Quick Start

Last updated: Jan 26th

Introduction

MTWireguard is an open-source, powerful and secure web-based tool for managing Wireguard on Mikrotik devices.
You can manage the Wireguard interface and peers on a Mikrotik system (physical router or CHR VM).
It also contains some useful options to make your work easier.

What's This

MTWireGuard is not a VPN. It's a web interface built to make using Wireguard on Mikrotik easier.
It runs as a docker container, which makes it possible to run on Mikrotik RouterOS (see Requirements).
It's based on lightweight Ubuntu-Chiseled images.

Platforms used
  • Docker: container
  • Ubuntu-Chiseled: os
  • ASP.net Core: back-end
  • Bootstrap: front-end

Privacy

Sensitive data privacy clarity

No information is sent to other servers. All your data is stored on your device. Wireguard peers' private keys are held in a local database placed in the project directory; this is explained in the FAQs section. Error logging only sends information about errors in the application code to help us improve the project and fix problems. This feature can be disabled from the settings page.

Requirements

There are some basic hardware/software requirements to run this project:

  • RouterBoard or machine running RouterOS v7.9+ with root access (recommended: 7.12+)
  • At least 1GB of RAM (recommended: 2/4GB)
  • At least 512MB of HDD (recommended: 5/10GB)

Installation

Installation is simple and takes up to 3 minutes.

Enable Container

First, you need to enable container in device-mode on RouterOS to use docker images.
Enable container using these commands:

/system/device-mode/
update container=yes

After enabling container, you must reboot the device with the hardware button, or if it's a virtual machine, power it off and on again from the host. Then set registry-url (to download containers from the Docker registry) and set the extract directory (tmpdir) to a storage location (a USB device or second HDD is recommended).

/container/config/
set registry-url=https://registry-1.docker.io tmpdir=disk1/pull

Alternative DNS servers (Shecan):

/ip/dns/set servers=185.51.200.2,178.22.122.100

Alternative DNS servers (403):

/ip/dns/set servers=10.202.10.102,10.202.10.202

Alternatively, use the GitHub container registry:

/container/config/
set registry-url=https://ghcr.io

Enable REST-API

REST-API must be enabled to allow communication between RouterOS and the MTWireguard service. To start using REST-API, the www-ssl or www (starting with RouterOS v7.9) service must be configured and running.
It's recommended to use the www-ssl service with a valid SSL certificate. RouterOS has a built-in option to create valid SSL certificates.
RouterOS v7 has Let's Encrypt (letsencrypt) certificate support for the www-ssl service. To enable the Let's Encrypt certificate service with automatic certificate renewal, use the enable-ssl-certificate command. Alternatively, create a local CA and a server certificate signed by it, as in the commands below:

/certificate
add name=root-cert common-name=MTWG days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=MTWG days-valid=3650
sign ca=root-cert https-cert

Enable the www-ssl service:

/ip/service
set www-ssl certificate=https-cert disabled=no

Network Configuration

Containers Bridge

When the Mikrotik is ready, it's time to configure the virtual network for containers and install the MTWireguard docker image.


Create a VETH:

/interface/veth
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth-mtwg

Create a bridge for containers and add VETH(s) to it:

/interface/bridge
add name=dockers
/interface/bridge/port
add bridge=dockers interface=veth-mtwg

Set IP address on bridge for containers gateway:

/ip/address
add address=172.17.0.1/24 interface=dockers

Firewall Rules

After configuring network parameters, you need to add some firewall rules.


Set up src-nat for outgoing traffic of the containers:

/ip/firewall/nat
add chain=srcnat action=masquerade src-address=172.17.0.0/24

Set up dst-nat to access the MTWireguard panel over the internet.
Replace <Public-IP> with your public IP address and <Public-Port> with the port number you want to use to access MTWireguard.

/ip/firewall/nat
add chain=dstnat action=dst-nat dst-address=<Public-IP> dst-port=<Public-Port> protocol=tcp to-addresses=172.17.0.2 to-ports=8080

Now your virtual network is ready for docker containers. Let's set up the container.

Container Configuration

Environment Variables

Configure the Mikrotik connection settings in the container environment variables to allow the container to modify RouterOS.

Replace your Mikrotik username, password and public IP address in the required fields.

/container/envs
add name=mtwg_envs key=MT_IP value=172.17.0.1
add name=mtwg_envs key=MT_USER value=<Mikrotik Username>
add name=mtwg_envs key=MT_PASS value=<Mikrotik Password>
add name=mtwg_envs key=MT_PUBLIC_IP value=<Public IP>

Install the MTWireguard image from the configured registry.
Replace "techgarageir" with "techgarage-ir" if using the GitHub registry.

/container
add remote-image=techgarageir/mtwireguard:latest interface=veth-mtwg root-dir=disk1/mtwg envlist=mtwg_envs

Secure Access

To improve security, you can configure your Mikrotik in a more secure way.

Make the www-ssl service accessible from MTWireguard only:

/ip/service
set www-ssl address=172.17.0.2

Create a restricted user for the MTWireguard panel and limit it so it can only log in from the MTWireguard IP:

/user/group
add name=wgusers policy=read,write,api,rest-api,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon
/user
add name=wgadmin password=Str0ngP@S$w0rD group=wgusers address=172.17.0.2

Then use this user in the container environment variables.
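As an added example (not part of MTWireguard or this page), a small Python audit that parses a RouterOS export and verifies the three Secure Access settings above: www-ssl bound to the container address, the panel user limited to that address, and its group granting rest-api without sensitive policies. The parser assumes unquoted values, and the sample export is constructed, not real router output.

```python
CONTAINER_IP = "172.17.0.2"   # veth address of the MTWireguard container
REQUIRED = {"read", "write", "rest-api"}
FORBIDDEN = {"policy", "sensitive", "ssh", "winbox", "ftp", "telnet", "password", "reboot"}

def parse_export(text):
    """Parse '/path' headers and 'verb key=value ...' lines (assumes unquoted values)."""
    entries, path = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            continue
        verb, *tokens = line.split()
        params = {}
        for tok in tokens:
            key, sep, value = tok.partition("=")
            params[key if sep else "_target"] = value if sep else key   # bare token = item name
        entries.append((path, verb, params))
    return entries

def by_name(entries, path):
    # Map item name (name= value, or the bare 'set <item>' token) to its parameters under one path.
    return {p.get("name", p.get("_target")): p for pth, _, p in entries if pth == path}

def audit_secure_access(text, user="wgadmin", container_ip=CONTAINER_IP):
    """Return a list of findings; an empty list means every hardening check passed."""
    entries, findings = parse_export(text), []
    svc = by_name(entries, "/ip/service").get("www-ssl", {})
    if svc.get("address") != container_ip:
        findings.append("www-ssl is not restricted to address " + container_ip)
    u = by_name(entries, "/user").get(user, {})
    if u.get("address") != container_ip:
        findings.append("user " + user + " is not limited to address " + container_ip)
    policy = by_name(entries, "/user/group").get(u.get("group"), {}).get("policy", "")
    granted = {p for p in policy.split(",") if p and not p.startswith("!")}   # '!x' means denied
    if REQUIRED - granted:
        findings.append("missing policies: " + ",".join(sorted(REQUIRED - granted)))
    if FORBIDDEN & granted:
        findings.append("excess policies: " + ",".join(sorted(FORBIDDEN & granted)))
    return findings

# Constructed sample export (not real router output) matching this page's Secure Access commands.
HARDENED_EXPORT = """
/ip/service
set www-ssl address=172.17.0.2 certificate=https-cert disabled=no
/user/group
add name=wgusers policy=read,write,api,rest-api,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon
/user
add name=wgadmin group=wgusers address=172.17.0.2
"""
```

Run `audit_secure_access` on the output of `/export` from your router; an empty result means the three settings are in place.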