Wireguard after ISP - Router

Hey,

I’m trying to set up a WG client behind my ISP router.
I followed a guide on youtube and this guide right here: https://forum.mikrotik.com/viewtopic.php?t=182340

Now I can ping across the tunnel on both sides, I can reach the server from the MikroTik terminal and I can reach the client from the server. The server is running on Ubuntu, btw.

But when I do the last step to route the traffic from my local subnets across the tunnel, as described here:

Third - Then make the associated route rule
src-address=192.168.50.0/24
Action=Lookup-only-in-table
Table=useWG
Note: If the admin wants the users to be able to access internet locally if WG is down then use ACTION=Lookup
Note:2 If you have multiple peers going through the same tunnel/interface then you may need multiple such routes.

After that I have no internet connection. I’m guessing there is some more routing necessary?

This is my current config:

# feb/06/2022 09:15:37 by RouterOS 7.1.1
# software id = 0TNB-GDV5
# model = RB750Gr3
# serial number = CC220D337BEE

/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.0.3-192.168.0.254
/ip dhcp-server
add address-pool=dhcp interface=ether2 name=dhcp1
/port
set 0 name=serial0
/routing table
add fib name=useWG
/interface list member
add interface=ether1 list=WAN
add list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=199.247.23.50 endpoint-port=51820 interface=wireguard1 persistent-keepalive=25s public-key="0ZmbHjRtHscfLa7NBDN/lZmIXnQ+HVl7kBvX4AStQBc="
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
add address=10.0.0.2/24 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=0.0.0.0 routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.0.253/32 table=useWG
/system clock
set time-zone-name=Europe/Berlin
/system routerboard settings
set boot-protocol=dhcp force-backup-booter=yes

Incomplete information.
There are two sides to every tunnel, what is at the other end?

Also if this MT device is behind the ISP router, can you forward ports on the ISP router??

Fix this up…
/interface list member
add interface=ether1 list=WAN
add list=LAN

TO
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN

I will guess that you are sending out to a wireguard third party vpn provider and you want
one IP on your network to use the internet of the third party…

Hopefully you put in fake numbers for the PEER settings!!

Let’s fix up your IP routes… they look okay I think… but not sure what that second 0.0.0.0 is doing there, and missing the construction of the table…
EDIT: Found it you have the rule!!

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=0.0.0.0 routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.0.253/32 table=useWG

Okay, concur that to get one IP to go out the wireguard tunnel, you will need to do the following three steps.

(1) /routing table add name=useWG fib

(2) /ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG

(3) /routing rule add action=lookup-only-in-table src-address=192.168.0.253/32 table=useWG

++++++++++++++++++++++++++++++++++++++++++++

So, to be clear, your IP routes should only contain two entries:
dst-address=0.0.0.0/0 gateway=<ISP gateway IP> routing-table=main
dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG

+++++++++++++++++++++++++++++++++++++++++++

In summary, all looks good except I don’t see where you have the IP DHCP client and thus the primary route for traffic going out through the ISP.

Ahh this may be interfering.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1

Why was it added??
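As an added illustration (not code from the thread or from MikroTik), a small Python checker that parses a RouterOS 7 export excerpt in the shape of the one posted above and reports the policy-routing pitfalls discussed in this thread: a routing rule left disabled, a rule naming a table that does not exist or has no active default route, an interface-list member with no interface, and a rule using action=lookup, which falls back to the main table (the ISP path) when the tunnel route is gone. It assumes single-line add entries, i.e. wrapped export lines have already been joined; the sample export below is constructed.

```python
import re
# Constructed RouterOS 7 export excerpt shaped like the one posted in this thread
# (the disabled rule and the interface-less LAN member are the two pitfalls).
SAMPLE_EXPORT = """\
/routing table
add fib name=useWG
/interface list member
add interface=ether1 list=WAN
add list=LAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.0.253/32 table=useWG
"""
PARAM_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Map each menu path ('/ip route', ...) to its 'add' entries, each a dict of key=value."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(PARAM_RE.findall(line[4:])))
    return menus

def check_policy_routing(menus):
    """Return findings that explain why LAN traffic would not leave via the tunnel."""
    out = []
    tables = {t.get("name") for t in menus.get("/routing table", [])}
    routes = menus.get("/ip route", [])
    for rule in menus.get("/routing rule", []):
        src, tbl = rule.get("src-address"), rule.get("table")
        if rule.get("disabled") == "yes":
            out.append(f"rule for {src} is disabled, so it is still routed by the main table")
        if tbl not in tables:
            out.append(f"rule for {src} names table {tbl!r}, which is not defined")
        elif not any(r.get("routing-table") == tbl and r.get("dst-address") == "0.0.0.0/0"
                     and r.get("disabled") != "yes" for r in routes):
            out.append(f"table {tbl!r} has no active default route")
        if rule.get("action") == "lookup":  # fails open: uses main table when the tunnel is down
            out.append(f"rule for {src} will use the ISP path whenever the tunnel route is missing")
    for m in menus.get("/interface list member", []):
        if "interface" not in m:
            out.append(f"interface list {m.get('list')} has a member with no interface")
    return out
```

Run against the constructed excerpt it reports the disabled rule and the empty LAN member; applying the two fixes suggested in the thread (disabled=no, interface=ether2 on the LAN member) clears both findings.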

I’ve got the port 51820 forwarded on my ISP router to the fixed IP of the MikroTik.
The server side is running on a cloud server on Ubuntu.
I’ve got two identical servers running with OpenWRT devices and they are working.
I’m going to try out your suggestions now.

Also I’m going to change the keys after I’ve got this sorted out, of course :wink:

Hi there, well in the case of wireguard if the initial connection is being established from your local MT to the CLOUD instance, there would be no need to forward port from your ISP router to the MT device.

Okay what are you trying to reach at or through the UBUNTU SERVERs??
If you are trying to reach subnets there, then 0.0.0.0/0 is not that useful, instead put in the actual subnets 192.168.20.0/24, 192.168.40.0/24 etc…

The IP route for this is simple
dst-address=192.168.20.0/24 gateway=wireguard1 routing-table=main
dst-address=192.168.40.0/24 gateway=wireguard1 routing-table=main

Depending upon your firewall rules (assuming you use drop rule at end of forward chain)
add chain=forward action=accept src-address=<local subnet> out-interface=wireguard1

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If you are trying to reach subnets AND the internet, then 0.0.0.0/0 covers both subnets and internet,
In this case then you need to create a table and force subnet traffic out the wg interface.

However, at the Ubuntu server you will need to use firewall rules to separate the traffic based on what is allowed.
Suggesting: don’t use the same subnet for both accessing the subnet on the other side and the internet, or use firewall rules on the Ubuntu side to filter traffic accordingly.

I don’t really need to reach the subnets, but I need to reach the internet. The purpose of the WG tunnel is to give my device a fixed IP and to forward port TCP 44158.
I know that I’m missing the rule for port forwarding on the MT, but first I’m trying to get internet access running.

I added ether2 to the LAN interface list and also tried to remove the masquerade rule, but that sadly didn’t change anything.
https://www.youtube.com/watch?v=2pFcVRaoscE&t=166s is where I got that rule from.
The only difference to that video is that I’m behind an ISP router, so I think that I am missing something.

I have two identical servers running with other devices, so I think the firewall rules on the server should be fine.
My firewall config on the server looks like this, if it’s helpful:

# Generated by iptables-save v1.8.7 on Tue Feb 8 02:31:58 2022
*filter
:INPUT ACCEPT [108546:15562238]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [101737:11792733]
-A INPUT -i enp1s0 -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A FORWARD -i wg0 -o enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o wg0 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1240
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -i enp1s0 -o wg0 -p tcp -m tcp --dport 44158 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i enp1s0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Feb 8 02:31:58 2022
# Generated by iptables-save v1.8.7 on Tue Feb 8 02:31:58 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i enp1s0 -p tcp -m tcp --dport 44158 -j DNAT --to-destination 10.0.0.2
-A POSTROUTING -s 10.0.0.0/24 -o enp1s0 -j MASQUERADE
-A POSTROUTING -o enp1s0 -j MASQUERADE
COMMIT
# Completed on Tue Feb 8 02:31:58 2022

I don’t really know how, but somehow I got it to work… thanks for the help