I have an Ubuntu server on AWS that I use as a WireGuard VPN. I am able to connect to the server using different Linux, Windows and Android clients, and when the connection is established the clients get the public IP of the server, so here everything is good.
Now I set up my MikroTik router as a client to the server with WireGuard, and so far I was able to establish the connection. I am able to ping back and forth between the server and the MikroTik router successfully.
Last step, and here is where I am getting stuck: I would like all the clients on the LAN connecting to the MikroTik router to be routed through the tunnel and use the Ubuntu server as the gateway.
I followed a few video tutorials and it looks like a matter of setting up the routes properly on the MikroTik. But at the last step, when I enable 0.0.0.0 with wire-aws as the gateway (pointed out in the screenshot), I lose connection to the internet completely.
Could you guys take a look at the attached screenshot and guide me a bit? There is something I am doing wrong of course, but I feel like I am almost there. Thank you so much.
See holvoetn, a perfect example of a motivated first poster that, with a single training session, could produce a valid first post. There would be many one-and-dones… My idea is both practical and feasible, for anybody who is not brain dead that is.
Some would take longer, but overall, you should be able to appreciate only seeing first posts that have the required information and research done.
Thank you holvoetn for your friendly and coherent request. Your willingness to help without displaying frustration, sarcasm, or a condescending tone is appreciated. Unlike some individuals on online forums who don’t have much in life or much to do, and may lack education or seem unwelcoming, you demonstrate a positive attitude and helpful demeanor.
Here is the config:
# mar/11/2024 00:00:00 by RouterOS 7.9
# software id = LNA4-IPRD
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxx
/interface bridge
add admin-mac=2C:xx:xx:xx:xx:CD auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=2C:xx:xx:xx:xx:AA
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=xxxx \
distance=indoors frequency=auto installation=indoor mac-address=\
E8:xx:xx:xx:xx:A1 mode=ap-bridge name=wlan2.4 ssid=NET \
station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
channel-width=20/40/80mhz-XXXX country=xxxx disabled=no distance=\
indoors frequency=auto installation=indoor mac-address=2C:xx:xx:xx:xx:D8 \
mode=ap-bridge name=wlan5g ssid=NET station-roaming=enabled \
wireless-protocol=802.11
/interface wireguard
add disabled=yes listen-port=51001 mtu=1420 name=wire-aws
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2.4
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan5g
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.69.10/24 disabled=yes endpoint-address=xx.xx.xx.xx \
endpoint-port=51001 interface=wire-aws persistent-keepalive=25s \
public-key="osi1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip address
add address=192.168.100.1/24 comment=defconf interface=ether2 network=\
192.168.100.0
add address=192.168.69.10/24 interface=wire-aws network=192.168.69.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=WINBOX dst-port=9800 in-interface-list=\
WAN protocol=tcp
add action=accept chain=forward comment=Wireguard-forward disabled=yes \
out-interface=wire-aws src-address=192.168.100.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=wireguard-nat disabled=yes \
out-interface=ether1 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade - original" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wire-aws pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=xx.xx.xx.xx/32 gateway=192.168.100.1 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set winbox port=9800
/system clock
set time-zone-name=world
/system identity
set name=mtik
/system note
set show-at-login=no
/system ntp client
set mode=broadcast
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
What’s basically needed is a dedicated route to your WireGuard server (external IP) using your ISP gateway for the tunnel setup.
Then use 0.0.0.0/0 to route all the rest to that WG gateway.
That first part I am not seeing.
As long as that’s not there, the WG tunnel cannot be set up and as a consequence there is no internet access.
Thank you holvoetn.
As I mentioned in my first post, the WireGuard tunnel is set up and working.
I am able to see traffic back and forth in the MikroTik’s WireGuard panel when I activate the connection. I am also able to ping the server’s WireGuard interface (192.168.69.1) from the MikroTik’s terminal and ping the MikroTik tunnel address (192.168.69.10) from the Ubuntu server.
The MikroTik is behind the ISP gateway 192.168.1.1, but I am not sure that matters; I can connect all my Linux clients (connected to the MikroTik) independently to the Ubuntu WireGuard server and there is nothing configured in the ISP gateway.
I am just missing the part to route all the local LAN clients on the MikroTik to the already established WireGuard tunnel.
Where is that WireGuard server located? Its external IP needs to be reachable … you need a dedicated route usable at all times for that, since the default 0.0.0.0/0 will be used for something else later on.
The server is located in AWS. It has an external IP 3.x.x.x. The local IP I am referring to is the WireGuard interface on the server, 192.168.69.1, and the MikroTik client, 192.168.69.10, as seen in the configuration file I uploaded.
I had to mask the server IP and other sensitive information, but the local IPs are shown as they are in the router.
Make sure there is a dedicated route towards that 3.x.x.x address.
That will ensure WG can be functional.
And then the rest can go over that WG tunnel.
The route is already there (pointed out in the screenshot below), but when the WireGuard connection is active, the clients connected to the MikroTik in the LAN still go around it using the local IP from the ISP. Then the grayed-out 0.0.0.0/0 wire-aws route, if enabled, is when I lose connection to the internet.
Maybe I am typing the wrong gateway, 192.168.100.1? That is the local IP of the MikroTik router; should I use something else?
Simple TO:
/interface wireguard peers
add allowed-address=192.168.69.0/24 disabled=no endpoint-address=xx.xx.xx.xx \
endpoint-port=51001 interface=wire-aws persistent-keepalive=25s \
public-key="osi1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=\
192.168.100.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.69.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
********** entire rule removed ********** and replaced by:
add action=accept chain=input comment="Admin via WG" in-interface=wire-aws \
src-address-list=Authorized
add action=accept chain=forward comment=Wireguard-forward disabled=no \
out-interface=wire-aws src-address=192.168.100.0/24
/ip firewall nat
********** entire rule removed ********** and replaced by, IF NECESSARY:
add action=masquerade chain=srcnat out-interface=wire-aws comment=\
"required if not identifying the MT subnet as allowed IPs on AWS peer settings"
/routing table
add fib name=use-WG
/ip route
{ assuming that the IP DHCP client has default route selected=yes, and peer dns = no }
add dst-address=0.0.0.0/0 gateway=wire-aws routing-table=use-WG
/routing rule
add src-address=192.168.100.0/24 action=lookup table=use-WG
Note 1: To ensure that while away from the router you can access the router for config purposes, you create a list of road-warrior IP addresses, Authorized, that you would use to connect to the AWS remotely (laptop, smartphone etc…). Remember, with your setup the entire LAN already has access to Winbox. Accessing Winbox via the WireGuard connection is the safe and proper way to do it from remote locations.
Note 2: If you want users on the LAN to NEVER use the local WAN (ether1), in case the WireGuard connection is broken for whatever reason, then ensure you modify the action in the routing rule to: action=lookup-only-in-table
Note 3: The reason to source-NAT the WireGuard interface is normally for third-party VPNs where they only expect and allow one IP address. If on the AWS side you can allow the 192.168.100.0/24 subnet in the peer allowed IPs, then there is no need for the extra source NAT rule.
I encourage you to ask as many questions as you need to understand all the changes… In that way you will become more independent!
Routing tables are also a possibility but not needed per se.
I seem to recall a similar discussion between you and Sob with exactly the same proposal by you.
192.168.100.1 is local for your router.
Your ISP gateway is … ? I guess 192.168.1.1, from your screenshot?
I prefer the routing table method as it provides more flexibility and functionality.
I don't presume that all users must use the tunnel 100% of the time.
More often than not, the admin will want to retain the ability for one IP (one of his) to be able to access the local WAN.
Then there is the scenario where WireGuard is not available for whatever reason, and all users can still access the local WAN in this situation.
As per my note, by simply changing the action to lookup-only-in-table on the rule that forces all users to go to table=use-WG, that removes access to the local WAN for all users and thus covers that need as well.
Max flex, and future growth, anything else is sub-optimal… Would you eat French Chocolate if you could eat Belgian Chocolate, hell no! Same thing.
An example of the admin bypassing the tunnel for one of his admin IPs could be a static IP, .66 on his wifi cellphone… and ORDER of rules is critical!!
/routing table
add fib name=use-WG
/routing rule
add src-address=192.168.100.66/32 action=lookup-only-in-table table=main
add src-address=192.168.100.0/24 action=lookup table=use-WG
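Pulling the pieces of this thread together, here is the complete policy-routing set as an added example (not the configuration of any poster): the peer must allow any destination, the tunnel endpoint is pinned to the ISP gateway in the main table, the LAN is steered into a separate table, and one admin host is kept on the ISP path. AWS_PUBLIC_IP is a placeholder for the masked 3.x.x.x address, and 192.168.1.1 is assumed to be the ISP gateway reached through ether1.

```routeros
# Added example, not from any post in this thread. Replace AWS_PUBLIC_IP with
# the real server address; 192.168.1.1 is an assumed ISP gateway on ether1.

# 1. The peer must accept any destination: WireGuard's cryptokey routing only
#    sends (and accepts) packets whose address falls inside allowed-address,
#    so a 0.0.0.0/0 route via wire-aws needs a 0.0.0.0/0 allowed-address.
/interface wireguard peers
set [ find interface=wire-aws ] allowed-address=0.0.0.0/0 disabled=no

# 2. Pin the encrypted UDP traffic to the ISP gateway in the main table, so the
#    tunnel packets themselves never get steered into the tunnel.
/ip route
add dst-address=AWS_PUBLIC_IP/32 gateway=192.168.1.1 comment="WG endpoint via ISP"

# 3. A dedicated table whose only route is the tunnel.
/routing table
add fib name=use-WG
/ip route
add dst-address=0.0.0.0/0 gateway=wire-aws routing-table=use-WG

# 4. Rules are evaluated top to bottom, so the admin bypass must come first.
#    action=lookup falls back to main when the tunnel is down (fail-open);
#    use lookup-only-in-table on the LAN rule to fail closed instead.
/routing rule
add src-address=192.168.100.66/32 action=lookup-only-in-table table=main \
    comment="admin host stays on ISP"
add src-address=192.168.100.0/24 action=lookup table=use-WG \
    comment="LAN via tunnel"

# 5. Only needed if the AWS peer does not list 192.168.100.0/24 in its
#    AllowedIPs; otherwise the server drops the un-NATed LAN sources.
/ip firewall nat
add chain=srcnat out-interface=wire-aws action=masquerade comment="LAN via WG"
```

After applying it, a LAN host should report the AWS public address from any "what is my IP" check, while the .66 host keeps reporting the ISP address.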
Thank you guys.
I tried the modifications suggested, and somewhere at the last steps in the use-WG part I lost the Winbox connection to the router and had to hard reset it to regain access to it.
Before that I kept testing to see if the client was already being routed through the tunnel, but it was not working.
I restored the router with a backup I had, so now it is clean again. I upgraded the firmware and OS to the latest version on the way.
I'm busy with some work now; I will get back and try again soon and post the configuration minus the use-WG option. I can take care of the Winbox issue later.
Thank you
As holvoetn noted,
let's say take ether5 off the bridge.
Give it an IP address:
add address=192.168.55.1/24 interface=ether5 network=192.168.55.0
Ensure ether5 is part of the LAN list in the interface list members.
Then to complete the config, do it by connecting your PC to ether5 and giving the PC a static IPv4 address of, let's say, 192.168.55.5.
Should be good to go.