WireGuard only for specific sites - how?

jovaf32128 · June 13, 2022, 5:48pm

I need to open couple of the site through VPN. This is part of my config connected with wg:

/interface wireguard
add listen-port=12321 mtu=1420 name=wireguard1

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=11.22.33.44 endpoint-port=12321 interface=wireguard1 \
    persistent-keepalive=25s public-key="keykeyey"

/interface list
add name=WAN

/interface list member
add interface=ether1 list=WAN
add interface=wireguard1 list=WAN

/routing table
add disabled=no fib name=wg-my

/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg-my scope=30 \
    suppress-hw-offload=no target-scope=10
  
/ip firewall address-list
add address=site.com list=vpnlist
  
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=vpnlist new-routing-mark=wg-my

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

But the site from the list does not open by timeout. I made 3 logging mangle rules: on prerouting, input and forward. I see incomming packets only on prerouting rule. 2 others is empty.
But if I use just this instead of mangle and address-list:

/routing rule dst-address=special.address.ip action=lookup-only-in-table table=wg-my

then I can open needed site through vpn, but it is not useful for me - i want to use firewall address list of sites.

What is my problem with mangle rule? Why is packets got loss in the first case?

PS. Fasttrack is disabled ofcourse

tangent · June 13, 2022, 6:11pm

Your first code block is backwards: the “/ip route add” block configures the wireguard1 interface as the default. What you’re asking for is the opposite: some other interface to be the default, but for the wireguard1 interface to be the proper route for certain target IPs.

Therefore, let the default gateway be set up normally (e.g. via DHCP) and then add static routes for the exceptions:

/ip route
add dst-address=192.0.2.0/24 gateway=wireguard1

Now all traffic to TEST-NET-1 will go out the WireGuard VPN, and everything else will bypass it.

jovaf32128 · June 13, 2022, 6:20pm

Why? I use routing table mark, not all traffic:
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg-my scope=30 suppress-hw-offload=no target-scope=10

Therefore, let the default gateway be set up normally (e.g. via DHCP) and then add static routes for the exceptions:

/ip route
add dst-address=192.0.2.0/24 gateway=wireguard1

>
> Now all traffic to > [TEST-NET-1](https://datatracker.ietf.org/doc/html/rfc5735) > will go out the WireGuard VPN, and everything else will bypass it.

Okay, it works, but I need to use address lists. I don't want to generate lots of ip/route rules manually.

tangent · June 13, 2022, 6:43pm

I don’t see a huge distinction between addresses in a list and a list of static routes, particularly given how many rules are required to set up connection marking, multiple routing tables, and such. Unless the number of address is huge, it may be shorter to do it my way.

However, if you insist on proceeding down that path, I think you need a second NAT rule, per this example. Without it, you get no NAT thru the WG link, thus no packet flow.

jovaf32128 · June 13, 2022, 7:01pm

Why?
I already have main masquarade NAT rule thac includes all WAN interfaces (and WG too). It works with route rules. Do you think, it is not fit for address-list case?

tangent · June 13, 2022, 7:14pm

I think you’re confusing the packet flow logic by putting “wireguard1” in “out-interface-list=WAN”. The WAN list should have only the raw (non-VPN) interface(s).

But rather than keep arguing, why not try it and see?

I’m not guaranteeing I’m right. What I am saying is:

If it works, it works.
If it doesn’t, you have a stronger counterargument than “but whhyyyyy?”

jovaf32128 · June 13, 2022, 7:38pm

I did this:

/ip firewall filter
add action=accept chain=forward connection-state=established,related in-interface=wg1 out-interface=bridge-local
add action=accept chain=forward connection-state=established,related,new in-interface=bridge-local out-interface=wg1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wg1

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=vpnlist in-interface=bridge-local new-connection-mark=vpn-conn
add action=mark-routing chain=prerouting connection-mark=vpn-conn in-interface=bridge-local new-routing-mark=vpn-rt

/ip firewall address-list
add address=2ip.ru list=vpnlist

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src=0.0.0.0 routing-table=vpn-rt scope=30 suppress-hw-offload=\
    no target-scope=10
	
/routing table
add disabled=no fib name=vpn-rt

And it not works. If only I remove “routing-table=vpn-rt” from ip route, it start works with main route table and through main WAN, not wg1

jovaf32128 · June 22, 2022, 11:45am

May anybody explain, what is wrong with part of config above?

jovaf32128 · June 29, 2022, 5:44am

ip settings rp-filter=loose

It was in “strict”

anav · June 30, 2022, 2:24pm

The problem here is that you need to establish a wan connection to the server and thus not ALL traffic can go out the wg tunnel.
There are ways around this which add complexity but should only be approached if necessary.

You have a conundrum in that you have multiple addresses that need to go out WG tunnel
a. create one route and a gazillion route rules to match on dst-address OR
b. create a firewall address list and add mangling

In terms of allowed IP addresses you can add all of them individually to the WG list, or use 0.0.0.0/0 but then you have to be cognizant of how this affects all other traffic intended for the regular internet.

Seems like you have solved a config error, and its working for you now?

jovaf32128 · July 3, 2022, 3:00pm

Yes, I think it was early error in config that led me to this problem. Now it works, I can add required site to the list and it will route through my vpn.