How to forward Mikrotik LAN via Wireguard interface

Hi everyone,

I would appreciate your help, as I’m banging my head on this for days… I have setup a wireguard server in docker on a personal linux server I own with a static IP address (namely the https://github.com/wg-easy/wg-easy docker image). It’s WG IP is 10.8.0.1. I have installed the WG client on a macbook (10.8.0.3) and connect to the server flawlessly. Third and final peer is on a MikroTik SXT LTE6 router, with address 10.8.0.2, which also connects to my WG server. My macbook can see the mikrotik router (on its 10.8.0.2 address, and so can MT see the macbook). Via port forwarding, I can access certain devices behind my LAN network on MT (192.168.210.0/24) from my macbook (see the dstnat rules of my config I attach). What I would ideally want though is to access my entire LAN net from my macbook directly, using the 192.168.210.0/24 address space. Unfortunately I cannot correctly setup this forwarding. Could someone please help? I attach my router’s config and my macbook’s peer WG config.

Thank you in advance!
mikrotik.txt (10.1 KB)
wg0.txt (789 Bytes)
macbook-wg.txt (190 Bytes)

To help understand.
You have an ISP connection with an unamed Router, where you have a linux server running wireguard or thereabouts.
You have a macbook pro which you can connect to the wireguard instance from any remote site.
You have a different location that has a MT router that is another peer client and connects to the linux server WG.

You would like to access the full MT LAN from the macbook pro.

The confusing bit for me is the port forwarding…
From which device to which public IP etc… how does it get from macbook pro to MT router ???

You are correct in the sense I didn’t explain my end goal…

You have an ISP connection with an unamed Router, where you have a linux server running wireguard or thereabouts.

That is correct. I’m running WG, inside a docker container, from site A which has a static IP.

You have a macbook pro which you can connect to the wireguard instance from any remote site.

Also correct. My macbook peer connects to the server successfully.

You have a different location that has a MT router that is another peer client and connects to the linux server WG. You would like to access the full MT LAN from the macbook pro.
The confusing bit for me is the port forwarding…
From which device to which public IP etc… how does it get from macbook pro to MT router ???

I’m using WG tunnel as my ISP on the mikrotik side blocks all ports, and thus I cannot expose any port to the outside world. The idea was to setup a WG server on a machine which I have full control and open a WG port accessible via my static IP, and then have the MT router on the other, restrictive ISP, connect to it and act as a client / peer. Then, my macbook peer (10.8.0.3) should be able to connect to my MT peer (10.8.0.2) and from there to my internal LAN. The tunnel connection is being established correctly. I can ping from my macbook the WG IP for my MT router, but I cannot access any IP inside my LAN (int the 192.168.210.0/24 range) which is behind my MT. What I have been able to do is to select some vital machines inside my LAN and access them via NAT, but essentially I’m accessing them all via the WG IP of my MT on a bunch of ports I have specified.

Surely I need to create some forwarding rules, but I have been unsuccessful in doing so. Any help is greatly appreciated!

Sorry, no less clear and actually more muddled.

You cannot have an MT device using wireguard as its ISP without an ISP in the first place to allow the tunnel connection.
So what is the MT device connected to?
In other words provide a diagram or it makes no sense.

I apologize for the confusion. Attached is my network diagram. What I meant is that my mikrotik is connected to the internet via a restrictive ISP which blocks all ports. Thus, my Mikrotik cannot act as a WireGuard server itself, for my phone or laptop or desktop on the other side of the world connect directly to it. That is why I’m hosting my WireGuard server on a VM somewhere else, inside a docker container, on which I can expose a public port to the internet for others to connect to. Thus my Wireguard server’s endpoint address is static, valid and operational!

With this setup, Mikrotik becomes a wireguard client. What I want is somehow to be able to access from my laptop (10.8.0.3), all the machines inside my internal network which live behind mikrotik via the wireguard tunnel connection. Unfortunately I cannot ping any machine on the 192.168.210.0/24 range from my laptop. I can only access the WireGuard IP (10.8.0.2) of my mikrotik. Most probably the necessary routes are missing from the mikrotik side, and perhaps on the wireguard server itself. Although I have 192.168.210.0/24 in the allowed IPs list of my laptop WG peer setup, when I hit an address (e.g. 192.168.210.2), the wireguard server inside the docker image doesn’t know where to forward the request, or if it does, certain routes need to be created on the mikrotik side to allow it to pass inside my LAN and back again via its WG IP (10.8.0.2). That’s where I’m stuck!

I managed to resolve the issue after all. The wireguard docker implementation I was using (wg-easy) did not support peers’ LAN sharing after all. I installed a different wireguard docker image and everything now works as expected! Sorry to have bothered you.

Sounds great.
Yes, not having a mikrotic CHR in the cloud its a bit harder to setup but sounds like you covered the bases.
So I will explain it from a CHR perspective since the request is valid.

Problem. Cannot reach MIKROTIK device due to ISP situation ( blocks port, non public IP and unable to port forward )
Need. For users to reach servers on the MIKROTIK device.

Solution1: Use another SITE (like VM cloud or friends home) for folks to aim their plain text server requests and then send that traffic in a wireguard tunnel to the MIKROTIK.

CLoud CHR:
WIreguard Server for handshake.
Peer Clients: include MIKROTIK ROUTER and admin remote devices ( to reach and configure CHR and to reach and configure MIKROTIK while away from router )

Firewall settings:
allow wireguard port udp 15535 (input chain)
allow port forwarding (forward chain)
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0

Wireguard settings:
peer1 /32 wg address for mikrotik,ServersubnetA,ServerSubnetB - wireguardCHR - public key
peer2 /32 wg address for admin laptop - wireguardCHR - public key
ex.
peer3 allowed-ips=10.10.20.4/32 interface=wireguardCHR public key=“----” comment=“admin smartphone”

Two possibilities for handling external requests.
a. the server needs to see the original source address from user ( or admin wants to record that at server )
b. the server does not require to see the original source address and thus we can simplify traffic to the MT. RECOMMENDED
( one can always record the initial dstnat rule connections from users on the CHR, and thus have a list of external users )

a. no change
b. we sourcenat all the traffic leaving the wireguardinterface to the wireguard IP
( /interface list members add interface=wireguard1 list=WAN
( works with default rule add chain=srcnat action=masquerade out-interface-list=WAN )

Standard Port forwarding rule
add chain=dstnat action=dst-nat dst-address=CHRaddress dst-port=xxxxx protocol=yy to-address=192.168.44.12 comment=“To server subnet A on MT”
add chain=dstnat action=dst-nat dst-address=CHRaddress dst-port=bbbbb protocol=cd to-address=192.168.12.5 comment=“To server subnet B on MT”

/ip route
add dst-address=192.168.44.0/24 gateway=wireguard1 routing-table=main
add dst-address=192.168.12.0/24 gateway=wireguard1 routing-table=main

+++++++++++++++++++++++++++++++++++++

Mikrotik
Wireguard settings

Remember the two options above, the first was the server needs to see the addresses and thus when the server returns original addresses back through wireguard they need to include all possible addresses:
a. add allowed-addresses**=0.0.0.0/0** interface=wireguardhome endpointIP=CHR endpoint-port=15535 persistent-keep-alive=25 interface=wireguardhome public-key=“----”

Otherwise if all the traffic from wireguard appears to come from the single IP address then the allowed ip changes;;;;;;;;
b. add allowed address=10.10.20.0/24 interface=wireguardhome endpointIP=CHR endpoint-port=15535 persistent-keep-alive=25 interface=wireguardhome public-key=“----”

In both cases need.
/firewall rule add action=accept chain=forward in-interface=wireguardhome dst-address=ServerList


CaseA:
Where it gets tricky IMHO, is the return traffic for case A. that is because the originating IP address is unknown.
Therefore how do we ensure that the server traffic goes back out Wireguard tunnel and not to the local internet.
We use routing rules to ensure that this happens

/routing table
add name=useWG fib

/routing rule
add min-prefix=0 action=lookup-only-in-table table=main { ensures local traffic first between local users, when interacting with the servers on the MT, is permitted )
add src-address=server1 action=lookup-only-in-table table=useWG { rest of server traffic is sent back through the tunnel }
add src-address=server2 action=lookup-only-in-table table=useWG
…
add src-address=serverN action=lookup-only-in-table table=useWG

/ip route
add dst-address=0.0.0.0/0 gateway=wireguardhome routing-table=useWG

CASE B.

The source address of the incoming traffic is known to the router (as being part of the existing wireguard subnet) and thus no special accommodations need be made.
Traffic being returned by the servers is sent back through the wireguard interface to the cloud instance.

Option2.

Forget port forwarding. Use Wireguard directly from users to SERVERS!
Requires that you know the users and they are capable of setting up wireguard at that end.
They need a public key from your MT and you need the public key their end produces.

The firewall rules at the CHR ensure that relay is possible
add chain=forward action=accept in-interface=wireguardCHR out-interface=wireguardCHR

In other words, any Peer client TO Server is handled by the first part of the rule and then Server TO different peer client is handled by the second half.
One still needs the routes for the subnets of the servers on the MT device, so that
the router knows to send the first part of the rule back out out for the second half of the rule
/ip route
add dst-address=192.168.44.0/24 gateway=wireguard1 routing-table=main
add dst-address=192.168.12.0/24 gateway=wireguard1 routing-table=main

firewall rules at the MT decide which wireguard address can go to servers on the forward chain etc…
and which ones can go to Input chain for admin acccess.

May I ask which Docker image you're using now?
I'm currently experiencing the same issue as you. Thank you.