Setting up WireGuard between MikroTik and Windows
A great deal has already been written about WireGuard on the Internet, but most setup guides are cluttered with unnecessary detail. So I decided to write a few articles in "1, 2, 3" style.
In this article we set up a WireGuard connection between a Windows computer and a MikroTik router.
Note: this information is provided solely for the purpose of securing remote access.
The MikroTik must run RouterOS 7.x. For Windows, download the WireGuard client from the official site.
WireGuard has no notion of a dedicated server. Instead there are peers, one for each participant in the network. At least one peer must have a public (white) IP address so that the others can reach it; apart from that, all peers are equal and are configured in exactly the same way.
Assume the MikroTik has the public IP address 203.0.113.10 and is connected to the local network 192.168.1.0/24. The task is to reach the MikroTik (and its LAN) from a remote computer.
Create the WG interface on the MikroTik: open the WireGuard menu item and click the plus sign. In the window that appears, enter the port number (13231 by default) and click "Apply" right away. A private and a public key are generated automatically:
Write down the public key; we will need it. Then click OK.
Now assign an IP address to the interface. Any address from a private range will do, for example 10.100.100.1/24. This is done as usual under IP > Addresses:
Now do the same in the Windows client. Click "Add Tunnel" > "Add empty tunnel...". A window with a text configuration file appears. Enter a name for the tunnel here, and copy its public key as well (the private key is generated locally and never leaves the computer):
Add an IP address from the chosen subnet here:
Address = 10.100.100.2/24
Now the peers have to learn about each other. On the MikroTik, in the WireGuard window, switch to the Peers tab and add a new peer:
The fields of interest here are:
- Public Key: paste the public key copied earlier from the computer.
- Endpoint and Endpoint Port: the IP address and port used to reach the peer. If the peer has no public IP (our Windows client), simply leave them empty; the router learns the client's current address from the client's own handshake.
- Allowed Address: literally "allowed addresses", but I disagree with the name; "routed addresses" would be more accurate. Enter the IP address or list of addresses whose traffic should be sent into the tunnel (and, in the other direction, the only source addresses accepted from this peer). In the minimal case this is the peer's tunnel IP address or its subnet. From the MikroTik's side we do not need to send any other traffic into the tunnel, so that is what we do.
The result should look roughly like this:
Now to the Windows side. There we add one more section, [Peer], to the text configuration and fill in the required parameters:
- PublicKey: the public key from the MikroTik.
- Endpoint: the MikroTik peer's address. Since it has a public IP address, enter that address and the port.
- AllowedIPs: several options are possible:
  - 10.100.100.1: remote access only to the MikroTik itself.
  - 10.100.100.0/24: access to all peers in the WireGuard network (if there are more than two).
  - 10.100.100.0/24, 192.168.1.0/24: access to the MikroTik and to the devices in its LAN (our case).
  - 0.0.0.0/0: send all of the computer's traffic into the WG tunnel.
- PersistentKeepalive: keeps the connection open by periodically sending an empty packet, so that the NAT mapping in front of the client does not expire. The value is in seconds (25 is the usual choice).
The resulting configuration file looks roughly like this:
[Interface]
PrivateKey = qIFxFE916Bl7g3wQf3qvcd+jfoGd3V528ybq/1vqk0s=
Address = 10.100.100.2/24
[Peer]
PublicKey = fYzxjqDWyZOHkZnjQy+fP7fK0YoDxSDkbGOqIGl8aUU=
AllowedIPs = 10.100.100.0/24, 192.168.1.0/24
Endpoint = 203.0.113.10:13231
PersistentKeepalive = 25
Save the changes. The client window now shows the interface and peer details:
Try to connect. Do not celebrate if you see the status "Active": by itself it means nothing, since it only says the tunnel interface is up. A better indicator is the "Latest handshake" line in the tunnel details, which appears only after the two peers have authenticated each other. Then ping the remote peer (remembering that the firewall must permit ICMP). If all is well, replies come back and the client window shows traffic being sent and received:
Finally, to reach the LAN, add a src-nat rule that masquerades traffic arriving from the tunnel subnet. For example, a masquerade rule with Src. Address set to 10.100.100.0/24.
Strictly speaking, this is only needed when the LAN hosts do not use the MikroTik as their default gateway (or run host firewalls that reject the tunnel subnet); otherwise plain routing already works.
That's it: we have secure and convenient remote access to our LAN from anywhere in the world.
Note that only the public keys need to be exchanged, and leaking them is harmless. What must stay secret is the private keys. In this respect the technology is very similar to PGP.
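The point that only public keys travel between the peers deserves a concrete demonstration. The block below is an added example, not code from this article, from WireGuard or from MikroTik: it re-implements the X25519 function of RFC 7748 in plain Python (standard library only) to show how a WireGuard public key is derived from a private key (the same operation `wg pubkey` performs) and how two peers that have only ever exchanged public keys arrive at the same shared secret. The key material used at the bottom is the RFC 7748 section 6.1 test vector, not a key from this page. The implementation is written for readability and is not constant-time; keep generating real keys in the WireGuard client or in RouterOS.

```python
import base64

P = 2**255 - 19                         # field prime of Curve25519
A24 = 121665                            # (486662 - 2) / 4, Montgomery ladder constant
BASEPOINT = b"\x09" + b"\x00" * 31      # u = 9, little-endian, the generator used for public keys


def _decode_scalar(k: bytes) -> int:
    """RFC 7748 clamping; WireGuard applies exactly this to private keys."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127                        # the top bit of a u-coordinate is ignored
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (readable, not constant-time)."""
    n = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        swap ^= bit
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def b64_from_hex(h: str) -> str:
    return base64.b64encode(bytes.fromhex(h)).decode()


def wg_public_key(private_b64: str) -> str:
    """What `wg pubkey` computes: X25519(private, 9), base64-encoded."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("a WireGuard private key is 32 bytes")
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()


def wg_shared_secret(own_private_b64: str, peer_public_b64: str) -> str:
    """Static-static agreement: each side combines its own private key with the
    other side's public key and both obtain the same 32 bytes."""
    priv = base64.b64decode(own_private_b64)
    pub = base64.b64decode(peer_public_b64)
    return base64.b64encode(x25519(priv, pub)).decode()


if __name__ == "__main__":
    # RFC 7748 section 6.1 test vector (published test data, not keys from this page)
    alice = b64_from_hex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    bob = b64_from_hex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    print("Alice public key:", wg_public_key(alice))
    print("shared, computed by Alice:", wg_shared_secret(alice, wg_public_key(bob)))
    print("shared, computed by Bob:  ", wg_shared_secret(bob, wg_public_key(alice)))
```

The one-way nature of the derivation is what makes the public key safe to paste into a router or a chat: nothing in it lets anyone recover the private key, and the shared secret can only be computed by someone holding one of the two private keys.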
VPN (Virtual Private Network) is one of the most popular services in MikroTik RouterOS. Many VPN services (IPsec, EoIP, OpenVPN, PPTP, L2TP, IPIP etc.) are available in MikroTik RouterOS, but RouterOS 7 introduced a new one, WireGuard, which is extremely simple yet fast, secure and modern. WireGuard uses a fixed set of modern primitives (Curve25519 for key agreement, ChaCha20-Poly1305 for authenticated encryption, BLAKE2s for hashing) instead of negotiable cipher suites, which is a large part of why it is both small and secure.
In RouterOS 7, WireGuard can be used either as a client-server (road warrior) VPN tunnel or as a site-to-site VPN tunnel. With a client-server WireGuard tunnel, a Windows, Mac, Linux, iOS or Android user can connect to a remote network and access servers and other network devices as if seated in that network. With a site-to-site WireGuard tunnel, two remote offices can stay permanently connected across the public network and communicate with each other over the tunnel.
In my previous article I discussed how to configure MikroTik RouterOS 7 for the first time with a step-by-step guideline. In this article I will discuss how to configure a road warrior WireGuard VPN tunnel in MikroTik RouterOS 7 and then how to configure the WireGuard client in Windows 10/11.
WireGuard Configuration in MikroTik RouterOS 7 (Road Warrior)
To configure a client-server WireGuard VPN tunnel with a Windows client, we will use the following network diagram.
In the diagram, the WireGuard VPN server is configured in the office network. A WireGuard client configured on a Windows, Linux or Android device can therefore connect to the office network over a secure WireGuard tunnel and access the remote servers and other network devices.
We will now configure such an office network, where the WireGuard VPN server is a MikroTik RouterOS 7 device and a Windows client connects to it to access remote servers and other network devices.
WireGuard VPN Configuration in MikroTik RouterOS 7
The WireGuard package is enabled by default in MikroTik RouterOS 7, so there is nothing to install manually; we only need to set up the WireGuard service. To configure WireGuard for a client-server (road warrior) tunnel, follow these steps.
- Login to MikroTik RouterOS using Winbox with full access user permission.
- From menu item, click on WireGuard. WireGuard window will appear.
- Click on PLUS SIGN(+) to create a new WireGuard interface. New Interface window will appear.
- Put an interface name in Name input field or you can keep the default name wireguard1.
- In the Listen Port input field, put 443 if you want a port that is usually not blocked; the default WireGuard listen port in RouterOS 7 is 13231. Note that WireGuard runs over UDP only, so this is UDP 443, not the TCP 443 used by HTTPS: a network that allows HTTPS does not necessarily pass UDP 443 (it usually does where QUIC is allowed). WireGuard deliberately avoids TCP as a transport, because running TCP connections inside a TCP tunnel makes the two retransmission timers interfere with each other and hurts performance.
- Click Apply button. Public Key and Private Key will be generated as soon as you click the Apply button. The Public Key will be required when WireGuard client will be configured.
- Click OK button.
WireGuard is now enabled in MikroTik RouterOS 7. Next we assign an IP address to the newly created WireGuard interface. To do so, follow these steps.
- From Winbox, go to IP > Addresses menu item. Address List window will appear.
- Click PLUS SIGN (+). New Address window will appear.
- In the Address input field, put the IP address you want. According to the network diagram, I am assigning 10.10.105.1/24. WireGuard clients will be given addresses from this block; each peer gets its own static address, since WireGuard has no DHCP.
- From Interface dropdown menu, choose the created WireGuard interface (wireguard1).
- Click Apply and OK button.
WireGuard VPN Server configuration in RouterOS7 has been completed. We will now download and install WireGuard Client in Windows 10/11.
Downloading and Installing WireGuard in Windows Operating System
Since we are going to connect a Windows machine to the WireGuard VPN server, we need to download and install WireGuard's Windows application from the WireGuard website. So, go to the WireGuard installation page and download the installer for Windows. At the time of writing, the installation page looks like the following image.
Installing WireGuard on Windows is as simple as installing any other Windows application: download the installer and double-click it; the installer does the rest. After installation, the WireGuard service starts and a WireGuard window like the following image opens, asking you to provide a configuration either manually or by importing a configuration file.
We will configure the WireGuard tunnel manually, since MikroTik RouterOS does not provide a configuration file for the client. From this window, click the Add Tunnel dropdown and choose the Add empty tunnel... option. The Create new tunnel window appears, where we provide all the options required to create the WireGuard tunnel.
In Create new tunnel window, put a name (example: wg1) for the tunnel in Name input field and then click Save button. You will also find generated Public Key and Private Key in this window. Among these two keys, the Public Key will be required to configure peer between WireGuard Server and Client.
Creating the Peer Between WireGuard Server and Client
To create a VPN tunnel between Windows client and the RouterOS WireGuard Server, we need to configure WireGuard Peer. So, at first, we will configure peer in MikroTik RouterOS and then we will configure peer in WireGuard Windows client.
To configure WireGuard peer in MikroTik RouterOS, follow the following steps.
- From WireGuard window, click on Peers tab and then click on PLUS SIGN (+). New WireGuard Peer window will appear.
- In the New WireGuard Peer window, choose the WireGuard interface (wireguard1) from the Interface dropdown menu.
- In Public Key input field, put the public key generated by the Windows client (with whom it will make peer).
- In Allowed Address field, put the IP address (10.10.105.3/32) that will be assigned to the WireGuard Client.
- Click Apply and OK button.
Peer configuration in MikroTik RouterOS has been completed. Now we will configure WireGuard Peer in Windows Client.
- Open the WireGuard client in Windows, select the tunnel created before and click the Edit button.
- In the [Interface] section, add two more properties: Address = 10.10.105.3/32 and DNS = 8.8.8.8. These are assigned to the WireGuard virtual interface. Change the values according to your network; the Address must be the same address you entered as Allowed Address on the router's peer entry.
- Now add a new section named [Peer] with these properties:
  PublicKey = y9uah2vvBg9nkBhovSA72Ji3C3LmMxoUab0dwhUwAy0=
  AllowedIPs = 0.0.0.0/0
  Endpoint = 103.177.246.6:443
  PersistentKeepalive = 10
  Here, PublicKey is the public key of the RouterOS WireGuard interface. AllowedIPs is the set of destinations the client sends into the tunnel (and the only source addresses it accepts back from the router): 0.0.0.0/0 routes all of the client's traffic through the tunnel, so the router must NAT the tunnel subnet for the client to keep Internet access, while a narrower list (the tunnel subnet plus the office LAN subnets) gives access to the office network only. Endpoint is the public IP address of the MikroTik on which WireGuard is enabled, plus the listen port. PersistentKeepalive makes the client send an empty authenticated packet every given number of seconds so that the NAT or stateful firewall in front of it keeps the mapping open.
- Click the Save button to save the configuration.
Peer configuration between the WireGuard server and client is complete. Now click the Activate button in the WireGuard client. If everything is OK, the tunnel comes up (a "Latest handshake" time appears in the client) and you can reach your remote servers and other network devices; the client window looks like the following image.
If the steps above are unclear, watch the following video for a step-by-step guide.
How to configure a road warrior WireGuard VPN in MikroTik RouterOS 7 has been discussed in this article. I hope you will now be able to configure a client-server WireGuard VPN tunnel in RouterOS 7. If you run into trouble setting up WireGuard in RouterOS 7, feel free to discuss it in the comments or contact me through the Contact page. I will do my best to help.
WireGuard is a communication protocol and free, open-source software that implements encrypted virtual private networks.
For the WireGuard setup we start from a MikroTik already running RouterOS (7.x).
WireGuard interface setup
1. Adding the WireGuard interface.
Go to the WireGuard tab → "+" → Name (enter a name that is meaningful to you) → Apply.
Figure 1: Adding the WireGuard interface
2. Assigning an IP address to the WireGuard interface we created: IP → Addresses → "+" → enter the IP address and select our newly created WireGuard interface.
Figure 2: Assigning the IP address
3. Allow the incoming connection to the listen port in the firewall:
IP → Firewall → Filter Rules → "+" Chain – input, Protocol – udp, Dst. Port – 34567, In. Interface – ether1 → Apply.
Dst. Port must be the Listen Port of the WireGuard interface: the figure uses 34567, whereas the client configuration below connects to the default 13231, so make sure the two match. The rule has to be moved above the rules that drop incoming connections on the external interface, otherwise it never gets a chance to match.
Figure 3: Adding the firewall rule
4. Peer setup.
Go to the WireGuard tab → Peers → to-windows (the peer we created):
- Interface: the interface on which the connection is expected;
- Public Key: the other side's public key;
- Endpoint: the other side's external IP address (leave empty for a client without a fixed public address);
- Endpoint Port: the other side's port (likewise optional);
- Allowed Address: the networks that will be carried in the tunnel (for a single Windows client, its tunnel address, 10.0.0.2/32).
Figure 4: Peer setup
Setting up the WireGuard client on Windows
1. In the WireGuard application on Windows, press Ctrl + N to add an empty tunnel.
Figure 5: Adding an empty tunnel
2. Add the following lines to the empty tunnel (the private key is generated by the client; keep the one it shows rather than copying this one):
[Interface]
PrivateKey = UIfsPWz7rxXUsE/7Z7JmHceWOBYY4ATr2P9JlYWXLGg=
Address = 10.0.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = jxE7UkQQwffGEWgLj3GgIYUSjPKpW/zriT3PtE85r08=
AllowedIPs = 0.0.0.0/0
Endpoint = 46.188.57.135:13231
Exchanging public keys
On the MikroTik, open the WireGuard interface we created, copy its public key and paste it into the tunnel configuration on Windows.
On Windows, take the public key of the tunnel we created and copy it into the peer on the MikroTik.
Figure 6: Exchanging public keys
Checking that it works
On Windows, click Activate; after a successful connection you can ping the MikroTik's network.
Figure 7: Checking that it works
Post Notes: as of RouterOS 7.18 – ip – added support for /31 address
Contents:
Mikrotik WireGuard Interface Setup
Windows Client Setup
Firewall Config
In this guide I'll show you how to easily set up a VPN tunnel using WireGuard between a Windows PC and a MikroTik router. Whether you need to manage your router remotely or access hosts on your network from anywhere, this tutorial covers each aspect and aims to simplify the steps for anyone at any skill level.
Mikrotik WireGuard Interface Setup:
On your MikroTik router navigate to the WireGuard menu and click "New" to create a new WireGuard interface.
Name: The name of the WireGuard interface. Usually you can leave this default, unless you have multiple WireGuard interfaces, and need to organise better.
Listen Port: Most of the time leaving this on the default port which is 13231 is fine.
Everything can be left default, but feel free to customise to this to your needs. Once done, press “OK”.
Once the WireGuard interface is set up, we need to assign an IP subnet to it, which will be used for the VPN tunnel. I only plan to add one device, so I will use a /30 point-to-point subnet. If you plan to have multiple devices connected to the VPN at once, a larger subnet is required, as each connecting device (peer) needs a unique IP address. You can also add a separate point-to-point subnet for each connecting peer.
To add an IP subnet to the WireGuard interface, navigate to IP > Addresses, then click "New".
Address: This defines the IP address assigned to the WireGuard interface. I'm going to assign 172.16.0.1/30, which leaves 172.16.0.2/30 for my connecting device (peer).
Network: If you leave this blank, RouterOS fills in the network address automatically; otherwise specify it manually. Before 7.18, RouterOS did not accept /31 addresses, so the point-to-point alternative was a /32 address with Network set to the other end's address; from 7.18 on, a /31 works as well.
Interface: Select the WireGuard interface that we created earlier from the drop-down menu.
After assigning an IP address and subnet to the WireGuard interface, we can move on and create the peers. A peer is any device connecting to the MikroTik's WireGuard interface. We have to define each one explicitly, so that only our client devices (e.g. the Windows computer) are allowed to connect.
Navigate to WireGuard > Peers and click "New" to add a new peer. One of the required fields here is the peer's public key, which we get from the WireGuard Windows client, so before we can fill out the fields we have to install WireGuard on the Windows computer and generate a key pair for this peer.
On your Windows system, download and install WireGuard from the download page on wireguard.com.
Once done, open the WireGuard application, click the downward-facing arrow next to "Add Tunnel" and select "Add empty tunnel...".
A new window called "Create new tunnel" pops up. Near the top you'll see your newly generated public key. This is the peer's public key, and it is what we copy and paste into the Public Key field of the MikroTik peer setup. The matching private key stays on the Windows machine and is never entered on the router.
The rest of the peer settings on the MikroTik are as follows:
Interface: Select the WireGuard interface we created earlier.
Endpoint: The IP address of the peer. If you define this, the router only allows the peer to connect from that source address. I suggest leaving it blank so that the router accepts the peer from any IP address, which is what a roaming laptop needs; authentication is by the peer's key, not by its address, so leaving it blank does not weaken the tunnel.
Endpoint Port: The source port of the connecting peer. Leave this blank to allow any port, or define it if you want to lock things down further. Note that if you define the port here, you also have to set the same port explicitly (ListenPort) on the Windows client.
Private Key: Leave this blank.
Allowed Address: The address your peer will use inside the tunnel, and the only destination for which return traffic is sent to this peer. Remember, I set 172.16.0.1/30 on the WireGuard interface, so my peer will use 172.16.0.2, which is what I put here. I didn't add a CIDR length; when it is left out, RouterOS adds it as /32.
Preshared Key: An optional extra symmetric key (32 random bytes, base64-encoded, e.g. from `wg genpsk`) that is mixed into the handshake. It must be identical on both peers and adds a layer of protection that does not depend on Curve25519, which matters if the public-key cryptography is ever broken. Leave this blank if you do not want one.
Persistent Keep Alive: The number of seconds, between 1 and 65535, between authenticated empty packets sent to the peer to keep a stateful firewall or NAT mapping alive. On the router side of a road-warrior setup this can be left blank; it belongs on the client, which is the side behind NAT. Once this is set up, press "OK" and move on to the WireGuard Windows client setup.
WireGuard Windows Client Setup:
As a base template, you can copy and paste the snippet below into your WireGuard tunnel and change the values to your requirements. The PublicKey under [Peer] on your Windows client must be the MikroTik WireGuard interface's public key, i.e. the inverse of what we configured on the Peers page of the MikroTik. The rest of the lines are self-explanatory, but take special note of AllowedIPs:
Adding entries to the AllowedIPs field in the configuration file does two things:
- Adds routes: the client installs routes to the listed subnets (e.g. 172.16.0.0/30) on the Windows computer, so any traffic destined for them is sent through the WireGuard tunnel.
- Filters return traffic: a decrypted packet from this peer is accepted only if its source address lies within the listed subnets; anything else is silently dropped. In short, AllowedIPs defines both which destinations are routed to the peer and which sources are accepted from it. (This is WireGuard's "cryptokey routing"; the same list is what the MikroTik calls Allowed Address on its side.)
By specifying AllowedIPs = 172.16.0.0/30, x.x.x.x/x, you configure the client to route traffic for these subnets through the WireGuard interface and to accept return traffic from them.
If you want to send all traffic to the MikroTik and use it as the Windows computer's default route, add 0.0.0.0/0 to AllowedIPs, which forces all traffic out through the VPN tunnel (the narrower entries are then redundant). Make sure the router NATs the tunnel subnet, otherwise the Windows computer will have no Internet breakout.
[Interface]
PrivateKey = <your private key, as generated by the client>
Address = 172.16.0.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = <your router's WireGuard interface public key>
PresharedKey = <only if you set one on the router; otherwise remove this line>
AllowedIPs = 172.16.0.0/30, 0.0.0.0/0, x.x.x.x/x (remove what you don't need; keep 0.0.0.0/0 only if the tunnel should be your default route)
Endpoint = 192.168.88.219:13231 (the router's public IP or its IP Cloud DDNS name; 192.168.88.219 is a LAN address and only works from inside that LAN)
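The two effects of AllowedIPs described above are one rule, cryptokey routing, applied in both directions. The Python below is an added example (mine, not code from this guide, from WireGuard or from RouterOS) that models a single WireGuard interface's allowed-IPs table with the standard library's `ipaddress` module and runs it against the address plans used on this page: a client with the tunnel subnet plus a LAN behind the router, the same client as a full tunnel, and a router with two road-warrior peers. The last case shows the trap to avoid when there is more than one peer: a prefix belongs to exactly one peer, and giving the whole tunnel /24 to a second peer takes it away from the first. The `CryptokeyRouter` class and the peer names are my own.

```python
import ipaddress
from typing import Dict, List, Optional


class CryptokeyRouter:
    """Model of one WireGuard interface's allowed-IPs table (my own class, not a WireGuard API).

    Outbound, the peer is chosen by longest-prefix match on the destination address.
    Inbound, a decrypted packet is kept only if the same lookup on its inner source
    address yields the peer it arrived from; otherwise it is dropped."""

    def __init__(self) -> None:
        self.table = {}  # ip_network -> peer name; each prefix has exactly one owner

    def set_peer(self, peer: str, allowed_ips: List[str]) -> None:
        """Assign prefixes to a peer. A prefix already owned by another peer moves to this
        one, which is why two peers on the router must never share an allowed-address."""
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self.table[net] = peer

    def allowed_ips_of(self, peer: str) -> List[str]:
        return sorted(str(net) for net, owner in self.table.items() if owner == peer)

    def peer_for(self, address: str) -> Optional[str]:
        """Outbound lookup; None means the packet is not sent into the tunnel at all."""
        ip = ipaddress.ip_address(address)
        best = None
        for net, owner in self.table.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, owner)
        return best[1] if best else None

    def accepts_inbound(self, from_peer: str, inner_src: str) -> bool:
        """Inbound check on a packet that already decrypted correctly under from_peer's keys."""
        return self.peer_for(inner_src) == from_peer


def demo() -> Dict[str, object]:
    # Windows client of the first guide: tunnel subnet plus the LAN behind the router.
    client = CryptokeyRouter()
    client.set_peer("mikrotik", ["10.100.100.0/24", "192.168.1.0/24"])
    # The same client configured as a full tunnel.
    full = CryptokeyRouter()
    full.set_peer("mikrotik", ["0.0.0.0/0"])
    # A router whose two peers were both (wrongly) given the whole tunnel /24.
    bad = CryptokeyRouter()
    bad.set_peer("mikrotik-client", ["10.10.10.0/24", "192.168.2.0/24"])
    bad.set_peer("windows-client", ["10.10.10.0/24", "192.168.3.0/24"])
    # The same router with one /32 per peer.
    good = CryptokeyRouter()
    good.set_peer("mikrotik-client", ["10.10.10.2/32", "192.168.2.0/24"])
    good.set_peer("windows-client", ["10.10.10.3/32", "192.168.3.0/24"])
    return {
        "lan_host_via_tunnel": client.peer_for("192.168.1.50"),
        "internet_not_tunnelled": client.peer_for("8.8.8.8"),
        "reply_from_lan_accepted": client.accepts_inbound("mikrotik", "192.168.1.50"),
        "foreign_source_dropped": client.accepts_inbound("mikrotik", "172.16.5.5"),
        "full_tunnel_internet": full.peer_for("8.8.8.8"),
        "overlap_owner_of_10.10.10.2": bad.peer_for("10.10.10.2"),
        "overlap_leftover_for_first_peer": bad.allowed_ips_of("mikrotik-client"),
        "fixed_owner_of_10.10.10.2": good.peer_for("10.10.10.2"),
        "fixed_owner_of_10.10.10.3": good.peer_for("10.10.10.3"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the overlapping case the router would send every packet for 10.10.10.2 to the Windows client, so pinging the first peer's tunnel address fails even though its handshake is fine; the /32-per-peer layout is what the Allowed Address field on the router should contain.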
Once done, click "Save" and then "Activate" to bring the WireGuard tunnel up. Once up, the two ends of the tunnel complete a handshake and data can begin to flow. You should be able to reach the opposite endpoint's tunnel IP and the other subnets listed in your AllowedIPs field.
*Important: we have not yet discussed firewall requirements. If your tunnel is set up correctly but you cannot establish a handshake with your router, it is most likely a firewall issue, which is discussed in the next section.
Firewall Config:
There are a number of ways to configure the firewall to allow WireGuard to work correctly, and the exact route you take depends on your setup. Just keep in mind that, at the very least, for the tunnel to establish you have to allow UDP to the listen port of the MikroTik's WireGuard interface in via the WAN interface.
To start, navigate to IP > Firewall.
In the firewall filters menu, click on “New” and add a new firewall filter. This is the filter to allow the WireGuard tunnel to form:
Chain: input
Protocol: UDP
Dst.Port: 13231 (or whatever port you set)
Navigate to the Action tab, set it to "Accept", then click "OK" to add this filter. Make sure to drag this filter into the correct place in your firewall, above any drop rule that would match first: RouterOS evaluates filters top to bottom and the first match wins.
Next, let's assume we want to log in to the MikroTik from the Windows computer to manage it. We have to allow that too. The previous rule only allows the tunnel to form. Assuming there are standard catch-all drop rules, we also have to allow input from the WireGuard interface so that we can reach the router through the tunnel.
To do this, add another filter:
Chain: input
In.Interface: wireguard1 (your WireGuard interface)
Like before, navigate to the Action tab, set it to "Accept" and press "OK". Drag this rule into the right place, as with the rule above. Note that this rule opens every router service (Winbox, SSH, web, API) to anyone inside the tunnel; if you want to be stricter, add Protocol and Dst. Port for just the services you use (for example TCP 8291 for Winbox).
This next filter may or may not be required, depending on the rules you have in the forward chain. If you have locked down your forward chain and must explicitly allow everything, then you will need to allow forwarding from the WireGuard interface in order to reach other hosts and networks from your Windows computer.
To do this, create a new filter:
Chain: Forward
In.Interface: wireguard1 (your WireGuard interface)
Navigate to the Action tab and set it to “Accept”, then press the “OK” button. Make sure to drag this rule into the right place, like with the rule above it.
With all of this in place, I can activate the WireGuard tunnel on my Windows PC again and now have full routing and access to the MikroTik router. Any other networks behind the MikroTik can be reached by adding their subnets to AllowedIPs on the Windows client (and, if your forward chain is restrictive, allowing them there); the Allowed Address on the router's peer entry stays the client's own tunnel address, since that field describes what the router sends towards the client, not what the client may reach.
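Because RouterOS takes the first matching filter and accepts anything that matches no rule, the position of the new rules relative to the default "drop all not coming from LAN" rule is the whole story of the firewall section. The block below is an added example (mine, not from this guide or from MikroTik): a small first-match evaluator for input-chain rules, loaded with a constructed approximation of the RouterOS default rules, that shows the handshake packet being dropped when the accept rule sits below the catch-all and accepted when it sits above, and then compares the broad "accept in-interface=wireguard1" rule with a version limited to Winbox. Interface names, ports and the rule set are assumptions for the illustration; the `Rule` and `Packet` classes are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCEPT, DROP = "accept", "drop"


@dataclass(frozen=True)
class Packet:
    chain: str              # "input" = addressed to the router, "forward" = passing through it
    proto: str              # "udp", "tcp" or "icmp"
    dst_port: Optional[int]
    in_iface: str
    state: str              # connection-tracking state: new, established, related, invalid


@dataclass(frozen=True)
class Rule:
    """One filter rule; a None field means 'any', like an empty field in Winbox."""
    chain: str
    action: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    in_iface_list: Optional[Tuple[str, ...]] = None   # interface list such as LAN
    negate_list: bool = False                         # in-interface-list=!LAN
    states: Optional[Tuple[str, ...]] = None          # connection-state=...

    def matches(self, p: Packet) -> bool:
        if self.chain != p.chain:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        if self.in_iface_list is not None:
            in_list = p.in_iface in self.in_iface_list
            if in_list == self.negate_list:   # wrong side of a plain or negated list
                return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """RouterOS semantics: rules are tried top to bottom, the first match decides,
    and a packet that matches no rule is accepted."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return ACCEPT


LAN = ("bridge",)   # assumed: the LAN interface list contains the bridge only

# Constructed approximation of the RouterOS default input chain.
BASE_INPUT = [
    Rule("input", ACCEPT, states=("established", "related", "untracked")),
    Rule("input", DROP, states=("invalid",)),
    Rule("input", ACCEPT, proto="icmp"),
]
DROP_NOT_LAN = Rule("input", DROP, in_iface_list=LAN, negate_list=True)
WG_HANDSHAKE = Rule("input", ACCEPT, proto="udp", dst_port=13231)
WG_MGMT_ALL = Rule("input", ACCEPT, in_iface="wireguard1")
WG_MGMT_WINBOX = Rule("input", ACCEPT, proto="tcp", dst_port=8291, in_iface="wireguard1")

HANDSHAKE_PKT = Packet("input", "udp", 13231, "ether1", "new")      # from the WAN side
WINBOX_OVER_WG = Packet("input", "tcp", 8291, "wireguard1", "new")
SSH_OVER_WG = Packet("input", "tcp", 22, "wireguard1", "new")


def demo() -> Dict[str, str]:
    below = BASE_INPUT + [DROP_NOT_LAN, WG_HANDSHAKE]          # accept rule never reached
    above = BASE_INPUT + [WG_HANDSHAKE, DROP_NOT_LAN]
    mgmt_open = BASE_INPUT + [WG_HANDSHAKE, WG_MGMT_ALL, DROP_NOT_LAN]
    mgmt_tight = BASE_INPUT + [WG_HANDSHAKE, WG_MGMT_WINBOX, DROP_NOT_LAN]
    return {
        "handshake_rule_below_drop": evaluate(below, HANDSHAKE_PKT),
        "handshake_rule_above_drop": evaluate(above, HANDSHAKE_PKT),
        "winbox_without_tunnel_rule": evaluate(above, WINBOX_OVER_WG),
        "winbox_with_open_rule": evaluate(mgmt_open, WINBOX_OVER_WG),
        "ssh_with_open_rule": evaluate(mgmt_open, SSH_OVER_WG),
        "winbox_with_tight_rule": evaluate(mgmt_tight, WINBOX_OVER_WG),
        "ssh_with_tight_rule": evaluate(mgmt_tight, SSH_OVER_WG),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "drop all not coming from LAN" rule is why the handshake dies silently when the accept rule is dragged to the bottom, and also why the tunnel interface needs its own input rule before the router answers Winbox through it; the tight variant is the shape to prefer if the tunnel is only used for management.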
Description
In this article we only install and configure the WireGuard tunnels themselves.
Static and dynamic routing across the tunnels are not covered here.
Input data
Server Mikrotik Wireguard
WAN — 172.16.1.2
Wireguard interface IP address — 10.10.10.1/24
Client Wireguard Mikrotik
Wireguard interface IP address — 10.10.10.2/24
Client Wireguard Windows 10
Wireguard interface IP address — 10.10.10.3/24
Server Mikrotik install and configure
Firewall: accept the WireGuard UDP port (a custom one, 1111, in this lab) on the WAN interface
/ip firewall filter
add action=accept chain=input dst-port=1111 in-interface=ether3 protocol=udp
Interface add
/interface wireguard
add listen-port=1111 mtu=1420 name=wireguard1
IP address add
/ip address
add address=10.10.10.1/24 interface=wireguard1
Get and note the Mikrotik-Server interface's public key (we will need it when installing the clients). Note that print detail also shows the private key, so do not paste this output anywhere it might leak.
/interface/wireguard/print detail
...
Flags: X - disabled; R - running
 0  R name="wireguard1" mtu=1420 listen-port=1111
      private-key="6N3/h46NlYqzNQr6h6Z+2tdhK4CSYxJBhy3cwolV8XY="
      public-key="4gBu3gbZMfgOjnTd0OhhGpi/h5wQrMi0V+XXTDwx12w="
...
Clients install and configure
Mikrotik-Client
Interface add
/interface wireguard
add listen-port=1111 mtu=1420 name=wireguard2
IP address add
/ip address
add address=10.10.10.2/24 interface=wireguard2
Get the Mikrotik-Client's interface public key
! Now we have the Mikrotik-Client's public key and can put it into the peer for this Mikrotik-Client on the Mikrotik-Server's side !
/interface/wireguard/print detail
...
Flags: X - disabled; R - running
 0  R name="wireguard2" mtu=1420 listen-port=1111
      private-key="oE96127HCyK0qiJnoojYstspVDuR0pAV0mC0LnbzjGw="
      public-key="xrXMoab0w4/D87YxMd1ZOd9iRJKdLQyrqY2pMVPsA0A="
...
Peer add (for Mikrotik-Server)
! Copy public-key from interface wireguard1 on the Mikrotik-Server’s side !
/interface wireguard peers
add allowed-address=10.10.10.0/24,192.168.1.0/24 endpoint-address=172.16.1.2 endpoint-port=1111 interface=wireguard2 public-key=\
"4gBu3gbZMfgOjnTd0OhhGpi/h5wQrMi0V+XXTDwx12w="
Windows-Client
Download and install the Windows WireGuard client
https://www.wireguard.com/install/#windows-7-8-81-10-2012-2016-2019
Add an empty tunnel
! note the autogenerated public key: 77kGQB+aEcCaFAYOOD9iOUuUSsoy+L0ex6XpdvW6eXw= !
[Interface]
PrivateKey = 6IOT1Ip/o+7FZryy+0h1JPSeMY35XvrAFTDl9ojSq1M=   # autogenerated by the client
Address = 10.10.10.3/24                                      # Wireguard interface IP address - 10.10.10.3/24
DNS = 77.88.8.8
[Peer]
PublicKey = 4gBu3gbZMfgOjnTd0OhhGpi/h5wQrMi0V+XXTDwx12w=    # public key of the Mikrotik-Server wireguard interface
AllowedIPs = 0.0.0.0/0
Endpoint = 172.16.1.2:1111                                   # Mikrotik-Server's WAN IP address
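Every guide on this page ends with a hand-written client configuration, and the mistakes are always the same few: an Endpoint that is only reachable from inside the LAN, no keepalive on a client behind NAT, an AllowedIPs list that does not even contain the router's tunnel address, a key pasted with a character missing. The checker below is an added example (mine, not from this article or from the WireGuard project): a parser for the client's INI-style file plus a lint pass for those mistakes, using only the Python standard library. The first sample is the Windows-Client configuration above, keys as printed there; the second is constructed, with placeholder keys of 32 zero bytes (correct in shape only) and a hostname endpoint. The finding texts and the `lint` function are my own.

```python
import base64
import ipaddress
from typing import Dict, List, Tuple

Section = Dict[str, str]


def parse_conf(text: str) -> Tuple[Section, List[Section]]:
    """Parse the wg-quick / Windows client format: one [Interface], any number of [Peer]s.
    Keys are lower-cased, '#' starts a comment, and only the first '=' splits key from
    value so that the '=' padding of base64 keys survives."""
    interface: Section = {}
    peers: List[Section] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError("unknown section: " + line)
            continue
        if current is None or "=" not in line:
            raise ValueError("unexpected line: " + raw)
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return interface, peers


def is_wg_key(value: str) -> bool:
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def lint(text: str) -> List[str]:
    findings: List[str] = []
    iface, peers = parse_conf(text)
    if not is_wg_key(iface.get("privatekey", "")):
        findings.append("Interface: PrivateKey is not a 32-byte base64 key")
    addrs = [ipaddress.ip_interface(a.strip()) for a in iface.get("address", "").split(",") if a.strip()]
    if not addrs:
        findings.append("Interface: no Address, the tunnel has no IP")
    if not peers:
        findings.append("no [Peer] section, nothing to connect to")
    for n, peer in enumerate(peers, 1):
        tag = f"Peer {n}: "
        if not is_wg_key(peer.get("publickey", "")):
            findings.append(tag + "PublicKey is not a 32-byte base64 key")
        allowed = [ipaddress.ip_network(c.strip(), strict=False)
                   for c in peer.get("allowedips", "").split(",") if c.strip()]
        if not allowed:
            findings.append(tag + "AllowedIPs is empty, so nothing is routed into the tunnel")
        elif addrs and not any(a.network.overlaps(net) for a in addrs for net in allowed):
            findings.append(tag + "AllowedIPs does not include the tunnel subnet, so the router's own tunnel address is unreachable")
        if any(net.prefixlen == 0 for net in allowed) and "dns" not in iface:
            findings.append(tag + "all traffic is tunnelled (0.0.0.0/0 or ::/0) but no DNS is set; lookups keep going to the resolver of the underlying network, which may not be reachable through the tunnel")
        endpoint = peer.get("endpoint")
        if endpoint is None:
            findings.append(tag + "no Endpoint, so this side can only wait for the other peer to initiate")
        else:
            host, _, port = endpoint.rpartition(":")
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                findings.append(tag + "Endpoint has no valid port (expected host:port)")
            try:
                ip = ipaddress.ip_address(host.strip("[]"))
            except ValueError:
                ip = None       # a hostname, resolved when the tunnel is activated
            if ip is not None and ip.is_private:
                findings.append(tag + f"Endpoint {ip} is a private address, reachable only from inside that network; use the router's public IP or DDNS name")
        if "persistentkeepalive" not in peer:
            findings.append(tag + "no PersistentKeepalive; a client behind NAT loses its mapping when idle and the router cannot reach it until the client sends traffic again")
    return findings


# Sample 1: the Windows-Client configuration from this article, keys as printed there.
ARTICLE_CONF = """\
[Interface]
PrivateKey = 6IOT1Ip/o+7FZryy+0h1JPSeMY35XvrAFTDl9ojSq1M=   # autogenerated
Address = 10.10.10.3/24
DNS = 77.88.8.8
[Peer]
PublicKey = 4gBu3gbZMfgOjnTd0OhhGpi/h5wQrMi0V+XXTDwx12w=
AllowedIPs = 0.0.0.0/0
Endpoint = 172.16.1.2:1111
"""

# Sample 2: constructed. ZERO_KEY has the right shape but is not a usable key.
ZERO_KEY = base64.b64encode(bytes(32)).decode()
CONSTRUCTED_CONF = f"""\
[Interface]
PrivateKey = {ZERO_KEY}
Address = 10.100.100.2/24

[Peer]
PublicKey = {ZERO_KEY}
AllowedIPs = 192.168.1.0/24
Endpoint = router.example.net:13231
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    for label, conf in (("article sample", ARTICLE_CONF), ("constructed sample", CONSTRUCTED_CONF)):
        print(label + ":")
        for finding in lint(conf) or ["no findings"]:
            print("  -", finding)
```

For the article's own configuration the checker reports the private endpoint (fine in this lab, where 172.16.1.2 stands in for a WAN address, wrong for a real road warrior) and the missing keepalive; for the constructed one it reports that 192.168.1.0/24 alone never reaches the router's tunnel address 10.100.100.1.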
Mikrotik-Server
Mikrotik-Client Peer add
! Copy the public key from the wireguard interface on the Mikrotik-Client's side !
! allowed-address must be unique per peer: a prefix can belong to only one peer of an interface,
! so giving 10.10.10.0/24 to both peers below would leave it with whichever peer was added last
! and break traffic to the other one. Each peer therefore gets its own tunnel /32 plus the LAN behind it !
/interface wireguard peers
add allowed-address=10.10.10.2/32,192.168.2.0/24 interface=wireguard1 public-key="xrXMoab0w4/D87YxMd1ZOd9iRJKdLQyrqY2pMVPsA0A="
Windows-Client Peer add
! Copy the public key from the wireguard interface on the Windows-Client's side !
/interface wireguard peers
add allowed-address=10.10.10.3/32,192.168.3.0/24 interface=wireguard1 public-key="77kGQB+aEcCaFAYOOD9iOUuUSsoy+L0ex6XpdvW6eXw="
Test
Mikrotik-Server
Ping the Mikrotik-Client wireguard interface IP
ping 10.10.10.2
...
  SEQ HOST         SIZE TTL TIME       STATUS
    0 10.10.10.2     56  64 12ms180us
    1 10.10.10.2     56  64 3ms959us
    2 10.10.10.2     56  64 3ms628us
...
Ping the Windows-Client wireguard interface IP
ping 10.10.10.3
...
  SEQ HOST         SIZE TTL TIME       STATUS
    0 10.10.10.3     56  64 12ms180us
    1 10.10.10.3     56  64 3ms959us
    2 10.10.10.3     56  64 3ms628us
...
Mikrotik-Client
Ping the Mikrotik-Server wireguard interface IP
ping 10.10.10.1
...
  SEQ HOST         SIZE TTL TIME       STATUS
    0 10.10.10.1     56  64 4ms624us
    1 10.10.10.1     56  64 4ms227us
    2 10.10.10.1     56  64 3ms735us
    sent=3 received=3 packet-loss=0% min-rtt=3ms735us avg-rtt=4ms195us max-rtt=4ms624us
...
Windows-Client
Ping the Mikrotik-Server wireguard interface IP
ping 10.10.10.1
...
Reply from 10.10.10.1: bytes=32 time=5ms TTL=64
Reply from 10.10.10.1: bytes=32 time=5ms TTL=64
...