VPN Leaking ISP servers in to my Local LAN network

miankamran7100 · June 3, 2025, 4:52pm

Dear all,
Good day.
I have a WireGuard connection on my home MikroTik router. The internet connection from the ISP is directly set up on MikroTik with the ISP’s PPPoE username and password. Everything is working fine. However, when I connect to the WireGuard VPN, and then scan my LAN network (which is in the range 172.20.20.0/24), it shows a lot of LAN devices that are not related to me. It even shows the ISP servers in my 172.20.20.0/24 IP range.

I’m not sure what’s happening. This also occurs when I use the L2TP VPN. I think this might be a VPN leak.

Can anyone help, please?

anav · June 3, 2025, 6:01pm

THe title should be; Admin Has a Leaky Config: Dont blame the router LOL
Sounds more like an error in your configuration,
The client coming in if its allowed addresses=0.0.0.0/0 that usually means that its setup to allow a remote user to see all Router subnets and to go out local internet.
So you need to be clear on the requirements.
Typically one has no control over the client settings so expecting 0.0.0.0/0 is a safe approach.

This means you have to be very precise on any firewall rules associated to allow access only to desired end locations.

miankamran7100 · June 4, 2025, 5:58am

Hi Sir,
I have set my LAN network IP range to 172.20.20.0/24 in the WireGuard client settings, and I have attached an image for reference. Is this enough, or do I need any firewall filter rules to prevent leakage?

Thanks

holvoetn · June 4, 2025, 6:59am

As hinted here but maybe not explicitly enough said:

show your sanitized config of your router (remove sensitive info like public IP, serial, passwds, …). Don’t leave out any parts which you think are not relevant. It doesn’t work for you so you do not know what is relevant and what not.
precisely indicate what are your requirements with that VPN connection. Who can come in ? How ? What can they do ? What should they not be able to do ?

miankamran7100 · June 5, 2025, 4:40pm

"Simply, I have a wireless AP in my network, and the IP range is 172.20.20.0/24. It’s only 20 APs from 172.20.20.11-30, but Advanced IP Scanner shows many IPs, which are not in my network. Even when I hit the IP in the browser, for example, 172.20.20.11, it should open the Wireless AP, but it opens the Dell server. But I didn’t have. I’m sure it is my ISP network, and either ISP have the same IP ranges for their server, but why is it discoverable on my network

 /interface bridge
add name=bridge_LAN port-cost-mode=short
add admin-mac=C4:AD:34:D3:AD:72 auto-mac=no name=bridge_WAN port-cost-mode=\
    short
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
/interface pppoe-client
add disabled=no interface=bridge_WAN name="PPPoE WAN" user=abc
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-vpn
/interface list
add include=none name=WAN-Interface-List
add name=LAN-Interface-List
add name=Trusted-Interface-List
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip hotspot profile
add dns-name=login.net hotspot-address=10.10.10.1 html-directory=\
    flash/hotspot login-by=http-pap name=hsprof1
/ip pool
add name=hs-pool-1 ranges=10.10.10.11-10.10.10.250
/ip dhcp-server
add address-pool=hs-pool-1 interface=bridge_LAN name=dhcp1
/ip hotspot
add address-pool=hs-pool-1 addresses-per-mac=1 disabled=no interface=\
    bridge_LAN name=hotspot1 profile=hsprof1
/ip hotspot user profile
add add-mac-cookie=no address-pool=hs-pool-1 !mac-cookie-timeout name=1Mbps \
    rate-limit=1M/1M
add add-mac-cookie=no address-pool=hs-pool-1 !mac-cookie-timeout name=2Mbps \
    rate-limit=2M/2M
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge_WAN ingress-filtering=no interface=ether1_WAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge_LAN disabled=yes ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge_LAN ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge_LAN ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=yes
/interface list member
add interface="PPPoE WAN" list=WAN-Interface-List
add interface=wireguard-vpn list=LAN-Interface-List
add interface=bridge_LAN list=LAN-Interface-List
add interface=wireguard-vpn list=Trusted-Interface-List
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:8E:EE:B3:CF:19 name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.216.2/32,172.20.20.0/24 client-address=\
    192.168.216.2/32 client-dns=8.8.8.8,1.1.1.1 client-endpoint=\
    xxyyzz.sn.mynetname.net interface=wireguard-vpn name=Laptop \
    persistent-keepalive=25s private-key=\
    "xxyyzz=" public-key=\
    "xxyyWYrhg=" responder=yes
add allowed-address=192.168.216.3/32,172.20.20.0/24 client-address=\
    192.168.216.3/32 client-dns=8.8.8.8,1.1.1.1 client-endpoint=\
    xxxx0.sn.mynetname.net interface=wireguard-vpn name=iPhone \
    persistent-keepalive=25s private-key=\
    "xxxxJxxxxxxxxU=" public-key=\
    "xxxxxxxxxxxxxxxx=" responder=yes
/ip address
add address=10.10.10.1/24 interface=bridge_LAN network=10.10.10.0
add address=192.168.216.1/24 interface=wireguard-vpn network=192.168.216.0
add address=172.20.20.1/24 interface=bridge_LAN network=172.20.20.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server alert
add disabled=no interface=bridge_LAN on-alert=":log info \"Rogue DHCP Server I\
    dentified at \$[/system clock get date] \$[/system clock get time] on inte\
    rface bridge_LAN]\"" valid-server=B8:69:F4:AE:BC:FD
/ip dhcp-server network
add address=10.10.10.0/24 comment="hotspot network" gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes cache-size=10000KiB servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment="Router Access Remotely" dst-port=\
    8295,8296 protocol=tcp
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:1 out-interface=\
    bridge_LAN passthrough=no src-address=10.10.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment=Wireguard src-address=\
    192.168.216.1-192.168.216.10
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="Access Point" src-address=\
    172.20.20.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.10.10.0/24
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no !dst-address !dst-address-list !dst-port \
    !protocol src-address=10.10.10.1 !src-address-list
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment="Static Route" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway="PPPoE WAN" pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set winbox port=8295
set www port=8296
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ppp secret
add local-address=172.20.20.1 name=hotspot profile=default-encryption \
    remote-address=172.20.20.2 service=l2tp
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5/system logging
add action=disk prefix=-> topics=hotspot,info,debug
/system ntp server
set use-local-clock=yes
/tool bandwidth-server
set authenticate=no enabled=no
/tool romon
set enabled=yes

anav · June 5, 2025, 5:05pm

Why two bridges?
Remove WAN from silly second bridge.
Why do you think you can have two subnets on the same bridge, 10.10 and 172.20
add address=10.10.10.1/24 interface=bridge_LAN network=10.10.10.0
add address=192.168.216.1/24 interface=wireguard-vpn network=192.168.216.0
add address=172.20.20.1/24 interface=bridge_LAN network=172.20.20.0

Furthermore you should also know that wireguard peers are to identify remote addresses
a. remote subnets local users need to reach
and/or
b. remote subnets requiring access to local subnets etc.

So to see any local addresses in wireguard peers is wrongo.
You have been configuring for a while now, and should know better.
You also know better than making wireguard available to the internet on the wan side a serious security mistake!!
Provide a more useful config cleaned up and will assist with it then… ( and also at least default firewall rules).

holvoetn · June 5, 2025, 5:06pm

I can only comment that I hope you have some other firewall in front of that device …

Firewall on that device you show is pretty … thin.
So no wonder “it leaks”.

You have some input rules to accept but no closing drop rule, so everything passes.
Forward: non-existant so everything passes.

What’s wrong with the default firewall ?