To explain the structure a tiny bit (config below): I am using a hAP ax2 as a routed wireless bridge. I need to hide my geographic IP from my company. So the MT connects to the hotel etc. wifi and then bridges the eth & local wifi to the clients. Everything on LAN should go through the WG, no need for any specialty config at the moment.
Got this part working in about 10 mins. Actually I use the 2.4G radio for the provider wifi as client, and then the 5G radio for my devices. Figured there's no point splitting both connections in half using virtual APs. Anyway, that part is working.
I have two VPN providers and, as you can see in the config, I've had a few stabs at various setups. Just ignore the IPSEC attempts for now, though eventually I do want to have a scenario where I can disable certain IFs and/or policies, and enable others, to have the MT switch over from WG to IKEv2, or from one VPN provider to another, depending on my needs at the time. But that's for later.
Anyway, I have the WG2 IF running, it tells me, and I believe I've configured the correct routes, and route table, and masquerade route, and as mentioned the action=lookup-only-in-table set, which should block all traffic if it's not routed to WG, from what I've been led to believe. So the traffic is not going down the WG path, but the internet still works just fine:
[ 5ghz Client ] ---- Wifi2 ---- [ MT ] ---- Wifi1 ----- [ 2.4 ghz Hotel wifi ]
The WG IF should be used for the traffic from my LAN, but it isn't. I also see, when looking at Routing/Tables, that both WG tables are marked 'not used', even though they are both definitely selected in the rules & routes.
Now, just checking back, I see that, for the first time, the NordVPN WG IF appears to have connected - but the PureVPN IF now reports "Invalid" on the addresses page (I'm using Webfig primarily). [Side note: is it normal that I can't paste into the Terminal in Webfig? It's horribly inconvenient like that...]
There are a couple of other bugs I'm seeing, like the thread I raised a couple of hours ago where it seems either the time service is buggy or the device is powering off on occasion... not helpful :/ But the WG config is the first priority, I guess...
Appreciate any help anyone can give, and thanks in advance...

Oh, also: is the NordVPN cert chain issue from ROS 7.5 & up fixed yet? My 7.7 has this issue at present. :/
Code:
# jun/07/2023 04:16:42 by RouterOS 7.7
# software id = 3KBA-BDED
#
# model = C52iG-5HaxD2HaxD
# serial number = [...]
/interface bridge
add name=bridge-Mgmt
add admin-mac=[...] auto-mac=no comment=defconf name=bridge-lan
add name=bridge-wan
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=mikko disabled=no security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,gcmp,ccmp-256,gcmp-256
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1-nordvpn
add listen-port=13231 mtu=1420 name=wg2-purevpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Device Mgmt only. " name=Mgmt
/interface wifiwave2 security
add authentication-types=wpa-psk,wpa2-psk,wpa3-psk comment="1st setup 230605" encryption=tkip,ccmp,gcmp,ccmp-256,gcmp-256 name=SCInn
/interface wifiwave2
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=station .ssid="SC INN HOTELS" disabled=no security=SCInn security.authentication-types=wpa2-psk,wpa3-psk
/ip ipsec mode-config
add name=NordVPN.base responder=no
add name=Nord-01-modeconfig responder=no
/ip ipsec peer
add address=de-ipsec.ptoserver.com comment="PureVPN - Preferred IPSEC Server DE" disabled=yes name=PureVPN-IpSec-DE
/ip ipsec policy group
add name=NordVPN.base
add name=PureVPN.base
add name=Nord-01-policygroup
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha384 name=Nord1.base-aes256.sha384
add enc-algorithm=aes-256,aes-128,3des name=PureVPN.base-3des.sha1
add name=Nordvpn-ipsec01
add name=Nord-01-profile
/ip ipsec peer
add address=nl1.pointtoserver.com comment="PureVPN LTTP/IPSEC NL preferred server\
\n" disabled=yes exchange-mode=ike2 name=PureVPN-LttP/Ipsec-NL profile=PureVPN.base-3des.sha1
add address=nl125.nordvpn.com exchange-mode=ike2 name=Nord-NL-peer01 profile=Nord-01-profile
add address=nl2-auto-ipsec.ptoserver.com comment="PureVPN - Preferred IPSEC Server NL" disabled=yes name=PureVPN-IpSec-NL profile=PureVPN.base-3des.sha1
add address=nl983.nordvpn.com comment="NordVPN primary IPSEC - NL" disabled=yes exchange-mode=ike2 name=Nord01-NL profile=Nord1.base-aes256.sha384
add address=sx051756-ikev.ptoserver.com comment="PureVPN IPSEC generated server address" disabled=yes exchange-mode=ike2 name=PureVPN-generatedNL profile=PureVPN.base-3des.sha1
add address=us2-auto-ipsec.ptoserver.com comment="PureVPN - Preferred IPSEC Server US" disabled=yes name=PureVPN-IpSec-US profile=PureVPN.base-3des.sha1
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 name=Nord1.base-shax.aesx pfs-group=none
add auth-algorithms=sha256 name=PureVPN.Prop-sha256.aesx pfs-group=none
add name=Nord-01-proposal pfs-group=none
/ip pool
add name=dhcppool-lan113 ranges=192.168.113.100-192.168.113.239
add name=dhcppool-mgmt99 ranges=192.168.99.100-192.168.99.113
add name=dhcp_pool113v2 ranges=192.168.113.100-192.168.113.239
/ip dhcp-server
add address-pool=dhcppool-mgmt99 interface=bridge-Mgmt name=dhcp-mgmt99
add add-arp=yes address-pool=dhcp_pool113v2 interface=bridge-lan lease-time=2h name=dhcp-lan113
/routing table
add disabled=yes fib name=routeWG-Pure
add disabled=no fib name=routeWG-Nord
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
add bridge=bridge-lan comment=defconf interface=ether3
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-Mgmt comment=defconf interface=ether5
add bridge=bridge-wan interface=ether1
add bridge=bridge-lan comment=5g/AX-Mikko interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=WAN lldp-med-net-policy-vlan=1
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add interface=wifi2 list=WAN
add comment="Dedicated mgmt port to prevent lockouts. " interface=bridge-Mgmt list=Mgmt
add interface=wg1-nordvpn list=LAN
add interface=bridge-wan list=WAN
add interface=wg2-purevpn list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Nordlynx Server 826 NordVPN Wireguard" disabled=yes endpoint-address=nl826.nordvpn.com endpoint-port=51820 interface=wg1-nordvpn public-key="CKMAE9LARlt2eZHgGnNaSUYiKllKJN7f3hed/bWm5E8=F30"
add allowed-address=0.0.0.0/0 comment="Nordlynx Server 897 NordVPN Wireguard" disabled=yes endpoint-address=159.48.55.216 endpoint-port=51820 interface=wg1-nordvpn public-key="CKMAE9LARlt2eZHgGnNaSUYiKllKJN7f3hed/bWm5E8="
add allowed-address=0.0.0.0/0 comment="NordLynx server NL-977 NordVPN Wireguard" disabled=yes endpoint-address=nl977.nordvpn.com endpoint-port=51820 interface=wg1-nordvpn public-key="K53l2wOIhU3262sX5N/5kAvCvt4r55lNui30EbvaDlE="
add allowed-address=0.0.0.0/0 comment="NordLynx Server UK-1818 NordVPN Wireguard" disabled=yes endpoint-address=uk1818.nordvpn.com endpoint-port=51820 interface=wg1-nordvpn public-key="K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE="
add allowed-address=0.0.0.0/0 comment="PureVPN WG NL-sx050159" endpoint-address=sx050159-wg.pointtoserver.com endpoint-port=51820 interface=wg2-purevpn persistent-keepalive=21s public-key="FSnxjK+/pP7ZJ3hbzGS1WDWtXruz/qTFqPIRIUMW7lo="
add allowed-address=0.0.0.0/0 comment="nord-FR\?" endpoint-address=37.19.217.30 endpoint-port=51280 interface=wg1-nordvpn persistent-keepalive=25s public-key="FT46M53w4dhBep/2VScW1j/EoZbpBgzvk71FlLZLDBM="
/ip address
add address=192.168.113.1/24 comment=defconf interface=bridge-lan network=192.168.113.0
add address=192.168.99.99/27 comment="Spare IF to prevent lockout" interface=bridge-Mgmt network=192.168.99.96
add address=172.25.35.181 comment="PureVPN-provided WG Interface IP" interface=wg2-purevpn network=172.25.35.181
add address=10.5.0.2 interface=wg1-nordvpn network=10.5.0.2
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
add disabled=yes interface=wifi1
add default-route-distance=2 interface=wifi2
/ip dhcp-server network
add address=192.168.13.0/24 comment=HomeLan dns-server=193.168.13.1 gateway=192.168.13.1
add address=192.168.99.0/24
add address=192.168.113.0/24 dns-server=192.168.113.1 gateway=192.168.113.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.113.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.113.0/24 list=vpnrouted
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow mgmt traffic & log. " in-interface-list=Mgmt log=yes protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq WG-pureVPN" out-interface=wg2-purevpn
/ip ipsec identity
add auth-method=pre-shared-key-xauth comment="PureVPN-1698\
\n[....]\
\n[...]" peer=PureVPN-IpSec-NL username=yjtyjtyjtyjytjytj
add auth-method=eap certificate=root.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=Nord-01-modeconfig peer=Nord-NL-peer01 policy-template-group=Nord-01-policygroup username=[...]
/ip ipsec policy
set 0 disabled=yes
add disabled=yes peer=PureVPN-IpSec-NL proposal=PureVPN.Prop-sha256.aesx
add disabled=yes dst-address=0.0.0.0/0 group=Nord-01-policygroup proposal=Nord-01-proposal src-address=0.0.0.0/0 template=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.25.35.181 pref-src="" routing-table=routeWG-Pure suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg2-purevpn pref-src="" routing-table=routeWG-Pure suppress-hw-offload=no
/ip service
set www address=192.168.0.0/16
set api address=192.168.0.0/16
set winbox address=192.168.0.0/16
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=yes interface=wg2-purevpn routing-mark=routeWG-Pure src-address=192.168.113.0/24 table=routeWG-Pure
add action=lookup-only-in-table disabled=no interface=wg1-nordvpn routing-mark=routeWG-Nord src-address=192.168.113.0/24 table=routeWG-Nord
/system clock
set time-zone-name=Europe/Istanbul
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
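For comparison, here is an added minimal RouterOS 7 policy-routing layout for forcing one LAN subnet through a WireGuard interface with no fallback to the WAN; it is written for this thread and is not taken from the poster's export. The interface name wg-vpn, the table name routeVPN and the angle-bracket peer values are placeholders; the LAN subnet, bridge-lan and the WAN interface list are the ones used in the export above.

```routeros
# Added example, not the poster's export: minimal RouterOS 7 layout for
# forcing one LAN subnet through a WireGuard tunnel with no fallback to WAN.
# wg-vpn, routeVPN and the <...> peer values are placeholders.

/routing table
add name=routeVPN fib

/interface wireguard
add name=wg-vpn listen-port=13231 mtu=1420
/interface wireguard peers
add interface=wg-vpn endpoint-address=<PROVIDER-ENDPOINT> endpoint-port=51820 \
    public-key="<PROVIDER-PUBLIC-KEY>" allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip address
add address=<TUNNEL-IP>/32 interface=wg-vpn

# Default route that exists only in the VPN table. The gateway is the tunnel
# interface itself, so no next-hop IP is needed.
/ip route
add dst-address=0.0.0.0/0 gateway=wg-vpn routing-table=routeVPN distance=1

# Policy rule: packets entering from the LAN bridge with a LAN source address
# are looked up only in routeVPN. The interface matcher is the INGRESS
# interface (the bridge the clients sit behind), never the tunnel interface.
# With lookup-only-in-table, a packet that finds no usable route in routeVPN
# is dropped instead of falling back to the main table.
/routing rule
add action=lookup-only-in-table src-address=192.168.113.0/24 interface=bridge-lan \
    table=routeVPN

# Source NAT for LAN traffic leaving through the tunnel.
/ip firewall nat
add chain=srcnat out-interface=wg-vpn action=masquerade comment="masq via VPN"

# Belt-and-braces kill switch: even if a routing change sends LAN traffic toward
# a WAN interface, drop it in the firewall. Place it above any forward rule that
# would accept new LAN-to-WAN connections.
/ip firewall filter
add chain=forward src-address=192.168.113.0/24 out-interface-list=WAN action=drop \
    comment="kill switch: LAN must not leave via WAN"

# Caveat: traffic the router itself originates (for example its DNS resolver
# answering LAN clients when allow-remote-requests=yes) carries a router source
# address, so this src-address rule does not cover it; it follows the main table
# unless routed separately.
```

The routing rule and the route both reference routeVPN, which is what makes the table show as used in Routing/Tables; a table that no enabled rule or route points at shows as not used.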