Wireguard Connection between two sites

ohkwarig · November 2, 2021, 5:27pm

I have a new RB5009UG+S+IN which is running RouterOS 7.1rc5

I have two locations (home and work) which I’m trying to bridge using Wireguard. Prior to getting the RB5009, I used OpenVPN. Work has a commodity router running lede/openwrt.

Home uses the 192.168.88 address space. Work uses the 192.168.9 address space. Under OpenVPN, I had things setup so that traffic was intelligently routed between the two networks. I’m trying to do the same with Wireguard.

I’m finding the Wireguard wiki and documentation to be rather opaque. There is a set of instructions at https://help.mikrotik.com/docs/display/ROS/WireGuard on linking two locations, but they presume that you’re using two mikrotik devices, and they don’t explain the reasons for taking certain actions.

I’m able to get home and work to handshake successfully, but that’s the extent of what I’m able to do. I have somewhat more experience on the OpenWRT, so I’m more confident that what I’m doing there is correct. I believe my issues are starting at the heading “IP and routing configuration” on the page linked above. I’m unable to determine what the importance of the address line (“/ip/address add address=10.255.255.1/30 interface=wireguard1”) is or if the address 10.255.255.1 is magic in some way – it doesn’t appear on the diagram above. I’m also unable, as far as I can tell, to set any address for the interface in openwrt.

I want to be able to tell the RB5009 “if you see a packet destined for 192.168.9, send it over the wireguard interface” but I can’t seem to figure out a way to do that.

thanks for help in advance

felixka · November 3, 2021, 3:24pm

The 10.255.255.1/30 network essentially provides two IP addresses: 10.255.255.1 and 10.255.255.2. These are there to facilitate the routing between the two endpoints on the tunnel. These should be chosen such that they are “out of the way” of any of the other subnets you’re using.

You are in fact able to add IPv4 and IPv6 addresses to wireguard interfaces on OpenWrt the same way you would on any other type of interface:

uci add_list network.wg0.addresses="10.255.255.2/30"

Where wg0 is your Wireguard interface name

See if adding the IP address solves the routing problem for you.

anav · November 3, 2021, 4:31pm

Please describe the network setup at both ends…
For example its not clear if you have an MT at both ends
and/or if the MTs are directly connected to an ISP modem or behind another router etc…

ohkwarig · November 3, 2021, 4:54pm

Please describe the network setup at both ends…
For example its not clear if you have an MT at both ends
and/or if the MTs are directly connected to an ISP modem or behind another router etc…

Work (openwrt) <—> ISP fiber modem <—> Internet <—> ISP cable modem <—> Home (MT RB5009)

I have not yet had the opportunity to try the other user’s suggestion about assigning an IP on the OpenWRT side. I hope to be able to later today.

anav · November 3, 2021, 5:30pm

So the OpenWRT has the listening port and your attempting to get to work from home or vice versa?

ohkwarig · November 3, 2021, 5:34pm

Home is listening – the MT device. Work is making the connection. The handshake is successful. Routing is not.

anav · November 3, 2021, 6:03pm

Okay at HOME (server router).
Assuming this is connected to the ISP modem.
In any case,
(1) Hence INPUT Chain requires the listening port allowed UDP, in-interface-list=WAN

(2) Wireguard Settings;

WIREGUARD TAB: name given to interface (lets say WG-HOME, Listen port, Private Key (not used external to the router), Public Key (key needed at OPENWRT router).

PEERS TAB: Interface name from above (WG-HOME) , Public Key (as provided by OPENWRT router), Endpoint is WANIP of Opernwrt router (or dyndns name for router), Allowed address (Typically the allowed subnet from the peer location)

(3) Route Rule to ensure that Wireguard Traffic from Work when its shunted out the internet, gets returned through the tunnel back to work…
For example the same subnet you noted in peers tab.
dst address: allowed subnet Gateway=WG-HOME

That should be it for the home router/
One does not need to assign an IP address to the Wireguard gateway.
But please confirm is it internet that you want access to or LAN resources at home???

Finally post your config for review
/export hide-sensitive file=anynameyouwish

ohkwarig · November 3, 2021, 11:05pm

The 10.255.255.1/30 network essentially provides two IP addresses: 10.255.255.1 and 10.255.255.2. These are there to facilitate the routing between the two endpoints on the tunnel. These should be chosen such that they are “out of the way” of any of the other subnets you’re using.

You are in fact able to add IPv4 and IPv6 addresses to wireguard interfaces on OpenWrt the same way you would on any other type of interface:
uci add_list network.wg0.addresses="10.255.255.2/30"
Where wg0 is your Wireguard interface name

See if adding the IP address solves the routing problem for you.

Thanks, that makes sense.

Unfortunately, I tried it and it didn’t work. At this point, I’m wondering if I made a major error on the OpenWRT end. I’m thinking of restoring the configuration to OpenWRT as it was just before I started the upgrade (or sidegrade) process. Debugging two systems has so many more wonderful possibilities for mistakes…

Halfeez92 · November 4, 2021, 4:07am

I have a new RB5009UG+S+IN which is running RouterOS 7.1rc5

I have two locations (home and work) which I’m trying to bridge using Wireguard. Prior to getting the RB5009, I used OpenVPN. Work has a commodity router running lede/openwrt.

Home uses the 192.168.88 address space. Work uses the 192.168.9 address space. Under OpenVPN, I had things setup so that traffic was intelligently routed between the two networks. I’m trying to do the same with Wireguard.

I’m finding the Wireguard wiki and documentation to be rather opaque. There is a set of instructions at https://help.mikrotik.com/docs/display/ROS/WireGuard on linking two locations, but they presume that you’re using two mikrotik devices, and they don’t explain the reasons for taking certain actions.

I’m able to get home and work to handshake successfully, but that’s the extent of what I’m able to do. I have somewhat more experience on the OpenWRT, so I’m more confident that what I’m doing there is correct. I believe my issues are starting at the heading “IP and routing configuration” on the page linked above. I’m unable to determine what the importance of the address line (“/ip/address add address=10.255.255.1/30 interface=wireguard1”) is or if the address 10.255.255.1 is magic in some way – it doesn’t appear on the diagram above. I’m also unable, as far as I can tell, to set any address for the interface in openwrt.

I want to be able to tell the RB5009 “if you see a packet destined for 192.168.9, send it over the wireguard interface” but I can’t seem to figure out a way to do that.

thanks for help in advance

Have you set a route for that subnet thru wireguard? Try this command on your RB5009

/ip/route/add dst-address=192.168.9.0/24 gateway=Your-Remote-WG-Interface-IP

ohkwarig · November 4, 2021, 2:14pm

So, first off, I have to confess a grievous sin. I thought that the work router was directly bridged to the internet, but it turns out that the last time my ISP had someone here, he reconfigured the routers. So, there was actually not a direct connection from my work (WRT) router to the internet. That has been fixed…

The VPN is still not working, though. The handshake goes through, but the routing still doesn’t work. I’m continuing to troubleshoot.

Thank you all for your patience, and it’s just another reminder to verify topology even when you think you’re certain…

anav · November 4, 2021, 2:25pm

THus you need to forward the listening port from the first router at work (connected to the ISP) to the router hosting wireguard.

ohkwarig · November 4, 2021, 4:31pm

Okay, I have done that and confirmed it’s working because I can access ssh on an alternate port…

I have put the mikrotik /export below with confidential stuff (I think) redacted.

# nov/04/2021 12:13:30 by RouterOS 7.1rc5
# software id = REMOVED
#
# model = RB5009UG+S+
# serial number = REMOVED
/interface bridge
add admin-mac=DC:2C:6E:28:EF:55 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.128-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add interface=wireguard1 persistent-keepalive=25s public-key=\
    "REMOVED"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.255.255.1/24 interface=wireguard1 network=10.255.255.0
/ip dhcp-client
add comment=defconf interface=ether1
# RESERVED LEASES REMOVED
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    192.168.88.94,192.168.88.98 domain=lan gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
# DNS REMOVED
/ip firewall filter
add action=accept chain=input comment="allow wireguard in" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="wireguard office to home" \
    dst-address=192.168.88.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="wireguard home to office" \
    dst-address=192.168.9.0/24 src-address=192.168.88.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="secure smtp" dst-address=MYIP \
    dst-port=587 log=yes log-prefix=smtp protocol=tcp to-addresses=\
    192.168.88.98 to-ports=25
add action=dst-nat chain=dstnat comment=smtp dst-address=MYIP \
    dst-port=25 log=yes log-prefix=smtp protocol=tcp to-addresses=\
    192.168.88.98 to-ports=25
add action=dst-nat chain=dstnat comment="alternate ssh" dst-address=\
    REMOVED dst-port=22310 in-interface=ether1 log=yes log-prefix=ssh \
    protocol=tcp to-addresses=192.168.88.98 to-ports=22
add action=masquerade chain=srcnat comment="hairpin nat attempt https://help.m\
    ikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT" disabled=yes \
    dst-address=192.168.88.98 log=yes log-prefix=hairpin out-interface=bridge \
    protocol=tcp src-address=192.168.88.0/24
/ip route
add disabled=no distance=1 dst-address=192.168.9.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-autodetect=no time-zone-name=America/Indiana/Indianapolis
/system package update
set channel=development
/system routerboard settings
set cpu-frequency=auto
# SCHEDULER AND SCRIPTS REMOVED
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Are there any red flags in here? If it all looks good, then it must be on the OpenWRT side.

As it stands now, though, a ping from work will hit 10.255.255.2 (work’s WG ip). A ping from home will hit 10.255.255.1 (home’s WG ip). A ping from home will not hit 10.255.255.2 and a ping from work will not hit 10.255.255.1. And hosts cannot contact hosts on the other network.

rplant · November 5, 2021, 6:18am

Hi,
You need some allowed addresses in the mikrotik peers setting.
10.255.255.0/24 and 192.168.9.0/24

You should then be able to ping 10.255.255.2 from the openwrt router, and hopefully also work workstations.

Though you may need to add similar allowed peers at the openwrt end first.
If nothing, check there are stats at bottom of peer entry form

ohkwarig · November 5, 2021, 1:54pm

Awesome, thank you and that’s done.

Unfortunately, still no joy.

For the record, here’s the output of

pgrep -f -a wg; wg show; wg showconf wg0

on the work (OpenWRT) side:

3 kworker/0:0-wg-
2304 wg-crypt-wg0
2936 kworker/0:2-wg-
interface: wg0
  public key: REMOVED
  private key: (hidden)
  listening port: 13231

peer: REMOVED
  endpoint: REMOVED:13231
  allowed ips: 192.168.88.0/24, 10.255.255.0/24
  latest handshake: 1 minute, 21 seconds ago
  transfer: 211.74 KiB received, 238.59 KiB sent
  persistent keepalive: every 25 seconds
[Interface]
ListenPort = 13231
PrivateKey = REMOVED

[Peer]
PublicKey = REMOVED
AllowedIPs = 192.168.88.0/24, 10.255.255.0/24
Endpoint = REMOVED:13231
PersistentKeepalive = 25

Output of

ip address show; ip route show table all

on the work (OpenWRT) side:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether REMOVED brd ff:ff:ff:ff:ff:ff
    inet REMOVED/23 brd REMOVED scope global eth0
       valid_lft forever preferred_lft forever
    inet6 REMOVED/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether REMOVED brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 84:16:f9:d6:e7:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.1/24 brd 192.168.9.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fde3:e6b9:a6dd::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::8616:f9ff:fed6:e7fb/64 scope link
       valid_lft forever preferred_lft forever
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534]
    inet 10.255.255.2/24 brd 10.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 84:16:f9:d6:e7:fb brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8616:f9ff:fed6:e7fb/64 scope link
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 84:16:f9:d6:e7:fa brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8616:f9ff:fed6:e7fa/64 scope link
       valid_lft forever preferred_lft forever
default via REMOVED dev eth0  src REMOVED
10.255.255.0/24 dev wg0 scope link
HOME_IP_REMOVED via WORK_IP_REMOVED dev eth0
REMOVED/23 dev eth0 scope link  src REMOVED
192.168.9.0/24 dev br-lan scope link  src 192.168.9.1
192.168.88.0/24 dev wg0 scope link
broadcast 10.255.255.0 dev wg0 table local scope link  src 10.255.255.2
local 10.255.255.2 dev wg0 table local scope host  src 10.255.255.2
broadcast 10.255.255.255 dev wg0 table local scope link  src 10.255.255.2
broadcast REMOVED dev eth0 table local scope link  src REMOVED
local REMOVED dev eth0 table local scope host  src REMOVED
broadcast REMOVED dev eth0 table local scope link  src REMOVED
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.9.0 dev br-lan table local scope link  src 192.168.9.1
local 192.168.9.1 dev br-lan table local scope host  src 192.168.9.1
broadcast 192.168.9.255 dev br-lan table local scope link  src 192.168.9.1
fde3:e6b9:a6dd::/64 dev br-lan  metric 1024
unreachable fde3:e6b9:a6dd::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan1  metric 256
fe80::/64 dev wlan0  metric 256
local ::1 dev lo table local  metric 0
anycast fde3:e6b9:a6dd:: dev br-lan table local  metric 0
local fde3:e6b9:a6dd::1 dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wlan1 table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
local fe80::8616:f9ff:fed6:e7fa dev wlan0 table local  metric 0
local fe80::8616:f9ff:fed6:e7fb dev br-lan table local  metric 0
local fe80::8616:f9ff:fed6:e7fb dev wlan1 table local  metric 0
local fe80::8616:f9ff:fed6:e7fc dev eth0 table local  metric 0
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev wg0 table local  metric 256
multicast ff00::/8 dev wlan1 table local  metric 256
multicast ff00::/8 dev wlan0 table local  metric 256

output of

uci show firewall

on the work (OpenWRT) side:

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6' 'wg0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].enabled='0'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='REMOVED'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].name='alt port ssh'
firewall.@redirect[0].dest_ip='192.168.9.92'

output of

uci show network

on the work (OpenWRT) side:

network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.globals=globals
network.globals.ula_prefix='fde3:e6b9:a6dd::/48'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.9.1'
network.lan.dns='192.168.9.92' '192.168.9.90'
network.lan.device='br-lan'
network.wan=interface
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='192.168.9.92' '192.168.9.90'
network.wan.device='eth0'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.device='eth0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='REMOVED'
network.wg0.defaultroute='0'
network.wg0.peerdns='0'
network.wg0.delegate='0'
network.wg0.addresses='10.255.255.2/24'
network.wg0.listen_port='13231'
network.wgserver=wireguard_wg0
network.wgserver.public_key='REMOVED'
network.wgserver.endpoint_host='REMOVED'
network.wgserver.endpoint_port='13231'
network.wgserver.route_allowed_ips='1'
network.wgserver.persistent_keepalive='25'
network.wgserver.description='home'
network.wgserver.allowed_ips='192.168.88.0/24' '10.255.255.0/24'

Thanks again in advance for all of the assistance. I feel like I owe everyone a few beers.

rplant · November 6, 2021, 3:07am

Hi,

Sorry, not sure.
wg0 on the openwrt box is wan, so you will be unlikely to connect from home end.

But it looks like you should be able to ping and connect from the work end to the home end.
Perhaps try pinging from openwrt to mikrotik.
ping 10.255.255.1
then from lan interface of openwrt to mikrotik
ping 10.255.255.1 -I 192.168.9.1
ping 192.168.88.1
ping 192.168.88.94 (Maybe)
ping 192.168.88.94 -I 192.168.9.1

Perhaps trial with wg0 being LAN

anav · November 6, 2021, 4:07pm

Sorry cannot help on the openwrt side of the house but the RB5009 as a client wireguard device is straightforward.

WG Setup
WG settings
-Give WG interface a name, lets call it WG-Client
-Listen port NOT required
-Private key (internal use only)
-Public key (needed on Openwrt setup)

Peer settings
-Interface is WG-Client
-Public Key (provided by openwrt router)
-Endpoint WANIP of openwrt (best to use a dyndns name if not static)
-Enpoint port (the listening port set on the openwrt router)
-Allowed address: 192.168.9.0/24 {to be clear this setting says these are the allowable possible destination addresses to be used in the tunnel}
-Pesistent keep alive set at your preference aka 35 seconds for example

IP ADDRESS for wireguard interface NOT REQUIRED

IP Route REQUIRED, to ensure all traffic for work lan is sent through the wg tunnel.

/ip route (almost)
add dst-address=0.0.0.0/0 gateway=WANgatewayIP (either manually entered or done through client settings)
add dst-address=192.168.9.0/24 gateway=WG-Client

To prevent any potential leakage of requests to go through the MT client Router WAN side, if and when the tunnel connection is down for any reason *********, it is best to use a route rule approach and thus the final config would look like.
add dst-address=0.0.0.0/0 gateway=WANgatewayIP (either manually entered or done through client settings)
add dst-address=192.168.9.0/24 gateway=WG-Client routing-table=USETUNNEL

Route Rule
Source address=192.168.88.0/24
Action: Lookup Only in Table
Table: USETUNNEL

++++++++++++++++++++++++++++++++++++++

******* (courtesy of Sindy).
The hierarchy of routes was unclear (as I was not quite sure how to ensure the route to the tunnel would be matched or take prioirity over the standard route already on the router since there would be overlap!!!
(since 0.0.0.0/0 (the standard route) also covers the IP addresses 192.168.9.0/24)
Priority goes by…

Route-Mark, has the highest priority
Next, among all routes with the same routing-mark and matching the destination address of the packet, the system looks for one with the longest prefix in dst-address
In this case 192.168.9.0/24 describes a longer prefix than 0.0.0.0/0. (24 vs 0, I think)
Finally, distance can be used, if all of the above are identical, a lower distance will ensure one route is matched before the other…

The question remains, how to ensure when the tunnel is down 192.168.9.0/24 doesnt leak out elsewhere.
I note on 7.0X beta RC whatever, the use of PROHIBIT and BLACKHOLE are no longer available.

I had thought that this would work.
0.0.0.0/0 gateway=wanipgateway {main table} distance=default
192.168.9.0/24 gateway=WG {main table} distance=default ( any destination due to the longer preference here would take precedence as required)
192.168.9.0/24 type=blackhole distance=default +1 (when the tunnel was down no leakage could occur to the client WANIP)

However, blackhole is like DROP in firewall rules, no indications to LAN users there is a problem just no results.
Thus like reject, PROHIBIT would provide at least an error message return.

0.0.0.0/0 gateway=wanipgateway {main table} distance=default
192.168.9.0/24 gateway=WG {main table} distance=default ( any destination due to the longer preference here would take precedence as required)
192.168.9.0/24 type=prohibit distance=default +1

As stated, blackhole and prohibit are not available and thus one is left with the one clear SOLUTION:

/ip route
add dst-address=0.0.0.0/0 gw=wanIPgateway {standard route either manually entered or by ip client checkbox}
add dst-address=192.168.9.0/24 gw=wg-client routing-mark=USETUNNEL

/ip route rule
source-address=192.168.88.0/24
action: Lookup-Only-In-Table
table=USETUNNEL

Halfeez92 · November 7, 2021, 6:32am

Sorry cannot help on the openwrt side of the house but the RB5009 as a client wireguard device is straightforward.

WG Setup
WG settings
-Give WG interface a name, lets call it WG-Client
-Listen port NOT required
-Private key (internal use only)
-Public key (needed on Openwrt setup)

Peer settings
-Interface is WG-Client
-Public Key (provided by openwrt router)
-Endpoint WANIP of openwrt (best to use a dyndns name if not static)
-Enpoint port (the listening port set on the openwrt router)
-Allowed address: 192.168.9.0/24 {to be clear this setting says these are the allowable possible destination addresses to be used in the tunnel}
-Pesistent keep alive set at your preference aka 35 seconds for example

IP ADDRESS for wireguard interface NOT REQUIRED

IP Route REQUIRED, to ensure all traffic for work lan is sent through the wg tunnel.

/ip route (almost)
add dst-address=0.0.0.0/0 gateway=WANgatewayIP (either manually entered or done through client settings)
add dst-address=192.168.9.0/24 gateway=WG-Client

To prevent any potential leakage of requests to go through the MT client Router WAN side, it is best to use a route rule approach and thus the final config would look like.
add dst-address=0.0.0.0/0 gateway=WANgatewayIP (either manually entered or done through client settings)
add dst-address=192.168.9.0/24 gateway=WG-Client routing-table=USETUNNEL

Route Rule
Source address=192.168.88.0/24
Action: Lookup Only in Table
Table: USETUNNEL

Why would you not to put ip address on the WG interface? On the Openwrt end it uses 10.255.255.1 right? You should put 10.255.255.2 on the RB5009 ends, then you would create a route to gateway 10.255.255.1 to access destination 192.168.9.0/24. Make sure to add the 10.255.255.0/24 address to allow on RB5009 peers also.

anav · November 7, 2021, 2:42pm

Absolutely no need for an address on the WG interface.
The RB5009 setup I recommended will route all traffic from 192.168.88.0/24 through the tunnel whenever a destination address of 192.168.9.0/24 is utilized.

That is what the OP wants! Why are you assuming different requirements??

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Furthermore, I know jack squat about openwrt settings but if this was instead an MT router.
Here is how I would handle it from an MT wireguard router perspective (SERVER).

Besides the normal ALLOW RULE in the input chain in-interface-list=WAN, UDP for the listening port
{note: If the MT router was behind an ISP router, the ISP router would have to port forward the listening port udp to the MT router.}

WIREGUARD ROUTER (server)
Wireguard Settings

name required, so use WG-Server
-Listen port xxxxxx
Private key {internal use}
Public Key ( for use on the RB5009 client router)

Peer Settings

Interface, from above WG-Server
Public Key (provided by the RB5009)
Endpoint they WANIP of the RB5009, I would use the ip cloud name for the router (free dyndns name)
Endpoint port, not required.
Allowed address 192.168.88.0/24 (the subnet that will be coming through the tunnel)

No requirement to state any IP address for this WG interface either.
Two other requirements need to be addressed:
(1) Forward chain firewall rule to ensure client traffic is allowed to reach server LAN subnet.
add chain=forward action=accept in-interface=WG-Server dst-address=192.168.9.0/24

(2) Route rule on Server router to ensure return traffic does indeed go back through the tunnel.
dst-address=192.168.88.0/24 Gateway=WG-Server

ohkwarig · November 7, 2021, 10:46pm

Ah, I got it! I had to move the wg0 interface on the work-client side into the LAN firewall zone.

For anyone who finds this in the future, here’s the setup script I used on the OpenWRT side:

(I removed the preshared key code simply to remove a potential complicating factor. You could easily re-insert it.)

#!/bin/sh
#wireguard setup client
# from https://openwrt.org/docs/guide-user/services/vpn/wireguard/client

# Configuration parameters
WG_IF="wg0"
WG_SERV="SERVER_PUBLIC_ADDRESS"
WG_PORT="13231"
WG_ADDR="10.255.255.2/24"

# Generate keys
umask go=
#wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
if [ ! -f wgclient.key ]; then
  wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
else
  echo "wgclient.key already exists"
fi
#wg genpsk > wgclient.psk

# Client private key
WG_KEY="$(cat wgclient.key)"
 
# Pre-shared key
#WG_PSK="$(cat wgclient.psk)"
 
# Server public key
WG_PUB="REMOVED"

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
#uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
 
# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
#uci set network.wgserver.preshared_key="${WG_PSK}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="192.168.88.0/24"
uci add_list network.wgserver.allowed_ips="10.255.255.0/24"
#uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

echo "DONE?"

And then, if you want to move that interface into the lan firewall-zone – please note that this carries with it potential security issues, though I don’t believe any more issues than setting up routing properly.

#!/bin/sh
WG_IF="wg0"

uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

Thanks so much to all who helped with this. I know OpenWRT is not the target audience for this board, but you all made it possible for me to work through this.

thanks again!

Halfeez92 · November 8, 2021, 12:03pm

Absolutely no need for an address on the WG interface.
The RB5009 setup I recommended will route all traffic from 192.168.88.0/24 through the tunnel whenever a destination address of 192.168.9.0/24 is utilized.

That is what the OP wants! Why are you assuming different requirements??

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Furthermore, I know jack squat about openwrt settings but if this was instead an MT router.
Here is how I would handle it from an MT wireguard router perspective (SERVER).

Besides the normal ALLOW RULE in the input chain in-interface-list=WAN, UDP for the listening port
{note: If the MT router was behind an ISP router, the ISP router would have to port forward the listening port udp to the MT router.}

WIREGUARD ROUTER (server)
Wireguard Settings

name required, so use WG-Server
-Listen port xxxxxx

Private key {internal use}

Public Key ( for use on the RB5009 client router)

Peer Settings

Interface, from above WG-Server

Public Key (provided by the RB5009)

Endpoint they WANIP of the RB5009, I would use the ip cloud name for the router (free dyndns name)

Endpoint port, not required.

Allowed address 192.168.88.0/24 (the subnet that will be coming through the tunnel)

No requirement to state any IP address for this WG interface either.
Two other requirements need to be addressed:
(1) Forward chain firewall rule to ensure client traffic is allowed to reach server LAN subnet.
add chain=forward action=accept in-interface=WG-Server dst-address=192.168.9.0/24

(2) Route rule on Server router to ensure return traffic does indeed go back through the tunnel.
dst-address=192.168.88.0/24 Gateway=WG-Server

I don’t understand. Why in my environment, I try not to put ip address on wg interface, then I create a route using wg internet, but I got error 22 (invalid argument).