All-in-one VPN with WireGuard, MikroTik and Keenetic
In this article, I will share my experience and configs for building a universal family VPN – both for end users and for organizing network interaction between a summer house and an apartment.
You will learn how:
configure WireGuard on a VPS server
link two home networks over WireGuard when neither of them has a public IP
give client devices unrestricted Internet access through a VPS hosted abroad
List of abbreviations
Abbreviation | Meaning |
WG | WireGuard |
Of course, there are many articles about WG. However, when I needed to solve a non-trivial problem, the articles I found did not help me. I would venture to guess that this is because most of them give a recipe without explaining the mechanics of what is happening, so one step to the left or right makes the instructions useless. I want to close this gap and give the reader not only instructions but also an understanding of how it works, so that they can implement something that is not described anywhere.
To begin with, I will describe the problem I had and which was successfully solved. The starting point was the idea of connecting two network segments, the one in the country house and the one in the apartment, so that each network can be administered from the other. The environment turned out to be heterogeneous: at home there is a Keenetic Viva router, whose admin panel is reachable from the Internet thanks to Keenetic's own cloud service, while the country house has a MikroTik RB3011, and the local provider there does not offer public IP addresses at all. The idea had been in the air for a long time, but what finally drove the implementation was that the Windscribe VPN service stopped working through my provider altogether. I decided to rent a VPS abroad, set up a VPN for the family, and connect the two networks at the same time as a cherry on top. The target architecture looks like this:
I rented a VPS from the provider Fornex; as a starting point for configuring WireGuard I used an article on 1cloud. From here on I go step by step. I worked under the root account, so the commands are given without sudo.
Install WG:
apt install -y wireguard
Change into the directory /etc/wireguard and do everything there. So far everything follows the instructions: generate a key pair for the server (run umask 077 first, so that the private key file is created readable only by root; otherwise tee writes it world-readable):
wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
As a result we have two files: the private key, which stays on the server, and the public key, which goes into the clients' configurations so that they can connect to the WG server. Now it is time to return to theory: how WG works, what entities it operates on and what follows from that. Simplified, the WG workflow looks like this:
This scheme describes the following facts and considerations:
Starting the WG server brings up a separate network interface on the host
The server's WG configuration is applied to that network interface
For each client connection, the server configures its own peer entry on the server side
A secure channel is established between two peers
The server does not configure the clients' peers; it configures only the peers in its own config
A peer, as the term implies, is an equal participant in the exchange: peers on the server have no more rights than peers on the clients. Each peer has its own settings, and these settings (above all its AllowedIPs) determine which packets are sent into the secure channel and which packets are accepted out of it. This is a very important fact, and it is what lets you adjust the parameters to solve your own problem.
First, let's analyze the flow of packets from the apartment network to the dacha network and back. Assume the following parameters:
Parameter | Value |
apartment subnet (Keenetic) | 192.168.0.0/24 |
dacha subnet (MikroTik) | 192.168.88.0/24 |
VPS IP address | xxxx |
VPN subnet | 10.0.0.0/24 |
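Before tracing the packets, it helps to have the mechanism from the previous section in executable form. The following is an added example and not part of the original article: a small Python model of WireGuard's cryptokey routing, the AllowedIPs rules that decide what enters and leaves the tunnel, using the subnets from the table. The peer layout is assumed for illustration: the Keenetic is tunnel peer 10.0.0.2 with 192.168.0.0/24 behind it, the MikroTik is 10.0.0.3 with 192.168.88.0/24 behind it, a phone is 10.0.0.4 with nothing behind it, and the public keys are placeholders.

```python
"""Added example: a model of WireGuard cryptokey routing for the article's subnets.

Two rules decide what enters and leaves the tunnel, and both read AllowedIPs:
  outbound: a packet is encrypted to the peer whose AllowedIPs contain the
            destination (longest prefix wins); no match means no tunnel;
  inbound:  after decryption the inner source IP must fall inside the sending
            peer's AllowedIPs, otherwise the packet is dropped.
The peer layout and the keys below are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    public_key: str      # placeholder; a real config holds the base64 key
    allowed_ips: list    # ipaddress networks parsed from AllowedIPs


def parse_allowed_ips(text: str) -> list:
    """Parse the comma-separated AllowedIPs value of a [Peer] section."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in text.split(",") if s.strip()]


def peer(name: str, allowed: str) -> Peer:
    return Peer(name, f"<{name}-pubkey>", parse_allowed_ips(allowed))


# Server side (the VPS): one [Peer] per device, declaring what sits behind it.
VPS_PEERS = [
    peer("keenetic", "10.0.0.2/32, 192.168.0.0/24"),   # apartment router + its LAN
    peer("mikrotik", "10.0.0.3/32, 192.168.88.0/24"),  # dacha router + its LAN
    peer("phone", "10.0.0.4/32"),                       # plain client, nothing behind it
]

# Client side: each device has a single [Peer], the VPS. Here AllowedIPs is the
# client's routing policy: the routers send only the VPN subnet and the far LAN
# into the tunnel, the phone sends everything (the "Internet without borders" case).
KEENETIC_PEERS = [peer("vps", "10.0.0.0/24, 192.168.88.0/24")]
MIKROTIK_PEERS = [peer("vps", "10.0.0.0/24, 192.168.0.0/24")]
PHONE_PEERS = [peer("vps", "0.0.0.0/0")]


def outbound_peer(peers: list, dst: str) -> str | None:
    """Name of the peer a packet to `dst` is encrypted to, or None if it never
    enters the tunnel. Longest-prefix match across all peers' AllowedIPs."""
    addr = ipaddress.ip_address(dst)
    best = None
    for p in peers:
        for net in p.allowed_ips:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (p, net)
    return best[0].name if best else None


def inbound_accepted(sender: Peer, inner_src: str) -> bool:
    """Whether a decrypted packet from `sender` with inner source `inner_src`
    is delivered. This is WireGuard's built-in anti-spoofing check."""
    addr = ipaddress.ip_address(inner_src)
    return any(addr in net for net in sender.allowed_ips)


def duplicate_allowed_ips(peers: list) -> list:
    """Exactly the same prefix on two peers: a prefix belongs to one peer only,
    so a later peer with the same prefix takes it away from the earlier one.
    Returns (prefix, first peer, second peer) triples for review."""
    seen, dups = {}, []
    for p in peers:
        for net in p.allowed_ips:
            if net in seen:
                dups.append((str(net), seen[net], p.name))
            else:
                seen[net] = p.name
    return dups


if __name__ == "__main__":
    print("VPS -> 192.168.88.10 goes to:", outbound_peer(VPS_PEERS, "192.168.88.10"))
    print("Keenetic -> 8.8.8.8 goes to:", outbound_peer(KEENETIC_PEERS, "8.8.8.8"))
    print("phone claiming 192.168.0.5 accepted?",
          inbound_accepted(VPS_PEERS[2], "192.168.0.5"))
```

Two things this makes visible that the configs alone do not: a reply from the dacha LAN reaches the apartment only because the VPS has 192.168.88.0/24 in the MikroTik's AllowedIPs and the Keenetic has it in the VPS's, so both ends of the path must list the far subnet; and a client that only knows its /32 cannot inject packets with a LAN source address, because the inbound check drops them.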