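# RouterOS export: LAN bridge behind a Mullvad WireGuard uplink with a firewall
# kill-switch. One command per line; review comments are marked FIX (behaviour
# changed because the original was defective), HARDENING (tightened, nothing
# legitimate affected) or NOTE(review) (assumption to confirm on the device).
#
# NOTE(review): nothing in this export touches /ipv6, yet the peer's
# allowed-address includes ::0/0. If the IPv6 package is enabled on this board
# there is no visible v6 firewall or kill-switch; confirm IPv6 is disabled or
# filtered the same way as v4.

/interface bridge
# protocol-mode=none switches off (R)STP on the LAN bridge; a cabling loop
# between ether2-4 will not be detected.
add comment="LAN switch" name=bridgeLAN protocol-mode=none

/interface wireless
# NOTE(review): only the SSID is set here and the default security profile
# (below) carries no authentication settings in this export, so if wlan1 is
# enabled it is an open network. wlan1 is also not a bridge port and not in the
# LAN interface list, so its clients get no DHCP and are dropped by the input
# chain. Confirm wlan1 is disabled, or secure it and add it to the bridge.
set [ find default-name=wlan1 ] ssid=MikroTik

/interface wireguard
# SECURITY: a WireGuard private key is committed in this file. Treat it as
# compromised: generate a new key on the router, register the new public key
# with the provider, and keep private keys out of exported/shared configs.
add comment="Mullvad-WG" listen-port=51820 mtu=1420 name=wg0 \
    private-key="6BjYCaFQI/Mm8L8BYp3DT66iW4Upw6XB7lbqdfK7n1U="

/interface list
add comment="Uplink(s)" name=WAN
add comment="Trusted LAN" name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcpPool ranges=192.168.88.10-192.168.88.254

/ip dhcp-server
add address-pool=dhcpPool comment="LAN DHCP" interface=bridgeLAN name=dhcp1

/interface bridge port
add bridge=bridgeLAN comment=LAN-1 interface=ether2
add bridge=bridgeLAN comment=LAN-2 interface=ether3
add bridge=bridgeLAN comment=LAN-3 interface=ether4

/interface list member
add interface=bridgeLAN list=LAN
# FIX: ether1 was never added to the WAN list, so the kill-switch rule that
# matches out-interface-list=WAN matched nothing and LAN traffic could leave
# via the uplink whenever the tunnel was down.
add comment="Uplink" interface=ether1 list=WAN

/interface wireguard peers
add allowed-address=0.0.0.0/0,::0/0 comment="Mullvad-peer" \
    endpoint-address=193.138.218.83 endpoint-port=51820 interface=wg0 name=peer1 \
    persistent-keepalive=25s public-key="fZFAcd8vqWOBpRqlXifsjzGf16gMTg2GuwKyZtkG6UU="

/ip address
add address=192.168.88.1/24 comment="LAN GW" interface=bridgeLAN network=192.168.88.0
add address=10.64.60.65/32 comment="WG local address" interface=wg0

/ip dhcp-client
# The lease script keeps a /32 host route to the WireGuard endpoint via the
# DHCP-learned gateway and disables it when the lease is lost, so the uplink is
# only ever used to carry the tunnel itself. The DHCP default route sits at
# distance 2, below the wg0 default route (distance 1) configured under /ip route.
add default-route-distance=2 interface=ether1 \
    script="# ----- Maintain pinned /32 route to Mullvad endpoint (kill-switch) ----\r\
    \n:if (\$bound = 1) do={\r\
    \n    :local gw \$\"gateway-address\"\r\
    \n    :local dst \"193.138.218.83/32\"\r\
    \n    :local id [/ip route find comment=\"mullvad-endpoint\"]\r\
    \n    :if ([:len \$id] = 0) do={\r\
    \n        /ip route add dst-address=\$dst gateway=\$gw distance=1 comment=\"mullvad-endpoint\"\r\
    \n    } else={\r\
    \n        /ip route set \$id gateway=\$gw disabled=no\r\
    \n    }\r\
    \n} else={\r\
    \n    # Lease lost - disable pinned route, no leak possible\r\
    \n    :local id [/ip route find comment=\"mullvad-endpoint\"]\r\
    \n    :if ([:len \$id] > 0) do={\r\
    \n        /ip route set \$id disabled=yes\r\
    \n    }\r\
    \n}"

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns
# LAN clients resolve through the router, which forwards to the provider's
# resolver over the tunnel. allow-remote-requests=yes is acceptable only because
# the input chain below drops DNS arriving on anything but the LAN list - keep
# the two in step.
set allow-remote-requests=yes servers=10.64.0.1

/ip firewall filter
add action=accept chain=input connection-state=established,related
# The router initiates the tunnel, so handshake replies already match
# established,related; this rule is belt-and-braces.
# HARDENING: limited to the configured peer instead of any host on the uplink.
add action=accept chain=input comment="Allow WG handshake from Mullvad peer" \
    dst-port=51820 in-interface=ether1 protocol=udp src-address=193.138.218.83
add action=accept chain=input comment="Allow LAN management" in-interface-list=LAN
add action=drop chain=input comment="Drop everything else to router"
add action=accept chain=forward connection-state=established,related
# FIX: restricted to LAN sources. The default route points at wg0, so without a
# source match any host on the WAN segment could hand the router packets for an
# arbitrary destination and have them relayed (and masqueraded) through the tunnel.
add action=accept chain=forward comment="LAN -> VPN" in-interface-list=LAN out-interface=wg0
# FIX: disabled. The router's own WireGuard handshake is output-chain traffic
# and never traverses forward, so this rule did not help the tunnel; it only let
# LAN hosts reach any UDP/51820 endpoint directly over the uplink, bypassing the
# tunnel and the kill-switch. Kept disabled for the record; delete if unwanted.
add action=accept chain=forward comment="(unused) LAN -> WAN udp/51820" disabled=yes \
    dst-port=51820 out-interface=ether1 protocol=udp
# FIX: made stateless. Nothing forwarded is ever allowed to leave via the uplink,
# so there is no reason to exempt anything; matching only connection-state=new
# left invalid/untracked packets free to leak.
add action=drop chain=forward comment="Kill-switch: block leaks if tunnel down" \
    out-interface-list=WAN
# FIX: the forward chain now default-denies. Previously WAN->LAN or wg0->LAN
# new connections matched no rule and fell through to RouterOS's implicit accept.
add action=drop chain=forward comment="Drop all other forwarded traffic"

/ip firewall nat
# Masquerade only towards the tunnel. Deliberately no srcnat to the uplink: even
# if a filter rule were mis-edited, LAN traffic leaving via ether1 would carry
# an RFC1918 source and not produce a working connection.
add action=masquerade chain=srcnat comment="Masq LAN to VPN" out-interface=wg0

/ip route
# NOTE(review): a RouterOS wireguard interface is reported "running" regardless
# of handshake state, so this route is expected to stay active and black-hole
# traffic when the tunnel is down rather than yield to the distance-2 DHCP
# default - confirm on the running version. The firewall kill-switch above is
# the guarantee; this route is not.
add distance=1 dst-address=0.0.0.0/0 gateway=wg0
# FIX: created disabled. gateway=192.168.88.1 is the router's own LAN address and
# is only a placeholder: the dhcp-client script rewrites the gateway and
# re-enables this route when a lease binds, and disables it when the lease is
# lost. Enabled as exported, it pointed the endpoint route at bridgeLAN until
# the first lease.
add comment=mullvad-endpoint disabled=yes distance=1 dst-address=193.138.218.83/32 \
    gateway=192.168.88.1

/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
# HARDENING: bind SSH to the LAN subnet like winbox. The input chain already
# drops uplink access; this keeps the service restricted if the filter is edited.
set ssh address=192.168.88.0/24 port=2222
set winbox address=192.168.88.0/24
set api disabled=yes

/system identity
set name=Chief-Bobcat

/system routerboard settings
set auto-upgrade=yes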