NordLynx (NordVPN WireGuard) client setup on a MikroTik router

Hello, here is my basic configuration: local IP range 192.168.88.1 to 192.168.88.253, router IP 192.168.88.254, WAN on the SFP+ port,
users on ether1 to ether4. Can someone explain to me how to route traffic to the WireGuard VPN server through wg0?

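# feb/20/2022 22:46:04 by RouterOS 7.1
# software id = LFGF-8WF5
#
# model = RB4011iGS+5HacQ2HnD
#
# NOTE(review): every secret in this export (WireGuard private key, Wi-Fi PSK)
# is shown as a placeholder; never paste real key material into a public post.
/interface bridge
add admin-mac=2C:C8:1B:41:41:19 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80/160mhz-XXXXXXXX country=france disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik5 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=france disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MikroTik-2.4 wireless-protocol=802.11
/interface wireguard
# The router initiates the tunnel (endpoint-address and persistent-keepalive are
# set on the peer below), so listen-port does not have to be reachable from the
# internet: the input chain drops unsolicited WAN packets and the server's
# replies are matched as established.
add listen-port=38914 mtu=1420 name=wg0 private-key=\
    "MyKey"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
# NOTE(review): "123456789" is a trivially guessable pre-shared key and
# authentication-types still allows WPA (wpa-psk). Use a long random passphrase
# and, unless a legacy client really needs WPA, keep only wpa2-psk here.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=123456789 \
    wpa2-pre-shared-key=123456789
/ip pool
add name=dhcp ranges=192.168.88.1-192.168.88.253
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
# ether1 is a LAN port here (the WAN is sfp-sfpplus1, see the WAN list below).
add bridge=bridge ingress-filtering=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 stays disabled, so no IPv6 traffic can bypass the IPv4-only tunnel policy.
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
# Fix: wg0 was in no interface list, so the WAN masquerade rule never applied
# to traffic entering the tunnel and the WAN firewall rules did not cover it.
# Treating the tunnel as an (untrusted) WAN interface gives it both.
add comment="NordLynx tunnel: untrusted, NATed like WAN" interface=wg0 list=WAN
/interface wireguard peers
# Fix: endpoint-port was 58210, which does not match the 51820 used by the
# nordlynx.conf that works on Windows (and by the final working config).
# allowed-address=0.0.0.0/0 lets any destination be sent into the tunnel and
# any source be accepted back from the peer; WHICH LAN hosts use the tunnel is
# decided by routing rules, not here.
add allowed-address=0.0.0.0/0 endpoint-address=138.199.47.163 endpoint-port=\
    51820 interface=wg0 persistent-keepalive=25s public-key=\
    "FT46M53w4dhBep/2VScW1j/EoZbpBgzvk71FlLZLDBM="
/ip address
add address=192.168.88.254/24 comment=defconf interface=bridge network=\
    192.168.88.0
# Tunnel-side address, taken from "Address = 10.5.0.2/24" in nordlynx.conf.
add address=10.5.0.2/24 interface=wg0 network=10.5.0.0
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.254 netmask=24
/ip dns
# Answering remote queries is only safe because the input chain below drops
# everything that does not arrive from the LAN list; do not loosen that rule.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# With wg0 in the WAN list this rule also protects the router from the tunnel.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Covers sfp-sfpplus1 and (now) wg0, so LAN hosts sent into the tunnel are
# source-NATed to the 10.5.0.2 tunnel address.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
# Only winbox (and its MAC-server variant, LAN-only) remains enabled for management.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=RouterOS
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system package update
set channel=long-term
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN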

The nordlynx.conf below works fine on Windows 10 with the official WireGuard client (wireguard.exe):

[Interface]
# Client side of the tunnel (the Windows host, or the router when ported). Private key redacted.
PrivateKey = ----------------
# Local UDP port. The tunnel is initiated outbound, so this port need not be reachable from the internet.
ListenPort = 38914
# Address inside the tunnel; the RouterOS config uses the same 10.5.0.2/24 on wg0.
Address = 10.5.0.2/24
# Resolvers applied to the host while the tunnel is up (Google public DNS, not NordVPN's).
# With AllowedIPs = 0.0.0.0/0 below, these queries are carried through the tunnel on Windows.
DNS = 8.8.8.8, 8.8.4.4
[Peer]
# NordLynx server public key and endpoint (UDP 51820 -- note the port when copying to RouterOS).
PublicKey = FT46M53w4dhBep/2VScW1j/EoZbpBgzvk71FlLZLDBM=
# Full tunnel: every destination is routed to this peer, and any source is accepted from it.
AllowedIPs = 0.0.0.0/0
Endpoint = 138.199.47.163:51820
# Keeps NAT state alive so the server can keep sending to us.
PersistentKeepalive = 25

Command to fetch the NordLynx servers recommended for your connection:

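# Ask NordVPN's public API for the 10 recommended servers that offer the
# wireguard_udp (NordLynx) technology and print, per server: hostname, station
# IP, city, country, the technology metadata value(s) and the current load.
#   -sS  quiet but still report errors;  -f  fail on HTTP errors instead of
#        piping an error page into jq;  -g  turn off curl's [] globbing so the
#        brackets in the query string need no backslash escaping.
# NOTE(review): the original used --ssl-no-revoke, which only affects Windows
# (Schannel) builds and disables certificate revocation checking; it is dropped
# here -- re-add it only if your curl build cannot reach the API without it.
curl -sSfg "https://api.nordvpn.com/v1/servers/recommendations?filters[servers_technologies][identifier]=wireguard_udp&limit=10" \
  | jq -r '.[] | .hostname, .station, (.locations[].country.city.name), (.locations[].country.name), (.technologies[].metadata[].value), .load'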

What do you want to route? Traffic from the whole LAN or only from selected devices, and traffic to all destinations or only to selected ones?

Hello, I would like to route the traffic of a list of local addresses, see the example below:

# LAN hosts whose internet traffic should be sent through the NordLynx tunnel.
/ip firewall address-list
add list=allow_ip_nordlynx address=192.168.88.3
add list=allow_ip_nordlynx address=192.168.88.8

Firewall address lists are not a routing construct, so on their own they cannot send traffic through the WireGuard tunnel.

However, assuming you wish to push all internet traffic from those two hosts out through NordLynx, then:

MikroTik peer settings (you already have this correct):
Allowed IPs =0.0.0.0/0

What is needed is a way to force just those two IP addresses through WireGuard for their internet traffic. Three steps:

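# 1. A dedicated routing table; "fib" means routes from this table are
#    installed into the forwarding table, not just kept for lookups.
/routing table
add name=useWG0 fib

# 2. Default route inside that table pointing at the tunnel interface.
#    Fix: the original lines lacked "add", and in RouterOS 7 the route keyword
#    is routing-table= (the rule keyword is table=).
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=useWG0

# 3. Policy rules: packets from these two hosts are looked up ONLY in useWG0.
#    lookup-only-in-table does not fall back to the main table, so if the wg0
#    route is unusable these hosts lose internet access rather than leaking
#    out the plain WAN.
/routing rule
add src-address=192.168.88.3/32 action=lookup-only-in-table table=useWG0
add src-address=192.168.88.8/32 action=lookup-only-in-table table=useWG0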

Thank you, but it does not work. Is it possible to debug the WireGuard connection through the log?

Two things to look at.

  1. Your latest config export, with the changes applied.

  2. A screenshot of your WinBox IP > Routes window (blank out any public IPs or gateway IPs, e.g. with the eraser in Paint).

/ip firewall nat
# Quoted from the original export: this masquerades only on out-interface-list=WAN,
# and wg0 is not a member of that list (only sfp-sfpplus1 is), so traffic leaving
# through the tunnel is never source-NATed to the tunnel address.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

The WAN-only masquerade rule is the problem: wg0 is not in the WAN interface list (only sfp-sfpplus1 is), so traffic sent into the tunnel is never masqueraded. Create a masquerade rule dedicated to the WireGuard interface and use it. You can use connection marking to force the chosen clients through that interface in NAT.

Well, I have just managed to make WireGuard work with NordLynx thanks to you, and I thank you very much. Below are the working parameters:

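# Working NordLynx client configuration (RouterOS 7.1). The private key is a
# placeholder; endpoint, public key and tunnel address come from nordlynx.conf.
# (Fix: typographic quotes replaced by ASCII quotes and broken lines re-joined,
#  so this can be pasted into the terminal as-is.)
/interface wireguard
add listen-port=38914 mtu=1420 name=wg0 private-key="Private_key"

# NordVPN server peer. allowed-address=0.0.0.0/0 lets any destination be sent
# into the tunnel and any source be accepted from it; WHICH LAN hosts actually
# use the tunnel is decided by the routing rule at the bottom, not here.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=37.19.217.30 endpoint-port=51820 \
    interface=wg0 persistent-keepalive=25s \
    public-key="FT46M53w4dhBep/2VScW1j/EoZbpBgzvk71FlLZLDBM="

# Tunnel address from nordlynx.conf ("Address = 10.5.0.2/24").
/ip address
add address=10.5.0.2/24 interface=wg0 network=10.5.0.0

# Source-NAT LAN clients to the tunnel address. The default WAN masquerade rule
# does not cover wg0 because wg0 is not in the WAN interface list.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: allow wireguard" \
    out-interface=wg0

# Dedicated routing table whose routes are installed into the FIB.
/routing table
add fib name=useWG0

# Inside that table, everything goes into the tunnel.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" \
    routing-table=useWG0 scope=30 suppress-hw-offload=no target-scope=10

# Policy routing: only this host is looked up exclusively in useWG0 (no fallback
# to the main table).
# NOTE(review): 192.168.88.1 lies inside the DHCP pool (192.168.88.1-.253);
# give that host a static lease, otherwise the rule silently stops matching
# when it is handed a different address.
# NOTE(review): if this host uses the router as its DNS resolver, its queries
# are answered by the router over the regular WAN, not through the tunnel --
# confirm whether that is acceptable for your use case.
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.1/32 \
    table=useWG0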

Not exactly true: it is possible with mangle rules (mark by address list, then route on the mark). But if it is for whole addresses (not just selected ports), I would probably prefer routing rules too.

Not necessarily: it will work if the WireGuard interface is added to the WAN interface list. That could be a good choice anyway, because from the router's point of view the tunnel is an untrusted, WAN-like interface, and the existing WAN firewall rules then apply to it as well.

WHAT? Hmmmmmm

He wants to send two IPs on his local LAN through a third-party WireGuard provider for internet access.
This is not rocket science.

(1) The allowed-address on the MikroTik peer must include 0.0.0.0/0, so that every destination those two IPs want to reach is allowed into the tunnel (and the replies are accepted back from the peer).
(2) We use the forcing approach already described:
a routing table, an IP route in that table, and a routing rule for each IP address.

(3) If your forward chain is stricter than the default one, a firewall rule may additionally be required, for example:
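# Only needed when the forward chain is stricter than the default: the default
# forward rules only drop *new* connections arriving from WAN that were not
# DST-NATed, so LAN -> wg0 is already forwarded. Place it above any forward drop.
/ip firewall filter
add chain=forward action=accept src-address-list=ChosenIPs out-interface=wgInterfaceName \
    comment="allow chosen LAN hosts into the WireGuard tunnel"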

What is missing here? Don't think too hard: nothing!

Did I say that anything was missing? No, I didn't. I just corrected your claim that an address list can't be used for this.

Yes, let me add caveats for the nitpicky types.

a. A firewall address list is handy for any firewall rules involving WireGuard traffic.
b. Firewall address lists are not used in WireGuard routes, unless one resorts to mangle (connection/routing marks) — and at that point your config is so convoluted it should be banned anyway…

Hello, my configuration still works very well. Is it possible to add a kill switch to the WireGuard setup?

I am using PPPoE to connect. The gateway of the dynamically created WireGuard route is the PPPoE interface. Is WireGuard then not also protected by the WAN being treated as untrusted?

My basic kill switch:

# Kill switch: a blackhole default route inside the VPN routing table. distance=254
# is worse than the tunnel route's distance, so it is only selected once the route via
# the WireGuard interface is gone or inactive; because it still matches 0.0.0.0/0 inside
# the table, the lookup should not fall through to main, and the traffic is dropped
# instead of leaving unencrypted. Use the table name your routing rule points at
# (useWG0 in the config above).
# NOTE(review): this only protects you if the tunnel route really disappears or goes
# inactive when the VPN fails -- verify in IP > Routes with the peer unreachable.
/ip/route add blackhole disabled=no distance=254 dst-address=0.0.0.0/0 gateway="" pref-src="" routing-table=exampleRoutingMark-wireguard scope=30 suppress-hw-offload=no \
    target-scope=10

You need to route the affected traffic through a routing table (routing mark). As an example I used "exampleRoutingMark-wireguard"; replace it with the table name your routing rule points at.

Update: if I am correct, in your case that table is "useWG0".

Hi msmatter, that looks interesting but I don't understand:
a. What is a kill switch?
b. How do you invoke it and get it to fire? I'm assuming you don't ask Alexa :wink:
c. What does your rule actually do?

Hello. As I understand it, a kill switch detects that the VPN is disconnected and switches to the default route, so that there is always a working internet connection.

Hmmm interesting.
I will give you one example.

(1) Exiting to the internet via the remote device: the most obvious example is having two subnets, vlan10 and vlan11.
vlan10 is supposed to go out through the standard internet connection (local WAN IP), and we want vlan11 to enter the WireGuard tunnel and go out through the remote device's WAN IP.
Firewall rules etc. aside…

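# Default route in the main table: sends all vlan10 and vlan11 traffic out the
# local WAN. (Fix: "gwy=" is not a RouterOS keyword; it is gateway=, and the
# route keyword for the table is routing-table=.)
/ip route
add dst-address=0.0.0.0/0 gateway=<wan-gateway-ip> routing-table=main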

But now we want to send vlan11 only out through the tunnel, and we need three steps to accomplish this:

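# 1. Dedicated routing table whose routes are installed into the FIB.
/routing table
add name=useWG fib
# 2. Default route in that table via the tunnel interface
#    (fix: "add", gateway= instead of gwy=, routing-table= instead of table=).
/ip route
add dst-address=0.0.0.0/0 gateway=<wg-interface-name> routing-table=useWG
# 3. Everything entering from vlan11 is looked up only in useWG (no fallback
#    to main; use action=lookup instead if you want fail-over to the plain WAN).
/routing rule
add interface=vlan11 action=lookup-only-in-table table=useWG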

With the above rules in place, we normally select the action lookup-only-in-table. If there is no VPN, vlan11 then gets no internet at all.
However, if we use the action lookup instead, it behaves like the "kill switch" you described (assuming your definition is correct): if the WireGuard tunnel is not up and the route in useWG becomes inactive, the lookup falls through to the main table and the vlan11 users go out via the local WAN IP — unencrypted.

Done!!!

My definition of a kill switch is that no unencrypted traffic gets out. If the VPN goes down, the traffic that was meant for the tunnel would otherwise leave unencrypted, and that must not happen: all of that traffic is dropped before it can leave the router.

If you are redirecting it instead, that is a fail-over. I use that too, but the last stop is always dropping the traffic if everything else fails.

a) See above.
b) If the VPN is not working, the route via the WireGuard interface is removed by the router (it is dynamically created in my PPPoE setup), leaving the static blackhole route I posted to handle that traffic. Verify in IP > Routes that the tunnel route really disappears or goes inactive in your setup when the peer is unreachable.
c) It blackholes that traffic, i.e. silently drops it.