This setup is a great way to give your home or office network a static Public IP, especially if you are behind CGNAT. You are essentially creating a "tunnel" where the VPS acts as the gateway to the internet for your MikroTik LAN.

Prerequisites

  • A VPS (Ubuntu 22.04 or 24.04 recommended) with a Public IP.
  • A MikroTik Router (ROS v7.x is required for WireGuard support).
  • IP Forwarding enabled on the VPS.

Step 1: Configure the VPS (Server)

First, install WireGuard and enable packet forwarding so traffic can flow through the VPS.

  1. Install WireGuard:

    sudo apt update && sudo apt install wireguard -y
    
  2. Enable IP Forwarding: Edit /etc/sysctl.conf and uncomment net.ipv4.ip_forward=1, then apply:

    sudo sysctl -p
    
  3. Generate Keys:

    wg genkey | tee privatekey | wg pubkey > publickey
    
  4. Create Config (/etc/wireguard/wg0.conf): Replace <VPS_PRIVATE_KEY> with the key you just generated.

    [Interface]
    PrivateKey = <VPS_PRIVATE_KEY>
    Address = 10.0.0.1/24
    ListenPort = 51820
    
    # Replace 'eth0' with your VPS network interface name
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
    
    [Peer]
    PublicKey = <MIKROTIK_PUBLIC_KEY>
    AllowedIPs = 10.0.0.2/32, 192.168.88.0/24
    

    Note: 192.168.88.0/24 should be your MikroTik’s LAN subnet.


Step 2: Configure the MikroTik (Client)

  1. Create WireGuard Interface: Navigate to WireGuard in Winbox. Click + to add a new interface.

    • Name: wireguard-vps

    • Listen Port: 51820

    • Copy the Public Key (this is what you paste into the VPS config as <MIKROTIK_PUBLIC_KEY>).

  2. Add IP Address to Interface: Go to IP > Addresses:

    • Address: 10.0.0.2/24

    • Interface: wireguard-vps

  3. Add Peer: Under the WireGuard > Peers tab:

    • Interface: wireguard-vps

    • Public Key: (The Public Key from your VPS)

    • Endpoint: VPS_PUBLIC_IP

    • Endpoint Port: 51820

    • Allowed IPs: 0.0.0.0/0 (This permits any destination to be sent to, and accepted from, this peer; which traffic actually uses the tunnel is decided by the routing rules in Step 3).

    • Persistent Keepalive: 25s


Step 3: Routing LAN Traffic through the VPN

To make your LAN use the VPS IP, we use Policy Based Routing (PBR): only LAN-originated traffic is sent through the tunnel, so the router's own traffic stays on the normal route and you don't lose access to the router itself.

  1. Create a Routing Table: Go to Routing > Tables. Add a new table:

    • Name: via-vps

    • FIB: Checked

  2. Add a Route for the Table: Go to IP > Routes. Add a new route:

    • Dst. Address: 0.0.0.0/0

    • Gateway: 10.0.0.1 (The VPS WireGuard IP)

    • Routing Table: via-vps

  3. Create a Mangle Rule: Go to IP > Firewall > Mangle. This identifies LAN traffic and marks it for the VPS route.

    • Chain: prerouting

    • Src. Address: 192.168.88.0/24 (Your LAN)

    • Dst. Address: !192.168.88.0/24 (Important: the ! negates the match, so traffic that stays inside the LAN is NOT marked)

    • Action: mark routing

    • New Routing Mark: via-vps

  4. Add NAT (Masquerade): Go to IP > Firewall > NAT:

    • Chain: srcnat

    • Out. Interface: wireguard-vps

    • Action: masquerade
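
  The Winbox settings from Steps 2 and 3 as one RouterOS v7 terminal script, added here as an example and not part of the original post; <VPS_PUBLIC_KEY> and <VPS_PUBLIC_IP> are placeholders you substitute, and the tunnel addresses and LAN subnet are the ones used above.

```routeros
# Added example (not from the original post): RouterOS v7 CLI equivalent of Steps 2 and 3.
# Placeholders to substitute: <VPS_PUBLIC_KEY>, <VPS_PUBLIC_IP>.

# Step 2.1 - create the WireGuard interface; the router generates its own key pair
/interface/wireguard add name=wireguard-vps listen-port=51820
# Show the router's public key; paste it into the VPS config as <MIKROTIK_PUBLIC_KEY>
/interface/wireguard print

# Step 2.2 - tunnel address on the router side
/ip/address add address=10.0.0.2/24 interface=wireguard-vps

# Step 2.3 - the VPS as peer. allowed-address=0.0.0.0/0 permits any destination
# through this peer; it does not install a route by itself (that is Step 3)
/interface/wireguard/peers add interface=wireguard-vps public-key="<VPS_PUBLIC_KEY>" endpoint-address=<VPS_PUBLIC_IP> endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s

# Step 3.1 - separate routing table with its own FIB
/routing/table add name=via-vps fib

# Step 3.2 - default route that exists only in that table, via the VPS tunnel IP
/ip/route add dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=via-vps

# Step 3.3 - mark LAN-originated traffic bound for anywhere outside the LAN;
# the ! keeps LAN-to-LAN traffic on the main table
/ip/firewall/mangle add chain=prerouting src-address=192.168.88.0/24 dst-address=!192.168.88.0/24 action=mark-routing new-routing-mark=via-vps

# Step 3.4 - source NAT so packets leave the tunnel as 10.0.0.2
/ip/firewall/nat add chain=srcnat out-interface=wireguard-vps action=masquerade

# Verification: once the VPS side is up, last-handshake, rx and tx should advance
/interface/wireguard/peers print
/ip/route print where routing-table=via-vps
```

Paste the commands one at a time in the terminal, or save them as a script; the two print commands at the end are the CLI counterpart of the Rx/Tx check in Step 4.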


Step 4: Finalizing

  1. Start the WireGuard service on the VPS: sudo wg-quick up wg0.

  2. Check the Peers tab in MikroTik. You should see "Rx" and "Tx" traffic increasing.

  3. From a device on your MikroTik LAN, visit icanhazip.com. It should now display your VPS Public IP.

Quick Troubleshooting Tips:

  • MTU Issues: If websites load slowly or partially, set the MTU on the WireGuard interface (both sides) to 1420 or 1320.

  • Firewall: Ensure the VPS has port 51820 UDP open in its cloud firewall (security groups).
