
How I Built the Ultimate Secure Travel Router with Mikrotik & WireGuard

Donald Seder
Dec 20, 2024

Being in IT, you learn pretty quickly not to trust public Wi-Fi. How do I know who owns that SSID? How do I know who else is lurking on the network sniffing packets? My solution has always been a VPN.

But a VPN on my laptop doesn't solve everything. How do I easily connect my phone, tablet, and Switch? How do I access my home servers and cameras without configuring every single device? This is where my Travel Router comes in.

Here is my breakdown of how I configured a Mikrotik hAP ax² to act as a WireGuard client, tunneling everything securely back to my home Mikrotik AX3.

The Architecture: Splitting the Radios

To make this work without extra hardware, I split the roles of the two wireless radios inside the router:

  • Interface wifi1 (5GHz) → The LAN: Configured as an AP Bridge. This broadcasts my private "Travel SSID." All my personal devices connect here.
  • Interface wifi2 (2.4GHz) → The WAN: Configured as a Station. This acts as the uplink. It connects to the hotel Wi-Fi just like a phone would.

Why this setup? Public hotspots usually broadcast on 2.4GHz for better range, so I use that for the uplink. I keep the faster 5GHz band clean for my own devices.

Step 1: The "WAN" Configuration (2.4GHz)

First, I set up the 2.4GHz radio to act as the internet fetcher.

  1. Security Settings: I configured the uplink for an open network (no authentication), since most hotels run an open SSID fronted by a captive portal. That hop is unencrypted, which is exactly why the tunnel in Step 3 matters.
  2. Station Mode: I set the mode to station. This tells the device it is a client connecting to another AP.
  3. DHCP Client: I attached a DHCP Client to the wifi2 interface. Crucially, I set Add Default Route to yes but changed the Default Route Distance to 2. (This is important for the failover logic later!)

Step 2: Bypassing the Captive Portal

Hotels love their splash pages (Captive Portals). A router generally can't open a web browser to click "I Agree."

The MAC Masquerading Workaround

  1. Authenticate via Phone: I connect my phone to the hotel Wi-Fi first, navigate the splash page, and authenticate. The hotel network now whitelists my phone's MAC address.
  2. Copy the MAC: In the phone's Wi-Fi settings, copy the address the phone is actually using on that network. Modern iOS and Android default to a per-network randomized ("private") Wi-Fi address, so the hardware MAC shown under About may not be the one the hotel whitelisted.
  3. Spoof the Router: In WinBox, I go to the 2.4GHz Interface settings and paste my phone's MAC into the MAC Address field. Note the factory MAC first so you can restore it after the trip.
  4. Connect: I disconnect my phone (two devices using the same MAC on one network will fight each other) and enable the router interface. The hotel network sees the whitelisted MAC and lets the router online immediately. The authorization is usually time-limited, so expect to repeat this on a longer stay.
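Steps 1 and 2 as RouterOS 7 terminal commands. This is an added example, not the author's exported configuration. It assumes the newer wifi package on the hAP ax² (where wifi2 is the 2.4GHz radio), a hotel SSID of HotelGuest, and 02:11:22:33:44:55 as the phone's per-network Wi-Fi address; the property name for the open-network security setting is my reading of the wifi package and is worth checking against your RouterOS version.

```routeros
# Added example (not the author's exported config). Assumes RouterOS 7.13+ with the
# "wifi" package on a hAP ax2, where wifi2 is the 2.4GHz radio. Placeholders:
# SSID "HotelGuest" and 02:11:22:33:44:55 (the phone's per-network Wi-Fi address).

# Record the factory MAC before touching it, so it can be restored after the trip.
/interface/wifi print detail where name=wifi2

/interface/wifi
# Step 1: point wifi2 at the hotel network as a client (station) with no
# authentication. An empty authentication-types list means an open network.
set wifi2 configuration.mode=station configuration.ssid="HotelGuest" \
    security.authentication-types="" disabled=no

# Step 2: present the MAC the captive portal has already authorized. Use the
# address the phone used on *this* network (iOS/Android randomize per SSID), and
# disconnect the phone before enabling the interface.
set wifi2 mac-address=02:11:22:33:44:55

# Step 1.3: take a lease from the hotel, but install its default route at distance 2
# so the WireGuard default route added later (distance 1) wins whenever it is up.
# use-peer-dns=no keeps the router from quietly adopting the hotel's resolver.
/ip/dhcp-client
add interface=wifi2 add-default-route=yes default-route-distance=2 \
    use-peer-dns=no disabled=no
```

Once the lease arrives, the distance-2 route shows up in `/ip/route print` as a dynamic route; nothing else should be pointing at the hotel gateway yet.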

Step 3: The WireGuard Tunnel

With internet access established, I secure it using WireGuard.

Home (AX3) Side:

  • Created a WireGuard peer for the travel router.
  • Allowed IPs: Set to the specific private IP of the travel router (e.g., 172.16.0.2/32). In WireGuard this list is also the cryptokey-routing filter for what the peer may send, so with a /32 here the travel router must masquerade its LAN behind 172.16.0.2 before traffic enters the tunnel, or the home side silently drops packets sourced from the travel LAN.

Travel (hAP ax²) Side:

  • Interface: Created a WireGuard interface.
  • Peer: Added my home AX3 public IP and public key, plus a persistent keepalive so the hotel's NAT keeps the UDP mapping open and the home side can always reach back in.
  • Allowed IPs: 0.0.0.0/0 (lets this peer carry traffic to and from any destination, so all internet traffic can traverse the tunnel).
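Both sides of the tunnel as RouterOS 7 terminal commands. This is an added example, not the author's exported configuration. Placeholders: 203.0.113.10 as the home public IP, UDP port 13231, 172.16.0.0/24 as the tunnel subnet (home .1, travel .2), and <...> where a key is pasted from the other router. It assumes both routers still carry the RouterOS default firewall (WAN/LAN interface lists and the masquerade rule), which is what makes the travel LAN come out of the tunnel as 172.16.0.2 to match the home side's /32.

```routeros
# Added example (not the author's exported config). Placeholders: home public IP
# 203.0.113.10, UDP port 13231, tunnel subnet 172.16.0.0/24 (home .1, travel .2);
# <...> marks a key pasted from the other router. Both run RouterOS 7.x and are
# assumed to keep the default firewall (WAN/LAN interface lists, masquerade rule).

########## Home (AX3) side ##########
/interface/wireguard
add name=wg-home listen-port=13231      # a private key is generated automatically
/ip/address
add address=172.16.0.1/24 interface=wg-home

# allowed-address is WireGuard's cryptokey filter: this peer may only send packets
# sourced from 172.16.0.2, so the travel side must masquerade its LAN to that address.
/interface/wireguard/peers
add interface=wg-home public-key="<travel router public key>" \
    allowed-address=172.16.0.2/32 comment="travel router"

# Let the handshake in from the internet, ahead of the default "drop all not from LAN".
/ip/firewall/filter
add chain=input protocol=udp dst-port=13231 in-interface-list=WAN action=accept \
    comment="WireGuard from travel router" place-before=0
# Tunnel traffic leaves via the home ISP; the default masquerade rule
# (chain=srcnat out-interface-list=WAN) already covers it.

########## Travel (hAP ax2) side ##########
/interface/wireguard
add name=wg-home listen-port=13231
/ip/address
add address=172.16.0.2/24 interface=wg-home

# 0.0.0.0/0 lets this peer carry any destination; persistent-keepalive keeps the
# hotel's NAT mapping open so the home side can answer.
/interface/wireguard/peers
add interface=wg-home public-key="<home router public key>" \
    endpoint-address=203.0.113.10 endpoint-port=13231 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s

# Treat both the hotel radio and the tunnel as WAN: the default firewall then
# drops unsolicited input from them, and the default srcnat rule masquerades the
# travel LAN to 172.16.0.2 before it enters the tunnel (matching the /32 above).
/interface/list/member
add list=WAN interface=wifi2
add list=WAN interface=wg-home

# Show each router's public key to paste into the other side's peer entry:
# /interface/wireguard print detail
```

The handshake will not complete until the routing in Step 4 guarantees that packets to 203.0.113.10 leave via the hotel gateway rather than via the tunnel itself.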

Step 4: The Routing Logic (The Secret Sauce)

This is the most critical part. I want all traffic to go through the VPN, but I need a fallback if the tunnel breaks.

1. The Backup Route (Distance 2)

The DHCP client on the 2.4GHz interface adds a default route to the hotel gateway with a Distance of 2. This is our "underlay" connection.

2. The VPN Route (Distance 1)

I manually added a static route:

  • Dst-Address: 0.0.0.0/0
  • Gateway: wireguard-interface
  • Distance: 1

Because the WireGuard route has a lower distance (1 vs 2), the router sends all traffic through the encrypted tunnel.

Note on "The Loop": if everything is forced through the tunnel, the tunnel's own encrypted UDP packets to your home endpoint also match the 0.0.0.0/0 route and get pushed into the tunnel that is still trying to come up, so the handshake never completes. The safe assumption is that RouterOS will not exempt the endpoint for you: add a specific /32 static route for your home public IP via the hotel gateway. Because that gateway is learned from DHCP and changes with every hotel, have the DHCP client recreate the route each time it binds rather than typing it by hand. A second catch: a WireGuard interface shows as running whether or not a handshake has happened, so a default route whose gateway is the interface never goes inactive and the distance-2 fallback never takes over. Pointing the route at the home side's tunnel address with check-gateway=ping fixes that.
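The routing logic as RouterOS 7 terminal commands. This is an added example, not the author's exported configuration, and it departs from the prose in one place: the VPN default route points at the home side's tunnel address (assumed 172.16.0.1) with check-gateway=ping instead of at the interface, so that the distance-2 fallback actually engages when the tunnel dies. It assumes the names from the earlier steps (wg-home, wifi2, home public IP 203.0.113.10); the DHCP client script and its gateway-address variable follow the RouterOS DHCP client scripting documentation as I understand it and are worth testing once before relying on them.

```routeros
# Added example (not the author's exported config). Assumes wg-home (tunnel, home
# side 172.16.0.1), wifi2 (hotel uplink, gateway learned by DHCP) and home public
# IP 203.0.113.10 from the earlier steps.

/ip/route
# Distance 1 beats the DHCP-learned default (distance 2) whenever this route is
# active. The gateway is the home side's tunnel address rather than the interface:
# a WireGuard interface is "running" even with no handshake, so a route via the
# interface never goes inactive. With check-gateway=ping the route drops out when
# the far end stops answering, and the distance-2 route takes over.
add dst-address=0.0.0.0/0 gateway=172.16.0.1 distance=1 check-gateway=ping \
    comment="default via VPN"

# Break the loop explicitly. The encrypted UDP packets to the home endpoint must
# leave via the hotel gateway, not via the tunnel they are trying to bring up.
# The hotel gateway changes with every hotel, so let the DHCP client (re)create
# the /32 host route each time it binds instead of hard-coding a gateway.
# (\$ and \" keep the script text intact until the DHCP client runs it.)
/ip/dhcp-client
set [find interface=wifi2] script=":if (\$bound=1) do={ /ip/route/remove [find comment=\"wg endpoint\"]; /ip/route/add dst-address=203.0.113.10/32 gateway=\$\"gateway-address\" comment=\"wg endpoint\" }"

# Check: the tunnel default should be active (A flag) and the DHCP one not, and
# the endpoint route should show the current hotel gateway.
# /ip/route print where dst-address=0.0.0.0/0
# /ip/route print where comment="wg endpoint"
```

If the endpoint route is missing after a reconnect, run `/ip/dhcp-client release` and `renew` on wifi2 so the script fires again.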

The "Kill Switch" Trick

I wanted to ensure that if the VPN drops, I don't accidentally browse on the insecure hotel network. To do this, I set my DHCP Server to hand out my internal home DNS servers (accessible only via VPN). If the tunnel drops, DNS fails, and my internet "breaks" safely rather than leaking data. Two caveats: this only starves clients that actually use the DHCP-supplied resolvers (a device with a hard-coded resolver, DNS-over-HTTPS, or a cached answer will happily follow the distance-2 fallback out the hotel radio), and the router's own DHCP client should have use-peer-dns=no so it doesn't quietly adopt the hotel's resolver. A firewall rule that drops forwarded LAN traffic leaving via the hotel radio is what turns this from a DNS trick into a real kill switch.
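The DNS trick plus a firewall-enforced kill switch as RouterOS 7 terminal commands. This is an added example, not the author's configuration; the drop rule is my addition. It assumes the default bridge named bridge for the travel LAN on 192.168.88.0/24, wifi2 as the hotel uplink, and 10.0.0.53 / 10.0.0.54 as placeholder home resolvers that only answer through the tunnel.

```routeros
# Added example (not the author's config). Assumes the default bridge "bridge" for
# the travel LAN on 192.168.88.0/24, the hotel uplink wifi2, and home resolvers
# 10.0.0.53 / 10.0.0.54 (placeholders) reachable only through the tunnel.

# Part 1 (the author's trick): hand LAN clients only the home resolvers, and use
# them on the router itself too, so name resolution dies together with the VPN.
/ip/dhcp-server/network
set [find address="192.168.88.0/24"] dns-server=10.0.0.53,10.0.0.54
/ip/dns
set servers=10.0.0.53,10.0.0.54

# Part 2 (added): make it a real kill switch. DNS starvation only stops clients
# that honour DHCP DNS; a hard-coded resolver, DoH, or a cached answer would still
# follow the distance-2 fallback out the hotel radio in the clear. Drop any LAN
# traffic that would be forwarded out wifi2, placed first so that a connection
# already accepted as "established" cannot slip past it.
/ip/firewall/filter
add chain=forward in-interface=bridge out-interface=wifi2 action=drop \
    comment="kill switch: LAN never exits via hotel Wi-Fi unencrypted" place-before=0

# Sanity check: the rule's packet counter should stay at zero while the tunnel is
# up and start climbing only when it is down.
# /ip/firewall/filter print stats where comment~"kill switch"
```

With this rule in place the distance-2 fallback still lets the router itself reach the hotel gateway (which the WireGuard endpoint route needs), but LAN devices never do.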

Testing the Setup

I struggled at first getting the route distances right, so I highly recommend testing this before you leave the house!

  1. Turn on your phone's Mobile Hotspot.
  2. Configure the Mikrotik 2.4GHz radio to connect to your phone.
  3. Verify the WireGuard handshake establishes.
  4. Check "What Is My IP" on a laptop connected to the Mikrotik. It should show your Home ISP address, not your cellular carrier.
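Commands to run from the travel router's terminal for each check above, as an added example rather than the author's procedure. It assumes the names used earlier (wifi2, wg-home, home tunnel address 172.16.0.1) and uses api.ipify.org as an arbitrary public IP echo service; the laptop-side "What Is My IP" check in step 4 is still the authoritative one for client traffic.

```routeros
# Added example (not the author's commands). Assumes wifi2, wg-home and the home
# tunnel address 172.16.0.1 from the earlier steps. Run while uplinked to the
# phone's hotspot.

# 1) Uplink: associated to the hotspot and holding a lease?
/interface/wifi monitor wifi2 once
/ip/dhcp-client print detail where interface=wifi2

# 2) Tunnel: last-handshake should be seconds old (not "never") and rx should grow.
/interface/wireguard/peers print detail
/ping 172.16.0.1 count=3

# 3) Routing: the tunnel default (distance 1) active, the hotspot default (distance 2)
#    present but inactive.
/ip/route print where dst-address=0.0.0.0/0

# 4) Egress as seen from outside: should be the home ISP address, not the carrier.
#    (api.ipify.org is an arbitrary public echo service; pick any you trust.)
:put ([/tool/fetch url="https://api.ipify.org" output=user as-value]->"data")

# 5) Negative test: take the tunnel down and confirm LAN clients lose connectivity
#    instead of silently failing over to the hotspot; then bring it back.
/interface/wireguard disable wg-home
/interface/wireguard enable wg-home
```

If step 2 shows a handshake but step 4 still reports the carrier address, the problem is routing rather than WireGuard: re-check which default route is active.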

Conclusion

Being security-oriented, I LOVE this setup. Having the knowledge that my traffic is encrypted from potential peepers on the guest network makes me feel warm and fuzzy this holiday season.

Donald Seder

IT Infrastructure Engineer

Specializing in cloud infrastructure, automation, and enterprise networking. Currently managing systems at Six Flags.