Wireguard client doesn't see internal subnet

Hello, I just set up a simple WireGuard server on a MikroTik. Now I'm trying to connect a Windows client to it. All is well, but the client doesn't see the internal MikroTik net. Here is my conf.

This is the client profile

[Interface]
PrivateKey = KEY=
Address = 10.10.0.2/24
DNS = 1.1.1.1, 1.0.0.1

[Peer]
PublicKey = KEY=
AllowedIPs = 0.0.0.0/0
Endpoint = 2.2.2.2:13231

These are the address lists

# 2023-09-01 12:09:40 by RouterOS 7.11.1
# software id = **ELIDED**
#
# model = RB3011UiAS
# serial number = **ELIDED**
/ip address
add address=2.2.2.2/30 interface=ether1 network=2.2.2.2
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=10.10.0.0/24 interface=wireguard1 network=10.10.0.0

Firewall

# 2023-09-01 12:02:34 by RouterOS 7.11.1
# software id = **ELIDED**
#
# model = RB3011UiAS
# serial number = **ELIDED**
/ip firewall address-list
add address=4.4.4.4 list=allow_ssh
/ip firewall filter
add action=accept chain=forward comment="WireGuard subnet share" dst-address=192.168.188.0/24 src-address=\
    10.10.0.0/24
add action=accept chain=forward dst-address=10.10.0.0/24 src-address=192.168.188.0/24
add action=drop chain=input comment="drop DNS requests from internet" dst-port=53 in-interface=ether1 \
    protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment="accept related established untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=input comment="accept Winbox from inside" dst-port=1303 in-interface=!ether1 \
    protocol=tcp
add action=accept chain=input comment="accept ICMP from internet" protocol=icmp
add action=accept chain=input comment="VPN l2tp and pptp ports" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=50,500,4500 protocol=udp
add action=accept chain=input comment="OpenVPN port" dst-port=1194 protocol=tcp
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow SSH" dst-port=22 protocol=tcp src-address-list=allow_ssh
add action=add-src-to-address-list address-list=port_8000 address-list-timeout=1m chain=input comment=\
    "Port knocking" dst-port=8000 protocol=tcp
add action=add-src-to-address-list address-list=allow_ssh address-list-timeout=1d chain=input dst-port=3000 \
    protocol=tcp src-address-list=port_8000
add action=accept chain=input comment="Allow FTP from inside" dst-port=21 in-interface=!ether1 protocol=tcp
add action=add-src-to-address-list address-list=wake_server address-list-timeout=55s chain=input comment=\
    "WOL trigger" dst-port=999 protocol=tcp
add action=drop chain=forward comment="drop not dstnat'ed forward" connection-nat-state=!dstnat disabled=yes \
    in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat

Interfaces

/interface bridge
add arp=proxy-arp name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment="internal interfaces" name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 comment="room plugs" ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 comment=server ingress-filtering=no interface=ether4
add bridge=bridge1 comment=service ingress-filtering=no interface=ether5
add bridge=bridge1 comment=wifi ingress-filtering=no interface=ether10
/interface l2tp-server server
set default-profile=*1 use-ipsec=yes
/interface list member
add interface=bridge1 list=LAN
/interface wireguard peers
add allowed-address=10.10.0.2/24 interface=wireguard1 public-key=\
    "KEY="

So I cannot make requests from the Win client to 192.168.188.2. Any thoughts?

The address for the WireGuard interface is the same as the network address. Try changing it to 10.10.0.1.

(1) Did you get the Windows client from the WireGuard site? If not, go back and get it from there and not from Microsoft.

(2) Windows client IP is WRONG, it should be: 10.10.0.2**/32**

(3) Windows client is MISSING persistent keepalive, set it to something like 35s

(4) ROUTER WireGuard address is wrong, it should be 10.10.0.1/24

(5) I am not sure why you need this rule? Do you really want subnet users to access the mobile client's laptop? LOL
add action=accept chain=forward dst-address=10.10.0.0/24 src-address=192.168.188.0/24

(6) The source NAT rule is incomplete, not sure why you truncated the default rule (missing out-interface=ether1). In any case, with a static WAN IP the correct format is:
add chain=srcnat action=src-nat out-interface=ether1 to-addresses=2.2.2.2

(7) Back to the firewall rules, they could be cleaned up!!! Also, with WireGuard access, and SSH over it, you would get rid of port knocking. You also have a bunch of other VPNs; I would simplify and use WireGuard as the main VPN and one other for backup.

/ip firewall address-list
add address=4.4.4.4 list=allow_ssh
add address=AdminIP-1 list=Trusted comment="admin desktop"
add address=AdminIP-2 list=Trusted comment="admin laptop"
add address=AdminIP-3 list=Trusted comment="admin smartphone"
add address=10.10.0.2 list=Trusted comment="admin remote wireguard"

/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="VPN l2tp and pptp ports" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="OpenVPN port" dst-port=1194 protocol=tcp
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow SSH" dst-port=22 protocol=tcp src-address-list=allow_ssh
add action=accept chain=input in-interface-list=LAN src-address-list=Trusted
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"

{Forward Chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=internet in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.188.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat

add action=drop chain=forward comment="drop all else"

Note: If you need to allow any other traffic in the forward chain, put the accept rule in the gap above, before the final drop rule.

(8) Interface lists
/interface list
add comment="internal interfaces" name=LAN
add name=WAN

(9) Interface list members
/interface list member
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
add interface=ether1 list=WAN

(10) Fix peer allowed address
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=wireguard1 public-key="KEY="

Hello, thank you for your help. I made the changes to the configuration, but nothing helped at first. Finally I realized that my Windows client was connected to the MikroTik through the internal network, and from inside that network I was trying to bring up the WireGuard tunnel. After I connected my laptop to mobile internet and ran the Windows WireGuard client, everything was good. I am still a little bit amused that the first scenario does not work.
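A small lint for the mistakes pointed out in this thread (the router's wireguard1 address set to the network address, a /24 instead of a /32 in the peer's allowed-address, and client AllowedIPs that do not cover the LAN), written as an added example and not code from the thread or from MikroTik. The inputs are constructed copies of the posted configs with keys elided; the interface names wireguard1 and bridge1 are assumed from the original export.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the configs posted in the thread (keys elided).
CLIENT_CONF = """[Interface]
PrivateKey = KEY=
Address = 10.10.0.2/24
[Peer]
PublicKey = KEY=
AllowedIPs = 0.0.0.0/0
Endpoint = 2.2.2.2:13231
"""
ROUTER_EXPORT = """/ip address
add address=2.2.2.2/30 interface=ether1 network=2.2.2.2
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=10.10.0.0/24 interface=wireguard1 network=10.10.0.0
/interface wireguard peers
add allowed-address=10.10.0.2/24 interface=wireguard1 public-key="KEY="
"""

def lint(client_conf, router_export, wg_if="wireguard1"):
    """Return a list of tunnel misconfigurations found in a client/router pair."""
    findings = []
    client = ipaddress.ip_interface(re.search(r"Address\s*=\s*(\S+)", client_conf).group(1))
    allowed = [ipaddress.ip_network(a.strip()) for a in
               re.search(r"AllowedIPs\s*=\s*([^\n]+)", client_conf).group(1).split(",")]
    # Router side: the tunnel address on wg_if and every LAN (bridge) subnet it should share.
    addrs = re.findall(r"add address=(\S+) interface=(\S+)", router_export)
    lans = [ipaddress.ip_interface(a).network for a, i in addrs if i.startswith("bridge")]
    wg = [ipaddress.ip_interface(a) for a, i in addrs if i == wg_if]
    if not wg:
        return ["no address configured on %s" % wg_if]
    wg = wg[0]
    if wg.ip == wg.network.network_address:  # e.g. 10.10.0.0/24 is not a host address
        findings.append("router %s address %s is the network address" % (wg_if, wg))
    if client.ip not in wg.network:
        findings.append("client %s is outside tunnel subnet %s" % (client.ip, wg.network))
    peer = ipaddress.ip_interface(re.search(r"allowed-address=(\S+)", router_export).group(1))
    if peer.network.prefixlen != 32:  # a single road-warrior client needs a /32 host entry
        findings.append("peer allowed-address %s should be %s/32" % (peer, client.ip))
    if peer.ip != client.ip:
        findings.append("peer allowed-address %s does not match client %s" % (peer.ip, client.ip))
    for lan in lans:  # the client only sends LAN traffic into the tunnel if AllowedIPs covers it
        if not any(lan.subnet_of(a) for a in allowed):
            findings.append("client AllowedIPs do not cover LAN %s" % lan)
    return findings

if __name__ == "__main__":
    for f in lint(CLIENT_CONF, ROUTER_EXPORT):
        print("FINDING:", f)
```

Running it against the posted configs reports the two address problems the replies identified; after applying the suggested 10.10.0.1/24 and 10.10.0.2/32 it reports nothing.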