WIREGUARD: So close yet so far. Please help and educate. Thanks

I have a remote WireGuard peer running on Ubuntu 20 on an Amazon VPS.

On the local site.

ISP router ------- D-Link switch ----- various devices (GLi router WireGuard to the remote VPS: works OK; Windows WireGuard client to remote VPS: OK; Arch Linux PC WireGuard to remote VPS: OK)

Trying to connect the hap_lite to the VPS over WireGuard for internet access for all devices connected to the hap lite: problems...

  1. Tunnel is up. Can only ping the VPS from the WinBox terminal. No other traffic possible from local to VPS.

  2. Tried several suggestions about WireGuard on the forum without success.

Not sure how to pass all the traffic through the tunnel. Don't know how to deal with the two gateways.

feb/21/2022 11:26:23 by RouterOS 7.1.2

software id = YICU-II2S

model = RouterBOARD 941-2nD

serial number = mmmmmmmmmmmmmm

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat out-interface=wg1


/interface wireguard
add listen-port=23074 mtu=1420 name=wg1
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=xxxxxxxxx endpoint-port=10855 interface=wg1 persistent-keepalive=25s public-key="yyyyyyyyyyyyyyyyyyyyyyyyyyyyy"

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.100 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src=0.0.0.0 routing-table=wg1 scope=30 suppress-hw-offload=yes target-scope=10

Hello,

Trying to connect the hap_lite to the VPS over WireGuard for internet access for all devices connected to the hap lite: problems…

What does this mean? Do you want to pass all your outgoing traffic from your hAP lite through a WG tunnel, like a VPN tunnel?
Or do you want to access your local devices behind the hAP lite from the WG gateway?

1 - Diagram please, too confusing otherwise.
2 - Provide the config on the MT:
/export file=anynameyouwish

Thanks for your offer to help:

  1. I am trying to send all traffic from devices connected to the hAP lite through the tunnel (like a VPN indeed).

  2. The hAP lite is crashing when trying to export the config. I printed out all the relevant sections of the configuration.

It is a simple setup: ports 2, 3, 4 are bridged and port 1 is NAT (src-nat) to the ISP local port, 192.168.0.100. Port 1 is a DHCP client of the local LAN DHCP server. The devices connected to the hAP lite are PCs trying to access the internet through the WireGuard tunnel as a VPN on the Amazon VPS (acting as VPN server).
wg_diag.txt (2.32 KB)

Hello,
Try Netinstall to the latest ROS 7.1.3; in my experience it helps with a cleaner setup. But the export CLI is CPU bound.
This is one way to configure it. My VPS was an x86 RouterOS VM.
http://forum.mikrotik.com/t/route-internet-traffic-mt-via-wireguard-tunnel-through-mt-wg-peer/154825/1

Finally figured out the problem:
Added a route rule for the return path from the remote peer. No PBR/mangle rules were necessary in my case.
An interesting exercise for a noob like me to make a poor man’s VPN. MT routerOS: the flexibility is enormous but brings complexity with it for simple jobs.

I’ll be happy to add more detail if someone needs it. The config rsc is not possible on hap_lite (v7.13) for some reason, keeps crashing mid-stream.

Hi Rama
Can you share info about how you solved the issue?
It could be helpful to me as I may be having a very similar configuration.
Thanks

Sending WireGuard traffic to a VPS for internet is not too bad…
You have the interface defined: CHECK
You have the peer settings for the VPS server defined: CHECK

(I would have phrased your statement like so.)
I have a remote WireGuard server running on Ubuntu via an Amazon VPS.
Just to be clear, it was acting as server for the handshake is all.

You have srcnat out the WireGuard interface: CHECK

Assuming the WG IP address is set up like so.
Let's say it was
/ip address add address=10.7.0.11/24 interface=wg1 network=10.7.0.0

Then you should already have a route on the router for WireGuard:
dst-address=10.7.0.0/24 gateway=wg1 routing-table=main

Thus far all is going fine.
Let's check the other requirements.

I see you have a route to the local private gateway, which I am assuming leads to your local WAN connection:
dst-address=0.0.0.0/0 gateway=192.168.0.100 routing-table=main

I see you have a route to the WireGuard so local traffic can be directed out a different path for internet:
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=useWG

What is missing? Well, the rest of the config to make any real determinations.
Typically we invoke
/routing table add fib name=useWG
/routing rule add src-address=subnet4VPN action=lookup table=useWG

We use action=lookup because, in case the VPN connection goes down, the local subnet can then find the WAN through the local WAN as a backup; otherwise change action to 'lookup-only-in-table'.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

However, the answer you came up with is a little different. You state you had to do something on the remote peer.
This is strange because the only source address the Ubuntu would be seeing is your assigned WG IP address 10.7.0.11, so it should know that this is associated with the tunnel and already have created a route. Typically a route is only required when the subnet is a remote one, not local and thus not known to the router??
Oh well, this has nothing to do with MT issues.
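The routing-table plus routing-rule approach described in the reply above, and the return-path point from the earlier solution post, put together as one hAP lite configuration. This is an added example, not any poster's own config; it assumes a LAN of 192.168.88.0/24 on bridge1, a VPS-side tunnel address of 10.7.0.1, the 10.7.0.11/24 tunnel address and useWG table name from the reply above, and placeholder endpoint and key values.

```routeros
# Added example (not from the thread): hAP lite config that sends all LAN
# traffic through wg1 to the VPS, falling back to the ISP gateway when the
# tunnel is unreachable. Assumed values: LAN bridge1 = 192.168.88.0/24,
# tunnel 10.7.0.11/24 (from the reply above), VPS tunnel address 10.7.0.1,
# routing table useWG. Endpoint, port and public key are placeholders.

/interface wireguard
add listen-port=23074 mtu=1420 name=wg1
/interface wireguard peers
add interface=wg1 public-key="<VPS-PUBLIC-KEY>" endpoint-address=<VPS-IP> \
    endpoint-port=10855 allowed-address=0.0.0.0/0 persistent-keepalive=25s

# The tunnel interface needs its own address; without it there is no
# connected route for 10.7.0.0/24 and nothing can be sent via wg1.
/ip address
add address=10.7.0.11/24 interface=wg1 network=10.7.0.0
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0

# Second routing table for the VPN path. The main table keeps the ISP
# default route (192.168.0.100 here), so the router's own traffic and the
# WireGuard handshake itself still leave via the ISP, not via the tunnel.
# check-gateway=ping marks the useWG route inactive when the VPS stops
# answering, which is what makes the fallback below actually trigger.
/routing table
add fib name=useWG
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.100 routing-table=main
add dst-address=0.0.0.0/0 gateway=10.7.0.1 check-gateway=ping routing-table=useWG

# Policy routing: only traffic from the LAN consults useWG. action=lookup
# falls back to main when the useWG route is inactive; use
# lookup-only-in-table if a dead tunnel should mean no internet rather
# than LAN traffic silently leaving in the clear via the ISP.
/routing rule
add src-address=192.168.88.0/24 action=lookup table=useWG

# Masquerade on wg1 so the VPS only ever sees 10.7.0.11 as the source.
# With action=accept here (as in the original config) LAN addresses go
# into the tunnel unchanged and the VPS needs an extra return route for them.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=wg1 action=masquerade

# allowed-address=0.0.0.0/0 lets the peer send packets with any source
# address through the tunnel; only admit replies to LAN-initiated flows.
/ip firewall filter
add chain=forward in-interface=wg1 connection-state=established,related action=accept
add chain=forward in-interface=wg1 action=drop
```

Verify the split with /ip route print and /routing rule print, and confirm from a LAN host that its public address is the VPS while pinging the router from the ISP side still works.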