hEX + Surfshark - getting different VPN connections on port 1,2,3 and 4.

stiga · November 26, 2022, 2:46pm

Hi,
Just purchased a hEX RB750Gr3.
ether1 is connected to my network, and got an internal IP.
Managed to configure surfshark and got the VPN connection working on det hEX istelf.
DNS is working. I can ping google.com.
But connecting to ether2,ether3,ether4 or ether5 is not working.

What I would like is to connect to
ether2 - and get VPN connection to Denmark
ether3 - and get VPN connection to Finland
ether4 - and get VPN connection to USA
ether5 - and get VPN connection to Germany

How do I brigde/connect the ether-ports to be able to use different VPN connections ?

anav · November 26, 2022, 3:00pm

https://forum.mikrotik.com/viewtopic.php?p=908118

That is not how wireguard works… its peer to peer!
You will need a new IP and a different wireguard interface for each location

stiga · November 26, 2022, 3:15pm

Ah, that makes sense. Thank you. Only one VPN connection can be enabled with wireguard.
Next step is to get PC that are connected to ether2-5 to be able to use the VPN then.

Sob · November 26, 2022, 4:58pm

You can have many connections even with single WG interface. But remote addresses must not overlap. But when you want to route traffic to internet over it (i.e. remote address can be anything), they would always overlap. So you need separate WG interface for each.

anav · November 26, 2022, 5:08pm

Well stated as the op seemingly wants internet access to various sites and since such an allowed IP setting is 0.0.0.0/0 on the wireguard, it becomes clear that a different wireguard interface is required as the router would always pick the first peer for every internet attempt. ( order counts ) and never attempt to reach the rest of the sites.

stiga · November 26, 2022, 6:37pm

Do I need to setup dhcp server on the hEX for ether2-5 ?.
Try to read up here;
https://help.mikrotik.com/docs/display/ROS/WireGuard
https://help.mikrotik.com/docs/display/ROS/DHCP
Also trying to youtube too..
https://www.youtube.com/watch?v=P6f8Qc4EItc

anav · November 26, 2022, 8:04pm

Wont give any advice until you decide what the requirements are, seems to be a bit disjointed at the moment.
Try drawing a network diagram to show your intentions.
Then post full config
/export file=anynameyouwish ( minus router serial number or any public WANIP information )

stiga · November 26, 2022, 9:59pm

Okey, so what i’m trying to figure out is how to use this device, as a “easy connect to different vpn countries”.
Did manage to enable dhcp server and when I connect PC to ether2/3/4/5 - check whatsmyip - and I can see that i’m using the VPN tunnel. I can ping google.com etc, but I cannot use web or netflix.

My config:

# nov/26/2022 22:36:40 by RouterOS 7.6#
# model = RB750Gr3

/interface bridge
add fast-forward=no name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1.ISP
/interface wireguard
add listen-port=13231 mtu=1420 name=Wireguard-Denmark
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=se
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1.LAN ranges=192.168.50.2-192.168.50.100
/ip dhcp-server
add address-pool=pool1.LAN interface=BridgeLAN name=server1.LAN
/port
set 0 name=serial0
/interface bridge port
add bridge=BridgeLAN interface=ether2
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=ether4
add bridge=BridgeLAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1.ISP list=WAN
add list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=195.26.6.39 endpoint-port=\
    51820 interface=Wireguard-Denmark public-key=\
    "oUFRc+2234gogDVWnJF4RAzr72P5afCzMVeQOgG92lY="
/ip address
add address=10.14.0.2/16 interface=Wireguard-Denmark network=10.14.0.0
add address=192.168.50.1/24 interface=BridgeLAN network=192.168.50.0
/ip dhcp-client
add interface=ether1.ISP
/ip dhcp-server network
add address=192.168.50.0/24 comment="LAN DHCP" gateway=192.168.50.1 netmask=\
    24
/ip dns
set allow-remote-requests=yes servers=162.252.172.57,149.154.159.92,8.8.8.8
/ip firewall address-list
add address=192.168.1.0/24 list=Surfshark
/ip firewall filter
add action=accept chain=output
add action=accept chain=input disabled=yes
add action=accept chain=forward
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=ether1.ISP
add action=masquerade chain=srcnat out-interface=Wireguard-Denmark
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Wireguard-Denmark \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=195.26.6.39/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=\
    Wireguard-Denmark pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.0.10/32 gateway=\
    Wireguard-Denmark pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Stockholm

stiga · November 26, 2022, 10:13pm

Tried to draw this.
Untitled Diagram.drawio.png

anav · November 27, 2022, 1:23am

Not interested in a config with a firewall that is non-existent. If its facing the internet you should at least have a decent firewall.
https://forum.mikrotik.com/viewtopic.php?t=180838
/ip firewall filter ???
add action=accept chain=output
add action=accept chain=input disabled=yes
add action=accept chain=forward

What I dont understand are your routes.

You need
a. standard route for going out your WANIP address

THen for wireguard you need.
a. table

/routing table
add name=use-WG-Denmark fib

b. a route.
add dst=address=0.0.0.0/0 gwy=Wireguard-Denmark table=use=WG-Denmark

c. a routing rule to force people out wireguard and not the local WANIP.
but we dont know quite enough yet to formulate …
+++++++++++++++++++++++++++++++++

Now we need to know what your requirements are.
Which LAN subnet should go out wireguard and if wireguard is not working for whatever reason should they be able then to fall back on and use the local WANIP?

anav · November 27, 2022, 1:26am

If you are planning on buying enough vpns from a provider, then

a. as many tables needed, one for each wg configuration
/routing table
add name=use-WG-Denmark fib
add name=use-WG-Finland fib
add name=use-WG-USA fib
add name=Use-WG-Germany fib

b. add dst=address=0.0.0.0/0 gwy=Wireguard-Denmark table=use-WG-Denmark
add dst=address=0.0.0.0/0 gwy=Wireguard-Finland table=use-WG-Finland
add dst=address=0.0.0.0/0 gwy=Wireguard-USA table=use-WG-USA
add dst=address=0.0.0.0/0 gwy=Wireguard-Germany table=use-WG-Germany

c. Routing rules.
add src-address=subnetA action=lookup table=use-WG-Denmark
add src-address=subnetB action=lookup table=use-WG-Finland
add src-address=subnetC action=lookup table=use-WG-USA
add src-address=subnetD action=lookup table=use-WG-Germany

+++++++++++++++++++
As stated need more info for routing rules. Which Subnet going out which wireguard tunnel.
You could have users select this on a WIFI basis, with SSIDs identifying the vlan/subnet and thus users decide.

In addition another consideration is subnet to subnet traffic. You should note that user will NOT be able to visit other subnets UNLESS you add additional rules allowing this PRIOR to the subnet being forced out the internet via wireguard.

Typically one uses a destination address
add dst-address=subnetA action=lookup-only-in-table table=main { all users in every other subnet wanting to go to subnet A, will be sent to main table and thus will reach subnet A }

wuhoatu · November 27, 2022, 5:58am

It seems that you have no routing table nor routing rule.

Okey, so what i’m trying to figure out is how to use this device, as a “easy connect to different vpn countries”.
Did manage to enable dhcp server and when I connect PC to ether2/3/4/5 - check whatsmyip - and I can see that i’m using the VPN tunnel. I can ping google.com etc, but I cannot use web or netflix.

My config:

# nov/26/2022 22:36:40 by RouterOS 7.6#
# model = RB750Gr3

/interface bridge
add fast-forward=no name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1.ISP
/interface wireguard
add listen-port=13231 mtu=1420 name=Wireguard-Denmark
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=se
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1.LAN ranges=192.168.50.2-192.168.50.100
/ip dhcp-server
add address-pool=pool1.LAN interface=BridgeLAN name=server1.LAN
/port
set 0 name=serial0
/interface bridge port
add bridge=BridgeLAN interface=ether2
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=ether4
add bridge=BridgeLAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1.ISP list=WAN
add list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=195.26.6.39 endpoint-port=\
    51820 interface=Wireguard-Denmark public-key=\
    "oUFRc+2234gogDVWnJF4RAzr72P5afCzMVeQOgG92lY="
/ip address
add address=10.14.0.2/16 interface=Wireguard-Denmark network=10.14.0.0
add address=192.168.50.1/24 interface=BridgeLAN network=192.168.50.0
/ip dhcp-client
add interface=ether1.ISP
/ip dhcp-server network
add address=192.168.50.0/24 comment="LAN DHCP" gateway=192.168.50.1 netmask=\
    24
/ip dns
set allow-remote-requests=yes servers=162.252.172.57,149.154.159.92,8.8.8.8
/ip firewall address-list
add address=192.168.1.0/24 list=Surfshark
/ip firewall filter
add action=accept chain=output
add action=accept chain=input disabled=yes
add action=accept chain=forward
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=ether1.ISP
add action=masquerade chain=srcnat out-interface=Wireguard-Denmark
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Wireguard-Denmark \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=195.26.6.39/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=\
    Wireguard-Denmark pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.0.10/32 gateway=\
    Wireguard-Denmark pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Stockholm

So I don’t think that your internet connection working via Surfshark.
I am now stuck with making Surfshark+WG working on my HexS.

stiga · November 27, 2022, 11:36am

The device is behind a firewall, pfsense, already and gets an internal ip from the firewall/dhcp server.
The “allow all firewall” on the hEX is just to make sure that its not dropping anything.. but this I can adjust and tighten again, when I know it works

stiga · December 4, 2022, 11:01am

Okey, I will try to setup the device all over again. Really want this to work.
Its easy to the the surfshark software on a pc, but would be nice to have it working on the device - so I could just connect to see netflix from another country

anav · December 4, 2022, 7:18pm

Yup it should just work.
Post your latest config and I will have another look.
Lets start with one good wireguard connection, after that just buy more connections from the provider one for each country.