Hello my friends!
First of all:
The WireGuard server is my MT router installed in my office.
The WireGuard client is my Windows machine at home.
So my situation is this:
I already have a WireGuard tunnel that works well with my current configuration; however, my problem is that when I establish a connection using my WireGuard interface from my Windows machine,
I do not get the public IP address of my router; instead I stay with the public IP of my home network. So does anyone know how to make all the traffic go through this tunnel?
Below is my configuration on both sides:
On my Windows machine:
wg.rsc (6.92 KB)

WINDOWS:
(1) Error in Allowed IPs. You should be stating the subnets: 192.168.1.0/24,192.168.10.0/24,192.168.88.0/24,192.168.40.0/24
The allowed IPs on the Windows side could be the single entry 0.0.0.0/0 if you wanted internet access as well.
(2) Why do you have 192.168.88.??? and 192.168.40.??? They do NOT exist on the router.
Looks like it should only include 1.0 and 10.0.
(3) As for DNS, try using 172.22.0.1,
and if that doesn't work, one of the DNS servers that are used on the office router, maybe 1.1.1.1 etc.
(4) Why use an MTU of 1340?
First try both set at the default 1420 and then both at 1500, for example (both ends of the tunnel with the same setting).
ROUTER
(5) This looks wrong. Did you add that? It should be 172.22.0.0 for network; check this out yourself by only putting in the IP address and interface and the router will create the rest.
Ah, you also screwed up the address part too, forgetting /24.
FROM:
add address=172.22.0.1 comment=wireguard-Windows interface=wireguard1 network=172.22.0.2
TO:
add address=172.22.0.1/24 comment=wireguard-Windows interface=wireguard1 network=172.22.0.0
(6) Why is it that you have 3 DHCP pools, and yet only two corresponding IP addresses? In other words, where is the IP address for 192.168.10?
(7) What do you mean ether1 is a private IP without ethernet? Is this your WAN connection? Not private.
So is the reality that this router attaches to another router? Assuming then that you can port forward from the real router to the MT?
It's very confusing, as it appears you have both the router getting a private IP, I'm guessing 192.168.2.2, from the main router, but then you have an IP pool of the same.
Nothing makes sense to me on your router...
(8) The first rule on your input chain should be removed as it's incomplete and a duplicate. You have the correct rule already in place. It also means ANY CONNECTION to your router on UDP is allowed, which is a security hole!! I'm assuming you meant this as your other WireGuard connection, in which case you need to modify this rule...
FROM:
add action=accept chain=input comment="allow WireGuard" dst-port= protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=47111 protocol=udp
TO:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=Wireguard1 dst-port=47111 protocol=udp
add action=accept chain=input comment=Wireguard2 dst-port=xxxxxx protocol=udp
(9) What is the mangle rule for?
/ip firewall mangle
add action=passthrough chain=forward comment=local-wan-tx disabled=yes log=yes out-interface=ether1 src-address=192.168.1.0/24
add action=passthrough chain=forward comment=loca-wan-rx disabled=yes dst-address=0.0.0.0/0 in-interface=ether1 log=yes
add action=mark-routing chain=prerouting connection-mark=no-mark dst-address=192.168.2.2 dst-address-type=!local new-routing-mark=wg
(10) What is the purpose of this masquerade rule?
add action=masquerade chain=srcnat out-interface=wireguard1
(11) Get rid of the raw chain bloatware. Waste of time; your small router is not equipped to deal with DDoS.
(12) What is the purpose of this route?
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=0.0.0.0 routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
Suggest you read…
https://forum.mikrotik.com/viewtopic.php?t=182340
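For reference, here is what the server side of a "full tunnel" setup looks like when the points above are applied. This is an added example written for this thread, not the poster's export or anything from the MikroTik documentation. It assumes the values already mentioned here: wireguard1 listening on UDP 47111, the tunnel subnet 172.22.0.0/24 with the router at 172.22.0.1 and the Windows peer at 172.22.0.2, ether1 as the uplink to the ADSL router, and office LANs 192.168.1.0/24 and 192.168.10.0/24. CLIENT_PUBLIC_KEY is a placeholder for the key shown in the Windows WireGuard app.

```routeros
# Added example (not the thread's own config). Assumptions: wireguard1 listens on
# UDP 47111, ether1 is the uplink (in the WAN interface list so the defconf input
# drop applies to it), tunnel subnet 172.22.0.0/24, Windows peer 172.22.0.2.
# <CLIENT_PUBLIC_KEY> is a placeholder; paste the key from the Windows client.

/interface wireguard
# Same MTU on both ends; change it on Windows too if you move away from 1420.
add name=wireguard1 listen-port=47111 mtu=1420

/interface wireguard peers
# allowed-address on the ROUTER side is the source the router accepts from this
# peer. Keep it to the peer's single tunnel IP. The 0.0.0.0/0 that makes the
# client send everything through the tunnel belongs in the CLIENT's AllowedIPs.
add interface=wireguard1 comment=windows-home \
    public-key="<CLIENT_PUBLIC_KEY>" allowed-address=172.22.0.2/32

/ip address
# /24 on the address; leave network unset and RouterOS fills in 172.22.0.0.
add address=172.22.0.1/24 interface=wireguard1 comment=wireguard-Windows

/ip firewall filter
# Rule order matters: these must sit above the defconf "drop all not coming
# from LAN" / "drop all from WAN not DSTNATed" rules, so move them up after
# adding (or use place-before=<rule number>).
add chain=input action=accept protocol=udp dst-port=47111 \
    comment="WireGuard handshake/data in"
add chain=forward action=accept in-interface=wireguard1 \
    comment="WireGuard client to LAN and internet"

/ip firewall nat
# Full tunnel: client packets leave via ether1 with the router's address, which
# is why the client then shows the office public IP. A general masquerade on
# out-interface=ether1 already covers this; the src-address just keeps it explicit.
# No masquerade on out-interface=wireguard1 is needed for this.
add chain=srcnat action=masquerade out-interface=ether1 \
    src-address=172.22.0.0/24 comment="WireGuard full tunnel"

/ip dns
# Only needed if the Windows client uses DNS=172.22.0.1. Safe as long as the
# defconf input drop still blocks DNS queries arriving on ether1.
set allow-remote-requests=yes
```

On the Windows side the only change that matters for the "which public IP do I get" question is AllowedIPs = 0.0.0.0/0 under [Peer]; with the subnet list (192.168.1.0/24,192.168.10.0/24) only LAN traffic enters the tunnel and internet traffic keeps leaving via the home connection. With 0.0.0.0/0 set, the Windows app also offers the "Block untunneled traffic (kill-switch)" option, which is worth enabling so that traffic does not fall back to the home connection when the tunnel is down. No policy-routing mangle rules or a wg routing table are needed on the router for this; those would only be relevant if you wanted the router's own traffic, rather than the client's, to go through a tunnel. To confirm it is working from the router, /ip firewall connection print where src-address~"172.22.0." should show the client's connections, and the client should see the office public IP when it checks its address in a browser.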
++++++++++++++++++++++++++++
Hello Mr anav! As always, thanks for your reply!!
WINDOWS:
1- Error allowed IPs: so it's not an error; yes, we can set it as you mention. However, it works well in my current config. I tried replacing it with your recommendation but I didn't find any difference.
2- Yes, only 1.0 and 10.0 are the available addresses; I was testing some other ranges, that's why
I have those guys there.
3- Yes, I tried playing around with DNS a lot, including what you mentioned above, but all these attempts were to no avail.
4- Actually, when I set up my WireGuard tunnel the first time, I encountered low TX and RX transmission between my WireGuard server (router) and my Windows machine, so I began to change the
MTU on the client side until I reached 1340 as the best value for this connection, stable and efficient.
ROUTER:
5- As I noticed from a lot of WireGuard labs, this /24 doesn't matter a lot (someone may contradict this statement), but for me at least, when I set the IP interface for WireGuard like this it works well.
6- Well, previously it was used and now it's not used, so yes, I have to delete this.
7- So yes, I have an ADSL router before my MT router, and I already put the MT in a DMZ on the ADSL router,
so in this case, for any port forwarding rule from the MikroTik, the dst address will be the IP address of my MikroTik router, not my public IP.
8- Well, yes, I will remove it! Thanks, I didn't know that.
9-10: I was trying to create a rule in mangle to make this happen, "Access internet connection through WireGuard tunnel via public IP of a WireGuard server side", but to no avail.
11- I will, yes; that's another piece of trash in my router.
12- It's a complement to what I was doing in 9 and 10.
Well, absolutely, I will read your recommendation! A drop of info is very useful for me.
Once you have made the changes, repost your Windows and MT configs, and remove any testing garbage or networks that don't exist, etc.
Keep a clean config!!
So the new config:
wg.rsc (5.17 KB)

(1) As stated previously,
from:
add address=172.22.0.1 comment=wireguard-Windows interface=wireguard1 network=172.22.0.2
TO:
add address=172.22.0.1/24 comment=wireguard-Windows interface=wireguard1 network=172.22.0.0
(2) You don't need this... You are getting a single WAN IP on the LAN of the router in front of the MT, so the MT's WAN IP is simply the LAN IP on the primary router's LAN...
add address=192.168.2.0/24 dns-server=8.8.8.8,192.168.1.1 gateway=192.168.2.2
Everything else looks okay... will look again later.
+++++++++++++++++++++++++++++++++++++++++
I would still try to match up the MTUs (same on either side of the tunnel).
Hello Mr anav!
It works! I just changed the allowed IP address to 0.0.0.0/0 and everything goes fine!