🌎MikroTik Ultimate Wireguard S2S Guide🌎

Captions
Hey there guys, the Network Berg here, hope you're doing well. So in this video we will be covering how to create WireGuard site-to-site VPNs, but it will also be a little bit of a mix and match with road warrior configurations as well. So I'm hoping that I can treat this as my last WireGuard video; I'm going to call this my ultimate VPN guide when it comes to WireGuard, because I want this to be the video that you use to reference whenever you're setting up WireGuard and just understanding some of the quirks that there are when using a MikroTik with WireGuard. So let's get into the video.

Now before we get digging into this lab that looks quite interesting behind me, let's just get into some of the theory of WireGuard. So I'm just going to navigate onto another tab here, go to wireguard.com, and I always put this link in the description or comment of my videos, but a lot of people seem to also ignore it, so I highly, highly advise: please go to the white paper and read through this. It explains exactly how WireGuard functions, how it works and how the implementation is, and what I like is there's a little stat here, let me just scroll down here, where you can see the performance, and this is based off of performance versus OpenVPN, IKEv1 and 2, and WireGuard, and as you can see WireGuard's throughput and response time is just outright insane. It's crazy fast and it's crazy big, so it's a pretty, pretty good VPN protocol. So this is why it's like so much better to use WireGuard as opposed to OpenVPN, because it's going to give you so much more and it's just also so much easier to configure. WireGuard's literally just setting up an interface, configuring your peer, and with MikroTik there's a few extra little weird things you need to do, but overall it's really easy to set up, way easier than IPsec in my opinion. But all of the information regarding WireGuard is on here; please read this if you want to get into all of the how's it works, but I'm going to show you guys what I know is typically the issue that breaks a lot of people when they try and configure WireGuard and they want to understand how site-to-site specifically works, because this comes down to routing as well as the allowed address or allowed IPs across your peer.

Now whenever we think about allowed IPs, I actually want you to think of them as the destinations or prefixes that you would like to get to. So when you configure that in your peer in WireGuard and you set allowed IPs, you are in essence saying the stuff that you want to get to that's on the other side of the tunnel. So remember that when we actually do the setup now, because it's going to make a lot of sense when we configure this on MikroTik, but that's typically what confuses people, that gets them. There's other things like firewall rules for your MikroTiks that can also cause issues. Now I typically don't use any of the base MikroTik firewall rules; I have my own set of scripts that I usually import that is for my own use, or if you're using a blank router like I'm using in this example then there's no firewall rule, so you won't run into any potential issues of ports being blocked. But if you are using the default MikroTik firewall, then the default listening port when you configure WireGuard via Winbox does get blocked, so you need to actually implement the input filter chain to allow that traffic, and I'll show you guys how to add those input filter chains as well. But just stuff to take note of; it's nitty-gritty stuff that varies from person to person. This is why I sometimes find somebody says "great example, it works perfect" and another person will tell me "this is terrible, it doesn't work at all", whereas they might have been using the default settings or an input rule was actually blocking them from accessing or working with WireGuard. So just some stuff to take note of.

Let's quickly just go over this topology as well. So what we're going to do is we're going to have three sites, site A, B and C. Each site has a LAN subnet sitting behind the router; all three routers are MikroTik devices, and we're going to act as if we don't know what the site B and C IP addresses are. They might be coming in over NATed connections, and they'll be connecting to a WireGuard server in this instance to form a tunnel to connect and get to subnets. Now the nice thing about WireGuard is you don't just need to connect to a server; you can form tunnels to each WireGuard client, let's say, to create almost a meshed network. That is actually why WireGuard is so cool as well, but we'll set this up in the basic sense that people are used to, where we'll have a server, like a hub and spoke, a central point that people connect to, which will be the site A MikroTik. Now another thing that I just want to stress when it comes to configuring WireGuard on MikroTik, another quirk, is whereas if you do it on a client or another vendor then a lot of the stuff might automatically get added, like the routing, on MikroTik you need to statically add any routes for remote subnets that you're trying to reach, so that doesn't automatically get added. And this is also why, for MikroTik specifically, I'll assign /24 addresses to my WireGuard interfaces; however, when I come to the allowed addresses on the peer configuration I'll just be allowing /32 addresses. You'll see when we actually do the setup.

So let's get into the setup. Let's open up Winbox. So I'll go into my terminal and let me just close this window, I'll just close all these windows, let me get on to Winbox. I heard they're also making a new Winbox for Mac and Linux, hopefully, so that is native to the operating system, which is quite nice. But anyways, let's connect. I will first just connect onto the site A MikroTik; I'm going to connect through RoMON on site A, and this will be our little server. So I'm just going to zoom in so you guys can clearly see what I'm doing, and I'm going to go into my WireGuard, and first thing that's always going to be a thing that you need: click on the plus, then we got our WireGuard interface. So let's give it the name, I'll just call this wg-mikrotik-a, and listening port by default it's 13231, and then I can just click on apply. It will generate a private and public key for me; I don't need to add anything here, I just need to take note of the public key, as I'm going to use it on my peer's configuration later on.

Next step, I'm going to assign an IP address to the WireGuard interface. So I'm going to IP, Address, and think of this as the IPs that the WireGuard will use to communicate with each other, any client that's participating with WireGuard, and also to route traffic with. So I'm going to use 192.168.32.1/24. I'll bind that to my WireGuard interface, I'll click on OK, and now that is done. Now my next step is I actually need to create a peer. So I'm going to go into the Peers tab, I'm going to click on the plus, and I need to set my interface, which will always be the first interface that I have created, but if you have multiple WireGuard interfaces, select the right one that people are connecting to. Now we need to specify our public key, so obviously I need to have a WireGuard interface on the second MikroTik, so let's quickly get that going. I'll set up a new Winbox window, I'll connect onto RoMON again and then get onto site B, and then inside B, just very quickly, we create a WireGuard interface, call it wg-mikrotik-b, and I will hit apply. I'm just going to copy this public key quickly, and then I'm going to go back to the site A MikroTik, paste the public key, and that is it. Now I'm not going to specify an endpoint and endpoint port, because I'm working off the assumption that those connections are coming from a carrier-grade NAT or a NATed connection or an IP that I'm not aware of, so leave it blank. But we need to set our allowed addresses, and again I'm going to stress the allowed address is the stuff that lives on the other end of the tunnel, the things that you want to get to. So in my case I want to be able to get to 192.168.32.2/32, because that is the WireGuard IP of MikroTik 2 or site B. I also want to get to 172.16. because that is site B's LAN subnet that I want to access. And I'm also going to set a persistent keepalive. Now what is a persistent keepalive? This is basically just an empty packet that will be sent across the tunnel in whatever interval you set here, just to keep the tunnel alive, because if no traffic actually gets sent over the tunnel, very similar to IPsec, the tunnel might just shut down because it's like "okay, nothing's happening". So let's set a persistent keepalive; I'll set that to 25 seconds. That's pretty much baseline, but you can tweak that as you need to; maybe you want fewer packets, you could make it like 10 minutes, but 25 seconds is a good baseline. A nice thing that another viewer suggested was to also set a comment, because if you set the comment, you can act as if it's the name for the peer. So here I can call this site B, so now I know that this peer will connect to site B. If I click on apply we can see there site B is having these peer details. If you leave that blank and you suddenly have 10 or 100 WireGuard peers, you're gonna get pretty lost in knowing which peer is which, I can almost guarantee that.

All right, now we are done with the site A configuration. I'm going to head into the site B MikroTik, and first thing I want to do is just assign an IP to its WireGuard tunnel interface, and that is going to be 192.168.32.2/24, and that is wg-mikrotik-b. Now in the previous video I said I make the clients usually /32s, and I usually do if it is a WireGuard client like a Windows or Linux or MacBook or something that's connecting, but if it's MikroTiks I'm making this a /24, so that if I look at my routes, the whole /24 subnet will be routed over the WireGuard interface. That is the main reason I do that, but like I stressed earlier, I will still set the allowed addresses in the peer configuration to /32s. So let me go into the peer and configure that. Let's get the public key from site A quickly; so I'm just copying the public key of site A, and then I'm going to place that in the site B MikroTik's configuration, and then I'm going to set my endpoint here, because I need something to initiate the traffic. If neither end has an endpoint specified, then who's going to start talking? You know, these devices are quite shy and one of them needs to be an initiator; somebody needs to come in and start the conversation. So MikroTik site B will be the one that will initiate that conversation, so it will connect to an endpoint, and that will be the WAN IP or the address of MikroTik 2, or site A, apologies, and the endpoint port was 13231. Allowed address: now this is where I need to say the stuff that I want to get to, what networks live at site A that I want to reach, and that will be 192.168.32.1/32, which is the WireGuard tunnel IP of MikroTik 1 or site A, and I also want to get to 172.16.10.0/24, because that is the LAN subnet that lives behind MikroTik 1 or site A. I'll set the persistent keepalive as well, and let's just set a comment; even though it will only be one peer, it's a good practice to just do that. Let's hit apply and there we go, tunnel is set. I can already see some traffic traversing the tunnel; we can see there is a handshake, so this is really good.

And I'd like to see, does this actually work? So I'll go into EVE-NG and I've got some virtual PCs here, so let's just do dhcp. This is now PC A for site A, and from PC A, which is having the IP of 172.16.10.254, I want to see can I ping MikroTik 2 or site B's LAN address, 172.16.20.1. Can I ping that? It is timing out. Any idea why it might be timing out? Well, I said earlier in the video MikroTik has some weird quirks, and we haven't actually specified any static routing yet. So let's add those static routes. So what I'm going to do is on site A I need to add a route to say how am I going to get to the LAN subnet of site B, or the second MikroTik's LAN, so that was 172.16.20.0/24, and my gateway I'm going to use is the WireGuard interface, so that will be wg-mikrotik-a. I'll hit apply; now you'll see I have this new static route that's routing 172.16.20.0/24 over the WireGuard tunnel. Let's do the same on the site B MikroTik, so I'll add a route to say if I want to get to the LAN subnet of site A's MikroTik, I will go over the WireGuard interface, so that is wg-mikrotik-b. I'll hit apply. All right, so the routing is in place now. So we've set the peers, we've set the routing, everything should be fine. Let's just try and reinitiate that traffic, so I'll try and ping 172.16.20.1 and it is still timing out. Now I've seen this happen on MikroTik, and to get this working all that we are going to do is actually just re-up the peer. So I'm just going to disable the peer, re-enable the peer, and once that is done I'll go back to the VPC and I'll try and ping again, and now the ping works. So just something to take note of; it's again one of those weird quirky things. You could try and add the static route first and then bring up the tunnel, but just be aware of that; this might be something that catches you off guard as well, because maybe you do the setup and you're like "hey, it still doesn't work, it's timing out": just refresh the tunnel and that could potentially solve the issues you're having.

Before I get on to the site C MikroTik, I just want to stress, please make sure that you have the relevant firewall policies in place, because if you don't you're going to run into some issues. Now rules that I recommend you have is firstly some filter rules to allow traffic between the subnets. So what I mean by that is any traffic that's going to be forwarded across the tunnel, allow that. So I would say 172.16.10.0/24, which is my LAN subnet, going to 172.16.20.0/24, which is site B's subnet; I'm going to say accept that. That's all I'm going to do, and I'll copy the same rule and I'll just do the uno reverse on this, and there, I copied that one. But there we go, so now we have two forward chains to say allow traffic between the LAN subnets, and if you had any firewall policies already in place, just make sure you push these two rules at the very top so that they get referenced first, and then this should in essence allow access if there are other filter rules in place already. Now another filter rule that is recommended that you have is: you click on the plus, you do an input chain, you specify the protocol as UDP, you specify the port as 13231, but this could be whatever the listening port is of WireGuard; so in our case it's 13231, but that's what you would add. But I'm on the wrong MikroTik; you should be doing this on the server, so let me just go to the server quickly and add it there. And the reason for this is the default MikroTik firewall is blocking 13231 on UDP, so you need to just allow this if you use it. I typically don't, so this is why I don't run into these issues. 13231, and you just need to accept it. So this is a very basic firewall rule just to make sure that any incoming traffic on port 13231 that wants to connect will be able to connect to your MikroTik. All right, you can also just set the in-interface to your WAN interface just to add a little bit more security there, and yeah, that should be a good rule just to allow the incoming traffic so that WireGuard could be formed.

Something else I want to point out is it might also fail because of your service provider. Now what do I mean by that? So let's say you've got an ISP and they're giving you internet access, obviously; however, on their router they might be blocking the UDP port that WireGuard wants to use to listen on. Then you'd have to ask your ISP to also just allow that type of traffic. This is why it's such a weird thing for me to recommend to everybody everywhere, because everything is so different when it comes to networking and the internet; there's so many possibilities why your tunnel might not be working that you'd have to troubleshoot it, and you'd have to maybe get a consultant to check it out for you as well. But I'm just showing you how to do a typical site-to-site setup, which should in theory work with most ISPs or most setups, but you never know; like, it's impossible for me to know everybody's setups.

All right, so let's do the site C now. So site C we're going to be doing through the command line, just to show you how quick and easy it is, and I'm just going to explain it's going to be a little bit different, because we're going to treat site C as a road warrior. Think of this as an LtAP device we've got, carrying around with us, and then we just set this up, connect our laptop to it, and boom, we're on the WireGuard network and we can get to all of the resources we need to and browse the internet securely. Now what this means is I'm just going to set the allowed addresses to all, and I'm going to route all internet traffic over the WireGuard tunnel. Now for this to work I'm going to actually just look at my IP routes, and we can see I don't have any routing configured at the moment. Maybe since it's an LtAP you might have your default route going over your LTE interface or something, but what I'd recommend is set up a default route, or another default route, a static route to the WireGuard server's public address that you're going to be forming the connection to, so that endpoint address, and for me this will be 164.0.2.32, and then my gateway will obviously be now my actual internet, the way that I connect; it could be your WLAN as well, whatever you're actually getting onto the internet with, so 192.168.149.152. So let's just see, can I ping my WireGuard server? And I can, so this should mean I should be able to create that tunnel.

So let's continue with the actual setup. First bit is interface wireguard: we're going to add a new WireGuard interface, I'll just give this the name of wg-mikrotik-c, I'll hit enter, and then I'm going to print this new interface, and here we can see what the public key is, and I want you to note also the listen port is completely random. So if you do the setup from the command line, just take note of that, especially if you do a server-side thing, because then the listen port could be something different than 13231, and then you just have to add whatever that port is to your firewall rules. All right, but let's just copy this public key, and then I will navigate to my site A MikroTik, I'll create a new peer, I'll paste the public key in here for site C, I won't specify an endpoint address or port, I will specify the allowed addresses because, remember, these are the prefixes that live on the other side of the tunnel, which will be 192.168.32.3/32, and it will also be 172.16.30.0/24. I'll also set a persistent keepalive of 25 seconds and I'll set the comment as site C. I'll apply this, and now that has been set up. Now let's just do the setup on site C. One more thing, sorry, let's just pre-add this route out to the LAN subnet for site C, so 172.16.30.0/24, gateway will be wg-mikrotik-a, apply, and done.

Now let's continue, jump back to the terminal. First things first, let's add an IP address of 192.168.32.3/24; I'll add that to my WireGuard interface. Then we're going to add the actual WireGuard peer, so interface wireguard peers add: I'm going to set a persistent keepalive, will be 25 seconds; I'll be setting my endpoint address as 164.0.2.32; I'll be setting my endpoint port as 13231; I'll be setting my interface as the wg-mikrotik-c; I'll be setting my allowed address as 192.168.32.1/32, which is the WireGuard tunnel IP of MikroTik 1 or site A, and I'll also just add 172.16. Actually, sorry, since I said this is going to be a road warrior, let's make it 0.0.0.0/0; we're just going to push everything over the tunnel. And I just need the public key of site A, site A's interface, so let's just copy this and let's just paste that in, in quote marks, hit enter, and that's it. This is the typical setup. If I do an ip route print, what I'm going to do is I'm going to route all traffic now over the WireGuard tunnel, so I'm going to do an ip route add, destination is 0.0.0.0/0 and my gateway will be the wg-mikrotik-c, hit enter. And what I'd like to do now is just go back to site A; I just want to see the peers, do I have any TX and RX? I do have some TX and RX here from site A. I'd like to see, can I ping 192.168, or sorry, 172.16.30.1 from 172.16.10.1? So I can ping across the tunnel, which is actually very good news for us. Can I ping 192.168.32.3, which is the WireGuard tunnel IP for site B, or site C, apologies? And I can. Let's check from the command line for site C: can I ping 8.8.8.8? And I can ping out to Google, or Google's DNS server, and this is through the WireGuard tunnel now.

All right, so we've got our tunnels working from site C and site B to site A, which is fantastic. However, one question remains that a lot of people tend to ask me, is how do we get the two remote sites to communicate with each other, especially if they're running on NATed connections like this? So in this way we will also route the traffic through site A, but we need some additional configuration for the remote sites to be able to talk to each other, namely we will need to update the allowed addresses where applicable. So for site C it's not applicable, since we're just routing all traffic out over the WireGuard tunnel, but if we didn't, then we'd have to also just stipulate in that configuration what additional subnets we'd like to get to. So remember, allowed addresses is the stuff that you want to get to, the stuff that you're allowing to go over the tunnel and come back in over the tunnel. So I'm going to do this configuration on the MikroTik router site B. I'm actually going to go into my peers in WireGuard, and then I'm just going to firstly click on this down arrow, and then I'm going to add the LAN subnet of site C in here, and additionally I'm also going to need to add a route for the traffic to get over the WireGuard interface. So I'm going to say if I want to get to 172.16.30.0/24, then my gateway can be wg-mikrotik-b. I'll hit apply, and now I am allowing traffic to the additional subnet of site C. I don't need to do anything on the peers of the site A MikroTik, because site A already knows how to get to all of these subnets and access them. So let's do a quick test. So what I might do is let me just close this window and reopen it for the VPC at site C; I'll do an ip dhcp, let's just see what IP I obtain. I get the IP address of 172.16.30.254, so let's see, can I ping 172.16.20.1? Yay, I can ping 20.1, and that is the remote address of the LAN for site B. Can I ping 10.1? Yes I can. And similarly I'll just log on to the site B MikroTik and I'll also just test from its terminal, so I'll do a ping 172.16.30.1 and I'll source from my own LAN range, 172.16.20.1, and I can ping across. And all I did was add additional config on this site B MikroTik, and like I said, if I did specify specific subnets on the site C MikroTik then I'd also just add the site B subnet in that allowed address and it would work the same way; the principle is exactly the same. And if you see it doesn't work, then I also just want to stress: check the firewall rules again, and also just maybe disable and re-enable your peers, and see if that maybe, and hopefully, fixes your issue. But this covers, I hope, all the basic scenarios that I think that you might get when you configure WireGuard. It's been a trip, but I'm really hoping this is the last video I make regarding WireGuard. I hope you guys enjoyed; I'd like to thank my YouTube and Patreon members for supporting the channel, as well as everybody that just watches the channel. I'll see you guys in the next video, have a good day, bye.
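The whole three-site lab from the video (hub at site A, spoke at site B, road warrior at site C, plus the spoke-to-spoke addition) written out as a RouterOS v7 CLI script. This is an added example, not the video's own configuration: the public keys, site A's WAN address and WAN interface name are placeholders to replace, and the srcnat masquerade on site A for site C's internet traffic is my assumption, since the video never shows it.

```routeros
# ---------- Site A: hub (LAN 172.16.10.0/24, tunnel 192.168.32.1/24) ----------
/interface wireguard add name=wg-mikrotik-a listen-port=13231
/ip address add address=192.168.32.1/24 interface=wg-mikrotik-a
# allowed-address = what lives on the far side of the tunnel: the peer's tunnel IP
# as a /32 plus its LAN. No endpoint: the spokes sit behind NAT and initiate.
/interface wireguard peers add interface=wg-mikrotik-a comment="site-b" \
    public-key="<SITE-B-PUBLIC-KEY>" \
    allowed-address=192.168.32.2/32,172.16.20.0/24 persistent-keepalive=25s
/interface wireguard peers add interface=wg-mikrotik-a comment="site-c" \
    public-key="<SITE-C-PUBLIC-KEY>" \
    allowed-address=192.168.32.3/32,172.16.30.0/24 persistent-keepalive=25s
# RouterOS does not derive routes from allowed-address; add them statically.
/ip route add dst-address=172.16.20.0/24 gateway=wg-mikrotik-a comment="site-b LAN"
/ip route add dst-address=172.16.30.0/24 gateway=wg-mikrotik-a comment="site-c LAN"
# Firewall: accept the handshake only on the WAN interface, and let the LANs
# forward to each other. place-before=0 puts the rules ahead of a default-firewall
# drop. Repeat the forward rules on B and C if they run the default firewall too.
/ip firewall filter add chain=input protocol=udp dst-port=13231 \
    in-interface=<WAN-INTERFACE> action=accept comment="wireguard in" place-before=0
/ip firewall filter add chain=forward src-address=172.16.10.0/24 \
    dst-address=172.16.20.0/24 action=accept place-before=0
/ip firewall filter add chain=forward src-address=172.16.20.0/24 \
    dst-address=172.16.10.0/24 action=accept place-before=0
# Assumption (not shown in the video): site C sends 0.0.0.0/0 through the hub, so
# the hub must masquerade that traffic on its WAN for the 8.8.8.8 ping to work.
/ip firewall nat add chain=srcnat src-address=172.16.30.0/24 \
    out-interface=<WAN-INTERFACE> action=masquerade

# ---------- Site B: spoke (LAN 172.16.20.0/24, tunnel 192.168.32.2/24) ----------
/interface wireguard add name=wg-mikrotik-b listen-port=13231
/ip address add address=192.168.32.2/24 interface=wg-mikrotik-b
# The spoke initiates, so it needs the hub's endpoint. allowed-address also
# carries site C's LAN so that B and C can reach each other via the hub.
/interface wireguard peers add interface=wg-mikrotik-b comment="site-a" \
    public-key="<SITE-A-PUBLIC-KEY>" \
    endpoint-address=<SITE-A-WAN-IP> endpoint-port=13231 \
    allowed-address=192.168.32.1/32,172.16.10.0/24,172.16.30.0/24 \
    persistent-keepalive=25s
/ip route add dst-address=172.16.10.0/24 gateway=wg-mikrotik-b comment="site-a LAN"
/ip route add dst-address=172.16.30.0/24 gateway=wg-mikrotik-b comment="site-c via hub"

# ---------- Site C: road warrior (LAN 172.16.30.0/24, tunnel 192.168.32.3/24) ----------
# Created from the CLI the listen-port is random; print it if this box ever has
# to accept inbound peers and needs a matching input rule.
/interface wireguard add name=wg-mikrotik-c
/interface wireguard print
/ip address add address=192.168.32.3/24 interface=wg-mikrotik-c
# The host route to the hub via the real uplink must exist before the 0.0.0.0/0
# route below; otherwise the tunnel's own UDP packets get routed into the tunnel.
/ip route add dst-address=<SITE-A-WAN-IP>/32 gateway=192.168.149.152
/interface wireguard peers add interface=wg-mikrotik-c comment="site-a" \
    public-key="<SITE-A-PUBLIC-KEY>" \
    endpoint-address=<SITE-A-WAN-IP> endpoint-port=13231 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip route add dst-address=0.0.0.0/0 gateway=wg-mikrotik-c

# ---------- Checks (run on whichever router you are on) ----------
# last-handshake, rx and tx per peer
/interface wireguard peers print detail
# routes added after the peer came up and pings still time out: bounce the peer
/interface wireguard peers disable [find comment="site-a"]
/interface wireguard peers enable [find comment="site-a"]
# source the ping from the LAN address so the reply is routed back over the tunnel
/ping 172.16.30.1 src-address=172.16.20.1 count=3
```

The video's site C had no existing default route; if yours already has one over LTE or WLAN, the 0.0.0.0/0 route via the tunnel needs a lower distance (or a routing mark) to take precedence, which goes beyond what the video shows.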
Info
Channel: The Network Berg
Views: 26,971
Keywords: #Site-To-Site, #Wireguard, mikrotik, mikrotik ospf, network berg
Id: P6f8Qc4EItc
Length: 28min 29sec (1709 seconds)
Published: Mon Jun 06 2022