Hey! I have had this setup for a while, so that I can have a static IPv4 for my server, since I only have IPv6.
What I have set up is ether1 has the WAN connection, which goes through other routers and then to the internet. Next, I have a WireGuard connection (wg1 - 10.0.0.2/30 local IP and 10.0.0.1/30 remote IP) to a VPS which has my IPv4. I also have a LAN port where my server is connected, let’s say ether2. ether2 and wg1 are in a VRF (vrf-lan) where I have a different default gateway than the rest of the router (which goes through WAN - ether1) to route everything through WireGuard - 0.0.0.0/0 → 10.0.0.1@vrf-lan.
This has worked for me before, but I had to migrate to a new VPS and now after I changed the IPs and wireguard settings, it no longer works. I am unable to ping 10.0.0.1 from the router and 10.0.0.2 from the VPS, although the WG connection is successfully established. But, when I remove wg1 from the VRF and remove the VRF rule for 0.0.0.0/0 → 10.0.0.1@vrf-lan, then it starts to ping. Also, when the interface is in the VRF and I have the default route, I am able to ping the hosts from LAN through the other side of the WG tunnel. So the traffic is still able to go through the tunnel for 10.10.0.0/16, but not for 10.0.0.0/30.
I am absolutely dumbfounded by this and am unsure what is causing the issue where I am no longer able to ping either side when I add wg1 to the VRF.
Here is my config:
[admin@router] > /interface/wireguard/print
Flags: X - disabled; R - running
1 R ;;; WG WAN
name="wg1" mtu=1420 listen-port=XYZ private-key="XYZ" public-key="XYZ"
[admin@router] > /interface/wireguard/peers/print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-ADDRESS, ENDPOINT-PORT, ALLOWED-ADDRESS, PERSISTENT-KEEPALIVE
# INTERFACE PUBLIC-KEY ENDPOINT-ADDRESS ENDPOINT-PORT ALLOWED-ADDRESS PERSISTENT-KEEPALIVE
;;; WG WAN
1 wg1 XYZ ENDPOINT PORT 10.0.0.1/30 25s
0.0.0.0/0
[admin@router] > /ip address print
Flags: X - DISABLED, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; SERVER LAN
2 10.10.0.1/16 10.10.0.0 ether2
;;; WAN
6 D 10.100.1.12/24 10.100.1.0 ether1
;;; WG WAN
7 10.0.0.2/30 10.0.0.0 wg1
[admin@router] > /ip vrf print
Flags: X - disabled; * - builtin
0 name="vrf-lan" interfaces=ether2,wg1
1 * name="main" interfaces=all
[admin@router] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
;;; WAN - mikro
0 As 0.0.0.0/0 10.100.1.1 1
DAc 10.100.1.0/24 ether1 0
;;; WAN - ext
1 As 0.0.0.0/0 10.0.0.1@vrf-lan 1
DAc 10.0.0.0/30 wg1@vrf-lan 0
DAc 10.10.0.0/16 ether2@vrf-lan 0
[admin@router] > /ip/firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; WAN masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" ipsec-policy=out,none
1 ;;; WG WAN masquerade
chain=srcnat action=masquerade out-interface=wg1 log=no log-prefix="" ipsec-policy=out,none
Can anyone help me understand the issue? The routes are set, so I do not understand why the ICMP and other packets do not go through to 10.0.0.1. Maybe I am doing this absolutely wrong, but it has worked before. Thank you!