mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

WireGuard client mikrotik simple setup

Tue Sep 27, 2022 3:11 pm

Hi. I am fighting with the WireGuard client setup, but without success.
My network looks as in the attached picture.
My problem is that I am not able to set the correct settings on MT2 for users (192.168.7.254) connected to ETH2.
From other devices like a phone or computer I am able to connect as a client to MT1, so that works, but from users who are connected to MT2 I can't.

Because other users using iOS or computers can connect directly to MT1 via WireGuard (to the internet and the local LAN of MT1 as well), I suspect that the main problem is in the MT2 setup (routes? rules?).

The handshake between MT1 and MT2 over WireGuard is working correctly; a ping to the gateway 192.168.1.254 (gateway of MT1) works only when the ping uses the WireGuard interface on MT2 directly.
A ping from user 192.168.7.254 to 192.168.1.254 (MT1) does not.
May I please ask you to clarify what else I should do?
Please be patient, I am not an advanced network setup person....
WGsetup.pdf
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Tue Sep 27, 2022 4:01 pm

I will have a look but first read this reference as it may likely answer your questions............

See para F - viewtopic.php?t=182373
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Tue Sep 27, 2022 4:09 pm

There are usually three main problem areas: Allowed IPs, Firewall Rules, and IP routes.

(1) ALLOWED IPs

Allowed addresses on MT1 Server need to be spelled out clearly.
peer1 - iphone remote --> 172.16.10.3
peer2 - laptop remote --> 172.16.10.4
peer3 - MT2 --> 172.16.10.2/32,192.168.7.0/24

Allowed address on MT2 Client
Peer1 - MT1 --> 172.16.10.0/24,192.168.1.0/24

(2) FIREWALL RULES

MT1 and M2 ( not all rules apply, and depend upon traffic admin wants to direct )
- allow local subnet to enter tunnel (forward chain) for local subnets going to remote sites.
- allow remote subnet to exit tunnel (forward chain) for remote subnets coming to the local router.
- allow remote users to exit tunnel (forward chain) for remote users coming to local router
- allow remote users to enter tunnel (forward chain) for remote users going to remote sites (relay at server)
- allow remote subnets to enter tunnel (forward chain) for remote subnets going to remote sites (relay at server)
- allow admin to access router (input chain)
++++++++++++++++++++++++++++++++++
- allow initial handshake (input) (only at server if connectivity not achievable in reverse)

(3) IP ROUTES

MT2
- wireguard IP address takes care of any routes for pinging and return routing of any remote users that reach MT2 through MT1
- require IP Route for remote subnets
a. either --> remote subnets that visit the router, where the router needs to know where to send return traffic
b. or --> remote subnets that will be the destination address of any local subnets.

add dst-address=remotesubnet gwy=wireguard table=main

MT3
Same as above!
In addition, one has to take into account any RELAY ACTIVITY.
ENSURE that remote traffic coming into the router has a route to then re-enter the tunnel.
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Tue Sep 27, 2022 9:46 pm

Thank you for the answer.
Following some tips and rules I filled in and corrected some values on MT1 and MT2.
I am really a beginner in this case....
The results of my configuration on MT2 are in the attachment.
The results are the same: a ping to the gateway from MT2 (WireGuard) to MT1 (192.168.1.254) is working, but the connected user 192.168.7.254 still doesn't work.
MT2.PNG
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Tue Sep 27, 2022 10:39 pm

Would need to see the full config on each MT
/export (minus serial number and any actual public WANIP or gatewayIP info).
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Tue Sep 27, 2022 11:26 pm

Hello. Thanks for the answer and patience. These are my first configuration exports; I hope that they are correct.....
On MT1 two other VPN services (server) are placed, OpenVPN (bridge mode) and L2TP+IPsec. Both work correctly.
Kind Regards, Mariusz.
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Wed Sep 28, 2022 12:15 am

MT2

(1) The wg1 wireguard IP address for MT2, is incorrect

From:
/ip address
add address=192.168.7.1/24 comment=defconf interface=bridge network=192.168.7.0

add address=172.16.10.2 interface=wg1 network=172.16.10.0

TO:
/ip address
add address=192.168.7.1/24 comment=defconf interface=bridge network=192.168.7.0

add address=172.16.10.2/24 interface=wg1 network=172.16.10.0

(2) WHY DO you have this input chain rule on MT2??? The handshake is in the opposite direction, and plus you cannot receive such things as there is no public IP address??
add action=accept chain=input protocol=udp src-address="my public address" src-port=13231


(3) There is no need for the extra source nat rule on MT2; it can be removed. The allowed IPs on MT1 mean that you don't need to use sourcenat, your LAN members will be welcome at MT1!!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN

add action=masquerade chain=srcnat out-interface=wg1 out-interface-list=WAN protocol=udp

(4) The IP route to MT1 subnets is great but there is a slight config error!!!
From:
/ip route
add disabled=no distance=1 dst-address=192.68.1.0/24 gateway=wg1 pref-src="" routing-table=tablWG scope=\
30 suppress-hw-offload=no target-scope=10

TO:
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg1 pref-src="" routing-table=tablWG scope=\
30 suppress-hw-offload=no target-scope=10


MT1

(4) Allowed IPs...... There is no requirement to fill in any endpoint address or endpoint port information, should be removed!
/interface wireguard peers
add allowed-address=172.16.10.120/32 comment="Klient ipad" endpoint-address=193.239.58.35 endpoint-port=13231 interface=wireguard1 \
persistent-keepalive=10s public-key="i9QMyKH2aiZhRleIeKGUl0JUNABBq1I0W3IniXb12GA="
add allowed-address=172.16.10.2/32,192.168.7.0/24 comment="Testowy w domu" endpoint-address=193.239.58.35 endpoint-port=13231 \
interface=wireguard1 persistent-keepalive=5s public-key="Zi5xqAAQACtMQkOxohiXw8LPkiyIJNNYqdjmzHN/MUM="

(5) Not sure what you are accomplishing with the SOURCE NAT RULES but the one in yellow for wireguard should be removed.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.16.0/24

add action=masquerade chain=srcnat out-interface=ether1 src-address=172.16.10.0/24

(6) The IP routes are incomplete missing the route to the subnet on M2!
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway="Huawei Play USB"
add disabled=no dst-address=192.168.1.0/0 gateway="my public IP" routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.7.0/24 gateway=wireguard1
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Wed Sep 28, 2022 9:33 am

Hello, once again thanks for the patience and the answer, I will apply your notes.
Some answers are in the text below.
MT2

(1) The wg1 wireguard IP address for MT2, is incorrect

From:
/ip address
add address=192.168.7.1/24 comment=defconf interface=bridge network=192.168.7.0

add address=172.16.10.2 interface=wg1 network=172.16.10.0

TO:
/ip address
add address=192.168.7.1/24 comment=defconf interface=bridge network=192.168.7.0

add address=172.16.10.2/24 interface=wg1 network=172.16.10.0

(2) WHY DO you have this input chain rule on MT2??? The handshake is in the opposite direction, and plus you cannot receive such things as there is no public IP address??
add action=accept chain=input protocol=udp src-address="my public address" src-port=13231

Because I used tutorials for a site-to-site connection where both MTs use a public IP.
When the endpoint on MT1 is empty there is no handshake in WireGuard….. I don't know why…..

(3) There is no need for the extra source nat rule on MT2; it can be removed. The allowed IPs on MT1 mean that you don't need to use sourcenat, your LAN members will be welcome at MT1!!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN

add action=masquerade chain=srcnat out-interface=wg1 out-interface-list=WAN protocol=udp

(4) The IP route to MT1 subnets is great but there is a slight config error!!!
From:
/ip route
add disabled=no distance=1 dst-address=192.68.1.0/24 gateway=wg1 pref-src="" routing-table=tablWG scope=\
30 suppress-hw-offload=no target-scope=10

TO:
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg1 pref-src="" routing-table=tablWG scope=\
30 suppress-hw-offload=no target-scope=10


MT1

(4) Allowed IPs...... There is no requirement to fill in any endpoint address or endpoint port information, should be removed!
/interface wireguard peers
add allowed-address=172.16.10.120/32 comment="Klient ipad" endpoint-address=193.239.58.35 endpoint-port=13231 interface=wireguard1 \
persistent-keepalive=10s public-key="i9QMyKH2aiZhRleIeKGUl0JUNABBq1I0W3IniXb12GA="
add allowed-address=172.16.10.2/32,192.168.7.0/24 comment="Testowy w domu" endpoint-address=193.239.58.35 endpoint-port=13231 \
interface=wireguard1 persistent-keepalive=5s public-key="Zi5xqAAQACtMQkOxohiXw8LPkiyIJNNYqdjmzHN/MUM="

The same as my answer above about the empty endpoint address…..
When these are empty even the iOS client doesn't work…. I don't know why….. I attached the peer configuration for the mobile device.
682FC254-4CA0-4A68-BCBD-A4D4F046B747.jpeg
(5) Not sure what you are accomplishing with the SOURCE NAT RULES but the one in yellow for wireguard should be removed.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.10.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.16.0/24

add action=masquerade chain=srcnat out-interface=ether1 src-address=172.16.10.0/24

(6) The IP routes are incomplete missing the route to the subnet on M2!
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway="Huawei Play USB"
add disabled=no dst-address=192.168.1.0/0 gateway="my public IP" routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.7.0/24 gateway=wireguard1
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Wed Sep 28, 2022 10:04 pm

Hi, the notes were introduced; I hope that I understood them correctly and completely.
The results are the following:
  • the handshake is working
  • a ping to the gateway from the wg1 interface on MT2 to gateway 192.168.1.254 is working
  • a ping from user 192.168.7.254 to gateway 192.168.1.254 does not work; are some rules/routes missing? I don't have experience (in bridge mode it was easy....)
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Wed Sep 28, 2022 10:40 pm

MT2

(1) Modify these rules just to be sure.....
add action=accept chain=forward dst-address=192.168.7.0/24 src-address=192.168.1.0/24 in-interface=wg1
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=192.168.7.0/24 out-interface=wg1

(2) Delete this rule, NOT needed. You don't need to masquerade traffic because we allow 192.168.7.0/24 users (all of the subnet IPs) on MT1.
add action=masquerade chain=srcnat out-interface=wg1 out-interface-list=WAN protocol=udp

(3) This route is needed but.......... the last part is wrong. The gateway is needed, not a different table. Just remove the routing-table entry.
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg1 pref-src="" routing-table=tablWG \
scope=30 suppress-hw-offload=no target-scope=10


(4) Why do you have this routing rule............. not sure what you are attempting to do, but it's not under any guidance/advisement.???
REMOVE IT.
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.1.254/32 interface=wg1 routing-mark=\
tablWG src-address=192.168.7.254/32 table=tablWG


NOTE: A routing rule and table are typical if you have to redirect users to use internet through the wireguard tunnel, vice ones own local WAN. Not the case here!


MT1

(5) Just in case it makes a difference, modify the allowed address for the MT2 (remove the /32)
TO:
add allowed-address=172.16.10.2,192.168.7.0/24 comment="Testowy w domu" \
interface=wireguard1 persistent-keepalive=5s public-key=\
"Zi5xqAAQACtMQkOxohiXw8LPkiyIJNNYqdjmzHN/MUM="


Please make the changes above and then confirm the following:

IPad to MT1 ping
IPAD to MT2 ping
IPAD to MT1 - access a device on the 192.168.1.254 network
IPAD to MT2 - access a device on the 192.168.7.0/24 networks
MT2 to MT1 - ping
MT2 to MT1 - access a device on the 192.168.1.254 network
MT1 to MT2 - ping
MT1 to MT2 - access a device on the 192.168.7.0/24 network
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Thu Sep 29, 2022 9:49 pm

Hello.
I am not sure what is wrong in notice 3. So I introduced this rule directly by terminal on MT2:
"/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg1 pref-src="" routing-table=tablWG \
scope=30 suppress-hw-offload=no target-scope=10"

Results of ping:
IPad to MT1 ping
IPad to gateway MT1 192.168.1.254 via the WireGuard client on the IPad from another network: status OK, 5 ms

IPAD to MT2 ping
IPad to gateway MT2 192.168.7.1 via the WireGuard client on the IPad from another network: status OK, 5 ms

IPAD to MT1 - access a device on the 192.168.1.254 network
IPad to local devices 192.168.1.xx behind MT1 via the WireGuard client on the IPad from another network: status OK, 5 ms

IPAD to MT2 - access a device on the 192.168.7.0/24 networks
IPad to local device 192.168.7.254 behind MT2 via the WireGuard client on the IPad from another network: status not OK, timeout

MT2 to MT1 - ping
computer connected to the local LAN on MT2, ping to 192.168.1.254 - not OK

MT2 to MT1 - access a device on the 192.168.1.254 network
computer connected to the local LAN on MT2, ping to 192.168.1.200 - not OK

MT1 to MT2 - ping
ping from the network (computer 192.168.1.200) on the local LAN of MT1 to 192.168.7.1 - not OK, timeout

MT1 to MT2 - access a device on the 192.168.7.0/24 network
ping from the network (computer 192.168.1.200) on the local LAN of MT1 to 192.168.7.254 - not OK, timeout


My observations:
1) the IPAD works OK and gets a public address from MT1 for the internet, and has full access to the local network on MT1 as well...
2) handshake between MT1 / MT2 works as expected
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Thu Sep 29, 2022 10:05 pm

The problem is you don't NEED a routing rule or routing table on MT2 !!!!!

The table on the route should be TABLE MAIN!!!

I think the instructions were clear!

TOO FUNNY, instead of deleting the WRONG table entry, you disabled it and then created the same rule with the same WRONG table entry
From:
/ip route
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=wg1 pref-src="" \
routing-table=tablWG scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg1 pref-src="" \
routing-table=tablWG scope=30 suppress-hw-offload=no target-scope=10


TO:
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=wg1 table=main
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Fri Sep 30, 2022 9:58 pm

Hi.
All pings work!!! with one exception.
My computer still has the public IP from MT2.......
What should I do to get internet from MT1?

I checked the WG VPN speed performance of this connection:
MT2->MT1 upload is 44 Mbps,
download is 20.6 Mbps.
Is it normal?

CPU usage on MT1 is 40/20%
CPU usage on MT2 is 90/75%

Ipad WG client connection performance:
download 83 Mbps, upload 40.6 Mbps

Performance of L2TP+IPsec for the Ipad is
80/45

Is it possible to improve this on the MT2 side?
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Fri Sep 30, 2022 11:31 pm

You never stated a requirement to go out internet of MT1 from MT2!
Post latest of both configs please....
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Sat Oct 01, 2022 1:07 am

Sorry that it was not clear…..
My main intent was that users connected to MT2 (red on the diagram) go to the internet via WG through MT1
(red arrow on the diagram).
The configuration was not changed; only the correct value (main table) from your latest post was introduced.
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Sat Oct 01, 2022 3:36 am

Can't help unless you post your latest config from both.
A fresh export ensures changes you forget you made are included (trust me it happens).
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Sat Oct 01, 2022 12:17 pm

Hi, my latest fresh configs are in the attachments.
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Sun Oct 02, 2022 2:49 am

So you want MT2 users to access M1 servers and M1 internet.

(1) In this case on MT2, the allowed IPs should consist solely of 0.0.0.0/0 as this is what is needed to cover off internet inquiries.
The neat thing is this also covers off any subnets at M1, and the wireguard IP address at M1.

(2) We still need the route that points users into wireguard for the remote subnet they will be visiting 192.168.1.0/24 on table main.
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg1 pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10


(3) Your firewall rules are backward.
From:
add action=accept chain=forward dst-address=192.168.7.0/24 out-interface=wg1 \
src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 in-interface=wg1 \
src-address=192.168.7.0/24

TO:
add action=accept chain=forward dst-address=192.168.7.0/24 in-interface=wg1 \
src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 out-interface=wg1 \
src-address=192.168.7.0/24

Think of it this way. In the first rule you are saying that traffic heading to the local subnet is coming in on wireguard1, and specifically from the remote subnet.
In the second rule you are saying that any traffic heading for the remote subnet from local users is going out the wireguard interface.

(4) What's missing is the firewall rule for internet access, or more clearly stated, the ability for your local subnet users on M2 to enter the wireguard when attempting to either go out the internet via the M1 WAN or to M1 subnets, so we can basically replace the second rule above with one that covers off any traffic from local users on M2 to M1.
So the two rules will now look like this:
add action=accept chain=forward dst-address=192.168.7.0/24 in-interface=wg1 \
src-address=192.168.1.0/24

add action=accept chain=forward out-interface=wg1 src-address=192.168.7.0/24

(5) Now a new route required to ensure M2 users going out for internet get routed to the wireguard tunnel and we do this by forcing the users out the wireguard tunnel for internet instead of the local M2 WAN.
We need three things, the table, you already have, the routing rule and the route.
a. /routing table
add disabled=no fib name=tablWG

b. /routing rule add src-address=192.168.7.0/24 action=lookup table=tablWG
Note: If you want users to be able to access the local WAN if the wireguard tunnel goes down, then keep the action as noted above. However, if you don't want them having any internet when wireguard goes down, then change the action to: lookup-only-in-table

c. /ip route
add dst-address=0.0.0.0/0 gwy=wireguard1 table=tablWG

that should suffice for M2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

M1 Comments....

(6) The masquerade rule for remote users coming out the tunnel (from MT2 or any remote user) and going out the WAN of MT1 is NOT REQUIRED!
The MT1 router has a direct link to the internet and thus returning traffic will be sent back to the KNOWN originators:
A. because the wireguard interface is on MT1
B. because one has a route through the wireguard interface for remote subnets
c. because one has firewall rules permitting the traffic flow.

Remove this rule.
add action=masquerade chain=srcnat comment="niepewne dla lWireGuard" \
disabled=yes out-interface=ether1 src-address=172.16.10.0/24


(7) I don't see an explicit firewall rule allowing MT2 users to go out the WAN on MT1, so I suggest adding it.
add chain=forward action=accept in-interface=wireguard1 src-address=192.168.7.0/24 out-interface=ether1

(8) I do not understand the purpose of this route assuming you made it?
add disabled=no dst-address=192.168.1.0/0 gateway="public IP MT1" \
routing-table=main suppress-hw-offload=no


If you don't know why, I suggest removing it.
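Pulling the three problem areas from the Sep 27 post (allowed IPs, firewall rules, IP routes) together with the internet-via-MT1 additions in this post, the following is an added, complete RouterOS 7 configuration for both routers. It is an example written for this thread, not a configuration posted by anyone here or shipped by MikroTik, and it assumes: MT1's WAN is ether1 and it listens on UDP 13231; tunnel addresses 172.16.10.1 (MT1) and 172.16.10.2 (MT2); LANs 192.168.1.0/24 (MT1) and 192.168.7.0/24 (MT2); the iPad's tunnel address is 172.16.10.3; public keys and MT1's public address are placeholders in angle brackets. anav's shorthand gwy= and table= is written out as gateway= and routing-table=, the actual parameter names.

```routeros
# ===== MT2 (client side: LAN 192.168.7.0/24, tunnel address 172.16.10.2) =====
# Added example, not a config from this thread; names and addresses are assumed.
/interface wireguard
add name=wg1 comment="tunnel to MT1"
/ip address
add address=172.16.10.2/24 interface=wg1
/interface wireguard peers
# 0.0.0.0/0 alone is enough: it covers MT1's tunnel address, MT1's LAN and the internet
add interface=wg1 public-key="<MT1 public key>" endpoint-address=<MT1 public IP> \
    endpoint-port=13231 allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip firewall filter
# remote LAN coming out of the tunnel towards the local LAN (place above the final drop)
add chain=forward action=accept in-interface=wg1 src-address=192.168.1.0/24 \
    dst-address=192.168.7.0/24 comment="MT1 LAN -> MT2 LAN"
# local users entering the tunnel, whatever the destination (MT1 LAN or internet)
add chain=forward action=accept out-interface=wg1 src-address=192.168.7.0/24 \
    comment="MT2 LAN -> tunnel"
# management of MT2 from the other side of the tunnel
add chain=input action=accept in-interface=wg1 comment="admin via wg1"
/ip route
# MT1's LAN is reached through the tunnel; table main, no routing mark
add dst-address=192.168.1.0/24 gateway=wg1
/routing table
add name=tablWG fib
/routing rule
# action=lookup falls back to main (local WAN) if the tunnel is down;
# action=lookup-only-in-table would leave 192.168.7.0/24 without internet instead
add src-address=192.168.7.0/24 action=lookup table=tablWG
/ip route
# default route for 192.168.7.0/24 only, pushing its internet traffic into the tunnel
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=tablWG
# no masquerade on wg1: MT1 accepts 192.168.7.0/24 through its allowed-address list

# ===== MT1 (server side: LAN 192.168.1.0/24, tunnel address 172.16.10.1) =====
/interface wireguard
add name=wireguard1 listen-port=13231
/ip address
add address=172.16.10.1/24 interface=wireguard1
/interface wireguard peers
# server side: no endpoint is configured, the peers initiate towards MT1
add interface=wireguard1 public-key="<iPad public key>" allowed-address=172.16.10.3/32 \
    comment="iPad"
add interface=wireguard1 public-key="<MT2 public key>" \
    allowed-address=172.16.10.2/32,192.168.7.0/24 comment="MT2 and its LAN"
/ip firewall filter
# handshakes from the peers arrive on the WAN interface
add chain=input action=accept protocol=udp dst-port=13231 in-interface=ether1 \
    comment="wireguard handshake"
add chain=forward action=accept in-interface=wireguard1 dst-address=192.168.1.0/24 \
    comment="tunnel -> MT1 LAN"
add chain=forward action=accept in-interface=wireguard1 src-address=192.168.7.0/24 \
    out-interface=ether1 comment="MT2 LAN -> internet via MT1"
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard1 \
    dst-address=192.168.7.0/24 comment="MT1 LAN -> MT2 LAN"
/ip route
# return route for MT2's LAN; 172.16.10.0/24 is already a connected route on wireguard1
add dst-address=192.168.7.0/24 gateway=wireguard1
/ip firewall nat
# the default WAN masquerade has no src-address restriction, so it already covers
# 192.168.7.0/24 and 172.16.10.0/24 leaving via ether1; no extra srcnat rule is added
add chain=srcnat action=masquerade out-interface=ether1 comment="defconf: masquerade"
```

Rule order is the part that is easy to get wrong when pasting: every accept rule above must end up ahead of the router's final "drop all else" rules in the input and forward chains, or the tunnel traffic is dropped before it is ever matched. A design choice worth knowing about the tablWG routing rule: it sends everything sourced from 192.168.7.0/24 to the tunnel, so if MT2 later carries other local subnets (for example VLANs), add a routing rule ahead of it with action=lookup table=main for those destination prefixes, otherwise inter-subnet traffic on MT2 is pushed into the tunnel as well.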
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Sun Oct 02, 2022 7:26 pm

Hi, I did not introduce your tips about access to the internet via MT1, because my previous configuration (for the local LAN on MT1) was completely destroyed......... after a reset of MT1 (power cycle), or after one day of working.
At the moment the MT1<->MT2 handshake doesn't work.
I will try to recreate the configuration on another router (hEX S), configured as MT3 as a WG client.
Please help! I don't know what happened.......


Update. It works when on MT1 I put the endpoint address of my MT2/MT3 public network!!!
I don't understand.
I am really a beginner.
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Sun Oct 02, 2022 9:34 pm

Hi, all your tips were introduced.
All works fine, thank you very much!!
It is strange that when MT1 was powered up WG didn't work.... without the endpoints being defined per peer......
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Mon Oct 03, 2022 2:50 am

MT1 looks okay.
MT2 almost okay.

I said in my last post you solely need 0.0.0.0/0 on allowed IPs. Solely means ONLY!
Thus you should modify
From:
/interface wireguard peers
add allowed-address=172.16.10.0/24,192.168.1.0/24,0.0.0.0/0 \
endpoint-address="Public IP MT1" endpoint-port=13231 interface=wg1 \
persistent-keepalive=5s public-key=\
"IeQ0yrzJpnlyBRvJC8SGkWgTIze9YcmDs6NAB2QtFQk="
TO:
/interface wireguard peers
add allowed-address=0.0.0.0/0 \
endpoint-address="Public IP MT1" endpoint-port=13231 interface=wg1 \
persistent-keepalive=5s public-key=\
"IeQ0yrzJpnlyBRvJC8SGkWgTIze9YcmDs6NAB2QtFQk="


(2) Clean up the firewall rules, you have some disabled that need to be removed and then you have good rules followed by duplicates that should be removed.

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward disabled=yes dst-address=\
192.168.1.0/24 in-interface=wg1 src-address=192.168.7.0/24
add action=accept chain=forward disabled=yes dst-address=\
192.168.7.0/24 out-interface=wg1 src-address=192.168.1.0/24

add action=accept chain=forward comment="WG for subnet" dst-address=\
192.168.7.0/24 in-interface=wg1 src-address=192.168.1.0/24

add action=accept chain=forward dst-address=192.168.1.0/24 \
out-interface=wg1 src-address=192.168.7.0/24

add action=accept chain=forward dst-address=192.168.7.0/24 \
in-interface=wg1 src-address=192.168.1.0/24
add action=accept chain=forward out-interface=wg1 src-address=\
192.168.7.0/24
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Mon Oct 03, 2022 9:40 pm

Hi, can a bad extra allowed IP be a reason for an unstable WireGuard interface on the server side when a power cycle occurs?
It starts to work properly when I put the endpoint for the peer on the server side.
The same case for the Ipad client as well.
Anyway 🙏🙏🙏🙏🙏🙏🙏🙏🙏
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Mon Oct 03, 2022 11:56 pm

There should be no extra anything the configs are good as far as I can tell.

When a power cycle occurs the MT client will often fail due to the WireGuard handshake occurring before the MT Server is back online.
In this case, one has to manually disable and enable the Wireguard client on the MT client.

Read up on Para 6 here -- viewtopic.php?t=182340

Sadly, MT seems unwilling to address this deficiency within their code.
It would be too easy to detect if the admin has selected keep alive on the client settings.
With that in place, the MT code should then disable and enable the wireguard interface on an admin schedule if the wireguard connection fails.

The attempts can be graduated to accommodate varying degrees of outages.......... starting point to the power X=1, X=2 div by 2, X=3 div by 3 etc...........
first attempt - 15 seconds
second attempt - 2 minutes
third attempt - 20 minutes
fourth attempt - 3hours
fifth attempt - 42 hours.
STOP after 7 days.
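The manual disable/enable workaround described above can be automated on the MT client with a scheduler script. The following is an added example, not a script from this thread or from MikroTik; its graduated back-off only loosely follows the schedule sketched above (the gap between restart attempts doubles each time rather than using those exact minutes). Assumed names: wg1 is MT2's tunnel interface, 172.16.10.1 is MT1's address inside the tunnel, and the scheduler runs the script once a minute.

```routeros
# Script "wg-watchdog": paste this as the source of a /system script named wg-watchdog
# (policy read,write,test so it may ping and toggle interfaces). Added example;
# the interface name and peer address below are assumptions, not from the thread.
:local wgIf "wg1"
:local peerIP "172.16.10.1"
:global wgFails
:global wgNext
# first run: initialise the consecutive-failure counter and the back-off threshold
:if ([:typeof $wgFails] = "nothing") do={ :set wgFails 0 }
:if ([:typeof $wgNext] = "nothing") do={ :set wgNext 1 }

# three echo requests across the tunnel; /ping returns the number of replies received
:local replies [/ping $peerIP count=3]

:if ($replies > 0) do={
    # tunnel is up: clear the counter and restart the back-off from one minute
    :set wgFails 0
    :set wgNext 1
} else={
    :set wgFails ($wgFails + 1)
    :log warning ("wg-watchdog: no reply from " . $peerIP . ", " . $wgFails . " consecutive failures")
    # bounce the interface only when the counter reaches the current threshold, then
    # double the threshold (1, 2, 4, 8 ... up to 60 minutes between attempts) so a long
    # outage does not restart the interface every minute
    :if ($wgFails >= $wgNext) do={
        :log warning ("wg-watchdog: restarting " . $wgIf)
        /interface wireguard disable [find name=$wgIf]
        :delay 2s
        /interface wireguard enable [find name=$wgIf]
        :set wgFails 0
        :if ($wgNext < 60) do={ :set wgNext ($wgNext * 2) }
    }
}

# scheduler entry that runs the script every minute, including after a reboot
/system scheduler add name=wg-watchdog interval=1m on-event=wg-watchdog \
    start-time=startup policy=read,write,test
```

Disabling and re-enabling the interface forces a fresh handshake, which is exactly what the manual workaround does; the ping check is the detection step, and logging each decision gives something to look at in /log when the tunnel is flapping rather than silently dead.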
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Fri Oct 28, 2022 2:02 am

Hello again.
I have a strange observation.
I can't manage MT2 from MT1 via WireGuard, nor from any other interface, except the local LAN by wire, directly connected to MT2.
Ping from MT1 to MT2 192.168.7.1 is working……
Ping from MT2 to MT1 192.168.1.254 is working. In this case managing MT1 from MT2 is possible…..
May I please ask for help?
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Fri Oct 28, 2022 3:18 am

Post your two configs please.
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Fri Oct 28, 2022 1:03 pm

Hi,
my configurations are in the attachments.

Some explanation about MT2:
a Ubiquiti AC-Lite is connected to Ethernet port 5 to provide WiFi connections (4 SSIDs);
some of the SSIDs are connected to VLANs only.
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Fri Oct 28, 2022 2:10 pm

MT2 -

(1) Possible Bridge Port Errors. Not related to WG, but VLANs in my understanding are NOT bridge ports (etherports or wlanports qualify).

Therefore the following are probably wrong.
add bridge=bridge interface=vlan55
add bridge=bridge interface=AZserwer
add bridge=bridge interface=vlanOpenVpn13


(2) Your wireguard settings for allowed IPs are wrong. If you include 0.0.0.0/0 then remove all the other entries for that peer, as they are already included........
/interface wireguard peers
add allowed-address=172.16.10.0/24,192.168.1.0/24,0.0.0.0/0 endpoint-address=\
"public IP MT1" endpoint-port=13231 interface=wg1 persistent-keepalive=5s \
public-key="IeQ0yrzJpnlyBRvJC8SGkWgTIze9YcmDs6NAB2QtFQk="

(3) Your firewall order is completely hosed and you have some rules that are not necessary. It will take me some time to work through them and is probably the reason for your issue. Will do that on next post.

(4) Where did you ever see any kind of source nat format with two out interfaces...........
add action=masquerade chain=srcnat disabled=yes out-interface=vlan55 \
out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=vlan12 out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=vlan11 out-interface-list=WAN
# vlanOpenVpn13 not ready
add action=masquerade chain=srcnat out-interface=vlanOpenVpn13 \
out-interface-list=WAN

(5) In summary lots to learn about MT config, what config lines do/purpose, and how they work.
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Fri Oct 28, 2022 3:53 pm

(1) MT firewall rules......

/ip firewall filter [ input chain ]
{Default Rules}
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
{Admin Rules}
add action=accept chain=input comment="allow LAN access" \
in-interface-list=LAN
add action=accept chain=input comment="allow wg access for config" \
in-interface=wg1
add action=drop chain=input comment="drop all else"

[forward chain]
{Default Rules}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
{Admin Rules}
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet traffic"
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding"
add action=accept chain=forward comment="WG for net" dst-address=192.168.7.0/24 \
in-interface=wg1 src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 out-interface=wg1 \
src-address=192.168.7.0/24
add action=drop chain=forward comment="drop all else"


(2) Your routes seem okay for the most part, except one is missing. Do you have the default route selected in DHCP settings? If so, fine. You don't need different distances here; there is no purpose to that in this case. In your IP routes section you should see the following.

dst-address=0.0.0.0/0 gwy=WAN_gatewayIP table=main ( standard route required for local traffic to WAN and initial connections to other sites )
dst-address=0.0.0.0/0 gwy=wg1 table=tablWG ( used with the routing rule, to force users out WireGuard instead of the local WAN )
dst-address=192.168.0.0/24 gwy=wg1 table=main ( to let the router know where to go when users want to reach the subnet on MT1 )

You have the table made already and you have the routing rule already, which is good. I should note that the action is important. If you want local users to be able to access the local WAN (internet) when the WireGuard tunnel is not available, then it is good. However, if you never want to allow that subnet access to the local WAN, then change the action to: lookup-only-in-table
/routing table
add disabled=no fib name=tablWG
/routing rule
add action=lookup disabled=no src-address=192.168.7.0/24 table=tablWG
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Fri Oct 28, 2022 4:03 pm

MT1

(1) WHY??? You have two lines to describe the same peer?? Remove the duplicate ( aka the first one with the incorrect address)!!

add allowed-address=172.16.10.2/32,192.168.7.0/24 comment="Testowy w domu" \
endpoint-address="address MT2" interface=wireguard1 public-key=\
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="
add allowed-address=172.16.10.3/32,192.168.7.0/24 comment=HexS \
endpoint-address="address MT2" interface=wireguard1 public-key=\
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="


(2) WHY??? You have an input chain rule for the initial handshake from MT2, which is good.
What the heck are you trying to say with ether1 here in the FORWARD chain??
add action=accept chain=forward comment="WireGuard for NET" in-interface=\
wireguard1 out-interface=ether1 src-address=192.168.7.0/24


The rule should look like the following (you can look at MT2 for the example)
add action=accept chain=forward comment="WireGuard for NET" in-interface=\
wireguard1 src-address=192.168.7.0/24 dst-address=192.168.1.0/24


Further you still need the other rule which is missing!!
add action=accept chain=forward comment="WireGuard for NET" out-interface=\
wireguard1 src-address=192.168.1.0/24 dst-address=192.168.7.0/24



OVERALL clean up your firewall rule structure as per MT2.
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Sat Oct 29, 2022 1:20 am

Hi, thanks for the hard work on my troubles.
Now I have access from MT1 to MT2 via WinBox (many thanks), but I am a little confused about the many rules in the firewall.
Could you take a look at my configuration on both devices?

so i cant get access to MT2 form local network ..... only from wired LAN ports works......
I have connected a Ubiquiti AC-Lite to Ethernet 5, so one SSID is connected without VLAN to the bridge, so my devices get an IP from the bridge's DHCP, but I can't get access via WinBox to MT2.
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Sat Oct 29, 2022 6:25 pm

You are not providing enough info, but also conflicting info.

Which Subnet in particular cannot reach MT locally (vlan 11?)

This sentence makes no sense......
so i cant get access to MT2 form local network ..... only from wired LAN ports works......

What do you mean. Wired LAN ports are not on the local network???

I absolutely despise configs where people use the bridge for DHCP; it just makes a big mess for nothing.
I much prefer using all vlans for subnets, and then the rules, moving traffic, and expectations are clean.


Why is the bridge the only member of the interface list LAN,
normally all the vlans are part of the LAN interface as well??

To be clear only the bridge right now is a member and look at your input chain rule.
add action=accept chain=input comment="allow LAN access" in-interface-list=LAN

Currently this does not include any vlans!!

++++++++++++++++
As far as the rest of the firewall rules, I have provided enough guidance already. If you have a specific question of understanding, because from here on in it's about your understanding of firewall rules, not doing them for you.
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Sat Oct 29, 2022 10:05 pm

Sorry that not clear……

To be clear about the hardware configuration:
The Ubiquiti is connected to port Ethernet5.
On this port are connected VLAN11, VLAN12, VLAN13.
In the Ubiquiti I have 4 SSIDs:
1) connected to VLAN11 only
2) connected to VLAN12 only
3) connected to VLAN13 only
4) normal mode, connected to the 192.168.7.0 network

All VLANs are different networks, so I can't access MT2 management; that is normal.
But the 4th SSID is connected to the bridge without any VLAN, and the ping to 192.168.7.1 (gateway) doesn't work; for example my client connected to SSID4 gets the address 192.168.7.252 from DHCP.
Ping from 192.168.7.252 to 192.168.7.1 isn't working, but access to the internet is possible.

Of course all LAN 2,3,4,5 port are connected to Bridge as local LAN.

So I don't understand why I don't have access to MikroTik management from LAN5 through SSID4.

update!
From MT1 I can manage by IP 192.168.7.1; that's fine.
But in the case of local LAN ports it is possible only via MAC; ping from any local LAN port on MT2 to gateway 192.168.7.1 times out......

ps2 I think that I now know what is going on: all traffic is redirected to the VPN...... so I can't get access via IP..... am I right?.... how to resolve?


Regards Mariusz.
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard client mikrotik simple setup

Sun Oct 30, 2022 3:34 am

Firstly, Ubiquiti can shove it. Stupid pos!

You should only need to trunk one port out of the router and into the Ubiquiti.
The Ubiquiti then, like any other stinking smart device, should use vlan11 for its own address ( and distribute all vlans to users as required ).

That being said, you are quite right: anybody on 192.168.7.0/24 is being pushed out the tunnel.

If you want it to be able to reach a local subnet simply put another routing rule BEFORE the existing one.
/routing rule
add action=lookup disabled=no dst-address=other_local_subnet table=main
add action=lookup disabled=no src-address=192.168.7.0/24 table=tablWG

However, you should have access to the router as long as the associated vlan has access to the router,
hence why I suggested you add the applicable vlan to the interface list LAN........
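As an added example (not from the thread or from MikroTik), the routing-rule ordering in this post and the routes/table from the earlier post can be modelled in Python: it reproduces why a 192.168.7.0/24 host could not reach 192.168.7.1 before the main-table rule was placed first, and shows the difference between lookup and lookup-only-in-table when the tunnel is down. The tables, rules and addresses are constructed from the posts, and the fall-through semantics of the two actions are assumed as described in the thread.

```python
"""Model of the RouterOS v7 policy-routing behaviour discussed in this thread.
Added example; tables, rules and addresses are constructed from the posts."""
from ipaddress import ip_address, ip_network

# Constructed MT2 routes: (prefix, out interface, routing table).
# Assumption: a route is only usable while its interface is up.
ROUTES = [
    ("192.168.7.0/24", "bridge", "main"),  # MT2 LAN (connected route)
    ("192.168.1.0/24", "wg1", "main"),     # MT1 LAN, reached through the tunnel
    ("0.0.0.0/0", "WAN", "main"),          # local ISP default
    ("0.0.0.0/0", "wg1", "tablWG"),        # tunnel-only default for policy-routed users
]

def lookup(table, dst, down=()):
    """Longest-prefix match in one table, ignoring routes whose interface is down."""
    best = None
    for prefix, iface, tbl in ROUTES:
        net = ip_network(prefix)
        if tbl == table and iface not in down and ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

def route(rules, src, dst, down=()):
    """Walk routing rules top-down; the first matching rule picks the table.
    action=lookup falls through on a miss, lookup-only-in-table does not."""
    for rule in rules:
        if "src" in rule and ip_address(src) not in ip_network(rule["src"]):
            continue
        if "dst" in rule and ip_address(dst) not in ip_network(rule["dst"]):
            continue
        iface = lookup(rule["table"], dst, down)
        if iface:
            return iface
        if rule["action"] == "lookup-only-in-table":
            return "unreachable"  # kill-switch: never leak to the local WAN
    return lookup("main", dst, down) or "unreachable"

# Rule sets from the thread: the original single rule, the fixed order with the
# main-table exception for the local subnet first, and a strict (no-leak) variant.
RULES_BEFORE = [{"action": "lookup", "src": "192.168.7.0/24", "table": "tablWG"}]
RULES_AFTER = [{"action": "lookup", "dst": "192.168.7.0/24", "table": "main"}] + RULES_BEFORE
RULES_STRICT = [RULES_AFTER[0],
                {"action": "lookup-only-in-table", "src": "192.168.7.0/24", "table": "tablWG"}]
```

With RULES_BEFORE the local management traffic is sent into wg1; with RULES_AFTER it stays on the bridge while MT1's LAN and the internet still go through the tunnel, and only RULES_STRICT refuses to fall back to the local WAN when wg1 is down.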
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Mon Oct 31, 2022 12:05 am

Hi, once again I want to thank you for your patience and professional support.

Now I have access to manage MT2 from the local LAN by IP, and from one of the SSIDs connected to the bridge through the Ubiquiti as well.

Adding this rule first resolved the problem:
/routing rule
add action=lookup disabled=no dst-address=192.168.7.0/24 table=main

I am not sure that it is correct, but it works.

Thank you very much.
 
mariuszelectro
just joined
Topic Author
Posts: 19
Joined: Sun Mar 22, 2020 4:49 pm

Re: WireGuard client mikrotik simple setup

Sat Nov 12, 2022 9:30 pm

Hello again.
My network with WireGuard has been working for a few days now.
Generally fine, but I have some observations that are not absolutely well.
Some applications can't connect to external servers when using the MikroTik VPN client.
Some websites I can't open in this same case.
It is strange, because most websites and applications work fine.

It depends on the MT client, I am sure.
When I am using the WG VPN on the iPad client directly to the same server, then everything works without any problems.
It looks like port forwarding does not work as expected in some cases.

BR Mariusz.
 
markeclaudio
just joined
Posts: 1
Joined: Sun Nov 13, 2022 2:33 am

Re: WireGuard client mikrotik simple setup

Sun Nov 13, 2022 2:39 am

I needed it and I created it for everyone. You can use this tool I created:

https://markeclaudio.github.io/mikrotik ... generator/
