Route traffic from VPN Clients WireguardTunnel to another MikroTik (changed topic)

Hi folks!

I’m tearing my hair out because I’m stuck. I want to offer my brother-in-law (who has no public IP) the possibility to establish a tunnel via my MikroTik - the VPN protocol of choice is OVPN. Once this tunnel is established he should be able to reach the IP of his Gira X1 (Smart-Home) via his iPhone.

There is already a working EoIP tunnel between the two MikroTiks. The clients from my network (192.168.100.0/23) can access resources from the target network (192.168.99.0/24). However, I can’t (I think some NAT rule or something is missing) get the RoadWarrior clients from the oVPN network (192.255.255.0/28) to access the addresses in the destination.

I have drawn a simple diagram:
(diagram: Untitled-2022-11-22-1409.png)
I hope it is understandable what I mean.

Below is the (in my opinion) relevant part of the configuration on my end. I don’t know anything about the NAT/firewall rules - I just played around and tested - none of them worked.

/interface ovpn-server add name=ovpn-markusogris user=markusogris
/interface eoip add allow-fast-path=no mac-address=02:6F:41:85:E0:DC name=eoip_markus_ogris remote-address=remote-adress.mynetname.net tunnel-id=0
/ip pool add name=ios-vpn ranges=192.255.255.1-192.255.255.6
/ppp profile add address-list=OGRIS_allowed_clients bridge=BR_LAN dns-server=192.168.100.254 local-address=192.168.100.254 name=ovpn remote-address=ios-vpn use-compression=no use-encryption=required use-upnp=yes
/interface ovpn-server server set auth=sha256 certificate="VPN Server" cipher=aes256-gcm default-profile=ovpn enabled=yes require-client-certificate=yes tls-version=only-1.2
/ip address add address=10.255.250.254/24 interface=eoip_markus_ogris network=10.255.250.0
/ip route add check-gateway=ping disabled=no distance=10 dst-address=192.168.99.0/24 gateway=10.255.250.253 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ppp secret add name=markusogris profile=ovpn service=ovpn


/ip firewall filter add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
/ip firewall filter add action=accept chain=forward out-interface=eoip_markus_ogris src-address-list=OGRIS_allowed_clients
/ip firewall filter add action=drop chain=forward log=yes out-interface=eoip_markus_ogris
/ip firewall filter add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec log-prefix=IPSEC
/ip firewall filter add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec log-prefix=IPSEC
/ip firewall filter add action=accept chain=forward dst-port=80 protocol=tcp
/ip firewall filter add action=accept chain=input src-address=192.168.100.0/23
/ip firewall filter add action=accept chain=input comment="accept ICMP after RAW" protocol=icmp
/ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LIST_LAN
/ip firewall filter add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="Block YouTube on FireTV Sandro" layer7-protocol=*1 src-address=192.168.100.67
/ip firewall filter add action=drop chain=forward comment=" drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=LIST_WAN
/ip firewall filter add action=drop chain=forward comment="drop bad forward IPs" src-address-list=no_forward_ipv4
/ip firewall filter add action=drop chain=forward comment="drop bad forward IPs" dst-address-list=no_forward_ipv4
/ip firewall mangle add action=mark-connection chain=prerouting comment="Mark connections for hairpin NAT - replaced by cloudflare zero-trust-tunnel" disabled=yes dst-address-list=WAN new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat add action=dst-nat chain=dstnat dst-port=3074,27014-27050 in-interface-list=LIST_WAN protocol=tcp to-addresses=192.168.100.59
/ip firewall nat add action=dst-nat chain=dstnat dst-port=3074,3075,3076,3077,3078,3079 in-interface-list=LIST_WAN protocol=udp to-addresses=192.168.100.59
/ip firewall nat add action=dst-nat chain=dstnat comment="SSH to loki 22" dst-port=8080 in-interface-list=LIST_WAN protocol=tcp to-addresses=192.168.100.211 to-ports=22
/ip firewall nat add action=dst-nat chain=dstnat comment=temp_rule_for_letsencrypt_do_not_change dst-port=80 in-interface-list=LIST_WAN protocol=tcp to-addresses=192.168.100.210 to-ports=80
/ip firewall nat add action=masquerade chain=srcnat comment="lan --> WID (Meraki Client VPN)" out-interface=wid-client-vpn src-address-list=WID_allowed_clients
/ip firewall nat add action=accept chain=srcnat dst-address=192.168.99.0/24 src-address=192.168.100.0/23
/ip firewall nat add action=accept chain=srcnat dst-address=192.168.99.0/24 src-address=192.255.255.0/28
/ip firewall nat add action=masquerade chain=srcnat comment="ios_vpn --> eoip_markus" out-interface=eoip_markus_ogris src-address=192.255.255.0/29
/ip firewall nat add action=masquerade chain=srcnat comment="lan --> internet" out-interface-list=LIST_WAN src-address=192.168.100.0/23

Why not use Wireguard, much easier and faster.

Hey!

Would this problem not exist with WireGuard? I will definitely have a look at it :slight_smile:
I have no experience with WG until now.

Cheers Mate

I’ve created a simple WireGuard Configuration now - same problem. I can reach the destination from within client-network (192.168.100.0/23) but not from mobile.

WG_config_server (with public ip):

/interface wireguard add listen-port=13231 mtu=1420 name=WG_local<-->ogris@home
/interface wireguard add listen-port=13233 mtu=1420 name=WG_local<-->roadwarrior

/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=client_dyndns.remote.com endpoint-port=13231 interface=WG_local<-->ogris@home public-key="public-key-obfuscated"
/interface wireguard peers add allowed-address=0.0.0.0/0 interface=WG_local<-->roadwarrior public-key="public-key-obfuscated"

/ip address add address=192.168.100.254/23 interface=BR_LAN network=192.168.100.0
/ip address add address=10.255.255.1/29 interface=WG_local<-->ogris@home network=10.255.255.0
/ip address add address=10.255.255.17/29 interface=WG_local<-->roadwarrior network=10.255.255.16

/ip route add check-gateway=ping disabled=no distance=10 dst-address=192.168.99.0/24 gateway=10.255.255.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=ping comment=mikrotik-Singapore disabled=no distance=10 dst-address=192.168.98.0/24 gateway=10.255.255.9 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/ip firewall filter add action=accept chain=input comment=WireGuard dst-port=13233,13231 in-interface="ether9 - UPC" protocol=udp

WG_config_remote_router (without public ip):

/interface wireguard add listen-port=13231 mtu=1420 name=WG_local<-->mulatz@home
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=server_hostname.remote.com endpoint-port=13231 interface=WG_local<-->mulatz@home public-key="public-key-obfuscated"

/ip address add address=192.168.99.254/24 interface=ether1 network=192.168.99.0
/ip address add address=10.255.255.2/29 interface=WG_local<-->mulatz@home network=10.255.255.0

/ip route add check-gateway=ping disabled=no distance=9 dst-address=192.168.100.0/23 gateway=10.255.255.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

I noticed that no traffic to other devices is possible, except to the router IP itself (192.168.100.254).

Your setup is confusing…

Do you really need TWO separate wireguard interfaces?
If you do, then you should have two clearly separate subnets.

It also appears that you have two WANs in the MT server.
If so, which one is to be used for wireguard??

Word of note: the server should denote clients by their /32 wireguard IP address.
Unless the client is also a router with subnets, for example, and thus /32 wireguard IP, subnetA, subnetB, assuming subnets A and B are on the client router.

The client devices need to have persistent-keepalive set, like 30s for example…
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

https://forum.mikrotik.com/viewtopic.php?t=182340

I recommend a single wireguard network and call it WG_local-SR MT Server / WG_local-CL MT Client

Server Router
192.168.255.1/24

Client Router
192.168.255.2/24

RW1 ( laptop/ipad - good for router config and access subnets )
192.168.255.3/32

RW2 ( iphone - good for router config )
192.168.255.4/32

++++++++++++++++++++++++++++++++++++++++++++++

Peer Setting Server MT
allowed address = 192.168.255.2/32,192.168.99.0/24 { to client router }
allowed address = 192.168.255.3/32 { to RW1 }
allowed address = 192.168.255.4/32 { to RW2 }

Peer Setting Client MT
allowed address = 192.168.255.0/24,192.168.100.0/24 { to Server Router }

RW1: allowed address = 0.0.0.0/0 { to Server Router, allows access to either router for config or to any subnet on either router or to internet via Server Router }

RW2: allowed address = 0.0.0.0/0 { to Server Router, allows access to either router for config or to any subnet on either router or to internet via Server Router }

++++++++++++++++++++++++++++++++++
Firewall rules

MT Server
input chain allow port 13321 protocol udp
Input chain allow in-interface=WG_local-SR src-address-list=??? if you have more than just admin on wireguard, use a source address list to narrow down.
Forward chain allow in-interface=WG_local-SR out-interface=WG_local-SR { allow relay from RW to Router client }
Forward chain allow in-interface=WG_local-SR dst-address=192.168.100.0/24 { if you want to give access to local subnet }
Forward chain allow src-address=192.168.100.0/24 out-interface=WG_local-SR { if you want to allow local subnet users to Client Router subnet }

MT Client
Input chain allow in-interface=WG_local-CL src-address-list=??? if you have more than just admin on wireguard, use a source address list to narrow down.
Forward chain allow in-interface=WG_local-CL dst-address=192.168.100.0/24 { if you want to give access to local subnet }
Forward chain allow src-address=192.168.99.0/24 out-interface=WG_local-CL { if you want to allow local subnet users to Server Router subnet }

++++++++++++++++++++++++++++++++
ROUTES - unable until we discuss your ISP and WAN setup… and intentions…

Hi @anav,

first of all thank you very much for your help - I really appreciate it!

I have now reconfigured as follows - I still have 10.255.255.0/27 as my VPN network as I don’t want a 192.168 network for it.
I’m also not sure about the firewall rules. Are they really necessary? With the corrected setup, I can (even with FORWARD rules disabled (see below)) already access the remote network (192.168.99.0/24) from the iPhone.

Btw - the network 192.168.100.0 - is a /23 not /24. Also there is a typo in the INPUT rule for WireGuard interface - it’s 13231 not 13321

Also, I don’t have two WAN interfaces. I only have “ether 9 - UPC” which is my WAN interface to Magenta (Internet provider in Austria) (I still call it UPC because that’s what it used to be called)

I will (as soon as everything is really “finalized”) rather go the way of restricting the access with address lists (I haven’t done it yet), because my brother-in-law should only be able to access his own network, and not mine.

Cheers Mate

SERVER-ROUTER →

/interface wireguard
add listen-port=13231 mtu=1420 name=WG_local-SR

/interface wireguard peers
add allowed-address=192.168.99.0/24,10.255.255.0/27 endpoint-address=dyndns.client.router endpoint-port=13231 interface=WG_local-SR persistent-keepalive=30s public-key="obfuscated-public-key"
add allowed-address=10.255.255.3/32 interface=WG_local-SR persistent-keepalive=30s public-key="obfuscated-public-key" comment="iPhone Flo"
add allowed-address=10.255.255.4/32 interface=WG_local-SR persistent-keepalive=30s public-key="obfuscated-public-key" comment="iPhone Markus"

/ip address
add address=192.168.100.254/23 interface=BR_LAN network=192.168.100.0
add address=10.255.255.1/27 interface=WG_local-SR network=10.255.255.0

/ip firewall filter
add action=accept chain=input comment=WireGuard dst-port=13231 in-interface="ether9 - UPC" protocol=udp
add action=accept chain=forward disabled=yes in-interface=WG_local-SR out-interface=WG_local-SR
add action=accept chain=forward disabled=yes dst-address=192.168.100.0/23 in-interface=WG_local-SR
add action=accept chain=forward disabled=yes out-interface=WG_local-SR src-address=192.168.100.0/23

/ip route
add check-gateway=ping disabled=no distance=5 dst-address=192.168.99.0/24 gateway=10.255.255.2 pref-src=10.255.255.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

CLIENT-ROUTER →

/interface wireguard
add listen-port=13231 mtu=1420 name=WG_local-CL

/interface wireguard peers
add allowed-address=192.168.100.0/23,10.255.255.0/27 endpoint-address=public_ip.server.router endpoint-port=13231 interface=WG_local-CL persistent-keepalive=30s public-key="obfuscated-public-key"

/ip address
add address=192.168.99.254/24 interface=ether1 network=192.168.99.0
add address=10.255.255.2/27 interface=WG_local-CL network=10.255.255.0

/ip firewall filter
add action=accept chain=forward disabled=yes in-interface=WG_local-CL src-address=192.168.99.0/24

/ip route
add check-gateway=ping disabled=no distance=5 dst-address=192.168.100.0/23 gateway=10.255.255.1 pref-src=10.255.255.2 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

No problem, some of the stuff was guesswork not knowing the structure.
I did forget to mention that all your client devices with peer settings for the MT server should have persistent-keep-alive set to something, let’s say 30s.
Will have a look at the two configs today.

As far as firewall rules, it all depends, I cannot help with what is not shown… it was a general comment, everyones config is different.

In terms of what you have.

Server Router
Peer Settings to Client Router

  • does not need endpoint etc., it’s not originating a connection.
  • allowed ip setting is 10.255.255.2/32 to the client router NOT 10.255.255.0/27
  • keep alive is NOT required for the server ( its the client connecting to server… )

Peer Settings to Other clients

  • same comment keep alive not required, it is only required on the client devices

Last point, your routes: use the wg interface name and get rid of preferred source as well. Think about it. You are telling the router in each case, for traffic heading to this destination use the local wireguard interface. This works for both local traffic heading to that subnet OR any return traffic that has visited a local subnet and needs a path back into the tunnel.

MT server
/ip route
add check-gateway=ping disabled=no distance=5?? dst-address=192.168.99.0/24 gateway=WG_local-SR routing-table=main scope=30 suppress-hw-offload=no target-scope=10

MT Client
/ip route
add check-gateway=ping disabled=no distance=5?? dst-address=192.168.100.0/23 gateway=WG_local-CL routing-table=main scope=30 suppress-hw-offload=no target-scope=10


PS. Why the distance=5? Is that something you put on all routes or is there a specific reason?

Hi there,

Unfortunately, when I put “WG_local-SR” as Gateway in the route instead of 10.255.255.2, my clients are not able to reach the destination anymore. When I put the IP back again, everything is fine.
With the IP it says: Immediate Gateway: 10.255.255.2%WG_local-SR
With the interface name as Gateway it says: Immediate Gateway: unknown_________

No specific reason for distance 5 - just because I like the number :slight_smile:

keep alive is NOT required - that does not mean it harms, right?

updated config for now on MT-server (only the modified portion)

/interface wireguard
add listen-port=13231 mtu=1420 name=WG_local-SR
/interface wireguard peers
add allowed-address=192.168.99.0/24,10.255.255.2/32 comment=ogris-client-router interface=WG_local-SR public-key="obfuscated"
add allowed-address=10.255.255.3/32 comment="iPhone Flo" interface=WG_local-SR public-key="obfuscated"
add allowed-address=10.255.255.4/32 comment="iPhone Markus" interface=WG_local-SR public-key="obfuscated"
/ip route
add check-gateway=ping disabled=no distance=5 dst-address=192.168.99.0/24 gateway=10.255.255.2 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

updated config for now on MT-client (only the modified portion)

/interface wireguard
add listen-port=13231 mtu=1420 name=WG_local-CL
/interface wireguard peers
add allowed-address=192.168.100.0/23,10.255.255.1/32 endpoint-address=public-ip.wg-server.com endpoint-port=13231 interface=WG_local-CL persistent-keepalive=30s public-key="obfuscated"

I also put those three rules on each side, with specific address-list entries, which means I am able to control exactly who is able to access which service / IP:

/ip firewall filter
add action=accept chain=forward dst-address=192.168.99.0/24 src-address-list=WG_allowed_clients
add action=jump chain=forward dst-address=192.168.99.0/24 jump-target=DROP src-address-list=!WG_allowed_clients
add action=drop chain=DROP log=yes log-prefix="CHAIN_DROP: "

Cheers mate
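The allowed-address semantics behind the advice above (the server lists the client router by its /32 plus its LAN, and the client router in the config just posted lists only 10.255.255.1/32 for the server peer) can be checked without a router. The following is an added example, not code from the thread or from RouterOS: it models WireGuard's "cryptokey routing", where each peer's allowed-address acts both as the outbound routing table (longest prefix wins) and as an inbound source filter. Peer names, the Gira X1 address 192.168.99.10 and the "mulatz-server" label are constructed for the example.

```python
"""Model of WireGuard allowed-address ("cryptokey routing") behaviour.

Added example, not from the thread. Addresses mirror the posted configs;
the Gira X1 address 192.168.99.10 and the peer names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Peer:
    name: str
    allowed: List[ipaddress.IPv4Network]


def peer(name: str, *nets: str) -> Peer:
    return Peer(name, [ipaddress.ip_network(n) for n in nets])


class WgInterface:
    """One WireGuard interface and its peer table (one allowed-address list per peer)."""

    def __init__(self, name: str, peers: List[Peer]) -> None:
        self.name = name
        self.peers = peers

    def select_peer(self, dst: str) -> Optional[str]:
        """Outbound half: the peer whose allowed-address is the longest prefix
        containing the destination gets the packet; no match means it is dropped."""
        dst_ip = ipaddress.ip_address(dst)
        best: Optional[tuple] = None
        for p in self.peers:
            for net in p.allowed:
                if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (p, net)
        return best[0].name if best else None

    def accept_inbound(self, from_peer: str, src: str) -> bool:
        """Inbound half: a decrypted packet is accepted only if its source address
        lies inside the allowed-address of the peer it was received from."""
        src_ip = ipaddress.ip_address(src)
        p = next(p for p in self.peers if p.name == from_peer)
        return any(src_ip in net for net in p.allowed)


# Server router (public IP): peers as in the last posted server config.
SERVER = WgInterface("WG_local-SR", [
    peer("ogris-client-router", "192.168.99.0/24", "10.255.255.2/32"),
    peer("iPhone Flo", "10.255.255.3/32"),
    peer("iPhone Markus", "10.255.255.4/32"),
])

IPHONE_FLO = "10.255.255.3"
GIRA_X1 = "192.168.99.10"  # constructed address for the smart-home box


def client_router(server_peer_allowed: List[str]) -> WgInterface:
    """Client router (no public IP) with a single peer, the server router."""
    return WgInterface("WG_local-CL", [peer("mulatz-server", *server_peer_allowed)])


def trace_iphone_to_gira(server_peer_allowed: List[str]) -> Dict[str, object]:
    """Follow one packet iPhone -> Gira and its reply, for a given allowed-address
    on the client router's server peer."""
    client = client_router(server_peer_allowed)
    return {
        # server: the route for 192.168.99.0/24 points into the tunnel, cryptokey routing picks the peer
        "server_to_client_peer": SERVER.select_peer(GIRA_X1),
        # client: decrypted packet has src 10.255.255.3 - inside the server peer's allowed-address?
        "client_accepts_iphone": client.accept_inbound("mulatz-server", IPHONE_FLO),
        # client: Gira's reply is routed to 10.255.255.3 - is there a peer for it at all?
        "client_reply_peer": client.select_peer(IPHONE_FLO),
    }


def trace_gira_reply_at_server() -> Dict[str, object]:
    """The reply arriving back at the server router from the client-router peer."""
    return {
        "server_accepts_gira": SERVER.accept_inbound("ogris-client-router", GIRA_X1),
        "server_reply_peer": SERVER.select_peer(IPHONE_FLO),  # the iPhone's /32 wins
    }


def wide_client_peer_on_server() -> Dict[str, object]:
    """Variant: the client-router peer on the server gets the whole /27 (as in an
    earlier posted config). Longest prefix still steers 10.255.255.3 to the iPhone,
    but the client router may now also originate packets from any 10.255.255.x."""
    srv = WgInterface("WG_local-SR", [
        peer("ogris-client-router", "192.168.99.0/24", "10.255.255.0/27"),
        peer("iPhone Flo", "10.255.255.3/32"),
    ])
    return {
        "reply_peer": srv.select_peer(IPHONE_FLO),
        "client_router_may_spoof_iphone": srv.accept_inbound("ogris-client-router", IPHONE_FLO),
    }


if __name__ == "__main__":
    print("client peer = 10.255.255.1/32 :", trace_iphone_to_gira(["192.168.100.0/23", "10.255.255.1/32"]))
    print("client peer = 10.255.255.0/27 :", trace_iphone_to_gira(["192.168.100.0/23", "10.255.255.0/27"]))
    print("reply at server               :", trace_gira_reply_at_server())
    print("wide client peer on server    :", wide_client_peer_on_server())
```

With the client router's server peer limited to 10.255.255.1/32, the iPhone's packet is decrypted on the client router and then discarded, and even if it were accepted, the Gira's reply to 10.255.255.3 would find no peer; giving that peer the whole VPN prefix fixes both halves. On the server side, keeping the client-router peer at its /32 plus 192.168.99.0/24 is what stops that router from sending packets sourced from the road-warrior addresses.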

(1) There is no point in putting distance=5 and you should leave it as the default aka distance=1
Do every change for a reason, not a fancy LOL!

(2) Yes, there is something horribly wrong with your config if using the interface name for the gateway is not working!!
Ensure, Wireguard Interface Name matches name used for IP address and for associated Routes.

(3) Keep alive is REQUIRED at the client devices be it router or iphone etc.

(4) Proper router config ( also GET RID OF CHECK GATEWAY PING, Why you keep adding crap is beyond me ?? )
/ip route
add dst-address=192.168.99.0/24 gateway=WG_local-SR routing-table=main

(5) On the MT Client, the allowed IP should be 10.255.255.0/24 and not .1/32.
In this manner, the admin as a Road Warrior can access and ping the client router without any fuss.

(6) The RW clients typically should just use 0.0.0.0/0 for allowed IPs.

As for your MT router and MT client devices.

A. ensure you add the wg interface as a list member of LAN

No need for your firewall rules shenanigans.
/ip firewall filter
add action=accept chain=forward dst-address=192.168.99.0/24 src-address-list=WG_allowed_clients
add action=jump chain=forward dst-address=192.168.99.0/24 jump-target=DROP src-address-list=!WG_allowed_clients
add action=drop chain=DROP log=yes log-prefix="CHAIN_DROP: "

If you have a drop rule at the end of the forward chain then you don’t need any rules, but this is a piss-poor approach to firewall usage.
So assuming you have a drop all rule at the end, one simply has to include allowed traffic flow above this rule.

So the first rule looks good stating who is allowed You could use either the dst address or the WG interface or both…
add action=accept chain=forward dst-address=192.168.99.0/24 out-interface=WG_local-SR src-address-list=WG_allowed_clients

The next two rules are useless.

Take a look at a proper forward chain construct…

forward chain:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="allow users out wireguard" in-interface-list=LAN out-interface=WG_local-SR
add action=accept chain=forward comment="allow select user to local subnet" in-interface=WG_local-SR src-address-list=Authorized dst-address=192.168.100.0/23

add action=drop chain=forward comment="drop all else"

Allowed IPs 192.168.99.0/24
Routes 192.168.99.0/24 - WG interface - main
FW rules on inbound determine who in the 99 subnet can visit the local subnet

My experience has shown that it’s more flexible to allow anyone to enter wireguard for the remote destination outbound, which cross-matches the allowed IPs (easy to do/see).
Then use the firewall rules locally to determine (narrow down) who is allowed into the local subnet.
So above, basically the LAN is allowed to enter the tunnel outbound, but I control who locally exits the tunnel and connects to my subnets.


Similarly at the client Device.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="allow users out wireguard" in-interface-list=LAN out-interface=WG_local-CL
add action=accept chain=forward comment="allow select user to local subnet" in-interface=WG_local-CL src-address-list=Authorized dst-address=192.168.99.0/24

add action=drop chain=forward comment="drop all else"

Allowed IPs 192.168.100.0/23
Routes 192.168.100.0/23 - wg interface - main
FW rules on inbound determine who in the 100 subnet can visit the local subnet
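The forward chain proposed in the reply above only works because of rule order: the established/related accept first, then the broad "into the tunnel" allow, then the narrow "out of the tunnel" allow, then the final drop. The following is an added example, not RouterOS code and not from the thread: a first-match evaluator that runs constructed packets through that server-side chain. Interface-list and address-list membership are assumptions (WG_local-SR is put in the LAN list as the reply suggests, and the "Authorized" list holds one iPhone); the LAN, WAN and Gira addresses are constructed.

```python
"""First-match evaluator for the forward chain proposed above.

Added example, not RouterOS code: it models rule order only. List membership is
assumed (WG_local-SR added to the LAN list as suggested; 'Authorized' holds one
iPhone) and all host addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INTERFACE_LISTS = {"LAN": {"BR_LAN", "WG_local-SR"}, "WAN": {"ether9 - UPC"}}
ADDRESS_LISTS = {"Authorized": [ipaddress.ip_network("10.255.255.3/32")]}


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    conn_state: str = "new"  # new | established | related | untracked | invalid
    nat_state: str = ""      # "dstnat" once a dst-nat rule rewrote the connection


@dataclass
class Rule:
    action: str              # accept | drop | fasttrack-connection
    comment: str
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src_list: Optional[str] = None
    dst: Optional[str] = None
    conn_state: Optional[Tuple[str, ...]] = None
    nat_state: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must hold; unset matchers are wildcards."""
        return all([
            self.in_list is None or p.in_iface in INTERFACE_LISTS[self.in_list],
            self.out_list is None or p.out_iface in INTERFACE_LISTS[self.out_list],
            self.in_iface is None or p.in_iface == self.in_iface,
            self.out_iface is None or p.out_iface == self.out_iface,
            self.src_list is None
            or any(ipaddress.ip_address(p.src) in n for n in ADDRESS_LISTS[self.src_list]),
            self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst),
            self.conn_state is None or p.conn_state in self.conn_state,
            self.nat_state is None or p.nat_state == self.nat_state,
        ])


# The server-side forward chain from the reply, in the same order.
FORWARD: List[Rule] = [
    Rule("fasttrack-connection", "defconf: fasttrack", conn_state=("established", "related")),
    Rule("accept", "defconf: accept established,related, untracked",
         conn_state=("established", "related", "untracked")),
    Rule("drop", "defconf: drop invalid", conn_state=("invalid",)),
    Rule("accept", "allow internet traffic", in_list="LAN", out_list="WAN"),
    Rule("accept", "allow port forwarding", nat_state="dstnat"),
    Rule("accept", "allow users out wireguard", in_list="LAN", out_iface="WG_local-SR"),
    Rule("accept", "allow select user to local subnet", in_iface="WG_local-SR",
         src_list="Authorized", dst="192.168.100.0/23"),
    Rule("drop", "drop all else"),
]


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching terminating rule wins. fasttrack-connection is modelled as
    non-terminating (it marks the connection and the packet continues), which is
    why the default config pairs it with an accept rule for established/related."""
    for r in chain:
        if r.matches(p):
            if r.action == "fasttrack-connection":
                continue
            return r.action, r.comment
    return "accept", "end of chain (implicit accept)"


# Constructed packets covering each path through the chain.
SCENARIOS: Dict[str, Packet] = {
    "authorized iPhone -> LAN host": Packet("WG_local-SR", "BR_LAN", "10.255.255.3", "192.168.100.20"),
    "other iPhone -> LAN host": Packet("WG_local-SR", "BR_LAN", "10.255.255.4", "192.168.100.20"),
    "iPhone -> Gira via client router": Packet("WG_local-SR", "WG_local-SR", "10.255.255.3", "192.168.99.10"),
    "LAN host -> internet": Packet("BR_LAN", "ether9 - UPC", "192.168.100.20", "203.0.113.9"),
    "unsolicited WAN -> LAN": Packet("ether9 - UPC", "BR_LAN", "198.51.100.7", "192.168.100.59"),
    "port-forwarded WAN -> LAN": Packet("ether9 - UPC", "BR_LAN", "198.51.100.7", "192.168.100.59",
                                        nat_state="dstnat"),
    "established reply": Packet("WG_local-SR", "WG_local-SR", "192.168.99.10", "10.255.255.3",
                                conn_state="established"),
}


def verdicts() -> Dict[str, Tuple[str, str]]:
    """Verdict (action, matching rule comment) for every constructed packet."""
    return {name: evaluate(FORWARD, pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (action, comment) in verdicts().items():
        print(f"{name:34} -> {action:6} ({comment})")
```

Two things the run makes visible: the relay from a road warrior to the client router is accepted by the "allow users out wireguard" rule only because WG_local-SR is a member of the LAN list, so any VPN client can reach the remote 99 subnet; and the unauthorized iPhone headed for the local 100 subnet falls through every accept and is caught by the final drop, which is the narrowing the reply describes.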