Wireguard setup Roadwarrior

Hello MT community,

I've been through a lot of YouTube and other videos on how to set up a WG roadwarrior setup in order to access the local subnet. I would like to ask for an additional 'how to' on the present config, as I did not get the WG connectivity working.

The schematic is very simple: I have an MT (LtAP LTE6) and would like to access my local subnet via WG. Instead of a fixed public IP, I am using the MT's IP Cloud address.

# 2024-05-05 11:48:30 by RouterOS 7.11
# software id = 180R-71Q6
#
# model = RBLtAP-2HnD
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=InternetOut
add name=WAN
add name=LAN
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=A1 band="" \
    network-mode=lte
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile1 \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC \
    disabled=no frequency=2432 installation=outdoor max-station-count=15 \
    mode=ap-bridge radio-name="MT LtaP" security-profile=profile1 ssid=\
    "WIFI" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=\
    aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.253
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=4h10m name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=lte1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.16.0.2/32 interface=wireguard1 public-key=\
    "123123123123123123="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=172.16.0.254/24 interface=wireguard1 network=172.16.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state="" hw-offload=\
    yes
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Wireguard allow" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Wireguard allow traffic" src-address=\
    172.16.0.0/24
add action=accept chain=input comment=\
    "Allow DHCP, DNS, NTP from internal networks only" dst-port=\
    5678,123,53,67,68 in-interface=!lte1 protocol=udp
add action=accept chain=input comment="Allow access to FW except internet" \
    in-interface=!lte1
add action=accept chain=input comment="Allow ICMP" in-interface=!lte1
add action=reject chain=input comment=\
    "Global DENY !!! Don't move or change !!" log-prefix=Global_ reject-with=\
    icmp-net-prohibited
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=LAN \
    out-interface=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface=LAN
add action=drop chain=forward disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=internet
add action=masquerade chain=srcnat comment="Wireguard masqurade - internet" \
    out-interface=wireguard1
/ip route
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Zagreb
/system gps
set port=gps
/system leds
set 0 type=wireless-signal-strength
/system note
set show-at-login=no

Win10 config

[Interface]
PrivateKey = 123123123123213213213
Address = 172.16.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = 123123123213123213123
AllowedIPs = 192.168.1.0/0
Endpoint = publicIP:13231

Few things:

  • I can connect to the MT and can ping 172.16.0.2, but I cannot ping the local subnet 192.168.1.0/24

If I do ipconfig on the wg1 interface on my Win10 machine I get this:
[screenshot: 2024-05-05_12h29_02.png]
What is my config missing?

Tx for any help!

korg

Try

AllowedIPs = 192.168.1.0/24

Tx Njumaen… it was my misspelling. It is allowedip 192.168.1.0/24 :slight_smile:

Again, i can ping the mt peer but not the local LAN itself

tx

korg

The allowed IPs in the router setting (for the peer windows client) is correct as is:
/interface wireguard peers
add allowed-address=172.16.0.2/32 interface=wireguard1 public-key=\
    "123123123123123123="

Concur on the client side device (windows10) allowed address should be 192.168.1.0/24 to reach the remote subnet, but you are MISSING the wireguard address!!
What I also don't see on w10 is the persistent-keep-alive setting??
(also ensure you get the windows client from the WIREGUARD website).

[Peer]
PublicKey = 123123123213123213123
AllowedIPs = 172.16.0.0/24,192.168.1.0/24
Endpoint = publicIP:13231
PersistentKeepalive = 35

NOTE: If the intent was also to be able to go out to the internet of the home router, then allowed IPs on windows 10 would simply be:
AllowedIPs = 0.0.0.0/0


Remove this route, it serves no purpose and one like it is already created by the router based on the wireguard IP address.
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

Fix source NAT RULEs to the following. The default is wrong, and REMOVE the one for wireguard, NOT required.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
So with all the details fixed we can focus on the firewall rules.


/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Wireguard allow" dst-port=13231 \
    protocol=udp
add action=accept chain=input in-interface-list=LAN
# ensure you add this rule last
add action=drop chain=input comment="Drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=LAN
add action=drop chain=forward disabled=yes



When and if you want to make access to the router more secure, ONLY do the following, using mostly static DHCP leases.
/ip firewall address-list
add address=192.168.1.X list=Authorized comment="admin desktop local"
add address=192.168.1.Y list=Authorized comment="admin laptop wifi"
add address=192.168.1.Z list=Authorized comment="admin smartphone/ipad wifi"
add address=172.16.0.2 list=Authorized comment="admin laptop remote"
add address=172.16.0.3 list=Authorized comment="admin smartphone/ipad remote"

/ip firewall filter
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="user services" dst-port=53,123 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="user services" dst-port=53 protocol=tcp in-interface-list=LAN

# ensure you add this rule last
add action=drop chain=input comment="Drop all else"
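As an added example (not code from this thread, from MikroTik or from the WireGuard project), a small Python checker that applies the client-side points above to a wg-quick style Windows config: AllowedIPs must cover both the router's WireGuard address and the LAN subnet, an entry with host bits set (such as the original 192.168.1.0/0) silently becomes a full-tunnel 0.0.0.0/0, the client Address must match the router's peer allowed-address, and PersistentKeepalive should be present. The router-side values are assumptions taken from the exported config in the thread (wireguard1 172.16.0.254/24, LAN 192.168.1.0/24, peer allowed-address 172.16.0.2/32), and the sample configs are constructed with placeholder keys.

```python
# Added example (not code from the thread): check a WireGuard road-warrior
# client config against the router side. Router values are assumptions from
# the exported config in the thread.
import configparser
import ipaddress

ROUTER_WG = ipaddress.ip_interface("172.16.0.254/24")  # /ip address on wireguard1
ROUTER_LAN = ipaddress.ip_network("192.168.1.0/24")  # bridge1 subnet
ROUTER_PEER_ALLOWED = ipaddress.ip_network("172.16.0.2/32")  # peer allowed-address


def parse_client_conf(text):
    """Parse a wg-quick style [Interface]/[Peer] file into two dicts."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    # configparser lowercases option names: "AllowedIPs" becomes "allowedips"
    return dict(cp["Interface"]), dict(cp["Peer"])


def check_client(text):
    """Return a list of problems; an empty list means the config is consistent."""
    iface, peer = parse_client_conf(text)
    problems = []
    # Client tunnel address must sit in the router's WG subnet and match the
    # allowed-address the router configured for this peer.
    addr = ipaddress.ip_interface(iface["address"])
    if addr.ip not in ROUTER_WG.network:
        problems.append(f"Address {addr} is outside router WG subnet {ROUTER_WG.network}")
    if addr.ip not in ROUTER_PEER_ALLOWED:
        problems.append(f"Address {addr} not covered by peer allowed-address {ROUTER_PEER_ALLOWED}")
    # On the client, AllowedIPs is both the crypto ACL and the routes installed.
    allowed = []
    for raw in peer.get("allowedips", "").split(","):
        raw = raw.strip()
        if not raw:
            continue
        net = ipaddress.ip_network(raw, strict=False)  # mask host bits as wg does
        if str(net) != raw:
            problems.append(f"AllowedIPs entry {raw} has host bits set; it really means {net}")
        allowed.append(net)
    if not any(ROUTER_WG.ip in net for net in allowed):
        problems.append(f"AllowedIPs does not cover router WG address {ROUTER_WG.ip}")
    if not any(ROUTER_LAN.subnet_of(net) for net in allowed):
        problems.append(f"AllowedIPs does not cover LAN subnet {ROUTER_LAN}")
    # A road-warrior behind NAT needs keepalives so the NAT mapping survives.
    if "persistentkeepalive" not in peer:
        problems.append("PersistentKeepalive is not set")
    return problems


# Constructed sample mirroring the thread's first Win10 config (keys are placeholders).
ORIGINAL_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 172.16.0.2/32
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY=
AllowedIPs = 192.168.1.0/0
Endpoint = publicIP:13231
"""

# The same config with the corrections from the post above applied.
FIXED_CONF = ORIGINAL_CONF.replace(
    "AllowedIPs = 192.168.1.0/0", "AllowedIPs = 172.16.0.0/24, 192.168.1.0/24"
) + "PersistentKeepalive = 35\n"

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(name, check_client(conf) or "OK")
```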

@anav you rule!!! :slight_smile:

Tx for your time and help…

I unfortunately did not manage to get to the local network. Could the reason be that this is (still) a CG NAT connection?

Here is my current setup file

# 2024-05-06 10:43:55 by RouterOS 7.11
# software id = 180R-71Q6
#
# model = RBLtAP-2HnD
/interface bridge
add name=bridge1
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" network-mode=lte
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key=\
    "123123123123123213123"
/interface list
add name=InternetOut
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] apn=internet ip-type=ipv4 name=HT \
    use-network-apn=no
add apn=internet name=A1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile1 \
    supplicant-identity="" wpa-pre-shared-key=222 wpa2-pre-shared-key=\
    2222
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC \
    disabled=no frequency=2432 installation=outdoor max-station-count=15 \
    mode=ap-bridge radio-name="MT LtaP" security-profile=profile1 ssid=\
    "WIFI Majer" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.253
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=4h10m name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=lte1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.16.0.2/32 interface=wireguard1 public-key=\
    "123123123123="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=172.16.0.254/24 interface=wireguard1 network=172.16.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Wireguard allow" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Wireguard allow traffic" dst-port=\
    13231 protocol=udp src-address=172.16.0.0/24
add action=accept chain=input comment=\
    "Allow DHCP, DNS, NTP from internal networks only" dst-port=\
    5678,123,53,67,68 in-interface=!lte1 protocol=udp
add action=accept chain=input comment="Allow access to FW except internet" \
    in-interface=!lte1
add action=accept chain=input comment="Allow ICMP" in-interface=!lte1
add action=reject chain=input comment=\
    "Global DENY !!! Don't move or change !!" log-prefix=Global_ reject-with=\
    icmp-net-prohibited
add action=fasttrack-connection chain=forward connection-state="" hw-offload=\
    yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    LAN
add action=drop chain=forward disabled=no
/ip firewall nat
add action=masquerade chain=srcnat comment=internet out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Zagreb
/system gps
set port=gps set-system-time=yes
/system identity
set name="Wow MT :)"
/system leds
set 0 type=wireless-signal-strength
/system logging
add topics=wireguard,info
/system note
set show-at-login=no

and my Win10 config

[Interface]
PrivateKey = 123123123123213123=
Address = 172.16.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = 123123123123123123
AllowedIPs = 172.16.0.0/24, 192.168.1.0/24
Endpoint = public-ip:13231
PersistentKeepalive = 35

tx

korg

Try

  • adding wg interface to LAN interface list
  • adding NAT masquerade rule for wg interface

always worked for me :wink:

Cheers

Hi Njumaen,

wg1 interface is already in the LAN list
regarding adding masquerade for the wg1 interface .. will try

tx

korg

Yes, the issue is you have a CGNAT connection.
If your device was an arm, arm64 or tile architecture one, you could also use the BTH VPN wireguard functionality (which would allow you to deal with the CGNAT shortcoming).
The only other option I know of, but have not implemented, is using IPv6 to do so.

Snipped from CGNAXXX post.
Quote: "Nowadays, IPv6 should be well supported by mobile networks. You can use IPv6 for the WireGuard connection instead. But you might have to set up IPv6 on your device first, if you currently don't see any IPv6 address listed in the IP → Cloud window (if that's the case, you need to do the usual IPv6 configuration: DHCPv6 Client → IPv6 pool → Get prefix from pool to assign to the bridge interface → open port 13231 UDP chain input on the IPv6 firewall filter table; for the LAN devices to have working IPv6, IPv6 ND must also be configured). If there is already an IPv6 address listed on the IP → Cloud window, then you only need to open port 13231 UDP on your IPv6 firewall." unquote.
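As an added example, not from the thread: a Python helper that encodes the check described in this thread (the address on lte1 should be the same public IP that IP Cloud reports, otherwise inbound UDP 13231 never reaches the router), including the RFC 6598 shared range carriers use for CGNAT. The addresses used in the sample call are constructed.

```python
# Added example (not code from the thread): decide from the lte1 address and
# the IP Cloud DDNS address whether the router is reachable from the internet.
import ipaddress

CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cgnat_verdict(lte_address, cloud_public_address):
    """Return a short verdict on whether inbound WireGuard traffic can reach the router."""
    lte = ipaddress.ip_address(lte_address)
    cloud = ipaddress.ip_address(cloud_public_address)
    if lte in CGNAT_SHARED:
        return "behind CGNAT: lte1 address is in RFC 6598 shared space"
    if any(lte in net for net in RFC1918):
        return "behind NAT: lte1 address is RFC 1918 private space"
    if lte != cloud:
        # IP Cloud reports the address seen by MikroTik's servers; a mismatch
        # means some NAT sits between the router and the internet.
        return "behind NAT: lte1 address differs from IP Cloud public address"
    return "public: lte1 address matches IP Cloud address, inbound UDP 13231 can arrive"


if __name__ == "__main__":
    # Constructed sample values; real ones come from /ip address and /ip cloud
    print(cgnat_verdict("100.64.12.34", "203.0.113.7"))
    print(cgnat_verdict("203.0.113.7", "203.0.113.7"))
```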

I see, I have sent a request to the internet provider to take my connection out of the CG NAT pool.

I’ll reply if everything went ok :slight_smile:

tx

korg

Ok.. now I am outside of CG NAT.. and I still don't have a connection to the local network.. here is the situation…

  1. I don't see any traffic on the wireguard FW rules
    [screenshot: 2024-05-06_13h40_25.png]
    [screenshot: 2024-05-06_13h40_37.png]

  2. this is my current win10 config
    [screenshot: 2024-05-06_17h27_11.png]

  3. I can ping 172.16.0.2/32 (my peer allowed address) remotely

  4. Having said that, I still think I have some errors in my script. @anav could you please take another look at my current MT config?

# 2024-05-06 17:32:09 by RouterOS 7.11
# software id = 180R-71Q6
#
# model = RBLtAP-2HnD
/interface bridge
add name=bridge1
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band="" network-mode=lte
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key=\
    "1231231231232131"
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.ht.hr ip-type=ipv4 name=HT \
    use-network-apn=no
add apn=internet name=A1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile1 \
    supplicant-identity="" wpa-pre-shared-key=1111111 wpa2-pre-shared-key=\
    111111111
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-eC \
    disabled=no frequency=2432 installation=outdoor max-station-count=15 \
    mode=ap-bridge radio-name="MT LtaP" security-profile=profile1 ssid=\
    "WIFI Majer" wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=\
    aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.253
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=4h10m name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=lte1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.16.0.2/32 interface=wireguard1 public-key=\
    "1111111111"
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=172.16.0.254/24 interface=wireguard1 network=172.16.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Wireguard allow" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "Allow DHCP, DNS, NTP from internal networks only" dst-port=\
    5678,123,53,67,68 in-interface=!lte1 protocol=udp
add action=accept chain=input comment="Allow access to FW except internet" \
    in-interface=!lte1
add action=accept chain=input comment="Allow ICMP" in-interface=!lte1
add action=reject chain=input comment=\
    "Global DENY !!! Don't move or change !!" log-prefix=Global_ reject-with=\
    icmp-net-prohibited
add action=fasttrack-connection chain=forward connection-state="" hw-offload=\
    yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    LAN
add action=drop chain=forward 
/ip firewall nat
add action=masquerade chain=srcnat comment=internet out-interface-list=WAN
add action=masquerade chain=srcnat comment="Wireguard masqurade - internet" \
    out-interface=wireguard1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Zagreb
/system gps
set port=gps set-system-time=yes
/system identity
set name="WowMT :)"
/system leds
set 0 type=wireless-signal-strength
/system logging
add topics=wireguard,info
/system note
set show-at-login=no

and my current Win10 config

[Interface]
PrivateKey = 1231321321321
Address = 172.16.0.2/32
DNS = 172.16.0.254

[Peer]
PublicKey = 12321321321312
AllowedIPs = 172.16.0.0/24, 192.168.1.0/24
Endpoint = publicip:13231
PersistentKeepalive = 35

tx

korg

Overall I don't see anything glaring. You have not made the changes I recommended in the first go-around and I am not about to go through that again; suffice to say, they were not provided lightly and may help gain success.

Once you fix those, then we can look at anything else that may be more obvious.
One additional thing: can you confirm you can ping your NOW public IP address from your smartphone on cellular?
It should be the same public IP that shows up in your IP Cloud settings…

I understand… but I think I have followed all your tips:

anav: Concur on the client side device (windows10) allowed address should be 192.168.1.0/24 to reach the remote subnet, but you are MISSING the wireguard address!!
What I also don't see on w10 is the persistent-keep-alive setting??

me:

[Peer]
PublicKey = 12321321321ri1232131m4=
AllowedIPs = 172.16.0.0/24, 192.168.1.0/24
Endpoint = publicIP:13231
PersistentKeepalive = 35

anav: Remove this route, it serves no purpose and one like it is already created by the router based on the wireguard IP address.
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

me: no manual routes


anav: Fix source NAT RULEs to the following. The default is wrong, and REMOVE the one for wireguard, NOT required.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Me: done!
/ip firewall nat
add action=masquerade chain=srcnat comment=internet out-interface-list=WAN

anav: /ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Wireguard allow" dst-port=13231 \
    protocol=udp
add action=accept chain=input in-interface-list=LAN
# ensure you add this rule last
add action=drop chain=input comment="Drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=LAN
add action=drop chain=forward disabled=yes

Me: /ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid disabled=yes
add action=accept chain=input comment="Wireguard Handshake" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "Allow DHCP, DNS, NTP from internal networks only" dst-port=\
    5678,123,53,67,68 in-interface=!lte1 protocol=udp
add action=accept chain=input comment="Allow access to FW except internet" \
    in-interface=!lte1
add action=accept chain=input comment="Allow ICMP" in-interface=!lte1
add action=reject chain=input comment=\
    "Global DENY !!! Don't move or change !!" disabled=yes log-prefix=Global_ \
    reject-with=icmp-net-prohibited
add action=fasttrack-connection chain=forward connection-state="" hw-offload=\
    yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    LAN
add action=drop chain=forward disabled=yes

The strangest thing is that once I connect to the WG, I can ping the 172.16.0.2 peer, but I don't see any traffic on the input chain for WG
[screenshot: 2024-05-07_12h11_22.png]

Hello to all, especially to anav,

just wanted to let you know that CG NAT was still active while I was asking for help again and again. CG NAT is now deactivated and WG is now working.

Again, @anav tx a lot for your info/input/help on that matter.

If you guys wish, I could post my current setup, which is running.

Tx

korg

No thanks, don't want to see that ugly looking set of firewall rules again. :wink:
Glad you got it sorted!

Thank you for guiding me to the right path of FW rules and for all other ‘paths’ :slight_smile:

great day

korg