Setting up WireGuard on a Mikrotik router running OpenWrt

In most cases, connecting a router to a VPN is not difficult, but if you want to protect the entire network while keeping the connection speed close to the line rate, the best option is a WireGuard tunnel.

MikroTik routers have proven to be reliable and very flexible, but unfortunately RouterOS does not support WireGuard at the time of writing, and it is not known when, or in what form, that support will appear. The WireGuard developers recently submitted a patch set proposing to make their VPN tunnel part of the Linux kernel; we hope this will speed up its adoption in RouterOS.

For now, though, running WireGuard on a MikroTik router means replacing the firmware.

Flashing Mikrotik, installing and configuring OpenWrt

First make sure that OpenWrt supports your model. To match a model's marketing name to the board name used in the image file names, check mikrotik.com.

Go to openwrt.org, to the firmware download section.

For this device we need two files:

downloads.openwrt.org/releases/18.06.2/targets/ar71xx/mikrotik/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin|elf

downloads.openwrt.org/releases/18.06.2/targets/ar71xx/mikrotik/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin

Download both: the initramfs kernel image (ending in .bin or .elf depending on the release) is booted over the network and runs from RAM for the initial install, and the squashfs sysupgrade image is the firmware that is actually written to flash. The same download directory contains a sha256sums file; compare the checksums of both downloads against it before flashing anything.


1. Network setup, downloading and configuring the PXE server

Download the latest version of Tiny PXE Server for Windows.

Unzip it into a separate folder. In config.ini, add the parameter rfc951=1 to the [dhcp] section (RouterBOOT requests its boot image via BOOTP, which is what this option enables). This parameter is the same for all MikroTik models.


Now the network settings: assign a static IP address to the network interface of the PC that will face the router.


IP address: 192.168.1.10
Netmask: 255.255.255.0


Run Tiny PXE Server as Administrator and, in the DHCP Server field, select the server with address 192.168.1.10.

On some versions of Windows this interface only appears once an Ethernet link is up, so I recommend connecting the router and the PC with a patch cord right away.


Press the "..." button (bottom right) and choose the folder into which you downloaded the firmware files for the MikroTik.

Select the file whose name ends in "initramfs-kernel.bin" (or ".elf").


2. Booting the router from the PXE server

Connect the PC by cable to the first port of the router (labelled WAN, Internet, PoE in, or similar). Then take a toothpick and press the button in the hole marked "Reset".


Power on the router, wait 20 seconds, then release the button.
Within the next minute the Tiny PXE Server window should log the router requesting and downloading the initramfs image.


If you see that, you are on the right track.

Restore the network adapter settings so that it obtains an address automatically (via DHCP).

Connect the same patch cord to one of the router's LAN ports (ports 2 to 5 in our case): simply move it from port 1 to port 2. Open 192.168.1.1 in a browser.


Log in to the OpenWrt web interface and go to System -> Backup/Flash Firmware.


In the "Flash new firmware image" section, click "Select file" (Browse).


Specify the path to a file whose name ends with "-squashfs-sysupgrade.bin".


Then click "Flash Image".

In the next window, click "Proceed". The firmware is uploaded to the router and written to flash.


!!! NEVER DISCONNECT THE ROUTER'S POWER WHILE THE FIRMWARE IS BEING WRITTEN !!!


After flashing and rebooting, you have a MikroTik running OpenWrt. A fresh OpenWrt install has no root password, so set one (System -> Administration, or passwd over SSH) before you plug the WAN port into the internet.

Possible problems and solutions

Many MikroTik devices released in 2019 use a GD25Q15 / GD25Q16 NOR flash chip. The problem is that on these devices the initramfs image does not detect the board model, so the sysupgrade image is rejected.

If you see the error "The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform." then this is most likely the cause.

It is easy to check: read the detected board name in the router's shell

root@OpenWrt:~# cat /tmp/sysinfo/board_name

If the answer is "unknown", you need to set the board name manually, in the form "rb-951-2nd".

To find out the device model, run

root@OpenWrt:~# cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2nd

Knowing the model, set the board name by hand:

echo 'rb-951-2nd' > /tmp/sysinfo/board_name

After that you can flash the device through the web interface or with the sysupgrade command.
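The check-and-fix sequence above, wrapped into a script, as an added example that is not part of the original article. It assumes that the board name is simply the model name in lower case with a hyphen after the "rb" prefix (which holds for the RB951-2nd shown above; confirm the result against the image names on downloads.openwrt.org for other models), and it refuses to overwrite a board name that was detected correctly. The function names derive_board_name and fix_board_name are my own.

```shell
#!/bin/sh
# Added example, not from the original article: derive the OpenWrt board
# name from /tmp/sysinfo/model and write it only when detection returned
# "unknown". Assumption: board name = model name, lower-cased, with a hyphen
# inserted after the "rb" prefix (true for the RB951-2nd in the article).

# derive_board_name "MikroTik RouterBOARD RB951-2nd"  ->  rb-951-2nd
# Prints nothing when the model string does not follow the assumed pattern.
derive_board_name() {
    printf '%s\n' "$1" \
        | sed -n 's/^MikroTik RouterBOARD RB\([0-9A-Za-z-]*\)$/rb-\1/p' \
        | tr 'A-Z' 'a-z'
}

# fix_board_name [sysinfo_dir]   (defaults to /tmp/sysinfo on the router)
# Exit status: 0 board_name written, 1 could not derive it (set it by hand),
# 2 board_name was already known and was left untouched.
fix_board_name() {
    dir="${1:-/tmp/sysinfo}"
    current=$(cat "$dir/board_name" 2>/dev/null || true)
    if [ -n "$current" ] && [ "$current" != "unknown" ]; then
        echo "board_name is already '$current', leaving it alone" >&2
        return 2
    fi
    model=$(cat "$dir/model" 2>/dev/null || true)
    name=$(derive_board_name "$model")
    if [ -z "$name" ]; then
        echo "cannot derive a board name from model '$model'; set it manually" >&2
        return 1
    fi
    printf '%s\n' "$name" > "$dir/board_name"
    echo "board_name set to '$name'" >&2
    return 0
}

# On the router, after copying the sysupgrade image to /tmp:
#   fix_board_name && sysupgrade -T /tmp/openwrt-18.06.2-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin
# sysupgrade -T only verifies that the image matches the board; run it again
# without -T to actually flash.
```

The -T dry run is the useful part: it reproduces the web interface's "supported format" check on the command line, so you learn whether the board name you wrote is one the image accepts before anything is written to flash.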

Create a VPN server with WireGuard

If you already have a server with WireGuard configured, you can skip this step.
I will use the MyVPN.RUN application to set up a personal VPN server; I have already published a review of it.

Configuring WireGuard Client on OpenWRT

Connect to the router over SSH:

ssh root@192.168.1.1

Install WireGuard (the wireguard package pulls in the kernel module and the wg tool):

opkg update
opkg install wireguard

Prepare the configuration: copy the script below into a file, replace the values with your own and run it in the router's shell.

If you are using MyVPN, you only need to change WG_SERV (the server IP), WG_KEY (the private key from the WireGuard configuration file you were given) and WG_PUB (the server's public key).

WG_IF="wg0"
WG_SERV="100.0.0.0"      # server IP address (or hostname)
WG_PORT="51820"          # WireGuard port on the server
WG_ADDR="10.8.0.2/32"    # this router's address inside the tunnel

WG_KEY="xxxxx"           # this router's private key
WG_PUB="xxxxx"           # the server's public key
WG_PSK=""                # optional preshared key; leave empty if the server has none

# Configure firewall: the tunnel joins the "wan" zone, so LAN clients are
# masqueraded out through it, and nothing arriving from the tunnel can reach
# the router or the LAN unless you add a rule for it.
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# Configure network: the wg0 interface and this router's tunnel address
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"

# Add the server as a peer
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
[ -n "${WG_PSK}" ] && uci set network.wgserver.preshared_key="${WG_PSK}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"      # install routes for allowed_ips
uci set network.wgserver.persistent_keepalive="25"  # keep the NAT mapping alive
# 0.0.0.0/1 + 128.0.0.0/1 cover all of IPv4 but are more specific than the
# WAN default route, so they win without deleting it; netifd adds a host
# route to endpoint_host via the WAN, so the tunnel's own packets do not loop.
uci add_list network.wgserver.allowed_ips="0.0.0.0/1"
uci add_list network.wgserver.allowed_ips="128.0.0.0/1"
# IPv6 goes into the tunnel too (dropped if the server does not route it)
# rather than leaking over the WAN
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

This completes the WireGuard setup. Traffic from all devices behind the router now goes through the tunnel. Two things to keep in mind: because the routes stay attached to wg0, a server that stops answering makes traffic drop rather than fall back to the bare WAN, which is the behaviour you want; and DNS is not changed by this script, so the router keeps using the resolvers the WAN interface learned from DHCP (those queries now reach the ISP resolver from the VPN's exit address, which it may refuse, and in any case the ISP still sees them). If that matters to you, set peerdns to 0 on the wan interface and list the resolvers you want to use instead.
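To confirm that the claim above actually holds on your router, here is an added check script, my own example rather than code from the original article or from MyVPN. It assumes the interface name wg0 from the script above, treats a handshake older than 180 seconds as stale, and uses constructed sample command output for the offline checks; on the router, check_live reads the real output of wg show and ip route get. It also checks the one thing the half-route trick depends on: the endpoint itself must still be routed out of the WAN device, not into the tunnel.

```shell
#!/bin/sh
# Added example, not from the original article: verify that the WireGuard
# client configured above is actually carrying traffic.
# Assumptions: interface wg0 as in the uci script; a handshake older than
# 180 s is treated as stale; the sample outputs below are constructed.

WG_IF="wg0"
MAX_HANDSHAKE_AGE=180

# Constructed sample output (not captured from a real router):
SAMPLE_HANDSHAKES="$(printf 'ConstructedServerPublicKey=\t%s' 1700000000)"
SAMPLE_PUBLIC_ROUTE="198.51.100.1 dev wg0 src 10.8.0.2 uid 0"
SAMPLE_ENDPOINT_ROUTE="100.0.0.0 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0"

# handshake_fresh <output of "wg show wg0 latest-handshakes"> <now as epoch>
# Each line is "<peer public key><TAB><epoch of last handshake>"; 0 means no
# handshake ever completed. Succeeds only if every peer handshook recently.
handshake_fresh() {
    now="$2"
    [ -n "$1" ] || return 1                       # no peers listed at all
    while read -r _peer ts; do
        [ -n "$ts" ] || continue
        [ "$ts" -gt 0 ] 2>/dev/null || return 1   # never completed
        [ $((now - ts)) -le "$MAX_HANDSHAKE_AGE" ] || return 1
    done <<EOF
$1
EOF
}

# route_dev <output of "ip route get ADDR">: the device the kernel picked
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# tunnel_routing_ok <route get for a public IP> <route get for WG_SERV> <wan dev>
# Ordinary destinations must be steered into wg0 by the 0.0.0.0/1 and
# 128.0.0.0/1 routes, while the endpoint must still leave via the WAN device;
# if it did not, the tunnel would try to carry its own packets.
tunnel_routing_ok() {
    [ "$(route_dev "$1")" = "$WG_IF" ] && [ "$(route_dev "$2")" = "$3" ]
}

# check_live <WG_SERV> <wan device>: run the checks against the live router.
# 198.51.100.1 is a documentation address used only to query the routing table.
check_live() {
    handshake_fresh "$(wg show "$WG_IF" latest-handshakes)" "$(date +%s)" \
        || { echo "no recent handshake with the server" >&2; return 1; }
    tunnel_routing_ok "$(ip route get 198.51.100.1)" "$(ip route get "$1")" "$2" \
        || { echo "routing does not send traffic through $WG_IF" >&2; return 1; }
    echo "tunnel up: traffic via $WG_IF, endpoint via $2"
}

# On the router (values from the uci script; eth0 is a typical WAN device
# name, check yours with "uci get network.wan.ifname"):
#   check_live 100.0.0.0 eth0
```

A stale handshake with correct routing is the case worth recognising: traffic is being blackholed inside wg0, which is the safe failure, but it also means the key, endpoint or the server-side peer entry is wrong and no amount of waiting will fix it.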

References

MyVPN instructions (modified here; MyVPN also has instructions for setting up L2TP and PPTP on the stock MikroTik firmware)
OpenWrt WireGuard client

Source: habr.com
