[ROS7] How to get public IP (sort of)

Okay, so you want to fill up a "how to get a public IP" thread with other crap. I can do that.

(1) My recommendation is not to use the same name for the WireGuard interface as for the table you use to direct people out the WireGuard tunnel.
/routing table
add disabled=no fib name=useWG99

That way it's clear what it's for, but distinct from the actual WireGuard interface name.

(2) Why is your IP address for wg99 10.200.200.2/24? Was it given to you by a third-party provider?

By the way, the reason Sob suggested 0.0.0.0/0 for allowed IPs is that he was assuming internet access was desired. Such an astute observation.
The important thing to note here is that 0.0.0.0/0 includes the 10.200… subnet, so you should still be able to ping the server with no issues.

(3) These rules are TOO WIDE OPEN
add action=accept chain=forward in-interface=wg99
add action=accept chain=forward out-interface=wg99

In other words, where do you want the users on your network to go, OR where do you want the users on a remote network to go?
You probably don't need or want both!

Assuming you want to let your LAN users go out the 3rd-party VPN for internet, this is much clearer and more accurate:
add action=accept chain=forward src-address=192.168.88.0/24 out-interface=wg99

(4) And you should move those rules (sorry, the new singular rule) under the default rules, like right after the drop invalid rule!

(5) OKAY NOW WE HAVE A PROBLEM

/routing rule
add action=lookup disabled=yes src-address=192.168.88.253/32 table=wg99

What are you doing here? This may be unnecessary.
Did you not want your entire subnet to use the third-party VPN?

If not, and let's say you ONLY wanted a single user to use the VPN, then let's make the changes necessary.
Then all you need to do is this…
add action=accept chain=forward src-address=192.168.88.253/32 out-interface=wg99

If you had a number of IPs on the subnet requiring such,
simply make a firewall address list and use src-address-list.

NOTE: I am assuming you have an IP route for the rest of the subnet users, not visible because you have selected YES to "add default route" in IP DHCP client???
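As an added example (not configuration posted by anyone in this thread), here is a complete RouterOS 7 version of what the post above recommends: a routing table named for its purpose rather than after the interface, only one LAN host sent out wg99, an address list for the firewall side, a forward rule per direction instead of "accept anything in or out of wg99", and the fasttrack exclusion. It assumes the interface name wg99, the LAN 192.168.88.0/24 and the host 192.168.88.253 from the thread, plus a peer whose allowed-address is 0.0.0.0/0 (full tunnel). The table name useWG99 and the list name useWG99-hosts are my choices.

```routeros
# Added example for this thread, not configuration posted by any participant.
# Assumptions: interface wg99 already exists with 10.200.200.2/24 and a peer
# with allowed-address=0.0.0.0/0 (full-tunnel provider); the LAN is
# 192.168.88.0/24; 192.168.88.253 is the only host that should use the VPN.
# Table name useWG99 and address-list name useWG99-hosts are my choices.

# 1. Routing table named for its purpose, distinct from the interface name.
/routing table
add disabled=no fib name=useWG99

# 2. The only route in that table: default via the tunnel.
/ip route
add dst-address=0.0.0.0/0 gateway=wg99 routing-table=useWG99 \
    comment="VPN default route, used only via table useWG99"

# 3. Address list of LAN hosts that must use the VPN (add more entries as needed).
/ip firewall address-list
add list=useWG99-hosts address=192.168.88.253 comment="host that uses the VPN"

# 4. Routing rules for that host, matched top to bottom:
#    first keep the LAN (including the router's own LAN address) reachable
#    via main, then send everything else from the host to the VPN table only.
#    lookup-only-in-table fails closed: if the tunnel route disappears the
#    host loses internet instead of silently going out the WAN, which is
#    what plain action=lookup (fallback to main) would do.
/routing rule
add action=lookup src-address=192.168.88.253/32 dst-address=192.168.88.0/24 \
    table=main comment="LAN traffic stays local"
add action=lookup-only-in-table src-address=192.168.88.253/32 table=useWG99 \
    comment="everything else from this host -> VPN only"

# 5. NAT: the provider only knows 10.200.200.2, so LAN sources are masqueraded.
/ip firewall nat
add chain=srcnat out-interface=wg99 action=masquerade comment="LAN -> VPN"

# 6. Firewall: one narrow forward rule per direction. Placed before the
#    fasttrack rule, as the original script did, so this traffic is not
#    fasttracked and keeps passing through the normal firewall path.
/ip firewall filter
add chain=forward action=accept src-address-list=useWG99-hosts out-interface=wg99 \
    connection-state=new,established,related \
    comment="listed LAN hosts -> VPN" \
    place-before=[find where action=fasttrack-connection]
add chain=forward action=accept in-interface=wg99 dst-address-list=useWG99-hosts \
    connection-state=established,related \
    comment="only replies come back from the VPN to listed hosts" \
    place-before=[find where action=fasttrack-connection]
```

For several hosts, either add one routing rule pair per host in step 4, or replace step 4 with a mangle rule in chain=prerouting matching src-address-list=useWG99-hosts with action=mark-routing new-routing-mark=useWG99 (the table must exist first); the address list in steps 3 and 6 then covers the firewall side for all of them. Verify with /routing rule print and /ip route print where routing-table=useWG99, then check the host's public IP from a browser.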

@anav: So you didn't notice that it's the same thing, only instead of using it for incoming connections, the last question is about outgoing ones? Not much difference.

Nope, without a diagram or stated requirements it's Greek to me! I stay away from assumptions.

I have followed the instructions from the very first post on this thread. I didn't have to configure everything related to WireGuard in MikroTik, as everything is a result of the pasted command on the terminal.


Here is a copy of the command:

# Create wireguard interface
/interface wireguard add listen-port=13235 mtu=1420 name=wg99 private-key="qK+H0jPkvBBrJQbp2cYsSIqcVso3kZfBOFGFl3Dxa0s="

# Connect to the wireguard server
/interface wireguard peers add allowed-address=10.200.200.0/24 endpoint-address=172.104.48.54 endpoint-port=51820 interface=wg99 persistent-keepalive=25s public-key="9meO7N1VTUNoDzfUQ78ongdfY5H2Y9xupjbeB+H2t1A="

# Set IP for wireguard interface
/ip address add address=10.200.200.2/24 interface=wg99 network=10.200.200.0

# Exclude such traffic from fasttrack/allow in firewall
/ip firewall filter add action=accept chain=forward in-interface=wg99 place-before=[find where action=fasttrack-connection]
/ip firewall filter add action=accept chain=forward out-interface=wg99 place-before=[find where action=fasttrack-connection]

I will try all your recommendations and will let you know the results after.

Hi

Is it possible to get it with SSH tunneling? ssh -R somehow? And after that install WireGuard on MikroTik and self-host it on such a forwarded port?

br
KJ

Hello,

thank you for providing this solution, it works well…

Except for the part where I can access my internal services when using a network other than the same LAN.

  1. LTE on my mobile > go to domain.com > domain loads
  2. Same network as Mikrotik > go to domain.com > domain timed out

Is there any extra step I need to follow for this to work?

I always saw Zerotier as a very nice implementation of STUN/TURN/ICE: Zerotier has a free public TURN server and will switch to STUN if possible. If it is not possible to switch to STUN, it will continue on TURN (passing the traffic over the TURN server). STUN goes directly between the 2 involved sites without going over the TURN server, if "UDP hole punching" or other connection-spoofing techniques work.

https://www.zerotier.com/2014/08/25/the-state-of-nat-traversal/

Maybe there is somewhere a STUN/TURN/ICE server or setup that can be used for WireGuard without access via a public IP on all sites with MT.
https://medium.com/orion-innovation-turkey/webrtc-in-a-nutshell-ep-iii-19ce0e967969