- This topic has 3 replies, 2 voices, and was last updated 5 days, 14 hours ago by
.
One of the things I was excited about w/ MikroWizard was that it said it had integrated wireguard management, which I thought was really cool.
I couldn’t actually get this to work, and even if it did, you’d still have to establish the initial connection which if the device is NAT’d requires some sort of tunnel to be setup anyway.
What would be pretty cool, would be if it worked similar to other MT management platforms. Where you run a script that has various variables auto inserted let’s say and negotiates the WG tunnel on both ends, and starts talking to eachother.
For example in “System Settings” “Bootstrap Script & Variables”
Then people can run a single command on their MT’s to get a device hooked in, and have variables auto populated.
So it might look something like this.
Boot Script and Variables page
Variables (with examples from my implementation)
WireGuardEndPoint “public.dns.of.my.MW.instance” (Checkbox allow change at generation)
WireGuardPort “#####” (checkbox to allow change at generation
WireGuardPubKey “<key>” (checkbox)
WGInternalIP “”1.1.1.1/24” (This is the IP that the Mikrotik sets on the wireguard interface which for example would be different on each router, so you’d need to change it every time)and of course you could establish any number of additional variables for your script for future flexibility customization and bootstrapping tailored to your individual setup
For example, I put firewall rules to accept all input from my known and trusted ranges but it’s not in my bootstrap script yet because I’m too lazy to write the if ‘name exists’ rules right now and since I have to login to the MT to bootstrap it anyway I just paste them in after that
For reference, here is the current bootstrapping script I’m using on my devices to get them onboarded:
# ==========================================
{
# — UPDATE THESE VARIABLES —
:local serverIP “pub.dns.com”;
:local serverPort “####”;
:local serverPubKey “<key>”;
:local wgInternalIP “172.16.200.13/23″; # Assign a unique VPN IP for this specific remote router
# ——————————# 1. Create the WireGuard Interface
/interface wireguard add name=wg-mikrowizard listen-port=60040;
:delay 2s;# 2. Add the Central Server as a Peer (Crucial: 25s keepalive punches through the NAT)
/interface wireguard peers add interface=wg-mikrowizard public-key=$serverPubKey endpoint-address=$serverIP endpoint-port=$serverPort allowed-address=”172.16.200.1/32″ persistent-keepalive=25s;# 3. Assign the Internal VPN IP
/ip address add address=$wgInternalIP interface=wg-mikrowizard;# 4. Open API Access specifically for the Tunnel
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8728,8729 in-interface=wg-mikrowizard place-before=0 comment=”Allow MikroWizard API over WG”;:local user “admin”;
:local newIP 172.16.200.1/32;# 1. Get current addresses as a native array (No :tostr needed)
:local current [/user get $user address];:put (“Current array: ” . [:tostr $current]);
# 2. Check if the IP is already in the array to avoid duplicates
:if ([:len [:find $current $newIP]] = 0) do={
:put “IP not found, adding…”;# 3. Use (array, item) to append natively
# If the list is currently empty, just set it; otherwise append.
:if ([:len $current] = 0) do={
/user set $user address=$newIP;
} else={
/user set $user address=($current, $newIP);
}
:put “Appended $newIP successfully.”;
} else={
:put “IP $newIP already exists in the list. Skipping.”;
}# 5. Ensure API service is enabled and listening to the WG subnet
/ip service set api address=”172.16.200.1/32″ disabled=no;
/ip service set ssh address=”172.16.200.1/32″ disabled=no;/ip firewall filter add chain=input src-address=172.16.200.1 action=accept comment=”Allow MikroWizard Server Access” place-before=0;
/system routerboard settings set auto-upgrade=yes
/system scheduler add name=auto-firmware-reboot start-time=startup on-event=”:delay 15s;\r\n/system routerboard\r\n:if ([get current-firmware] != [get upgrade-firmware]) do={\r\n /system reboot\r\n}” policy=reboot,read,write}
Additional extensibility here, could be to somehow from the mikrotik to request a ‘scan’ for inclusion from the device itself
so for example, additional variables
(We already have the device WG IP in the variables)
(We already have the device admin in a variable where we’re adding the MW WG IP (172.16.200.1)
Add new variable (adminpassword)
add new variable api port w/ the api port default auto filled (apiport)In system configuration, “Subnet to accept answer API requests from in my case (172.16.200.0/23)
Then in the mikrotik script I could do whatever the terminal command to ‘curl / wget / post’ to a url:
https://dns.dom.com/api.php?devip=$wgInternalIP,apiport=$apiport,user=$user,userpw=$adminpasswordThen in the admin panel you’d ‘create bootstrap script’
Fill out all your various variables.
It would create a script that was deleted say an hour later at “https://dns.dom.com/bootstrapscripts/$wginternalIP.rsc (or whatever that extension is) [Or you could just have the bootstrap script get deleted when the Scan/api request is sent]
then spit out the command you’d run on terminal to fetch / run that script on the mikrotik.Now the preparation and scan/inclusion of the device are completely automated, there’s less room for errors etc….
And once this integrated wireguard infrastructure is more mature when it sends the API Scan request, you could pass the public key for the MT to the MikroWizard instance, and then it adds peer and waits 25 seconds before it tries to do the scan (as the wireguard has to be up for the scan to work)
In my current implementation, I would have to basically just add the WG Peer manually as I’m doing WG at the OS/VM level because I couldn’t figure out how to get the Wireguard MW extension to work, plus this exchange has to happen somehow to begin with, which in the case of a NAT’d device requires WG to basically already exist.
1 user thanked author for this post.
- You must be logged in to reply to this topic.