Some reference material and useful links: MikroTik Wireguard Docs: help.mikrotik.com/docs/display/ROS/WireGuard Wireguard Docs: www.wireguard.com/papers/wireguard.pdf Wireguard Ubuntu Setup: www.thomas-krenn.com/en/wiki/Ubuntu_Desktop_as_WireGuard_VPN_client_configuration

IPSec road warrior sound like a awesome next video ! Thanks again for a great upload ! Have a good evening

absolutely the best MK WG manual. great job. thank you.

Wow. On your video it works without add any firewall rule (e.g. masquerade) for access to LAN. It's really shocking. 👍

An important thing to note is that if you want to reach out to hosts inside the subnet(s) that are connected to the wireguard server (the router) from your wireguard roadwarrior peers, you need to srcnat the range of your wireguard subnet on your router otherwise, the only thing you’re going to reach through the tunnel is the router itself and the internet. Since my main goal with the tunnel was reaching my remote desktops and services at home, this was key to a working setup. The other very important step is to allow the wireguard udp port through your input chain early on so the connection can establish successfully.

thank you and i am your student . i did sstp ,l2tp and wireguard VPN on my pc and mikrotik router as server . trust me the BW test i got on each test . wiregaurd is by far the best. without vpn speed is 80/80M, l2tp 11/4M ,SSTP 6/13M and wiregaurd 27/21M. wow !!

Thanks, the actual setup worked fine. But the setup video only makes Wireguard tunnel accessible from the local network. IMO, it defeats the purpose of road warrior setup. To make it accessible from the WAN. I had to add this firewall rule: chain=input action=accept protocol=udp in-interface= dst-port= Add this rule and move it in number one place of your firewall rules. AFAIK, Wireguard has in-built protection against port-scanners, so you would be fine here. I tested with an online open port checker and my WG port was displayed as closed. Just for assurance don't use WG's default port. P.S: If you'd like to access your Mikrotik's webfig and Winbox settings through Wireguard tunnel. Make sure to add this rule and put it under the 'Wireguard Port' rule: chain=input action=accept protocol=tcp in-interface= dst-port=80,8291

I found out what the problem was. I had a firewall NAT rule for my phone server for ports 2000-65000 UDP and this clashed with wireguard UDP 13231. So i changed wireguard to a port below 2000 and it works fine! Thanks!

Covering third party vpn setup could be a useful video, sure to get lots of hits............. Juice it up by adding road warrior connection person A, using your main router internet as you have just demonstrated and road warrior connection person B, tunneling in and using the 3rdparty wireguard VPN tunnel (and not the main ISP internet).

/32 for the peers, now it's working, thanks again!!!

Thanks for the Video, Lovely I must say. Someday I want you to do some video on user manager for ISP set up to manage data volume for WISP. Using Mikrotik router as the core device

Another good video. You should note that it would help to have control of alle the peer by adding a comment to them. No one knows what an IP is. You can use netwatch to monitor the stateless Wireguard.

The need for a adblocker on your browser is real! haha Great little tutorial though! Need to setup and test mine too

Hi! great video, big learning process! Could you make a WG setup with a firewall rules (no production setup is been done without the proper fw rules)? tx

Nice video thank you ! For quick and easy LAN access through the wireguard tunnel, if I'm correct, you can add the wireguard interface in the default "LAN" interface list.

Thank you for sharing knowlegde! Great and straight to the point :) I'm wondering if you could make a video wireguard setup on a mikrotik - then connect ether1 to internal network - and then share that wireguard connection to port 2-5. Then several PCs, TV/netflix etc can share the vpn connection. Possible?

8:12 You can give the Clients also a /24 Address. MikroTik doesn't automatically setup routes for the AllowedIPs i think/know.

did everything exactly as mentioned in the video... unfortunately could not get it to work anywhere.. not even on local network :(

I saw this on your LinkedIn, Kindly do a tutorial (mikrotik & cisco) on these - Configuration of traffic engineering with features such as QoS, CoS, ToS, and Traffic Queues. - Configuring advanced features such as traffic manipulation through services such as route-leaking

Loved the video!!! I did tried but I noticed that something was missing. I had to add a Firewall rule for the input chain to allow the UDP port 13231

Thanks!

I'm interested in setting up an ultimate road-warrior, portable Access Point. The goal is to have a mikrotik device, that I can travel with. That device should have several ways to connect to any internet uplink - of course, all of them by default disabled, and I'd enable whatever I have at my disposal - sometimes, I'd put a SIM card in, sometimes I'd connect to hotel WiFi and sometimes, I'd simply plug in an ethernet cable. On the other side of this device, I'd have it spread 3 WiFi networks. One would allow me to reach internet directly + all my self-hosted services at home via a wireguard tunnel. The second WiFi would tunnel all traffic through wireguard tunnel. And the third, would only share the internet uplink (this WiFi I'd share with the friends I'm travelling with). I'm thinking on what would be the best approach to achieve this. Any suggestions?

Quick question I am able to connect with an android device to my router with Wireguard, I have the available addresses set to 0.0.0.0/0 on the android and can access the internet through the WG connection and other IP's on the network that my MT is connected to but cant access the mikrotik or anything on the local network of the MT itself. Checked all firewall rules and nothing there blocking input from WG ip's any ideas?

From client device hdandshake not working. Public key at both end are okay. What could be problem?

I would be most grateful if someone would kindly explain the /24 /32 masks in more detail. I think I understand why this is, but not really. Why does /24 on the warriors break the setup? How exactly does it break it? Thanks in advance :)

Can we do a IPsec or wireguard setup same as NordVPN to only push certain devices (Apple TV) over the VPN to bypass restricted content. Maybe with a hosted ROS in linode? Using Mikroik as the client device.

Kindly post a video tutorial of this senarrio I have wireguard vpn server on my ubuntu server and i want to connect my mikrotik as wireguard client

i like it

Great video

Thanks for manual! What would be the difference in connection logic if made server on two sides? Like point A would be 10.1.1.1, point B 10.1.1.2, and on both sides I would create opposite peer with endpoint etc.

How could client provisioning become more automated? I tried to set allowed ips to the /24 subnet and tried to setup a DCP server on Mikrotik. But the interface is not listed there. OTOH it might not make sense, because you already need to have an allowed IP, when connecting to MT server. Wonder how to aproach that topic ....

I have an issue with this configuration. I can not connect via remote desktop client. I can see the Windows Logon Screen but when I enter the credentials it says that user or password are wrong. I created dst-nat rule to access the Windows Server directly via intenet and I can connect with no issues. I´ve found this NAT rule that was causing me the issue: chain=dstnat action=dst-nat to-addresses=192.168.x.103 to-ports=3389 protocol=tcp dst-port=3389 log=no log-prefix=""

Can you do another video showing S2S VPNs? The use case is one side working as a server with a public IP (Static or dynamic) and the client side behind a NAT (i.e., CGNAT). Your other video assumes that you have each endpoint's IP address but that configuration doesn't work for this use case

Can you show us the firewall setup for WireGuard? Would it be in the Input chain or the forward? Filter list or nat list?

If you didnt want the WG to be the default route I assume you add all the subnets behind the WG server to allowed-ips on the client?

hello i have wireguard site to site How do I get a public IP address from Site B to Site A? thanks

Hello again, The Network Berg, thank you for this video, but it will be nice to see this case with the mobile device between two Mikrotik A and B routers, which is connected site to site via IPsec. And when C (android or iphone) are connected, get access to both LANs of router A and B. Is this possible? Here is the scheme: |C - Mobile| | |Wireguard or | IPsec IKEv2 | |A - Router1| |B - Router2|

Do you know why my mikrotik-wireguard interface is in italics? Also, in IP->Addresses, the IP Address I setup for wireguard says 'Invalid' as it is in red writing.

How do you find the Endpoint IP on your MikroTik?

Quick update it's no longer 'public.key' it's just publickey

3 weeks ago I was using L2TP and PPTP. After watching your video I set up Wireguard and have installed and configured in many Mobiles and Windows PCs. I have been using it for 3 weeks and I am not satisfied. I noticed that the speed is less than what I had. So I decided not to use it anymore.

why mine is not working

This sadly did not work. It may be due to the firewall filter rules i am not sure. I tried to add a rule but it didn't work. add action=accept chain=input comment="Wireguard 13231 port allowed" \ dst-port=13231 in-interface=ether1 protocol=udp

Why does WireGuard using Dragon logo- just wondering...

We've configured WireGuard on all our Mikrotik routers in a site-to-site configuration. We have one site setup with the server configuration and the other sites connect to it. All the sites can see each other and the devices at each site. We are trying to create a Road Warrior config that will enable remote users to access resources on the various subnets. We are unable to get the Road Warrior client to see any other subnet other than the subnet the WireGuard server is on. Any ideas?