To enable the WireGuard peer called MyPeer:

/interface/wireguard/peers/enable [find comment="MyPeer"]

To disable the WireGuard peer called MyPeer:

/interface/wireguard/peers/disable [find comment="MyPeer"]
Assuming your peer comment is peer1 and the correct endpoint DNS record is peer1.mydomain.com, you can use this RouterOS script to update the endpoint based on the DNS record (absolute menu paths are used so the script also works when run from a scheduler or from a submenu):

:if ([/interface/wireguard/peers/get number=[find comment=peer1] value-name=endpoint-address] != [:resolve peer1.mydomain.com]) do={
    /interface/wireguard/peers/set number=[find comment=peer1] endpoint-address=[:resolve peer1.mydomain.com]
}
Assuming your peer comment is peer1 and the correct endpoint DNS record is peer1.mydomain.com:

([interface wireguard peers get number=[find comment=peer1] value-name=endpoint-address] = [resolve peer1.mydomain.com])

This will return true if the peer endpoint is the same as the DNS record.

[[email protected]] > :put ([interface wireguard peers get number=[find comment=peer1] value-name=endpoint-address] = [resolve peer1.mydomain.com])
true
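As an added example (not code from the original post), here is the same endpoint refresh written as a complete script with the checks a scheduled job needs: it tolerates a missing peer, it catches a failed DNS lookup instead of aborting, and it only writes to the peer (and logs) when the resolved address actually differs from the configured endpoint, so an unchanged record does not reset the WireGuard handshake. The peer comment peer1, the host name peer1.mydomain.com and the script name wg-endpoint-refresh are placeholders carried over from the post.

```routeros
# Added example, not from the original post. Placeholders: comment "peer1",
# host "peer1.mydomain.com", script name "wg-endpoint-refresh".
:local peerComment "peer1"
:local peerHost "peer1.mydomain.com"

# find returns an (empty) array of ids; bail out cleanly if the peer is missing
:local peerId [/interface/wireguard/peers/find comment=$peerComment]
:if ([:len $peerId] = 0) do={
    :log warning "wg-endpoint: no WireGuard peer with comment $peerComment"
} else={
    # a failed lookup raises an error; catch it so the run is logged instead of aborted
    :local resolved
    :do {
        :set resolved [:resolve $peerHost]
    } on-error={
        :log warning "wg-endpoint: DNS lookup for $peerHost failed, keeping current endpoint"
    }
    :if ([:typeof $resolved] != "nothing") do={
        :local current [/interface/wireguard/peers/get $peerId endpoint-address]
        # only touch the peer when the record changed, so the handshake is not reset needlessly
        :if ($current != $resolved) do={
            /interface/wireguard/peers/set $peerId endpoint-address=$resolved
            :log info "wg-endpoint: $peerComment endpoint changed from $current to $resolved"
        }
    }
}
```

Store the script under /system/script with the name wg-endpoint-refresh and run it periodically with /system/scheduler/add name=wg-endpoint-refresh interval=5m on-event=wg-endpoint-refresh. Because every outcome (missing peer, failed lookup, changed endpoint) ends up in /log, a peer that silently stops handshaking can be correlated with the last endpoint change.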
We assume that the peer you want to find info about has comment=peer1.mydomain.com. Use

interface wireguard peers get number=[find comment=peer1.mydomain.com] value-name=endpoint-address

or use :put [...] to print the value:

:put [interface wireguard peers get number=[find comment=peer1.mydomain.com] value-name=endpoint-address]

[[email protected]] > :put [interface wireguard peers get number=[find comment=peer1.mydomain.com] value-name=endpoint-address]
12.245.102.141
In order to resolve a DNS name use

resolve <domain name>

Use

:put [resolve <domain name>]

to resolve a domain name and print the IP address.

:put [resolve techoverflow.net]

Output:

[[email protected]] > :put [resolve techoverflow.net]
172.67.166.211
WebFig is the Web UI for MikroTik RouterOS routers. When people say to use WebFig for a given task, this typically means to not use the MikroTik terminal.
Use these commands to add all RFC1918 networks to a MikroTik RouterOS IP address list:

/ip firewall address-list add address=10.0.0.0/8 list=RFC1918
/ip firewall address-list add address=172.16.0.0/12 list=RFC1918
/ip firewall address-list add address=192.168.0.0/16 list=RFC1918
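The three add commands above fail with a duplicate error if the entries already exist, so they cannot simply be re-run as part of a provisioning script. As an added example (not from the original post), the script below builds the same RFC1918 list idempotently and then puts it to its most common defensive use: dropping packets that arrive on the WAN interface with a private source address, which on an internet-facing port can only be spoofed or misrouted traffic. The WAN interface name ether1 is a placeholder.

```routeros
# Added example, not from the original post. Placeholder: WAN interface "ether1".
:local listName "RFC1918"
:local wanIf "ether1"

# add each private range only if it is not already on the list (safe to re-run)
:foreach net in={"10.0.0.0/8";"172.16.0.0/12";"192.168.0.0/16"} do={
    :if ([:len [/ip/firewall/address-list/find list=$listName address=$net]] = 0) do={
        /ip/firewall/address-list/add list=$listName address=$net comment="RFC1918 private range"
    }
}

# packets entering on the WAN with a private source address are spoofed or
# misrouted; drop them both for the router itself (input) and for transit (forward)
:foreach ch in={"input";"forward"} do={
    :local ruleComment ("drop RFC1918 source from WAN (" . $ch . ")")
    :if ([:len [/ip/firewall/filter/find comment=$ruleComment]] = 0) do={
        /ip/firewall/filter/add chain=$ch in-interface=$wanIf src-address-list=$listName action=drop comment=$ruleComment
    }
}

:put ("address-list entries: " . [:len [/ip/firewall/address-list/find list=$listName]])
```

New filter rules are appended at the end of their chain, so after running this once, move the two drop rules above any accept or fasttrack rule in /ip/firewall/filter, otherwise they never match. The rule comments double as the idempotence key, which is why they are kept unique per chain.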
If you try to add a MikroTik address list entry containing multiple addresses, e.g. for use in firewall rules, like this:

you will see an error message like

Couldn't add New Firewall Address List - 192.168.0.0/24,10.0.0.0/8 is not a valid dns name (6)

You can't add multiple addresses to an address list entry at once. The way to add multiple addresses to an address list is to create multiple entries with the same Name.

See our detailed guide on How to add multiple addresses to MikroTik RouterOS address list using WebFig for more details on how to achieve that in WebFig.
If you are trying to create a MikroTik firewall address list using WebFig (in IP/Firewall), you will see that you can't just add multiple addresses in the Address field:

First, add the first address like this:

This will look like this in the Address List view:

Then, add another address with the same name (the comment can be different if you want). You can also select the name using the dropdown for the Name field.

This will look like this in the Address List view:

Our RFC1918 list will now identify both networks 10.0.0.0/8 and 192.168.0.0/16.
Also see Wireguard bandwidth performance of the MikroTik CRS326-24G-2S+
We tested the throughput of the new Wireguard functionality of the MikroTik CRS309-1G-8S+ running on RouterOS 7.1beta6.
Our test setup consists of a Desktop PC with a 1GBase-T connection and a virtualized server on XCP-NG, attached with a 10GB shared connection, both running Ubuntu. Note that the L2 switching infrastructure (consisting only of MikroTik CRS3xx and CRS610 switches with complete hardware offloading) is ignored here: thanks to 100% hardware offloading to the marvelous Marvell switch chips, it has orders of magnitude higher performance than any L3 function and hence has only minimal impact on the overall performance.
Wireguard was used without preshared keys. So far, it is unknown to us whether PSKs have an impact on throughput.
The command on the Desktop was

dd if=/dev/urandom bs=100M | netcat -v 10.185.244.199 2222

whereas the command on the server was

netcat -vvnlp 2222 > /dev/null

As we expected with an uncompressed protocol like Wireguard, there is no difference if you pipe the data from /dev/urandom as opposed to /dev/zero.
The Desktop was connected to the CRS309-1G-8S+ using Wireguard. The virtual server was connected to the CRS309 as default gateway within a separate VLAN that was designed to be routed. The CRS309 L3 hardware offloading capability was disabled.
The IP firewall contained 8 simple accept and fasttrack rules. All the WireGuard traffic only matched the last (8th) rule and was accepted. It has not been tested whether fasttracking the Wireguard connection would increase performance.
The throughput results showed a steady rate of 131 Mbit/s (unidirectional, bidirectional not tested), but up to 160 Mbit/s. It is unknown what caused the increase in speed, but it’s possible that additional traffic was L3-forwarded over the switch during the test.
The same test was repeated with the IP firewall being disabled in the Bridge Settings.
As expected, disabling additional IP firewall processing caused the throughput to increase, but only by a small margin. The typical speed was around 160 Mbit/s (unidirectional), with peaks up to 185 Mbit/s.
It should be pretty obvious that the CRS309-1G-8S+ outperforms most conventional VPN solutions when using Wireguard. For a street price of ~175€, it is not only an awesome switch, but also doubles as a more than adequate Wireguard router for most practical applications.
Note that at the moment of writing this article, Wireguard is only available in the RouterOS 7.1beta6 firmware, which is not yet considered stable. While I have not experienced any problems that have affected reliability in any way, if you run a network where it hurts if it fails, you should consider using alternative solutions in the meantime.
Also see Real-world data on CRS309-1G-8S+ RouterOS Wireguard throughput
We tested the new Wireguard functionality of the MikroTik CRS326-24G-2S+ running on RouterOS 7.1beta6.
Our test setup consists of a Desktop PC with a 1GBase-T connection and a virtualized server on XCP-NG, attached with a 10GB shared connection, both running Ubuntu. Note that the L2 switching infrastructure (consisting only of MikroTik CRS3xx and CRS610 switches with complete hardware offloading) is ignored here: thanks to 100% hardware offloading to the marvelous Marvell switch chips, it has orders of magnitude higher performance than any L3 function and hence has only minimal impact on the overall performance.
Wireguard was used without preshared keys. So far, it is unknown to us whether PSKs have an impact on throughput.
Both the Desktop and the server were connected to two different Wireguard interfaces on the CRS326-24G-2S+.
The CRS326 routed between those interfaces. The virtualized server ran a netcat server while the Desktop ran the wireguard client. IP firewall was disabled during this test, but the switch still had to L3 forward the packets.
The effective throughput of L3 forwarding, doing one Wireguard decryption and one WireGuard encryption operation (both without PSK), is 108.1 Mbit/s (unidirectional; bidirectional has not been tested).
This is an awesome result, considering that the CRS326-24G-2S+ is only ~120€ street price and is an awesome switch in its own right. It seems like Wireguard is capable of making a high performance VPN router out of just a managed MikroTik switch.
Note that at the moment of writing this article, Wireguard is only available in the RouterOS 7.1beta6 firmware, which is not yet considered stable. While I have not experienced any problems that have affected reliability in any way, if you run a network where it hurts if it fails, you should consider using alternative solutions in the meantime.
You can use the following commands to download the standard CA certificates from the Curl webpage and import them:

/tool fetch url=https://curl.se/ca/cacert.pem
/certificate import file-name=cacert.pem passphrase=""

This will typically take a couple of minutes.
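One caveat worth making explicit: the very first fetch of the bundle cannot itself be verified, because the router has no trusted roots before the import, so that single download is trust-on-first-use. Everything afterwards can and should be verified. The following added example (not from the original post) performs the import and then proves that TLS validation now works by repeating the download with check-certificate=yes; the file names cacert.pem and cacert-verified.pem are the only assumed values.

```routeros
# Added example, not from the original post. The first fetch is unverified by
# necessity (no trusted roots yet); the second fetch demonstrates that the
# imported bundle is actually used for TLS validation.
:local bundleUrl "https://curl.se/ca/cacert.pem"

/tool/fetch url=$bundleUrl dst-path=cacert.pem
/certificate/import file-name=cacert.pem passphrase=""
:put ("certificates in store after import: " . [:len [/certificate/find]])

# Re-download with certificate checking enabled. If this fails, the router
# still cannot validate TLS and nothing on it should rely on HTTPS fetches.
:do {
    /tool/fetch url=$bundleUrl check-certificate=yes dst-path=cacert-verified.pem
    :put "TLS verification against the imported roots works"
} on-error={
    :put "TLS verification failed: CA import incomplete, do not enable dependent fetches"
}
```

To close the trust-on-first-use gap for the initial download, compare the bundle's SHA-256 on a workstation against the checksum that curl.se publishes next to the file (cacert.pem.sha256) before importing it. Once the import is verified, use check-certificate=yes on every later /tool/fetch (package downloads, scripts, Let's Encrypt) rather than leaving it at the default.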
I recommend connecting to your MikroTik router using SSH, e.g.

ssh [email protected]

so you're able to copy and paste commands more easily.