Feature Request: Allow Address Lists on Wireguard

Simple request here. Currently we can only add individual IPs to the allowed-addresses portion of a wireguard peer. It would be nice to be able to add “address lists” like we do for firewall rules.
Sometimes I need to add domains, or a lot of IPs, and this would provide a clean way to do it.


Edit:
This Address list would be used in the “Allowed-Addresses” portion of /interface wireguard peers

Your request is unclear…
Where would you use this address list?

You’re right, I forgot to mention it.
This Address list would be used in the “Allowed-Addresses” portion of /interface wireguard peers.

I suppose I can currently do this with a script, but so much of the foundations are already in place in RouterOS that it should be a relatively straight forward process.

I disagree with your request if I think I understand what you are getting at. Appears to be nonsensical!

Each entry for Allowed IPs is specific (at least on the Server Client (server for handshake)) to ONE client peer.
One does not list all the clients on one line???
Remember each peer also has a unique public IP, which is also included in that specific definition of each peer.

Therefore, please explain what you mean, cause not getting it???

With Wireguard we have to define the networks we want to allow communication with. If we are talking server side, it usually is one (very) small range. But if we are talking client side (or if we are connecting two or more sites), it’s quite common to have several ranges declared.

Also, I think the OP is mistaking Mikrotik’s implementation with wg-quick implementation. With wg-quick the accepted ranges are inserted on the routing table, so no further action is necessary. With Mikrotik the only effect is to allow traffic - we still have to declare the routes, if beyond the Wireguard’s interface range.

Also, due to how Wireguard works, I’m not sure it would be a good thing to change on the fly these ranges…
But That’s what I understood from the OP request.

Well that's the rub.
If the discussion is about adding client devices, the request makes no sense.
If this is about client peers ( and server peer ) being able to add applicable SUBNETS to allowed IPs, and their concomitant IP Routes, then we can have a better discussion.

Q, Can MT implement these two things??
Assume R1 - Server Peer for handshake, connection to R2, with subnets A-Z

allowed-address=172.168.16.2/32,SubnetA,SubnetB,SubnetC,...,SubnetZ interface=wg1 public-key="======"

add dst-address=SubnetA gateway=wg1 routing-table=main


add dst-address=SubnetZ gateway=wg1 routing-table=main

TO
allowed-address=172.168.16.2/32,dst-address-list=SubnetsR2 interface=wg1 public-key="================"
add dst-address-list=SubnetsR2 gateway=wg1 routing-table=main

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Chances…99.999999% NO

I don’t use wg-quick
Let me make the reasons for my request very clear with one sample use case:

My main router at home (Site A) is a mikrotik. I have WG enabled on it acting as a “server” (I realize server doesn’t make sense in the WG world, so call it an “endpoint” if you wish).
I also have another site (Site B) with a mikrotik router that is connected to my home through WG. I have a single Netflix account I wish to use at both locations, but while it’s me at both places, Netflix thinks I’m sharing my account, and therefore wants to block me at site B. Now I can route all my traffic from Site B to Site A, but that’s excessive. It would be much nicer to split the tunnel and only pass Netflix traffic through. As with a lot of services, Netflix uses domains for access (and even if it doesn’t, just go with me on this because it applies to other situations too where ips may be dynamic and tied to domains). So in the allowed-addresses field of /interfaces wireguard peers on Site B, I would like to enter an address list of Netflix domains to allow for just passing that traffic through.

I suppose the second problem is that I would have to set up routes for those IPs as well, which would require /ip route to allow for address lists too. From what I remember we used to be able to do this through mangle rules, but that may not be the case on ROS7.

Once again, I could in theory set allowed-addresses as 0.0.0.0/0 and only set up routes to those ips. But it doesn’t seem proper.

As I surmised, it's a request born of not knowing how WG works.
If your intention was to go out the internet of R1 (server for handshake peer) from R2 (client peer), then 0.0.0.0/0 for the allowed-IP entry is CORRECT and PROPER at R2!!!
Ensuring which devices at your end, R2, enter the tunnel is up to you, and there are several options.

At R1, one only needs to note which subnets are coming across from R2 and ensuring routes are setup to get the return traffic back into the tunnel.
In addition firewall rules to allow DNS, and access to WAN, normally solved at R1 by simply making the wireguard interface a member of the LAN interface list.

HENCE, the title of this thread was wrongly worded and wrong intentioned;
It should have been something like:

Request Help To Access Netflix via Wireguard Between Two MT routers.

anav, I appreciate the discussion, so please indulge me. And this isn’t strictly about Netflix, that was an example.

Suppose from “R2” I want to route the address pointed to from example.com, and only that address, out the internet of “R1”. Keep in mind that address may change at any time even though the domain will remain constant. How would you go about doing so?

Obviously there are many ways to skin a cat, some are hacky and some are elegant. Currently with ROS7 the way it is I’d likely set up a script to keep an eye on IP changes and add/remove/modify them as necessary. It’s interesting to me that our endpoints can be domains, but our allowed addresses can’t.
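
The script approach mentioned above, written out as an added example (this is not code from the thread or from MikroTik): a scheduled RouterOS 7 script on R2 that resolves one domain, rewrites the R1 peer's allowed-address to the tunnel /32 plus the resolved /32, and keeps the matching /ip/route in step, since RouterOS does not add routes from allowed-address the way wg-quick does. The peer comment "R1", interface "wg1", the tunnel address 10.255.0.1/32, the domain example.com and the scheduler name are assumptions. It only handles a domain with a single A record; `:resolve` returns one address, so a CDN-backed name that answers with several IPs needs the address-list approach instead.

```routeros
# Added example, not from the thread. Assumed names: peer comment "R1",
# interface "wg1", R1 tunnel address 10.255.0.1/32, domain example.com.
:local domain "example.com"
:local peerComment "R1"
:local tunnelAddr "10.255.0.1/32"
:local routeTag "wg-allowed:$domain"

# Resolve first; if DNS fails, leave the peer and route untouched
:local resolved
:do {
    :set resolved [:resolve $domain]
} on-error={
    :log warning "wg-allowed: could not resolve $domain, keeping current entry"
    :error "resolve failed"
}
:local wantedEntry "$resolved/32"

# Locate the peer by its comment (peer names are not relied on here)
:local peerId [/interface/wireguard/peers find comment=$peerComment]
:if ([:len $peerId] = 0) do={ :error "wg-allowed: peer $peerComment not found" }

# Only rewrite when the resolved /32 is not already in allowed-address;
# rewriting the whole list also drops the previous address of the domain
:local current [:tostr [/interface/wireguard/peers get $peerId allowed-address]]
:if ([:typeof [:find $current $wantedEntry]] = "nil") do={
    /interface/wireguard/peers set $peerId allowed-address="$tunnelAddr,$wantedEntry"

    # Keep exactly one route for this domain, tagged by comment
    /ip/route remove [find comment=$routeTag]
    /ip/route add dst-address=$wantedEntry gateway=wg1 comment=$routeTag

    :log info "wg-allowed: $domain is now $resolved via peer $peerComment"
}
```

Save it under /system/script (for instance as `wg-allowed`) and run it from /system/scheduler with an interval a little shorter than the record's TTL, e.g. `add name=wg-allowed interval=5m on-event=wg-allowed`. Because allowed-address is also WireGuard's cryptokey routing filter, R2 will drop tunnel packets whose source is neither the tunnel /32 nor the resolved address, so reply traffic from the domain must come back with exactly that source address, which is another reason the approach breaks down for names that resolve to many hosts.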

You're mixing apples and oranges. THIS IS NOT A WIREGUARD ISSUE!!!

Once you set 0.0.0.0/0 on the R2 router, wireguard could care less about destinations, they are all included.

Its up to you the admin on how to send folks to wireguard for that domain.
I suppose the easiest way is to have vlan and/or WIFI SSID/vlan that only is used for that purpose, namely going out wireguard and that traffic is always going out wireguard using Routing Rules.
You can send individual users just to wireguard all the time by Routing Rules
Finally you can mangle a large group of users out wireguard all the time by mangling.
None of these approaches care about the domain, they simply identify who needs to go out R1 internet all the time.

You can get more complex by mangling just for that dst…
/ip firewall address-list
add address=mydomain.com list=ExternalSite
add address=lanip1 list=NetflixUsers
add address=lanip2 list=NetflixUsers

/ip firewall mangle
add action=mark-routing chain=prerouting src-address-list=NetflixUsers dst-address-list=ExternalSite new-routing-mark=via-WG passthrough=no

Then need
/routing table add fib name=via-WG

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So you can send specific users or vlans out wireguard easily, or you can send those heading to that domain name out via wireguard, with a bit more work.

As a matter of fact, it's still not R2's problem, as it will be DNS on R1 that finds any www site.

You probably don't need to add the below firewall address list, as that has already been done on R2; in other words, the dest address of the users has already been determined…

/ip firewall address-list
add address=mydomain.com list=ExternalSite

/ip firewall filter
add chain=forward action=accept in-interface=wireguard1 dst-address-list=ExternalSite

The router will keep track of the IP of the external site, and the firewall rule ensures such traffic is permitted
Although the way I configure wireguard on R1, it's already allowed, as wireguard is added to the LAN interface list and I have this rule.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
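
The pieces above assembled into one complete pair of configs, as an added example (this is not the poster's own config and not MikroTik documentation): R2 keeps allowed-address=0.0.0.0/0 on its R1 peer and uses an address list plus a mark-routing mangle rule to steer only the listed LAN hosts' traffic to the listed domain into a separate routing table whose default route is wg1; R1 lists R2's LAN in allowed-address, routes it back into the tunnel, and lets tunnel traffic out to the WAN. The tunnel prefix 10.255.0.0/30, R2's LAN 192.168.88.0/24, the host addresses, port 13231, the endpoint name and the placeholder keys are all assumptions.

```routeros
# Added example, not from the thread. All addresses, names and keys are assumed.

# ----- R2 (client peer): split tunnel by address list -----
/interface/wireguard
add name=wg1 listen-port=13231
/interface/wireguard/peers
add interface=wg1 comment=R1 public-key="<R1 public key>" \
    endpoint-address=r1.example.net endpoint-port=13231 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip/address
add address=10.255.0.2/30 interface=wg1

# Hostname entries are resolved by the router and refreshed as the record changes
/ip/firewall/address-list
add address=example.com list=ExternalSite
add address=192.168.88.10 list=NetflixUsers
add address=192.168.88.11 list=NetflixUsers

# Separate table with its own FIB; its only route is the tunnel default
/routing/table
add fib name=via-WG
/ip/route
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=via-WG

# Mark only flows that match BOTH lists; everything else follows the main table
/ip/firewall/mangle
add chain=prerouting src-address-list=NetflixUsers dst-address-list=ExternalSite \
    action=mark-routing new-routing-mark=via-WG passthrough=no

# ----- R1 (handshake "server" peer): accept R2's LAN and forward it to the WAN -----
/interface/wireguard
add name=wg1 listen-port=13231
/interface/wireguard/peers
add interface=wg1 comment=R2 public-key="<R2 public key>" \
    allowed-address=10.255.0.2/32,192.168.88.0/24
/ip/address
add address=10.255.0.1/30 interface=wg1

# Return route so replies for R2's LAN go back into the tunnel
/ip/route
add dst-address=192.168.88.0/24 gateway=wg1

# Treat the tunnel as LAN so the usual LAN->WAN forward and srcnat rules cover it
/interface/list/member
add interface=wg1 list=LAN
/ip/firewall/filter
add chain=input protocol=udp dst-port=13231 action=accept comment="wireguard handshake"
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept
/ip/firewall/nat
add chain=srcnat out-interface-list=WAN action=masquerade
```

Two things to check when this does not behave as expected. First, the address list resolves example.com with R2's own DNS; a LAN client that uses a different resolver (or DNS over HTTPS) can be handed a different CDN address than the router has in the list and will miss the mark, so point the listed clients at R2 for DNS. Second, allowed-address=0.0.0.0/0 on R2 means R2 accepts tunnel packets from R1 with any source address, which is fine when you administer both ends but is worth remembering if R1 is ever shared with other peers.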

How about create a firewall address list, and use mangle to mark anything going to Netflix as a new routing table?

You can use the domain names to create the list, there is no need to hack scripts, and Wireguard just gets one 0.0.0.0/0 in the allowed addresses. Or two, if you need IPv6 too.

Much appreciated anav

I’ll test it out.