OSPF over Wireguard links

metron6 · Thu Feb 29, 2024 4:50 pm

hello all,

i have a CHR router, where i have created wireguard links to several mikrotik routers. Up to here works fine. The problem is when i try to run OSPF for routing networks behind router.

this is my setup in wireguard server:

Wireguard server

/interface wireguard
add listen-port=14567 mtu=1420 name=WG-SRV

/interface wireguard peers
add allowed-address=10.129.200.2/32,10.107.14.0/24 comment=Libero interface=WG-SRV persistent-keepalive=30s public-key=\
    "Kz3zip6JJDuKin7tRYipM5j/aW6ynRe3RoJGuFlW2E4="
add allowed-address=10.129.200.3/32,10.122.2.0/24 comment=M6 interface=WG-SRV persistent-keepalive=30s public-key=\
    "kUR/r2ggqx1JAJYBVfmOnjxGzVzWuMqkvBli4kkCEHk="

/interface list
add name=LAN
/interface list member
add interface=WG-SRV list=LAN

/ip firewall filter
add action=accept chain=input comment="allow wireguard" dst-port=14567 protocol=udp

/ip address
add address=10.129.200.1/24 interface=WG-SRV network=10.129.200.0


OSPF Server

/routing ospf instance
add disabled=no name=default redistribute=connected,static,ospf router-id=10.107.13.1 routing-table=main
/routing ospf area
add disabled=no instance=default name=default
/routing ospf interface-template
add area=default auth=simple auth-key=twmn cost=5 disabled=no interfaces=WG-SRV networks=10.0.0.0/8 type=ptp

and this is my setup on clients

Wireguard client 1

/interface wireguard
add listen-port=13231 mtu=1420 name=WG-AD110
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxxxxxx.sn.mynetname.net endpoint-port=14567 interface=\
    WG-AD110 persistent-keepalive=25s public-key="3NgniWi9PX+uTaa/Kk/5/BzmuXPURaGeRmJrnEpcPyQ="

/interface list
add name=LAN
/interface list member
add interface=WG-AD110 list=LAN


OSPF client 1
 
/routing ospf instance
add disabled=no name=default redistribute=connected,static,ospf router-id=10.122.2.1 routing-table=main
/routing ospf area
add disabled=no instance=default name=default
/routing ospf interface-template
add area=default auth=simple auth-key=twmn cost=5 disabled=no interfaces=WG-AD110 networks=10.0.0.0/8 type=ptp

the problem of course is that OSPF cannot find neighbor routers, so its not running

Larsa · Thu Feb 29, 2024 5:03 pm

I'm not exactly sure what you mean by "OSPF for routing networks behind the router," but you have to define all networks that should be routed using OSPF. Adjacent ones don't propagate automatically.

Here are a couple of short and concise step-by-step labs that might cover what you need:

"MikroTik: OSPF on a single area"
https://www.youtube.com/watch?v=XAtJ5eaOJ0Y

"MikroTik: Multiple areas in OSPF"
https://www.youtube.com/watch?v=GtRJ1rSSB5o

metron6 · Thu Feb 29, 2024 5:52 pm

by the "OSPF for routing networks behind the router" i mean that if you configure to advertise for example connected networks, the oppose router get the routes.

metron6 · Thu Feb 29, 2024 6:03 pm

when i setup a pptp l2tp etc vpn, ospf works fine. neighbors are displayed, routes are distributed

thats why i think the problem is with wireguard.

Larsa · Thu Feb 29, 2024 6:29 pm

Unfortunately, there is no built-in automatic "discovery" functionality in OSPF. All included networks/subnets must be explicitly defined somewhere. For example, if a router is connecting two areas (i.e. acting as an OSPF Area Border Router) both networks must be defined for their respective areas in the connecting router. The same applies to a single area with two different subnets on respective side of a router. Otherwise, OSPF will not know how to propagate network information to the other side.

It doesn't matter what type of links you are using and Wireguard works out just fine with OSPF. Just make sure to use the link type ptp. When everything is working as expted, you may add BFD for superfast failover. Feel free to have a look at the videos before asking more questions.

EDIT:
For troubleshooting purposes, make sure to test the WireGuard links with static routes before applying OSPF. Tho before enabling it, remember to remove the static routes or alternatively use a very high distance metric (eg 250) so that routes added by OSPF take precedence.

metron6 · Fri Mar 01, 2024 1:38 am

routers that are connected via wireguard links are not shown in the ospf neighbors.
router 1 can see routes for all networks from all routers, except router 2.
router 2 and 3 even though they are connected and can ping each other, they cannot communicate with OSPF.

Larsa · Fri Mar 01, 2024 4:09 pm

Nice picture, but unfortunately it's pretty difficult to say anything else since it lacks info about networks and interface addresses. Let's begin with router 2 and 3. Btw, is this a single or multi-area topology?

mantouboji · Fri Mar 01, 2024 4:16 pm

For IPv4 links over wirefuard , it must allow 224.0.0.0/24 over wireguard.
For IPv6 links , you must assign a fe80::xxxx/64 linklocal address to each endpoint and allow fe80::/16

截屏2024-03-03 17.21.38.png

Larsa · Fri Mar 01, 2024 4:58 pm

I'm sorry, but that simply isn't true! Are you taking advice from ChatGPT?

nmt1900 · Fri Mar 01, 2024 7:07 pm

Is protocol 89 (ospf) allowed over this wireguard link by firewall policy (in input chain)?

Larsa · Fri Mar 01, 2024 8:13 pm

Yeah, good suggestion. If the wg-interface used for OSPF isn't listed in the LAN device list, you'll need to specify that port explicitly. This also affects the forward chain for routing.

rplant · Sat Mar 02, 2024 10:42 am

This is worth looking at:

viewtopic.php?t=182046

I would be inclined to setup static neighbors to the wireguard peers.

OSPF over Wireguard links

OSPF over Wireguard links

Re: OSPF over Wireguard links

Re: OSPF over Wireguard links

Re: OSPF over Wireguard links

Re: OSPF over Wireguard links

Re: OSPF over Wireguard links

Re: OSPF over Wireguard links

Re: OSPF over Wireguard links

Re: OSPF over Wireguard links

Re: OSPF over Wireguard links

Re: OSPF over Wireguard links

Re: OSPF over Wireguard links

Who is online