I would like to ask you if it's possible to have the MikroTik router as a WireGuard server and as a WireGuard client at the same time.
Basically I have it set up as a server and it works ok to connect from android phone to a NAS behind the router.
Now I would like to add an RPI WireGuard server from another remote network. I would like to connect with the MikroTik router to that particular WireGuard server and allow connection from the webserver IP mentioned in the screenshot (192.168.0.20) to the Synology NAS mentioned in the screenshot (192.168.200.3), so that the Synology NAS collects data from the webserver API.
Please excuse my poor drawing skills
Hi, thank you for the response. Unfortunately I only have a MikroTik router in the first location, and in the second location I have a Raspberry Pi. So maybe I misunderstood, or I am too new at this.
In the WireGuard world of VPNs there is no such thing as Client/Server … WireGuard is strictly Peer to Peer … Any WireGuard Peer can communicate with any other WireGuard Peer … A Peer does not talk to itself … a Peer only communicates with its other permitted Peers …
So your Raspberry WireGuard Peer can establish communications with your MikroTik Peer as long as you exchange the proper keys and have the allowed addresses in place and your Firewall is correctly configured to allow the communication.
As mozerd states, connectivity is TWO WAY, peer to peer ONCE CONNECTED
For the initial handshake one side has to ACT as server and the other end a client.
For a device to be a server it has to have a reachable public IP (either direct or by port forwarding from an upstream ISP modem/router for example).
There is no reason why two publicly accessible MT routers for example couldn’t start a tunnel to the other.
I would use a different interface and different listening ports to make it clear, but it's possible.
As stated, what has to line up are the basic requirements:
- necessary firewall rules (both input and forward chain)
- applicable Allowed-Addresses at both ends!!
- necessary routes.
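As an added illustration of those three requirements (this is example config, not anything posted in the thread): a RouterOS 7 configuration in which the MikroTik keeps its existing phone-facing WireGuard interface on 51820 and adds a second interface that initiates a tunnel to the RPi site, with allowed-addresses, a route and grouped input/forward chains that end in an explicit drop. The keys, the RPi's public (port-forwarded) address 203.0.113.10, the tunnel subnets 10.10.10.0/24 and 10.20.20.0/24, the interface lists and the bridge name are placeholders or assumptions; 192.168.200.3, 192.168.0.20, ports 51820/51821 and the WAN interface "digi" are taken from the thread.

```routeros
# Example configuration, not from the thread. Replace every REPLACE_WITH_* value.

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=digi
add list=LAN interface=bridge    ;# assumption: the home LAN bridge is called "bridge"

/interface wireguard
add name=wg-phone listen-port=51820 private-key="REPLACE_WITH_MT_PHONE_PRIVATE_KEY"
add name=wg-rpi   listen-port=51821 private-key="REPLACE_WITH_MT_RPI_PRIVATE_KEY"

/ip address
add address=10.10.10.1/24 interface=wg-phone comment="tunnel to phone (assumed subnet)"
add address=10.20.20.1/24 interface=wg-rpi   comment="tunnel to RPi site (assumed subnet)"

/interface wireguard peers
# Phone: no endpoint here, the phone initiates to the MikroTik WAN IP:51820.
add interface=wg-phone public-key="REPLACE_WITH_PHONE_PUBLIC_KEY" \
    allowed-address=10.10.10.2/32 comment="android phone"
# RPi site: the MikroTik initiates, so the RPi's forwarded address goes in endpoint-*.
# allowed-address must cover the RPi tunnel IP AND the remote LAN holding the
# webserver; otherwise WireGuard silently drops 192.168.0.20's packets even
# though the handshake succeeds.
add interface=wg-rpi public-key="REPLACE_WITH_RPI_PUBLIC_KEY" \
    endpoint-address=203.0.113.10 endpoint-port=51820 \
    allowed-address=10.20.20.2/32,192.168.0.0/24 \
    persistent-keepalive=25s comment="RPi site (placeholder endpoint)"

/ip route
add dst-address=192.168.0.0/24 gateway=wg-rpi comment="remote LAN via RPi tunnel"

/ip firewall filter
# ---- input chain, grouped together ----
add chain=input action=accept connection-state=established,related,untracked comment="input: established"
add chain=input action=drop   connection-state=invalid comment="input: invalid"
add chain=input action=accept protocol=udp dst-port=51820 in-interface=digi comment="input: WireGuard from phone"
add chain=input action=accept protocol=udp dst-port=51821 in-interface=digi comment="input: WireGuard from RPi (only needed if the RPi initiates)"
add chain=input action=accept in-interface-list=LAN comment="input: LAN management"
add chain=input action=drop comment="input: drop everything else"
# ---- forward chain, grouped together ----
add chain=forward action=accept connection-state=established,related,untracked comment="forward: established"
add chain=forward action=drop   connection-state=invalid comment="forward: invalid"
add chain=forward action=accept in-interface=wg-rpi  src-address=192.168.0.20  dst-address=192.168.200.3 comment="forward: webserver -> NAS"
add chain=forward action=accept out-interface=wg-rpi src-address=192.168.200.3 dst-address=192.168.0.20  comment="forward: NAS polls webserver API"
add chain=forward action=accept in-interface=wg-phone dst-address=192.168.200.3 comment="forward: phone -> NAS"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="forward: LAN to internet"
add chain=forward action=drop comment="forward: drop everything else"
```

The other end has to line up the same way: the RPi's peer entry for the MikroTik needs 10.20.20.1/32 and 192.168.200.0/24 in its AllowedIPs, and either the webserver (or the router in front of it) needs a route back to 192.168.200.0/24 via the RPi, or the RPi masquerades tunnel traffic into its LAN. Because the two forward rules name the exact hosts, anything else arriving over wg-rpi hits the final drop, which is the point of grouping the chains with an explicit drop at the end.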
Peer to Peer means: Decentralized peer-to-peer programs (such as WireGuard) allow pushing files, which means the calling Peer initiates the data transfer rather than the receiving Peer.
No SERVER is involved … PERIOD
calling Peer receiving Peer.
ABSOLUTELY no server is involved because the communication is Decentralized where all PEERS are equal
So why does one MT device need an input chain rule!! and the other does not…
Reality is there is an initial handshake whether you like it or not. You are confusing the OP.
I see that you have a second WireGuard interface set up on the RPI, for android access, probably not a bad idea, but are you saying that both devices have publicly accessible WAN IPs?
The important addition to android phone connectivity is the ability for the NAS server and the webservers to
a. be accessible via firewall rules L3
b. or do something automatically like stream or read traffic, or something at L2??
The MikroTik has a WAN IP, but the RPi does not. It's behind a router with port forward.
For the moment my priority is to get the MikroTik and RPi up and running with a connection. Basically to have connectivity between the webserver and the Synology NAS. Android is after, to make sure I have a backup connection in place.
I looked over the topic you posted but I am quite new and can't follow all of it, only parts. That is why I tried to reach out for some support.
Shouldn't be too far to get working…
It looks like you don't use vlans but multiple bridges?
(1) Please provide full config
/export file=anynameyouwish ( minus router serial # and any public WANIP information )
(2) Missing many firewall rules??
(3) Okay so where is the same rule, as below, for port 51821 ???
/ip firewall filter
add action=accept chain=input comment="Allow Wireguard" dst-port=51820 in-interface=digi protocol=udp
Okay, it's below,
Nothing I detest more than an unorganized firewall chain.
Group input chain together and forward chain together, much easier to read and troubleshoot
Why have any firewall rules, all is permitted… so the rules you made are not even necessary as there are no blocking rules.
A mess of a config… if you are truly internet facing!!
What is the purpose of this rule??
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT"
or any of your rules…
add action=dst-nat chain=dstnat comment="Wireguard hairpin nat" disabled=yes dst-address-list=WANs dst-port=51820 protocol=udp to-addresses=192.168.200.1 to-ports=51820
add action=masquerade chain=srcnat comment="Wireguard piVPN" src-address=192.168.202.0/24
+++++++++++++++++++++++++
You are attempting advanced config concepts for a homeowner without having an understanding of any basics…
What is the purpose of this rule??
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT"
This was added to be able to access devices when I connect through the VPN from inside the home WLAN
I added my full config with sensitive stuff removed. I am open to criticism so I can improve. And indeed I am a noob in this aspect, but I am reading and trying to make it good.
And not least, thank you lots for your help. It's much appreciated. export_mikrotik.rsc (25.8 KB)