Running gateway on MikroTik routers


Last updated 7 months ago

By leveraging the ability of some MikroTik routers to run Docker containers it is possible to deploy the gateway directly on your router.

Proceed with extra caution when working with your core infrastructure. All official RouterOS containers warnings still apply.

Prerequisites

  • RouterOS device with ARM or ARM64 architecture (popular homelab choices include RB4011 or RB5009)

  • Container package installed and enabled

  • a running defguard core instance with a WireGuard location configured

  • (optional) a self-signed certificate generated by following the gRPC SSL setup guide

Setup

This guide assumes you do not have other Docker containers deployed on your router yet. If this is not the case, adjust accordingly.

The same applies if you have some more specific network configuration requirements.

For brevity we'll be using RouterOS terminal commands, but everything can also be accomplished through WinBox GUI.

Prepare network to install Docker container

  • first create a bridge interface for Docker containers and assign it an IP address in a dedicated Docker subnet (172.17.0.0/24 in our example):

/interface/bridge/add name=docker
/ip/address/add address=172.17.0.1/24 interface=docker
  • each container must have a dedicated VETH interface; create a veth1 interface and assign it an IP address in the chosen Docker subnet:

/interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
  • add the virtual interface to the Docker bridge:

/interface/bridge/port/add bridge=docker interface=veth1

Setup firewall rules

  • set up NAT for outgoing traffic from containers:

/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24
  • add a port forwarding rule to send UDP traffic from the public WireGuard port to the gateway container:

/ip/firewall/nat/add chain=dstnat protocol=udp dst-address=<YOUR PUBLIC IP> dst-port=<YOUR PUBLIC WG PORT> action=dst-nat to-addresses=172.17.0.2 to-ports=<YOUR PUBLIC WG PORT>

The container port the traffic is forwarded to (to-ports) must match your public WireGuard port.

  • add routing for your chosen WireGuard subnet configured in defguard UI location settings:

/ip/route/add dst-address=<YOUR WG SUBNET> gateway=172.17.0.2

Run gateway container

  • configure environment variables for the gateway container:

/container/envs/add name=defguard_env key=DEFGUARD_TOKEN value=<YOUR TOKEN>
/container/envs/add name=defguard_env key=DEFGUARD_GRPC_URL value=<YOUR DEFGUARD GRPC URL>
  • (optional) to use SSL for communication between the gateway and your defguard instance, copy the root certificate to your router's filesystem and add the following mount and environment variable:

/container/mounts/add name=defguard_cert src=<PATH TO CERT DIR> dst=/certs
/container/envs/add name=defguard_env key=DEFGUARD_GRPC_CA value=/certs/myCA.pem

Put the root certificate in a directory and mount the whole directory. Trying to mount a specific file can cause unexpected issues.

  • add the GitHub container registry to the container config:

/container/config/set registry-url=https://ghcr.io
  • finally create the actual container (if you added the certificate mount above, also pass mounts=defguard_cert so the directory is visible inside the container):

/container/add remote-image=ghcr.io/defguard/gateway:latest interface=veth1 envlist=defguard_env

At this point you should see that the gateway is connected in your defguard instance's web UI.
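The steps above, collected into a single RouterOS v7 script together with the checks to run afterwards. This is an added example, not a script from the defguard project or the original page. The public IP 203.0.113.10 (RFC 5737 documentation range), port 51820, location subnet 10.8.0.0/24, gRPC URL https://defguard.example.com:50055 and certificate directory disk1/certs are constructed placeholders; the dst-nat rule assumes the router still has the default firewall's "WAN" interface list, and start-on-boot, logging and mounts are standard RouterOS container parameters not shown on the page.

```routeros
# Added example (not defguard's own): the whole procedure from this page as one
# RouterOS v7 script, followed by verification commands.
# CONSTRUCTED values to replace: 203.0.113.10 (public IP), 51820 (public WG port),
# 10.8.0.0/24 (location subnet), https://defguard.example.com:50055 (gRPC URL),
# disk1/certs (directory holding the root certificate).
# Assumption: the default firewall's "WAN" interface list exists on this router.

# 1. Dedicated bridge, VETH interface and Docker subnet (values as on the page)
/interface/bridge/add name=docker comment="defguard gateway"
/ip/address/add address=172.17.0.1/24 interface=docker
/interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
/interface/bridge/port/add bridge=docker interface=veth1

# 2. Firewall: masquerade container egress, forward only the WireGuard UDP port
#    and only for packets arriving on WAN interfaces, then route the VPN subnet
#    to the container so return traffic from WireGuard peers reaches it
/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24 \
    comment="defguard gateway egress"
/ip/firewall/nat/add chain=dstnat in-interface-list=WAN protocol=udp \
    dst-address=203.0.113.10 dst-port=51820 action=dst-nat \
    to-addresses=172.17.0.2 to-ports=51820 comment="defguard gateway WG"
/ip/route/add dst-address=10.8.0.0/24 gateway=172.17.0.2 comment="defguard location"

# 3. Gateway configuration: token and gRPC URL; the mount and DEFGUARD_GRPC_CA
#    are only needed for the optional TLS setup (mount the directory, not the file)
/container/envs/add name=defguard_env key=DEFGUARD_TOKEN value="<YOUR TOKEN>"
/container/envs/add name=defguard_env key=DEFGUARD_GRPC_URL \
    value="https://defguard.example.com:50055"
/container/mounts/add name=defguard_cert src=disk1/certs dst=/certs
/container/envs/add name=defguard_env key=DEFGUARD_GRPC_CA value=/certs/myCA.pem

# 4. Pull and create the container; mounts= makes the certificate directory
#    visible inside it, logging=yes sends container output to the router log
/container/config/set registry-url=https://ghcr.io
/container/add remote-image=ghcr.io/defguard/gateway:latest interface=veth1 \
    envlist=defguard_env mounts=defguard_cert start-on-boot=yes logging=yes

# 5. Checks: wait until the status shows "stopped" (image extracted), start it,
#    then confirm the NAT rule sees packets and the gateway logs its connection
/container/print where interface=veth1
/container/start [find interface=veth1]
/ip/firewall/nat/print stats where comment~"defguard"
/log/print where topics~"container"
```

The image is downloaded and extracted asynchronously after /container/add, so the start command only succeeds once /container/print reports the container as stopped rather than extracting. If the gateway does not show as connected in the web UI, the container log entries are the first place to look: a TLS or token error there points at the DEFGUARD_GRPC_CA mount or DEFGUARD_TOKEN, while zero packets on the dst-nat rule points at the public IP, port or WAN interface list used in the forwarding rule.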