Place wireguard within an existing subnet

gecco · January 20, 2023, 11:34am

Hi,

I have a general questions regarding wireguard. At the moment the wireguard road warrior test-setup is running. Configured according to the mikrotik documentation: https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-RoadWarriorWireGuardtunnel

Nonetheless, I read that with wireguard you should use a own new subnet and can’t be added to a bridge due to how wireguard works (layer 3).

However, we have 4 locations which are connected via ipsec. At the moment all road warrior clients connect via l2tp/ipsec to location A, get a ip address via dhcp from the according subnet (e.g. office subnet) and can e.g. access also services at location 1-4. This is possible e.g. because the office subnet from location A is allowed to access some service at location B.

Now with wireguard I’m looking for a solution so that the wireguard road warriors act like they have a ip adress from the existing office subnet without reconfigurating all firewall rules of all locations. I’m afraid I wasn’t able to google a working solution. Think I’m missing some basic network understanding.

Thank you very much in advance

Best regards

holvoetn · January 20, 2023, 11:47am

Might be more helpful to first have a drawing clearly showing what you currently have and how you would like it to work.
Pay attention to all used subnets (also clients) and what needs to connect to where.

Export of your current config of the device acting as central hub might also be needed (minus serial number, public WANIP and Private/Public keys)

gecco · January 20, 2023, 12:06pm

Thank you very much for your message. Will draw a diagram later + config.
A really simple depiction is:

Our office subnet is 10.4.10.0/24. I want the wireguard road warrior to have an ip adress within this range.

Larsa · January 20, 2023, 12:41pm

Yes, it’s possible if you are able to allocate a free subnet for the remote clients within that adress range like for example 10.4.10.0/29 (6 clients) or 10.4.10.0/28 (14 clients).

You can calculate different subnet options using: https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=29&cip=10.4.10.0&ctype=ipv4&printit=0&x=68&y=21

Just bear in mind that the Mikrotik WG implementation doesn’t offer dynamic allocation of ip addresses (of your office address subnet) thus you have to allocate a static ip for each client.

anav · January 20, 2023, 1:23pm

Without a much clearer set of requirements that doesnt talk about the config in any way, and a network diagram, wont touch it with a 10 foot pole.
https://forum.mikrotik.com/viewtopic.php?p=908118

gecco · January 20, 2023, 7:48pm

Thank you very much for your replies.

Drawing of the network setup is enclosed. I configured a test setup according to Larsa with a wireguard with an ip range within the subnet. However, tunnel is up an running (handshake), but no connection is possible within the subnet 10.1.10.0/24

# jan/20/2023 20:14:14 by RouterOS 7.5
# model = RouterBOARD 3011UiAS

/interface bridge
add name=bridge5_private protocol-mode=none
add name=bridge7_dmz protocol-mode=none
add arp=proxy-arp name=bridge10_office protocol-mode=none
add name=bridge99_mgmt protocol-mode=none
add name=bridge200_public protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1_mgmt
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] name=ether5_trunk
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] poe-out=off
/interface pppoe-client
add add-default-route=yes comment=ISP disabled=no interface=sfp1_gateway \
    keepalive-timeout=60 max-mtu=1480 name=pppoe-out1 use-peer-dns=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1-roadwarrior
/interface vlan
add interface=ether5_trunk name=vlan5.5_private vlan-id=5
add interface=ether5_trunk name=vlan5.7_dmz vlan-id=7
add interface=ether5_trunk name=vlan5.10_office vlan-id=10
add interface=ether5_trunk name=vlan5.99_mgmt vlan-id=99
add interface=ether5_trunk name=vlan5.200_public vlan-id=200
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile_nat-traversal
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=FH local-address=xx.xx.xx.xx name=\
    peer_fh profile=profile_nat-traversal
add comment="dynamic Hub, CA" local-address=xx.xx.xx.xx name=\
    peer_dynamic-ip passive=yes profile=profile_nat-traversal \
    send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-128-cbc \
    lifetime=8h
add auth-algorithms=sha256,sha1 enc-algorithms=aes-128-cbc,des lifetime=1h \
    name=proposal_custom
/ip pool
add name=pool10_office ranges=10.1.10.10-10.1.10.30
add name=pool5_private ranges=10.1.5.10-10.1.5.50
add name=pool99_mgmt ranges=10.1.99.10-10.1.99.20
add name=pool200_public ranges=10.1.200.10-10.1.200.240
/ip dhcp-server
add address-pool=pool5_private interface=bridge5_private lease-time=1d name=\
    dhcp5_private
add address-pool=pool200_public interface=bridge200_public lease-time=3d \
    name=dhcp200_public
add address-pool=pool10_office interface=bridge10_office lease-time=1d name=\
    dhcp10_office
add address-pool=pool99_mgmt disabled=yes interface=bridge99_mgmt lease-time=\
    1d name=dhcp99_mgmt
/interface bridge port
add bridge=bridge200_public ingress-filtering=no interface=vlan5.200_public
add bridge=bridge99_mgmt ingress-filtering=no interface=vlan5.99_mgmt
add bridge=bridge5_private ingress-filtering=no interface=vlan5.5_private
add bridge=bridge10_office ingress-filtering=no interface=vlan5.10_office
add bridge=bridge99_mgmt ingress-filtering=no interface=ether1_mgmt
add bridge=bridge7_dmz ingress-filtering=no interface=vlan5.7_dmz
/interface wireguard peers
add allowed-address=10.1.10.100/32 comment=testClient endpoint-port=13231 \
    interface=wireguard1-roadwarrior public-key=\
    "xxx"
/ip address
add address=10.1.10.254/24 interface=bridge10_office network=10.1.10.0
add address=10.1.5.254/24 interface=bridge5_private network=10.1.5.0
add address=10.1.200.254/24 interface=bridge200_public network=10.1.200.0
add address=10.1.99.254/24 interface=bridge99_mgmt network=10.1.99.0
add address=10.1.7.254/24 interface=bridge7_dmz network=10.1.7.0
add address=10.1.10.96/28 interface=wireguard1-roadwarrior network=10.1.10.96
/ip dhcp-server network
add address=10.1.5.0/24 dns-server=10.1.5.254 gateway=10.1.5.254
add address=10.1.7.0/24 dns-server=10.1.7.254 gateway=10.1.7.254
add address=10.1.10.0/24 dns-server=10.4.10.203,10.1.10.201 domain=pale.local \
    gateway=10.1.10.254
add address=10.1.99.0/24 dns-server=10.4.10.203,10.1.10.201 domain=pale.local \
    gateway=10.1.99.254
add address=10.1.200.0/24 dns-server=10.1.200.254 gateway=10.1.200.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.1.10.0/24 list=1.10_office
add address=10.1.200.0/24 list=1.200_public
add address=10.1.5.0/24 list=1.5_private
add address=10.1.99.0/24 list=1.99_mgmt
add address=10.1.0.0/16 list=1_all
add address=10.3.0.0/16 list=3_all
add address=10.3.10.0/24 list=3.10_office
add address=10.3.2.0/24 list=3.2_pos
add address=10.3.99.0/24 list=3.99_mgmt
add address=10.4.0.0/16 list=4_all
add address=10.4.10.0/24 list=4.10_office
add address=10.4.99.0/24 list=4.99_mgmt
add address=10.1.7.0/24 list=1.7_dmz
add address=10.4.5.0/24 list=4.5_private
add address=10.2.0.0/16 list=2_all
add address=10.2.99.0/24 list=2.99_mgmt
add address=10.2.5.0/24 list=2.5_private
add address=10.1.110.0/24 list=1.0_wireguard
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "=== FASTTRACK === accept related/established except ipsec" \
    connection-mark=!ipsec connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=input comment="=== COMMON === Drop Invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="Allow Established connections" \
    connection-state=established
add action=accept chain=input comment="Allow Related connections" \
    connection-state=related
"=== ACCESS TO MT === ALWAYS ACTIVE!" \
    src-address-list=1_all
add action=accept chain=input src-address-list=2_all
add action=accept chain=input src-address-list=3_all
add action=accept chain=input src-address-list=4_all
add action=accept chain=input comment="=== Allow DNS ===" dst-port=53 \
    in-interface=!pppoe-out1 protocol=tcp
add action=accept chain=input dst-port=53 in-interface=!pppoe-out1 protocol=\
    udp
add action=accept chain=forward comment=\
    "=== REMOTE === ROUTER ___pppoe-out1 (pptp)" protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
add action=drop chain=forward comment=\
    "=== ISOLAT BRIDGES === Block traffic between bridges" in-interface=\
    bridge5_private out-interface=!pppoe-out1
add action=drop chain=forward in-interface=bridge7_dmz log-prefix=log_test_ \
    out-interface=!pppoe-out1
add action=drop chain=forward in-interface=bridge10_office log-prefix=\
    log_test_ out-interface=!pppoe-out1
add action=drop chain=forward in-interface=bridge99_mgmt out-interface=\
    !pppoe-out1
add action=drop chain=forward in-interface=bridge200_public out-interface=\
    !pppoe-out1
add action=accept chain=input comment=\
    "=== IPSec & L2TP | 500 (IPSec Port) ===" dst-port=500 in-interface=\
    pppoe-out1 protocol=udp
add action=accept chain=input comment=\
    "IPSec & L2TP | 4500 (NAT Traversal Port)" dst-port=4500 in-interface=\
    pppoe-out1 protocol=udp
add action=accept chain=forward comment="=== IPSEC FH === allow FH to APP" \
    dst-address-list=1.99_mgmt src-address-list=4.99_mgmt
add action=accept chain=forward dst-address-list=1.10_office \
    src-address-list=4.10_office
add action=accept chain=forward disabled=yes dst-address-list=1.99_mgmt \
    src-address-list=4.10_office
add action=accept chain=forward comment="=== IPSEC HUB === allow HUB to APP" \
    dst-address-list=1.99_mgmt src-address-list=3.99_mgmt
add action=accept chain=forward dst-address-list=1.10_office \
    src-address-list=3.10_office
add action=accept chain=forward disabled=yes dst-address-list=1.99_mgmt \
    src-address-list=3.10_office
add action=accept chain=forward comment="=== IPSEC CA === allow CA to APP" \
    dst-address-list=1.99_mgmt src-address-list=2.99_mgmt
add action=accept chain=forward dst-address-list=1.7_dmz dst-port=22,9091 \
    log-prefix=private_____ protocol=tcp src-address-list=2.5_private
add action=drop chain=forward comment=\
    "=== IPSEC COMMON === Drop everything else" dst-address-list=1_all \
    src-address-list=4_all
add action=drop chain=forward dst-address-list=1_all src-address-list=3_all
add action=drop chain=forward dst-address-list=1_all src-address-list=2_all
add action=drop chain=input comment="=== DROP EVERYTHING ELSE ===" \
    log-prefix=###drop_input###
/ip firewall mangle
add action=mark-connection chain=forward comment="=== FASTTRACK & IPSEC ===" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
    new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=accept chain=srcnat comment="IPSec & L2TP" dst-address-list=3_all \
    src-address-list=1_all
add action=accept chain=srcnat dst-address-list=2_all src-address-list=1_all
add action=accept chain=srcnat dst-address-list=4_all src-address-list=1_all
add action=masquerade chain=srcnat comment="NAT PPPOE" out-interface=\
    pppoe-out1
add action=dst-nat chain=dstnat comment="DMZSRV01 ___plex, transmission, ssh" \
    dst-port=32400 protocol=tcp to-addresses=10.1.7.201
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add auth-method=pre-shared-key-xauth peer=peer_fh username=fh_app
add auth-method=pre-shared-key-xauth generate-policy=port-override peer=\
    peer_dynamic-ip username=app_hub
add auth-method=pre-shared-key-xauth disabled=yes generate-policy=\
    port-override peer=peer_dynamic-ip username=app_ca
/ip ipsec policy
add comment=FH dst-address=10.4.0.0/16 peer=peer_fh proposal=proposal_custom \
    src-address=10.1.0.0/16 tunnel=yes
add comment="Template Hub" dst-address=10.3.0.0/16 proposal=proposal_custom \
    src-address=10.1.0.0/16 template=yes
add comment="Template CA" disabled=yes dst-address=10.2.0.0/16 proposal=\
    proposal_custom src-address=10.1.0.0/16 template=yes
set 3 disabled=yes

What is my goal?
I want that road warriors get an ip address within the ip range 10.1.10.0/24
OR
kind of routing is working so that the road warrios “behave” like they have a ip address within the ip range 10.1.10.0/24

Thank you very much in advance
wiregaurd.drawio.png

anav · January 20, 2023, 7:59pm

Okay, so a few differences wireguard is peer to peer.
So you have choices,
a. connect RW to site 1 directlly via wireguard and
b. connect RW to site 2 directly via wireguard OR
c. connect RW to site1 directly and via the same or different wireguard interface on site 1 relay to site2 OR
d. connect RW to site 2 directly and via the same or different wiregard interface on site 2 relay to site 1

Connectivity is very much dependent upon which ROUTERS have accessible public IP addresses or have routers in front of them that can port forward to the MT.
IN terms of connecting the two devices, it would be important to know this fact as then one will be a client for the initial handshake and the other the server.
If they both are capable then we can expand that to either way. Is one of them the Central site (1) and other a branch site (2).

Is there any reason you may want to keep the tunnel between the two routers separate from the tunnels of RW to Sites, it adds complexity and overhead without gaining any security as the routes, peers allowed and firewall rules will permit granular control of access…

Finally are both sites Mikrotik devices ??

It speaks as I said to stating clearly the users needs… telling me they get an office IP is useless and not how WG works.
What I need to know are the users requirements.
a. connect to other users/devices on subnet A at site 1
b. connect to a single device on subnet B at site 2
c. access the internet through Site 3

That is traffic originating at the RW !

Now between site1 and site 2 you would need to detail users originating traffic to each other
site 1 users to site 2
site 2 users to site 1

admin traffic ( assuming at R1 to config R1, at R2 to config R2) but via wireguard.
R1 admin able to config R2
R2 admin able to config R1
RW admin to be able to config both R1 and R2 ???

gecco · January 22, 2023, 9:00am

Thank you very much for your input. Did a small test setup and the suggestion form @Larsa worked.

anav · January 22, 2023, 3:39pm

The intent of wireguard is not to provide the same subnet addressing that may exist on the office LAN.
I believe zerotier or other methods are better suited to such endeavours. Wireguard is peer to peer.

What you can do as a RW is come out of the tunnel and then through firewall rules.
access any device or user on any subnet as required and setup by the admin.

THERE IS NO NEED to be part of the subnet… and thus not sure what functionality you are using or requirement that the RW coming in has the same IP addressing ???

The fact that you got it working is cool, but I dont understand the need so cannot really comment further.