After some challenges understanding how to set up the routing, I’ve finally managed to get my router to connect to NordVPN using WireGuard and send all internet traffic from my local network over the VPN connection. There’s one remaining frustration that I just can’t get to the bottom of: when I enable the route to send traffic over the WireGuard tunnel, I immediately lose the ability to connect to the router’s web interface, or ping it at its local network address 192.168.1.1. I can still connect to other machines on the local network, and, weirdly, I can still resolve DNS requests against the router using UDP port 53. And of course I can access the internet over the tunnel, and my IP correctly shows as that of the VPN exit node. In order to be able to access the router I have to use WinBox to connect via MAC address.
Current config:
# 2023-10-06 18:45:22 by RouterOS 7.11.2
# software id = DNSC-DX1W
#
# model = RB750Gr3
/interface bridge
add admin-mac=18:FD:74:74:08:BC auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 \
max-mru=1492 max-mtu=1480 name=pppoe-out1 user=XXXXXXXX
/interface wireguard
add listen-port=37728 mtu=1420 name=nordvpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add fib name=useNordVPN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=nordvpn list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=uk2220.nordvpn.com endpoint-address=\
178.239.162.243 endpoint-port=51820 interface=nordvpn \
persistent-keepalive=40s public-key=\
"K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.5.0.2/24 interface=nordvpn network=10.5.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=103.86.96.100
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward in-interface-list=LAN out-interface=nordvpn
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=nordvpn pref-src=\
10.5.0.2 routing-table=useNordVPN scope=30 suppress-hw-offload=no \
target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/routing rule
add action=lookup src-address=192.168.1.0/24 table=useNordVPN
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Obviously I enable the disabled route to send traffic over the VPN. Is there some kind of screw up with my firewall rules that’s stopping me reaching the router when the VPN route is enabled?
Observations.
- I know nothing about PPPoE, but are the max-mru and max-mtu set as defaults? Just asking as I don't know.
- You should get rid of the static DNS settings… and what the heck is 103.whatever??? Is that the NordVPN DNS provided info?
/ip dns
set allow-remote-requests=yes servers=103.86.96.100
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
If that is NordVPN, try this instead, as the router and the initial handshake need access to DNS. Also, if you just had one user that you didn't want to go out WireGuard, they would be able to use this DNS.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
In DHCP settings…
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=103.86.96.100 gateway=\
192.168.1.1 netmask=24
Since you are pushing the subnet out the tunnel door, the DNS entry here seems to make sense.
- Let's review the significant pieces of the wg config.
You have the pieces needed for success! Your NordVPN IP address is source-NATted for all your LAN users, check!! You have a table, check!! You have a routing rule, check!! You have an IP route, uh oh… the format is screwy. WTF is pref-src doing there? Remove it as per below.
/interface list member
add interface=nordvpn list=WAN
/routing table
add fib name=useNordVPN
/routing rule
add action=lookup src-address=192.168.1.0/24 table=useNordVPN
/ip route
add dst-address=0.0.0.0/0 gateway=nordvpn routing-table=useNordVPN
One thing to note is that your action selection in the routing rule means that if WireGuard is NOT working, the router will go to the main table, find an alternate route and use the PPPoE connection.
- The reason normally one cannot access local destinations from within the subnet is because you force all traffic out the tunnel.
Suggest fixing the stuff above first and see how the router responds…
If you still have issues then add an additional routing rule as such (order is critical):
/routing rule
add action=lookup-only-in-table dst-address=192.168.1.0/24 table=main
add action=lookup src-address=192.168.1.0/24 table=useNordVPN
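For reference, the policy-routing pieces recommended above assembled into one snippet, with the local-subnet exception placed before the VPN rule. This is an added example, not code from either post: the interface, table and subnet names are the ones in the poster's export, and the kill-switch rule at the end is an assumption about what a privacy-oriented setup wants, not something either post asked for.

```routeros
# Added example (not from either post): policy routing of the LAN through the
# WireGuard tunnel on RouterOS 7. Interface, table and subnet names are the
# ones in the poster's export; the kill-switch rule at the end is an assumption.

/routing table
add fib name=useNordVPN

# Default route that exists only in the useNordVPN table. On a point-to-point
# tunnel the gateway is the interface itself; no next-hop address is needed.
/ip route
add dst-address=0.0.0.0/0 gateway=nordvpn routing-table=useNordVPN

# Rules are evaluated top to bottom and the first match wins.
/routing rule
# 1. Destinations inside the LAN, including the router at 192.168.1.1, are
#    resolved in main only. Without this the /0 route in useNordVPN catches a
#    LAN host's packet to 192.168.1.1 and it vanishes into the tunnel. The /24
#    mask matters: dst-address=192.168.1.24 means the single host .24 and
#    leaves every other local destination, the router included, unmatched.
add action=lookup-only-in-table dst-address=192.168.1.0/24 table=main
# 2. Everything else sourced from the LAN uses the tunnel table. With "lookup"
#    the router falls back to main (and so to pppoe-out1) when the table holds
#    no usable route, e.g. while the nordvpn interface is disabled. Change the
#    action to lookup-only-in-table to blackhole instead of falling back.
add action=lookup src-address=192.168.1.0/24 table=useNordVPN

# Belt-and-braces kill switch (assumption about intent, not something either
# post asked for): refuse new LAN connections that would leave directly via
# the ISP link, so a routing slip cannot send LAN traffic in the clear.
# Nothing earlier in the default forward chain accepts new LAN-to-WAN
# connections, so it catches them wherever it sits; keep it above any accept
# rule added later.
/ip firewall filter
add action=drop chain=forward comment="kill switch: no LAN traffic direct to ISP" \
    connection-state=new in-interface-list=LAN out-interface=pppoe-out1
```

After applying, `/routing rule print` should list the main-table exception above the VPN rule, a LAN host should be able to ping 192.168.1.1 again, and a public IP check from a LAN host should still show the VPN exit address. Disable the nordvpn interface briefly to confirm the kill switch drops LAN traffic instead of letting it out via PPPoE.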
The pref source thing was just me randomly trying stuff without really understanding what I was doing. The results are the same with or without it. The DNS server is a Nord one, I have put this back to being 8.8.8.8 for the moment. I haven’t bothered changing the DHCP config yet because ideally I’d prefer that local clients use the router for DNS so I can put static routes for the local network in there. Ultimately I’ll have to work something out for this because I don’t want a DNS leak but to start with I just want to get the basics working.
I’ve tried adding your additional routing rule but it makes no difference. This is where I’m at now:
# 2023-10-07 11:11:34 by RouterOS 7.11.2
# software id = DNSC-DX1W
#
# model = RB750Gr3
/interface bridge
add admin-mac=18:FD:74:74:08:BC auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 \
max-mru=1492 max-mtu=1480 name=pppoe-out1 user=lucian_holland
/interface wireguard
add listen-port=37728 mtu=1420 name=nordvpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add fib name=useNordVPN
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=nordvpn list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=uk2220.nordvpn.com endpoint-address=\
178.239.162.243 endpoint-port=51820 interface=nordvpn \
persistent-keepalive=40s public-key=\
"K53l2wOIHU3262sX5N/5kAvCvt4r55lNui30EbvaDlE="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=10.5.0.2/24 interface=nordvpn network=10.5.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward in-interface-list=LAN out-interface=nordvpn
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=nordvpn pref-src="" \
routing-table=useNordVPN scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.1.24 table=\
main
add action=lookup src-address=192.168.1.0/24 table=useNordVPN
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
(1) Using 8.8.8.8 is fine but you have failed to get rid of the static setting…
(2) The allow rule for nordvpn is in the wrong order, not that it should hurt but it's not ideal…
Put that rule FROM:
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward in-interface-list=LAN out-interface=nordvpn
add action=accept chain=forward comment="defconf: accept in ipsec policy"
To:
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface=nordvpn
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
(3) No wonder, look at your routing rule…
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.1.24 table=\
main
this is what I suggested…
add action=lookup-only-in-table dst-address=192.168.1.0/24 table=main
…
Try again with a properly formatted rule.
Also, perhaps you were attempting 192.168.1.1/32 in the rule, which may be worth trying if the above doesn't work, as I am out of other ideas.
I know another rule that helps if there are internet issues when using the NordVPN tunnel, so just in case you run into that later, here it is…
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for outgoing packets" new-mss=clamp-to-pmtu out-interface=nordvpn passthrough=yes protocol=tcp tcp-flags=syn
You completely deleted this setting from your new config… IT'S MISSING
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
192.168.1.1 netmask=24
but remember to change this to…
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=103.86.96.100 gateway=\
192.168.1.1 netmask=24
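The reply above tells the poster to point DHCP clients straight at the NordVPN resolver, while the poster said earlier that they would rather keep the router as the LAN's resolver (so local static names keep working) and still avoid a DNS leak. One way to reconcile the two on RouterOS 7, as an added example that is not part of either post: clients keep using 192.168.1.1, the router's own upstream queries are forced through the tunnel with a destination-based routing rule of the same kind as the LAN exception in this thread, and clients that bypass DHCP and query a public resolver directly are redirected to the router. The interface name nordvpn, table name useNordVPN and upstream 103.86.96.100 come from the posted configs; the rule comments are mine.

```routeros
# Added example (not from either post): keep the router as the LAN resolver
# without leaking DNS past the tunnel. Names match the poster's export.

# Clients keep using the router, so /ip dns static entries (router.lan) still work.
/ip dhcp-server network
set [ find address=192.168.1.0/24 ] dns-server=192.168.1.1 gateway=192.168.1.1

# Upstream resolver; 103.86.96.100 is the NordVPN address from the first config.
/ip dns
set allow-remote-requests=yes servers=103.86.96.100

# Router-originated traffic is not covered by the src-address=192.168.1.0/24
# rule, so the router's own queries would leave via main (pppoe-out1) in the
# clear. Routing rules are consulted for locally generated packets too, and a
# dst-address match catches them. lookup-only-in-table means "unreachable"
# rather than "fall back to the ISP" if the tunnel table has no route. Order
# relative to the LAN rules does not matter because the matches do not overlap.
/routing rule
add action=lookup-only-in-table dst-address=103.86.96.100/32 table=useNordVPN

# LAN hosts or apps that ignore DHCP and query 8.8.8.8 etc. directly are
# redirected to the router's resolver, so their lookups also ride the tunnel.
/ip firewall nat
add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 \
    in-interface-list=LAN comment="force LAN DNS through the router"
add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 \
    in-interface-list=LAN comment="force LAN DNS through the router (tcp)"

# Check from the router: start the sniffer on the ISP link in one terminal,
# resolve a name in another. No port-53 packets should appear on pppoe-out1.
# /tool sniffer quick interface=pppoe-out1 port=53
# :put [:resolve www.mikrotik.com]
```

The redirect rules are what stop a client with a hard-coded resolver from bypassing the router; without them the routing rule only protects the router's own lookups and queries to other resolvers would simply follow the LAN-to-VPN rule, which is still tunnelled but outside the resolver the poster wants to control.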
OMG what an idiot - too much staring at IP addresses and netmasks and my brain just gave up obviously. With the address corrected this does the trick. Many thanks for your help!