Connecting wireguard inside mikrotik router to wireguard on the vps

How to connect WireGuard inside a MikroTik router to WireGuard on the VPS? The MikroTik router that I use only gets a private IP from the ISP. Details are below:

ISP public (shared) ipv4 address: 182.xxx.127.128

Mikrotik
ether1
bridge wan (pppoe) private ip address: 10.165.210.205

Wireguard inside mikrotik
Interface: wireguard1
IP Address: 192.168.204.4
Listen port: 34567

Wireguard on VPS
Interface: wg0
Local address: 192.168.204.1/24
Listen Port: 23456
Endpoint: 103.yyy.107.108

WireGuard on this MikroTik router is not handshaking with WireGuard on the VPS. On Windows, WireGuard can connect even though it is behind NAT (double NAT, because the ISP I use only gives a private IP), but the WireGuard on MikroTik does not.
[attached image: mikrotik wireguard.png]

Personally, my PPPoE has a dynamic public IP. But as this connection is outgoing, the private IP from your ISP should not be a problem; at some point your traffic will go out to the internet from one public IP address. So if my assumption is correct, your problem is config, not the private IP, as you successfully connected from Windows behind double NAT.
I would recommend you check this post. It might help you find where the problem is. My VPS is an x86 MT.
http://forum.mikrotik.com/t/route-internet-traffic-mt-via-wireguard-tunnel-through-mt-wg-peer/154825/1

Could you draw a diagram, as it's not clear to me what is where doing what?
If the MT is getting a private IP then it cannot be used as a SERVER for the initial connection UNLESS the ISP router can forward the listening port etc.
Then there is the issue if the MT is used for its internet access in which case one has to be able to (for return internet traffic) either create a static route from the ISP router to the MT,
OR, have the MT source-nat the traffic from the remote site heading out to the internet before it reaches the ISP router.

…once the tunnel is established, it is a bi-directional IP-Link.
Just establish the tunnel from local MT to VPS.
In local MT specify the VPS-peer as endpoint…

I’ve added the diagram. The WireGuard peer on the MikroTik router acts as “client” and WireGuard on the VPS as “server”. The goal is forwarding MikroTik service ports (winbox, ssh, www) to the VPS, so I can manage it remotely via the internet.

Finally the WireGuard settings worked. I don’t know why previously the WireGuard peer on MikroTik couldn’t handshake with the WireGuard server on the VPS.

[attached image: mikrotik-wireguard.png]

Glad that it worked out… you should also set a persistent keepalive in the peers to a number much lower than your FW conntrack settings.

But why not use a CHR on the VPS? It could possibly save some resources and be easier to configure…

Money I guess :d

maybe…a one-time licence, not a rented CHR on a VPS, is not what I call expensive. Actually I was able to save 1 buck a month by the ability to just use/migrate to a smaller VPS…just sayin’

@lebaran: I am facing a similar problem - trying to establish a WireGuard tunnel from my NATed home network to a VPS server with a public IP. I guess the problem is in the firewall (or routing), because the tunnel is never established. I noticed you use fwmark - would you be so kind as to detail how you use it? Thank you!

saxik, post your config on MikroTik and VPS

@anav, thanks for trying to help. I figured out that it was a firewall issue. I had to enable my WireGuard port on VPS, i.e.:

ufw allow 12345/udp
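The two points raised in this thread (set a persistent keepalive on the NATed side well below the firewall's conntrack timeout, and open the VPS listen port in the VPS firewall) can be checked before the first handshake attempt. The following script is an added example, not configuration posted by anyone in the thread: it renders the RouterOS v7 peer commands for the MikroTik "client" and a wg-quick style wg0.conf for the VPS "server" from one set of parameters, then runs a consistency check over the settings that commonly cause a silent no-handshake. The public keys, the VPS host address (203.0.113.10) and the 180 s UDP conntrack timeout are constructed placeholders and assumptions; real keys come from `wg genkey` or from the RouterOS interface.

```python
"""Render and sanity-check a MikroTik-behind-NAT -> VPS WireGuard pair.
Added example; all keys, hosts and timeouts are constructed placeholders."""

import ipaddress
from dataclasses import dataclass


@dataclass
class WgSide:
    name: str          # interface name on that host
    address: str       # tunnel address with prefix length
    listen_port: int
    public_key: str    # placeholder; real keys come from `wg genkey` / RouterOS


def routeros_client_commands(router: WgSide, vps: WgSide, vps_host: str,
                             keepalive_s: int) -> list[str]:
    """RouterOS v7 commands for the NATed side. Only this side names an
    endpoint: the VPS cannot reach the router's private IP, so the router
    must initiate and keep the NAT mapping alive with persistent-keepalive."""
    tunnel_net = ipaddress.ip_interface(vps.address).network
    return [
        f"/interface/wireguard add name={router.name} listen-port={router.listen_port}",
        f"/ip/address add address={router.address} interface={router.name}",
        (f"/interface/wireguard/peers add interface={router.name} "
         f'public-key="{vps.public_key}" endpoint-address={vps_host} '
         f"endpoint-port={vps.listen_port} allowed-address={tunnel_net} "
         f"persistent-keepalive={keepalive_s}s"),
    ]


def vps_wg_quick_conf(vps: WgSide, router: WgSide) -> str:
    """wg-quick style /etc/wireguard/wg0.conf for the VPS. No Endpoint for the
    router peer: WireGuard learns it from the first authenticated packet."""
    router_ip = ipaddress.ip_interface(router.address).ip
    return "\n".join([
        "[Interface]",
        f"Address = {vps.address}",
        f"ListenPort = {vps.listen_port}",
        "PrivateKey = <VPS_PRIVATE_KEY_PLACEHOLDER>",
        "",
        "[Peer]",
        f"PublicKey = {router.public_key}",
        f"AllowedIPs = {router_ip}/32",
        "",
    ])


def check_tunnel(router_endpoint_port: int, vps_listen_port: int,
                 keepalive_s: int, conntrack_udp_timeout_s: int,
                 vps_allow_rules: list[str]) -> list[str]:
    """Return the misconfigurations that stop or silently break the handshake;
    an empty list means the pair is consistent. vps_allow_rules holds the
    firewall rules as 'PORT/PROTO' strings, mirroring `ufw allow PORT/udp`."""
    problems = []
    if router_endpoint_port != vps_listen_port:
        problems.append(f"router endpoint-port {router_endpoint_port} "
                        f"!= VPS ListenPort {vps_listen_port}")
    if keepalive_s <= 0:
        problems.append("no persistent-keepalive: the NAT mapping expires between "
                        "handshakes, so the VPS cannot reach the router after idle")
    elif keepalive_s >= conntrack_udp_timeout_s:
        problems.append(f"persistent-keepalive {keepalive_s}s is not below the "
                        f"UDP conntrack timeout {conntrack_udp_timeout_s}s")
    if f"{vps_listen_port}/udp" not in vps_allow_rules:
        problems.append(f"VPS firewall has no rule admitting {vps_listen_port}/udp "
                        f"(e.g. ufw allow {vps_listen_port}/udp)")
    return problems


# Constructed parameters following the addressing used in the thread.
ROUTER = WgSide("wireguard1", "192.168.204.4/24", 34567, "ROUTER_PUBKEY_PLACEHOLDER=")
VPS = WgSide("wg0", "192.168.204.1/24", 23456, "VPS_PUBKEY_PLACEHOLDER=")
VPS_HOST = "203.0.113.10"      # documentation address standing in for the VPS IP
CONNTRACK_UDP_TIMEOUT_S = 180  # assumed firewall UDP stream timeout

if __name__ == "__main__":
    print("\n".join(routeros_client_commands(ROUTER, VPS, VPS_HOST, 25)))
    print(vps_wg_quick_conf(VPS, ROUTER))
    # Before the fix described in the thread: port closed, no keepalive.
    print(check_tunnel(VPS.listen_port, VPS.listen_port, 0,
                       CONNTRACK_UDP_TIMEOUT_S, ["22/tcp"]))
    # After: port admitted and keepalive set below the conntrack timeout.
    print(check_tunnel(VPS.listen_port, VPS.listen_port, 25,
                       CONNTRACK_UDP_TIMEOUT_S, ["22/tcp", "23456/udp"]))
```

The check deliberately treats a missing keepalive as a problem even though the initial handshake may succeed without it: once the router's NAT mapping times out, only the router can re-open it, so traffic initiated from the VPS (the remote-management use case in this thread) would stall until the router next sends something.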

Awesome, glad it's working for you!