WireGuard client setup on RouterOS with PPPoE internet

Hello everyone,

I found the process of setting up the wireguard client extremely complicated. So here I am after about 8 hours of struggling.

  1. My remote WireGuard server (the peer this router should connect to) is working: it took me 30 seconds to set up a Windows client against it and verify that the server side is not the problem.
  2. My RouterOS setup seems to be sending data over the WG interface: I can see the Tx traffic in Torch. But nothing comes back. I have inbound and outbound firewall rules, and the inbound rule never counts any traffic. Maybe the Tx packets never actually leave my router? Yet the handshake succeeds and keeps being renewed. I am so confused!

Could you please help me to solve this puzzle?

Here is the configuration (secrets and some sections elided as `...`):

# RouterOS export posted for review. Values the poster replaced with "..." are
# kept as-is. Section order is significant for a RouterOS import (interface
# lists must exist before members; addresses, peers and routes refer to the
# interfaces), so nothing below is reordered; only review comments are added.
/interface bridge
add name=docker port-cost-mode=short
add name=local port-cost-mode=short
/interface veth
# NOTE(review): 88.0.0.0/24 is public (RIPE-allocated) address space, not an
# RFC 1918 range. Using it for the container bridge makes the real 88.0.0.0/24
# unreachable from this LAN; a 10.x / 172.16-31.x / 192.168.x range avoids that.
add address=88.0.0.2/24 gateway=88.0.0.1 gateway6="" name=pihole-veth
/interface wireguard
# This router is a WireGuard *client* (the peer below has an endpoint and a
# keepalive). The input rule further down accepts UDP 26015 so the server's
# tunnel packets reach this interface.
add listen-port=26015 mtu=1420 name=WG
/interface vlan
add interface=ether1 name=vlan-telekom vlan-id=7
/interface pppoe-client
# PPPoE over VLAN 7 on ether1; installs the default route in the main table.
add add-default-route=yes disabled=no interface=vlan-telekom max-mru=1492 \
    max-mtu=1492 name=pppoe-telekom-fiber use-peer-dns=yes user=...
/container mounts
add dst=/etc/pihole name=etc_pihole src=/usb1/pihole-etc
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=/usb1/pihole-dns
/disk
set usb1 media-interface=none media-sharing=no slot=usb1
set usb2 media-interface=none media-sharing=no
/interface list
add name=listBridge
add name=LAN
add name=WAN
add name=DNS
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local lease-time=10m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/routing table
# Separate FIB used to policy-route the single VPN host (see /routing rule).
add disabled=no fib name="VPN table"
/container
# Pi-hole container attached to the docker bridge through pihole-veth.
add envlist=envs_pihole interface=pihole-veth logging=yes mounts=\
    etc_pihole,dnsmasq_pihole root-dir=usb1/pihole start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1/containers
/container envs
...
/interface bridge port
add bridge=local interface=ether2 internal-path-cost=10 path-cost=10
add bridge=docker interface=pihole-veth internal-path-cost=10 path-cost=10
add bridge=local interface=ether3 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=local list=listBridge
add interface=ether1 list=WAN
add interface=pppoe-telekom-fiber list=WAN
add interface=vlan-telekom list=WAN
add interface=local list=LAN
add interface=docker list=LAN
add interface=docker list=DNS
# WG is only in VPN, not in WAN: the srcnat masquerade below
# (out-interface-list=WAN) therefore never applies to traffic routed into the
# tunnel.
add interface=WG list=VPN
/interface wireguard peers
# allowed-address=0.0.0.0/0 is what a client that sends everything through the
# server needs, but it also means packets arriving from the server with *any*
# source address are accepted by the tunnel. Combined with the "VPN to LAN"
# forward rule below, the remote side gets unrestricted access into the LAN.
add allowed-address=0.0.0.0/0 endpoint-address=... endpoint-port=... interface=WG name=firetv-peer persistent-keepalive=25s \
    preshared-key=... public-key=...
/ip address
# MISSING: no address on interface WG. Traffic policy-routed into the tunnel
# leaves with its LAN source (192.168.0.112) unless it is NAT'ed to a tunnel
# address covered by the server's AllowedIPs for this peer; otherwise the
# server drops it silently after a successful handshake, which matches the
# "Tx but no Rx" symptom reported. Add the tunnel address the server expects
# for this peer here, then masquerade out of WG (see /ip firewall nat).
add address=192.168.0.1/24 interface=local network=192.168.0.0
add address=88.0.0.1/24 interface=docker network=88.0.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.0.5 mac-address=... server=dhcp1
/ip dhcp-server network
# LAN clients are handed the Pi-hole (88.0.0.2) as their only DNS server.
add address=192.168.0.0/24 dns-server=88.0.0.2 gateway=192.168.0.1
/ip dns
# The router's own resolver answers remote queries; exposure is limited only
# by the input chain below (non-LAN sources reach "Drop all"). Keep that rule.
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.0.0/24 list=Local-LAN
# Unused by any rule, and 192.16.0.0/24 is public address space (not RFC 1918)
# -- most likely a typo for 192.168.x.0/24. Fix or remove.
add address=192.16.0.0/24 list=Guest-LAN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Accepts UDP 26015 from any source. Needed so the server's packets reach WG
# (WireGuard stays silent to anything that is not a valid packet, so the
# exposure is small); it could still be narrowed with src-address=<server IP>.
add action=accept chain=input comment="WireGuard Handshake" dst-port=26015 \
    protocol=udp
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN \
    src-address-list=Local-LAN
# WG is not in the LAN list, so nothing arriving through the tunnel is accepted
# on input: the router itself is not reachable from the remote side. Good.
add action=drop chain=input comment="Drop all"
# Fasttracked established/related packets skip the remaining filter rules;
# keep that in mind when adding rules later in this chain.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=DNS in-interface-list=LAN \
    out-interface-list=DNS
add action=accept chain=forward comment="Internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="LAN to VPN" in-interface-list=LAN \
    out-interface-list=VPN
# "VPN to LAN" accepts *new* connections arriving from the tunnel into the LAN.
# For a pure outbound client this is unnecessary (replies are already covered
# by established,related above); unless remote access into the LAN is
# intended, remove it or restrict it to specific destinations.
add action=accept chain=forward comment="VPN to LAN" in-interface-list=VPN \
    out-interface-list=LAN
add action=drop chain=forward comment="Drop all"
/ip firewall nat
# MISSING: no srcnat for traffic leaving via WG (WG is not in the WAN list).
# Once WG has a tunnel address, add a second masquerade rule with
# out-interface=WG so the server sees a source it accepts (see /ip address).
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
# "VPN table": default via WG, plus routes for the connected subnets so the
# policy-routed host (lookup-only-in-table) can still reach the LAN and the
# Pi-hole for DNS.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WG routing-table=\
    "VPN table" scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=88.0.0.0/24 gateway=docker \
    routing-table="VPN table" scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=local \
    routing-table="VPN table" scope=30 suppress-hw-offload=no target-scope=10
/ip service
...
/ip smb shares
...
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Stock RouterOS IPv6 firewall; no IPv6 addresses are configured in this
# export, so it is dormant until IPv6 is enabled on the PPPoE link.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
# Only 192.168.0.112 is forced into "VPN table"; everything else uses main.
# Its DNS queries to 88.0.0.2 still work because of the 88.0.0.0/24 route in
# that table.
add action=lookup-only-in-table disabled=no src-address=192.168.0.112/32 \
    table="VPN table"
/system clock
...
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
# Single, unauthenticated public NTP source; WireGuard handshakes depend on
# roughly correct time, so consider a second server.
add address=time.nist.gov
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet and MAC-Winbox limited to the LAN bridge list: good.
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge

Anyone? :sob:

This is not paid support — keep your underwear on and be patient!!

A few things,

  1. What is this guest network about? It is only defined in the firewall address list, and 192.16.0.0/24 is not a private (RFC 1918) range — probably a typo for 192.168.x.0/24.

  2. Allowed IPs is incorrect. if the MT is the Server peer for handshake, the client peers EACH should be assigned as separate peers, with their respective wireguard IP address detailed as the allowed IP.
    For example 10.10.10.2/32 remote1, 10.10.10.3/32 remote2, etc..

  3. Which brings me to the biggest problem, NO definition of wireguard Subnet.

/ip address
add address=192.168.0.1/24 interface=local network=192.168.0.0
add address=88.0.0.1/24 interface=docker network=88.0.0.0

??? wg address ???

  4. This routing rule makes no sense to me… if your router is the server, where do you propose this user's traffic is going? I assume I am missing some information that would make this clear.
    /routing rule
    add action=lookup-only-in-table disabled=no src-address=192.168.0.112/32
    table="VPN table"

Hi! Thank you for looking into this issue!

Nothing, it doesn’t exist yet

I am trying to set up the router as a client that connects to a remote WireGuard server (another machine of mine) and routes all traffic from the LAN host 192.168.0.112 through that server.

No, my router is the WireGuard client, not a server. That one host is supposed to send all of its traffic except DNS through the WireGuard tunnel.

Ahh it was not clear that was the case, your first post mentioned you had setup it up as a server.
Misunderstood.

Okay with that in mind…

  1. The big mistake noted previously still applies: the WireGuard interface has no IP address!!
    Assign WG the address from the tunnel subnet that the server expects for this peer (the server's AllowedIPs for this peer must cover it). Without it, packets you push into the tunnel carry a LAN source the server will not accept, so they are silently dropped even though the handshake succeeds.

  2. This is noise: there is only one LAN subnet, so `add address=192.16.0.0/24 list=Guest-LAN` is unused clutter — and 192.16.0.0/24 is public address space, not RFC 1918. If it was meant to be 192.168.x.0/24, fix it; otherwise remove it.

  3. To be clear you only want ONE IP address to use the tunnel to the wireguard server and its for internet purposes
    Routing rules should look like…
    /routing rule
    add action=lookup-only-in-table min-prefix=0 table=main
    add action=lookup-only-in-table src-address=192.168.0.112/32 table="VPN table"
    (Check the `min-prefix` value on the first rule against the RouterOS docs for your version: its purpose is to let main handle only destinations with a route more specific than the default, so that main's default route does not capture this host's traffic before the second rule is reached.)

  4. IP Routes
    /ip route
    add disabled=no dst-address=0.0.0.0/0 gateway=WG routing-table="VPN table"

  5. Last step is ensuring all users go to docker/pi for DNS, and that traffic entering the tunnel has a source address the server will accept. The most likely cause of your "Tx but no Rx" symptom: there is no srcnat rule for WG, so packets leave the tunnel with source 192.168.0.112, which the server's AllowedIPs for this peer almost certainly does not cover, and the server drops them silently after a successful handshake. Once WG has its tunnel address, add the second masquerade rule below. (Also note: your bridge is named `local`, not `Local`; the parameter is `protocol`; and dst-nat uses `to-addresses`. Clients using DoH/DoT bypass a port-53 redirect.)
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface-list=WAN
    add action=masquerade chain=srcnat out-interface=WG
    add action=dst-nat chain=dstnat in-interface=local dst-port=53 protocol=udp to-addresses=(Docker/piDNS)-IPaddress
    add action=dst-nat chain=dstnat in-interface=local dst-port=53 protocol=tcp to-addresses=(Docker/piDNS)-IPaddress