Mainland China VPN Hong Kong via MikroTik and WireGuard

张无忌

RouterOS machine IP address = 192.168.88.0/24. After installation please remember to carry out "syetem reboot". All ethernets and (wireless lans) of router are ported Hong Kong network (HK-Gateway).

Cautions:
1. Line 73 (in the following script) abc.xyz.org should be modified to a right one.
2. Lines 47-49, the firewall filter code should be placed before the drop line.
3. Hong Kong MikroTik router listen-port=22555.
4. Mainland China MikroTik router listen-port=13231.
5. If 192.168.88.0/24 is changed to other value, please check line 90.
6. If the router does not start correctly, you have to wait for few minutes.
7. Line 77, "persistent-keepalive=25" may be removed to keep traffic clean.

#

1. ########################################
   
2. # Step One: Wireguard Tunnel Setup
   
3. ########################################
   
4. 
   
5. # On HK MikroTik
   
6. # Set up wireguard interface. This will also generate private/public keypair.
   
7. #/interface wireguard
   
8. #add listen-port=22555 mtu=1420 name=wg-china comment="WG China"
   
9. 
   
10. #/interface wireguard print
    
11. #0  R ;;; WG China
    
12. #     name="wg-china" mtu=1420 listen-port=22555
    
13. #     private-key="iBrbTYwkIK30+lDHMXlDWu9n3KUeA1XFJx+BjsbEHnA="
    
14. #     public-key="mE1t7D3LBfeJ8SkvVRyRsEuZhTo4gl59cgKFstYm92E="
    
15. 
    
16. /interface wireguard
    
17. add listen-port=22555 mtu=1420 name=wg-china private-key=\
    
18. "iBrbTYwkIK30+lDHMXlDWu9n3KUeA1XFJx+BjsbEHnA=" \
    
19. comment="WG China"
    
20. 
    
21. ############################################################
    
22. 
    
23. # On China MikroTik
    
24. # Set up Wireguard interface. This will also generate private/public keypair.
    
25. #/interface wireguard
    
26. #add listen-port=13231 mtu=1420 name=wg-hk
    
27. 
    
28. #/interface wireguard print
    
29. #0  R name="wg-hk" mtu=1420 listen-port=13231
    
30. #    private-key="MADwYW6QTh77/z0fXN6kRdQIA+J7Q4dZURWHeoyi1GM="
    
31. #    public-key="+l7EoWoM3JIIRw2cKWZMPc/IdI4Qjrjt1YScZJ0ObmM="
    
32. 
    
33. /interface wireguard
    
34. add listen-port=13231 mtu=1420 name=wg-hk private-key=\
    
35. "MADwYW6QTh77/z0fXN6kRdQIA+J7Q4dZURWHeoyi1GM=" \
    
36. comment="WG HK"
    
37. 
    
38. ######################################################
    
39. ######################################################
    
40. 
    
41. # On HK MikroTik
    
42. /ip address
    
43. add address=10.1.200.1/24 comment="WG China" interface=wg-china \
    
44.     network=10.1.200.0
    
45. 
    
46. # The firewall filter must be placed before the drop line
    
47. /ip firewall filter
    
48. add action=accept chain=input comment="WG China" dst-port=22555 \
    
49.     in-interface=ether1 protocol=udp
    
50. 
    
51. # Set up China peer.
    
52. /interface wireguard peers
    
53. add name=china allowed-address=10.1.200.2/32 comment="WG China" \
    
54.     interface=wg-china public-key=\
    
55.     "+l7EoWoM3JIIRw2cKWZMPc/IdI4Qjrjt1YScZJ0ObmM=" \
    
56.      preshared-key="qAnHo8uMf5CrgqFP0XzyFHsG1EZW8+BWG8I3GW/rPUQ="
    
57. 
    
58. #######################################################
    
59. 
    
60. # On China MikroTik
    
61. # Assign address to the router on the new interface.
    
62. /ip address
    
63. add address=10.1.200.2/32 comment="Wireguard" interface=wg-hk \
    
64.     network=10.1.200.0
    
65. 
    
66. #/ip firewall filter
    
67. #add action=accept chain=input comment="Wireguard" dst-port=13231 \
    
68. #   protocol=udp
    
69. 
    
70. # Set up HK peer
    
71. /interface wireguard peers       
    
72. add name=hk allowed-address=0.0.0.0/0 comment="hk" \
    
73.     endpoint-address=abc.xyz.org endpoint-port=22555 \
    
74.     interface=wg-hk public-key=\
    
75.     "mE1t7D3LBfeJ8SkvVRyRsEuZhTo4gl59cgKFstYm92E=" \
    
76.     preshared-key="qAnHo8uMf5CrgqFP0XzyFHsG1EZW8+BWG8I3GW/rPUQ=" \
    
77.     persistent-keepalive=25
    
78. 
    
79. ##########################################################
    
80. # Step Two: Routing the Traffic
    
81. ##########################################################
    
82. 
    
83. # On China MikroTik
    
84. /routing table
    
85. add comment="For use by local clients" disabled=no fib name=wg-vpn
    
86. 
    
87. /routing rule
    
88. add action=lookup-only-in-table \
    
89.     comment="Local clients should use (only) Wireguard routing table" \
    
90.     disabled=no interface=bridge src-address=192.168.88.0/24 table=wg-vpn
    
91. 
    
92. /ip route
    
93. add dst-address=0.0.0.0/0 gateway=wg-hk routing-table=wg-vpn
    
94. 
    
95. /ip firewall nat \
    
96. add chain=srcnat out-interface=wg-hk action=masquerade
    
97. 
    
98. ### Open MSDOS  window input "curl http://myip.dnsomatic.com" to display HK IP address ###
    
99. 
    
100. #############################################
     
101. # Step Three: DNS
     
102. #############################################
     
103. 
     
104. # On China MikroTik
     
105. /ip dns
     
106. set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
     
107. 
     
108. /ip dhcp-server network
     
109. set 0 dns-server=1.1.1.1,8.8.8.8
     
110. 
     
111. #must reboot once
     
112. # /system reboot
     
113. 
     
114. #################################################
     
115. # Step Four
     
116. #################################################
     
117. 
     
118. /ip firewall mangle
     
119.   add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
     
120.   add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn
     
121. 
     
122. /system reboot

複製代碼

Ref.
[1] https://dimitrije.website/posts/ ... -and-wireguard.html

张无忌

MikroTik routers CN to HK performance via WireGuard

下列routers:
RB951G-HnD
hAP ac2
CCR1009-7G-1C-PC
hAP ax lite
RB5009UG+S+IN
hAP ax3

有了HK Gateway后，PC、手机、iPAD都不用VPN，就能直接HK network （HK-Gateway）。

https://speedtest.ofca.gov.hk/speedtest.html
Mainland China client side：RB951G-HnD，1CPU，v7.16.2，broadband=500Mbps/50Mbps
HK server side：hAP ac3，4CPU，v7.16.1，broadband=300Mbps/300Mbps
Table 1 （maximum kept）

1. Date        Time    Latency(ms)   Jitter(ms)   Download(Mbps)   Upload(Mbps)
   
2. 2024-12-01  13:33   41            0.9          53               40
   
3. 2024-12-02  09:20   41            0.4          53               45
   
4. 2024-12-04  09:24   40            0.4          54               38
   
5. 2024-12-06  08:03   42            0.8          54               39
   
6. 2024-12-08  07:58   41            0.2          53               44

複製代碼

Mainland China client side：hAP ac2， 4CPU，v7.16.2，broadband=500Mbps/50Mbps
HK server side：hAP ac3，4CPU，v7.16.2， broadband=300Mbps/300Mbps
Table 2 （maximum kept）

1. Date        Time    Latency(ms)   Jitter(ms)   Download(Mbps)   Upload(Mbps)
   
2. 2024-12-18  16:15   38            0.1          245              35
   
3. 2024-12-23  17:36   37            0.2          249              43
   
4. 2024-12-26  14:16   40            0.2          249              44
   
5. 2025-01-04  10:28   41            0.3          243              42
   
6. 2025-01-09  12:18   40            0.3          248              31

複製代碼

Mainland China client side：CCR1009-7G-1C-PC，9CPU，v7.17.1， broadband=500Mbps/50Mbps
HK server side：hAP ac3，4CPU，v7.17.1， broadband=300Mbps/300Mbps
Table 3 （maximum kept）

1. Date        Time    Latency(ms)   Jitter(ms)   Download(Mbps)   Upload(Mbps)
   
2. 2025-01-27  11:17   39            0.5          239              38
   
3. 2025-01-28  14:12   40            0.2          243              43
   
4. 2025-02-02  12:28   38            0.2          244              43
   
5. 2025-02-05  08:16   37            0.2          248              41
   
6. 2025-02-07  08:51   40            0.5          235              41

複製代碼

Mainland China client side：hAP ax lite，2CPU，v7.17.2， broadband=500Mbps/50Mbps
HK server side：hAP ac3，4CPU，v7.17.2， broadband=300Mbps/300Mbps
Table 4 （maximum kept）

1. Date        Time    Latency(ms)   Jitter(ms)   Download(Mbps)   Upload(Mbps)
   
2. 2025-02-15  09:36   42            0.3          136              34
   
3. 2025-02-16  09:49   40            0.4          140              36
   
4. 2025-02-18  09:30   45            1.0          129              43
   
5. 2025-02-19  09:02   43            0.2          129              43
   
6. 2025-02-23  09:01   39            0.2          139              46

複製代碼

Mainland China client side：RB5009UG+S+IN，4CPU，v7.18， broadband=500Mbps/50Mbps
HK server side：hAP ac3，4CPU，v7.18， broadband=300Mbps/300Mbps
Table 5 （maximum kept）

1. Date        Time    Latency(ms)   Jitter(ms)   Download(Mbps)   Upload(Mbps)
   
2. 2025-02-24  07:46   42            0.3          168              34
   
3. 2025-02-27  17:07   52            3.4          173              34
   
4. 2025-02-28  11:27   40            0.3          239              41
   
5. 2025-03-02  09:16   37            0.2          256              42
   
6. 2025-03-03  08:08   39            0.2          169              45

複製代碼

Mainland China client side：hAP ax3，4CPU，v7.18.1， broadband=500Mbps/50Mbps
HK server side：hAP ac3，4CPU，v7.18.1， broadband=300Mbps/300Mbps
Table 6 （maximum kept）

1. Date        Time    Latency(ms)   Jitter(ms)   Download(Mbps)   Upload(Mbps)
   
2. 2025-03-07  09:48   41            0.2          264              40
   
3. 2025-03-08  15:29   42            0.5          259              36
   
4. 2025-03-09  09:26   38            0.3          247              28
   
5. 2025-03-10  08:20   37            0.2          169              39
   
6. 2025-03-12  09:07   37            0.2          158              31

複製代碼

2025-02-24 14:20 10212

freshtomato

多謝分享！

用你上面的例子
問如果香港server router Os 已经GUI设定好 (睇YouTube 教学)
可以iPhone wireguard client logon,

宜家我多隻Microtik router 放在內地(reset default configuration)、 想张呢隻router 去setup wireguard client side,

我有wireguard client conf file,

問點樣可以人手或import conf file 去隻内地Microtik router? 麻烦指點!

Thanks in advance!!!

张无忌

Thank for appreciation and you have bought several MikroTik routers in (both Hong Kong and) Mianland China.

1. 香港的router是MikroTik吗？
2. 大陆的MikroTik routers能否have public IP？
3. 我上面的script有两部分，HK and China （Mainland），我只是用terminal输入的，但是改为输入方法，应该可以。

freshtomato

香港Pccw, 有兩個public ip, 一台Mikrotik(HK1) 一台Qnap(HK2), 两台router都是wireguard server,

大陸Broadband 無public ip, 有隻Mikrotik router (CN) ROS 7.16.2

我可以用mikrotik terminal 輸入,

最后,如果可以的话、教一下advance version, when Mikrotik CN wireguard to HK1, if connect failed 3 times, Mikrotik CN auto switch to wireguard HK2!


多谢🙏

linuxfans

回覆 1# 张无忌


    好文 收藏+拜读 ！！！赞！！！

linuxfans

回覆 5# freshtomato


    如果您要同时连接香港两条WG，可以做成负载均衡即一条线连接不上时还可以连接另一条线路来使用。配置复杂一些。

一般个人在电脑或手机APP上使用WG，就直接切换到两条WG线路即可，简单快捷！

雯雯

Thank for appreciation and you have bought several MikroTik routers in (both Hong Kong and) Mianland ...
张无忌 發表於 2024-11-28 17:39

我補充一下, Mikrotik既site to site wirguard只要求一個site有public IPV4/IPV6便可.

Evangeline

Thanks for share

freshtomato

香港那边已经做好wireguard server, 因为有时大约一两个星期或一个月香港那边换public IP, 一换public, 我要人手入去个大陸router 换IP, 如果可以的话, 其实我想要3个答案

1, Normal Mikrotik CN to Microtik HK ( 1 to 1) 应该最简单

2, On mainland side Mikrotik router WIfi SSID: ABC, Mikrotik CN to HK1, SSID: JKL, Mikrotik CN to HK2, 2 wireguards connect to both HK1 & HK2 at the same time, no need to detect wireguard connection failure.

3,  when Mikrotik CN wireguard to HK1, if connect failed 3 times, Mikrotik CN auto switch to wireguard HK2!


Thanks