Wireguard successful over 4G but not wireless/lan

I have a Mikrotik Hap2 which I’m trying to configure as a Wireguard server. My intention is to be able to access the devices connected over LAN with this router from outside of my house. The Mikrotik Hap2 is behind a public facing ISP provided router on the same subnet. The ISP facing router is port forwarded to the WG-Server with the port 51820.

The issue I'm having is that one wireguard peer can successfully connect to the wireguard server using my mobile 4G hotspot. But when connecting from a separate premise over wifi, the same peer connects to wireguard but fails to ping the router (and vice versa). A separate peer also has the same issue: it manages to establish the wireguard connection, but is unable to ping the router (or vice versa) from this location over ethernet.

All details/IP's have been changed.

WG-Server
  • 192.168.80.1

I have 2 Wireguard clients set up, Peer 1 and Peer 2.
  • Peer 1 192.168.80.2
  • Peer 2 192.168.80.3

Peer 1 is connecting to the internet and Wireguard tunnel over 4G provided over hotspot from my phone. This device successfully connects to WG-Server and each can ping one another.
Peer 2 is connecting to the internet and Wireguard tunnel over ISP provided internet to the premises (separate premises/public IP address to WG-Server). This device connects successfully to the WG-Server but neither device can ping one another.

Mikrotik Server Config in relation to Wireguard

/interface wireguard
add listen-port=51820 mtu=1300 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Peer 2" interface=wireguard1 \
    public-key=####
add allowed-address=0.0.0.0/0 comment="Peer 1" interface=wireguard1 \
    public-key=####
/ip address
add address=192.168.25.1/24 interface=ether1 network=192.168.25.0
add address=192.168.80.1/24 interface=wireguard1 network=192.168.80.0
/ip firewall filter
add action=accept chain=input comment="ICMP Allow" protocol=icmp
add action=accept chain=input comment="Wireguard Port" dst-port=51820 \
    in-interface=wlan1 log=yes log-prefix="WIREGUARD " protocol=udp

Peer 1 Wireguard Config

[Interface]
PrivateKey = ####
Address = 192.168.80.2/24
DNS = 1.1.1.1
MTU = 1300

[Peer]
PublicKey = ####
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ####:51820
PersistentKeepalive = 60

Peer 2 Wireguard Config

[Interface]
PrivateKey = ####
ListenPort = 51820
Address = 192.168.80.3/24
DNS = 1.1.1.1
MTU = 1300

[Peer]
PublicKey = ####
AllowedIPs = 0.0.0.0/0
Endpoint = ####:51820
PersistentKeepalive = 60

[Attachment: NetworkDiagram.PNG]

Suggestion:
Peer definition on Mikrotik: don't use 0.0.0.0/0 as allowed address.
Only the endpoint IP for the mobile device, or the subnet which you want to be accessible.

The Why is more important.

Think of Allowed IPs as a setting that describes TWO functions.
Each function considers the IPs at the other end of the connection.
What do I mean??

FUNCTION-1. The allowed IPs is a setting for the local Device and local wireguard interface to match and select traffic to ENTER the tunnel heading outbound. In other words from local users.
How is this accomplished? —> By the destination IPs (IPs at the far end) local devices are using, and these are the destination IPs that local users are going to want to connect to.
a. Router detects outgoing requests to destination IPs.
b. Router finds any IP routes that apply to those IPs and discovers routes associated with the WG interface (either by manual IP route or by dynamically assigned routes from the IP address associated with the WG interface).
c. Router then matches the destination address and selects the first peer on the list of peers that is identical and sends the traffic down this peer.

FUNCTION-2. The allowed IPs is a setting for the local Device and local wireguard interface to permit traffic to exit the tunnel heading inbound.
How is this accomplished? —> By the source IPs of the remotes users coming out of the tunnel.
a. Wireguard interface detects IP addresses of traffic coming through the tunnel
b. Wireguard interface checks against the list of Allowed IPs and if not ON the list drops the traffic.
c. Filtered traffic is allowed to exit the tunnel and is then like lan traffic, and can flow wherever depending upon firewall rules.

So you can see in both instances, the Allowed IP settings on the peers at the local device, considers IP from the remote site…

Finally, your case.
The use case requirement described indicates you want to have various remote users access servers on your LAN subnets.
Therefore on the remote devices (iPhone, laptop etc.), since it's really a one-way street, one need only consider destination IPs.
In this case therefore the remote devices need access to the local subnets, or single IPs, and throw in the wireguard IP address of the local router as well.
So for example on an iPhone it could be three addresses: 192.168.15.12/32 (server), 192.168.30.0/24 (subnet with 3 servers), 192.168.80.1 (wg address of interface)

Now on the local Hapac Router, since you have not identified any reverse flow traffic requirements, we are not concerned about the SENDING or DESTINATION addresses; we are only concerned about filtering the Inbound traffic attempting to exit the router. So we are interested in the remote SOURCE ADDRESSES that will be coming out of the tunnel.
Thus the allowed IPs could be: IP of iPhone, IP of laptop etc… *(these are the faux or made up IP settings attributed to the device in their WG settings).

Finally, what you do with firewall rules is just as critical as the wireguard settings.
If you have drop all rules at the end of the forward chain then you will need to ensure traffic is permitted to the subnets.

add chain=forward action=accept in-interface=WG-Interface-name (would allow all WG traffic to your LANs)
add chain=forward action=accept in-interface=WG-Interface-name src-address=iphone dst-address=IPofServer (limits one remote user to one server)
add chain=forward action=accept in-interface=WG-Interface-name src-address-list=Whatever dst-address-list=whatever (you can group remote users and group servers)

OR ANYTHING in between. It's your way to ensure only the traffic you wish to permit gets to the server it's supposed to reach.

++++++++++++++++++++++++++++++++++++++++++

As for 0.0.0.0/0 Two points!

a. typically used for internet access, and if you need both internet and subnet access, this IP address covers every IP so you don't need any more IP entries. You will need to ensure firewall rules are used to partition traffic as required at the local site.
b. one should not have duplicate peer settings of 0.0.0.0/0 for the same wireguard interface as this will cause errors in traffic flow.

Light Reading, if you want to spend time learning —> https://forum.mikrotik.com/viewtopic.php?t=182340
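To make the two "functions" of Allowed IPs and point (b) about duplicate 0.0.0.0/0 entries concrete, here is a small Python model of WireGuard's cryptokey routing. It is an added example, not code from the thread, MikroTik or the WireGuard project. It assumes the Linux-kernel rule that each allowed prefix belongs to exactly one peer, so assigning the same prefix to a second peer moves it off the first (that RouterOS behaves the same way is an assumption here). It runs the server peer list as posted (both peers 0.0.0.0/0, Peer 2 added before Peer 1) against the one-/32-per-peer alternative, and then the phone-side three-entry AllowedIPs from the reply above. All addresses are the thread's placeholder values; whether this is the exact cause of the poster's symptom is not established by the thread, it only shows the failure mode the reply warns about.

```python
"""Toy model of WireGuard cryptokey routing: the two jobs Allowed IPs does.

Constructed example (not from the thread, MikroTik or WireGuard). Assumes the
Linux-kernel rule that an allowed prefix maps to exactly one peer; that this
also holds for RouterOS is an assumption of this example.
"""
import ipaddress


class WireGuardInterface:
    def __init__(self):
        self.table = {}  # allowed prefix -> owning peer (one owner per prefix)

    def add_peer(self, name, allowed):
        """Register a peer; a prefix already owned by another peer moves here."""
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=False)  # bare IP becomes /32
            self.table[net] = name

    def allowed_for(self, name):
        """Prefixes this peer still owns after all peers were added."""
        return sorted(str(n) for n, p in self.table.items() if p == name)

    def _longest_match(self, ip):
        ip = ipaddress.ip_address(ip)
        best = None
        for net, peer in self.table.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def select_peer_for_outbound(self, dst):
        """FUNCTION-1: which peer (if any) gets traffic for this destination."""
        return self._longest_match(dst)

    def accept_inbound(self, from_peer, src):
        """FUNCTION-2: a decrypted packet from `from_peer` may exit the tunnel
        only if its source address lies in that peer's own allowed prefixes."""
        return self._longest_match(src) == from_peer


def model_thread_config():
    """Server peers as posted: both 0.0.0.0/0, Peer 2 added first, then Peer 1."""
    wg = WireGuardInterface()
    wg.add_peer("Peer 2", ["0.0.0.0/0"])
    wg.add_peer("Peer 1", ["0.0.0.0/0"])  # takes 0.0.0.0/0 away from Peer 2
    return {
        "peer1_allowed": wg.allowed_for("Peer 1"),
        "peer2_allowed": wg.allowed_for("Peer 2"),
        "peer1_inbound_accepted": wg.accept_inbound("Peer 1", "192.168.80.2"),
        "peer2_inbound_accepted": wg.accept_inbound("Peer 2", "192.168.80.3"),
        "reply_to_peer2_goes_via": wg.select_peer_for_outbound("192.168.80.3"),
    }


def model_fixed_config():
    """Each server-side peer only allows its own tunnel address."""
    wg = WireGuardInterface()
    wg.add_peer("Peer 2", ["192.168.80.3/32"])
    wg.add_peer("Peer 1", ["192.168.80.2/32"])
    return {
        "peer2_inbound_accepted": wg.accept_inbound("Peer 2", "192.168.80.3"),
        "reply_to_peer2_goes_via": wg.select_peer_for_outbound("192.168.80.3"),
        # None: a destination outside the allowed prefixes never enters the tunnel
        "internet_dst_enters_tunnel": wg.select_peer_for_outbound("8.8.8.8"),
    }


def model_phone_side():
    """FUNCTION-1 on the remote device with the three-entry AllowedIPs above."""
    phone = WireGuardInterface()
    phone.add_peer("hAP", ["192.168.15.12/32", "192.168.30.0/24", "192.168.80.1"])
    return {
        "server": phone.select_peer_for_outbound("192.168.15.12"),
        "subnet_host": phone.select_peer_for_outbound("192.168.30.7"),
        "wg_address": phone.select_peer_for_outbound("192.168.80.1"),
        "internet": phone.select_peer_for_outbound("8.8.8.8"),  # None: bypasses tunnel
    }


if __name__ == "__main__":
    for label, fn in (("as posted", model_thread_config),
                      ("one /32 per peer", model_fixed_config),
                      ("phone side", model_phone_side)):
        print(label, fn())
```

In the "as posted" run Peer 1 keeps the default route and passes traffic, while Peer 2 still handshakes (the handshake does not consult Allowed IPs) but every packet it sends is dropped at FUNCTION-2 and replies to 192.168.80.3 are steered into Peer 1's tunnel by FUNCTION-1. With one /32 per peer both directions resolve to the right peer, and a destination outside the allowed list is simply not routed into the tunnel, which is the partitioning job the reply then hands to the forward-chain firewall rules.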