Connect to the container without exposing the port

Hi everyone, I really need your expert Mikrotik knowledge :smiley:

My setup: a remote server in the cloud, running wstunnel and WireGuard. The general idea is that if a client is in a restricted network and cannot connect to WG directly, they go through wstunnel, which wraps WireGuard into a WebSockets tunnel. I have tested it locally and it works, so server settings are out of the question.

I’m starting wstunnel like this:

wstunnel -L 'udp://12345:0.0.0.0:127.0.0.1:51820' …., which basically means: "listen on all interfaces locally for port 12345, and on the other side of the tunnel, forward it to 127.0.0.1 port 51820". This works on both rpi4 and my laptop, I can ping the server's WG IP no problem. So far so good.

The real fun starts when I put wstunnel in the container and try to run it on the router (hAP ax2). Following wstunnel configuration logic, on my hAP WG peer should have WG endpoint configured as
[container IP]:12345,
so wstunnel can pick up this connection and forward it upstream. The problem is it doesn't work :smiley: In my container logs, I can see a connection to the server being made, and on the server the wstunnel logs also report that the connection is established, BUT:

  • I cannot ping MikroTik peer;
  • MikroTik’s logs say that WG handshake didn’t succeed (and interface status and counters also indicate that).

Now, if I go into the container shell and install wg-quick there, put some pubkey and addr and add it on the server, I can ping the server from inside the container and vice versa, so wstunnel IS working. The problem lies somewhere with forwarding packets back from the container to the router.

I'm using the standard "Bridge with NAT" container configuration from the official manual:

/interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
/interface/bridge/add name=containers
/ip/address/add address=172.17.0.1/24 interface=containers
/interface/bridge/port add bridge=containers interface=veth1

Manual also mentions these two NAT rules, which I tried both with no luck:

/ip firewall nat
add chain=srcnat action=masquerade src-address=172.17.0.0/24
add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=80 protocol=tcp to-addresses=172.17.0.2 to-ports=80

I’m also not sure they’re really needed, since:

  1. the masquerade rule was not being hit (or I missed something), and
  2. I probably can adjust the 2nd rule to use port 51820 and put 192.168.88.1 into my WG endpoint config, but this loop feels wrong, and it also exposes wstunnel to my LAN, which I don't want.

My Mikrotik WG peer configuration is

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=172.17.0.2 endpoint-port=51820 \
    interface=wg1 name=wstunnel public-key="mykey"

I'm out of ideas; if anyone can suggest anything, I'm all ears.

Thanks a lot!

Of course I was stupid and messed my WireGuard keys :laughing: :laughing: :laughing:

I had to put the container in the default bridge though, I'm thinking of adding a firewall rule to limit access from anyone != 192.168.88.1.
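One way to implement the restriction mentioned in the last post, as an added example rather than configuration from the thread: LAN hosts reach the container through the forward chain, while packets the router itself originates (the WG peer endpoint) go through the output chain, so a forward-chain drop on the wstunnel listener leaves the router's own WireGuard handshake untouched. The container address 172.17.0.2 and the listener port 12345 are taken from the first post; adjust dst-address to whatever the veth has after moving it to the default bridge.

```routeros
# Added example (not from the original post). Drops every forwarded packet
# aimed at the wstunnel UDP listener, i.e. anything from LAN hosts or other
# routed segments. Router-originated traffic is not affected because it
# traverses the output chain, not forward.
/ip firewall filter
add chain=forward protocol=udp dst-address=172.17.0.2 dst-port=12345 \
    action=drop place-before=0 \
    comment="wstunnel listener is for the router's WG peer only"

# Optional: log attempts before dropping, useful for confirming nothing on
# the LAN is trying to reach the listener. Remove once verified.
add chain=forward protocol=udp dst-address=172.17.0.2 dst-port=12345 \
    action=log log-prefix="wstunnel-lan-attempt" place-before=0
```

Verify with `/ip firewall filter print stats` after a handshake: the drop rule's counters should stay at zero while the WG interface shows a successful handshake, and any non-zero counter means something else on the network was probing the listener.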