Recently I've swapped out my old router for a MikroTik hEX RB750Gr3 (buy using my amazon link, thanks :) ), as I wanted more control and visibility of my home network traffic. Switching to a MikroTik router isn't for the faint-hearted: they're not plug and play, you have to configure everything. As I've got some networking experience (configuring Linux firewalls, making network cables, configuring switches, etc.) I thought I would give it a go and try something new. I highly recommend you get one and have a play, they are really good fun.
One of the first things I did was to upgrade to RouterOS v7, to make use of the new WireGuard support (at the time of writing RouterOS v7 is still in its development beta phase). I'm a big fan of WireGuard ever since I switched to Algo VPN (a roll-your-own VPN): it's lightweight, easy to use and really quick to set up. To be fair, Algo VPN does all of the WireGuard configuration for you, so all you need to do is scan a QR code and you're done! Anyway, I thought I would set up an inbound WireGuard endpoint on my home router, so I can connect back and keep an eye on things on the go.
Hopefully this guide will help you set up your own inbound WireGuard endpoint so you can connect back to your home/office network from anywhere.
- Create the WireGuard interface
/interface wireguard add comment="Inbound" listen-port=13233 name=wg_inbound
Add a peer
- On your peer device, generate a public and private key pair and enter the public key in the command below
- Generate a preshared key by running wg genpsk from wireguard-tools (on macOS, install it with brew install wireguard-tools), save it on your device and enter it in the command below
/interface wireguard peers add allowed-address=0.0.0.0/0 comment="Inbound Device" interface=wg_inbound preshared-key="<PRESHARED KEY>" public-key="<PEER PUBLIC KEY>"
- Allow UDP traffic to your new wg_inbound interface from your WAN
/ip firewall filter add action=accept chain=input comment="Inbound Wireguard" dst-port=13233 in-interface=<WAN-INTERFACE> protocol=udp
Remember to move this rule above any drop rules in the input chain, otherwise the WireGuard packets are dropped before they reach it.
- Set up an IP range for the WireGuard peers on your network and add the interface to the LAN interface list
/ip address add address=10.51.0.1/24 interface=wg_inbound network=10.51.0.0
/interface list member add interface=wg_inbound list=LAN
Set up your peer
- Set the IP address to 10.51.0.2/32
- Enter your endpoint (your public IP or, better, your MikroTik DDNS name) and the port (13233)
- Set the allowed IPs to 0.0.0.0/0 to route all traffic back through your router
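To tie the router side and the peer side together, here is an added example (my own code, not from the original post or from MikroTik) that builds the RouterOS commands above and the matching client-side WireGuard config from a single set of parameters, and checks that the keys and addresses are well formed before anything is pasted into a terminal. It assumes the router's own public key is read from /interface wireguard print; the hostname, interface name and helper names are constructed for the example.

```python
"""Build the RouterOS v7 commands and the peer-side WireGuard config for an
inbound tunnel from one set of parameters, with basic sanity checks.

Added example: helper names, validation logic and sample values are my own;
the RouterOS commands mirror the ones in the guide.
"""
import base64
import ipaddress
import secrets


def genpsk() -> str:
    """32 random bytes, base64-encoded: the same format `wg genpsk` emits."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def is_wg_key(key: str) -> bool:
    """True if `key` is a well-formed WireGuard key (base64 of exactly 32 bytes).
    Catches copy/paste truncation before the key reaches the router."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 32


def router_script(wan_iface: str, peer_pubkey: str, psk: str, *,
                  listen_port: int = 13233, router_addr: str = "10.51.0.1/24",
                  peer_addr: str = "10.51.0.2/32", router_allowed: str = "0.0.0.0/0",
                  iface: str = "wg_inbound") -> str:
    """RouterOS commands in the order the guide applies them.

    `router_allowed` is the peer's allowed-address on the router side; the guide
    uses 0.0.0.0/0. Passing `peer_addr` here instead limits the tunnel to that
    single source address, which is the tighter setting for a one-device peer.
    """
    for k in (peer_pubkey, psk):
        if not is_wg_key(k):
            raise ValueError("malformed WireGuard key")
    net = ipaddress.ip_interface(router_addr).network
    if ipaddress.ip_interface(peer_addr).ip not in net:
        raise ValueError(f"{peer_addr} is outside {net}")
    return "\n".join([
        f'/interface wireguard add comment="Inbound" listen-port={listen_port} name={iface}',
        f'/interface wireguard peers add allowed-address={router_allowed} '
        f'comment="Inbound Device" interface={iface} preshared-key="{psk}" '
        f'public-key="{peer_pubkey}"',
        # This accept rule must sit above any drop rule in the input chain.
        f'/ip firewall filter add action=accept chain=input comment="Inbound Wireguard" '
        f'dst-port={listen_port} in-interface={wan_iface} protocol=udp',
        f'/ip address add address={router_addr} interface={iface} '
        f'network={net.network_address}',
        f'/interface list member add interface={iface} list=LAN',
    ])


def client_config(router_pubkey: str, psk: str, endpoint_host: str, *,
                  listen_port: int = 13233, peer_addr: str = "10.51.0.2/32",
                  allowed_ips: str = "0.0.0.0/0") -> str:
    """wg-quick style config for the peer device. The peer's private key never
    leaves the device, so it is left as a placeholder to fill in locally."""
    for k in (router_pubkey, psk):
        if not is_wg_key(k):
            raise ValueError("malformed WireGuard key")
    return "\n".join([
        "[Interface]",
        "PrivateKey = <PEER PRIVATE KEY>",
        f"Address = {peer_addr}",
        "",
        "[Peer]",
        f"PublicKey = {router_pubkey}",      # from /interface wireguard print
        f"PresharedKey = {psk}",
        f"Endpoint = {endpoint_host}:{listen_port}",
        f"AllowedIPs = {allowed_ips}",       # 0.0.0.0/0 = send everything via the router
    ])


if __name__ == "__main__":
    # Constructed sample: random keys stand in for the real peer/router public keys.
    psk, peer_pub, router_pub = genpsk(), genpsk(), genpsk()
    print(router_script("ether1", peer_pub, psk))
    print()
    print(client_config(router_pub, psk, "router.example.net"))
```

Run it as-is to see both halves side by side; swap the random stand-ins for the real public keys when you use it. The one design choice worth calling out is `router_allowed`: the guide's 0.0.0.0/0 on the router side means the router will accept any source address from that peer, so for a single phone or laptop passing `router_allowed=peer_addr` (10.51.0.2/32) keeps the tunnel scoped to that one device without changing anything on the client.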
You should now be able to connect back to your home/office LAN via a WireGuard tunnel.
If you get stuck, remember you can use the MikroTik Torch to inspect packets and connections.