Please save my Christmas VPN Network

daddyfix · December 14, 2020, 3:39pm

I have been trying to configure my RPI4 Wireguard VPN server and Mikrotik router for a few days.
Now I look and feel like the Grinch! Can Anyone please help, SantaTik? Are you out there?

Design

WIREGAURD CLIENT ----- INTERNET ----- MICROTIK RB4011iGS+RM ----- RPI4 WIREGUARD SERVER
IP 192.168.10.10------ WAN IP  ------- 192.168.1.1/24 LAN ----- 192.168.1.120, VPN 192.168.10.1 LAN

Below was used to work with my NetGear Router

RPI4 Wiregard Server wg0.conf

[Interface]
PrivateKey = iF<SECRET>2I=
Address = 192.168.10.1/24
ListenPort = 993
DNS = 192.168.1.1

### begin laptop ###
[Peer]
PublicKey = Nu<SECRET>w=
PresharedKey = 05<SECRET>U=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
#AllowedIPs = 192.168.10.10/32
### end laptop ###

Laptop wg0.conf

[Interface]
PrivateKey = KG<SECRET>g=
Address = 192.168.10.10/24
DNS = 192.168.1.1, 208.67.222.222, 208.67.220.220
MTU = 1420

[Peer]
PublicKey = ln<SECRET>Co=
PresharedKey = 05<SECRET>pU=
Endpoint = pimedia.ca:993
AllowedIPs = 192.168.1.0/24, 192.168.10.0/24
#AllowedIPs = 192.168.0.0/16

Laptop Connection

[mcon@mcon-XPS-15-9550 ~]$ wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.10.10/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] ip -4 route add 192.168.1.0/24 dev wg0

[mcon@mcon-XPS-15-9550 ~]$ ip addr show wg0
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.10.10/24 scope global wg0
       valid_lft forever preferred_lft forever
       
[mcon@mcon-XPS-15-9550 ~]$ ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 192.168.10.10  netmask 255.255.255.0  destination 192.168.10.10
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 52  bytes 7696 (7.6 KB)
        TX errors 11  dropped 0 overruns 0  carrier 0  collisions 0

My Current MikroTik Setup

My Wireguard Client Connections works but I don’t know how to allow traffic from the RPI4 VPN (192.168.1.120) client connections to the LAN(192.168.1.1/24)

Sob · December 14, 2020, 4:05pm

Is 192.168.10.0/24 only on RPi? Does the rest of LAN know about it? This should make it better:

/ip route
add dst-address=192.168.10.0/24 gateway=192.168.1.120

anav · December 14, 2020, 5:38pm

I can picture Sob wearing an elf hat!!!

daddyfix · December 14, 2020, 5:58pm

Q. Is 192.168.10.0/24 only on RPi?

A. The RPI4 has a LAN Address of 192.168.1.120 and then it issues wireguard client addresses as 192.168.10.x

Q. Does the rest of LAN know about it?

A. I dont know how to check that

So, I added the route

But i still cant communicate with my LAN from the Wireguard Client (192.168.10.10) ?

I tried to PING a LAN IP (192.168.1.130) but it fails. Do I need to add a ICMP rule for the LAN?

[mcon@mcon-XPS-15-9550 ~]$ ping 192.168.1.130
PING 192.168.1.130 (192.168.1.130) 56(84) bytes of data.

^C
--- 192.168.1.130 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21494ms

Thanks for your hints…

daddyfix · December 14, 2020, 5:59pm

LOL

Sob · December 14, 2020, 6:55pm

According to screenshot, you have address 192.168.10.1/24 on router, and it may not be what you want. Or what is your exact plan with subnets? Should 192.168.10.0/24 be only for VPN clients, or should some devices in LAN also have addresses from this subnet?

@anav: I can tell you don’t know my native language, otherwise you couldn’t guess that wrong.

(although it’s just coincidence, the nickname is not based on the animal)

anav · December 14, 2020, 8:04pm

Let me guess you real name is Irvas?
or did your parents have a sense of humour Irvass ;-))

To set the record straight, to anyone, we are NOT related.
“Camelids are not ruminants taxonomically, physiologically, or behaviorally”

Hmm, I wonder if you will be able to src nat or dst nat your way out of this thread LOL…It seems your favourite rabbit out of the hat trick LOL.

Sob · December 14, 2020, 9:40pm

This one should be easy, I’ll just blame it on user error. Not only is 192.168.10.1/24 on router, it’s on WAN interface on top of that. So if VPN clients connected to RPi server get addresses from same subnet, some part of this config is not right.

Otherwise no further comments for now.

daddyfix · December 14, 2020, 10:41pm

Ok. You tickled my interest.

I could change the VPN router clients IP to 192.168.1.1/24 but Im afraid that there will be a conflict with the current Mikrotik DHCP Leases on 192.168.1.1/24

Q. What is you exact plan with the subnets?

A. My main goal is to have ONLY myself and my wife connect to the VPN and access the Internet and LAN machines

Q. Should 192.168.10.0/24 be only for VPN clients, or should some devices in LAN also have addresses from this subnet?

A. Only VPN Clients can 192.168.10.0/24. All regular LAN clients have the 192.168.1.0/24 subnet

daddyfix · December 14, 2020, 10:58pm

Where you say 192.168.10.1/24 is on the WAN interface, what do you mean?

Sob · December 15, 2020, 12:54am

Fifth line in your screenshot is dynamic route to 192.168.10.0/24 on ether1, which based on default route (I’m not sure why you have two, but it doesn’t matter now) is your WAN port, i.e. connected to internet. The route has preferred source 192.168.10.1, which means that for some reason you added 192.168.10.1/24 as address on ether1. Unless there’s a reason to have it there, which I don’t know about, it looks like mistake and it shouldn’t be there or anywhere else on this router. In any case, it conflicts with same subnet for VPN clients on RPi.

daddyfix · December 15, 2020, 3:30am

Sob, You were exactly right when you had me adjust the routes as so

My problem was the wireguard setup AND the Mikrotik Route.

192.168.1.0/24 is the router LAN network

RPI4 VPN Server

[Interface]
Address = 192.168.10.1
PrivateKey = xxx
ListenPort = 993
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = xxx
AllowedIPs = 192.168.10.2/32

Ensure port forwarding is set in /etc/sysctl.conf on VPN Server

net.ipv4.ip_forward=1

LAPTOP or TABLET VPN CLIENT

[Interface]
Address = 192.168.10.2
PrivateKey = xxx
ListenPort = 993

[Peer]
PublicKey = xxx
Endpoint = pimedia.ca:993
AllowedIPs = 192.168.10.0/24, 192.168.1.0/24

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

Merry Christmas Sob! Without your help I would been running in circles till the New Year

Sob · December 15, 2020, 4:59am

One tiny little detail, when you added source NAT on RPi like you did, you don’t need the route (at least for connections from VPN to LAN).

anav · December 15, 2020, 12:50pm

F#&k Me, a reindeer that eats pie, what next a Llama eating crow!

daddyfix · March 13, 2021, 8:34pm

Today is Mar 13 2021… My wireguard connection failed after I rebooted Mikrotik

Use this to connect the two networks (Wireguard Clients and LAN). The wireguard default server port is 51820

/ip firewall nat add chain=dstnat dst-port=<internet port> action=dst-nat protocol=udp to-addresses=<IP to Wireguard Server> to-ports=51820