Firewall rules

Hello folks

I am new to MikroTik and seeking help to configure access to my IP camera behind a MikroTik router through the VPN…
I have added an image for you to view the scenario.
Router R1 and user PC1 are clients on the same WireGuard VPN network 10.253.0.0/24.
They can ping each other via the VPN.
What configuration do I make on R1 so that the IP cam listening on TCP port 8080 can be reached and viewed?


Thanks

What is missing is the router… where is the server for WireGuard (handshake) in this picture?
What are its settings/config, and if not MT, then what are its WireGuard settings and firewall rules, etc…
Can fix it if we don't know…

As for approach, yes, very simple to get the PC client to reach the webcam in this scenario.
You could also port forward from the ROUTER server through WireGuard to the IP cam (this would be the case where you want external users to reach the IP cam by connecting to the local WAN IP of the WireGuard server router and then through the tunnel to the IP cam, etc.)… I concur that the PC via WireGuard direct to the IP cam is more secure… just another option, not knowing the requirements.

/export file=anynameyouwish (minus router serial #, MAC address, any public WAN IP information, keys, etc.)

Actually I have an Unraid server on which I have configured the WireGuard server, 10.253.0.1.


My script:

/interface bridge
add name=LAN
/interface wireguard
add listen-port=51821 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile1 supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto mode=ap-bridge security-profile=profile1 ssid="OZIATECH CI"
/ip pool
add name=PlageDhcpLocal ranges=192.168.10.2-192.168.10.200
/ip dhcp-server
add add-arp=yes address-pool=PlageDhcpLocal always-broadcast=yes interface=LAN lease-time=10m name=ServeurDhcpLocal
/routing table
add disabled=no fib name=wg-table
/interface bridge port
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether2
add bridge=LAN interface=wlan1
/interface wireguard peers
add allowed-address=10.253.0.0/24,192.168.1.200/32 endpoint-address=160.154.125.48 endpoint-port=51820 interface=wireguard1 is-responder=yes name=peer4 persistent-keepalive=25s public-key="Z6gJylWj7b0qeNm8UAcnfPKtRlTtLHIZIcEH44SZtB0="
/ip address
add address=192.168.10.254/24 interface=LAN network=192.168.10.0
add address=10.253.0.2/24 interface=wireguard1 network=10.253.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.254 netmask=24
/ip firewall filter
add action=accept chain=input dst-port=8080 protocol=tcp
add action=accept chain=input comment="accept wireguard" in-interface=wireguard1 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=input in-interface=wireguard1 new-connection-mark=VPN-conn passthrough=yes protocol=tcp
add action=mark-routing chain=output connection-mark=VPN-conn new-routing-mark=wg-table passthrough=no protocol=tcp
add action=mark-connection chain=forward in-interface=wireguard1 new-connection-mark=VPN-conn-f passthrough=no protocol=tcp
add action=mark-routing chain=prerouting connection-mark=VPN-conn-f in-interface=LAN new-routing-mark=wg-table passthrough=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=wireguard1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.253.0.1 routing-table=wg-table suppress-hw-offload=no

The MikroTik will route unless you have specifically ruled it not to (or not so specifically, if you have a generic drop-all rule for anything that doesn't meet other criteria).

I think the other question not asked is: what is your WG configuration? Allowed IPs is what I'm getting at; is that set to 0.0.0.0/0 or just the WG subnet?
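As an added check (not from the thread), since the replies keep coming back to what the WireGuard allowed IPs cover: this script parses a RouterOS export in the format posted above and reports which peer's allowed-address list contains a given address. The sample export, the placeholder endpoint/key, and the probe addresses (10.253.0.5 standing in for PC1, 192.168.10.50 for the cam) are all constructed.

```python
import ipaddress
import shlex

# Constructed sample modelled on the export posted in the thread; the endpoint
# address and public key are placeholders, not the poster's values.
SAMPLE_EXPORT = """\
/interface wireguard
add listen-port=51821 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=10.253.0.0/24,192.168.1.200/32 endpoint-address=203.0.113.10 \\
    endpoint-port=51820 interface=wireguard1 name=peer4 public-key="PLACEHOLDER="
/ip address
add address=192.168.10.254/24 interface=LAN network=192.168.10.0
"""

def parse_export(text):
    """Yield (section, {key: value}) per add/set line; joins '\\' continuations."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif line.startswith(("add ", "set ")):
            # shlex strips the quotes around values such as comment="..."
            tokens = shlex.split(line)[1:]
            yield section, dict(t.split("=", 1) for t in tokens if "=" in t)

def covering_peer(text, address):
    """Name of the peer whose allowed-address contains address, else None.
    allowed-address is WireGuard's cryptokey routing table: a source not listed
    is dropped on receipt and a destination not listed is never sent into the
    tunnel, regardless of the firewall rules.
    """
    ip = ipaddress.ip_address(address)
    for section, kv in parse_export(text):
        if section != "/interface wireguard peers":
            continue
        for net in kv.get("allowed-address", "").split(","):
            if net and ip in ipaddress.ip_network(net, strict=False):
                return kv.get("name")
    return None

if __name__ == "__main__":
    # 10.253.0.5 stands in for PC1's tunnel address, 192.168.10.50 for the cam (both constructed).
    for probe in ("10.253.0.5", "192.168.10.50"):
        print(probe, "->", covering_peer(SAMPLE_EXPORT, probe))
```

On R1 only the source side matters for PC1's traffic (10.253.0.x is covered), but the server's peer entry for R1 needs the cam's LAN network in its allowed IPs or PC1's packets never enter the tunnel toward R1.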