How to set up a WireGuard VPN between Ubuntu and MikroTik

Hello!

I am trying to run a VPS as a WireGuard VPN server and get access to this VPN server from my local network behind a MikroTik router.

The WireGuard IP range is 10.9.0.0/24,
and the local network on my MikroTik is: 192.168.7.254/21

I want the VPS to have a gateway via WireGuard to my local network, so that it can ping it and forward packets to a server at home.

But: on the MikroTik I see that the connection is established, yet there is no ping from the VPS and no packets are sent.

VPS config

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:17:b8:98 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 185.230.143.197/32 brd 185.230.143.197 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 2a12:5940:b271::2/48 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe17:b898/64 scope link
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.9.0.0/24 scope global wg0
       valid_lft forever preferred_lft forever

iptables

iptables -t nat -A POSTROUTING -s 192.168.7.254/21 -j MASQUERADE

WireGuard config on VPS:

[Interface]
Address = 10.9.0.0/24
ListenPort = 9000
PrivateKey = aaaaaaaaaaaaaaa

[Peer]
PublicKey = xxxxxxxxxxxxxxx
PresharedKey = yyyyyyyyyyyyyyy
AllowedIPs = 10.9.0.0/24, 192.168.0.0/21
PersistentKeepalive = 25

MikroTik config:

/interface wireguard
add listen-port=9000 mtu=1420 name=wireguard

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=185.230.143.197 endpoint-port=\
    9000 interface=wireguard name=peer1 persistent-keepalive=25s \
    preshared-key="aaaa" private-key="bbbbbb" public-key="cccccccc"
    
/ip address
add address=192.168.7.254/21 comment=LAN interface=LAN-Bridge network=\
    192.168.0.0
add address=10.9.0.2/24 interface=wireguard network=10.9.0.0

/ip firewall address-list
add address=8.8.8.8 comment=DNS list="Trusted IPs"
add address=77.88.8.8 comment=DNS list="Trusted IPs"
add address=185.230.143.197 comment="VPS my" list="Trusted IPs"
add address=10.9.0.0/24 comment=WG list="Trusted Networks"

/ip firewall filter
add action=accept chain=input comment="Trusted Networks" src-address-list=\
    "Trusted Networks"
add action=accept chain=input comment="Trusted IPs" src-address-list=\
    "Trusted IPs"
add action=accept chain=input comment=LAN in-interface=LAN-Bridge
add action=accept chain=forward comment="route accept" in-interface=ether1 \
    ipsec-policy=in,ipsec
add action=drop chain=input comment="Drop All" src-address=!91.219.166.119

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10

https://andreacaracciolo.it/2024/03/15/debian-wireguard-server/

I am glad Italian WireGuard is the same as English WireGuard :wink:
All to say is I didn't even need the link to ask myself.

Why does the OP think that his IP address on the VPS server is any good/legitimate?
10.9.0**.0**/24

Could be reasonably: 10.9.0.1/24

Furthermore, the SERVER identifies each peer by its WireGuard IP address/32,
so this is also not correct:
AllowedIPs = 10.9.0.0/24, 192.168.0.0/21

Could be reasonably:
AllowedIPs = 10.9.0.2/32, 192.168.0.0/21

Finally, persistent keep-alive is required on the peer client device for the handshake, and thus should be removed from the VPS settings.
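The two configuration problems named in the reply above (an interface Address that is the network address of its prefix, and a peer whose AllowedIPs is the whole tunnel subnet instead of that peer's own /32) are easy to catch mechanically. The script below is an added example, not code from the original post, from WireGuard or from MikroTik: it parses a wg-quick style config and reports those two problems, and additionally the general cryptokey-routing rule that AllowedIPs ranges must not overlap between peers. The two embedded configs are constructed from the VPS config posted above, with placeholder keys; the "fixed" variant uses the addresses the reply suggests.

```python
"""Static checks for a wg-quick style WireGuard config (added example, not from the thread).

Findings reported:
  * [Interface] Address whose host part is the network address of its prefix (e.g. 10.9.0.0/24)
  * a [Peer] AllowedIPs entry equal to a whole tunnel subnet rather than the peer's own /32
  * AllowedIPs ranges that overlap between two peers (the kernel routes a range to one peer only)
"""
import ipaddress


def parse_wg_config(text):
    """Parse wg-quick INI text into {'interface': {...}, 'peers': [{...}, ...]}.

    A hand-rolled parser is used because configparser rejects the repeated
    [Peer] sections that WireGuard allows. Keys are lower-cased; values keep
    their '=' base64 padding because only the first '=' splits key from value.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return {"interface": interface, "peers": peers}


def _split(value, factory):
    """Split a comma-separated list of addresses and build ipaddress objects."""
    return [factory(v.strip()) for v in value.split(",") if v.strip()]


def check_wg_config(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_wg_config(text)
    findings = []

    # 1. Interface Address must be a host address inside its prefix, not the network address.
    tunnel_nets = []
    for addr in _split(cfg["interface"].get("address", ""), ipaddress.ip_interface):
        net = addr.network
        tunnel_nets.append(net)
        if net.prefixlen < addr.max_prefixlen and addr.ip == net.network_address:
            findings.append(
                f"Address {addr} is the network address of {net}; "
                f"use a host address such as {net.network_address + 1}/{net.prefixlen}"
            )

    # 2./3. Per-peer AllowedIPs: no whole-subnet entries, no overlap between peers.
    seen = []  # (peer index, network) pairs already assigned to some peer
    for i, peer in enumerate(cfg["peers"], 1):
        label = f"peer {i} ({peer.get('publickey', '?')[:8]}...)"
        for net in _split(peer.get("allowedips", ""), lambda v: ipaddress.ip_network(v, strict=False)):
            if net in tunnel_nets:
                findings.append(
                    f"{label}: AllowedIPs {net} is the whole tunnel subnet; "
                    f"give the peer its own /{net.max_prefixlen} inside it"
                )
            for j, other in seen:
                if j != i and net.version == other.version and net.overlaps(other):
                    findings.append(
                        f"{label}: AllowedIPs {net} overlaps {other} of peer {j}; "
                        f"WireGuard will deliver that range to only one of them"
                    )
            seen.append((i, net))
    return findings


# Constructed from the VPS config posted in the thread; keys are placeholders.
OP_VPS_CONFIG = """
[Interface]
Address = 10.9.0.0/24
ListenPort = 9000
PrivateKey = aaaaaaaaaaaaaaa

[Peer]
PublicKey = xxxxxxxxxxxxxxx
PresharedKey = yyyyyyyyyyyyyyy
AllowedIPs = 10.9.0.0/24, 192.168.0.0/21
PersistentKeepalive = 25
"""

# The same config with the addresses the reply suggests (constructed, placeholder keys).
FIXED_VPS_CONFIG = """
[Interface]
Address = 10.9.0.1/24
ListenPort = 9000
PrivateKey = aaaaaaaaaaaaaaa

[Peer]
PublicKey = xxxxxxxxxxxxxxx
PresharedKey = yyyyyyyyyyyyyyy
AllowedIPs = 10.9.0.2/32, 192.168.0.0/21
"""

if __name__ == "__main__":
    for name, text in (("posted", OP_VPS_CONFIG), ("fixed", FIXED_VPS_CONFIG)):
        print(f"== {name} config ==")
        for finding in check_wg_config(text) or ["no findings"]:
            print(" -", finding)
```

Run it against a config and it prints one line per problem; the posted config yields two findings (the .0 Address and the /24 AllowedIPs) and the corrected one yields none. Note that the MikroTik side's `allowed-address=0.0.0.0/0` is not flagged: on a client with a single peer a catch-all is the normal choice, and the overlap rule only bites once a second peer exists.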