Wireguard roadwarrior routing problem

I have two hAP ac^3 connected with a WireGuard site-to-site VPN, working perfectly. I can access the router and computers from site A to site B and the reverse. But now I've added roadwarrior VPN connections in site A. This is the network diagram:

[network diagram image]
Roadwarrior connections have internet access and can access computers in network A, but not in network B. I've been searching a lot and found that router B needs a route to the roadwarrior network, and after adding it I can access router B … BUT I still can't access computer B.

This is the config from router B, because that is where the error is (I think):

    # 2024-07-01 19:00:23 by RouterOS 7.16beta2
    # software id = A4LF-AZ7Z
    #
    # model = RBD53iG-5HacD2HnD
    # serial number = xxx
    /interface wireguard
    add listen-port=xxxx mtu=1420 name=wireguard-sts
    /interface list
    add name=WAN
    add name=LAN
    /interface bridge port
    add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
        interface=finetwork internal-path-cost=10 path-cost=10
    add bridge=bridge ingress-filtering=no interface="ether1" \
        internal-path-cost=10 path-cost=10
    add bridge=bridge ingress-filtering=no interface="ether2" \
        internal-path-cost=10 path-cost=10
    add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 \
        path-cost=10
    add bridge=bridge ingress-filtering=no interface="ether4" \
        internal-path-cost=10 path-cost=10
    add bridge=bridge ingress-filtering=no interface=wlan2.4 internal-path-cost=\
        10 path-cost=10
    add bridge=bridge ingress-filtering=no interface=wlan5.8 internal-path-cost=\
        10 path-cost=10
    /ip firewall connection tracking
    set udp-timeout=10s
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /ipv6 settings
    set disable-ipv6=yes max-neighbor-entries=8192
    /interface detect-internet
    set detect-interface-list=WAN
    /interface list member
    add interface=bridge list=LAN
    add interface=wireguard-sts list=LAN
    /interface wireguard peers
    add allowed-address=172.16.1.1/32,192.168.3.0/24,192.168.50.0/24 \
        endpoint-address=xxx.sn.mynetname.net endpoint-port=xxxx \
        interface=wireguard-sts name=xxxx persistent-keepalive=10s \
        public-key="xxx"
    /ip address
    add address=192.168.1.1/24 interface=bridge network=192.168.1.0
    add address=172.16.1.2/24 interface=wireguard-sts network=172.16.1.0
    /ip firewall filter
    add action=accept chain=input connection-state=established,related,untracked \
        protocol=0
    add action=drop chain=input connection-state=invalid
    add action=accept chain=input protocol=icmp
    add action=accept chain=input comment="VPN: allow wireguard-sts" dst-port=\
        xxxx protocol=udp
    add action=drop chain=input comment="defconf: drop all not coming from LAN" \
        in-interface-list=!LAN
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface-list=WAN
    /ip ipsec profile
    set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
    /ip route
    add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=172.16.1.1 \
        routing-table=main suppress-hw-offload=no
    add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=172.16.1.1 \
        routing-table=main suppress-hw-offload=no
    /routing bfd configuration
    add disabled=no

From the roadwarrior connection I can get as far as router B, but no further. This is a traceroute to computer B from the roadwarrior:

    C:\Users\Mobile>tracert 192.168.1.10
    
    Traza a 192.168.1.10 sobre caminos de 30 saltos como máximo.
    
      1    25 ms     1 ms     1 ms  192.168.11.1
      2    40 ms    41 ms    34 ms  192.168.50.1
      3    49 ms    45 ms    47 ms  172.16.1.2
      4     *        *        *     Tiempo de espera agotado para esta solicitud.
      5     *        *        *     Tiempo de espera agotado para esta solicitud.
      6     *        *        *     Tiempo de espera agotado para esta solicitud.
      7     *        *        *     Tiempo de espera agotado para esta solicitud.
      8     *        *        *     Tiempo de espera agotado para esta solicitud.
      9     *        *        *     Tiempo de espera agotado para esta solicitud.

Any idea? Thanks!!!

Best regards.

You should not assume you know where the problem is; simply post both configs.
The road warrior should be in the same subnet as the rest of the wireguard, so I'm not sure what you are doing, and of course, without the other config, I am in the dark.

On Router B.
(1) Modify allowed IPs TO:
    /interface wireguard peers
    add allowed-address=172.16.1**.0/24,**192.168.3.0/24
    endpoint-address=xxx.sn.mynetname.net endpoint-port=xxxx
    interface=wireguard-sts persistent-keepalive=10s public-key="xxx"

(2) why do you have this???
    add action=accept chain=input comment="VPN: allow wireguard-sts" dst-port=
    xxxx protocol=udp

(3) Why are you missing all forward chain rules??

(4) Route should look like…
    /ip route
    add dst-address=192.168.3.0/24 gateway=wireguard-sts routing-table=main

Hello anav, thanks for your reply.

I'm not a network expert, so to create the site-to-site and road warrior VPN I followed some tutorials I found on the internet.

This is to allow wireguard traffic from the WAN.

I removed some lines from the config to avoid unwanted noise (like wifi, dhcp, time, dns …). I'll repost both configs with more lines.

This is the router A config:

    # 2024-07-03 20:47:55 by RouterOS 7.16beta2
    # software id = WNRR-6DX4
    #
    # model = RBD53iG-5HacD2HnD
    # serial number = xxxxx
    /interface bridge
    add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge \
        port-cost-mode=short
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
        country=spain distance=indoors frequency=auto installation=indoor mode=\
        ap-bridge name=wlan-2.4g ssid="xxxxx" wireless-protocol=802.11 \
        wps-mode=disabled
    set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
        20/40/80mhz-XXXX country=spain disabled=no distance=indoors frequency=\
        5240 installation=indoor mode=ap-bridge name=wlan-5.8g ssid=\
        "xxxxx" wireless-protocol=802.11 wmm-support=enabled wps-mode=\
        disabled
    /interface ethernet
    set [ find default-name=ether1 ] name="ether1"
    set [ find default-name=ether2 ] name="ether2"
    /interface wireguard
    add listen-port=xxxxx mtu=1420 name=wireguard-rw
    add listen-port=xxxxx mtu=1420 name=wireguard-sts
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    /interface bridge port
    add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
        internal-path-cost=10 path-cost=10
    add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
        internal-path-cost=10 path-cost=10
    add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
        internal-path-cost=10 path-cost=10
    add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
        internal-path-cost=10 path-cost=10
    add bridge=bridge comment=defconf ingress-filtering=no interface=wlan-2.4g \
        internal-path-cost=10 path-cost=10
    add bridge=bridge comment=defconf ingress-filtering=no interface=wlan-5.8g \
        internal-path-cost=10 path-cost=10
    /ip firewall connection tracking
    set udp-timeout=10s
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /ipv6 settings
    set disable-ipv6=yes max-neighbor-entries=8192
    /interface detect-internet
    set detect-interface-list=all
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add comment=defconf interface=ether1 list=WAN
    add interface=pppoe list=WAN
    add interface=wireguard-rw list=WAN
    add interface=wireguard-sts list=LAN
    add interface=wireguard-rw list=LAN
    /interface ovpn-server server
    set auth=sha1,md5
    /interface wireguard peers
    add allowed-address=172.16.1.2/32,192.168.1.0/24,192.168.50.0/24 \
        endpoint-address=routerB.sn.mynetname.net endpoint-port=xxxxx \
        interface=wireguard-sts name=routerB public-key=\
        "xxxxx"
    add allowed-address=192.168.50.2/32 interface=wireguard-rw name=xxxxx \
        public-key="xxxxx"
    add allowed-address=192.168.50.3/32 interface=wireguard-rw name=xxxxx \
        public-key="xxxxx"
    add allowed-address=192.168.50.4/32 interface=wireguard-rw name=xxxxx \
        public-key="xxxxx"
    /ip address
    add address=192.168.3.1/24 interface=bridge network=192.168.3.0
    add address=192.168.50.1/24 interface=wireguard-rw network=192.168.50.0
    add address=172.16.1.1/24 interface=wireguard-sts network=172.16.1.0
    /ip cloud
    set ddns-enabled=yes ddns-update-interval=1m
    /ip dhcp-client
    add comment=defconf disabled=yes interface="ether1"
    /ip dhcp-server network
    add address=192.168.3.0/24 comment=defconf gateway=192.168.3.1 netmask=24
    /ip dns
    set allow-remote-requests=yes cache-size=32768KiB servers=1.1.1.1 \
        use-doh-server=https://cloudflare-dns.com/dns-query
    /ip firewall filter
    add action=accept chain=input comment=\
        "defconf: accept established,related,untracked" connection-state=\
        established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=\
        invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=accept chain=input comment="VPN: allow wireguard-rw" dst-port=\
        xxxxx log-prefix=wg protocol=udp
    add action=accept chain=input comment="VPN: allow wireguard-sts" dst-port=\
        xxxxx protocol=udp
    add action=drop chain=input comment="defconf: drop all not coming from LAN" \
        in-interface-list=!LAN
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" \
        ipsec-policy=out,none out-interface-list=WAN
    /ip ipsec profile
    set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
    /ip route
    add disabled=yes dst-address=0.0.0.0/0 gateway=192.168.100.1
    add dst-address=192.168.1.0/24 gateway=172.16.1.2

Router B:

    # 2024-07-03 21:00:46 by RouterOS 7.16beta2
    # software id = A4LF-AZ7Z
    #
    # model = RBD53iG-5HacD2HnD
    # serial number = xxxxx
    /interface bridge
    add admin-mac=xxxxx auto-mac=no name=bridge port-cost-mode=short
    /interface wireless
    set [ find default-name=wlan1 ] disabled=no mode=ap-bridge name=wlan2.4 ssid=\
        "xxxxx" wps-mode=disabled
    set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
        20/40/80mhz-XXXX country=spain disabled=no mode=ap-bridge name=wlan5.8 \
        ssid="xxxxx" wireless-protocol=802.11 wps-mode=disabled
    /interface ethernet
    set [ find default-name=ether2 ] name=ether1
    set [ find default-name=ether3 ] name=ether2
    set [ find default-name=ether4 ] name=ether3
    set [ find default-name=ether5 ] name=ether4 poe-out=off
    set [ find default-name=ether1 ] name=finetwork
    /interface wireguard
    add listen-port=xxxxx mtu=1420 name=wireguard-sts
    /interface list
    add name=WAN
    add name=LAN
    /interface bridge port
    add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
        interface=finetwork internal-path-cost=10 path-cost=10
    add bridge=bridge ingress-filtering=no interface=ether1 \
        internal-path-cost=10 path-cost=10
    add bridge=bridge ingress-filtering=no interface=ether2 \
        internal-path-cost=10 path-cost=10
    add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 \
        path-cost=10
    add bridge=bridge ingress-filtering=no interface=ether4 \
        internal-path-cost=10 path-cost=10
    add bridge=bridge ingress-filtering=no interface=wlan2.4 internal-path-cost=\
        10 path-cost=10
    add bridge=bridge ingress-filtering=no interface=wlan5.8 internal-path-cost=\
        10 path-cost=10
    /ip firewall connection tracking
    set udp-timeout=10s
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /ipv6 settings
    set disable-ipv6=yes max-neighbor-entries=8192
    /interface detect-internet
    set detect-interface-list=WAN
    /interface list member
    add interface=bridge list=LAN
    add interface=finetwork list=WAN
    add interface=wireguard-sts list=LAN
    /interface ovpn-server server
    set auth=sha1,md5
    /interface wireguard peers
    add allowed-address=172.16.1.1/32,192.168.3.0/24,192.168.50.0/24 \
        endpoint-address=routerA.sn.mynetname.net endpoint-port=xxxxx \
        interface=wireguard-sts name=routerA persistent-keepalive=10s \
        public-key="xxxxx"
    /ip address
    add address=192.168.1.1/24 interface=bridge network=192.168.1.0
    add address=172.16.1.2/24 interface=wireguard-sts network=172.16.1.0
    /ip dns
    set allow-remote-requests=yes cache-size=32768KiB servers=1.1.1.1 \
        use-doh-server=https://cloudflare-dns.com/dns-query
    /ip firewall filter
    add action=accept chain=input connection-state=established,related,untracked \
        protocol=0
    add action=drop chain=input connection-state=invalid
    add action=accept chain=input protocol=icmp
    add action=accept chain=input comment="VPN: allow wireguard-sts" dst-port=\
        xxxxx protocol=udp
    add action=drop chain=input comment="defconf: drop all not coming from LAN" \
        in-interface-list=!LAN
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface-list=WAN
    /ip ipsec profile
    set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
    /ip route
    add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=172.16.1.1 \
        routing-table=main suppress-hw-offload=no
    add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=172.16.1.1 \
        routing-table=main suppress-hw-offload=no
    /routing bfd configuration
    add disabled=no

Thanks for the help!

(2) why do you have this???
    add action=accept chain=input comment="VPN: allow wireguard-sts" dst-port=
    xxxx protocol=udp

This is to allow wireguard traffic from the WAN.

That would hold true if this device were the server for the handshake, but it is not, and thus the rule serves no purpose.
There is no traffic coming from the server MT device asking to connect to the client peer for the handshake.
I hope that's clear and why the rule is not required.

You failed to make the changes I recommended on Router B, so no comment there.

As for router A.
(1) You are very confused…
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add comment=defconf interface=ether1 list=WAN
    add interface=pppoe list=WAN
    add interface=wireguard**-rw list=WAN** <---- remove
    add interface=wireguard-sts list=LAN
    add interface=wireguard**-rw list=LAN**

REMOVE THE WAN membership

(2) Why does router A have client peer type settings for the other MT router… it should look like:

    /interface wireguard peers
    add allowed-address=172.16.1.2/32,192.168.1.0/24 interface=wireguard-sts
    public-key="====="

By the way, the second wireguard interface is a local subnet on this router; there is absolutely no requirement to state it in the allowed IPs for the client peer router.
You are correct in that the client peer router (B) needs that subnet in its allowed-address setting for this device, which is now made clear by not hiding information. :)
However, as noted at the top of this post, the allowed IP should be modified to 172.16.1**.0/24** on Router B.

No firewall rules so cannot comment much on that.

IP routes need work…
TO:

    /ip route
    add dst-address=192.168.**1.**0/24 gateway=wireguard-sts routing-table=main

You don't need a route for a local subnet (wireguard-rw) as it's already created with the IP address.

Also you had the wrong subnet; .3.0 is local, you need .1.0, aka match your allowed IPs…
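As an added, runnable illustration of the allowed-address versus route mismatch anav is pointing at (example code written for this thread, not from the poster or from MikroTik): it parses a constructed RouterOS export fragment for router B and reports every destination routed into the WireGuard tunnel that no peer's allowed-address covers, which WireGuard's cryptokey routing drops even though the route looks fine. The export text, the peer name and the placeholder key are constructed for the example.

```python
import ipaddress
import shlex

# Constructed sample in the style of the thread's router B export (not the OP's file):
# the road-warrior subnet is routed into the tunnel but absent from allowed-address.
ROUTER_B_EXPORT = """\
/interface wireguard peers
add allowed-address=172.16.1.1/32,192.168.3.0/24 \\
    interface=wireguard-sts name=routerA public-key="PLACEHOLDER"
/ip route
add dst-address=192.168.3.0/24 gateway=wireguard-sts routing-table=main
add dst-address=192.168.50.0/24 gateway=172.16.1.1 routing-table=main
"""

def _logical_lines(export):
    # RouterOS exports wrap long commands with a trailing backslash; join them.
    buf = ""
    for raw in export.splitlines():
        buf += raw.rstrip("\\")
        if not raw.endswith("\\"):
            yield buf
            buf = ""

def parse(export):
    """Return ({iface: [allowed prefixes]}, {route destination: gateway})."""
    section, allowed, routes = None, {}, {}
    for line in _logical_lines(export):
        if line.startswith("/"):
            section = line.strip()
            continue
        kv = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        if section == "/interface wireguard peers":
            nets = [ipaddress.ip_network(p) for p in kv["allowed-address"].split(",")]
            allowed.setdefault(kv["interface"], []).extend(nets)
        elif section == "/ip route":
            routes[ipaddress.ip_network(kv["dst-address"])] = kv["gateway"]
    return allowed, routes

def tunnel_interface(gw, allowed):
    """Map a gateway (interface name or a peer's tunnel IP) to its WireGuard interface."""
    ip = ipaddress.ip_address(gw) if gw.replace(".", "").isdigit() else None
    for iface, nets in allowed.items():
        if gw == iface or (ip is not None and any(ip in n for n in nets)):
            return iface
    return None

def uncovered_routes(export):
    """Destinations routed into the tunnel that no peer allowed-address covers."""
    allowed, routes = parse(export)
    return [str(dst) for dst, gw in routes.items() if (i := tunnel_interface(gw, allowed))
            and not any(dst.subnet_of(net) for net in allowed[i])]
```

Running `uncovered_routes(ROUTER_B_EXPORT)` on the sample reports 192.168.50.0/24, the road-warrior subnet, and reports nothing once that prefix is added to the peer's allowed-address.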

Hello anav,

Thanks for your reply, I really appreciate your help.

I didn't make the changes on router B the first time because I preferred to send you both router configs. I have applied your recommendations, and it's working now! I can access computers in network B from the road warrior.

Thank you very much!