Hello, I have a strange situation where my ISP does not give me a public IPv4 address, only a private IPv4 address. I would like to port forward services such as Minecraft and SSH, so I purchased a Linode VPS and have set up a Wireguard VPN tunnel on it. I was able to successfully get the VPN link between the Linode and my MikroTik hap ac2 router to work, and have no issues communicating with devices on my network with it.
While I was able to get this to work, I’ve noticed that traffic that is port forwarded through the VPN has a source address of 172.16.255.1, which is the IP address of the wg0 interface on my Linode. I would like to see the client’s actual IPv4 address. I believe this is due to me needing to set up a masquerade rule in nftables on the Linode. I was only able to get it to work this way, so I suspect there may be a configuration error on my MikroTik router. Is there anything I can do to resolve this issue on my router, or is it a configuration issue on the Linode side? From what I’ve read, I may need to configure some routing policies on the client device (mikrotik) so it knows to send traffic back through the VPN.
For reference, here is the traffic flow and relevant IP addresses:
Linode VPS public IPv4 → WireGuard tunnel → hap ac2 → private ip address range
So, for example, if port 25565 is forwarded to 192.168.10.20:25565, 192.168.10.0/24 has a route that goes through the VPN to my router.
IP addresses:
Linode wg0: 172.16.255.1/30
hap ac2 wireguard1: 172.16.255.2/30
LAN: 192.168.10.0/24
Below is my current configuration that is pertinent to the VPN. If you need the full configuration, I can provide it if needed. Note that in the configuration there is only the default NAT masquerade rule, and wireguard1 is not part of the WAN interface list. So no NAT should be performed between the VPN and LAN subnet.
/interface wireguard
add listen-port=12755 mtu=1420 name=wireguard1
/interface list member
add interface=bridge list=LAN
add interface=ether1-wan list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Wireguard tunnel to Linode" endpoint-address=<Linode public ip> endpoint-port=51820 interface=wireguard1 persistent-keepalive=30s public-key="<Linode pubkey>"
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=172.16.255.2/30 comment="Site to site VPN" interface=wireguard1 network=172.16.255.0
/ip firewall address-list
add address=192.168.10.20-192.168.10.25 comment="Virtual machines" list=allowed_from_vpn
add address=192.168.10.10 comment="Proxmox host" list=allowed_from_vpn
/ip firewall filter
add action=drop chain=forward comment="Only allow VPN to access specific hosts on LAN" dst-address-list=!allowed_from_vpn in-interface=wireguard1
# note: this firewall rule is to prevent the linode from accessing devices outside of ones specifically allowed. I intend to place these devices in their own vlan eventually... the rule works and hopefully shouldn't be causing any issues.
# Default NAT rule
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
nftables configuration:
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "eth0" tcp dport { 8091, 25565 } dnat to 192.168.10.20
        iif "eth0" udp dport { 19132 } dnat to 192.168.10.20
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # DNATted traffic is masqueraded -- I would like to get rid of this so I see the real ipv4 address in connection logs
        ct status dnat masquerade
    }
}
Any help is appreciated! Let me know if you need anything else. Thank you so much in advance.
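The policy-routing piece the question refers to, as an added example that is not part of the original post and not the poster's configuration: once the Linode stops masquerading, a LAN host sees the real client address and sends its reply to the router, which would normally route it out ether1-wan (and masquerade it there), so the reply never returns through the tunnel. The rules below mark every connection that enters from wireguard1 and force the reply packets for those connections into a routing table whose default route is the Linode end of the tunnel. This assumes RouterOS 7 syntax and the interface and address values from the post; the table name `via_vpn` and the connection mark `from_vpn` are arbitrary placeholders.

```routeros
# Added example, not from the original post. Assumes RouterOS 7 syntax;
# via_vpn and from_vpn are placeholder names.
# Goal: replies from LAN hosts to connections that arrived over wireguard1
# go back through the tunnel (172.16.255.1) instead of the WAN default route,
# so the Linode can stop masquerading and the real client IP is preserved.

# 1. A separate routing table whose only default route points into the tunnel.
/routing table
add name=via_vpn fib
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.255.1 routing-table=via_vpn comment="Return path for connections forwarded by the Linode"

# 2. Tag every new connection that enters the router from the tunnel.
/ip firewall mangle
add chain=prerouting in-interface=wireguard1 connection-state=new action=mark-connection new-connection-mark=from_vpn passthrough=yes comment="Connections arriving via Linode"

# 3. Packets of those connections coming back from the LAN get the routing mark,
#    so the route lookup uses via_vpn instead of the main table.
add chain=prerouting in-interface=bridge connection-mark=from_vpn action=mark-routing new-routing-mark=via_vpn passthrough=no comment="Send replies back through the tunnel"
```

With these rules in place the `ct status dnat masquerade` line in the Linode's postrouting chain can be removed, and connection logs on the LAN hosts show the client's public address instead of 172.16.255.1. Two things have to hold for this to work: the Linode's WireGuard peer entry for the router must allow 192.168.10.0/24 (the post says that route already exists), and wireguard1 must stay out of the WAN interface list so the default masquerade rule does not rewrite the replies (it does not, per the configuration shown). On RouterOS 6 the `/routing table` entry does not exist; the route is created with `routing-mark=via_vpn` instead of `routing-table=via_vpn`. Marked connections can be inspected with `/ip firewall connection print where connection-mark=from_vpn` to confirm the first rule is matching before debugging the route.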