Mullvad WG VPN as a second WAN for use of a subnet?

nin · December 5, 2023, 7:32pm

Dear friends,

I was thinking of putting a present, a Mullvad VPN 12 months Card to good use.
Let’s assume that I have this config on my CCR:

RouterOS 7.12

/interface bridge
add igmp-snooping=yes name=bridge1
/interface vlan
add comment=Telekom interface=ether1 name=VLAN vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=VLAN max-mru=1492 max-mtu=
1492 name=T-DSL use-peer-dns=yes user=
00000000000000000000000000000@t-online.de
/disk
set usb1 type=hardware
set usb2 type=hardware
add parent=usb2 partition-number=1 partition-offset=512 partition-size=
“31 268 535 808” type=partition
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment=“Appliances etc” name=untrusted-pool ranges=192.168.88.0/24
add comment=“Guest Wifi” name=guest-pool ranges=192.168.13.0/24
add comment=“trusted VPN clients” name=Mullvad ranges=192.168.10.0/24
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=ether6
add bridge=bridge1 ingress-filtering=no interface=ether7
add bridge=bridge1 ingress-filtering=no interface=ether8
add bridge=bridge1 ingress-filtering=no interface=ether9
add bridge=bridge1 ingress-filtering=no interface=ether10
add bridge=bridge1 ingress-filtering=no interface=ether11
add bridge=bridge1 ingress-filtering=no interface=ether12
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=none
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.1/16 interface=bridge1 network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=10m name=dhcp1
/ip dhcp-server lease
add address=192.168.7.150 client-id=1:3c:2a:f4> > 1e:a comment=Printer
mac-address=3C:2A:F4:0B:1E:0A server=dhcp1
add address=192.168.7.30 client-id=1:58:c1:7a:c:db:dc comment=
“cnPilot E600 1” mac-address=58:C1:7A:0C:DB:DC server=dhcp1
add address=192.168.7.40 client-id=1:58:c1:7a:c:90:a4 comment=
“cnPilot E600 2” mac-address=58:C1:7A:0C:90:A4 server=dhcp1
add address=192.168.7.100 client-id=1:70:85:c2:5e:4a:92 comment=“Admin PC”
mac-address=70:85:C2:5E:4A:92 server=dhcp1
(…tons of lease entries deleted)
/ip dhcp-server network
add address=192.168.0.0/16 gateway=192.168.1.1 netmask=16
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment=“6to4 relay Anycast [RFC 3068]” list=
not_in_internet
add address=192.168.0.0/16 list=allowed_to_router
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack
connection-state=established,related hw-offload=yes
add action=accept chain=input comment=“accept established, related input”
connection-state=established,related
add action=accept chain=input comment=“, accept allowed_to_router”
src-address-list=allowed_to_router
add action=accept chain=input comment=“allow icmp input” protocol=icmp
add action=accept chain=forward comment=“Established, Related”
connection-state=established,related
add action=accept chain=forward comment=“This allows clients from inner protec
ted network to access Internet and be safe” out-interface=T-DSL
src-address=192.168.0.0/16
add action=drop chain=forward comment=
“Drop incoming packets that are not NATted” connection-nat-state=!dstnat
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
add action=drop chain=forward comment=
“Drop incoming from internet which is not public IP” in-interface=ether1
log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=“Drop invalid” connection-state=invalid
log=yes log-prefix=invalid
add action=drop chain=forward comment=“drop everything else” log=yes
log-prefix=“[drop forward rest rule]”
add action=drop chain=input comment=“Drop the remaining input” log-prefix=
“[drop input rest rule]”
/ip firewall nat
add action=masquerade chain=srcnat
/ip pool
add name=dhcp next-pool=8+9-pool-dhcp ranges=192.168.7.210-192.168.7.254
add name=8+9-pool-dhcp next-pool=dhcp ranges=192.168.8.0/23
add name=10-pool-dhcp ranges=192.168.10.0/24
/ip service
(…)
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/lcd
set backlight-timeout=1h color-scheme=dark default-screen=stats
/lcd interface
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
(…)
/system note
set show-at-login=no
/system ntp client
set mode=broadcast
(…)

I was quite positive to this cool inspiration here: https://scholz.ruhr/blog/mullvad-as-second-wan-on-mikrotik/
and would like to implement it for the clients on a new subnet: 192.168.10.1/24.

Define variables

:local wgName “mullvad”
Test with ch-zrh-wg-005.conf
:local wgConf “mullvad-ch-zrh-wg-005”
:local wgConfIP “10.69.38.208”

> https://raw.githubusercontent.com/maximko/mullvad-socks-list/list/mullvad-socks-list.txt

host ch-zrh-wg-socks5-005.relays.mullvad.net

we will automate this for multiple confs

:local wgConfNet “10.124.0.125”
:local wgConfPrivateKey “private_key”
:local wgConfPublicKey “public_key”
:local wgConfEndpoint “193.32.127.70”
:local wgConfPort “51820”

:local wgIPv4Address “192.168.10.1/24”
:local wgIpv4Net “192.168.10.0”
:local peerAllowedIPv4 “0.0.0.0/0”

#Create a VLAN interface with VLAN ID 10 and assign it to the “bridge1” interface.
/interface/vlan/add vlan-id=10 interface=bridge1 name=$wgName

#Configure an IP address for this interface.
/ip/address/add address=$wgIPv4Address network=$wgIpv4Net interface=$wgName

#Add a Wireguard interface with a specified private key.
/interface/wireguard/add private-key=$wgConfPrivateKey name=$wgConf

#Configure a peer for this Wireguard interface.
/interface/wireguard/peers/add allowed-address=$peerAllowedIPv4 endpoint-address=$wgConfEndpoint endpoint-port=wgConfPort interface=$wgConf public-key=$wgConfPublicKey

#Assign an IP address to this Wireguard interface.
/ip/address/add address=wgConfIP network=$wgConfNet interface=$wgConf

#Create a routing table for $wgName
/routing/table/add name=$wgName fib

#Mark packets arriving on the $wgName interface for routing using the $wgName routing table.
/ip/firewall/mangle/add chain=prerouting in-interface=$wgName action=mark-routing new-routing-mark=$wgName

#Set up a routing rule to only route packets marked for the $wgName routing table.
/routing/rule/add routing-mark=$wgName action=lookup-only-in-table table=$wgName

#Define a default route with the gateway IP address and the $wgName routing table.
/ip/route/add dst-address=$peerAllowedIPv4 gateway=$wgConfNet routing-table=$wgName

#Configure masquerade NAT for outgoing traffic through the Wireguard interface.
/ip/firewall/nat/add chain=srcnat out-interface=$wgConf action=masquerade

#Setting the DNS as provided in $wgConf for exclusive use by the clients in 192.168.10.0/24
(honestly, no idea)

Have not tested it yet as I do only have a production setup here. Your kind feedback would be super appreciated.

Cheers, nin

anav · December 5, 2023, 9:30pm

Yeah use vlan filtering for the subnets, one bridge…
The bizarro approach to address, dhcp server pool, if not for a specific needed reasons is cutsie crap for nothing.

http://forum.mikrotik.com/t/new-routerboard-jumper-settings/12089/1

nin · December 6, 2023, 5:49pm

You are right. Thank you, anav!

Again, totally right. I should have omitted this, it was just “elderly gentleman playing around”.

Frankly, I needed a minute to make sure that this less elevating discussion about jumpers was not actually what you wanted to recommend. But I discovered the missing “0” at the end of the link and thank you for the reference, very good info and equally interesting discussion.

Here is a changed VPN config:

# Define variables
:local wgName "mullvad"
#test with ch-zrh-wg-005.conf
:local wgConf "mullvad-ch-zrh-wg-005"
:local wgConfIP "10.69.38.208"
# https://raw.githubusercontent.com/maximko/mullvad-socks-list/list/mullvad-socks-list.txt
# host ch-zrh-wg-socks5-005.relays.mullvad.net
# we will automate this for multiple confs
:local wgConfNet "10.124.0.125"
:local wgConfPrivateKey "private_key"
:local wgConfPublicKey "public_key"
:local wgConfEndpoint "193.32.127.70"
:local wgConfPort "51820"
:local wgConfDNS "10.64.0.1"

:local wgIPv4Address "192.168.10.1/24"
:local wgIpv4Net "192.168.10.0"
:local peerAllowedIPv4 "0.0.0.0/0"


#Create a VLAN interface with VLAN ID 10 and assign it to the "bridge1" interface.
/interface/vlan/add vlan-id=10 interface=bridge1 name=$wgName

#Configure an IP address for this interface.
/ip/address/add address=$wgIPv4Address network=$wgIpv4Net interface=$wgName

#Add a Wireguard interface with a specified private key.
/interface/wireguard/add private-key=$wgConfPrivateKey name=$wgConf

#Configure a peer for this Wireguard interface.
/interface/wireguard/peers/add allowed-address=$peerAllowedIPv4 endpoint-address=$wgConfEndpoint endpoint-port=wgConfPort interface=$wgConf public-key=$wgConfPublicKey

#Assign an IP address to this Wireguard interface.
/ip/address/add address=wgConfIP network=$wgConfNet interface=$wgConf

#Create a routing table for $wgName
/routing/table/add name=$wgName fib

#Mark packets arriving on the $wgName interface for routing using the $wgName routing table.
/ip/firewall/mangle/add chain=prerouting in-interface=$wgName action=mark-routing new-routing-mark=$wgName

#Set up a routing rule to only route packets marked for the $wgName routing table.
/routing/rule/add routing-mark=$wgName action=lookup-only-in-table table=$wgName

#Define a default route with the gateway IP address and the $wgName routing table.
/ip/route/add dst-address=$peerAllowedIPv4 gateway=$wgConfNet routing-table=$wgName

#Configure masquerade NAT for outgoing traffic through the Wireguard interface.
/ip/firewall/nat/add chain=srcnat out-interface=$wgConf action=masquerade

#Setting the DNS as provided in $wgConf for exclusive use by the clients in 192.168.10.0/24 
/ip/dhcp-server/network/set [find address="192.168.10.0/24"] dns-server=$wgConfDNS

Here are some changes to the existing config - limited to essential parts:

/interface bridge
add name=bridge1

/interface ethernet
set [find] name=ether2-ether12

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10

# First subnet of 192.168.1.0/21 (192.168.1.1 to 192.168.8.254) as a basis, no vlan
# Second subnet of 192.168.10.1/24 for VPN users with vlan10
/ip address
add address=192.168.1.1/21 interface=bridge1
add address=192.168.10.1/24 interface=vlan10

/ip pool
add name=pool1 ranges=192.168.1.151-192.168.8.254
add name=pool2 ranges=192.168.10.1-192.168.10.254

/ip dhcp-server
add address-pool=pool1 interface=bridge1
add address-pool=pool2 interface=bridge1

/ip dhcp-server network
add address=192.168.1.0/21 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=vlan10

#isolate VLAN 10 from the rest of the network
/ip firewall filter
add action=drop chain=forward src-address=192.168.10.0/24
add action=drop chain=forward dst-address=192.168.10.0/24

# allow communication between the VLAN 10 network and the 192.168.1.0/21 network while blocking any other traffic
/ip firewall filter
add action=accept chain=forward src-address=192.168.1.0/21 dst-address=192.168.10.0/24
add action=accept chain=forward src-address=192.168.10.0/24 dst-address=192.168.1.0/21

Still bizarro or perhaps closer to ok?

Cheers, nin

anav · December 6, 2023, 6:17pm

Yes still bizarro, Whats wrong with this picture for example…
/ip dhcp-server
add address-pool=pool1 interface=bridge1
add address-pool=pool2 interface=bridge1

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface**=vlan10**

VLAN10 IS NOT A BRIDGE PORT, , what etherport is vlan10 travelling over???
MISSING /interface bridge vlan
Missing enabling bridge vlan filtering

Filter rules show a complete lack of understanding of what they do and how they should be sued.
In other words, I wouldnt contemplate doing any VPN until you understand basics.

nin · December 6, 2023, 6:59pm

Thanks for your reply. I posted this in “Beginner Basics”. I will try to understand.

nin · December 6, 2023, 7:10pm

It depends on the physical location the user is. There are more than 1 Wifi APs from Cambium networks in use. Thank you.

nin · December 6, 2023, 9:02pm

No idea tbh. It would be much appreciated to know the reason. Is it because VLAN interfaces are typically associated with Ethernet ports to allow VLAN traffic to pass through them?

anav · December 6, 2023, 9:49pm

Non-standard but if you understand why it works, then it should be good.

nin · December 6, 2023, 10:14pm

total beginner here.

nin · December 6, 2023, 10:17pm

I would like to politely request further details

anav · December 6, 2023, 10:35pm

https://www.youtube.com/watch?v=NXvHdZbAuTI
https://www.youtube.com/watch?v=hMj80ZIVBQs
https://www.youtube.com/watch?v=4G_TAiBQisE&t=7s
https://www.youtube.com/watch?v=MN5TwxJZ8Os

https://forum.mikrotik.com/viewtopic.php?t=180838