Configuring WireGuard on a Mikrotik router running OpenWrt


In most cases, connecting a router to a VPN is not difficult, but if you want to protect the whole network while keeping the connection speed optimal, the best solution is a WireGuard VPN tunnel. Mikrotik routers have established themselves as reliable and very flexible devices, but unfortunately RouterOS still has no WireGuard support, and it is not known when it will appear or in which version. Recently the WireGuard developers submitted a set of patches that make their VPN tunnel software part of the Linux kernel, and we hope this will help bring it to RouterOS.

But for now, unfortunately, to configure WireGuard on a Mikrotik router, you need to change the firmware.

Flashing the Mikrotik: installing and configuring OpenWrt


First make sure that OpenWrt supports your model. You can match the model number to its marketing name and photo on mikrotik.com.

Go to the firmware download section on openwrt.org.

For this device, we need 2 files:

downloads.openwrt.org/releases/18.06.2/targets/ar71xx/mikrotik/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin|elf

downloads.openwrt.org/releases/18.06.2/targets/ar71xx/mikrotik/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin


Download both files: the initramfs image is used for the initial network boot, the sysupgrade image for the permanent install.



1. Network setup, loading and setting up a PXE server


Download Tiny PXE Server for Windows latest version.

Unzip it into a separate folder. In the config.ini file, add the parameter rfc951=1 to the [dhcp] section. This parameter is the same for all Mikrotik models.



Now the network settings: assign a static IP address to one of the network interfaces of your computer.


IP address: 192.168.1.10
Netmask: 255.255.255.0


Start Tiny PXE Server as Administrator and select the interface with the address 192.168.1.10 in the DHCP Server field. On some versions of Windows this interface appears in the list only after an Ethernet link is up, so I recommend connecting the router and the PC with a patch cord right away. Click the "..." button (bottom right) and point it at the folder into which you downloaded the firmware files for the Mikrotik. Choose the file whose name ends with "initramfs-kernel.bin" (or ".elf").










2. Booting the router from the PXE server


Connect the PC cable to the first port (wan, internet, poe in, ...) of the router. Then take a toothpick and press it into the hole labelled "Reset".



Turn on the router's power, wait 20 seconds, then release the toothpick.
Over the next minute the following messages should appear in the Tiny PXE Server window:



If these messages appear, you are on the right track!

Restore the network adapter settings so that it obtains its address dynamically (via DHCP).

Connect to one of the LAN ports of the Mikrotik router (ports 2 ... 5 in our case) using the same patch cord: just move it from port 1 to port 2. Open the address 192.168.1.1 in the browser.



Log in to the OpenWrt web interface and go to the menu section "System -> Backup / Flash Firmware".



In the “Flash new firmware image” subsection, click on the button “Select file (Browse)”.



Specify the path to the file whose name ends with "-squashfs-sysupgrade.bin".


After that, click the “Flash Image” button.

In the next window, click the "Proceed" button. The firmware download to the router will begin.



!!! DO NOT DISCONNECT THE ROUTER'S POWER IN THE PROCESS OF FIRMWARE !!!



After flashing and rebooting, you have a Mikrotik running OpenWrt.

Possible problems and solutions


Many Mikrotik devices from 2019 use the GD25Q15 / Q16 NOR flash chip. The problem is that after flashing, the device model data is not preserved.

If you see the error "The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform." then the problem is most likely in the flash.

This is easy to verify: run the following command in the device terminal to check the model ID

root@OpenWrt: cat /tmp/sysinfo/board_name

If the answer is "unknown", you need to specify the device model manually in the form "rb-951-2nd".

To get the device model, run the command

root@OpenWrt: cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2nd

Knowing the device model, set the board name manually:

echo 'rb-951-2nd' > /tmp/sysinfo/board_name

After that, you can flash the device through the web interface or with the sysupgrade command.

Create a VPN server with WireGuard


If you already have a server with WireGuard configured, you can skip this step.
I will use the MyVPN.RUN application, which I have already reviewed, to set up a personal VPN server.

Configuring WireGuard Client on OpenWRT


Connect to the router via SSH:

ssh root@192.168.1.1

Install WireGuard:

opkg update
opkg install wireguard

Prepare the configuration: copy the script below to a file, replace the listed values with your own, and run it in the terminal.

If you use MyVPN, you only need to change three values in the configuration below: WG_SERV (the IP of the server), WG_KEY (the private key from the WireGuard configuration file) and WG_PUB (the server's public key).

WG_IF="wg0"
WG_SERV="100.0.0.0"     # public IP address of the WireGuard server
WG_PORT="51820"         # UDP port the WireGuard server listens on
WG_ADDR="10.8.0.2/32"   # address of this router inside the WireGuard network

WG_KEY="xxxxx"          # private key of this router (client), from the WireGuard config file
WG_PUB="xxxxx"          # public key of the server

# Configure firewall: put the tunnel interface into the wan zone so that
# LAN traffic is forwarded into the tunnel and masqueraded like normal wan traffic
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# Configure network: create the wg0 interface with the client's private key and address
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"

uci add_list network.${WG_IF}.addresses="${WG_ADDR}"

# Add VPN peers: the server; all IPv4 (as two /1 halves) and all IPv6 is routed through it
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key=""      # no preshared key in this setup
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"  # install routes for allowed_ips automatically
uci set network.wgserver.persistent_keepalive="25"  # keep the NAT mapping alive, seconds
uci add_list network.wgserver.allowed_ips="0.0.0.0/1"
uci add_list network.wgserver.allowed_ips="128.0.0.0/1"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

This completes the WireGuard setup! Now all traffic from all devices connected to the router goes through the VPN tunnel.
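A post-setup check worth running after the script above, as an added example that is not part of the original post: it parses the tab-separated output of `wg show wg0 dump` to confirm that the server peer actually completed a recent handshake (an interface that is merely "up" proves nothing if the key or endpoint is wrong) and that internet-bound traffic really leaves via wg0. The interface name wg0, the 180 s handshake validity limit and the sample dump text are assumptions.

```shell
#!/bin/sh
# Post-setup health check for the OpenWrt WireGuard client described above.
# Added example, not code from the original post. Assumes the interface is
# named wg0 (as in the script) and uses WireGuard's 180 s reject-after-time.
WG_IF="wg0"
MAX_HANDSHAKE_AGE=180   # WireGuard discards a session whose handshake is older than this

# wg_handshake_age DUMP NOW: DUMP is the text of `wg show wg0 dump` (tab-separated,
# first line = interface, then one line per peer with the epoch of the latest
# handshake in field 5). Prints seconds since the freshest handshake, or -1 if no
# peer has ever completed one.
wg_handshake_age() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" '
        NR > 1 && NF >= 8 && $5 > 0 { age = now - $5; if (best == "" || age < best) best = age }
        END { print (best == "" ? -1 : best) }'
}

# wg_tunnel_healthy DUMP NOW: true only if a handshake exists and is still valid.
# An interface that is "up" but never handshook means the key or endpoint is wrong.
wg_tunnel_healthy() {
    age=$(wg_handshake_age "$1" "$2")
    [ "$age" -ge 0 ] && [ "$age" -le "$MAX_HANDSHAKE_AGE" ]
}

# route_uses_tunnel LINE: LINE is the first line of `ip route get <dst>`; true if
# the kernel would send that destination out through the tunnel interface.
route_uses_tunnel() {
    case " $1 " in *" dev $WG_IF "*) return 0 ;; esac
    return 1
}

# Live mode, to be run on the router: sh wgcheck.sh --live
if [ "${1:-}" = "--live" ]; then
    dump=$(wg show "$WG_IF" dump); now=$(date +%s)
    if wg_tunnel_healthy "$dump" "$now"; then
        echo "tunnel OK: last handshake $(wg_handshake_age "$dump" "$now")s ago"
    else
        echo "tunnel DOWN: no valid handshake (check WG_KEY, WG_PUB, WG_SERV, WG_PORT)"
    fi
    if route_uses_tunnel "$(ip route get 1.1.1.1 | head -n 1)"; then
        echo "default route leaves via $WG_IF"
    else
        echo "WARNING: traffic to the internet bypasses $WG_IF"
    fi
fi

# Constructed sample of `wg show wg0 dump` output (keys shortened, handshake epoch 1700000000)
SAMPLE_DUMP="$(printf 'CLIENTPRIV=\tCLIENTPUB=\t0\toff\nSERVERPUB=\t(none)\t100.0.0.0:51820\t0.0.0.0/1,128.0.0.0/1,::/0\t1700000000\t4096\t8192\t25\n')"
```

Without `--live` the script only defines the functions and the sample, so it can be sourced and tested off the router.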

References


Source #1
Modified instructions on MyVPN (L2TP and PPTP configuration instructions for the standard Mikrotik firmware are also available there)
OpenWrt WireGuard Client

Source: https://habr.com/ru/post/undefined/
