Wireguard Subnet accessing different subnet

Please help me to understand this. I have spent a good deal of time reading, searching and on YouTube, and have not come up with a resolution.

In this example
A Wireguard peer has established a connection to the peer on 10.0.0.1, is allowed an IP of 10.0.0.2, and is ping-able.

An MT router with the WG service is on 192.168.1.1. Assuming there's a server at 192.168.0.15, how is Wireguard able to connect to it if they are on different subnets?

I am trying to find out why WG would be able to connect to some servers on the 192.168.0.x subnet but others see a foreign IP and refuse. In all cases the peer is seen as 10.0.0.2 and not as a 192.168.0.x address.

I apologize if this is too vague or possibly basic.

Draw some diagrams as I have no clue of what you are trying to do.
It's not difficult to explain once we understand the scenario.

If you have two MT devices on each end of the wireguard tunnel, post their configs
/export file=anynameyouwish

When using WireGuard the most important part is to understand 3 key areas

1. Allowed IPs
2. Associated public keys
3. CryptoKey Routing

1. Allowed IPs provides the path to all nets/subnets/vlans/etc.
2. Public Keys enable the Allowed IPs to understand the path to take.
3. CryptoKey Routing makes everything happen the way it should based on 1 and 2.

Study closely the following by Kaspars Dambis who provides a very nice path to follow.

and @404 can also give you everything you need as long as you follow his directions …

Another excellent study guide for WireGuard

Thank you for all of the responses.
I have my tunnel operating and can see all of the servers I wish to, but do hope to learn more about my configuration.

I intend to do up a diagram to explain my simple scenario. I get it, seeing a bunch of IPs on a page is really hard to digest without some context. That said I had seen a simple shareware or freeware Visio type program for network diagramming but I can’t seem to find the same one. Could anyone suggest a basic one that is easy to get started in? In the past I have used Smartdraw, but it’s not open source or freeware.

Draw network diagrams…

https://online.visual-paradigm.com/diagrams/solutions/free-network-diagram-software/
https://lucid.app/pricing/lucidchart#/pricing
https://www.diagrams.net/blog/move-diagrams-net
http://kilievich.com/fpinger/
https://sourceforge.net/projects/dia-installer/

Just an example to make device behind mikrotik accessible to vps via wireguard tunnel.
Wireguard is only installed on Mikrotik routers and on Ubuntu VPS.

mikrotik-wireguard-2.png

Wireguard peer on Ubuntu VPS:

VPS Public IP Address (ens3): 103.xx.107.180
Wireguard IP (wg0): 192.168.204.1
Endpoint: 12345
wireguard-peer-on-ubuntu-vps.png

Wireguard peer on Mikrotik hEX:

Router Public IP Address: (private dynamic)
Wireguard IP (wireguard): 192.168.204.4
Listen Port: 45678
address-list.png
Log in to the SSH terminal on the VPS, and type the following command to add peer (mikrotik):

root@your-ubuntu-vps-hostname:~# wg set wg0 peer <mikrotik wireguard public key> allowed-ips 192.168.204.0/24,192.168.77.64/26
root@your-ubuntu-vps-hostname:~# ip route add 192.168.77.64/26 via 192.168.204.1 dev wg0


IPTables on Ubuntu VPS:

# POSTROUTING lives in the nat table, so the MASQUERADE rules need -t nat
iptables -t nat -A POSTROUTING -s 192.168.204.0/24 -o ens3 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT


Test ping from vps to mikrotik via wireguard tunnel:
ping from vps to mikrotik.png
Traceroute and ping from vps to notebook via wireguard :
ping and traceroute to windows notebook via wireguard.png
Note: the Linux traceroute default protocol is UDP, while Windows uses ICMP.

NO

On Linux box, maybe.
Not on Mikrotik.

Thanks again for all of your responses.

I hope to create an easy to follow secure tunnel setup for others to follow as they want to get the basics of a Wireguard tunnel up and running.

Here is the diagram which gives a pretty simple view of what's going on. I have embedded the diagram here and also attached the drawing as a zip if you care to edit it using diagrams.net.

I think possibly a NAT statement would be helpful here. I tried using netmap to swap 10.0.0.2 > 192.168.0.252 but I did not get that sorted out. I used 2 statements:

2 X chain=dstnat action=netmap to-addresses=10.0.0.2 dst-address=192.168.0.252 log=no log-prefix=""
3 X chain=srcnat action=netmap to-addresses=192.168.0.252 src-address=10.0.0.2 log=no log-prefix=""

@404Network thank you for providing those links.
mt_wg_pinet.zip (103 KB)
mt_wg_pinet.png

To be honest, your diagram is not that clear …

2 things I see which might be wrong:

I assume on the left the text blocks are the settings of your Hex, which should be the big blue thing in the middle ?
Peer settings, I assume for Android device (since for public key it says “cell phone pub key”)?
Why allowed addresses 0.0.0.2/32 ? Should be 10.0.0.2/32 so I am going to assume (again) it’s a typo.

Second:
if the Android app is not allowed to access certain subnets, use something else than 0.0.0.0/0 because that literally means EVERYTHING.
Even internet traffic.

If e.g. Android app only should access 192.168.0.0/24, use that and only that as allowed addresses.
Internet traffic will go out as normal then using your connection you have at that moment.
If you want to restrict it further to only the 3 PI’s (HAPPY PI-DAY BTW :laughing: ), use only those addresses and nothing else.
But I would use the complete subnet. Could be handy to also access your router from your device.

Can you please clarify what still does not work ?
If needed, can you also export your config from your hex and post it between Code quotes (/export show-sensitive file=anynameyouwish) ?

My view:
How can one learn if you erase what was wrong ?
Same mistakes will be made again …

Aww snap. I tried to get this right but you did catch my typo.

Thank you for pointing out the 0.0.0.0/0. I was aware that it was a catch all and to get the tunnel running it worked, but I am grateful for the expert advice.
Q: if I limit the Allowed IPs in the cell phone's WG config to 192.168.0.0/24, would I still be able to use the speedtest.net app on the cell phone to test tunnel speed?

The peer is issued the 10.0.0.2 and BlueIris (BI) sees this connection but refuses to authenticate because it is not on the LAN. BI logs do reflect that, and I suppose it is true since it is a different subnet. There is a work-around on BI in the user account settings so I can live with this.

I guess I have been spoiled by the simplicity of a PPTP configuration. My thinking was that I should be able to either:

A - use a setup like for PPTP where the client and server are just reserved IPs on the subnet you want to access
or
B - use NAT to convert 10.0.0.2 into 192.168.0.252 or similar

In this way the client would always be on the desired subnet.


mt_wg_pinet_R2.drawio.png
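Option B above (translating the WireGuard peer's 10.0.0.2 into a LAN address on the MikroTik) and the forward-chain filtering suggested elsewhere in this thread, written out as a RouterOS configuration fragment. This is an added example, not a config posted by anyone in the thread. It assumes the LAN bridge is named `bridge` with 192.168.0.1/24, the WireGuard interface is named `wireguard` with 10.0.0.1/24, the phone peer is 10.0.0.2/32, and the Blue Iris host sits at 192.168.0.10; the public key and that address are placeholders to replace with your own.

```routeros
# Added example (not from the thread). Assumptions: bridge = LAN (192.168.0.1/24),
# wireguard = tunnel interface (10.0.0.1/24), phone peer = 10.0.0.2/32,
# Blue Iris = 192.168.0.10 (placeholder). 13231 is the RouterOS default listen port.

/interface wireguard
add name=wireguard listen-port=13231
/interface wireguard peers
add interface=wireguard public-key="CELL_PHONE_PUBLIC_KEY_PLACEHOLDER" \
    allowed-address=10.0.0.2/32 comment="phone"
/ip address
add address=10.0.0.1/24 interface=wireguard
add address=192.168.0.1/24 interface=bridge

# --- Choose ONE of the two NAT options below; the first matching rule wins. ---

# Option 1 (simplest): masquerade tunnel traffic that leaves on the LAN.
# Every LAN host, Blue Iris included, then sees the router's own 192.168.0.1
# as the source, which is "on the LAN" as far as the server is concerned.
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 out-interface=bridge action=masquerade \
    comment="WG peers appear as 192.168.0.1 on the LAN"

# Option 2: map the single phone peer to a dedicated LAN address, which is what
# the netmap rules were trying to do. The router must OWN 192.168.0.252 so that it
# answers ARP for it and the replies from Blue Iris come back to the router to be
# un-NATed by connection tracking; a NAT rule on its own is not enough.
/ip address
add address=192.168.0.252/24 interface=bridge comment="NAT address for WG phone"
/ip firewall nat
add chain=srcnat src-address=10.0.0.2 out-interface=bridge action=src-nat \
    to-addresses=192.168.0.252 comment="phone shows up as 192.168.0.252"

# Filter: decide what the tunnel may reach, independent of AllowedIPs.
# Example from the thread: allow the LAN but drop tunnel traffic to Blue Iris.
/ip firewall filter
add chain=forward in-interface=wireguard dst-address=192.168.0.10 action=drop \
    comment="no Blue Iris from the tunnel"
add chain=forward in-interface=wireguard dst-address=192.168.0.0/24 action=accept
add chain=forward in-interface=wireguard action=drop comment="nothing else via the tunnel"
```

With option 1 nothing on the LAN needs to know about the 10.0.0.0/24 network at all, which is why it is the usual first choice; option 2 only pays off when a server must see one fixed LAN address per remote peer. Check the result with `/ip firewall connection print` while the phone is talking to a LAN host: the reply-src-address column shows which translation is in effect.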

Oh but I am not an expert at all, FAR from. Still learning myself a lot but a bit further on the path already.
And having crossed similar issues: I also use WG for VPN access to home, I also have pi-Hole in my network though not on PI (that’s used for NEMS) but on VM.
I have one Linux VM farm (old laptop with i7 and 24Gb RAM, too good to be thrown away :laughing: ), one VM for PI-Hole, one VM for speedtest on the hour with Grafana dashboard to track results.
Lots of time wasted already learning and relearning, changing things and applying others …

As for your Q:
If only allowing 192.168.0.0/24 as allowed addresses, you cannot perform a tunnel speed test since all other traffic besides your local network will not pass the tunnel.
But traffic for 192.168.0.0/24 will !
So …

1- use iperf3 for testing. Since you already have a couple of PI’s, run on one of them iperf3 as daemon and use HE.NET app from App store so you can test the connection using iperf from your Android device.
Or put in a 4th PI for this reason. Or some virtual machine. Whatever.
Much cleaner since you will not have to bother with any other factor which might have impact on a normal speedtest.
Be aware though the test is limited to the weakest link in the chain. If you have PI3, that’s ethernet with 100Mb.
I use iperf a lot at home for Wifi performance testing on both phone and laptop to test effects from various settings for various wifi channels. No external access needed.

2- DO use 0.0.0.0/0 as allowed addresses, everything will pass over the tunnel but you can decide in your firewall what your Android device is allowed to reach on your local network and what not.
An example would be to drop all traffic coming from itf Wireguard heading for Blue Iris server in forward chain.
Regular speed test will work, access to Blue Iris will not.

If your problem is the peer with 10.0.0.2 is not allowed access to Blue Iris because it comes from another subnet, that’s an issue on Blue Iris then.
That should be solved there on that server or you could use some rules on your Mikrotik router to “translate” that IP of the WG-peer into something else (now THAT’s for the experts, haven’t tipped my toe in that water yet)

For both options, you can also use PI-HOLE DNS (I do on my setups).
I trust you have a mechanism in place in case PiHole goes down so there is a fallback and always use router as DNS ? Use that router as DNS in the settings of peer then so there is always DNS resolving.

Basically wireguard is still behaving the same as pptp. Sort of. Certainly as far as IP-traffic is concerned.
You have the IP address of your peers.
You apply routing rules.
You apply firewall rules.

But, for my understanding, what’s the point of adding remote access possibility and not using the full potential of it ?
Why restrict that access ? Just curious to know.
Or is it because that server doesn’t let you with the current setup of subnets ?

Wireguard uses cryptokey routing as a basic concept:
https://www.wireguard.com/#cryptokey-routing
So the routing definition of WHAT is passed into the tunnel is done with the "Allowed IPs" statement in the Peer definition of Wireguard. You are using 10.0.0.0/24 as the internal WG network, which is btw. not very intelligent because this IP range is used by millions of users worldwide. A bit more "exotic" network address would be better, but anyway.
Having a local LAN segment this needs to be defined in a network notation under allowed IPs to pass this into the tunnel like:
AllowedIPs = 10.0.0.1/32, 192.168.0.0/24
If you have more segments they need to be added comma separated like:
AllowedIPs = 10.0.0.1/32, 192.168.0.0/24, 192.168.1.0/24
and so on.
You can also use a summary mask like:
AllowedIPs = 10.0.0.1/32, 192.168.0.0**/21**
Which then routes all IP nets from 192.168.0.0 to 192.168.7.0 into the tunnel.
This network declaration in your setup is missing ! Having only the internal 10.0.0.x/32 addresses here will allow ONLY a communication between server and clients but NO routing of the attached network segments !
A good explanation also here: http://forum.mikrotik.com/t/wireguard-allowed-ips-unofficial-wireguard-documentation/156426/1
Btw…
10.0.0.2 in your drawing is NOT a network address ! You should provide correct addresses here to not build any obstacles in understanding !
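The cryptokey-routing rule described above (and the "three key areas" listed earlier in the thread, plus the speed-test question about 192.168.0.0/24 versus 0.0.0.0/0) can be seen by modelling the AllowedIPs table and asking it the two questions WireGuard asks: "which peer do I encrypt this destination for?" (longest prefix match over every peer's AllowedIPs) and "is this decrypted packet's source allowed for the peer it came from?". The following is an added example written for this thread, not WireGuard's own code; the peer names, the placeholder keys and the second site peer with 192.168.77.64/26 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Toy model of WireGuard's cryptokey routing table (added example, not WireGuard code).
# A real implementation keeps the allowed-ips in a radix trie; the behaviour shown here
# (longest-prefix match outbound, source check inbound, one owner per prefix) is the same.


@dataclass
class Peer:
    name: str
    public_key: str                  # placeholder strings here; real keys are base64 Curve25519 keys
    allowed_ips: list = field(default_factory=list)   # list of ip_network objects


class CryptokeyRouter:
    def __init__(self):
        self.peers = []

    def add_peer(self, name, public_key, allowed_ips):
        """allowed_ips is the comma-separated string exactly as written in a [Peer] section."""
        nets = [ipaddress.ip_network(a.strip(), strict=False) for a in allowed_ips.split(",")]
        # A prefix can belong to only one peer: adding it again moves it to the new peer.
        for p in self.peers:
            p.allowed_ips = [n for n in p.allowed_ips if n not in nets]
        self.peers.append(Peer(name, public_key, nets))

    def outbound_peer(self, dst):
        """Name of the peer a packet to dst is encrypted for, or None if no AllowedIPs
        entry covers it (then the packet never enters the tunnel)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for p in self.peers:
            for n in p.allowed_ips:
                if addr in n and (best is None or n.prefixlen > best[1].prefixlen):
                    best = (p, n)
        return None if best is None else best[0].name

    def inbound_allowed(self, peer_name, src):
        """A decrypted packet from peer_name is accepted only if src is in that peer's AllowedIPs."""
        addr = ipaddress.ip_address(src)
        for p in self.peers:
            if p.name == peer_name:
                return any(addr in n for n in p.allowed_ips)
        return False


def phone_side(allowed_ips):
    """The phone's view of its single peer (the MikroTik) for a given AllowedIPs string.
    Returns, per sample destination, whether the packet goes into the tunnel or out directly."""
    r = CryptokeyRouter()
    r.add_peer("mikrotik", "ROUTER_PUB_KEY_PLACEHOLDER", allowed_ips)
    samples = ["10.0.0.1", "192.168.0.15", "192.168.7.9", "192.168.8.1", "8.8.8.8"]
    return {d: ("tunnel" if r.outbound_peer(d) else "direct") for d in samples}


def router_side():
    """The MikroTik's view: the phone peer plus a constructed second site that brings
    a LAN segment with it, as in the VPS example posted earlier."""
    r = CryptokeyRouter()
    r.add_peer("phone", "PHONE_PUB_KEY_PLACEHOLDER", "10.0.0.2/32")
    r.add_peer("site-b", "SITE_B_PUB_KEY_PLACEHOLDER", "10.0.0.3/32, 192.168.77.64/26")
    return {
        "reply_to_phone": r.outbound_peer("10.0.0.2"),            # encrypted for 'phone'
        "to_site_b_lan": r.outbound_peer("192.168.77.100"),       # routed into the 'site-b' tunnel
        "phone_as_itself": r.inbound_allowed("phone", "10.0.0.2"),          # accepted
        "phone_as_lan_addr": r.inbound_allowed("phone", "192.168.0.252"),   # dropped: not in AllowedIPs
        "lan_is_local": r.outbound_peer("192.168.0.15"),          # None: own LAN, not a peer
    }


if __name__ == "__main__":
    for cfg in ["10.0.0.1/32, 192.168.0.0/24", "10.0.0.1/32, 192.168.0.0/21", "0.0.0.0/0"]:
        print(f"AllowedIPs = {cfg}: {phone_side(cfg)}")
    print("router:", router_side())
```

The phone-side results are the answer to the speed-test question: with `192.168.0.0/24` only the LAN goes into the tunnel and a test against an internet server uses the mobile connection directly, with `0.0.0.0/0` everything is tunnelled, and a `/21` summary pulls in 192.168.0.0 through 192.168.7.255 but not 192.168.8.0. The router-side `phone_as_lan_addr` case is also why a source address has to be translated on the router after decryption rather than chosen by the phone: a packet arriving from the phone peer with any source outside its AllowedIPs is discarded before it ever reaches the firewall.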

Cryptokey Routing and ROS ordinary routing are two different things. Read this for a hint: http://forum.mikrotik.com/t/wireguard-allowed-ips-unofficial-wireguard-documentation/156426/62