# WireGuard

How to configure WireGuard on RouterOS so that ordinary devices can connect. Everything here follows the [official documentation](https://help.mikrotik.com/docs/display/ROS/WireGuard).

Note: the private/public key pairs shown in the `print` output below are the example keys from the MikroTik documentation, so they are public and must never be reused. The router generates its own keypair when the interface is created; client keys should be generated locally, not on a third-party web page.

## RoadWarrior WireGuard tunnel

### Router

- Create the WireGuard interface

After it is created, open the interface under WireGuard to see the router's public key; clients need it later for their `[Peer]` section.

```
/interface/wireguard \
add listen-port=13231 name=wireguard
```

- Add the address used for WireGuard

The router's own tunnel address is `10.1.1.1`; clients get the remaining addresses in `10.1.1.0/24`. (The interface must exist before an address can be attached to it, which is why this step comes second.)

```
/ip address \
add address=10.1.1.1/24 interface=wireguard
```

- Add the WireGuard interface to the LAN list

```
/interface list member \
add interface=wireguard list=LAN
```

- Add a peer (one profile per user)

Generate the client keypair first. The original write-up uses the [config generator site](https://www.wireguardconfig.com/); generating locally with `wg genkey | tee client.key | wg pubkey` keeps the private key off any third-party page. Each peer's `allowed-address` is that client's own tunnel address as a /32, not the whole subnet: `allowed-address` is both the route to that peer and the source-address filter for packets arriving from it, so a /24 would let one client send packets as any address in the subnet and would collide with the next peer you add. No endpoint is configured because a road-warrior client connects from changing addresses.

```
/interface/wireguard/peers \
add allowed-address=10.1.1.20/32 interface=wireguard \
public-key="{client public key}"
```

#### Firewall

If the input chain drops by default, explicitly allow the WireGuard UDP port, and allow the WireGuard subnet to reach the router itself (clients use it for DNS).

```
/ip firewall filter \
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp place-before=1
```

- If the wireguard interface is already in the LAN list, the default firewall's accept-from-LAN rule already covers this and the rule below is usually unnecessary. If you do add it, the source must be the WireGuard subnet used here (`10.1.1.0/24`), not the `192.168.100.0/24` from the official example.

```
/ip firewall filter \
add action=accept chain=input comment="allow WireGuard traffic" src-address=10.1.1.0/24 place-before=1
```

### Client

```
[Interface]
Address = 10.1.1.20/32   # must match this peer's allowed-address on the router
ListenPort = 13231
PrivateKey = {client private key}
DNS = {router's LAN IP}

[Peer]
PublicKey = {router's WireGuard public key}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = {router's public IP}:13231
```

`AllowedIPs = 0.0.0.0/0, ::/0` sends all of the client's traffic through the tunnel, so if clients are expected to reach the internet via the router it also needs a srcnat/masquerade rule covering `10.1.1.0/24`. `ListenPort` on the client is optional.

## Site to Site WireGuard tunnel

### A Router

- Create the WireGuard interface

```
/interface/wireguard add listen-port=13231 name=wireguard
```

- Add the address used for the site-to-site tunnel

```
/ip/address add address=10.255.255.1/30 interface=wireguard
```

- Check the WireGuard keys

```
/interface/wireguard print
Flags: X - disabled; R - running
 0  R name="wireguard" mtu=1420 listen-port=13231 private-key="yKt9NJ4e5qlaSgh48WnPCDCEkDmq+VsBTt/DDEBWfEo=" public-key="u7gYAg5tkioJDcm3hyS7pm79eADKPs/ZUGON6/fF3iI="
```

- Add the WireGuard peer

The tunnel subnet added above (`10.255.255.0/30`) must be included in `allowed-address` together with the remote LAN, otherwise the two routers cannot reach each other over the tunnel. `public-key` is the other router's public key (B's, here). If one side is behind NAT or has a dynamic address, set `persistent-keepalive` on that side's peer so the mapping stays open.

```
/interface/wireguard/peers add allowed-address={B Router LAN network},10.255.255.0/30 endpoint-address={B Router public IP} endpoint-port=13231 \
interface=wireguard public-key="v/oIzPyFm1FPHrqhytZgsKjU7mUToQHLrW+Tb5e601M="
```

- Add a route

```
/ip/route add dst-address={B Router LAN network} gateway=wireguard
```

### B Router

- Create the WireGuard interface

```
/interface/wireguard add listen-port=13231 name=wireguard
```

- Add the address used for the site-to-site tunnel

```
/ip/address add address=10.255.255.2/30 interface=wireguard
```

- Check the WireGuard keys

```
/interface/wireguard/print
Flags: X - disabled; R - running
 0  R name="wireguard" mtu=1420 listen-port=13231 private-key="KMwxqe/iXAU8Jn9dd1o5pPdHep2blGxNWm9I944/I24=" public-key="v/oIzPyFm1FPHrqhytZgsKjU7mUToQHLrW+Tb5e601M="
```

- Add the WireGuard peer

As on A, the tunnel subnet `10.255.255.0/30` must be in `allowed-address` along with A's LAN, and `public-key` is A's public key.

```
/interface/wireguard/peers add allowed-address={A Router LAN network},10.255.255.0/30 endpoint-address={A Router public IP} endpoint-port=13231 \
interface=wireguard public-key="u7gYAg5tkioJDcm3hyS7pm79eADKPs/ZUGON6/fF3iI="
```

- Add a route

```
/ip/route add dst-address={A Router LAN network} gateway=wireguard
```
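The RoadWarrior section sends you to a website to generate the client keypair, and the site-to-site section has you copy key pairs off each router's `print` output. The script below is an added example, written for this page and not taken from MikroTik or the original write-up, that covers both steps offline with only the Python standard library: it implements X25519 as specified in RFC 7748 so a client keypair can be generated on an admin workstation, derives the public key from a private key so a `/interface/wireguard print` pair can be checked for consistency, and renders the matching `/interface/wireguard/peers add` line and the client `[Interface]`/`[Peer]` config. Interface name `wireguard`, port 13231, the `10.1.1.20/32` client address and the `10.255.255.0/30` tunnel net mirror the page; the `192.168.20.0/24` remote LAN, the keepalive value and the `{...}` placeholders in the demo are constructed. The Montgomery ladder here is not constant-time, which is acceptable for a one-off key generation but not for a production library.

```python
"""Generate WireGuard keys locally and emit matching RouterOS / client config.

Added example for this page (not MikroTik code). X25519 per RFC 7748 in pure
Python so no third-party package or web page ever handles the private key.
"""
import base64
import os
from typing import List, Optional

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")  # u = 9, the X25519 generator


def _clamp(k: bytes) -> int:
    """RFC 7748 scalar clamping; also what `wg genkey` applies."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """X25519(k, u): Montgomery ladder from RFC 7748 section 5 (not constant-time)."""
    k = _clamp(scalar)
    x_1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)  # mask MSB of u
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x_2, x_3 = x_3, x_2
            z_2, z_3 = z_3, z_2
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3 = pow(da + cb, 2, P)
        z_3 = x_1 * pow(da - cb, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    if swap:
        x_2, x_3 = x_3, x_2
        z_2, z_3 = z_3, z_2
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def generate_private_key() -> bytes:
    """Fresh 32-byte private key from the OS CSPRNG, pre-clamped like `wg genkey`."""
    return _clamp(os.urandom(32)).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASEPOINT)


def b64(key: bytes) -> str:
    return base64.b64encode(key).decode()


def public_b64(private_b64: str) -> str:
    """Public key for a base64 private key; use it to confirm that the pair shown by
    `/interface/wireguard print` (or a client config) really belongs together."""
    return b64(public_key(base64.b64decode(private_b64)))


def peer_command(iface: str, peer_pub_b64: str, allowed: List[str],
                 endpoint: Optional[str] = None, port: int = 13231,
                 keepalive: Optional[int] = None) -> str:
    """RouterOS `/interface/wireguard/peers add ...` for one peer.
    RoadWarrior: allowed=[client /32], no endpoint.
    Site-to-site: allowed=[remote LAN, tunnel /30], endpoint=remote public IP."""
    cmd = (f"/interface/wireguard/peers add interface={iface} "
           f"allowed-address={','.join(allowed)} public-key=\"{peer_pub_b64}\"")
    if endpoint:
        cmd += f" endpoint-address={endpoint} endpoint-port={port}"
    if keepalive:
        cmd += f" persistent-keepalive={keepalive}"  # seconds
    return cmd


def client_config(client_priv_b64: str, client_ip: str, router_pub_b64: str,
                  endpoint: str, dns: str, port: int = 13231) -> str:
    """wg-quick style client config matching the RoadWarrior section."""
    return "\n".join([
        "[Interface]", f"Address = {client_ip}/32", f"PrivateKey = {client_priv_b64}",
        f"DNS = {dns}", "", "[Peer]", f"PublicKey = {router_pub_b64}",
        "AllowedIPs = 0.0.0.0/0, ::/0", f"Endpoint = {endpoint}:{port}",
        "PersistentKeepalive = 25", "",
    ])


if __name__ == "__main__":
    # Constructed demo values; the {...} placeholders are filled in from the router.
    client_priv = generate_private_key()
    client_pub = b64(public_key(client_priv))
    print(peer_command("wireguard", client_pub, ["10.1.1.20/32"]))
    print(client_config(b64(client_priv), "10.1.1.20", "{router public key}",
                        "{router public IP}", "{router LAN IP}"))
    print(peer_command("wireguard", "{B Router public key}",
                       ["192.168.20.0/24", "10.255.255.0/30"],
                       endpoint="{B Router public IP}", keepalive=25))
```

Run it on the admin machine, paste the first line into the router and hand the client block to the user; the client's private key exists only in that output. For a site-to-site check, feed the `private-key` from each router's `print` into `public_b64()` and compare against the `public-key` you pasted into the other router's peer entry.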