Wireguard setup to VPN LTE RBSXTR

Hello,
Can someone help me with how to set up
a WireGuard VPN so I can connect my MT Android app to my LTE device?
thanks

a dump file below for reference

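# 2024-05-29 09:26:22 by RouterOS 7.14.3
# software id = A2N8-******
#
# model = RBSXTR
# serial number = HG1********
#
# Review notes (added): the only functional change versus the posted export is
# under /ip firewall filter, where the two default input-chain drop rules were
# exported with disabled=yes and are re-enabled here. Everything else is kept as
# exported; MAC addresses, software id and serial number appear masked by the poster.
/interface bridge
add admin-mac=18:FD:******* auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] mac-address=18:FD:*******
set [ find default-name=ether2 ] mac-address=18:FD:*******
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=broadband use-network-apn=yes
# lte1 is the WAN uplink (see /interface list member): APN profile "broadband",
# roaming off, LTE-only network mode, locked to band 4, SMS reading off.
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=broadband \
    band=4 network-mode=lte sms-read=no
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# "dhcp" serves the bridge LAN; "vpn" is the remote-address pool for PPP (L2TP) clients.
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
# Default PPP profile: router side 192.168.89.1, clients drawn from pool "vpn".
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
# L2TP/IPsec server. It is reachable from lte1 only through the explicit
# udp/500, udp/4500 and udp/1701 accept rules in the input chain below.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# ddns-enabled=yes publishes the router's WAN address to MikroTik's cloud DNS;
# the thread uses this to compare the LTE address with the address seen from outside.
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.88.1 netmask=24
# allow-remote-requests=yes answers DNS for any source that gets through the
# input chain. With the "drop all not coming from LAN" rule disabled (as in the
# posted export) that includes lte1, i.e. an open resolver on the WAN side;
# with that rule enabled (below) only LAN clients are answered.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Input chain order: explicit accepts (established/related/untracked, IPsec
# NAT-T, IKE, L2TP, WinBox-via-dstnat, ICMP, loopback), then the defconf drops.
# In the posted export both drop rules carried disabled=yes, so anything not
# matched above was accepted by the chain default - including unsolicited
# traffic from lte1 to the router's own services. disabled=yes is removed here.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
# Matches only connections that were dst-nat'ed. No dstnat rules exist under
# /ip firewall nat in this export, so this rule matches nothing as posted.
# WinBox from LAN is still reached by the chain default since only non-LAN
# input is dropped below.
add action=accept chain=input comment=WINBOX connection-nat-state=dstnat \
    connection-state=new connection-type="" dst-port=8291 protocol=tcp
# Re-enabled (was disabled=yes).
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Re-enabled (was disabled=yes). A WireGuard interface added later must either
# be a member of the LAN interface list or get its own accept rule - plus a UDP
# accept for its listen-port - placed before this drop.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Rewrites the IP TTL to 64 on every packet leaving lte1.
/ip firewall mangle
add action=change-ttl chain=postrouting new-ttl=set:64 out-interface=lte1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Masquerades PPP (L2TP) client traffic from the 192.168.89.0/24 pool.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter is the unmodified default set; here both input-chain drops are enabled.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# No password= appears on this secret in the export (either unset, or the
# export was made with hide-sensitive). Confirm a strong secret is configured
# since the L2TP server is accepted from WAN above.
/ppp secret
add name=vpn
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=iPhone12
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
/system watchdog
set watch-address=1.1.1.1
# MAC-telnet and MAC-WinBox restricted to the LAN interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN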

If you’re lucky, maybe @Anav can help you out. He’s like the Big shot when it comes to Wireguard on this forum.

crossing my fingerS !!

Well I am no BTH expert, and that's the functionality you will need, seeing as you don't get a public IP via the LTE APN. You get a private IP, I believe???

So you will need to read up on BTH and make use of settings available in IP CLOUD.
I would stick to doing things as manually as possible, but basically you tell the router you want to start BTH and it sets up your router settings for you, and then
you have to create a WireGuard entity on the Android device using the numbers provided. It apparently can be done by QR code, but it is much better IMHO to understand what is being placed where so that WireGuard is properly understood.

The concept of BTH is that both router and device need to punch through NAT and reach a common connecting point, an MT-provided WireGuard virtual server in the cloud. Some magic happens and the connection is made.

https://help.mikrotik.com/docs/display/ROS/Back+To+Home

You can see there is some possibility to copy a config and then enter that into the phone instead of using the QR code etc…
Then one can also see some of the default settings implemented in the config when establishing the wireguard setup.
I may have to try this just to see what its like, but have been holding off LOL

I was totally convinced BTH worked on everything, but it only works on ARM, ARM64, and TILE. So for the RBSXTR you've got to stick with regular WireGuard.

Anav,
RBSXTR is a MIPSBE device
only ARM, ARM64 and TILE devices have the BTH function embedded into ROI

i guess the MIPSBE flash area is reduced, so there was no space to include the BTH code
maybe some MT guy can chime in and explain

so no BTH
what are my options if any…
or just get an ARM device and stick it behind the LTE device so i can use BTH

but if possible i want to avoid adding another device to the setup

Thanks for that encouraging tidbit LOL.

Okay so that removes WireGuard as a possibility unless you are willing
a. to ask the ISP for a public IP address → don't think it's possible, but maybe it is??
b. rent a server in the cloud (create your own reachable IP and then use regular wireguard )
Cost approx $7.00 US a month and then you have to buy a one time CHR license from mikrotik.

c. find an MT friend who has a public IP and will allow you to use their router as a conduit; your Android and MT device connect to his router and get connected there together.

d. convince larsa to start a small business selling wireguard connection for MT users with no alternatives… for a very small yearly fee ( paid up front ), like $50 bucks.

Forgot to ask, but do you get a public IPv4 address on the RBSXTR? Btw, most carriers offer IPv6 these days. Have you tried it out? If that’s the case, it shouldn’t be a problem using WireGuard.

Also, if your RBSXTR is on the same IPv4 CG-NAT network as your cell, it should also work with WireGuard.

They are ATT data sim cards
but if i reboot the LTE modem
they change
if that is what you mean

Can't help with IPv6, I am old skool IPv4 only.
Static or dynamic doesn't matter as long as it's public, or if there is an upstream ISP router he can at least forward a port to a downstream router — and yes, an MT device there would be real handy.

@rolo95, to check if you have a ‘public’ IPv4 address, open ‘https://4.ident.me’ from the browser on the same network as your RBSXTR. Compare the address with the one on your LTE interface. If they’re the same, you’ve got a public IPv4 address.

To check if you have an IPv6 address, open ‘https://6.ident.me’ from your cell phone (while not connected to Wi-Fi) and from the browser on the same network as your RBSXTR (if you’ve enabled IPv6 on the RBSXTR).

Not for one or the other but my BitDefender is going crazy on those 2 URLs …

Interesting, it doesn’t seem like ‘ident.me’ is on any DNSBL. What about https://myip.dnsomatic.com, https://api.ipify.org, or https://myip.cam?

Those 3 return public IP address of my current location but literally nothing more.
I guess that’s the intention ?

Yup, just the IP! :smiley:

Compare that to IP DHCP client or the like assigned IP and to ones IP CLOUD. If they are all the same, its a public IP.

Yeah, that would work too tho OP needs to enable “IP Cloud” first. The benefit of IP Cloud is that you can view both IPv4 and IPv6 (if enabled).

i have the cloud on

and the ident.me thing gave me the same IP as when I go to a what's-my-IP web page

it is 107.x.x.x

but inside WinBox under QuickSet I see internet IP 10.x.x.x
that is double NAT right, cause my PC has the MT NAT 192.168.88.x
then the internet side has 10.x.x.x
then the outside is 107.x.x.x
so it means that with one of the 107's they NAT many users…

ok so in that case… what we need to do
pay for a cloud service right ?

and sorry for not stating what i want to do

i just need to monitor my LTE MTs to see if they are alive, cause we have some cameras and temp sensors tied to them

i just want to see them from a dashboard or something, and if one is down we know which place to check to see if it was a storm strike or something

same thing as
https://www.whatismyip.com/