Wireguard and Mikrotik
To me, Wireguard and Mikrotik are a match made in heaven. I took to Wireguard immediately: it’s a super useful and super easy concept to adopt. With Mikrotik, it took me longer to find my way to it; both the UI and the CLI of Mikrotik devices seemed rather counter-intuitive to me at first. But after spending enough time with it, I certainly appreciate that it allows you to do exactly what you want with networking, and that’s what really counts, isn’t it? In a way, it reminded me of writing firewall rules back in the iptables days: it takes time to get used to, but once you do, you can be absolutely sure that it does what you told it to do.
Anyway, because of the ease of use, I happened to start with Wireguard first, running it on a Raspberry at home. My use case was pretty simple: I wanted to be able to access my home network when away, plus I wanted the road warrior mode (on both laptops and Android devices). Because the Raspberry was behind NAT, it added some unnecessary complexity to the setup, which wasn’t such a big deal until I decided that I wanted to join two remote LAN locations via Wireguard. This was when running Wireguard directly on the router suddenly made much more sense. There are certainly other ways to go about it than Mikrotik, but I didn’t want to build my router on top of some PC from scratch. Nor did I want to flash my existing router with OpenWRT; not that I wouldn’t like it, I used to have OpenWRT (and even DD-WRT) on some of my older routers back in the day. It was simply that Mikrotik having support for Wireguard by default starting with RouterBoardOS version 7 convinced me to give it a try.
First, I started with the official Mikrotik documentation https://help.mikrotik.com/docs/display/ROS/WireGuard. It was good but quite frankly, I didn’t have a very good understanding of the Mikrotik interface, as mentioned above, so I got a little bit lost. So while I’d normally prefer written documentation, I resorted to a guide on Youtube this time. The one I found, I have to say, was really, really well done. So instead of explaining what I did myself, I’m embedding this video here, I could never explain it better than this guide does – kudos to the author of this video:
In my case, I joined two remote sites in the way that’s described in this video tutorial. One is my home site and the other one is a different location where I keep some offsite backups of important stuff like family photos. Syncing those through Wireguard feels like a better option than opening some ports between the two locations.
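For readers who, like me, find the Mikrotik CLI hard to map onto the Wireguard concepts, here is a minimal RouterOS v7 configuration for the kind of site-to-site setup described above. It is an added illustration, not the author’s own configuration or anything taken from the video, and it assumes two routers with the default firewall, LAN 192.168.88.0/24 at home and 192.168.89.0/24 at the backup site, a /30 transfer network on the tunnel, and placeholder hostnames and public keys.

```routeros
# Home router (site A). LAN 192.168.88.0/24, tunnel address 10.255.0.1/30.
# All addresses, names, hostnames and keys are constructed for this example.
/interface/wireguard add name=wg-backup listen-port=13231 comment="site-to-site to backup location"
# The private key is generated on the router; print the public key and paste it into site B.
/interface/wireguard print
/ip/address add address=10.255.0.1/30 interface=wg-backup

# Peer = the backup-site router. allowed-address is Wireguard's cryptokey routing table:
# only packets whose source is in this list are accepted from the peer, and only
# packets to these destinations are sent to it. Keep it as narrow as possible.
/interface/wireguard/peers add interface=wg-backup \
    public-key="<SITE_B_PUBLIC_KEY>" \
    endpoint-address=backup.example.net endpoint-port=13231 \
    allowed-address=10.255.0.2/32,192.168.89.0/24 \
    persistent-keepalive=25s

# Route the remote LAN into the tunnel.
/ip/route add dst-address=192.168.89.0/24 gateway=wg-backup

# Let the handshake in ahead of the default "drop all not coming from LAN" input rule;
# only the single UDP port is opened, the tunnel itself is authenticated by the keys.
/ip/firewall/filter add chain=input protocol=udp dst-port=13231 action=accept \
    place-before=0 comment="WireGuard from backup site"
# Treat the tunnel as LAN so the default forward rules allow traffic between the sites.
/interface/list/member add list=LAN interface=wg-backup

# Backup-site router (site B) mirrors the above with the roles swapped.
# LAN 192.168.89.0/24, tunnel address 10.255.0.2/30.
/interface/wireguard add name=wg-home listen-port=13231 comment="site-to-site to home"
/ip/address add address=10.255.0.2/30 interface=wg-home
/interface/wireguard/peers add interface=wg-home \
    public-key="<SITE_A_PUBLIC_KEY>" \
    endpoint-address=home.example.net endpoint-port=13231 \
    allowed-address=10.255.0.1/32,192.168.88.0/24 \
    persistent-keepalive=25s
/ip/route add dst-address=192.168.88.0/24 gateway=wg-home
/ip/firewall/filter add chain=input protocol=udp dst-port=13231 action=accept \
    place-before=0 comment="WireGuard from home"
/interface/list/member add list=LAN interface=wg-home
```

Once both sides are configured, `/interface/wireguard/peers print` on either router should show a recent last-handshake and growing rx/tx counters; if it does not, the handshake port is usually what the firewall is still blocking.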
Other use cases that I found for the site-to-site setup as well as the road warrior mode:
- tang-clevis: All my PC devices are encrypted. You can use tang and clevis for network bound disk encryption, where the tang server is physically somewhere else than the devices that are being unlocked using clevis. Placing that tang server in a different location connected via Wireguard feels like upping the game. Now, if somebody broke into my home and took all the devices, they wouldn’t be able to automatically unlock the disks against the tang server because that server is physically somewhere else.
- NAS disk decryption: In a similar fashion, I can unlock my home Synology NAS disks automatically after a reboot by having the keys stored off-site. In case it’s taken somewhere else, you need to unlock the disks manually.
- Pi Hole DNS: I run a Pi Hole instance at home and I really like the way it blocks ads for every device connected to my home network. And when I’m away from home, I connect to my home network using Wireguard so that I can use this Pi Hole instance for DNS resolution no matter where I am. This is especially great when you’re on a mobile connection, as it saves a ton of traffic.
- Locally running AI: I like the llama.cpp project, where I can use my machine to run models locally. Again, I can connect this way to my home network and use the more powerful machine at home to run models when travelling with a less powerful laptop, or even from a phone via a web browser.
- Home automation: Similarly, being able to connect home using Wireguard means access to Home Assistant at home. This means that Home Assistant is running just locally and doesn’t need to be connected to any kind of cloud for remote access.
Now, my ISP doesn’t provide meaningful IPv6 yet (well, they do, but it’s either having IPv6 or being able to switch the device they provide me with to bridge mode, and so far I’ve preferred the latter). But once I’m able to start using IPv6 properly, it will probably mean that I’ll have to rethink this site-to-site setup. Right now, though, I have to say I really like what Wireguard and Mikrotik can offer when combined.