Setup Wireguard With Mikrotik and Fedora Linux

  1. Ensure Mikrotik (Hex S in my case) is updated for Wireguard support
  2. In Wireguard menu on Winbox (or web manager):
    • Add a new Wireguard instance
      • Name the interface
      • Change the port number
      • Click ‘+’ next to private key
  3. Go to IP -> Addresses and add new address
    • Comment appropriately
    • Set address as something not commonly used. 192.168.100.1/24, perhaps
    • Set network address (192.168.100.0, for this case)
    • Set the interface as the Wireguard instance created above
  4. Go to IP -> Firewall
    • In Filter Rules:
      • New rule.
        • Chain = input.
        • Protocol = 17(udp).
        • Dst. Port = {your chosen port}.
        • Action = accept.
        • Comment as “Accept WG input” or something.
      • New rule.
        • Chain = forward.
        • In Interface = {WG interface set up above}.
        • Action = accept.
        • Comment as “For WG access” or something.
    • In NAT:
      • New rule.
        • Chain = srcnat.
        • Src Address = {WG network address (192.168.100.0/24)}.
        • Out Interface = {Your WAN interface}.
        • Action = masquerade
        • Comment as “Masquerade WG” or something
  5. On Fedora client (Should work similarly for any Linux distro, to be fair)
    • sudo dnf install wireguard-tools
    • umask 077; wg genkey | tee privatekey | wg pubkey > publickey (the umask makes the new key files readable only by your user)
    • sudo su. You will need to be root in terminal to access the WG folder
    • cd /etc/wireguard
    • nano wg0.conf (or name it whatever you want your connection named)
    • [Interface]
      PrivateKey = {paste private key}
      ListenPort = {your chosen port}
      Address = {IP within chosen network, e.g. 192.168.100.2}

      [Peer]
      PublicKey = {paste from Winbox}
      Endpoint = {Your public IP}:{your WG port}
      AllowedIPs = 0.0.0.0/0
      PersistentKeepalive = 20
    • Ctrl + x then ‘y’ to save
    • nmcli con import type wireguard file /etc/wireguard/{your config file}
    • firewall-cmd --add-port={your WG port}/udp
  6. Configure peer in Winbox
    • In Wireguard menu, select Peers tab and add new
    • Give it a name, and a comment if you like
    • Choose your WG interface
    • Copy/paste public key from Fedora
    • Allowed Address = {Fedora WG IP/32 (192.168.100.2/32)}
  7. Try the connection!
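
The client side of step 5, as an added example that is not part of the original post: it writes the same config under a restrictive umask so the private key never sits in a group- or world-readable file, and checks the result. The function names `write_wg_conf` and `conf_is_private` are hypothetical, and the values in angle brackets are placeholders.

```shell
#!/bin/sh
# Added example: create the WireGuard client config from step 5 with the
# private key protected by file permissions from the moment it is written.

# write_wg_conf DIR NAME PRIVKEY ADDRESS LISTEN_PORT PEER_PUBKEY ENDPOINT
write_wg_conf() {
    dir=$1 name=$2 priv=$3 addr=$4 port=$5 peer_pub=$6 endpoint=$7
    (
        umask 077                       # new files get mode 600, new dirs 700
        mkdir -p "$dir" || exit 1
        cat > "$dir/$name.conf" <<EOF
[Interface]
PrivateKey = $priv
ListenPort = $port
Address = $addr

[Peer]
PublicKey = $peer_pub
Endpoint = $endpoint
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 20
EOF
    ) || return 1
    # umask only affects newly created files, so also tighten a file
    # that already existed with looser permissions.
    chmod 600 "$dir/$name.conf"
}

# conf_is_private FILE: succeeds only if group and others have no access.
conf_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Real use, as root, with wireguard-tools installed:
#   priv=$(wg genkey)
#   printf '%s\n' "$priv" | wg pubkey    # this public key goes into Winbox (step 6)
#   write_wg_conf /etc/wireguard wg0 "$priv" 192.168.100.2 "<your WG port>" \
#       "<public key from Winbox>" "<your public IP>:<your WG port>"
#   conf_is_private /etc/wireguard/wg0.conf && echo "key file is private"
```

Keeping the key in a shell variable and a here-document means it is never written to a separate `privatekey` file and never appears in another process's arguments.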

Hopefully this is helpful if you stumble across it. I’m hoping to do more of these tutorials as I try to do more stuff myself and stumble across the internet for answers. Did this work for you? Let me know if anything doesn’t or if something confuses you above!