Hi there.
Topology: ISP <-GPON FTTH-> ONU <-PPPoE-> CCR ↔ clients.
Goal: Set up a VPN connection and route all traffic through it. Like running a VPN client on each PC/phone, but using the CCR instead. It would be nice to create a whitelist later (addresses/domains whose connections should NOT go through the VPN).
Trivia:
I am certainly a MikroTik newbie, and a “network engineering” newbie too. Two birds, one stone: learning both networking and MikroTik, and resolving “home network” tasks. The final config you see below is a compilation of fragments (sometimes with changes) I found here and there. It probably doesn’t look great, but it’s working. Kind of.
I have a PPPoE ISP connection with a static IP address. And I have an external VPN provider that allows OpenVPN and WireGuard connections.
Problems:
- Executing curl ifconfig.me on the client, I get a VPN IP: 185.176.222.43. So for any web service I should be “a user from the VPN country”. But that’s not the case: I cannot access resources that are blocked by my ISP. However, if I run a WireGuard client on the desktop, everything is good: I also obtain a VPN IP, but moreover I can access the blocked resources.
- If I’d prefer OpenVPN over WireGuard, then I don’t know how to set this up. All the instructions I found require multiple certificates, but I have only the CA certificate in the distributed OpenVPN config. Using this config in mobile/desktop OpenVPN clients is fine, but I cannot bring the OpenVPN connection up in RouterOS. Adding just the CA and pointing to it, I get a “TLS Failed” error on the OpenVPN client interface.
Questions:
- How to solve the task? What’s wrong with the current config? And is anything wrong at all?
- If I’d prefer to use OpenVPN, how do I set up the connection without certificates, or how do I generate them? (I only found instructions for when you also have access to the OpenVPN server.)
- I’m looking at the 0.0.0.0/0 routes in /ip/route for the ISP PPPoE and WireGuard, and something inside me tells me it shouldn’t be like that.
- Am I under double NAT?
Additions:
I did a traceroute with the WireGuard 0.0.0.0/0 route and NAT rule disabled, and without. To me it looks correct. When both settings are disabled (I guess that’s enough to route traffic directly) I see my ISP’s and my country’s datacenter IPs. And if I “enable WireGuard” I see IPs of the VPN country. However, I still assume that I didn’t set up WireGuard right.
# feb/27/2022 18:24:31 by RouterOS 7.1.1
# software id = 26DH-D2ZF
#
# model = CCR1009-7G-1C
# serial number = 7AF407533E1C
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe_telewest \
user=35769
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add name=bridge1_list
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.20.30.128-10.20.30.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 lease-time=15m name=\
dhcp_server1
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
/ip neighbor discovery-settings
set discover-interface-list=bridge1_list
/interface list member
add interface=bridge1 list=bridge1_list
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=lv.gw.xeovo.com endpoint-port=\
51820 interface=wireguard1 public-key=\
"sb61ho9MhaxhJd6WSrryVmknq0r6oHEW7PP5i4lzAgM="
/ip address
add address=10.20.30.1/24 interface=bridge1 network=10.20.30.0
add address=10.128.15.210 interface=wireguard1 network=10.128.15.210
/ip dhcp-server network
add address=10.20.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.20.30.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Allow ICMP" in-interface=\
pppoe_telewest protocol=icmp
add action=drop chain=input comment="Restrict Winbox" dst-port=8291 \
in-interface=!bridge1 protocol=tcp
add action=accept chain=input comment="Allow SSH (on a non-standard port)" \
dst-port=2223 in-interface=pppoe_telewest protocol=tcp
add action=drop chain=input comment="Block everything that is not allowed" \
in-interface=!bridge1
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN to LAN" \
connection-nat-state=!dstnat connection-state=new in-interface=\
pppoe_telewest
/ip firewall nat
add action=src-nat chain=srcnat out-interface=pppoe_telewest to-addresses=\
31.148.11.138
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_telewest \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ipv6 address
add address=fd64:e20:68a3::fd2/128 advertise=no interface=wireguard1
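An added example, not part of the original post and not tested on this router, of one way to lay out the routing described in the goal above on RouterOS 7: a single active default route for the LAN via wireguard1, the ISP route kept only as a fallback, and a whitelist of destinations that bypass the VPN. It reuses the interface names pppoe_telewest, wireguard1 and bridge1 from the export; <ENDPOINT_IP> is a placeholder for the IPv4 address that lv.gw.xeovo.com resolves to, the names bypass_vpn and via_isp are made up for the example, and the address-list entries are constructed samples. The existing src-nat rule for pppoe_telewest and the masquerade rule for wireguard1 from the export are left as they are and are not repeated here.

```routeros
# Added example, not from the original post. Names assumed from the export:
# pppoe_telewest, wireguard1, bridge1. <ENDPOINT_IP> is a placeholder.

# 1. The tunnel's own UDP packets must always leave via the ISP, so the
#    endpoint gets a specific route that wins over any default route.
/ip route
add dst-address=<ENDPOINT_IP>/32 gateway=pppoe_telewest distance=1 \
    comment="VPN endpoint always via ISP"

# 2. Exactly one active default route in the main table: the VPN route at
#    distance 1, the PPPoE client's automatic default route pushed to
#    distance 2 so it only takes over while wireguard1 is down.
/interface pppoe-client
set [ find name=pppoe_telewest ] default-route-distance=2
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 distance=1 \
    comment="LAN default via VPN"

# 3. A second routing table whose only exit is the ISP; used for the
#    whitelist. (via_isp is a name chosen for this example.)
/routing table
add name=via_isp fib
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe_telewest routing-table=via_isp \
    comment="bypass table: via ISP"

# 4. Destinations that should NOT go through the VPN. FQDN entries are
#    resolved by the router's DNS and refreshed as dynamic entries.
#    (constructed sample entries; replace with real ones)
/ip firewall address-list
add list=bypass_vpn address=192.0.2.0/24 comment="sample: a subnet to bypass"
add list=bypass_vpn address=example.com comment="sample: an FQDN to bypass"

# 5. LAN traffic to a whitelisted destination is marked so that the via_isp
#    table is consulted instead of main; everything else stays on main and
#    therefore exits through wireguard1.
/ip firewall mangle
add chain=prerouting in-interface=bridge1 dst-address-list=bypass_vpn \
    action=mark-routing new-routing-mark=via_isp passthrough=no
```

With this layout /ip/route print shows one active 0.0.0.0/0 in the main table (wireguard1) and a second, inactive one at distance 2 (pppoe_telewest) that becomes active only if the tunnel interface goes down; a third 0.0.0.0/0 belongs to the via_isp table and is only reached through the routing mark. The VPN endpoint /32 route is what keeps the WireGuard handshake itself on the ISP path rather than inside the tunnel.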