OpenVPN server and Wireguard server on same router

Hello,

I am using a hAP ax2 with the latest RouterOS version, and I am unable to figure out how to configure OpenVPN clients and WireGuard clients to see each other.

192.168.200.0/25 - LAN subnet - Router IP is 192.168.200.1/25
10.168.200.0/25 - Wireguard subnet - Router IP is 10.168.200.1/32
10.168.200.128/25 - OpenVPN subnet - Router IP is 10.168.200.254/25
10.167.200.0/24 - OpenVPN site to site subnet for remote branches.
192.168.200.128/25 - OpenVPN site to site subnet for remote branch.

All interfaces belong to the LAN interface list, so no additional firewall forward rules should be necessary (I tried adding those rules anyway, but it's the same).

When I connect to the WireGuard server, I can only ping the LAN subnet (and vice versa) and other WireGuard peers, but neither the OpenVPN subnet nor the OpenVPN s2s subnet.

When I connect to the OpenVPN server, I can ping the LAN subnet, other OpenVPN clients and the remote branches, but I can't ping WireGuard clients.

Something I am obviously missing about routing… :frowning:

Windows OpenVPN client's route table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.0.129    192.168.0.150     25
          0.0.0.0          0.0.0.0   10.168.200.254   10.168.200.248    537
     10.167.200.0    255.255.255.0   10.168.200.254   10.168.200.248    537
     10.168.200.0    255.255.255.0   10.168.200.254   10.168.200.248    537
   10.168.200.128  255.255.255.128         On-link    10.168.200.248    281
   10.168.200.248  255.255.255.255         On-link    10.168.200.248    281
   10.168.200.255  255.255.255.255         On-link    10.168.200.248    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
    192.168.0.128  255.255.255.128         On-link     192.168.0.150    281
    192.168.0.150  255.255.255.255         On-link     192.168.0.150    281
    192.168.0.255  255.255.255.255         On-link     192.168.0.150    281
    192.168.200.0    255.255.255.0   10.168.200.254   10.168.200.248    537
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    10.168.200.248    281
        224.0.0.0        240.0.0.0         On-link     192.168.0.150    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    10.168.200.248    281
  255.255.255.255  255.255.255.255         On-link     192.168.0.150    281



Windows WireGuard client's route table
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.255.254    192.168.255.1      2
     10.167.200.0    255.255.255.0         On-link      10.168.200.2      5
   10.167.200.255  255.255.255.255         On-link      10.168.200.2    261
     10.168.200.0    255.255.255.0         On-link      10.168.200.2      5
     10.168.200.2  255.255.255.255         On-link      10.168.200.2    261
   10.168.200.255  255.255.255.255         On-link      10.168.200.2    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
    192.168.200.0    255.255.255.0         On-link      10.168.200.2      5
  192.168.200.255  255.255.255.255         On-link      10.168.200.2    261
    192.168.255.0    255.255.255.0         On-link     192.168.255.1    257
    192.168.255.1  255.255.255.255         On-link     192.168.255.1    257
  192.168.255.255  255.255.255.255         On-link     192.168.255.1    257
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.255.1    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.255.1    257



Mikrotik routes
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS         GATEWAY                           DISTANCE
  DAd 0.0.0.0/0           10.168.1.1                               1
0  As 10.167.200.32/27    <ovpn-pr2-kapija.domain.loc>             1
1  As 10.167.200.64/27    <ovpn-magacin-kapija.domain.loc>         1
2  As 10.167.200.128/27   <ovpn-pr5-kapija.domain.loc>             1
3  As 10.167.200.160/27   <ovpn-pr6-kapija.domain.loc>             1
  DAc 10.168.1.0/24       ether1                                   0
4  As 10.168.200.0/25     WG                                       1
  DAc 10.168.200.1/32     WG                                       0
  DAc 10.168.200.248/32   <ovpn-w.domain.loc>                      0
  DAc 10.168.200.249/32   <ovpn-pr6-kapija.domain.loc>             0
  DAc 10.168.200.250/32   <ovpn-pr1pr4-kapija.domain.loc>          0
  DAc 10.168.200.251/32   <ovpn-pr2-kapija.domain.loc>             0
  DAc 10.168.200.252/32   <ovpn-pr5-kapija.domain.loc>             0
  DAc 10.168.200.253/32   <ovpn-magacin-kapija.domain.loc>         0
  DAc 192.168.200.0/25    vlan1                                    0
5  As 192.168.200.128/25  <ovpn-pr1pr4-kapija.domain.loc>          1



WireGuard client config
[Interface]
PrivateKey = ****************
ListenPort = 65534
Address = 10.168.200.3/32
DNS = 192.168.200.100
MTU = 1412

[Peer]
PublicKey = ****************
PresharedKey = ****************
AllowedIPs = 192.168.200.0/24, 10.167.200.0/24, 10.168.200.0/24
Endpoint = ****************:65534
PersistentKeepalive = 25



OpenVPN client config (the part relevant to routing)

register-dns
route-delay 4
route-method exe
route-metric 512
route 192.168.200.0 255.255.255.0
route 10.168.200.0 255.255.255.0
route 10.167.200.0 255.255.255.0
route 0.0.0.0 0.0.0.0



Traceroute from WireGuard client to OpenVPN client

Tracing route to 10.168.200.248 over a maximum of 30 hops

  1     9 ms    11 ms    10 ms  10.168.200.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.



Traceroute from OpenVPN client to WireGuard client
Tracing route to 10.168.200.2 over a maximum of 30 hops

  1     4 ms     3 ms     3 ms  10.168.200.254
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.



MikroTik config:

# 2024-01-22 16:30:30 by RouterOS 7.13.2
#
# model = C52iG-5HaxD2HaxD

/interface bridge
add admin-mac=48:A9:8A:62:7A:17 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Internet poe-out=off
/interface ovpn-server
add name=<ovpn-magacin-kapija.domain.loc> user=magacin-kapija.domain.loc
add name=<ovpn-pr1pr4-kapija.domain.loc> user=pr1pr4-kapija.domain.loc
add name=<ovpn-pr2-kapija.domain.loc> user=pr2-kapija.domain.loc
add name=<ovpn-pr5-kapija.domain.loc> user=pr5-kapija.domain.loc
add name=<ovpn-pr6-kapija.domain.loc> user=pr6-kapija.domain.loc
/interface wireguard
add comment="Wireguard VPN" listen-port=65534 mtu=1412 name=WG
/interface vlan
add comment="LAN mreza" interface=bridge name=vlan1 vlan-id=1
add comment="Buduca mreza za goste" interface=bridge name=vlan2 vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="vlan20 - wifi gosti" name=WIFI
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412 name=1 width=20mhz
add band=2ghz-ax disabled=no frequency=2437 name=6 width=20mhz
add band=2ghz-ax disabled=no frequency=2462 name=11 width=20mhz
add band=5ghz-ax disabled=no frequency=5180-5250 name=42 width=20/40/80mhz
/interface wifi
set [ find default-name=wifi1 ] channel=42 configuration.country=\
    "United States" .mode=ap .ssid=**** datapath.bridge=bridge .vlan-id=1 \
    disabled=no security.authentication-types=wpa2-psk .ft=yes \
    .ft-mobility-domain=0x10 .wps=disable
set [ find default-name=wifi2 ] channel=1 configuration.country=\
    "United States" .mode=ap .ssid=**** datapath.bridge=bridge .vlan-id=1 \
    disabled=no security.authentication-types=wpa2-psk .ft=yes \
    .ft-mobility-domain=0x10 .wps=disable
/ip pool
add name=dhcp_vlan10 ranges=192.168.200.10-192.168.200.99
add name=openvpn ranges=10.168.200.130-10.168.200.253
/ip dhcp-server
add address-pool=dhcp_vlan10 interface=vlan1 lease-time=2w1d name=dhcp1
/port
set 0 name=serial0
/ppp profile
add change-tcp-mss=yes dns-server=192.168.200.100 interface-list=LAN \
    local-address=10.168.200.254 name=openvpn only-one=yes remote-address=\
    openvpn use-compression=no use-encryption=required use-ipv6=no use-mpls=\
    no use-upnp=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=\
    ether2,ether3,ether4,wifi1,wifi2,ether5 vlan-ids=1
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,wifi1,wifi2 \
    vlan-ids=2
/interface list member
add comment=defconf interface=vlan1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WG list=LAN
/interface ovpn-server server
set auth=sha1 certificate=kapija.domain.loc cipher=aes128-cbc \
    default-profile=openvpn enabled=yes netmask=25 port=587 \
    require-client-certificate=yes
/interface wireguard peers
add allowed-address=10.168.200.2/32 interface=WG preshared-key=\
    "********************************" public-key=\
    "********************************"
add allowed-address=10.168.200.3/32 interface=WG preshared-key=\
    "********************************" public-key=\
    "********************************"
/ip address
add address=192.168.200.1/25 interface=vlan1 network=192.168.200.0
add address=10.168.200.1 interface=WG network=10.168.200.1
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
******************************
/ip dhcp-server network
add address=192.168.200.0/25 dns-server=192.168.200.100 domain=domain.loc \
    gateway=192.168.200.1
/ip dns
set servers=192.168.200.100
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input disabled=yes src-address=************
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=Wireguard dst-port=65534 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=OpenVPN dst-port=587 in-interface-list=\
    WAN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=37777-37778 in-interface-list=WAN \
    protocol=tcp src-address=!192.168.200.0/25 to-addresses=192.168.200.25 \
    to-ports=37777-37778
add action=dst-nat chain=dstnat dst-port=10000 in-interface-list=WAN \
    protocol=tcp src-address=!192.168.200.0/25 to-addresses=192.168.200.1 \
    to-ports=587
/ip route
add distance=1 dst-address=10.167.200.32/27 gateway=\
    <ovpn-pr2-kapija.domain.loc>
add distance=1 dst-address=10.167.200.64/27 gateway=\
    <ovpn-magacin-kapija.domain.loc>
add distance=1 dst-address=10.167.200.128/27 gateway=\
    <ovpn-pr5-kapija.domain.loc>
add distance=1 dst-address=10.167.200.160/27 gateway=\
    <ovpn-pr6-kapija.domain.loc>
add distance=1 dst-address=192.168.200.128/25 gateway=\
    <ovpn-pr1pr4-kapija.domain.loc>
add disabled=no dst-address=10.168.200.0/25 gateway=WG routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=w.domain.loc profile=openvpn service=ovpn
*******************
/system clock
set time-zone-name=Europe/Belgrade
/system identity
set name=kapija.domain.loc
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Edit:

WireGuard peer config on MikroTik: [screenshot Capture.JPG, not reproduced here]

  1. Don't use vlan1 for data; if you have a home subnet, make it vlan11 for example. Vlan1 works in the background on a bridge, no need to make it a vlan.

  2. I am not so sure OpenVPN can be a LAN interface like WireGuard, and thus would definitely ensure forward chain rules permit traffic.

  3. Why are two WG routes showing up on the routes board??
    Only one dst-address=10.168.200.0/24 table=main should be there.

This is not required:
add disabled=no dst-address=10.168.200.0/25 gateway=WG routing-table=main suppress-hw-offload=no

  4. Why did you change MTU from default??

VERY CONFUSED by your subnet creation.
For example you have openvpn and wireguard on same subnet…

10.168.200.0/25 - Wireguard subnet - Router IP is 10.168.200.1/32
10.168.200.128/25 - OpenVPN subnet - Router IP is 10.168.200.254/25

First thing I would do is separate the two completely; nothing to be gained by being cute or non-standard as far as I can tell.
Similar thing with your LAN and second OVPN; however, for this case maybe there is some logic that makes sense.

192.168.200.0/25 - LAN subnet - Router IP is 192.168.200.1/25
192.168.200.128/25 - OpenVPN site to site subnet for remote branch.

  5. The above facts make it very difficult to make sense of the rest of the config, including allowed IPs on what appears to be another router.

  6. Don't think this is a proper IP address, at least for wireguard.
    add address=10.168.200.1 interface=WG network=10.168.200.1
    more like
    add address=10.168.200.1/24 interface=WG network=10.168.200.0

  7. Not sure putting in a LAN IP address for a different subnet other than wg on the router for DNS works, but seems plausible. I typically just put the IP gateway address of the wg subnet, 10.168.200.1 for example. One would have to ensure that the incoming wg interface has access in the forward chain to that DNS server in the other subnet.

Yeah, while trying to avoid editing the configuration of dozens of OpenVPN clients, I tried to split the VPN subnet 10.168.200.0/24 into two /25s.

And that was the cause of my problem.

I gave WireGuard a new subnet, 10.166.200.0/24, and changed the existing OpenVPN subnet from 10.168.200.0/25 to 10.168.200.0/24, and now everything works.

All I need to do now is edit the clients' OpenVPN configuration files to add a route to the 10.166.200.0/24 subnet, because pushing routes to clients is still unsupported by MikroTik. :frowning:

Thanks.
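Added example (not code from the thread, from MikroTik, or from the OpenVPN/WireGuard projects): a small Python script that parses the Windows `route print` excerpts posted above, applies longest-prefix match with the metric as tie-break, and walks each traceroute destination through the client's table and then the router's table. It also checks which pools of the two subnet plans (the one in the first post and the one in the last post) the OpenVPN client's tunnel routes actually cover; with the fixed plan that check reports the WireGuard /24 as unreachable, which is exactly the client-side route the last post says still has to be added. `ROUTER`, `ORIGINAL_POOLS` and `FIXED_POOLS` are transcribed from the thread; the pool names are my own labels.

```python
"""Longest-prefix-match walk-through of the route tables posted in this thread.

Added example, not from the thread or from MikroTik: it re-implements the lookup a
host or router performs (longest prefix first, lowest metric as the tie-break) so the
posted tables can be queried rather than read by eye. Windows excerpts and the router
table are copied from the thread; the pool dicts are constructed from the two subnet
plans the thread describes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dst: Net
    gateway: str  # next-hop address, or the egress interface for on-link/connected routes
    metric: int = 0


def parse_windows_routes(text: str) -> List[Route]:
    """Parse the five-column 'Active Routes' rows of Windows `route print`."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue  # header, blank or separator line
        dst, mask, gw, iface, metric = parts
        net = Net((dst, mask), strict=False)
        routes.append(Route(net, iface if gw == "On-link" else gw, int(metric)))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if addr in r.dst]
    return max(matches, key=lambda r: (r.dst.prefixlen, -r.metric)) if matches else None


def hops(client: List[Route], ip: str) -> List[str]:
    """Where the client sends the packet, then where the router sends it."""
    return [r.gateway if r else "no route" for r in (lookup(client, ip), lookup(ROUTER, ip))]


def uncovered(tunnel_prefixes: List[str], pools: Dict[str, str]) -> List[str]:
    """Pools that no tunnel-side route fully covers, i.e. the tunnel cannot reach them."""
    routes = [Net(p) for p in tunnel_prefixes]
    return [name for name, p in pools.items() if not any(Net(p).subnet_of(r) for r in routes)]


# Excerpt of the OpenVPN client's table (rows copied from the thread).
OVPN_CLIENT = parse_windows_routes("""
          0.0.0.0          0.0.0.0    192.168.0.129    192.168.0.150     25
          0.0.0.0          0.0.0.0   10.168.200.254   10.168.200.248    537
     10.167.200.0    255.255.255.0   10.168.200.254   10.168.200.248    537
     10.168.200.0    255.255.255.0   10.168.200.254   10.168.200.248    537
   10.168.200.128  255.255.255.128         On-link    10.168.200.248    281
    192.168.200.0    255.255.255.0   10.168.200.254   10.168.200.248    537
""")

# Excerpt of the WireGuard client's table (rows copied from the thread).
WG_CLIENT = parse_windows_routes("""
          0.0.0.0          0.0.0.0  192.168.255.254    192.168.255.1      2
     10.167.200.0    255.255.255.0         On-link      10.168.200.2      5
     10.168.200.0    255.255.255.0         On-link      10.168.200.2      5
    192.168.200.0    255.255.255.0         On-link      10.168.200.2      5
""")

# The router's table, transcribed from the '/ip route' print in the thread.
ROUTER = [Route(Net(d), gw) for d, gw in [
    ("0.0.0.0/0", "10.168.1.1"),
    ("10.168.200.0/25", "WG"),
    ("10.168.200.1/32", "WG"),
    ("10.168.200.248/32", "<ovpn-w.domain.loc>"),
    ("10.167.200.32/27", "<ovpn-pr2-kapija.domain.loc>"),
    ("192.168.200.0/25", "vlan1"),
    ("192.168.200.128/25", "<ovpn-pr1pr4-kapija.domain.loc>"),
]]

# Pools from the first post (labels are mine) and from the last post's fix.
ORIGINAL_POOLS = {"LAN": "192.168.200.0/25", "WG": "10.168.200.0/25",
                  "OVPN": "10.168.200.128/25", "OVPN-s2s": "10.167.200.0/24",
                  "branch": "192.168.200.128/25"}
FIXED_POOLS = {"LAN": "192.168.200.0/25", "WG": "10.166.200.0/24",
               "OVPN": "10.168.200.0/24", "OVPN-s2s": "10.167.200.0/24",
               "branch": "192.168.200.128/25"}

# The OpenVPN client's `route` lines. Its tunnel default (metric 537) loses to the
# local default (metric 25) in the table above, so it is not counted as coverage.
OVPN_TUNNEL_PREFIXES = ["192.168.200.0/24", "10.168.200.0/24", "10.167.200.0/24"]

if __name__ == "__main__":
    print("OVPN client -> 10.168.200.2  :", hops(OVPN_CLIENT, "10.168.200.2"))
    print("WG client   -> 10.168.200.248:", hops(WG_CLIENT, "10.168.200.248"))
    print("pools the OVPN client cannot reach, original plan:", uncovered(OVPN_TUNNEL_PREFIXES, ORIGINAL_POOLS))
    print("pools the OVPN client cannot reach, fixed plan   :", uncovered(OVPN_TUNNEL_PREFIXES, FIXED_POOLS))
```

Running it shows both client tables handing the packet to the router (10.168.200.254 and the on-link WireGuard interface respectively) and the router picking the right tunnel interface for each destination, which matches the traceroutes reaching the router at hop 1. The `uncovered()` check is the part worth keeping around: rerun it whenever a pool moves, and it tells you which client-side route lists need editing before anyone reports "can't ping".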