Wireguard roadwarrior to IPsec S2S

Hi all

Because I spent lots of time trying to solve my problem with no success, I am asking for help in the MK community.
We have two office branches which are interconnected by an IPsec S2S (tunneled) connection; this works well. I am able to ping from any host in Office1 to any other host in Office2. (10.10.10.12 <----> 192.168.100.10)
Also we have some people in home offices who are (will be) connected as WireGuard clients (10.10.30.2). The WireGuard server (10.10.30.1) runs on the Mikrotik (10.10.10.1) installed in Office1.

I set lots of combinations of ip firewall filter and NAT rules, but I am only able to ping from the WG client (10.10.30.2) to network 10.10.10.x.
No ping from this WG client to Office2 (192.168.100.x).

Could somebody help me?

MK Office1 config

/ip firewall filter add action=accept chain=input in-interface=vpn-wg log=yes
/ip firewall filter add action=accept chain=output out-interface=vpn-wg
/ip firewall filter add action=accept chain=forward in-interface=vpn-wg
/ip firewall filter add action=accept chain=forward out-interface=vpn-wg
/ip firewall filter add action=accept chain=forward connection-state=established,related dst-address=10.10.10.0/24
/ip firewall filter add action=accept chain=forward src-address=10.10.10.0/24
/ip firewall filter add action=accept chain=input dst-port=53 protocol=udp src-address=10.10.10.0/24
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=forward

/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.100.1 log=yes log-prefix=nat:: src-address=10.10.30.1
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

[admin@mk] > ip route/print 
Flags: D - DYNAMIC; A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY       DISTANCE
0  As 0.0.0.0/0         xx.xx.xx.xx         1
  DAc 10.10.10.0/24     bridge               0
  DAc 10.10.30.0/24     rsys-vpn-wg          0
  DAc xx.xx.xx.xx   ether1               0
1  As 192.168.1.0/24    bridge               1
2  As 192.168.100.0/24  rsys-vpn-wg          2

MK Office 2 config

/ip firewall filter add action=accept chain=forward dst-address=192.168.100.0/24 log=yes src-address=10.10.10.0/24
/ip firewall filter add action=accept chain=forward src-address=10.10.30.0/24
/ip firewall filter add action=accept chain=input dst-port=1194 protocol=tcp
/ip firewall filter add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
/ip firewall filter add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
/ip firewall filter add action=drop chain=forward dst-port=2000 in-interface=ether1 protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN


/ip firewall nat add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.100.0/24 to-addresses=10.10.10.1
/ip firewall nat add action=accept chain=dstnat dst-address=192.168.100.0/24 src-address=10.10.30.0/24 to-addresses=10.10.10.1
/ip firewall nat add action=log chain=dstnat in-interface=bridge src-address=10.10.30.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

[admin@MikroTik-01] > ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          xx.xx.xx.xx              1
 1 X S  10.10.10.0/24                      bridge                    1
 2 A S  10.10.30.0/24      192.168.100.1   bridge                    1
 3 X S  10.10.100.0/22                     bridge                    1
 4 ADC  172.20.1.0/24      172.20.1.1      bridge                    0
 5 ADC  xx.xx.xx.xx/20    xx.xx.xx.xx    ether1                    0
 6 A S  192.168.1.0/24     192.168.100.1   bridge                    1
 7 ADC  192.168.100.0/24   192.168.100.1   bridge                    0



c:\>tracert 10.10.10.12
Tracing route to NPI25AD57 [10.10.10.12]
over a maximum of 30 hops:
  1    13 ms    15 ms    15 ms  10.10.30.1
  2    13 ms    13 ms    13 ms  NPI25AD57 [10.10.10.12]
Trace complete.



c:\>tracert 192.168.100.10
Tracing route to SERVER01 [192.168.100.10]
over a maximum of 30 hops:
  1    15 ms    15 ms    13 ms  10.10.30.1
  2     *        *        *     Request timed out.
  3     *

Drawing1.png

The diagram is very helpful, the requirements not so much.

Let me try to understand.

(1) The wireguard home clients will be given single IPs…
10.10.30.2/32 , 10.10.30.3/32 , 10.10.30.4/32, etc…

(2) The wg server is in Office 1, with IP address of 10.10.30.1/24

(3) You desire the home clients to access WHAT exactly? I don’t care about pinging, I care about user requirements; pinging is not something users do, that's an admin tool :slight_smile:
So, what do the home units require access to?
Office 1, and if so which subnets and which devices within the subnet, if specific
Office 2, and if so which subnets and which devices within the subnet, if specific

(4) Assuming accessing the internet through either office 1 or office 2 is NOT a requirement.

(5) What are the home clients, IPADS/IPHONEs or Desktops/Laptops

(6) It is easy to get WireGuard clients to reach the Office 1 MIKROTIK; however, the IPSEC part to transfer those clients to Office 2 is not my problem nor my area of expertise.
However, if you wish, an easy solution is to create a tunnel from the Office 2 Mikrotik (client) as well to the Office 1 server, and then the home units have a more direct type of link to Office 2.
(assumes Office 2 is also a Mikrotik and thus has built-in WG).

(1) - yes, right
(2) - yes, right
(3) Clients need IPv4 connectivity, because they will use lots of services in office1 and office2… I know that ping is a tool, but via ping I check IP connectivity between clients and PCs in office1,2
(4) Yes, internet connection outside of the VPN
(5) PCs, desktops, laptops
(6) Today I created an IPsec tunnel between 10.10.30.0 and 192.168.100.0… some progress… I am able to reach 10.10.30.1 (WG server) from office 2 (192.168.100.0). But the connection between WG clients and office2 still does not work.

Additional info - I tried a trace to the WG server and to client 10.10.30.2 from 192.168.100.10

acs@server01 ~ $ tracepath 10.10.30.1
 1?: [LOCALHOST]                      pmtu 1500
 1:  192.168.100.1                                         0.401ms
 1:  192.168.100.1                                         0.336ms
 2:  192.168.100.1                                         0.331ms pmtu 1438
 2:  10.10.30.1                                           10.922ms reached
     Resume: pmtu 1438 hops 2 back 2



acs@server01 ~ $ tracepath 10.10.30.2
 1?: [LOCALHOST]                      pmtu 1500
 1:  192.168.100.1                                         0.452ms
 1:  192.168.100.1                                         0.261ms
 2:  192.168.100.1                                         0.321ms pmtu 1438
 2:  10.10.10.1                                           12.604ms
 3:  10.10.10.1                                           12.724ms pmtu 1420
 3:  no reply
 4:  no reply
 5:  no reply
 6:  no reply

Please, show

/interface wireguard peers add allowed-address=

Server:
Allowed Address - here you should specify 0.0.0.0/0.
Client
AllowedIPs = 0.0.0.0/0
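Added example (my code, not from the thread or from MikroTik) modelling the three decisions a WG client's packet meets in the first post's Office1 setup: the srcnat rule (the posted one only covers src 10.10.30.1 and dst 192.168.100.1), the IPsec policy selector lookup, and the WireGuard allowed-address check raised above. The S2S selectors (10.10.10.0/24 <-> 192.168.100.0/24), the peer lists and the src-nat to-address are assumptions, since the thread does not show them; subnets are the thread's own.

```python
# Constructed model, not RouterOS code: which Office1 decision stops a WG client
# packet to Office2, and whether the reply is routed back into the WG tunnel.
import ipaddress as ipa

def covered(addr, net):
    return ipa.ip_address(addr) in ipa.ip_network(net)

def apply_srcnat(src, dst, nat_rules):
    """RouterOS evaluates srcnat before the IPsec policy lookup, so a matching
    src-nat rule decides which selector the packet is compared against.
    nat_rules: list of (src_net, dst_net, to_address)."""
    for rule_src, rule_dst, to_address in nat_rules:
        if covered(src, rule_src) and covered(dst, rule_dst):
            return to_address
    return src

def ipsec_policy(src, dst, policies):
    """First (src_net, dst_net) selector pair covering the packet, or None."""
    for pol_src, pol_dst in policies:
        if covered(src, pol_src) and covered(dst, pol_dst):
            return (pol_src, pol_dst)
    return None

def wg_peer_for(dst, peers):
    """WireGuard cryptokey routing: a packet only enters the tunnel towards the
    peer whose allowed-address covers its destination (longest prefix wins).
    peers: list of (name, [allowed_nets])."""
    best = None
    for name, allowed in peers:
        for net in allowed:
            plen = ipa.ip_network(net).prefixlen
            if covered(dst, net) and (best is None or plen > best[1]):
                best = (name, plen)
    return best[0] if best else None

def client_to_office2(client, server, nat_rules, policies, peers):
    """Forward leg: does the (possibly NATed) packet land in an IPsec policy?
    Return leg: is the reply to the client routed into the WG tunnel?"""
    nat_src = apply_srcnat(client, server, nat_rules)
    return ipsec_policy(nat_src, server, policies), wg_peer_for(client, peers)

# Constructed inputs (assumptions): S2S selectors, the posted NAT rule, a wider one, one WG peer.
S2S_POLICIES = [("10.10.10.0/24", "192.168.100.0/24")]
NARROW_NAT = [("10.10.30.1/32", "192.168.100.1/32", "10.10.10.1")]  # rule from the first post
WIDE_NAT = [("10.10.30.0/24", "192.168.100.0/24", "10.10.10.1")]    # covers every WG client
PEERS = [("home-pc", ["10.10.30.2/32"])]

if __name__ == "__main__":
    print(client_to_office2("10.10.30.2", "192.168.100.10", NARROW_NAT, S2S_POLICIES, PEERS))
    print(client_to_office2("10.10.30.2", "192.168.100.10", WIDE_NAT, S2S_POLICIES, PEERS))
```

The same wg_peer_for check applied on the client side (dst 192.168.100.10 against the client's AllowedIPs) shows why an AllowedIPs of 10.10.10.0/24 alone keeps the reply out of the tunnel while 0.0.0.0/0 lets it in.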

No, it does not work :frowning:

I tried ping from 192.168.100.10 to 10.10.30.2; some packets are missing

acs@server01 ~ $ ping 10.10.30.2
PING 10.10.30.2 (10.10.30.2) 56(84) bytes of data.
64 bytes from 10.10.30.2: icmp_seq=5 ttl=126 time=34.8 ms
64 bytes from 10.10.30.2: icmp_seq=12 ttl=126 time=26.2 ms
64 bytes from 10.10.30.2: icmp_seq=17 ttl=126 time=23.8 ms
64 bytes from 10.10.30.2: icmp_seq=20 ttl=126 time=27.9 ms
64 bytes from 10.10.30.2: icmp_seq=23 ttl=126 time=28.0 ms
64 bytes from 10.10.30.2: icmp_seq=25 ttl=126 time=25.9 ms
64 bytes from 10.10.30.2: icmp_seq=34 ttl=126 time=41.2 ms
64 bytes from 10.10.30.2: icmp_seq=35 ttl=126 time=28.1 ms
64 bytes from 10.10.30.2: icmp_seq=36 ttl=126 time=27.9 ms
64 bytes from 10.10.30.2: icmp_seq=37 ttl=126 time=28.0 ms
64 bytes from 10.10.30.2: icmp_seq=38 ttl=126 time=29.7 ms
64 bytes from 10.10.30.2: icmp_seq=42 ttl=126 time=28.1 ms
64 bytes from 10.10.30.2: icmp_seq=52 ttl=126 time=24.7 ms
64 bytes from 10.10.30.2: icmp_seq=59 ttl=126 time=26.2 ms
^C
--- 10.10.30.2 ping statistics ---
64 packets transmitted, 14 received, 78.125% packet loss, time 63792ms
rtt min/avg/max/mdev = 23.829/28.606/41.182/4.288 ms

And also I captured data on 10.10.3.2 in Wireshark… no lost packets…
wshark.jpg

Now I switched to OpenVPN instead of WireGuard and it works perfectly…
Nevertheless I will investigate why WireGuard does not work

Okay, your answers for 5. and 6. need more information/clarity.

Will incoming wg clients be going out to the internet via office 1?
Will incoming wg clients be going out to the internet via office 2?
What router is at office 2 (capable of WireGuard)? Is it also a Mikrotik?

wg clients will use only tunneled traffic (internet traffic will not be tunneled via offices 1,2)
the router at office2 is also a Mikrotik

Okay, so basically the clients using the tunnel will not be going to another Mikrotik to access the internet in any direction, just subnets on the other side.

Question:
Why is Office 1 MT the server - does it have a public IP?
Does Office 2 MT have a public IP?

Thinking clients could go to either one, but I see that it's easier to have one tunnel for clients TO a server and be able to reach both office 1 and office 2 subnets with one tunnel.
So the thinking is

wg clients to MT Office1 Server ( on wireguard tunnel x.x.x.0/24)
MT Office 2 Client (also on wireguard tunnel x.x.x.0/24)

Does this establish the requirements…
wg clients To Office 1 subnets (if so to which ones)
wg clients To Office 2 subnets (if so to which ones)
Office1 clients to Office 2 subnets (if so from which ones to which ones)
Office 2 clients to Office 1 subnets (if so from which ones to which ones)

Admin requirements
a. test connectivity
b. configure routers
FROM WHERE, wg client? (working from home for example)