Connecting to local network from outside using L2TP/Wireguard

So I have a hap lite TC router plus an Internet modem/router.
I want to set up a VPN server on the hAP lite to be able to connect to my local network (i.e., the hAP lite, the internet modem/router and all of the connected devices) from outside of the local network.
First of all, I think that I will need a static IP. However, I was wondering about IP/Cloud, which somehow acts like a dynamic DNS. (I don’t know whether it is compatible with my device or not.) If it is not, I can purchase a static IP from my ISP.
I would like to use WireGuard as the VPN server. I don’t know whether WireGuard is compatible with my device or not, but if it’s not, I can use L2TP as well.
I am not a professional in networking, so I want to ask you to tell me the steps that I should take in detail. I think these are the steps, but I am not sure:
1- Connect RouterOS to the internet (note that I want to connect to the VPN using a static IP, so I think I should use bridge mode, but I don’t know how.)
2- Starting a VPN server on router (preferably wireguard) that I can connect to that from outside.
3- Some firewall rules in order to make the config more secure.

If my mentioned steps are right, please kindly let me know how that I can do them.

You are on the right track for sure.
The key is not whether the public IP is static or dynamic but whether it is publicly accessible.

So you either need to have an ISP Modem device that gives your router a public IP ( most common )
OR
An ISP modem Router that gets a public IP and which you can enter to at least forward ports to your router ( common )

There is much reading to be had…
https://forum.mikrotik.com/viewtopic.php?t=182373

Thanks. Let’s consider this one:

So you either need to have an ISP Modem device that gives your router a public IP ( most common )

If I purchase a static IP from my ISP, how can I assign that to my router? (Not my Modem.)

Why would you want to purchase a static IP if they are providing you with a public dynamic IP??
Seems like an extra cost for very little gain. I only say this because you are pinching pennies with a hAP lite, aka you didn’t buy an RB5009 for example! or an AX3!

Well, this is because it seems that my IP is not public. When I check my IP address on https://www.iplocation.net/ it shows an address that is totally different from the IP address that the ADSL modem shows in the PPPoE settings section.

Sounds like getting a static IP is the right approach then!!

Checking What Your IP IS:
In other words, the admin should ensure that the WANIP the router gets is the same one that the external World sees. This can be accomplished via
a. ‘whats my IP’ in your browser
b. Checking the public IP that shows up when one enables IP Cloud.
c. Checking what IP address is shown under the details of IP DHCP Client
d. Checking what IP address is shown in IP routes - look for a (DAC) entry and preferred source.

They should ALL be the same if your router is getting a valid Public IP. If not, then you may be getting a private IP address from your Provider.
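The checks above can be done from the router itself; the following RouterOS script is an added example (not part of anav's post) that compares the address on the WAN port with what IP Cloud reports and flags private or CGNAT ranges. It assumes ether1 is the WAN port and that IP Cloud may be enabled.

```routeros
# Added example, not from the thread: is the WAN address the one the world sees?
# Assumption: ether1 is the WAN interface; IP Cloud is allowed to be switched on.
/ip cloud set ddns-enabled=yes
:delay 5s
:local cloud [/ip cloud get public-address]
# The interface address comes back as "a.b.c.d/len"; strip the prefix length.
:local raw [/ip address get [:pick [find interface=ether1] 0] address]
:local wan [:toip [:pick $raw 0 [:find $raw "/"]]]
# RFC 1918 ranges plus 100.64.0.0/10 (carrier-grade NAT) mean no inbound VPN.
:if (($wan in 10.0.0.0/8) || ($wan in 172.16.0.0/12) || \
     ($wan in 192.168.0.0/16) || ($wan in 100.64.0.0/10)) do={
    :log warning ("WAN address " . $wan . " is private/CGNAT; IP Cloud sees " . $cloud)
} else={
    :if ($wan = $cloud) do={
        :log info ("WAN address " . $wan . " matches the public address; inbound VPN is possible")
    } else={
        :log warning ("WAN " . $wan . " differs from public " . $cloud . "; check the upstream device")
    }
}
```

If the warning fires, the upstream modem/router (not the ISP) is the device that must forward the VPN port, as the rest of the thread shows.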

Hello,
I have a public and static IP on my 4G/LTE modem right now. Hap Lite router is also connected to 4G Modem and gets IP from 4G Modem.
I also set up a virtual server on my 4G modem that forwards all incoming traffic from outside on port 5142 to the internal IP of the MikroTik and to the WireGuard port:

This is mikrotik config:

/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1450 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface l2tp-server server
set use-ipsec=yes
/interface wireguard peers
add endpoint-address=192.168.2.1 endpoint-port=13231 interface=wireguard1 \
    public-key="1YjceDL371vHOid7**********"
/ip dhcp-client
add interface=ether1

and this is my iPhone WireGuard config:

However, when I activate WireGuard on my iPhone, I cannot connect to the internet or even to the MikroTik or the 4G router. In the MikroTik WinBox the Rx is also 0 and not changing.

Of course not, as it’s probably not set up properly. The config only follows the error-prone human.
Hiding parts of your config just wastes the time of us attempting to help so please provide the full export (minus router serial number and any public WANIP information).

Hi, Please find the config attached below.
Everything is Ok at this time and I can connect from outside to my LAN using wireguard. However, my wireguard client doesn’t have access to Internet and I don’t know why.
config.rsc (1.1 KB)

Not much of a config, but the extra source address is what is not needed.
If your traffic is… remote users inbound, get rid of it.

Not much of a config, but the extra source address is what is not needed.

If your traffic is… remote users inbound, get rid of it.

I always have this problem and haven’t found a solution for it. I mean I use /export file=somename to export the config, but anyone who looks at the config says the config is not complete. I really don’t know why this happens.

Anyway, attached is the output of /export verbose
I hope it could help.



By the way, I was searching on the internet about this problem and somebody said this is due to port forwarding (https://askubuntu.com/questions/1294533/wireguard-handshake-works-but-no-internet-access). Can you take a look at that please?

Where is your wan port ???
Is this connected to another router??
Is it MT, if so need to see config…

If not is WG port forwarded to the WANIP of this device??

My WAN port is 5142.
Yes, it is connected to another 4G/LTE router. I am using port forwarding on the 4G router to forward traffic.
It is not MT, it is TP-Link.

Okay so you have a TP-Link router forwarding the port to the MT router…
Suggest the following config then…
I get that the fixed static IP of the MT router on the TP-Link LAN is 192.168.2.100
Ether1 is the “wan” port.
Ether2 is unknown but let’s say it’s connected to something…

Things I did
a. removed IP DHCP Client - not required.
b. removed unneeded srcnat and modified default for static IP.
c. add dns server to ip dhcp network settings
d. added dns settings

Give it a shot and see if things are better ( but change client MTU to 1420 or change MT to 1450, they both should be the same!! )…


/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 name=dhcp1
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key="ydz3qh9st1bAgWZeKl55xIv5XXXXXXXXXXXXXXXX"
/ip address
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
/ip firewall nat
add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.2.100
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Thanks, works like a charm!

I decided to use two WireGuard interfaces with two different WAN static IPs. Ether1 is for WAN1 and Ether2 is for WAN2. They both have static and public IPs and are port forwarded to the MT.
So I need two WireGuard ifaces, namely wg1 and wg2.
Whenever users connect to wg1, they should access the internet through WAN1, and whenever users connect to wg2 they should access the internet through WAN2.

Can you help me in this?

As always, only work from the latest updated config…
Any user LAN details needed should be stated in clear requirements.
Who needs what, where, both internal and external flows by all; exceptions should be noted.

Finally, failover expectations and usage of the WANs in general should be discussed.
Then the config can be modified with context.

Hi. Here is the config.
Ether1 is connected to the DSL modem with a static public IP; the MT gets the local static IP address 192.168.1.100 from the DSL modem, and port 7236 on the DSL modem is forwarded to the MT.
Ether2 is connected to the LTE modem with a static public IP; the MT gets the local static IP address 192.168.2.100 from the LTE modem, and port 5036 on the LTE modem is forwarded to the MT.
Ether3 is connected to my laptop; I need to connect to the internet through Ether2 on my laptop.
Anyone who connects to wg-iface-lte should access the internet only through Ether2.
Anyone who connects to wg-iface-dsl should access the internet only through Ether1.
Anyone who connects to any wg interface should be able to see all LAN devices.

/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=7236 mtu=1420 name=wg-iface-dsl
add listen-port=5036 mtu=1420 name=wg-iface-lte
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool1 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=ether3 name=dhcp1
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wg-iface-dsl public-key=\
    "Y8HzPJuhH5he7xqgvbqNLYX1eVfAm1oT/ClgVMzPBXo="
add allowed-address=192.168.200.2/32 interface=wg-iface-lte public-key=\
    "1Lqomm4L/nluKczxheAQskfWAH95gtph5L9Ha+FZS0s="
/ip address
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.100.1/24 interface=wg-iface-dsl network=192.168.100.0
add address=192.168.200.1/24 interface=wg-iface-lte network=192.168.200.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
add interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether2 to-addresses=\
    192.168.2.100
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
    192.168.1.100

This is the config that I use on my clients to connect to wg interfaces: (Assume 188.188.188.188 is public IP of DSL and 151.151.151.151 is public IP of LTE)

[Interface]
PrivateKey = wKNmmsp1fAxv5ryQps1DceXoNq6XmiBwqOyvyXfnNng=
Address = 192.168.100.2/32
DNS = 1.1.1.1
MTU = 1420
[Peer]
PublicKey = ufG1OYlNvlZt//1FoawUj+oZFffzNmOn37ybSqxyjWk=
AllowedIPs = 0.0.0.0/0
Endpoint = 188.188.188.188:7236
PersistentKeepalive = 25



[Interface]
PrivateKey = 2IfSkvQRcgB/IxHc5KFU+4jSJ7csb/JRB1FS04BxgGI=
Address = 192.168.200.2/32
DNS = 1.1.1.1
MTU = 1420
[Peer]
PublicKey = tzSGclGX633qfvll+g4vf/N8SP2Ww5fJnJdWrUdIcHo=
AllowedIPs = 0.0.0.0/0
Endpoint = 155.155.155.155:5036
PersistentKeepalive = 25

By the way, I didn’t understand this:

a. removed IP DHCP Client - not required.

MT needs to get an IP from each modem, can it be done without a DHCP client?

Can you confirm you only have one LAN, and that’s connected on ether3?
Can you explain why you have three pools for the same subnet?


Remove IP DHCP Client for both interfaces. There are no dynamic assignments and thus no real purpose to this method!
You get a private IP, not a public one, from the upstream device, and it’s a static WAN IP.

There are multiple ways to accomplish these things, in your case the simplest is
a. IP address of each WAN, as you have done
b. manual route (which you failed to show)

/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main

Assuming wireguard is strictly for your remote external clients (not for local LAN users).
++++++++++++++++++++++++++++++++++++++

Herein lies the problem: the initial handshake needs to be considered. There is no problem reaching ether1 or ether2 by various means, such as a dyndns-type name.
So when the external user first hits either of the two WANs, via the necessary port, a handshake attempt is executed. However, how do we ensure the response back to the originator goes out the same WAN, and thus ISP, it came in on??

Also, what is the hierarchy of wan1, wan2, for your LAN users?
How are they supposed to utilize the two WANs: is one primary and the other failover, PCC (shared) etc…
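The return-path problem anav describes is normally solved on RouterOS v7 with connection marks and per-WAN routing tables. The block below is an added example, not anav's or the poster's config; it reuses the interface names, gateways and subnets from the posted config and assumes the existing srcnat rules stay in place.

```routeros
# Added example, not from the thread. Assumptions: ether1/ether2 are the DSL/LTE
# WAN ports with gateways 192.168.1.1/192.168.2.1, wg-iface-dsl/wg-iface-lte are
# the tunnels, and 192.168.3.0/24 is the only LAN (names from the posted config).
/routing table
add name=via-dsl fib
add name=via-lte fib
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=via-dsl
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=via-lte
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main comment="default for LAN users"
/ip firewall address-list
add list=LAN address=192.168.3.0/24
add list=LAN address=192.168.100.0/24 comment="wg-iface-dsl clients"
add list=LAN address=192.168.200.0/24 comment="wg-iface-lte clients"
/ip firewall mangle
# 1) Remember which WAN a new inbound connection (the WireGuard handshake) arrived on.
add chain=input in-interface=ether1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=from-dsl passthrough=yes
add chain=input in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=from-lte passthrough=yes
# 2) The router's own replies on those connections use the matching gateway,
#    so the handshake response leaves on the WAN it came in on.
add chain=output connection-mark=from-dsl \
    action=mark-routing new-routing-mark=via-dsl passthrough=no
add chain=output connection-mark=from-lte \
    action=mark-routing new-routing-mark=via-lte passthrough=no
# 3) Tunnel users: internet-bound traffic follows the tunnel's WAN; LAN and
#    router-local destinations are left unmarked so they stay reachable.
add chain=prerouting in-interface=wg-iface-dsl dst-address-list=!LAN \
    dst-address-type=!local action=mark-routing new-routing-mark=via-dsl passthrough=no
add chain=prerouting in-interface=wg-iface-lte dst-address-list=!LAN \
    dst-address-type=!local action=mark-routing new-routing-mark=via-lte passthrough=no
# The posted srcnat rules (out-interface=ether1/ether2) still NAT the result.
```

Verify with /ip firewall connection print where connection-mark=from-lte after a client connects to the LTE endpoint; the entry should show the client's public address on ether2 and, once the tunnel is up, its traffic should exit via ether2 only.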



Can you confirm you only have one LAN, and thats connected on ether3?

Yes

Can you explain why you have three pools for the same subnet?

It was just a mistake.

So when the external user first hits either of the two WANs, via the necessary port, a handshake attempt is executed. However, how do we ensure the response back to the originator goes out the same WAN, and thus ISP, it came in on??

Yes, this is the main problem.

Also, what is the hierarchy of wan1, wan2, for your LAN users?

There is no hierarchy at all. No load balancing and no failover.
They are two separate WANs. The user can decide on his/her own which WAN to connect to.

I do not understand how a user can decide which WAN they use… it’s not obvious…