Great walkthrough!!! Unfortunately, Wireguard connections are not shown in the router log. I understand that it is a "stateless" protocol. However, there must be some form of logging user access. Please consider adding a video to show how to add this feature! Keep up the good work Mikrotik!!!
I have the same issue. I send two counted pings every minute using the scheduler. It could be possible to add an extra “if” sentence to send info to the log when the ping fails.
what are the firewall/nat rules we need to use in order to connect from our phone to our router and access the internet via the tunnel? could you export that part of the config?
An excellent concise video - it works great. Is DHCP a possibility with the Wireguard Android App, and if so, how does this effect the peer settings in Mikrotik routerOS side?
I noticed you left the allowed IPs optional in iphone setup. But if I do so, the wireguard connection doesn't work. I have to put 0.0.0.0/0 on the allowed ips on iphone side. Anything I am missing ?
I am sorry but this wideo is below standards! To much details you assumed and did not explain. You did not try your connection at the end... you did not explain how to check if connection is established... and many other things...
Edit: I got the answer to my first question. At first it seemed like this was for situations where you had static IPs at both ends, but I see that you just need 1 node to be static (or maybe ddns works? dunno.) I can get a connection, but it isn't able to reach anything on my private network. The .100.1 network you said we could add isn't able to reach my private network. I added the rules you showed, but I think there is either a masquerade or a route missing.
I have this problem too…. I had it working with a forward rule from wireguard interface to bridge interface, but I ended up hard resetting my router and haven’t been able to make it work again 🤷♂️
Great tutorial, thanks! I wonder - is there a way to make this work in case I forgot to disconnect with VPN, but I came home and my WiFi kicked in? If that happens, my phone cannot access anything (neither LAN, nor the internet)
if youre still searching for a solution, setup Connection on Demand in your mobile Wireguard Client and add the SSIDs on which you dont want to have an active connection
@@exen900 I don't see this in my mobile Wireguard Client - I can only set the connection per application (or exclude from application), but nothing about the SSIDs. I'm on version 1.0.20231018, running on Android.
@@exen900 what automation apps do you mean? Stuff like Samsung's Bixby? It doesn't allow to steer wireguard VPN, only the stock VPN protocols, built into the OS... What do you use?
@@mikrotik you can show it in CLI, Winbox, and even by Web. As Mikrotik show graphs via 192.168.88.1/graphs it can show wiregard connect info by 192.168.88.1/wireguard for example.
After wast some time on configuration i try to change the 13231 port ...... baang work perfectly !! [i think my provider filtrate the default port (Iliad)] thanks for you tutorial !!!
after following all the instructions what you are saying finally can't turn on the button on my phone to connect. error bringing up tunnel. VPN is not authorized by user.
Is there any way to combine this with tethering? I mean I have working Wireguard connection on my Android Device, but when I start tethering to other devices it works through base connection. I want to Tether VPN as well. Tethering app is not excluded in the app.
Hi i have installed MikroTik CHR, could you please guide me how to enable DDNS Cloud! I had before mikrotik rb 2011 worked, but will CHR not working. Thanks.
I wonder what to do, if public wifi is blocking "WG" like blocking UDP or something like that. Even using open ports did not made my device to handshake :/ Mostly airport wifi´s.
But wireguard is not passing any traffic when it is showing peer packets in tx and rx section but on the wireguard interface there is nothing in EVENG Lab ?
following this video I've been partially successful to enable wireguard on my router and my mobile! But my mobile doesn't connects to internet when the VPN tunnel is active! How to solve this and get to internet?
Is there an update for Mikrotik IOS app coming up that support WireGuard configuration properly ? Currently on ios if i go to config a peer allowed ip they doesnt show up I need to resort to ssh when there is a need to edit peers configuration
Did everything that was said in the video step-by-step on pure hAP ax2 with QuickSet configuration. Still doesn't work. Can't even understand where's the problem. Traffic just doesn't go through.
It works, but I don't have a clue what is wrong with my config because while connected bandwidth is very limited. I have at home 1/1Gbps, but while connected with phone using wireguard I have poor 0,2Mbps :( I know that I can be limited by mobile connection - but without VPN my score only mobile phone is around 100Mbps. Tried to play a bit with Queues but I didnt get any better results.
Hi, I use my Mikrotik RB750Gr3 as DHCP server. Trying to setup Wireguard as shown in this guide doesn't work. It works fine if don't use my routerboard as DHCP server. Anyone can help me?
did NOT work at all. Followed this exactly, didn't work. Used the QR code instead, didn't work. TX packets , no RX packets. Router doesn't even see me connecting. And yet I did exactly everything you did in the video.
Estimados, puedo contectar la VPN a mi Mikrotik, pero no puedo salir a internet desde el cliente wireguard, tengo todo tal cual lo hacen en el tutorial, porfavor ayudenme.
Mikrotik - молодцы, конечно. Развиваются и побыстрее многих. Но кто-нибудь может объяснить, почему они WireGuard добавили в семерку на ВСЕ платформы, а ZeroTier, вроде как использующий для коммуникации тот же самый wg, работает только на arm архитектуре? Ужасно обидно. Это такой ненавязчивый способ донести мысль "переходите, парни, на наши новые роутеры"? как было бы приятно заполучить доступ к куче CPE устройств, стоящих за NAT'ом. Но многие из них, (или например вполне себе современный SXT LTE6 Kit) придется настраивать для доступа отдельно и специально поднимая VPN клиент...
печально что нет для CHR .... в принципе всё остальное постольку поскольку, скорее всего по ресурсам не тянет ... но вот то что нет для пк .... это прямо странно ...
@@KonstantinovAG согласен. про CHR прям странно тоже. но насчет остальных - фиг знает. какой-нибудь hex [s] вряд ли сильно уступит процессором то. а по памяти так и побьет hap ac2 (не считая первых версий, где mt вкрячивал 256 вместо обещанных 128 рамы).
Heloo all, on wifi works on Cellular data NOT work . I have a pppoe connection to internet , i have ddns on my ip , still dont work ... Any Help Thanq .
You rushed the end way to fast. At the beginning you didn't mention using wireguard to config the router or to go to the internet but "to access your home network securely (vpn in general) and then more specifically for wireguard to access devices/resources at work or at the office, BUT THEN YOU WANDERED OFF COURSE. You actually configured the smart device to go out the internet of the home or office and then added a rule without much explanation on the input chain which allows one to access the config. Thus I grade this video as 6/10. There was also no mention of routing which needs to be at least noted/considered for each Wireguard setup. On my iphone, I use Wireguard to connect to my router and then I use the MT App to access the config.
@@mikrotik I am talking about a consistent video/messaging. Yes adding 0.0.0.0/0 (for internet) also includes the subnets on the mikrotik router but did you explain that, NO! Did you clearly explain that the user can add the wireguard interface to the LAN interface list and then any associated firewall rules apply? NO. Did you state that to access LAN resources, the firewall rules should be checked to ensure they allow or at least dont block WG interface to LAN interface traffic? Not really, you made a vague reference to drop all rules and then quickly moved on. I am all for a short basic video but you missed the mark here. Finally how do you propose the user from his smart phone access the router config............. just by using wireguard to connect to the router is NOT the entire solution and yes the need for an allow input chain rule is 1/2 way there. Yes, in some cases one need not change a config, but one should learn to confirm that the firewall rules work and the routes work as a damn good habits, especially for the beginner.
@@Anavllama it works for me, i could get access to router and LAN without any additional settings. I already had l2tp connection, so i connected to mikrotik and just add wireguard connection.
@@Goldman5800 Yes it works on my router (hAP ac^2) after after I made the l2tp settings, one question how can I made a second WireGuard(2) for one other phone on mikrotik ?
@@mikrotik I don't think, but I know. Among those RUclipsrs that I subscribe to, no one reads from the screen, because, firstly, it is unnatural, and secondly, the audience immediately notices this and puts a dislike from the beginning. Any child can read from the screen, but a real specialist should radiate from the consciousness, and not be a monkey reading a teleprompter.
@@mikrotik I have successfully configured everything according to your instructions. It was simple and fast. Thanks for that! I additionally had to enable DDNS and so I could connect to my RB3011 from outside (VPN into the office with my Android device). When I establish a connection this way I can connect to the router using the Mikrotik Android app (it downloads plugins, I can look up and configure things). BUT: When I try to connect to other devices (for example to a Windows Server using Android app "RD Client" for Remote Desktop) it cannot find that device. I assume it has something to do with "allowed-address" setting in WG peers tab. My config: Router (192.168.1.100/24), WG address (192.168.1.101/24) WG peers "Allowed Address" (192.168.1.102/24 but I have tried 192.168.1.0/24 as well without success), my Android device (192.168.1.103/24). Could you please help me what I need to successfully connect to other devices in my office network, too?
Great walkthrough!!! Unfortunately, Wireguard connections are not shown in the router log. I understand that it is a "stateless" protocol. However, there must be some form of logging user access. Please consider adding a video to show how to add this feature! Keep up the good work Mikrotik!!!
I have the same issue. I send two counted pings every minute using the scheduler. It could be possible to add an extra “if” sentence to send info to the log when the ping fails.
WICKED video, i just took my RB750-g3 out, updated to 7.3 and woah !! NICE !!! Thanks sir !!
what are the firewall/nat rules we need to use in order to connect from our phone to our router and access the internet via the tunnel?
could you export that part of the config?
Thank you for explaining this thoroughly!
An excellent concise video - it works great.
Is DHCP a possibility with the Wireguard Android App, and if so, how does this effect the peer settings in Mikrotik routerOS side?
I noticed you left the allowed IPs optional in iphone setup. But if I do so, the wireguard connection doesn't work. I have to put 0.0.0.0/0 on the allowed ips on iphone side. Anything I am missing ?
I am sorry but this wideo is below standards! To much details you assumed and did not explain.
You did not try your connection at the end... you did not explain how to check if connection is established... and many other things...
thanks for the great quality of contenu. What do you use in camera and lense ? i never see this sharpness of video
Great tutorial, I had to add rule into forward chain from wireguard interface to LAN in order to access the LAN.
I have access to lan from smartphone and Linux PC.
can you help me out, is not working for me...
@@josecallejas3549just add forward chain for src address and dst address and accept it in filter rules
@@josecallejas3549 try adding the wiregurad subnet to your routing.
Edit: I got the answer to my first question. At first it seemed like this was for situations where you had static IPs at both ends, but I see that you just need 1 node to be static (or maybe ddns works? dunno.)
I can get a connection, but it isn't able to reach anything on my private network. The .100.1 network you said we could add isn't able to reach my private network. I added the rules you showed, but I think there is either a masquerade or a route missing.
I have this problem too…. I had it working with a forward rule from wireguard interface to bridge interface, but I ended up hard resetting my router and haven’t been able to make it work again 🤷♂️
@@domhamai Yea, the 2nd input rule is incorrect. It should be a forward rule.
I cant access to the local server from my mobile?
The same problem
@@ayadwalid680 There is a firewall on the server that blocks access! try turning it off!
@@ayadwalid680 you are using SMB access on the server?
Great tutorial, thanks! I wonder - is there a way to make this work in case I forgot to disconnect with VPN, but I came home and my WiFi kicked in? If that happens, my phone cannot access anything (neither LAN, nor the internet)
I think you just go and deactivate the wireguard tunnel on your phone. Another option is to disable “Block untunnelled traffic” in you’re peer config.
if youre still searching for a solution, setup Connection on Demand in your mobile Wireguard Client and add the SSIDs on which you dont want to have an active connection
@@exen900 I don't see this in my mobile Wireguard Client - I can only set the connection per application (or exclude from application), but nothing about the SSIDs. I'm on version 1.0.20231018, running on Android.
@@shalak001 interesting, seems like that Option is not existent on Android, only with dedicated automation apps.
@@exen900 what automation apps do you mean? Stuff like Samsung's Bixby? It doesn't allow to steer wireguard VPN, only the stock VPN protocols, built into the OS... What do you use?
Nice presentation thanks mikrotik
Very helpful video ! thanks MikroTik ! Can you please answer if there is a possibility to connect a second phone on Wireguard ?
It would be cool to combine WireGuard with RADIUS in RouterOS!
This steps worked fine on my Windows Laptop however on my M1 Macbook do not. Does it need some extra configuration?
straight to the point.
Just make QR generator in next update pls!
Like in linuxserver/wireguard docker image.
Where to show the code? In winbox?
@@mikrotik yep. But if u will make it in CLI too - it will rly cool. Thanks for the answer!
@@mikrotik you can show it in CLI, Winbox, and even by Web. As Mikrotik show graphs via 192.168.88.1/graphs it can show wiregard connect info by 192.168.88.1/wireguard for example.
@@mikrotik an export button (to PNG) would also be a great option
Hi! QR code generator would be really usefull. I like any of the suggetions.
Short and to the point. Subtitles would help to understand the Latvian accent.
Great helpful video, thanks!
I love mikrotik! Thanks)
Bit quick and the phone key bit out of order. But worked first time. Thankyou
After wast some time on configuration i try to change the 13231 port ...... baang work perfectly !! [i think my provider filtrate the default port (Iliad)] thanks for you tutorial !!!
I can make the tunnel but I cannot navigate, can you tell me why?
short but yet precise video. thank you so much, its working 100%
after following all the instructions what you are saying finally can't turn on the button on my phone to connect.
error bringing up tunnel. VPN is not authorized by user.
Hi, did it work if the provider do a CG-NAT? Thanks
What are the steps for setting up multiple peers I.E for laptop and cellphone access with wireguard on the MikroTik router?
Make other WG peers in mikrotik with other ipaddress
Hi how about Site to site vpn? and both mikrotik routers are behind NAT device and our region we can't forward ports. Any solution?
Is there any way to combine this with tethering? I mean I have working Wireguard connection on my Android Device, but when I start tethering to other devices it works through base connection. I want to Tether VPN as well. Tethering app is not excluded in the app.
Hi i have installed MikroTik CHR, could you please guide me how to enable DDNS Cloud! I had before mikrotik rb 2011 worked, but will CHR not working. Thanks.
Very helpful Video as always .
I wonder what to do, if public wifi is blocking "WG" like blocking UDP or something like that. Even using open ports did not made my device to handshake :/ Mostly airport wifi´s.
Is there updated tutorial for latest OS?
Peer tab is different, why there is an addition of private key?
But wireguard is not passing any traffic when it is showing peer packets in tx and rx section but on the wireguard interface there is nothing in EVENG Lab ?
Thanks well done, for the endpoint key in your Routers internet Address static that is
following this video I've been partially successful to enable wireguard on my router and my mobile! But my mobile doesn't connects to internet when the VPN tunnel is active! How to solve this and get to internet?
My client wouldn't connect to the MT Server (using cloud dyndns cloud name) after the MT router changed its IP. Keep alive was set.
support for running wireguard on top of vrf when?
l2tp has this, but it doesnt work together with ipsec.
Am I missing something, I totally don't see the wireguard option on my router. I updated the router to latest model and I don't see wireguard at all
Is there an update for Mikrotik IOS app coming up that support WireGuard configuration properly ?
Currently on ios if i go to config a peer allowed ip they doesnt show up
I need to resort to ssh when there is a need to edit peers configuration
Did everything that was said in the video step-by-step on pure hAP ax2 with QuickSet configuration. Still doesn't work. Can't even understand where's the problem. Traffic just doesn't go through.
Competition is very high. Is there any chance mikrotik would bring better features than fortigate and pfsense?
What features are you missing?
@@mikrotik Suricata & Snort rules IPS Integration
is there any chance to include the src. address in wireguard? as they have in the l2tp client
I don't have this Menu. Do I have to download a package? Is there a NordLynx package somewhere? thx
Your MikroTik device must be running RouterOS v7 (latest is v7.12.1). Use the "check for updates" feature and it can upgrade itself.
But how to put wireguard clients into my home subnet?
tks for short videos, and how to add the second wiguard & peer on same interface (192.168.100.1/24) ?
It works, but I don't have a clue what is wrong with my config because while connected bandwidth is very limited. I have at home 1/1Gbps, but while connected with phone using wireguard I have poor 0,2Mbps :( I know that I can be limited by mobile connection - but without VPN my score only mobile phone is around 100Mbps. Tried to play a bit with Queues but I didnt get any better results.
The way explain public key is extremely confusing
excellent i love you video
Hi, I use my Mikrotik RB750Gr3 as DHCP server. Trying to setup Wireguard as shown in this guide doesn't work. It works fine if don't use my routerboard as DHCP server. Anyone can help me?
Es saprotu ka tā nav mikrotika vaina, bet kā var tik pretīgi sarežģītu uztaisīt? Kas vainas ip+lietotāja vārds+parole?
Jo Lietotājs un Parole ir nedrošāk
at least in android you need to add allowed IPs .. that did the trick for me!
ummm wireguard client??? Where do I find that for my Android Phone?
Play store
How to connect Mikrotik configure as WISP AP + Wireguard client to extrernal Ubuntu Wireguard server??? Please EXPLAIN!
You dont know how.
help.mikrotik.com/docs/display/ROS/WireGuard
Did all steps and does not work. Can not reach anything in my LAN. There is no information how to check logs. plug and pray technology!
did NOT work at all. Followed this exactly, didn't work. Used the QR code instead, didn't work. TX packets , no RX packets. Router doesn't even see me connecting. And yet I did exactly everything you did in the video.
I want to video setting mesh in mikrotik, please
Estimados, puedo contectar la VPN a mi Mikrotik, pero no puedo salir a internet desde el cliente wireguard, tengo todo tal cual lo hacen en el tutorial, porfavor ayudenme.
Mikrotik - молодцы, конечно. Развиваются и побыстрее многих. Но кто-нибудь может объяснить, почему они WireGuard добавили в семерку на ВСЕ платформы, а ZeroTier, вроде как использующий для коммуникации тот же самый wg, работает только на arm архитектуре? Ужасно обидно. Это такой ненавязчивый способ донести мысль "переходите, парни, на наши новые роутеры"? как было бы приятно заполучить доступ к куче CPE устройств, стоящих за NAT'ом. Но многие из них, (или например вполне себе современный SXT LTE6 Kit) придется настраивать для доступа отдельно и специально поднимая VPN клиент...
ZeroTier uses custom protocol and doesn't rely on WireGuard.
печально что нет для CHR .... в принципе всё остальное постольку поскольку, скорее всего по ресурсам не тянет ... но вот то что нет для пк .... это прямо странно ...
@@VaKU. hm. it is possible. it just came across somewhere that wg, but I admit that there was an error in the article
@@KonstantinovAG согласен. про CHR прям странно тоже. но насчет остальных - фиг знает. какой-нибудь hex [s] вряд ли сильно уступит процессором то. а по памяти так и побьет hap ac2 (не считая первых версий, где mt вкрячивал 256 вместо обещанных 128 рамы).
Heloo all, on wifi works on Cellular data NOT work . I have a pppoe connection to internet , i have ddns on my ip , still dont work ... Any Help Thanq .
Works fine on LTE. Most likely a configuration issue. Ask in our user forum for assistance
It's not working, when ip changed.
it is not compatible with ddns
Thanks
no age restriction to make art!
não conecta em rede externa poderia explicar mais sobre endpoint.
It's only working locally
You rushed the end way to fast. At the beginning you didn't mention using wireguard to config the router or to go to the internet but "to access your home network securely (vpn in general) and then more specifically for wireguard to access devices/resources at work or at the office, BUT THEN YOU WANDERED OFF COURSE. You actually configured the smart device to go out the internet of the home or office and then added a rule without much explanation on the input chain which allows one to access the config. Thus I grade this video as 6/10. There was also no mention of routing which needs to be at least noted/considered for each Wireguard setup. On my iphone, I use Wireguard to connect to my router and then I use the MT App to access the config.
The setup in the video allows phone to access both the router and the LAN devices. No extra config is needed for that.
@@mikrotik I am talking about a consistent video/messaging. Yes adding 0.0.0.0/0 (for internet) also includes the subnets on the mikrotik router but did you explain that, NO! Did you clearly explain that the user can add the wireguard interface to the LAN interface list and then any associated firewall rules apply? NO. Did you state that to access LAN resources, the firewall rules should be checked to ensure they allow or at least dont block WG interface to LAN interface traffic? Not really, you made a vague reference to drop all rules and then quickly moved on. I am all for a short basic video but you missed the mark here. Finally how do you propose the user from his smart phone access the router config............. just by using wireguard to connect to the router is NOT the entire solution and yes the need for an allow input chain rule is 1/2 way there. Yes, in some cases one need not change a config, but one should learn to confirm that the firewall rules work and the routes work as a damn good habits, especially for the beginner.
@@Anavllama it works for me, i could get access to router and LAN without any additional settings. I already had l2tp connection, so i connected to mikrotik and just add wireguard connection.
@@Goldman5800 Yes it works on my router (hAP ac^2) after after I made the l2tp settings, one question how can I made a second WireGuard(2) for one other phone on mikrotik ?
mantap menambah ilmu
Thx
Still waiting the ROS v7xx in Stable update channel...
It is in stable channel for many months. If you are in v6 now, you must select channel “UPGRADE” first
@@mikrotik My bad, I've just checked. Thanks for your video btw.
android os 13 not working
Nice )
Dont read from screen!
If you think other RUclipsrs don’t read from screen … you are sadly mistaken 😊
@@mikrotik I don't think, but I know. Among those RUclipsrs that I subscribe to, no one reads from the screen, because, firstly, it is unnatural, and secondly, the audience immediately notices this and puts a dislike from the beginning. Any child can read from the screen, but a real specialist should radiate from the consciousness, and not be a monkey reading a teleprompter.
Site2Site pls
I think wireguard is better but I don't think this will work on site to site router connections where one router has no static IP.
how to use ipv6 with this wireguard? Please guide. Thank you! @Mikrotik
Вельми вдячний
Just make one for soft soft mobile
We have. Search the app store for mikrotik.
I tried step by step. It does not work.
Try again, but slowly ☺️
@@mikrotik It was my dual modem... I was using the wrong public ip 🤦♂🤦♂
@@mikrotik I have successfully configured everything according to your instructions. It was simple and fast. Thanks for that!
I additionally had to enable DDNS and so I could connect to my RB3011 from outside (VPN into the office with my Android device). When I establish a connection this way I can connect to the router using the Mikrotik Android app (it downloads plugins, I can look up and configure things).
BUT: When I try to connect to other devices (for example to a Windows Server using Android app "RD Client" for Remote Desktop) it cannot find that device. I assume it has something to do with "allowed-address" setting in WG peers tab. My config: Router (192.168.1.100/24), WG address (192.168.1.101/24) WG peers "Allowed Address" (192.168.1.102/24 but I have tried 192.168.1.0/24 as well without success), my Android device (192.168.1.103/24).
Could you please help me what I need to successfully connect to other devices in my office network, too?
@@brianjohnson3621 Yes. It was simple and fast, and no handshake. Android 12. No handshake, no traffic, no error messages in logs. New RB3011
Ok, working... :D Sorry.
/ip/firewall/filter add action=accept chain=input comment="Allow WireGuard" dst-port=13231 protocol=udp place-before=1
/ip/firewall/filter add action=accept chain=input comment="Allow WireGuard traffic" src-address=192.168.100.0/24 place-before=1
How to get public key in phone?
Open WireGuard app, create new tunnel, click generate key pair
@@mikrotik thanks. But it says back to home not available. Im from philippines. Thanks to this tutorial by the way
Not working