Wireguard Roadwarrior setup won't work with public IP

kaptsea · January 12, 2023, 5:20pm

Hello all!

I have been trying to connect to wireguard all morning through my public (dynamic) IP! After scouring the forum for similar problems, I tried different fixes, with no results.
When I changed my client’s endpoint address to the local IP of my router, I got in! Tried again with the public IP (and the DDNS for that matter) but nothing. I even tried the server on different ports (with the accompanying firewall rules) and nothing.

Any ideas?

This is my config so far!

# jan/12/2023 19:09:58 by RouterOS 7.7rc5
# software id = 9NWZ-PV3H
#
# model = RB3011UiAS
# serial number = ----------
/interface bridge
add name="Docker Bridge"
add name="LAN Bridge"
add name="WAN Bridge"
/interface ethernet
set [ find default-name=ether2 ] name=ether2-Ubiquiti_AP
set [ find default-name=ether3 ] name=ether3-SMPC
set [ find default-name=ether4 ] name=ether4-Server
set [ find default-name=ether7 ] name=ether7-Paradox
set [ find default-name=ether8 ] name=ether8-Brother_printer
set [ find default-name=ether9 ] name=ether9-WAN_Cosmote
set [ find default-name=ether10 ] name=ether10-WAN_Hotspot poe-out=off
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1-Adguard
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key="oNUl.................6zwOB2M="
/container mounts
add dst=/opt/adguardhome/work name=adguard_workdir src=/SanDisk_Thumb/workdir
add dst=/opt/adguardhome/conf name=adguard_confdir src=/SanDisk_Thumb/confdir
/disk
set SanDisk_Thumb parent=usb1 partition-offset=512 partition-size="30 751 999 488" slot=SanDisk_Thumb
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool ranges=192.168.100.100-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool authoritative=after-2sec-delay interface="LAN Bridge" lease-time=1d name=dhcp-lan
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/container
add interface=veth1-Adguard mounts=adguard_workdir,adguard_confdir root-dir=SanDisk_Thumb/pull workdir=/opt/adguardhome/work
/container config
set registry-url=https://registry-1.docker.io tmpdir=SanDisk_Thumb/pull
/interface bridge port
add bridge="LAN Bridge" ingress-filtering=no interface=ether1
add bridge="LAN Bridge" ingress-filtering=no interface=ether2-Ubiquiti_AP
add bridge="LAN Bridge" ingress-filtering=no interface=ether3-SMPC
add bridge="LAN Bridge" ingress-filtering=no interface=ether4-Server
add bridge="LAN Bridge" ingress-filtering=no interface=ether5
add bridge="LAN Bridge" ingress-filtering=no interface=ether6
add bridge="LAN Bridge" ingress-filtering=no interface=ether7-Paradox
add bridge="LAN Bridge" ingress-filtering=no interface=ether8-Brother_printer
add bridge="WAN Bridge" ingress-filtering=no interface=ether9-WAN_Cosmote
add bridge="WAN Bridge" ingress-filtering=no interface=ether10-WAN_Hotspot
add bridge="Docker Bridge" interface=veth1-Adguard
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface wireguard peers
add allowed-address=192.168.50.40/32 interface=wireguard1 public-key="2qCsK4rPM0MTkeE30snSVJHPm+WchnLHD4d/BTdU3lg="
/ip address
add address=192.168.100.1/24 interface="LAN Bridge" network=192.168.100.0
add address=10.0.0.2/24 interface="WAN Bridge" network=10.0.0.0
add address=192.168.1.2/24 interface="WAN Bridge" network=192.168.1.0
add address=172.17.0.1/24 interface="Docker Bridge" network=172.17.0.0
add address=192.168.50.1/24 interface=wireguard1 network=192.168.50.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=192.168.100.9 client-id=1:f0:2f:74:21:e1:a3 mac-address=F0:2F:74:21:E1:A3 server=dhcp-lan
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=172.17.0.2

/ip firewall filter
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="Allow Wireguard traffic" src-address=192.168.50.0/24
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 log=yes log-prefix="Wireguard Handshake - " protocol=udp
add action=accept chain=input comment="Allow WinBox" dst-port=8291 in-interface="LAN Bridge" protocol=tcp
add action=accept chain=input comment="Allow API" dst-port=8728 in-interface="LAN Bridge" protocol=tcp
add action=accept chain=input comment="Allow Pings" in-interface="LAN Bridge" protocol=icmp
add action=accept chain=input comment="Allow Established and Related" connection-state=established,related
add action=drop chain=input comment="Drop ALL" in-interface="WAN Bridge"
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin for Lan" dst-address=192.168.100.0/24 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="Masq for Lan" out-interface="WAN Bridge"
add action=masquerade chain=srcnat comment="Masq for docker" out-interface="WAN Bridge" src-address=172.17.0.0/24
add action=dst-nat chain=dstnat comment="Adguard Web Interface" dst-address=192.168.100.1 dst-port=888 in-interface="LAN Bridge" \
    log-prefix=docker protocol=tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat comment="Server SSH" dst-port=32000 log=yes log-prefix=SSH_CONN_SERVER protocol=tcp to-addresses=\
    192.168.100.100 to-ports=22
add action=dst-nat chain=dstnat comment="Desktop SSH" disabled=yes dst-port=32001 log=yes log-prefix=SSH_CONN_DESKTOP protocol=tcp \
    to-addresses=192.168.100.9 to-ports=22
add action=dst-nat chain=dstnat comment="HTTPS from WAN" dst-port=443 in-interface="WAN Bridge" log=yes log-prefix=HTTPS_WAN protocol=\
    tcp to-addresses=192.168.100.100 to-ports=443
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 protocol=tcp to-addresses=192.168.100.100 to-ports=32400
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 protocol=udp to-addresses=192.168.100.100 to-ports=32400
add action=dst-nat chain=dstnat comment=Gitea dst-port=32223 protocol=tcp to-addresses=192.168.100.100 to-ports=2223

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip route
add comment="5G hotspot GW" disabled=yes distance=10 dst-address=0.0.0.0/0 gateway=10.0.0.1
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.100.0/24
set ssh address=192.168.100.0/24
set api disabled=yes
set api-ssl disabled=yes

anav · January 12, 2023, 5:24pm

Is the MT router the client or the server for initial connections ( are users connecting to it, or is it connection to something else?)
im assuming server with only one client.
Change this rule to NONE its known to cause funny issues in the past.
/interface detect-internet
set detect-interface-list=all
Does this router face the internet as you have changed from the default rules why, its nowhere near ready for public exposure.
The rules are problematic from both security and WG perspective.

kaptsea · January 12, 2023, 5:27pm

The MT router is the server, I was planning to have some clients connect to it
Removed the detect internet rule!

anav · January 12, 2023, 5:27pm

FW rules need work

kaptsea · January 12, 2023, 5:30pm

Well I am planning to work on them, I just got my hands dirty with the VPN side for now so I can work remotely on it. Are the FW problems related to WG?

kaptsea · January 12, 2023, 6:41pm

Updated FW rules

/ip firewall filter
add action=drop chain=input comment="Drop Invalid" connection-state=invalid log=yes log-prefix="Invalid Input - "
add action=accept chain=input comment="Allow Established and Related" connection-state=established,related,untracked
add action=accept chain=input comment="Allow Wireguard traffic" src-address=192.168.50.0/24
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 log=yes log-prefix="Wireguard Handshake - " protocol=udp
add action=accept chain=input comment="Allow WinBox" dst-port=8291 in-interface="LAN Bridge" protocol=tcp
add action=accept chain=input comment="Allow API" dst-port=8728 in-interface="LAN Bridge" protocol=tcp
add action=accept chain=input comment="Allow Pings" in-interface="LAN Bridge" protocol=icmp
add action=drop chain=input comment="Drop ALL" in-interface="WAN Bridge"
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid log-prefix="Invalid Forward - "
add action=accept chain=forward comment="Allow Established and Related" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow from LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop ALL"

anav · January 12, 2023, 7:04pm

Try this…

/ip firewall filter
{ Input Chain }
(default rules)
add action=accept chain=input comment=“Allow Established and Related” connection-state=established,related,untracked
add action=drop chain=input comment=“Drop Invalid” connection-state=invalid log=yes log-prefix="Invalid Input - "
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
(user rules)
add action=accept chain=input comment=“Allow Wireguard” dst-port=13231 log=yes log-prefix="Wireguard Handshake - " protocol=udp
add action=accept chain=input comment=“allow config access” dst-port=8291 protocol=tcp src-address-list=Authorized
add action=accept chain=input comment=“Allow API” dst-port=8728 in-interface=“LAN Bridge” protocol=tcp ******
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment=“Drop ALL ELSE”
{ Forward Chain }
(default rules)
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
(user rules)
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow wireguard traffic to LAN” in-interface=wireguard1 dst-address=192.168.100.0/24
add action=accept chain=forward comment=“allow wireguard traffic to internet” in-interface=wireguard1 out-interface-list=WAN
add action=accept chain=forward comment=“Allow Port Forwarding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop ALL ELSE”

Notes1: Who can configure the router… so Authorized is a firewall address list comprised of.
add IPaddress=admin IP on Router list=Authorized ( could be desktop )
add IP address=admin IP on Router list=Authorized ( could be laptop or ipad )
add IP address=admin IP on wireguard list=Authorized ( could you coming into the router via wg )

Notes2. Suggest using interface list as so…
Uh Oh, dont see interface list or interface list members on your config…
/interface list
add name=WAN
add name=LAN
/interface list members
add interface=bridge list=LAN
add interface=wireguard1 list=LAN
add interface=xxxxx list=WAN

In this regard the incoming wireguard users will have access to WAN through the existing LAN to WAN rule and thus you can remove the extra rule for wireguard to WAN access in the forward chain.
++++++++++++++

I dont get your route to 192.168.1 Do you have a public or private WANIP ???

Your destination nat rules are inconsistent… The format is screwy
Do you have a fixed public static wanip ???

kaptsea · January 12, 2023, 7:26pm

Thanks for the input! I have incorporated most changes apart from the Authorized list for now, will do that later, when I decide on IPs for administration. Might go with MGMT vlan.

So yeah, the route to 192.168.1.0/24 is because I am sitting behind my ISP’s modem router which does not support bridge mode. Hence I only use it as a means to get to the internet really. It’s the one that does the PPoE and routes all the traffic back to MT. Its firewall is disabled and MT is in DMZ. I do not have a static WANIP unfortunately

Again thanks for taking the time man

anav · January 12, 2023, 9:31pm

Okay that was good information to pass on… a network diagram always helps provide context when looking for help.

Now that we know your routers path through the internet is through another device we have to look carefully at the standard two cases for return traffic which illustrate the change we will have to make.
a. reach a lan devce
b. reach the internet,
These can be thought of in two ways,
(1) remote user from a single device with wireguard address within the scope of the IP address of the wireguard address on the router and secondly
(2) It could be a subnet of users coming from another client router.

Case A.

Any single remote user will already be covered for a return traffic path because the Router automatically creates a route for wireguard specific traffic and remember this traffic stays within the MT router.
dst-address=192.168.50.0/24 gwy=wireguard1 table=main
A subnet of users from another router are NOT known to the router, and thus one has to manually create a route for their return traffic to get back into the tunnel. This also conveniently covers the opposite requirement - what if local users want to visit that remote subnet on the client router… in both cases we need a route. Again all traffic remains within the MT router.
add dst-address=remotesubnet gtwy=wireguard1 table=main

Case B.

When reaching the MT Router, after exiting the wireguard tunnel, we have to ensure through firewall rules that the wireguard traffic can reach the WAN.
Hence we add the rule
add chain=forward action=accept in-interface=wireguard1 out-interface-list=WAN

(1+2) So the single client user with source address of 192.168.50.X will leave the router as source via the MT WAN connection and will go out the internet of the ISP modem router.
When the traffic returns the ISP router will see 192.168.50.X as source and since its not local to itself it will drop it like a hot potatoe. The same true holds for any remote subnet user.

The remedy is to ensure that wireguard traffic is also sourcenatted out the Router…
add chain=srcnat action=masquerade in-interface=wireguard1 out-interface-list=WAN

Thus any 192.168.50.x traffic or remote subnet traffic will appear as 192.168.1.1 when it returns from the WWW and the ISP router will send the traffic to the MT Router which will unsourcenat the traffic back to source and with available routes, firewall rules and allowed IPs send it back into the tunnel etc…