wireguard site2site with one RB behind NAT

horuck · January 17, 2022, 6:26pm

Dear Forum members,

I am now happily running 7.1.1 on all my mikrotik devices and love the new wireguard VPN Protocol rather the complicated IKEv2 setup procedure before.

All my differen clients can connect perfectly with a /32 IP to my wireguard core router.

I am running a CCR2004 on a 500mbit fiberline with a /28 network on it.

Now my question:
I would like to make a wireguard site 2 site connection from my LTE mikrotik or another Mikrotik site which is running behind NAT an thus having no public IP or open UDP port I can specify on my public IP core wireguard router to specify on the endpoint.

I understand how to route traffic via a /30 network between the (lets assume) both /24 networks (e.g 10.10.10.0/24 on core router and 192.168.10.0/24 on the event behing NAT router) and add a default route via the /30 network on both ends.

What must be done on the wireguard interface or peers to get the tunnel running behind NAT?

looking forward for your help, I couldn’t find any examples therefore.
Thanks!

holvoetn · January 17, 2022, 6:49pm

Nothing special, as far as I know.
One end needs to be public reachable, static or ddns.
The other end will follow once the connection has been made.

I have a setup like that with SXT LTE in France behind CGNAT connecting to my home Hex with ddns IP.

anav · January 17, 2022, 8:55pm

Requirement: Deal with a wireguard connection where at one end, the First Router is not within one’s control. This means that you have a MT Router under admin control attached to and behind an ISP ( a router or modem/router) and the other end is an MT device that is directly connected to the internet (only behind a straight type of modem). Many times you can still gain access to the ISP router but only to forward ports or dmz etc… in this case thats easy and either side can be the Server or Client.
However we are talking a NO CONTROL/ACCESS to ISP router at one end.

Two things should be noted, 1 - For any WG connection one needs to establish the Server and the Client. This is just for the initial connection only
2- After initial connection consider the tunnel a two way street dependent upon the setups at either end.

So to answer the question, do not despair, assuming you are allowed internet traffic (from the MT device) through the ISP router you are good to go and should view this MT Device as the CLIENT for the initial setup.

Client WG Settings
add listen port but not really required I think needed to generate public key in any case put the the same port as you will set on teh server Router
name=remoteWG
public key to give to the main server (in its peer settings)

Client PEER Settings
allowed addresses - destinations for the remote users (assuming you want to access the internet and possibly subnets on the main router) use 0.0.0.0/0
endpoint address - IP of main server and associated port , could be ipcloudname:port etc…
public key (given by the main server).
keep alive set it to something like 30secs…

Now on the CLIENT side you probably have a default route already of some sort probably created dynamically so that your LAN users go out the wan port of the MT and then hit the main router etc…
and traffic gets returned.

Next you have to make a table… via Terminal cli
/routing table add add name=useWG fib

You need to add a route for the subnet or user that is going out the tunnel, lets say its one of the subnets on the router (192.168.50.0/24)
dst-address=0.0.0.0/0 gwy=remoteWG table=useWG

Then make the associated route rule
src-address=192.168.50.0/24
Action: Lookup-only-in-table {note if you wanted users to be able to access internet locally if WG is down then use ACTION: “Lookup” }
Table: useWG

+++++++++++++++++++++++++++++++++++++++++++++++++++

So The remote router Wireguard service will go out the wan of the Remote router, through the ISP router, to the internet and reach the Main MT Server Router and establish the tunnel.
The sourcenat rule on the Remote Server takes care of this normal (visible traffic).

With this tunnel active, however, the subnet 192.168.50.0/24 users will be directed by the route rule to go out the tunnel… and bypass the ISP router (transparent)

On the OTher Server router side you have to ensure that the subnet is allowed in WIREGUARE PEER settings…
Typically set an IP address for the subnet as such
address=192.168.50.254 network=192.168.50.0 and you are good to go for the most part…

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In other words as long as one end of the tunnel is connected directly to the internet and not behind an ISP router you can connect.
Its simply a matter of having the hidden side be the CLIENT at least just for the connection, after that traffic according to wireguard and a few other rules can go both ways.

horuck · January 26, 2022, 10:32am

Thank you for all your help.
I got my home RB now sucessfully connected to my office RB via wireguard.

RB home is 192.168.10.0/24
RB office is 10.10.10.0/24

with 10.255.255.0/30 between (10.255.255.1 in office and 10.255.255.2 home) for the wg tunnel (and as a route with the opposite wg gateway).
All working great.

I even changed in the home WG peer setting now instead of 10.10.10.0/24 to 0.0.0.0 to route (or better ALLOW) all internettraffic through my WG tunnel, but I’m stuck with defining the route to get the routerboard properly sending all traffic through the WG tunnel.
A simpel 0.0.0.0 default route of course won’t make the tunnel any longer esablished.

If my home GW decides to route all traffic through WG furthermore I then would like to SRC-NAT the home network (192.168.10.0/24) to a certain outside IP which is on my office RB, and even port forward eg tcp,443 then to my home nas (192.168.10.10)

for the moment I’m stuck with routing rules, to get my internettraffic routed through the tunnel (and then masqueraded or SRC-NAT) to my additional IP.

Any help, ideas on that?
kind regards

Requirement: Deal with a wireguard connection where at one end, the First Router is not within one’s control. This means that you have a MT Router under admin control attached to and behind an ISP ( a router or modem/router) and the other end is an MT device that is directly connected to the internet (only behind a straight type of modem). Many times you can still gain access to the ISP router but only to forward ports or dmz etc… in this case thats easy and either side can be the Server or Client.
However we are talking a NO CONTROL/ACCESS to ISP router at one end.

Two things should be noted, 1 - For any WG connection one needs to establish the Server and the Client. This is just for the initial connection only
2- After initial connection consider the tunnel a two way street dependent upon the setups at either end.

So to answer the question, do not despair, assuming you are allowed internet traffic (from the MT device) through the ISP router you are good to go and should view this MT Device as the CLIENT for the initial setup.

Client WG Settings
add listen port but not really required I think needed to generate public key in any case put the the same port as you will set on teh server Router
name=remoteWG
public key to give to the main server (in its peer settings)

Client PEER Settings
allowed addresses - destinations for the remote users (assuming you want to access the internet and possibly subnets on the main router) use 0.0.0.0/0
endpoint address - IP of main server and associated port , could be ipcloudname:port etc…
public key (given by the main server).
keep alive set it to something like 30secs…

Now on the CLIENT side you probably have a default route already of some sort probably created dynamically so that your LAN users go out the wan port of the MT and then hit the main router etc…
and traffic gets returned.

Next you have to make a table… via Terminal cli
/routing table add add name=useWG fib

You need to add a route for the subnet or user that is going out the tunnel, lets say its one of the subnets on the router (192.168.50.0/24)
dst-address=0.0.0.0/0 gwy=remoteWG table=useWG

Then make the associated route rule
src-address=192.168.50.0/24
Action: Lookup-only-in-table {note if you wanted users to be able to access internet locally if WG is down then use ACTION: “Lookup” }
Table: useWG

+++++++++++++++++++++++++++++++++++++++++++++++++++

So The remote router Wireguard service will go out the wan of the Remote router, through the ISP router, to the internet and reach the Main MT Server Router and establish the tunnel.
The sourcenat rule on the Remote Server takes care of this normal (visible traffic).

With this tunnel active, however, the subnet 192.168.50.0/24 users will be directed by the route rule to go out the tunnel… and bypass the ISP router (transparent)

On the OTher Server router side you have to ensure that the subnet is allowed in WIREGUARE PEER settings…
Typically set an IP address for the subnet as such
address=192.168.50.254 network=192.168.50.0 and you are good to go for the most part…

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In other words as long as one end of the tunnel is connected directly to the internet and not behind an ISP router you can connect.
Its simply a matter of having the hidden side be the CLIENT at least just for the connection, after that traffic according to wireguard and a few other rules can go both ways.

anav · January 26, 2022, 12:56pm

As per this post
Network diagram cause I am lost in your subnets etc…
State the traffic flows required.
and post the two configs.

https://forum.mikrotik.com/viewtopic.php?t=182340

Urajmal · February 22, 2023, 3:47pm

Great topic!

I wonder if it is possible to run Mikrotik behind another (Draytek NAT). Mikrotik ETH1 has an IP of 192.168.0.210, where all interfaces are as bridge. Is it possible to create a connection to such a device, or it is better that Mikrotik has its own subnet?

anav · February 22, 2023, 4:17pm

Vague question. If you mean can you use the MT behind the draytek as a wireguard device, the answer is YES as long as you can port forward from the draytek to the MT. It will acting as a router so no, you dont want any MT LAN to be the same as Draytek LAN. The only connection is that the LANIP of the MT on the draytek LAN is also the WANIP of the MT device. Yes I would give the lan on the MT its own subnet aka to its bridge just if for nothing else to configure the router… If you have deeper questions start your own thread!!!

anav · February 22, 2023, 4:27pm

Thank you for all your help.
I got my home RB now sucessfully connected to my office RB via wireguard
If my home GW decides to route all traffic through WG furthermore I then would like to SRC-NAT the home network (192.168.10.0/24) to a certain outside IP which is on my office RB, and even port forward eg tcp,443 then to my home nas (192.168.10.10)

On the home device you want options and because one of them is to the internet, quite correct that changes the allowed-ips for the peer describing the office connection to be only 0.0.0.0/0
a. connect to offlce LAN
b. use Office MT internet.

ON home device decide which subnet you wish to push out the office WAN, call it subnetA.
then you need three things, table, route, routing rule. ( the route will need to be added not replace the default or manual IP route for standard local internet traffic)
/routing table add name=useOFFICE
/ip route
add dst-address=0.0.0.0/0 gwy=wireguard table=useOFFICE
/routing rule add src-address=SubnetA action=lookup table=useOFFICE

note:1 If you never want subnet A to use the home internet, even if the wireguard tunnel is down, change action=lookup-only-in-table
note2: if you have other subnets and users in A may need to reach them then you need additional rules, order counts… Due to the fact we are forcing
all subnetA traffic out the tunnel so we have to capture other needs prior to doing this…

/routing rule add dst-address=SubnetB action=lookup table=main
/routing rule add src-address=SubnetA action=lookup table=useOFFICE

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Regarding source-nat. Nothing special is required. Lets follow the bouncing ball.
AT HOME
a. wireguard settings allow all destination traffic to be pumped out single available peer, no issues there.
b. firewall rules, assuming you allow subnet A to go out the tunnel, great!
c. IP route, you force subnet A out the tunnel, fantastic.

AT OFFICE
a. wireguard settings. peer settings for home, have allowed-ips that include SUBNET A, good to go, as traffic will be filtered and permitted to exit the tunnel and sit on the router.
b. firewall rules will allow wireguard to internet trafffic either via a separate forward chain rule or included with in-interface-list=LAN out-interface-list=WAN rule automatically if you have included the wireguard interface as a LAN LIST MEMBER! Similarly you may have subnet A, to Office Subnet rule as well, or perhaps to specifiic devices like a printer.

on the input chain perhaps added both the admin IP address on subnet A, that you use as well as as a roadwarrior wireguard IIP address you use for laptop/ipad/iphone) on an address list, to a rule allowing access to the input chain to configure the office router.

C. Routing… nothing special here other than what you already noted which is a requirement to ensure a. or b. or perhaps both:
a. return traffic from remote subnet A ( so router knows where to send thiis traffic )
b. local originating traffic heading for subnet A

add dst-address=subnetA gwy=wireguard routing-table=main.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In summary, the traffic from your home router goes smoothly to the office router.
Because the office router has a standard route, all its internet bound traffic has a route through the WAN port to the ISP.
Because the firewall rules allow wireguard traffic to exit the WAN, its allowed to.
Because the destination on the wireguard traffic is not local to the office ( aka not to office LAN ) and presumably legit traffic, this traffic does go out the office WAN.

Because all traffic is already source-natted by the default rule OUT-INTERFACE-LIST=WAN, then all local office internet bound traffic and remote home internet bound traffic will get sourcenatted with the WANIP of the office router…