DNS issues with Wireguard

Hello,

I am trying to set up a ProtonVPN WireGuard tunnel. At this stage I have everything working except DNS: no DNS queries resolve. I can ping and access websites by IP address, and traffic passes correctly through the tunnel. I am also able to ping Proton's DNS server (10.2.0.1). However, I can neither access any site by hostname nor run traceroute. Therefore, I think that either my DNS configuration is screwed up or something else is blocking these queries. I have tried several solutions found online, to no avail. At this point I am using the default ROS 7.4 configuration (with wlan1 instead of ether1 for WAN) plus the WireGuard settings provided by Proton, and I will introduce modifications once I get this part working. I would appreciate any suggestions on what else I could try.

# RouterOS 7.4 export: the default configuration with wlan1 as the uplink
# (a station toward a home/hotel router, per the poster's later clarification),
# plus a ProtonVPN WireGuard tunnel (protonwg01). LAN traffic is steered into
# the tunnel with mangle marks and a dedicated routing table.
# Values in <...> were redacted by the poster.
/interface bridge
add auto-mac=no comment=defconf name=bridge
/interface wireguard
# listen-port only matters for inbound handshakes. The input chain below drops
# everything that does not arrive from LAN; the tunnel still comes up because
# the router initiates toward the peer and the replies match established/related.
add comment="ProtonVPN interface" listen-port=12930 mtu=1420 name=protonwg01
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): HomeAP lists tkip in group-ciphers, a deprecated cipher. It is
# the profile used toward the upstream AP (wlan1), so drop tkip if that AP
# offers aes-ccm.
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm \
    mode=dynamic-keys name=HomeAP supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Red \
    supplicant-identity=""
/interface wireless
# wlan1 (no mode given, i.e. station) connects to the upstream router with the
# HomeAP profile and is the WAN interface; wlan2 is an AP (ap-bridge) for local
# clients; wlan3 is a virtual interface on top of wlan1.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    disabled=no distance=indoors frequency=2452 installation=indoor \
    security-profile=HomeAP ssid=<SSID> wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=<COUNTRY> disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge security-profile=Red ssid=\
    <SSID> wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=<MAC ADDRESS> \
    master-interface=wlan1 multicast-buffering=disabled name=wlan3 \
    security-profile=Red ssid=<SSID> wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
# Separate FIB for traffic that must leave through the tunnel. It is filled by
# the /ip route entry at the end and selected via the mangle routing-mark.
add disabled=no fib name=protonvpn_wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=wlan3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is off entirely, so nothing can bypass the IPv4-only tunnel over v6.
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wlan1 list=WAN
/interface wireguard peers
# The two /1 halves together cover all of IPv4; Proton's own .conf (quoted
# later in the thread) uses the plain 0.0.0.0/0 form.
add allowed-address=0.0.0.0/1,128.0.0.0/1 endpoint-address=<ADDRESS> \
    endpoint-port=51820 interface=protonwg01 public-key=\
    <PUBLIC KEY>
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# Tunnel-side address: Proton's guide says /30, their .conf file says /32.
# The resulting connected route is how the router itself reaches 10.2.0.1.
add address=10.2.0.2/30 interface=protonwg01 network=10.2.0.0
/ip dhcp-client
# By default the DHCP client also installs the main-table default route via
# the uplink (the route print later in the thread shows it as a DAd route).
add comment=defconf interface=wlan1
/ip dhcp-server lease
add address=192.168.88.20 client-id=<ID> mac-address=\
    <MAC> server=defconf
/ip dhcp-server network
# Clients are pointed at the router for DNS, so every lookup goes through the
# resolver configured under /ip dns below.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for its clients. It is
# not an open resolver toward the uplink only because the input chain drops
# all non-LAN traffic ("drop all not coming from LAN" below). The single
# upstream 10.2.0.1 is reachable solely through the tunnel, so name resolution
# for the whole LAN stops whenever protonwg01 is down.
set allow-remote-requests=yes servers=10.2.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Source networks whose traffic the mangle rules steer into the tunnel.
add address=192.168.88.0/24 list=under_protonvpn
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# This rule is what shields DNS, WinBox, SSH etc. from the uplink side (and
# from the tunnel, which is in neither list); keep it above any later accepts.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttrack is intentionally disabled: fasttracked packets skip mangle, which
# would defeat the routing marks below.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=no-mark connection-state=established,related disabled=yes \
    hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# There is no final drop in the forward chain: anything not matched above
# (including LAN -> tunnel) is accepted by default.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
# Mark connections from the under_protonvpn networks, then give their packets
# the protonvpn_wg routing mark so that table is consulted instead of main.
# NOTE(review): neither rule excludes traffic addressed to the router itself
# (no dst-address-type=!local), so LAN queries to the router's own
# 192.168.88.1 resolver are marked as well. That is a common cause of
# "everything but DNS works" with marked routing; the usual remedy is to add
# dst-address-type=!local to both rules — TODO confirm on this build.
add action=mark-connection chain=prerouting new-connection-mark=\
    under_protonvpn passthrough=yes src-address-list=under_protonvpn
add action=mark-routing chain=prerouting new-routing-mark=protonvpn_wg \
    passthrough=yes src-address-list=under_protonvpn
# Clamp TCP MSS on tunnelled connections so segments fit the 1420-byte tunnel
# MTU without fragmentation.
add action=change-mss chain=forward connection-mark=under_protonvpn new-mss=\
    1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# LAN addresses are unknown to the Proton side, so tunnelled traffic must be
# source-NATed to the tunnel address too.
add action=masquerade chain=srcnat out-interface=protonwg01
/ip route
# Default route that exists only in the protonvpn_wg table; main keeps the
# uplink default from the DHCP client, so only marked traffic uses the tunnel.
add comment="ProtonVPN Wireguard default route" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=protonwg01 pref-src="" routing-table=\
    protonvpn_wg scope=30 suppress-hw-offload=no target-scope=10

/system clock
set time-zone-name=<TIMEZONE>
# Management over MAC (telnet/WinBox) is limited to LAN-side interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) What IP address were you given by PROTON for your wireguard? It is not clear:
did they give you 10.10.10.2/30 or did you get 10.10.10.2/32? What other information did they provide???

(2) Where in heck did you think this was a good idea?
/interface wireguard peers
add allowed-address=0.0.0.0/1,128.0.0.0/1 endpoint-address= \

(1b) and why do you have this included…
/interface wireguard peers
add allowed-address=0.0.0.0/1,128.0.0.0/1 endpoint-address= \

If you are going out for internet traffic it should be this period
add allowed-address=0.0.0.0/0

(2) Why is the address for the network as follows?
add address=10.2.0.2/30 interface=protonwg01 network=10.2.0.0

Normally it should be
add address=10.2.0.2/24 interface=protonwg01 network=10.2.0.0

Regardless if they give you one or two IP addresses, use the standard notation for IP address on the MT Device Client side.
It works…

(3) Missing persistent keep alive on the MT client settings, 40 seconds is fine…

(4) WHY is this selected…It might be causing some issues??? Investigating as I am weak on DNS for wg.
/ip dns
set allow-remote-requests=yes servers=10.2.0.1

(5) I would handle your WG without mangling; mangling, by the way, often means one has to disable the fasttrack rule in the forward chain filter rules.
You have most of the necessary config to do this already, just a couple of additions and DELETE ALL MANGLING.

a. DONE - create table.
/routing table
add disabled=no fib name=protonvpn_wg

b. DONE - provide a route for tunnel
/ip route
add comment="ProtonVPN Wireguard default route" disabled=no distance=1
dst-address=0.0.0.0/0 gateway=protonwg01 pref-src="" routing-table=protonvpn_wg
scope=30 suppress-hw-offload=no target-scope=10

c. ADD - standard routing - provide a route for the router
/ip route
add distance=1 dst-address=0.0.0.0/0 gwy=ether1 table=main

d. ADD - to send lan users through tunnel
/ip route rule
add src-address=192.168.88.0/24 action=lookup-only-in-table table=protonvpn_wg

note: if you wanted lan members to be able to access internet through local ISP, if the wg tunnel goes down, then change action to simply: action=lookup

Thanks for the response.

  1. Their guide says to use 10.2.0.2/30, while the config file has /32. The config file they provided included:
PrivateKey = <PRIV KEY>
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = <PUB KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = <IP ADDRESS>:51820

The rest of their configuration I took from their Mikrotik guide: https://protonvpn.com/support/wireguard-mikrotik-routers/

1a) and b) Good points. That’s what they had in their guide, but even their config file includes 0.0.0.0/0 as you mentioned. FIXED

  1. Their guide had 10.2.0.2/30 No idea why, but can change it.

  2. FIXED

  3. That is also coming from their guide. I understand that should be their DNS server address accessible from within the tunnel. I tried to remove it, but DNS still doesn’t work.

5c and d) I worked out that 'table' refers to routing-table in 5c. However, I cannot get 5d to work, as I am told that 'rule' is a bad command.

Okay all good so far,
Definitely use 10.2.0.2/24 as your IP address on the MT.

For IP DNS I think you were on the right track to put in 10.2.0.1, just add some common ones as well after that.
/ip dns
set allow-remote-requests=yes servers=10.2.0.1,1.1.1.1,9.9.9.9

As far as the setup regarding routes, basically you should have
the standard route
dst-address=0.0.0.0/0 gwy=ether1 table=main
dst-address=0.0.0.0/0 gwy=protonwg01 table=protonvpn_wg

The new table
/ip table
add name=protonvpn_wg fib

The route rule
/ip route
add src-address=192.168.88.0/24 action=lookup-only-in-table table=protonvpn_wg

++++++++++++++++++++++++++
Can you show IP routes table and also the error that comes up,
Is it the format that's wrong, or is it saying something else is wrong?

OK, IP address and DNS servers done.

However, I am still not able to add your last route rule. When I use your command I get:
expected end of command (line 1 column 15)
I wonder whether something changed on MikroTik's side, as neither a source address nor an action are among the options in the IP routes table when I check what can be entered manually via WinBox. Here is the IP routes table:

 Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS      GATEWAY      DISTANCE
0  As+ 0.0.0.0/0        wlan1               1
  DAd+ 0.0.0.0/0        192.168.0.1         1
  DAc  10.2.0.0/24      protonwg01          0
  DAc  192.168.0.0/24   wlan1               0
  DAc  192.168.88.0/24  bridge              0
;;; ProtonVPN Wireguard default route
1  As  0.0.0.0/0        protonwg01          1

Edit: I don’t think it matters for the issue at hand, but just to clarify the table above, I use Mikrotik as a travel router so it is connected via wlan1 to a home/hotel router. Hence, wlan1 is WAN and 192.168.0.0/24 are addresses assigned by the home router. The entry itself was added automatically.

Since it is the client, as long as there is a viable WAN connection from some source it should work.

As for the bad command line info, that is because the CLI command is incorrect,
It should be
/routing rule add …

/routing rule add src-address=192.168.88.0/24 action=lookup-only-in-table table=protonvpn_wg

Awesome, I can confirm that it works now and the connection is way faster than IPSec config that I used before.

Now that I have the basic WireGuard connection working, I tried to port it to my actual router configuration and realised that it is not that straightforward, since routing tables are now used instead of mangle rules. Basically, I would like to have 5 VLANs with no communication between them (with a single exception for a device with a static IP that is accessible from another VLAN). 3 of these VLANs should connect via different Proton WireGuard tunnels, one should use the clearnet, and one should have no internet access. My current configuration accomplished these goals with IPsec, so only the WireGuard part must be adjusted.

  1. The biggest issue right now is that the configuration we got working previously does not work when I try to route traffic for a specific VLAN only. The routing table has many more entries now, and I am not sure whether the issue is that I need to add more NAT rules for the VLANs or whether there is another routing problem. I am not able to ping any external IPs, but the WG tunnel itself is up.

  2. As I intend to have 3 different WG connections, I am planning to create 3 tunnels and route tables for each VLAN. Is that the right approach?

  3. Is there a way to define a DNS server for each VLAN separately? Currently I set a single DNS server (10.2.0.1), as Proton's guide instructs. However, I noticed that the clearnet VLAN then cannot resolve names, since it obviously cannot and should not reach that server.

As the configuration is pretty long, I tried to group settings for better readability.

#######################################
# WIFI Setup
#######################################

# Four WPA2-PSK profiles, one per SSID; the pre-shared keys are blanked ("") in
# this paste. NOTE(review): HomeAP still lists tkip in group-ciphers; it is the
# profile used toward the home AP on wlan2, so drop tkip if that AP offers
# aes-ccm.
/interface wireless security-profiles add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=HomeAP supplicant-identity="" wpa2-pre-shared-key=""
/interface wireless security-profiles add name=Green authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""
/interface wireless security-profiles add name=Red authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""
/interface wireless security-profiles add name=Blue authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""

# wlan1 is an AP (ap-bridge) for the Red SSID. wlan2 has no mode set (station)
# and joins the home/hotel AP with the HomeAP profile; it is the uplink (see the
# DHCP client and the WAN list further down). wlan3/wlan4 are virtual APs for
# Green and Blue on top of wlan2 and wlan1 respectively.
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=<country> disabled=no frequency=auto mode=ap-bridge security-profile=Red ssid=Red wps-mode=disabled
/interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-eCee country=<country> disabled=no distance=indoors frequency=auto installation=indoor security-profile=HomeAP ssid=<SSID> wireless-protocol=802.11
/interface wireless add name=wlan3 ssid=Green master-interface=wlan2 security-profile=Green disabled=no wps-mode=disabled
/interface wireless add name=wlan4 ssid=Blue master-interface=wlan1 security-profile=Blue disabled=no wps-mode=disabled


#######################################
# Bridge
#######################################

# vlan-filtering stays off while ports and VLAN entries are added; it is
# switched on in the last section, so a half-built VLAN table cannot cut off
# management access mid-way.
/interface bridge add auto-mac=no comment=defconf name=bridge vlan-filtering=no

# IPv6 disabled globally; the /ipv6 firewall drops further down are a second
# line of defence should it ever be re-enabled.
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192

#######################################
#
# -- Access Ports --
#
#######################################

# Green VLAN
# Access ports: pvid places each port's untagged ingress into its VLAN. The
# ingress-filtering / frame-types hardening for these ports is applied in the
# "VLAN Security" section near the end.
/interface bridge port add bridge=bridge comment=defconf interface=ether2 pvid=10
/interface bridge port add bridge=bridge comment=defconf interface=ether3 pvid=10
/interface bridge port add bridge=bridge comment=defconf interface=wlan3 pvid=10

# Red VLAN
/interface bridge port add bridge=bridge comment=defconf interface=wlan1 pvid=20

# Blue VLAN
/interface bridge port add bridge=bridge comment=defconf interface=wlan4 pvid=30

# Purple VLAN
/interface bridge port add bridge=bridge comment=defconf interface=ether4 pvid=40

# Base VLAN
/interface bridge port add bridge=bridge comment=defconf interface=ether5 pvid=99

# L3 switching so Bridge must be a tagged member
# NOTE(review): `[find vlan-ids=10]` as a bare argument to `add` looks like a
# transcription slip; the usual form passes the VLAN as a parameter, e.g.
# `/interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=10`.
# Verify the resulting entries with `/interface bridge vlan print` before
# relying on them.
/interface bridge vlan add bridge=bridge tagged=bridge [find vlan-ids=10]
/interface bridge vlan add bridge=bridge tagged=bridge [find vlan-ids=20]
/interface bridge vlan add bridge=bridge tagged=bridge [find vlan-ids=30]
/interface bridge vlan add bridge=bridge tagged=bridge [find vlan-ids=40]
/interface bridge vlan add bridge=bridge tagged=bridge [find vlan-ids=99]
###


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=bridge name=BASE_VLAN vlan-id=99
/ip address add address=192.168.88.1/24 interface=BASE_VLAN network=192.168.88.0

# DNS server, set to cache for LAN
# allow-remote-requests=yes only helps clients whose queries get through the
# input chain; with the input rules in the firewall section only BASE_VLAN does.
# The upstream servers are set in the ProtonVPN section at the end.
/ip dns set allow-remote-requests=yes

/ip dns static add address=192.168.88.1 name=router.lan

# DHCP Client for HomeAP
# wlan2 is the uplink in this layout (it is the only WAN list member below).
/ip dhcp-client add comment=defconf interface=wlan2

# Static default route in main. The DHCP client on wlan2 normally installs its
# own default route as well (compare the two 0.0.0.0/0 entries in the route
# print earlier in the thread), so this entry is redundant unless the client
# was configured with add-default-route=no.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wlan2 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

#######################################
# IP Services
#######################################

# DHCP instance for BASE_VLAN
/ip pool add name=BASE_POOL ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

# Green VLAN interface creation, IP assignment, and DHCP service
# Every VLAN below hands out 192.168.88.1 (the BASE_VLAN address) as its DNS
# server. Those queries hit the router's input chain arriving from
# GREEN/RED/BLUE/PURPLE_VLAN, which the input rules in the firewall section only
# accept from BASE_VLAN — see the note there. Per-VLAN resolvers would be set
# here, via different dns-server values, rather than in the single /ip dns list.
/interface vlan add interface=bridge name=GREEN_VLAN vlan-id=10
/ip address add interface=GREEN_VLAN address=10.0.10.1/24
/ip pool add name=GREEN_POOL ranges=10.0.10.10-10.0.10.254
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.88.1 gateway=10.0.10.1

# Red VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=RED_VLAN vlan-id=20
/ip address add interface=RED_VLAN address=10.0.20.1/24
/ip pool add name=RED_POOL ranges=10.0.20.10-10.0.20.254
/ip dhcp-server add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP disabled=no
/ip dhcp-server network add address=10.0.20.0/24 dns-server=192.168.88.1 gateway=10.0.20.1

# Blue VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=BLUE_VLAN vlan-id=30
/ip address add interface=BLUE_VLAN address=10.0.30.1/24
/ip pool add name=BLUE_POOL ranges=10.0.30.10-10.0.30.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.30.0/24 dns-server=192.168.88.1 gateway=10.0.30.1

# Purple VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=PURPLE_VLAN vlan-id=40
/ip address add interface=PURPLE_VLAN address=10.0.40.1/24
/ip pool add name=PURPLE_POOL ranges=10.0.40.10-10.0.40.254
/ip dhcp-server add address-pool=PURPLE_POOL interface=PURPLE_VLAN name=PURPLE_DHCP disabled=no
/ip dhcp-server network add address=10.0.40.0/24 dns-server=192.168.88.1 gateway=10.0.40.1

#######################################
# Firewalling & NAT
#######################################

/interface list add comment=defconf name=WAN
/interface list add name=BASE
/interface list add name=VLAN
/interface list add name=NO_LOCAL

# WAN holds only wlan2. protonwg01 (created in the ProtonVPN section) is NOT a
# member, which matters for the forward chain: its "VLAN Internet Access only"
# rule matches out-interface-list=WAN, so traffic leaving via the tunnel falls
# through to that chain's final drop unless the tunnel interface is added here.
/interface list member add interface=wlan2 list=WAN
# BASE: management-plane interfaces (neighbor discovery, MAC server, input accept).
/interface list member add interface=BASE_VLAN list=BASE
# VLAN: networks allowed to reach the internet; BLUE_VLAN is deliberately absent.
/interface list member add interface=BASE_VLAN list=VLAN
/interface list member add interface=GREEN_VLAN list=VLAN
/interface list member add interface=RED_VLAN list=VLAN
/interface list member add interface=PURPLE_VLAN list=VLAN
# NO_LOCAL: networks blocked from the home router's subnet (Block_addresses).
# BASE and GREEN are not listed, so they can still reach it.
/interface list member add interface=RED_VLAN list=NO_LOCAL
/interface list member add interface=BLUE_VLAN list=NO_LOCAL
/interface list member add interface=PURPLE_VLAN list=NO_LOCAL

# Local addresses on home router
/ip firewall address-list add address=192.168.0.0/24 list=Block_addresses

##################
# IPv4
##################

##################
# INPUT CHAIN
##################
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Allow BASE_VLAN full access to the device
/ip firewall filter add action=accept chain=input in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"
# NOTE(review): this final drop also discards new DNS queries (udp/tcp 53)
# arriving from GREEN/RED/BLUE/PURPLE_VLAN, even though their DHCP networks hand
# out 192.168.88.1 as the resolver. An accept for dst-port=53 from the VLAN
# interfaces that should use the router's resolver must sit above this drop
# for those clients to resolve names. DHCP itself is generally reported to work
# regardless of the input filter — confirm on this build.
# The same drop is what keeps the resolver (allow-remote-requests=yes) closed
# toward wlan2 and the tunnel; keep it last.
/ip firewall filter add chain=input action=drop comment="Drop"

##################
# FORWARD CHAIN
##################
# Cross-VLAN exception for one device; only connection-state=new is matched
# here, the replies are covered by the established/related accept below.
/ip firewall filter add action=accept chain=forward connection-state=new src-address=<src IP> dst-address=<dst IP> comment="Allow access to a specific device across VLANs"
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Redundant with the final drop (BLUE_VLAN is not in the VLAN list), but makes
# the intent explicit.
/ip firewall filter add action=drop chain=forward in-interface=BLUE_VLAN out-interface-list=WAN comment="Drop Blue VLAN access to Internet"
# NO_LOCAL (RED, BLUE, PURPLE) may not reach the home router's subnet.
/ip firewall filter add action=drop chain=forward dst-address-list=Block_addresses in-interface-list=NO_LOCAL
# NOTE(review): the WAN list contains only wlan2, so forwarded traffic leaving
# through protonwg01 does not match this rule and is dropped by the final
# "Drop" below. That matches the report that the tunnel is up but no external
# IP answers from the tunnelled VLAN. Adding protonwg01 to the WAN list (or an
# equivalent accept with out-interface=protonwg01) fixes it; adding it to WAN
# also extends the "drop all from WAN not DSTNATed" rule to the tunnel side.
# The earlier single-LAN listing worked only because its forward chain had no
# final drop.
/ip firewall filter add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Inter-VLAN traffic is not accepted anywhere above, so it ends here.
/ip firewall filter add chain=forward action=drop comment="Drop"

##################
# IPv6
##################
# IPv6 is disabled under /ipv6 settings; these drops are defence in depth in
# case it is ever re-enabled.
/ipv6 firewall filter add action=drop chain=input
/ipv6 firewall filter add action=drop chain=forward

##################
# NAT
##################
# Covers only wlan2 (the WAN list); the tunnel has its own masquerade rule in
# the ProtonVPN section. If protonwg01 is added to the WAN list, that extra
# rule becomes redundant.
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

#######################################
# VLAN Security
#######################################
# Access-port hardening: tagged frames from clients are rejected, so a client
# cannot place itself into another VLAN by tagging its own frames. wlan2 (the
# uplink) is not a bridge port and is therefore not listed.
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan4]


#######################################
# MAC Server settings
#######################################
/system clock set time-zone-name=<timezone>
/system routerboard settings set cpu-frequency=auto
# Management plane is reachable only from BASE: neighbor discovery and MAC
# telnet/WinBox are limited to that list and MAC ping is off.
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server ping set enabled=no

#######################################
# Turn on VLAN mode
#######################################
# Enabled last, once ports, pvids and the bridge VLAN table are complete;
# turning this on earlier can lock out management access.
/interface bridge set bridge vlan-filtering=yes



#######################################
# Setup ProtonVPN
#######################################

# RED
/interface wireguard
# The private key is redacted here; it is part of the exported configuration,
# so treat any export/backup of this router as secret material.
add comment="ProtonVPN interface" listen-port=12930 mtu=1420 name=protonwg01 \
    private-key=<PRIV KEY>

/routing table
# Dedicated FIB for RED_VLAN traffic; filled by the /ip route entry below and
# selected by the /routing rule at the end.
add disabled=no fib name=protonvpn_wg1

/interface wireguard peers
# allowed-address=0.0.0.0/0 as in Proton's .conf; persistent-keepalive keeps
# the uplink NAT mapping for the UDP session alive.
add allowed-address=0.0.0.0/0 endpoint-address=<IP address> endpoint-port=\
    51820 interface=protonwg01 persistent-keepalive=40s public-key=\
    <PUB Key>

/ip address
# /24 as recommended earlier in the thread; the connected route this creates is
# how the router itself reaches 10.2.0.1.
add address=10.2.0.2/24 interface=protonwg01 network=10.2.0.0

/ip dns
# This one upstream serves every VLAN (all DHCP networks hand out 192.168.88.1),
# so even the clearnet VLAN resolves through Proton's DNS and loses resolution
# whenever the tunnel is down. /ip dns has a single server list; per-VLAN
# resolvers have to come from different dns-server values in the DHCP networks.
set allow-remote-requests=yes servers=10.2.0.1

/ip firewall address-list
# Left over from the mangle-based variant; nothing else in this listing
# references under_protonvpn_RED.
add address=10.0.20.0/24 list=under_protonvpn_RED


# RED_VLAN addresses are unknown to the Proton side, so tunnelled traffic is
# source-NATed to the tunnel address.
/ip firewall nat add action=masquerade chain=srcnat out-interface=protonwg01

/ip route
add comment="ProtonVPN Wireguard default route" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=protonwg01 pref-src="" routing-table=\
    protonvpn_wg1 scope=30 suppress-hw-offload=no target-scope=10


/routing rule
# lookup-only-in-table sends everything from RED_VLAN to protonvpn_wg1, which
# holds only the default route above. NOTE(review): RED traffic to other local
# subnets (the cross-VLAN exception, the router's 192.168.88.1 resolver) has no
# route in that table; a preceding rule such as
# `dst-address=10.0.0.0/8 action=lookup table=main` (and one for
# 192.168.88.0/24) is the usual remedy — TODO confirm how this ROS build treats
# connected destinations under lookup-only-in-table.
add action=lookup-only-in-table src-address=10.0.20.0/24 table=\
    protonvpn_wg1

Okay if you can provide a diagram and state your FULL requirements clearly we can make more progress.