Hello Forum,
Is it possible to force a source address to establish a new WireGuard tunnel?
In a lab environment I am able to force it only when I force a route entry /32 towards the endpoint address.
If I try to work with mangle/prerouting in order to make a PBR it doesn't work: the same scenario works with IKE/IPsec.
WG outer traffic (UDP targeting the peer's public IP address) is no different from any other of the router's own outgoing traffic … just remember it's handled by chain=output when checking the packet flow diagrams.
Very nice MKX, since this is a routing issue I will pipe in…
Example: you want all users to go out WireGuard on your router (probably for internet on another device). Dilemma: how to do this, knowing that you need to establish the WG tunnel first through the WAN IP of the router.
At first this seems in conflict and not possible, and one can naturally ask the question: how is the user going to go out the WAN IP and then the WireGuard…
MKX provides the answer: the establishment of the tunnel is from the ROUTER, not the USER, as the VPN is a service which is a router responsibility.
MKX provides the hint: use the output chain to do this work with mangle, and the best part is that using the output chain will NOT preclude the use of FastTrack!
With the above information, attempt to set up the routing, and you will see how much tweaking it needs after, but it's important to go through the mental challenge of trying it yourself, thinking it through, first!!
Oh, I didn't realize it… I'll try it and I'll give you feedback!
But what if I have a /28 and I want to use a different IP address of the public subnet? Should I use src-nat or even pref.source with a specific route?
Another question about the same scenario.
Let’s suppose I have a huge hub (HQ) and spoke (BO) topology with 40 remote sites.
For each spoke, I have 3 different internet links.
In the hub I have two internet links.
This means that for each BO, I can manage up to 6 different VPN transport tunnels to the HQ.
6x40 = 240 possible VPN transport tunnels among all the spokes and the hub.
Should I realize it with 240 different mangle/output rules?
I am thinking I could use two different ranges of UDP ports on the WireGuard interfaces:
[routing via 1st HQ Internet Link] First range xxxxx to (xxxxx +120) and make a specific output rule for it
[routing via 2nd HQ Internet Link] Second range yyyyy to (yyyyy +120) and make a specific output rule for it
Any suggestion to make it easier?
Thanks for the support!
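As an added example (editor's illustration, not a configuration posted by anyone in this thread), here is how the listen-port-range idea from the last post can be expressed with two chain=output mangle rules instead of one rule per tunnel. All addresses, port ranges and interface names are constructed assumptions; the router's own WireGuard packets carry the interface listen-port as their UDP source port, which is what the rules match.

```routeros
# Constructed example addressing (not from the thread):
#   HQ WAN1: gateway 203.0.113.1, public address 203.0.113.10
#   HQ WAN2: gateway 198.51.100.1, public address 198.51.100.10
# Assumed listen-port ranges:
#   51820-51940 -> tunnels that must leave via WAN1
#   52820-52940 -> tunnels that must leave via WAN2

# One routing table per HQ uplink, each with its own default route.
# pref-src pins the source address used for router-originated packets,
# so the WG endpoint on the spoke sees the intended public IP.
/routing table
add name=via-wan1 fib
add name=via-wan2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 pref-src=203.0.113.10 routing-table=via-wan1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 pref-src=198.51.100.10 routing-table=via-wan2

# One WireGuard interface per spoke per HQ uplink; the listen-port
# places the interface in the range that selects the uplink.
/interface wireguard
add name=wg-bo01-wan1 listen-port=51821
add name=wg-bo01-wan2 listen-port=52821
add name=wg-bo02-wan1 listen-port=51822
add name=wg-bo02-wan2 listen-port=52822

# Two mangle rules in chain=output cover every tunnel in each range.
# The routing mark is applied before the final route lookup, so the
# packet is sent through the matching table (and its pref-src).
/ip firewall mangle
add chain=output protocol=udp src-port=51820-51940 action=mark-routing \
    new-routing-mark=via-wan1 passthrough=no comment="WG tunnels via HQ WAN1"
add chain=output protocol=udp src-port=52820-52940 action=mark-routing \
    new-routing-mark=via-wan2 passthrough=no comment="WG tunnels via HQ WAN2"
```

Verify the outcome with `/ip route check` or by watching `/ip firewall mangle` counters while a tunnel handshakes; a packet from a port outside both ranges falls back to the main table and leaves via whatever the default route selects.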