path: root/Wireguard Client.md
1.  **Create the WireGuard interface:**

    ```
    /interface wireguard add name=wg1 private-key="6JZgG9OmOZJ/8KU2CnmTOUYMy05IcmEusoFjuQv6eG4=" listen-port=51820
    ```

2.  **Assign an IP address to the WireGuard interface:**

    ```
    /ip address add address=10.8.0.4/24 interface=wg1
    ```

3.  **Set the DNS server:**

    ```
    /ip dns set servers=1.1.1.1
    ```

### Step 2: Add the Peer Configuration

1.  **Add the peer configuration:**

    ```
    /interface wireguard peers add interface=wg1 public-key="P2MPrD7vvp+YsyoDvLmTNz6BukiAMs1lWnnyUq3aXUE=" preshared-key="FUZoZx+xD1uhwGQhDBOYpPHUtETDSmAwltHgQN/+2J4=" allowed-address=0.0.0.0/0 endpoint-address=202.61.253.193 endpoint-port=51820 persistent-keepalive=1s
    ```


### Step 3: Configure Firewall Rules

1.  **Allow WireGuard traffic (UDP 51820):**

    ```
    /ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard"
    ```

2.  **Allow traffic from the WireGuard interface to the LAN:**

    ```
    /ip firewall filter add chain=forward in-interface=wg1 out-interface=bridge action=accept comment="Allow WireGuard to LAN"
    ```

3.  **Masquerade traffic from the WireGuard interface:**

    ```
    /ip firewall nat add chain=srcnat src-address=10.8.0.0/24 out-interface=ether1 action=masquerade comment="Masquerade WireGuard traffic"
    ```


### Step 4: Enable the WireGuard Interface

1.  **Enable the WireGuard interface:**

    ```
    /interface wireguard set wg1 disabled=no
    ```


### Step 5: Verify the Configuration

1.  **Check the WireGuard interface status:**

    ```
    /interface wireguard print
    ```

2.  **Check the peer status:**

    ```
    /interface wireguard peers print
    ```

3.  **Check the firewall rules:**

    ```
    /ip firewall filter print
    /ip firewall nat print
    ```


### Summary of Commands:

    /interface wireguard add name=wg1 private-key="6JZgG9OmOZJ/8KU2CnmTOUYMy05IcmEusoFjuQv6eG4=" listen-port=51820
    /ip address add address=10.8.0.4/24 interface=wg1
    /ip dns set servers=1.1.1.1
    /interface wireguard peers add interface=wg1 public-key="P2MPrD7vvp+YsyoDvLmTNz6BukiAMs1lWnnyUq3aXUE=" preshared-key="FUZoZx+xD1uhwGQhDBOYpPHUtETDSmAwltHgQN/+2J4=" allowed-address=0.0.0.0/0 endpoint-address=202.61.253.193 endpoint-port=51820 persistent-keepalive=1s
    /ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard"
    /ip firewall filter add chain=forward in-interface=wg1 out-interface=bridge action=accept comment="Allow WireGuard to LAN"
    /ip firewall nat add chain=srcnat src-address=10.8.0.0/24 out-interface=ether1 action=masquerade comment="Masquerade WireGuard traffic"
    /interface wireguard set wg1 disabled=no
    /interface wireguard print
    /interface wireguard peers print
    /ip firewall filter print
    /ip firewall nat print

This configuration will set up a WireGuard VPN on your MikroTik RouterOS v7, including the necessary firewall rules to allow traffic through the VPN. Make sure to replace `ether1` with the actual interface name that connects to your WAN.


6. Enable masquerade for that interface

Note: This setup assumes that you are using the default local network address used by MikroTik. If you have changed this, use that address for src-address= instead.

```
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
```

7. Redirect all internet traffic through WireGuard

```
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
```

8. Configure DNS settings
```
/ip dns
set servers=10.2.0.1
/ip dhcp-client
set 0 use-peer-dns=no
```

You also need to create a routing table (Routing > Tables):

```
/routing table add comment=percka disabled=no fib name=emri
```

Mangle:
```
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 action=mark-routing new-routing-mark=emri passthrough=no
```

After:
```
/ip route add dst-address=0.0.0.0/0 gateway=40.44.44.1 routing-mark=emri
```
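A small checker for command lines like the ones on this page, written as an added example (not code from the page or from MikroTik): it parses RouterOS commands, checks that every WireGuard key is the base64 of 32 bytes, and checks that a peer with allowed-address=0.0.0.0/0 is paired with main-table routes covering all of IPv4 (the 0.0.0.0/1 + 128.0.0.0/1 pair from step 7), because RouterOS does not install routes from allowed-address the way wg-quick does. The sample commands, the placeholder KEY and the documentation endpoint address 203.0.113.1 are constructed for the example.

```python
import base64
import ipaddress
import shlex

VERBS = {"add", "set", "print", "remove"}
def parse_ros(line):
    # Split a RouterOS command into menu path, action verb and key=value parameters.
    path, action, params = [], None, {}
    for tok in shlex.split(line):  # shlex keeps quoted key="..." values intact
        if action is None and tok in VERBS:
            action = tok
        elif action is None:
            path.append(tok)
        elif "=" in tok:
            key, _, value = tok.partition("=")
            params[key] = value
        else:
            params.setdefault("_args", []).append(tok)  # positional, e.g. wg1 in "set wg1 ..."
    params["_path"], params["_action"] = " ".join(path), action
    return params

def wg_key_ok(key):
    """Every WireGuard key (private, public, preshared) is the base64 of exactly 32 bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def routes_cover_all(dsts):
    """0.0.0.0/1 + 128.0.0.0/1 collapse to 0.0.0.0/0: more specific than the ISP default, so they win."""
    merged = list(ipaddress.collapse_addresses(ipaddress.ip_network(d) for d in dsts))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]

def check_client(lines):
    cmds = [parse_ros(l) for l in lines if l.strip()]
    findings = [f"{c['_path']}: {k} is not a 32-byte base64 key" for c in cmds
                for k in ("private-key", "public-key", "preshared-key") if k in c and not wg_key_ok(c[k])]
    full = any(c["_path"] == "/interface wireguard peers" and c.get("allowed-address") == "0.0.0.0/0" for c in cmds)
    dsts = [c["dst-address"] for c in cmds if c["_path"] == "/ip route" and "routing-mark" not in c]  # main table
    if full and not routes_cover_all(dsts):  # RouterOS does not install routes from allowed-address
        findings.append("peer allows 0.0.0.0/0 but no default route points into the tunnel")
    return findings

# Constructed sample modelled on the steps above; KEY is a placeholder, not real key material.
KEY = base64.b64encode(bytes(range(32))).decode()
CLIENT = [
    f'/interface wireguard add name=wg1 private-key="{KEY}" listen-port=51820',
    f'/interface wireguard peers add interface=wg1 public-key="{KEY}" preshared-key="{KEY}" allowed-address=0.0.0.0/0 endpoint-address=203.0.113.1 endpoint-port=51820 persistent-keepalive=25s',
]
SPLIT_ROUTES = ["/ip route add dst-address=0.0.0.0/1 gateway=10.8.0.1", "/ip route add dst-address=128.0.0.0/1 gateway=10.8.0.1"]
```

Running `check_client(CLIENT)` reports the missing default route; adding `SPLIT_ROUTES` clears it.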