years ago

      Concur, the work at 19:50 seems unnecessary?

    • @Anavllama
      @Anavllama 2 years ago

      @@TheNetworkBerg Hmmmmm. One should already have a default route existing at site C, to ping check the endpoint, assuming you have added a default route in IP DHCP settings or PPPoE settings. If not, then one needs to create a default route 'add dst-address=0.0.0.0/0 gateway=ISP-GW-IP routing-table=main' as you will need that WAN route up to get the initial WG handshake later. I don't see the point of the 'cute' temporary route to see if the endpoint can be pinged when it would be covered by the existing default route or a manually created route anyway.
      Perhaps it will still work to keep this temp route as the only route for the ISP, but I am not savvy enough to know how this would affect DNS or ISP connectivity, probably fine.

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago

      Not completely, this setup assumes that you want to route all internet traffic via your wireguard tunnel. You will still need to define a static route out to your normal internet path with the wireguard's dst-address for it to work correctly. If you only have a 0.0.0.0/0 route pointing traffic to your wireguard interface nothing will connect at all.

    • @lakromani8172
      @lakromani8172 2 years ago

      @@TheNetworkBerg Yes, but you still have not explained where the IP 192.168.149.152 is on the diagram. WG-INET2 ether1? ether2?? And since it's a road warrior and you do not know the IP, how do you set it up generically?

  • @henrikmller852
    @henrikmller852 a year ago

    Where does one find the public IP for the MikroTik router? Say if you wanna just use a phone to WireGuard "home" to your router?

  • @spotfixke7390
    @spotfixke7390 2 months ago

    How do I use WireGuard to access routers remotely using the API?

  • @pedro_8240
    @pedro_8240 9 months ago

    I can't, for the life of me, get this to work.
    I tried the configuration example from MikroTik, from the second link, before coming here; I then tried following your video, nothing again.

  • @rootlocalhost7530
    @rootlocalhost7530 2 years ago

    How to troubleshoot/make Site C (road warrior) talk to master Site B if there is a problem with NAT and the main modem/router at home is confused due to IPs being on 192 for all MikroTiks?

  • @arlenreyes4283
    @arlenreyes4283 5 months ago

    How can you use one site as an exit node (route all traffic)?

  • @locusm
    @locusm 2 years ago

    This works, I found the MikroTik documented steps don't work.

  • @michalpavlikpb
    @michalpavlikpb a year ago

    Hi The Network Berg. I'm trying to configure Site-To-MultiSite (20+) WireGuard .. with OSPF, but with no luck .. Is it possible? I need to route all networks at all sites ... (IPsec + L2TP work ..) firewall will block unnecessary communication ... Thanks

  • @DanelSwitalski
    @DanelSwitalski a year ago

    Hello, is it possible to short circuit S2S with NAT?
    probably not but I wanted to ask
    Regards
    Daniel

  • @tpklge
    @tpklge a year ago

    My PCs in site B simply don't ping a PC in site A. But the MikroTiks ping each other in WinBox. I simply don't understand why!

  • @KumaMech
    @KumaMech 2 years ago

    How would one get site B's listening port to be random on every reconnection? I have a setup similar to the one in the video, with a central MikroTik WireGuard server that has a static public IP address and all ports available to the MikroTik router, while site B is a MikroTik router that constantly moves around changing internet connections supplied through other routers (double NAT). The other devices and what ports they use are unknown to me and I do not want to create a conflict. I have been running this setup with OVPN for a while now (only complaint is performance) and noticed the clients will always use random source ports, constantly changing until they get a connection. The MikroTik WireGuard client will only use the source port that I specify and doesn't look like it will deal with a port conflict issue for reply traffic. Am I missing something?

  • @woo5elementstaichihunggar684
    @woo5elementstaichihunggar684 2 years ago +1

    How to troubleshoot if the NATing problem is not letting Site B talk to Site A? Like, you can see that Site A is transferring data but Site B is not talking back to Site A?

  • @ShaneFromSA
    @ShaneFromSA a year ago

    Is there a way to do site C but have Site A be on dynamic DNS, so you can't have that static route to A?

  • @aussaresthepnarin2438
    @aussaresthepnarin2438 9 months ago

    If we have internet 1000/1000 on both sides, what is the maximum speed possible?

  • @jpcapobianco1979
    @jpcapobianco1979 a year ago

    Is it possible to make SITE A (router server) connected to SITE B (router client), and then make another WireGuard interface on SITE A (server) with a client-to-site connection to a Windows PC (the Windows PC needs to reach the LAN of site B)? Is it possible? I mean a site to site with ROUTER A and ROUTER B, and then a client PC connected with router A needs to reach router B's LAN.

  • @jeytis72
    @jeytis72 2 years ago

    Hi. I didn't understand what exactly WG-INET1 and WG-INET2 routers are for. Wouldn't connecting SITE_A and SITE_B routers directly to the "NET" item be just fine? Thanks

    • @TheNetworkBerg
      @TheNetworkBerg 2 years ago +1

      They are there to give "Public" addresses to the CPEs sitting behind them. Think of them as the ISP router that you have no control over. Not needed but I also don't want people to think that ALL CPEs are also just directly connected. This is a much truer representation of how stuff would connect over the internet

    • @jeytis72
      @jeytis72 2 years ago

      @@TheNetworkBerg ah ok; they 'work' as they were ISP routers. Got it thanks

    • @mikkio5371
      @mikkio5371 2 years ago

      @@TheNetworkBerg ok thanks

  • @back2basics512
    @back2basics512 a month ago

    Hi there, what if my ports are blocked by my ISP? Can this still work if I put my WAN address as my endpoint?

    • @TheNetworkBerg
      @TheNetworkBerg a month ago

      You could change the ports to something your ISP does not block to connect on. You can set the listening port to whatever you want it to be for the service.

    • @back2basics512
      @back2basics512 a month ago

      @@TheNetworkBerg Ah thanks man, I'll give it a try. I never saw you making a video on blocking websites and how to allow only YouTube to a certain IP address

  • @leonardaltamura3649
    @leonardaltamura3649 2 years ago

    BTW, Nice new look.

  • @uddhavgajare
    @uddhavgajare 8 months ago

    Hey, I have tried everything but still got no success using wireguard. Can you personally help a bit?

    • @TheNetworkBerg
      @TheNetworkBerg 8 months ago +1

      What seems to be wrong, are you getting any errors?

    • @uddhavgajare
      @uddhavgajare 8 months ago

      @@TheNetworkBerg Really appreciate your reply, I made it work. I am not sure what the issue was, but setting persistent keepalive somehow made the handshake, or I am wrong idk, but it is working as expected.

    • @TheNetworkBerg
      @TheNetworkBerg 8 months ago +1

      No, that seems to be a thing now, where you must specify a keepalive; I have also encountered this before. Probably happened after some update where it was made into a requirement

    • @uddhavgajare
      @uddhavgajare 8 months ago

      @@TheNetworkBerg Noted!! Much Love

  • @SohaibKhanLodhi
    @SohaibKhanLodhi a year ago

    I have bandwidth 500 Mb up and down on both sites. Bandwidth test gives almost 500 Mb up and down. But in browsing, speedtest gives almost 400 Mb down but upload is not more than 30 Mb. Any idea how I can troubleshoot?

  • @TheLuizguedes
    @TheLuizguedes 4 months ago

    WireGuard MK1 and WireGuard MK2 with an Android client, I have access to both local LANs (0.1/24 and 4.1/24). But WireGuard site-to-site with MK1 and MK2 cannot access the local LAN. PC (0.8) on MK1 doesn't access PC (4.5) on MK2. Any help?

    • @ramzangelaev3023
      @ramzangelaev3023 4 months ago

      Write routes to each local network correctly.

  • @dionesaturn9092
    @dionesaturn9092 2 years ago

    Problem with this VPN solution is that it requires having both sides configured with specific IPs and it will not work with dynamic IPs.

    • @TheNetworkBerg
      @TheNetworkBerg  2 years ago

      Not true, Site B & Site C are working as NATed connections and are initiating WireGuard connectivity to Site A on its publicly reachable address. As shown in the video, Site A did not use any of the remote sites' endpoint details to create a peer.
      Only one side's WAN address needs to be known. That site will in turn receive WireGuard packets with the relevant src address and listening port to successfully create the peer.

    • @Anavllama
      @Anavllama 2 years ago

      NB is correct, in fact BOTH ends can have dynamic public IPs. If you had read the reply to the question above, repeated here, the question was already answered. What is key is as long as the public IP is reachable (static or dynamic has nothing to do with it).
      "Using wireguard is PREDICATED upon at least ONE END having a REACHABLE PUBLIC IP (static or dynamic). It does not have to be the MT router or device you are using AS LONG AS the Router in front of the MT device can forward a port to the MT device. One can also get creative. Let's say I have two MT devices behind other routers and no way to forward ports, basically screwed. One can still get a cloud based server to run MT RoS and connect both of your devices (as clients) to the CLOUD instance via WIREGUARD, and ipso facto you are not connected from MT device to MT device"
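
Added example (not the video's own configuration, and not any commenter's): the hub-and-spoke layout the two replies above describe, with only Site A holding a reachable address, written out as RouterOS v7 commands. It also carries the persistent-keepalive setting from the handshake exchange earlier in this thread. The interface names, the 10.255.0.0/24 tunnel network, the three LAN prefixes, the listen port, the DDNS name hub.example.net and the key placeholders are all assumed values.

```routeros
# Added example, not the video's configuration. Constructed addressing:
# tunnel 10.255.0.0/24, Site A LAN 192.168.1.0/24, Site B LAN 192.168.2.0/24,
# Site C LAN 192.168.3.0/24. Keys and the hub's DDNS name are placeholders.

# ---- Site A (hub): the only site that needs a reachable public address ----
/interface wireguard add name=wg-hub listen-port=13231 mtu=1420
/ip address add address=10.255.0.1/24 interface=wg-hub
# No endpoint on these peers: the hub learns each spoke's current public
# address:port from the first authenticated handshake it receives.
/interface wireguard peers add interface=wg-hub public-key="<SITE_B_PUBLIC_KEY>" \
    allowed-address=10.255.0.2/32,192.168.2.0/24 comment="Site B (NAT/dynamic)"
/interface wireguard peers add interface=wg-hub public-key="<SITE_C_PUBLIC_KEY>" \
    allowed-address=10.255.0.3/32,192.168.3.0/24 comment="Site C (NAT/dynamic)"
# The listen port must be reachable from the WAN, so the accept rule has to
# sit above the default input drop.
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept \
    comment="WireGuard from spokes" place-before=0
/ip route add dst-address=192.168.2.0/24 gateway=wg-hub
/ip route add dst-address=192.168.3.0/24 gateway=wg-hub

# ---- Site B (spoke): behind NAT, its WAN address may change at any time ----
/interface wireguard add name=wg-spoke listen-port=13231 mtu=1420
/ip address add address=10.255.0.2/24 interface=wg-spoke
# endpoint-address may be a DDNS name; persistent-keepalive keeps the NAT
# mapping open so the hub can still reach this site while traffic is idle.
/interface wireguard peers add interface=wg-spoke public-key="<SITE_A_PUBLIC_KEY>" \
    endpoint-address=hub.example.net endpoint-port=13231 \
    allowed-address=10.255.0.0/24,192.168.1.0/24,192.168.3.0/24 \
    persistent-keepalive=25s
/ip route add dst-address=192.168.1.0/24 gateway=wg-spoke
/ip route add dst-address=192.168.3.0/24 gateway=wg-spoke
# Site C is the same as Site B with 10.255.0.3/24 and its own LAN prefix.
```

The hub never needs to know where Site B or C is: the first authenticated packet from a spoke fills in that peer's endpoint, and the keepalive keeps the NAT mapping alive so the hub can initiate toward the spoke later. Every remote prefix still has to appear in the peer's allowed-address on both ends, because WireGuard drops decrypted packets whose source is not listed for that peer, which is the usual cause of "ping to the tunnel address works but the LAN behind it does not".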

  • @loidelcabezariveron563
    @loidelcabezariveron563 2 years ago

    Hello friend, I have a question to which I have not found an answer. I need to know if WireGuard in MikroTik does not have any method to add src.address.

    • @TheNetworkBerg
      @TheNetworkBerg  2 years ago

      I'm not aware of any src.address option, what are you trying to accomplish? Do you want the tunnel to be sourced from a specific WAN address?

    • @loidelcabezariveron563
      @loidelcabezariveron563 2 years ago

      @@TheNetworkBerg Yes friend, what I want is to connect to two dynamic WLAN interfaces, adding two WireGuard clients that come from a CHR which has a single public IP, and it gives me conflicts.

  • @GHOSTRIDER5666
    @GHOSTRIDER5666 2 years ago

    Does this work if I have a WireGuard Server and want to use the router as the client?

    • @TheNetworkBerg
      @TheNetworkBerg  2 years ago

      Yes, you can use this on a router as a "client"

    • @GHOSTRIDER5666
      @GHOSTRIDER5666 2 years ago

      @@TheNetworkBerg do I use the same steps?

  • @khalidmehmood-vt4fe
    @khalidmehmood-vt4fe a year ago

    Sir, if I activate fasttrack, WireGuard does not work.

    • @TheNetworkBerg
      @TheNetworkBerg  a year ago

      Yes, you need to either disable fasttrack or have separate rules above the fasttrack rule that allow WireGuard access.

    • @khalidmehmood-vt4fe
      @khalidmehmood-vt4fe a year ago

      @@TheNetworkBerg Sir, the ISP gives 250Mbps speed. If I enable fasttrack it gives me the full 250Mbps, but WireGuard does not work; if I disable fasttrack WireGuard works, but the speed is 180Mbps, even though I separated 2 mangle rules for WhatsApp calls.
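
Added example, not from the video: the rule ordering the reply above describes, so fasttrack stays on for LAN-to-WAN traffic while tunnel traffic is accepted before it. The interface name wg-site, the listen port 13231 and the comment used to locate the fasttrack rule ("defconf: fasttrack", which is what the RouterOS default configuration uses, but check your own rule set with /ip firewall filter print) are assumptions.

```routeros
# Added example, not the video's configuration. Assumes a tunnel interface
# named wg-site and the default firewall, whose fasttrack rule carries the
# comment "defconf: fasttrack" (an assumption; verify it on your router).

# 1. Tunnel packets addressed to the router itself (handshake and data on the
#    listen port) must get past the WAN input drop.
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept \
    comment="WireGuard UDP" place-before=0

# 2. Accept traffic entering or leaving the tunnel BEFORE the fasttrack rule.
#    Fasttracked packets bypass the remaining filter and mangle rules, which
#    is why the tunnel stops working once fasttrack catches its connections.
/ip firewall filter add chain=forward in-interface=wg-site action=accept \
    comment="allow from WireGuard" place-before=[find comment="defconf: fasttrack"]
/ip firewall filter add chain=forward out-interface=wg-site action=accept \
    comment="allow to WireGuard" place-before=[find comment="defconf: fasttrack"]

# 3. Everything else still hits the fasttrack rule, so plain LAN<->WAN flows
#    keep their full speed. Confirm the order before trusting it:
/ip firewall filter print where chain=forward
```

The price is that tunnel traffic is handled by the normal (slower) path, which is expected: the encrypted flows still need to traverse the tunnel interface and any MSS or mark rules, and fasttrack would skip exactly those.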

  • @chesalazar1315
    @chesalazar1315 a year ago

    Why is mine not working?

  • @thongchaipunjunta3084
    @thongchaipunjunta3084 a year ago

    Thank you so much

  • @vitaliypro8441
    @vitaliypro8441 5 months ago

    Have you considered making a newer video reflecting the latest changes? There is quite a difference in the Peer tab: in addition to the public key it's also asking for a private key.

    • @TheNetworkBerg
      @TheNetworkBerg  5 months ago

      Might definitely need a slight update for the current v7 setup.

    • @vitaliypro8441
      @vitaliypro8441 5 months ago

      @@TheNetworkBerg Let me know if you're interested in creating a tutorial in a real-life environment instead of a virtual lab. I can give you full access to my router.

  • @makeitcloudy
    @makeitcloudy 9 days ago

    Hey! I am just wondering: if you have one bridge, and would like to stick with one bridge only, and have dozens of other VLANs in your lab network, how do you configure it so that your WireGuard traffic goes inside a separate VLAN like all your other traffic? How do you logically bind it together, when executing this:
    /interface wireguard add name=int-wireguard-FirstTunnel listen-port=20202 mtu=1420
    /ip address add address=10.20.30.252/30 interface=int-wireguard-FirstTunnel
    /interface bridge vlan set bridge=bridge-all-vlans vlan-ids=134 tagged=bridge-all-vlans untagged=int-wireguard-FirstTunnel
    the last command throws this error: input does not match any value of interface
    When I run: interface/ print
    the interface is listed.
    When I try to add the interface to the bridge via the GUI, there is no evidence of the interface on the lists, so I just cannot add it.
    On the other hand, I have not seen an option to somehow bind the VLAN with the WireGuard interface. I'm puzzled.
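
Added note and example, not from the video or from the comment above: the last command fails because a WireGuard interface is a routed (layer 3) interface, not an Ethernet-like port, so RouterOS will not accept it as a bridge port or as a tagged/untagged member of a bridge VLAN. The tunnel is tied to a VLAN by routing between the tunnel and a VLAN interface on the bridge, not by bridging. The VLAN subnet 10.134.0.0/24, the trunk port ether2, the remote prefix 192.168.50.0/24 and the interface-list name are constructed values; the tunnel name and its /30 are the commenter's.

```routeros
# Added example, not from the video or the comment. Constructed values:
# bridge "bridge-all-vlans", VLAN 134 as the tunnel-facing network
# (10.134.0.0/24), trunk port ether2, remote LAN 192.168.50.0/24.
# Tunnel name and 10.20.30.252/30 are taken from the comment above.

# 1. The VLAN lives on the bridge as a routed interface; the tunnel is not
#    a bridge port and cannot appear in tagged= or untagged=.
/interface vlan add name=vlan134-wg interface=bridge-all-vlans vlan-id=134
/ip address add address=10.134.0.1/24 interface=vlan134-wg
/interface bridge vlan add bridge=bridge-all-vlans vlan-ids=134 tagged=bridge-all-vlans,ether2

# 2. The tunnel keeps its own /30; the router routes between the two.
/interface wireguard add name=int-wireguard-FirstTunnel listen-port=20202 mtu=1420
/ip address add address=10.20.30.252/30 interface=int-wireguard-FirstTunnel
/ip route add dst-address=192.168.50.0/24 gateway=int-wireguard-FirstTunnel

# 3. "Bind" them logically with firewall policy: only VLAN 134 may forward
#    into the tunnel, and tunnel traffic may only reach VLAN 134. These rules
#    need to sit above any general forward accept/drop you already have.
/interface list add name=WG-ALLOWED
/interface list member add list=WG-ALLOWED interface=vlan134-wg
/ip firewall filter add chain=forward in-interface-list=WG-ALLOWED \
    out-interface=int-wireguard-FirstTunnel action=accept comment="VLAN 134 -> tunnel"
/ip firewall filter add chain=forward in-interface=int-wireguard-FirstTunnel \
    out-interface=vlan134-wg action=accept comment="tunnel -> VLAN 134"
/ip firewall filter add chain=forward out-interface=int-wireguard-FirstTunnel \
    action=drop comment="no other VLAN into the tunnel"
/ip firewall filter add chain=forward in-interface=int-wireguard-FirstTunnel \
    action=drop comment="tunnel cannot reach other VLANs"
```

The remote peer's allowed-address must then include 10.134.0.0/24 (and this side's peer entry the remote prefix), otherwise the routed packets are dropped at the tunnel even though the firewall permits them. Keeping the other VLANs out of the tunnel in the filter, rather than relying on routing alone, is what gives you the "separate VLAN" isolation you are after.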

  • @somchais6071
    @somchais6071 2 years ago

    What's your tool for network simulation in 192.168.149.157/legacy?

    • @TheNetworkBerg
      @TheNetworkBerg  2 years ago +1

      It's called EVE-NG. You can check how to install this on VMWARE Player on this playlist that I created here:
      th-cam.com/play/PLJ7SGFemsLl1ZSsdcdYqeCFDM71dz97XS.html

    • @somchais6071
      @somchais6071 2 years ago

      @@TheNetworkBerg Thank you.

  • @付卓-x8s
    @付卓-x8s months ago

    Thanks, it's very clear! Ping succeeds, but when I try to SSH to each other over the WireGuard tunnel, login fails.
    For example, SSH to SITE_A from SITE_B with /system/ssh 192.168.32.1 user=admin; also Winbox from SITE_B to SITE_A will get stuck at login, downloading descriptors.

    • @TheNetworkBerg
      @TheNetworkBerg  months ago +1

      Most likely it is caused by MTU. WireGuard has some quirks as well, since the tunnel usually runs at 1420 MTU; you could try to adjust MSS with clamp-to-pmtu for traffic that leaves over the tunnel. If it is caused by MTU, this will resolve it.
      You can check out this part of another video on how to create the MSS rule:
      th-cam.com/video/v2m7DGlS0v4/w-d-xo.htmlsi=CZXR9jGjn8CtvKEU&t=1681

    • @qiudaomao
      @qiudaomao months ago

      @@TheNetworkBerg I changed MSS to 1205; it looks like it works, at least from one direction.
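
Added example, not the video's rule set: the MSS clamp the reply above recommends, written out for both directions of transit traffic (the "only one direction works" result above is what a single rule gives you), plus an output-chain rule for sessions the router itself opens over the tunnel, which is the /system/ssh case in the question. The interface name wg-site is assumed.

```routeros
# Added example, not the video's rule. Assumes the tunnel interface is named
# wg-site and runs at WireGuard's default 1420 MTU, so a 1500-byte TCP segment
# built on the LAN no longer fits once the tunnel adds its overhead.

# Transit traffic (LAN behind one site <-> LAN behind the other), both ways.
# clamp-to-pmtu rewrites the MSS in each SYN to what fits the path; for a
# 1420-byte IPv4 path that is 1420 - 20 (IP) - 20 (TCP) = 1380.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn out-interface=wg-site \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="MSS into tunnel"
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn in-interface=wg-site \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="MSS out of tunnel"

# Sessions the router itself originates over the tunnel (/system/ssh to the
# remote router) never pass the forward chain, so clamp them in output too.
/ip firewall mangle add chain=output protocol=tcp tcp-flags=syn out-interface=wg-site \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes comment="MSS router-originated"

# Verify: the counters on these rules increase whenever a new TCP session
# crosses the tunnel; if they stay at zero the rules are not being hit.
/ip firewall mangle print stats where comment~"MSS"
```

Ping succeeding while SSH or Winbox hangs is the classic signature of this problem: small ICMP packets fit through the tunnel, while the first full-size TCP segment of the session is silently lost. Apply the same rules on the router at the other end so that SYNs originating there are clamped as well.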

  • @thongchaipunjunta3084
    @thongchaipunjunta3084 a year ago

    Thank you so much