Route specific source connections through WG

Chasteaux · November 26, 2022, 5:43am

I am sure I am missing something basic.
I am trying to route traffic from a specific list of hosts through wireguard vpn.

# nov/25/2022 21:36:20 by RouterOS 7.6
# software id = 18FZ-89CU
#
# model = RB3011UiAS
/ip firewall address-list
add address=192.168.88.253 list=wireguard

I setup wireguard on my router:

# nov/25/2022 23:41:45 by RouterOS 7.6
# software id = 18FZ-89CU
#
# model = RB3011UiAS

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add endpoint-address=us9690.nordvpn.com endpoint-port=51820 interface=wireguard1 persistent-keepalive=25s public-key=\
    "<pub>"

Now how do I tell it to route everything from that list, through the wireguard vpn, but still allow LAN connections (192.168.88.0/24)?

anav · November 27, 2022, 1:34am

Need full config please, if I am to be of assistance.
/export hide-sensitive file=anynameyouwish ( minus router serial number and any public WANIP information )

wuhoatu · November 27, 2022, 6:17am

Put this on the top of mangle tab, so it will accept all your local connection without routing to any other interface.

/IP firewall mangle
add action=accept chain=prerouting disabled=no src-address=192.168.88.0/24 dst-address=192.168.88.0/24 in-interface=BridgeLAN

Then, you can route an IP list connection via VPN routing table with dst-address-type is not local
/ip firewall mangle
add action=mark-routing chain=prerouting src-address-list=ListA dst-address-list=ListB dst-address-type=!local new-routing-mark=VPN_routing_table passthrough=no

Chasteaux · November 28, 2022, 9:42pm

Put this on the top of mangle tab, so it will accept all your local connection without routing to any other interface.
/IP firewall mangle
add action=accept chain=prerouting disabled=no src-address=192.168.88.0/24 dst-address=192.168.88.0/24 in-interface=BridgeLAN
Then, you can route an IP list connection via VPN routing table with dst-address-type is not local
/ip firewall mangle
add action=mark-routing chain=prerouting src-address-list=ListA dst-address-list=ListB dst-address-type=!local new-routing-mark=VPN_routing_table passthrough=no

I got it to work by adding a new routing table with the wireguard as the default gateway, and creating a routing rule to use this table for the specific clients that I want to go through vpn.
Is that basically what this mangle rule is doing?

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=usWG1 suppress-hw-offload=no
/routing table
add fib name=usWG1
/routing rule
add action=lookup disabled=no src-address=192.168.88.254/32 table=usWG1
add action=lookup disabled=no src-address=192.168.88.250/32 table=usWG1
add action=lookup disabled=no src-address=192.168.88.251/32 table=usWG1

anav · November 28, 2022, 11:31pm

That is the better way yes, you can do an entire subnet or 3 individual users. All good.

By the way if they need also to access a different subnet on the lan, just put another routing rule BEFORE the wg ones, so that they can access local devices aka like a printer.
add dst-address=IPofPrinter action=lookup-only-in-table table=main

malabar · April 5, 2023, 1:01pm

Hi anav,

I’m promoting this post as I have a very similar situation described. Let me know if I need to open a new post.
See below my network diagram:

My problem is, when I access my local network via Wireguard - Road Warrior from outside (laptop with IP 192.168.50.2), I have access to my router and all LAN devices (I added Wireguard interface to LAN interface list), except access to the Raspberry Pi which is routed to Surfshark VPN (via Wireguard), since I need all traffic from this device to go out via VPN.

My question is, how can I keep this Raspberry routed to Surfshark VPN, and at the same time be able to access it from outside my local network?

Here’s routing code:

/routing rule
add action=lookup-only-in-table comment="Orange Pi" disabled=no interface=\
    bridge src-address=192.168.87.241/32 table=Surfshark

I’ve already tried to change to “lookup” in action, but doesn’t work.

Firewall address lists and filters:

/ip firewall address-list
add address=192.168.87.241 list=Under_VPN
add address=192.168.87.247 disabled=yes list=Under_VPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment="Allow Wireguard - Road Warrior" \
    dst-port=22134 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow IPSec" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept vpn encrypted input traffic" \
    ipsec-policy=in,ipsec src-address=192.168.67.0/24
add action=accept chain=input comment=\
    "Allow Wireguard - Road Warrior reach LAN" disabled=yes src-address=\
    192.168.50.0/24
add action=accept chain=input comment=\
    "Accept vlan2 & 3  (IPTV & VoIP) multicast & broadcast traffic" \
    dst-address-type=!unicast in-interface-list=Vlan2&3
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "drop communication from LAN to GUEST network" dst-address=\
    192.168.77.0/24 src-address=192.168.87.0/24
add action=drop chain=forward comment=\
    "drop communication from GUEST network to LAN" dst-address=\
    192.168.87.0/24 src-address=192.168.77.0/24
add action=drop chain=forward comment="Block Brother printer to Internet" \
    out-interface-list=WAN src-address=192.168.87.249
add action=drop chain=forward comment=\
    "Drop all new unicast traffic from vlan3 & 2 (Voip & Iptv) not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new dst-address-type=\
    unicast in-interface-list=Vlan2&3
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

IP addresses:

/ip address
add address=192.168.87.1/24 comment=defconf interface=bridge network=\
    192.168.87.0
add address=192.168.77.1/24 interface=bridge-guests network=192.168.77.0
add address=10.14.0.2/16 interface=WG-Surfshark network=10.14.0.0
add address=192.168.50.1/24 interface=Wireguard-rw network=192.168.50.0

Thanks in advance,

anav · April 5, 2023, 1:40pm

First try this…

/routing rule
add action=lookup-only-in-table dst-address=192.168.50.2 table=main { has to be first rule }
add action=lookup-only-in-table comment=“Orange Pi” src-address=192.168.87.241/32 table=Surfshark { note dont need bridge interface in there }

malabar · April 5, 2023, 2:36pm

Ah yes! It works:

I removed “bridge” interface as mentioned.
Added in first position the rule you said. As I have several devices going through Wireguard, I specified whole range of IPs (192.168.50.0/24), I guess it’s OK?

Thanks anav,

anav · April 5, 2023, 3:02pm

Yup if you need lan to lan traffic from the users going out wireguard " THIS THE WAY "