Hello!
I’ve made a config for routing wifi traffic through wireguard vpn. It doesn’t work. I want to understand why. Sadly the config is a bit convoluted, however I only want to understand /ip/route part, perhaps someone could explain without digging too deep.
I want wifi clients’ traffic to run through the wg1 interface. The interface itself works: I can ping from ROS, and the ping shows up on the wireguard server. But when I ping from a wifi client it doesn’t work. Here are 6 cases:
- from mikrotik ping 10.10.0.3 (vpn client address) – ok
- from mikrotik ping 10.10.0.1 (vpn server address) – ok
- from mikrotik ping anything-on-internet – ok
- from wifi client ping 10.10.0.3 (vpn client address) – ok
- from wifi client ping 10.10.0.1 (vpn server address) – timeout, nothing on VPN server
- from wifi client ping anything-on-internet – timeout, nothing on VPN server
My question is, why does traffic get dropped in cases 5 and 6? I thought adding the default route (0 As 0.0.0.0/0 wg1 2) should do the trick.
addresses:
[admin@MikroTik] > ip address print
Columns: ADDRESS, NETWORK, INTERFACE
#  ADDRESS           NETWORK      INTERFACE
0  192.168.1.200/24  192.168.1.0  bridge
1  10.10.0.3/24      10.10.0.0    wg1
routes:
[admin@MikroTik] > ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS             GATEWAY        DISTANCE
0 As   0.0.0.0/0               wg1            2
1 As   <wg-inet-public-ip>/32  192.168.1.254  1
  DAc  10.10.0.0/24            wg1            0
  DAc  192.168.1.0/24          bridge         0
About network:
- My LAN gateway (G) is 192.168.1.254/24, not a mikrotik.
- My mikrotik (M) is a 951G-2HnD, current firmware 7.2.3.
- M is connected to the LAN in full switch mode, DHCP client & server disabled.
- M has ip 192.168.1.200 statically assigned to it to avoid using G’s DHCP.
- VPN server is on a remote linux machine, its VPN address is 10.10.0.1/24.
- VPN client is on M, interface wg1, its address is 10.10.0.3/24.
- Wifi client is an android phone, configured manually, ip 192.168.1.201, gateway 192.168.1.200 (M), DNS 8.8.8.8, again to avoid G’s DHCP.
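One check worth running for the symptom "timeout, nothing on VPN server" is WireGuard's cryptokey routing on the server side: a decrypted packet is only accepted if its source address falls inside that peer's AllowedIPs, otherwise it is dropped before it ever appears on the wg interface. The script below is an added example, not from the post or from MikroTik; it parses constructed `wg show <iface> allowed-ips` output (the peer key, interface name and AllowedIPs are assumptions, since the post shows neither) and reports whether a packet sourced from the wifi client would be accepted as-is, and whether it would be after masquerading on wg1 or after widening AllowedIPs.

```python
import ipaddress

# Constructed `wg show wg0 allowed-ips` output as it might look on the
# Linux server: one line per peer, "<pubkey>\t<net> <net> ..." (hypothetical).
SAMPLE_ALLOWED_IPS = "PEERPUBKEY_PLACEHOLDER=\t10.10.0.3/32\n"
# Same peer after the LAN subnet has been added to its AllowedIPs.
SAMPLE_WITH_LAN = "PEERPUBKEY_PLACEHOLDER=\t10.10.0.3/32 192.168.1.0/24\n"


def parse_allowed_ips(text):
    """Map each peer public key to its list of AllowedIPs networks."""
    peers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, nets = line.partition("\t")
        # wg prints "(none)" for a peer without any AllowedIPs
        peers[key] = [ipaddress.ip_network(n) for n in nets.split() if n != "(none)"]
    return peers


def accepting_peer(peers, src):
    """Return the peer whose AllowedIPs cover src, or None if the kernel drops it."""
    addr = ipaddress.ip_address(src)
    for key, nets in peers.items():
        if any(addr.version == net.version and addr in net for net in nets):
            return key
    return None


def diagnose(text, lan_client="192.168.1.201", wg_client="10.10.0.3",
             lan_net="192.168.1.0/24"):
    """Evaluate the post's cases against the server's cryptokey routing table.

    router_src_accepted:  ping from the MikroTik itself (source 10.10.0.3), and
                          also what a wifi client's ping looks like once srcnat
                          masquerade on out-interface wg1 rewrites its source.
    lan_src_accepted:     ping from the wifi client forwarded with its own
                          192.168.1.201 source (the post's cases 5 and 6).
    lan_subnet_in_allowed_ips: whether the whole LAN is routable through the
                          peer, i.e. the alternative fix on the server side.
    """
    peers = parse_allowed_ips(text)
    lan = ipaddress.ip_network(lan_net)
    covered = any(lan.version == n.version and lan.subnet_of(n)
                  for nets in peers.values() for n in nets)
    return {
        "router_src_accepted": accepting_peer(peers, wg_client) is not None,
        "lan_src_accepted": accepting_peer(peers, lan_client) is not None,
        "lan_subnet_in_allowed_ips": covered,
    }
```

With the narrow AllowedIPs the router's own pings pass and the wifi client's do not, which matches cases 1-3 versus 5-6; either result is only as good as the real `wg show` output you feed in.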