WireGuard Routing and Port Forwarding

WireGuard provides almost unlimited possibilities for creating private and secure networks without having to expose devices to the public internet. In this example I wanted to access the Mikrotik router configuration panel from anywhere in the world, similar to how Cloud Key and Cloud Access enable it for Ubiquiti devices. Note that RouterOS already supports VPN access, but not through WireGuard.

Solar powered Mikrotik wAP LTE router.

I built a solar-powered Raspberry Pi security camera that connects wirelessly to a solar-powered Mikrotik LTE router for internet access over a mobile data connection.

The Raspberry Pi is also running WireGuard so all we have to do is forward the incoming WireGuard traffic to a few ports on the Mikrotik router.

Here is how to configure the Raspberry Pi acting as a WireGuard peer to do the custom routing:

1. Enable IP Forwarding

IP forwarding is disabled by default on Raspbian so it’s extremely important to enable it for any of the iptables rules to work.

Enable IP forwarding in the Linux kernel by adding (or uncommenting) net.ipv4.ip_forward = 1 in /etc/sysctl.conf so the setting persists across reboots. Run sysctl -w net.ipv4.ip_forward=1 to enable IP forwarding immediately without rebooting.

2. Configure Routing

The WireGuard peers sit on the network interface wg0 using the address range 10.200.200.0/24; their traffic is forwarded to the IP address 192.168.88.1 on the local network, which is reachable through the wlan0 interface.

Mikrotik router connected to a WireGuard network through a Raspberry Pi.

First, make requests incoming on the WireGuard network interface wg0 appear as originating from the Raspberry Pi itself to the devices on the local network:

sudo iptables -t nat -A POSTROUTING -o wlan0 -s 10.200.200.0/24 -j MASQUERADE

Then forward ports:

  • 80 for Mikrotik Webfig
  • 5678 for Mikrotik Neighbor Discovery Protocol
  • 8728 for RouterOS API
  • 8291 for Mikrotik Winbox

to the Mikrotik router at IP address 192.168.88.1:

sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --match multiport --destination-ports 80,5678,8728,8291 -j DNAT --to-destination 192.168.88.1

or just a single port 80:

sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --destination-port 80 -j DNAT --to-destination 192.168.88.1

This could be adjusted to forward all traffic to the Mikrotik router but then you would need a separate WireGuard peer configuration for accessing the actual Raspberry Pi through the WireGuard network.

Now you should be able to access the Mikrotik router from any device on the same WireGuard network, including the phone app.

Persist the Routing Configuration

Finally, you can persist these custom routes by configuring the WireGuard PostUp and PostDown directives in the [Interface] section of wg0.conf:

PostUp = iptables -t nat -A ...
PostDown = iptables -t nat -D ...

Note the -D flag, which deletes a rule instead of appending it; the rule specification after -D must match the one given to -A exactly, otherwise iptables reports that no such rule exists.
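The routing rules above and the PostUp/PostDown hooks, assembled into one script (an added example, not code from the original post): it builds the MASQUERADE and DNAT rules from a single set of variables, renders the matching PostUp/PostDown lines for wg0.conf, and applies them idempotently with iptables -C so re-running never duplicates a rule. The FORWARD-chain rules are my own addition, limiting the tunnel to the forwarded ports; the interface names, router address and port list are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the post's iptables
# rules from one set of variables, renders matching PostUp/PostDown lines
# for wg0.conf and applies them idempotently. Values are the post's; adjust.
WG_IF="wg0"               # WireGuard interface on the Raspberry Pi
LAN_IF="wlan0"            # interface facing the Mikrotik router
WG_NET="10.200.200.0/24"  # WireGuard peer address range
ROUTER="192.168.88.1"     # Mikrotik router on the local network
PORTS="80,5678,8728,8291" # Webfig, MNDP, RouterOS API, Winbox (all TCP here;
                          # MNDP is really UDP broadcast, so it is not carried)
# Each rule prints as "<table> <chain + match spec>" so the identical text
# works with -A (append), -D (delete) and -C (check whether it exists).
masq_rule() {
    echo "nat POSTROUTING -o $LAN_IF -s $WG_NET -j MASQUERADE"
}
dnat_rule() {
    echo "nat PREROUTING -i $WG_IF -p tcp --match multiport --destination-ports $PORTS -j DNAT --to-destination $ROUTER"
}
# Assumption (not in the post): restrict the FORWARD chain to the DNAT'd
# ports plus return traffic, so the tunnel reaches nothing else on the LAN.
forward_rules() {
    echo "filter FORWARD -i $WG_IF -o $LAN_IF -d $ROUTER -p tcp --match multiport --destination-ports $PORTS -j ACCEPT"
    echo "filter FORWARD -i $LAN_IF -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}
all_rules() { masq_rule; dnat_rule; forward_rules; }
# [Interface] hooks: -A on PostUp, the very same rule text with -D on PostDown.
render_hooks() {
    all_rules | while read -r table spec; do
        echo "PostUp = iptables -t $table -A $spec"
    done
    all_rules | while read -r table spec; do
        echo "PostDown = iptables -t $table -D $spec"
    done
}
# Apply now (root required): enable forwarding, then add each rule only if an
# identical one is not already present, so re-running never duplicates rules.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    all_rules | while read -r table spec; do
        # $spec is deliberately left unquoted so it word-splits into arguments
        iptables -t "$table" -C $spec 2>/dev/null || iptables -t "$table" -A $spec
    done
}
remove_rules() {
    all_rules | while read -r table spec; do
        iptables -t "$table" -D $spec 2>/dev/null || true
    done
}
```

Run `render_hooks` to print the lines to paste into the [Interface] section, or `apply_rules` / `remove_rules` as root to change the live ruleset.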

Debug Routing and Forwarding

Add temporary LOG rules to the PREROUTING and POSTROUTING chains of the nat table so that matching packets are written to /var/log/kern.log. Because the nat table is consulted only for the first packet of each connection, expect one log line per new connection rather than per packet:

sudo iptables -t nat -A PREROUTING -j LOG
sudo iptables -t nat -A POSTROUTING -j LOG

And now you can view the logs:

sudo tail -f /var/log/kern.log

2 Comments

  1. Iliyan says:

    Hi,

    Have you any experience with the WG interface on MT, available in the dev version of RouterOS?

    I know everyone is saying on the Internet that it is very easy to set up, but I cannot make the routing through the WG interface work – the interface is easy, two commands, but when it comes to routing through the MT router, nothing I tried works.

    I know this post of yours is old(ish), but combining two great options – WG+MT – seems a great way to create tunnels instead of IPsec/OpenVPN.

    • Kaspars says:

      Yes, I tried WireGuard on Mikrotik’s RouterOS when it was initially released but it had an issue where the endpoint-address couldn’t be configured as hostname and had to be specified via IP. I’m not sure if that has been resolved yet.

      Are you looking to use the WireGuard instance on the Mikrotik router as the relay server for other peers, or do you just want to connect to it from other peers? For using it as a relay server you would need to have the router accessible from the public internet.

      Or do you want it as a peer through which you can access the local network? That would require setting the correct allowed-address and some firewall rules as described in the wiki. The Mikrotik forums usually have some useful examples of working setups and even setup instructions.
