MikroTik RouterOS and WireGuard for Road Warriors.
Configuring a MikroTik router with WireGuard to enable remote access to home lab resources.
MikroTik RouterOS and WireGuard for Road Warriors.
As the world starts to open back up, I find that I am traveling more, but I still need access to my home network and Lab equipment for demos and testing. I have tried various VPNs over the years including OpenVPN and ZeroTier and IPsec. These all worked well, but required running a separate server to handle the VPN termination, and were difficult to configure and maintain. In 2020, a new player entered the ring called WireGuard. If you don’t know what WireGuard is, here is how WireGuard describes itself:
WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache.
As I looked at my home lab/network I decided that I wanted to run my VPN service from my primary router. My choice of home router is the MikroTik RB3011. This router supports a few different options when it comes to VPNs, and with the release of MikroTik RouterOS 7, WireGuard has been added as a native VPN service.
This blog post will talk about how to configure MikroTik 7.5 in a “Road Warrior” configuration. A “Road Warrior” configuration allows you to connect into your remote network (in this case my home lab) from any Internet connection, and route ALL traffic through the remote (home) network. This not only gives you secure access to your home network and resources, it also ensures that my network access can not be intercepted by third parties.
Dynamic DNS Host Name - we will configure one below, or you can use an existing DDNS host name
We will configure RouterOS using the RouterOS command line. You can access the command line from either the Web UI or by connecting to to your router via SSH. I do not recommend using the WebUI to add new WireGuard clients to the system. Using the Web UI caused me two days of troubleshooting only to figure out that something in the Web UI is broken and not creating the peer entries correctly. Consider yourself warned.
Start by connecting to your RouterOS command line via ssh user@<router IP address>.
Create a Dynamic DNS Hostname
You will need a way to connect to your public IP address when you are out on the road. You can use a Dynamic DNS client to configure a host name that will always be the same but resolve to your current public IP address. MikroTik routers have built in support for creating a Dynamic DNS entry that ends in .sn.mynetname.net, or you can use any other client. If you do not have a client, here is how you enable this feature on a MikroTik router:
With the WireGuard interface created, we will assign an IP address to the interface. Note that this should be an IP on a NEW subnet, do not use an existing subnet for your WireGuard network. In the example below we will be using Network 192.168.100.0/24 and assigning the IP address 192.168.100.1 to this interface:
[admin@home] > /interface wireguard print
Flags: X - disabled; R - running
0 R name="wireguard1" mtu=1420 listen-port=12345 private-key="cBPD6JNvbEQr73gJ7NmwepSrSPK3np381AWGvBk/QkU="
NOTE: You need to ensure that you do NOT publish the “private-key” anywhere. This would compromise your security.
At this point, you are now ready for configuring your remote clients.
Configuring a Client
Install the Client
We will be using the OSX Client that can be obtained from the App Store WireGuard. The steps that we will use below can also be used for configuring other clients. The configuration file is used in most implementations of WireGuard.
Configure Your Connection
Once you have installed the WireGuard client, open the configuration tool by selecting “Manage Tunnels”. We can then create our “Home Connection” tunnel, by selecting the “+” and then select “Add Empty Tunnel”.
Start by entering a Name:, this is the name you will use later to reference this connection. Also take note of the Public Key:, we will need this shortly when we configure the MikroTik device to trust this connection.
Use the following as a template to configure your connection. Be sure you do not overwrite the PrivateKey that was generated by your client.
[Interface]PrivateKey =qLZ59foscJYkFxP4L7OFjW0fWJ3oUgfBveF3pMa8/14=Address =192.168.100.2/24DNS =<ip address of your MikroTik Router>[Peer]PublicKey =VmGMh+cwPdb8//NOhuf1i1VIThypkMQrKAO9Y55ghG8=AllowedIPs =0.0.0.0/0Endpoint =530d0391a71d.sn.mynetname.net:12345PersistentKeepalive =25
A few key entries to point out here:
PrivateKey - This is generated by the client. Do not change this or share the PrivateKey with anyone.
Address - All IPs in WireGuard are statically assigned. Pick another IP address from the network you created earlier, and make sure you don’t duplicate IPs
DNS - This should point to the DNS servers inside your network. This ensures that you do not leak information on public networks based on your DNS resolution
At this point, you can now test your connection. From the WireGuard GUI, select the tunnel configuration and click Activate. You should see Data received and Data sent start to increment.
By leveraging the WireGuard services built into your MikroTik router, you can securely connect to your home network and your home network resources. This configuration also gives you the added functionality of helping secure your Internet access when you are away from home, by leveraging your DNS servers and home internet connection for all outbound connections.