Route all traffic to VPN (With exceptions)

RouterOS General
1

Greetings. I have MikroTik RB962UiGS-5HacT2HnT / Router OS 7.2.1 with mostly default configuration, and a manually configured wireguard interface (Client) that is up and running.
How can I route all outgoing connections through that wireguard1 interface?
My first attempt was adding static route for 8.8.8.8 and trying to ping it from device connected from LAN, this works.
My second attempt was to manually add static routes for all the subnets except 10.10.10.0/24 which is LAN. This does not work. Probably because wireguard connection itself must connect to WAN directly. I can add an exception for it too, but this is not future-proof solution because wireguard peer endpoint (IP) will be resolved from peer host one day (When this feature will be implemented), so I need a better one. The ultimate rule is something like “Whatever comes from wlan1/wlan2/ether2/ether3/ether4/ether5/bridge is redirected to wireguard1, unless destination is in 10.10.10.0/24 subnet”.

Any clue/a rule of thumb on how to solve this case will be helpful. I don’t need precise instructions.

Port forwarding through Proton VPN?
2

Hi,
You can find all you need in these posts.
http://forum.mikrotik.com/t/route-internet-traffic-mt-via-wireguard-tunnel-through-mt-wg-peer/154825/1
https://forum.mikrotik.com/viewtopic.php?t=182340

3

Hi L117, Lets get some facts.
The MT RoS wifi router is acting as wireguard client.

What are you connecting to??? Third party VPN??
If so check out para 7, in the above link!

If you need to force local users out internet via the wireguard tunnel instead of the the local ISP?
Then check out - Para J here - https://forum.mikrotik.com/viewtopic.php?t=182373

It is not clear what you mean by force all users except for destination 10.10.10.0/24
Are you talking an internal private IP on the router OR are you talking a single public IP on the internet???

Internal routes are more discreetly identified (or have higher value in routing than 0.0.0.0/0 (which has the lowest value), and thus the internal route will take precedence over 0.0.0.0/0 and all internal traffic, LAN to LAN etc will not go into the tunnel.

4

Thanks for replies.

What are you connecting to??? Third party VPN??

Yes. In my case it is Cryptostorm VPN provider.

If you need to force local users out internet via the wireguard tunnel instead of the the local ISP?

Yep, that’s what I needed.

It is not clear what you mean by force all users except for destination 10.10.10.0/24
Are you talking an internal private IP on the router OR are you talking a single public IP on the internet???

I was talking about internal IP. Sorry for my english, it is not good enough to express my thought well.

Internal routes are more discreetly identified (or have higher value in routing than 0.0.0.0/0 (which has the lowest value), and thus the internal route will take precedence over 0.0.0.0/0 and all internal traffic, LAN to LAN etc will not go into the tunnel.

I had no idea and always thought that only metric/distance affects precedence. Thanks.

I ended up using these instructions http://littlefool.de/posts/mullvad-wireguard-with-routeros-7/ .
With two little corrections:

  1. Used bridge in last two bits of NAT configuration (in-interface) as all of the local interfaces are bridged.
  2. Disabled fasttrack in firewall/filters as it was affecting performance. What is the purpose of fasttrack, by the way?
5

Do NOT disable fastrack!!

Post your wireguard config and will have a look.
/export file=anynameyou wish.

Assuming the VPN site gave you
a. endpoint IP
b. endpoint port
c. Ip address for you to use as client probably something like 172.24.20.2/32
d. public Key to stick into the MT Peer settings for the VPN service.

Assuming you passed to the VPN site
a. your public key from the wireguard interface definition (name=wireguard1) to give to the peer setting on the remote site, in this case the VPN provider.

++++++++++++++++++++++++++++++++++++
On your PEER Settings on the MT
a.- Allowed IPs 0.0.0.0/0
b.- KEEP alive, use something like 40 seconds.
++++++++++++++++++++++++++++++++++

On the MT router (assuming the subnet needing internet is 192.168.10.0/24)

(1) ADD IP address 172.24.20**.2/24** interface=wireguard1

(2) Firewall Rules add chain=forward action=accept src=address=192.168.10.0/24 out-interface=wireguard1

(3) IP ROUTES.

Assuming you already either have a existing dynamic default route for your ISP (due to on IP DHCP client stating add default route=yes), or a manually created route.
dst-address=0.0.0.0/0 gateway=ISP gwy IP table=main.

You need an additional Route and an associated table and as many route rules as subnets…
Create table
/routing table add name=useWG fib

Create additional route
/ip route
dst-address=0.0.0.0/0 gwy=wireguard1 table=useWG

Create Route rules.
/route rule add src-address=subnet-1 action=lookup table=useWG
/route rule add scr-address=subnet-2 action=lookup table=useWG

/route rule add src-address=subnet-last action=lookup table=useWG

Note1: Using action=lookup means, that if the wireguard tunnel is down the router will look at the main table and find a route so users could go out normal ISP for internet.
Note2: if you use action=lookup-only-in-table, if the wireguard tunnel is not working, then no internet will be found as the router will not look for an alternative route.

(4) Finally the tricky part, and the most often overlooked part. SOURCE-NAT
Think about this, what do you think the ALLOWED IP PEER setting is at the server… What source IP addresses is it expecting to come from your side…
The answer is 172.24.20.2

Answer the next question… What source IPs do you have at the moment hitting tunnel.
answer IPs from subnets 1,2… Last (a gazillion IPs and none of the what the server is expecting.
What will be the result? The third party Wireguard Crypto processing will drop all your traffic.

SOLUTION: we have to source nat all the subnet traffic.
So your source nat rules would look like.

Option 1:

/interface list
add name=WAN
add name=LAN
/interface list members
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=WAN
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN


OR if you dont add the wireguard interface to the WAN interface list
Option 2:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1   ( assuming ether1 is the name of your WAN interface, it could be pppoe-1, or a vlan etc.)
add chain=srcnat action=masquerade out-interface=wireguard1