WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks

Hi all,
thank you for reading.
This is my first time posting here.

Got 2x RB1100x4 (both firmware 7.13.4) serving 2 different sites with 2 different networks.
Site-to-Site Wireguard between the 2 sites is working perfectly.
Also I’m able to connect from the outside with my PC / Smartphone using WireGuard to each of the 2 sites.

But …
… when I’m connected to 1 of the sites (doesn’t matter which one) from my device [outside of both networks] using WireGuard I’m just able to connect to the addresses of the site I’m connected to and not to the addresses of the other site.

I’m wondering if it’s possible to connect to 1 of the sites while also being able to reach the addresses of the other site that is site-to-site WireGuarded with the one I’m connected to.

Please help.
Thank You

It is… set up one site as the server. Have the other be the client. VPN to the server. Set up the routes…

Works fine.

Yes, let’s say R1 is the Server client for handshake (for both client peer router and client road warriors).

On R1, ensure you add a relay forward chain rule.

add chain=forward action=accept in-interface=wireguard-name out-interface=wireguard-name

R1 should have allowed IPs as follows

add comment="R2 peer" allowed-ips=172.16.16.2/32,SUBNET1,SUBNET2

Where the WireGuard address on R1 is 172.16.16.1/24 and the SUBNETs refer to the remote subnets on R2 that
a. need to be reached by local R1 users or incoming remote warriors
b. are coming in via wireguard to visit local R1 subnets.
(or both a. and b.)

R1 Should have routes for any such SUBNETS
/ip route
add dst-address=SUBNET1 gateway=wireguard-name routing-table=main
add dst-address=SUBNET2 gateway=wireguard-name routing-table=main

R1 Firewall rules
-allow remote wireguard users to local subnets if applicable, can use src-address-lists or src-address to narrow down to specific users, if required.
-allow local users to enter wireguard tunnel

+++++++++++++++++++++++++++++++++++

R2 settings:
add comment="Server Peer R1" allowed-ips=172.16.16.0/24,SUBNETA,SUBNETB …

Where SUBNETA,B are remote subnets on R1 etc.
Routes as required if doing so.
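To make the allowed-ips logic in this answer concrete, here is a small Python model, added here and not taken from the thread or from RouterOS, of how R1 handles a packet arriving from a road warrior: WireGuard's cryptokey routing on ingress and egress, then the forward-chain check that the relay rule satisfies. The peer names, addresses and rule set are constructed from the thread's example topology, not the real configs.

```python
import ipaddress

# Constructed example, not the thread's real configs: R1's wireguard1 peers
# (keyed by comment) with allowed-address sets laid out as anav describes.
R1_PEERS = {
    "NB-1": ["10.10.0.100/32"],
    "home-pc": ["10.10.0.101/32"],
    "R2 peer": ["10.10.0.2/32", "10.1.0.0/16", "10.10.30.0/24"],
}
# R2's peer entry for R1 carries R1's whole tunnel /24, so every road warrior
# behind R1 is an acceptable source when its packets arrive on R2.
R2_PEERS = {"R1 peer": ["10.10.0.0/24", "10.10.10.0/24", "10.10.20.0/24"]}
# Forward-chain accepts on R1 as (in-interface, out-interface) pairs;
# ("wireguard1", "wireguard1") is the relay rule the OP was missing.
R1_FORWARD_ACCEPT = {("wireguard1", "LAN"), ("LAN", "wireguard1"),
                     ("wireguard1", "wireguard1")}


def select_peer(peers, addr):
    """Cryptokey routing: the peer whose allowed-address has the longest
    prefix containing addr, or None if no peer claims it."""
    addr = ipaddress.ip_address(addr)
    best = None
    for name, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None


def relay(peers, forward_accept, src, dst, wg_if="wireguard1", lan_if="LAN"):
    """Decide whether a router relays a packet that arrived on wg_if.
    Returns (delivered, reason). A destination no peer claims is treated as
    a local LAN host; WAN and routing-table lookups are not modelled."""
    # 1. Ingress: a decrypted packet is discarded unless its source address
    #    lies in the sending peer's allowed-address.
    if select_peer(peers, src) is None:
        return False, "ingress drop: source not in any peer's allowed-address"
    # 2. Egress: if the destination selects a peer, the packet must be
    #    re-encrypted to that peer, i.e. it leaves via the tunnel again.
    peer = select_peer(peers, dst)
    out_if = wg_if if peer else lan_if
    # 3. Firewall: the forward chain must accept the interface pair; the
    #    wg->wg hairpin is not covered by the LAN<->wg rules.
    if (wg_if, out_if) not in forward_accept:
        return False, f"firewall drop: no accept for {wg_if}->{out_if}"
    if peer:
        return True, f"relayed to peer '{peer}' via {wg_if}"
    return True, f"delivered to local {lan_if}"
```

Removing the ("wireguard1", "wireguard1") pair from R1_FORWARD_ACCEPT reproduces the OP's symptom: the destination still selects the R2 peer, but the forward chain drops the hairpin.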

Hi again and thank you both.

@anav: I was missing relay forward chain rule on R1.
Then I added it (also on R2, even if this last one is probably not useful) and I also modified the allowed addresses on the R1 peer, limiting the IP to nnn.nnn.nnn.2/32 (previously I wrote the entire subnet nnn.nnn.nnn.0/24 there) and instead, as you described, I left the entire subnet in the allowed addresses on R2.
Finally I think routes, fw rules and peers are ok on both R1 and R2.

Anyway still can’t reach R2 subnets when connected to R1 via WireGuard RoadWarrior [and also can’t reach R1 subnets when connected to R2 via WireGuard RoadWarrior].

I’m attaching confs of both R1 and R2.
R1confFULL-MOD.txt (7.91 KB)
R2confFULL-MOD.txt (7.62 KB)
Please help.

Have a nice day.

My advice is to only use one Router as server, for the Router to Router Traffic.
The second wireguard interface I would just use for external road warrior traffic to R2, directly.

The reason being, practically speaking, that if R1 is not working, R1-R2 connectivity is zilch, you cannot use R1 to reach R2, and so you simply need an admin backup to reach R2.

With that in mind.

R1 # model = RB1100x4

/interface list
add name=WAN
add name=LAN

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=vlan8 list=LAN
add interface=vlan9 list=LAN
add interface=wireguard1 list=LAN

/interface wireguard peers
add allowed-address=10.10.0.100/32 comment=NB-1 interface=wireguard1 public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.10.0.101/32 comment=home-pc interface=wireguard1 public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.10.0.2/32,10.1.0.0/16,10.10.30.0/24,10.10.40.0/24 comment="VIIT viit1.fm.it" interface=wireguard1 public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

/ip firewall address-list
add address=30.0.1.AB/32 list=Authorized comment="admin local pc"
add address=10.10.10.X/32 list=Authorized comment="admin local laptop wifi"
add address=10.10.0.100/32 list=Authorized comment="admin remote NB-1"
add address=10.10.0.101/32 list=Authorized comment="admin remote desktop home"
add address=10.1.0.AB/32 list=Authorized comment="admin on R2 desktop"
add address=10.10.30.CD/32 list=Authorized comment="admin on R2 laptop wifi"

/ip firewall filter
{default rules to keep - order is important }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp

{admin rules}
add action=accept chain=input comment="CONSENTI WireGuard VPN" dst-port=13231 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53,123 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else"

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{default rules to keep}
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
{admin rules}

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access" src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="Consenti WireGuard VPN [transito tra 2 sedi per RoadWarrior (esterni)]" in-interface=wireguard1 out-interface=wireguard1
add action=accept chain=forward comment="allow local LAN to wg" in-interface-list=LAN out-interface=wireguard1 { limit by source address subnets and dst-address subnets as required }
add action=accept chain=forward comment="allow remote wg to LAN" in-interface=wireguard1 out-interface-list=LAN { limit by source address subnets and dst-address subnets if required }

add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
add action=drop chain=forward comment="drop all else"

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

R2 # model = RB1100x4
/interface wireguard
add comment="WireGuard VPN" listen-port=13231 mtu=1420 name=wireguard2
add comment="Wireguard Secondary" listen-port=14321 mtu=1420 name=wg-bup

/interface list
add name=WAN
add name=LAN

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=vlan6 list=LAN
add interface=vlan7 list=LAN
add interface=wg-bup list=LAN
add interface=wireguard2 list=LAN

/interface wireguard peers
add allowed-address=10.10.0.0/24,30.0.0.0/8,10.10.10.0/24,10.10.20.0/24 comment="SD sede2.flowmeter.it" endpoint-address=nnn.nnn.nnn.109 endpoint-port=13231 interface=wireguard2 persistent-keepalive=25s public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.20.20.2/32 comment="remote admin NB-2" interface=wg-bup public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.20.20.3/32 comment="remote admin desktop" interface=wg-bup public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

/ip firewall address-list
add address=30.0.1.AB/32 list=Authorized comment="admin at R1 remote pc"
add address=10.10.10.X/32 list=Authorized comment="admin at R1 remote laptop wifi"
add address=10.10.0.100/32 list=Authorized comment="admin remote NB-1"
add address=10.10.0.101/32 list=Authorized comment="admin remote desktop home"
add address=10.1.0.AB/32 list=Authorized comment="admin on local desktop"
add address=10.10.30.CD/32 list=Authorized comment="admin on local laptop wifi"
add address=10.20.20.2/32 list=Authorized comment="admin remote backup NB-2 for R2"
add address=10.20.20.3/32 list=Authorized comment="admin remote backup desktop for R2"

/ip firewall filter
{default rules to keep - order is important }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp

{admin rules}
add action=accept chain=input comment="Backup Handshake WireGuard VPN" dst-port=14321 protocol=udp { matches the wg-bup listen-port above }
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53,123 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="drop all else"

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{default rules to keep}
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

{admin rules}
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access" src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="allow local LAN to wg" in-interface-list=LAN out-interface=wireguard2 { limit by source address subnets and dst-address subnets as required }
add action=accept chain=forward comment="allow remote wg to LAN" in-interface=wireguard2 out-interface-list=LAN { limit by source address subnets and dst-address subnets if required }
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
add action=drop chain=forward comment="drop all else"

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thank you @anav!
I really appreciate your prompt help!

I think I followed all the steps you posted, but unfortunately I’m still not able to connect to addresses of the R2 LAN while connected to R1 via WireGuard RoadWarrior.

WireGuard-BKP for R2 is working (and, as expected, I’m not able to connect to R1 LAN devices in this case … just to R2 LAN devices).

I’m attaching here modified confs of both R1 and R2.

R2conf.rsc (8.7 KB)
R1conf.rsc (8.75 KB)
Could you please take a look at them and see if I miss something? (I already did it twice).

Again … THANK YOU! =)

Hmm, try rebooting the routers. I don’t see any reason why the road warrior should not be able to access the LANs on R2 ???

@anav You’re right!
Simply rebooted both routers and everything is now working.
Thanks again!