This repository contains a RouterOS script that creates and maintains a Private Internet Access (PIA) VPN connection. It configures the necessary WireGuard interface, peer, and address, and reconfigures the interface when the connection is lost (for example because of inactivity), so that a working connection is always maintained.
[!IMPORTANT]
This repository is still in active development. That being said, the code from the main branch is actively being used, and should therefore be in a working state.
This script is verified to work on RouterOS version 7.16.
The script ensures that the specified WireGuard interface exists: it is created if it does not exist, otherwise the existing interface with that name is used. The script does not modify the interface after creation and only reads its public key.
The script ensures that exactly one peer exists on the interface and that the peer is configured for communicating with PIA. If no peer exists, one is created, and any excess peers not needed for the connection are removed.
An address is set up on the WireGuard interface and updated whenever PIA assigns a new address to the peer. If no address exists, one is created, and any excess addresses on the interface are removed.
[!NOTE]
The following "Getting Started" section is a temporary solution until the script is finished and a more elegant setup is created.
To get started, add the script `vpn.rsc` to your router: go to System > Scripts, create a new script, and paste the contents of `vpn.rsc` into the source field. The script only needs the `read`, `write`, and `test` policies, so you can disable the rest.
Once inserted, edit the bottom of the script and fill in your PIA username and password, adjusting the PIA region and the interface name if needed. Note that the password is stored in plain text in the script source, so protect the router's user accounts and any configuration exports accordingly.
If your password contains the characters `?` or `$`, you need to escape them with a backslash: `\?` and `\$`. See the Scripting Wiki page for more info. Additionally, avoid the sequences `$[]` and `$()`, as they are used for [inserting expressions inside strings](https://wiki.mikrotik.com/wiki/Manual:Scripting#:~:text=By%20using%20%24%5B%5D%20and%20%24()%20in%20string%20it%20is%20possible%20to%20add%20expressions%20inside%20strings).
Lastly, set up a schedule that runs the script every 15 minutes. This ensures the connection is checked every 15 minutes and reconfigured if it is down. Replace `vpn-pia-berlin-1` in the following with the name you gave the script above.

```
/system/scheduler/add name="vpn-pia-berlin-1" interval=15m start-time=startup on-event="/system/script/run vpn-pia-berlin-1;";
```
[!IMPORTANT] The script automatically creates the specified interface if it does not exist and ensures a working VPN connection is set up through the WireGuard interface. After that, it is your responsibility to configure the router to actually route the desired traffic through the interface.
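As an added example that is not part of this repository's script, the same setup done from the RouterOS terminal instead of the WinBox script editor, followed by checks that the script actually produced the interface, peer and address, and a policy-routing rule that sends one LAN subnet through the tunnel without leaking to the WAN when the tunnel is down. The script and interface name `vpn-pia-berlin-1`, the LAN subnet `192.168.88.0/24`, the routing table name `pia`, and the placeholder script source are assumptions; adjust them to your setup.

```routeros
# Added example, not part of vpn.rsc. Assumed names: script/interface
# "vpn-pia-berlin-1", LAN subnet 192.168.88.0/24, routing table "pia".

# 1. Create the script with only the policies it needs. Replace the
#    placeholder source with the contents of vpn.rsc (credentials filled
#    in, with any "?" or "$" in the password escaped as \? and \$).
/system/script/add name="vpn-pia-berlin-1" policy=read,write,test \
    source="# paste the contents of vpn.rsc here"

# 2. Run it once by hand and read the log before scheduling it, so a
#    wrong password or region shows up now rather than every 15 minutes.
/system/script/run vpn-pia-berlin-1
/log/print where topics~"script"

# 3. Check what the script created: the interface, exactly one peer,
#    and the address PIA assigned to it.
/interface/wireguard/print where name="vpn-pia-berlin-1"
/interface/wireguard/peers/print where interface="vpn-pia-berlin-1"
/ip/address/print where interface="vpn-pia-berlin-1"

# 4. Verify connectivity through the tunnel itself, not via the WAN.
/ping 1.1.1.1 interface=vpn-pia-berlin-1 count=3

# 5. Schedule the periodic check (same command as in the text above).
/system/scheduler/add name="vpn-pia-berlin-1" interval=15m \
    start-time=startup on-event="/system/script/run vpn-pia-berlin-1;"

# 6. Route a LAN subnet through the tunnel. A dedicated routing table
#    plus action=lookup-only-in-table acts as a kill switch: when the
#    tunnel route is unusable, matching traffic is dropped instead of
#    falling back to the main table and leaving in the clear via the WAN.
#    NAT for traffic leaving the tunnel is handled by the script's
#    "masquerade" option, which is enabled by default.
/routing/table/add name=pia fib
/ip/route/add dst-address=0.0.0.0/0 gateway=vpn-pia-berlin-1 \
    routing-table=pia comment="default route via PIA"
/routing/rule/add src-address=192.168.88.0/24 \
    action=lookup-only-in-table table=pia

# 7. Confirm the tunnel route is active (flag "A") in the pia table.
/ip/route/print where routing-table=pia
```

Step 6 is the part the script deliberately leaves to you. Using a separate routing table with `lookup-only-in-table` rather than replacing the main default route means a WireGuard outage fails closed for the selected subnet while the router itself keeps its WAN path for reaching the PIA API and re-establishing the tunnel.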
The following parameters are set at the bottom of `vpn.rsc`:

- `interface`: The name the script uses for the WireGuard interface. The interface is created if none exists. Example: `vpn-pia-berlin-1`.
- `region`: The PIA server region to connect to. Example: `de_berlin`.
- `pia-username`: Your PIA username.
- `pia-password`: Your PIA password.
- `ping-address`: The address used for checking connectivity through the VPN connection. The address is pinged once to check connectivity. Default: `1.1.1.1`.
- `servers-file-path`: The path at which the list of PIA servers is cached. Default: `pia-servers.txt`.
- `pia-servers-ttl`: How long the cached server list at `servers-file-path` is kept before it is refreshed. If you encounter problems connecting to PIA servers, try setting this to a lower value. Default: `24h`.
- `masquerade`: Whether to automatically create a src masquerade rule in your firewall. Default: `true`.
- `verify-pia-certificate`: Whether to verify the TLS certificate of the PIA servers. Disabling this lets an on-path attacker impersonate the PIA API, so leave it enabled. Default: `true`.
- `install-pia-certificate`: Whether to automatically install the PIA CA certificate used for verifying PIA servers. Default: `true`.