Mullvad WireGuard RouterOS LAN/NAT

LittleFool — Sat, 14 May 2022 09:20:10 GMT

LAN Routing

After updating to RouterOS 7.2.3 I noticed that my setup in the previous post still works but the router was unreachable via ping and winbox. So to reach my Mikrotik again I re-did my "noVPN" Mangle rules. I will give these just for IPv4 but something similar should work for IPv6.

The basic idea is to not route-mark anything that is originating from a local interface to a local interface, if we did, it would be send out to Mullvad (or the VPN Provider in general). Since we have to use the prerouting chain we can't use "out interfaces", therefore we will filter by "dst. address" or "dst. address list". I will be doing the example with "dst. Address list" and "in. interface list" because it is the most flexible approach I found. I will be assuming that ether2 and ether3 are LAN interfaces with the IP networks 192.168.88.0/24 and 192.168.89.0/24.

Mullvad WireGuard with RouterOS 7

LittleFool — Wed, 02 Feb 2022 15:28:26 GMT

Introduction

After getting a GL iNet travel router and Mikrotik releasing RouterOS 7 I thought it's time to look at a 24/7 VPN connection again. When looking through the VPN services GL iNet suggests, I stuck with Mullvad. So in this post I will explain how I setup my Mikrotik CHR to use Mullvad VPN with WireGuard, implement a kill-switch and use the Mullvad DNS. If you are using RouterOS 7.2 or later read my other post first!

LittleFool's Blog (Posts about WireGuard)

Mullvad WireGuard RouterOS LAN/NAT

LAN Routing

Mullvad WireGuard with RouterOS 7

Introduction