In this article, I want to share how I set up a VPN connection via WireGuard between my MikroTik router and my Android phone. This VPN connection allows me to securely access my home network from anywhere in the world. The MikroTik documentation was used as the basis for this guide.

WireGuard VPN Setup on the MikroTik Router

a) Quick & Easy (without own domain)

In this quick and easy setup, MikroTik's own DDNS (Dynamic DNS) service is used. This can be activated in the terminal (source):

Enable DDNS

/ip cloud set ddns-enabled=yes

To obtain the details (needed later in the configuration), type:

/ip cloud print
ddns-enabled: yes
ddns-update-interval: none
update-time: yes
public-address: 105.142.169.100
public-address-ipv6: 2a02:610:7501:1000::2
dns-name: 420.m12345678969.sn.mynetname.net
status: updated

Create WireGuard Interface

Create a new WireGuard interface and assign an IP address to it:

/interface wireguard
add listen-port=13231 name=wireguard1
/ip address
add address=192.168.100.1/24 interface=wireguard1

This will automatically generate a pair of private and public keys. You will need the PUBLIC key for configuration of the remote device. To obtain the public key value, simply print out the interface details:

/interface wireguard print
Flags: X - disabled; R - running
 0  R name="wireguard1" mtu=1420 listen-port=13231
      private-key="random-string-not-needed-for-configuration"
      public-key="this-is-the-public-key-you-need-to-copy"

For the next steps, you will need the public key of the remote device. Continue here with Setting up the WireGuard Connection on an Android Phone.

Create WireGuard Peers

/interface wireguard peers
add allowed-address=192.168.100.10/32 interface=wireguard1 public-key="paste-public-key-from-remote-device"

Firewall considerations

Option a)
If you have a default or strict firewall configuration, you must permit the remote device to establish a WireGuard connection with your device.

/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp place-before=1

To enable remote devices to connect to RouterOS services (such as requesting DNS), you should allow the WireGuard subnet in the input chain.

/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.100.0/24 place-before=1

Option b)
Or simply add the WireGuard interface to the “LAN” interface list:

/interface list member
add interface=wireguard1 list=LAN

Continue with the setup on your remote device here with Final configuration on the remote device.

b) Configuration with an own domain

TBD ;-)

Setting up the WireGuard Connection on an Android Phone

For this setup, I am using the WireGuard App for Android.

Create a new WireGuard connection

Create a new connection with “Create from scratch”, choose a name for the interface and generate a pair of private and public keys. If you want, you can directly type in an IP address as shown in the image below. The IP address must be from the same address space as the WireGuard interface. Note down the public key and continue here with Create WireGuard Peers.

Final configuration on the remote device

Edit your recently created WireGuard connection, add a peer and populate the fields as shown in the image below. Save and test the connection.
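As an added example (not part of the original post), this is the equivalent client profile in the import format the WireGuard app accepts, using the tunnel addresses, port and DDNS name from this guide; the values in angle brackets are placeholders, and the DNS and AllowedIPs lines are assumptions about how the home network is laid out.

```ini
# Android WireGuard client profile (wg-quick / app import format).
# Added example, not from the original post. <...> values are placeholders;
# the tunnel addresses and port are the ones used in the guide above.
[Interface]
# Private key generated on the phone; the matching public key is what goes
# into "/interface wireguard peers" on the router.
PrivateKey = <phone-private-key>
# Must match the allowed-address of the peer entry on the router.
Address = 192.168.100.10/32
# Assumption: the router answers DNS on its WireGuard address (this needs
# the "allow WireGuard traffic" input rule or the LAN list membership above).
DNS = 192.168.100.1

[Peer]
# public-key shown by "/interface wireguard print" on the router.
PublicKey = <router-public-key>
# DDNS name from "/ip cloud print" plus the listen-port of wireguard1.
Endpoint = 420.m12345678969.sn.mynetname.net:13231
# Only the tunnel subnet and the home LAN are routed through the VPN;
# <home-lan-subnet> is a placeholder for the router's LAN subnet
# (assumption: the MikroTik default would be 192.168.88.0/24).
AllowedIPs = 192.168.100.0/24, <home-lan-subnet>
# Keeps the UDP mapping alive when the phone sits behind carrier NAT.
PersistentKeepalive = 25
```

The AllowedIPs line on the phone decides which destinations are sent into the tunnel, while allowed-address on the router decides which source addresses it accepts from this peer; both must agree with the tunnel subnet for the connection to pass traffic.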

Debugging

  • Check IP addresses:

    • WireGuard interface: 192.168.100.1/24
    • WireGuard Peer: 192.168.100.10/32 (used in the Android configuration as well)
    • IP Firewall filter: 192.168.100.0/24
  • Check DDNS

    • IP Cloud DDNS enabled?
    • DNS name must be used in the Android app
  • Firewall

Sources