Hi,

could someone please point me to the right direction? I am not Mikrotik guru, but learning still.. I have on my MT configured NordVPN based on https://support.nordvpn.com/Connectivity/Router/1360295132/MikroTik-IKEv2-setup-with-NordVPN.htm and I am sending few local IPs (from multiple VLANs) to the NordVPN tunel based on IP address Llist (connection marking). This is working OK. Later I configured OpenVPN server on MT. I am connecting to the VPN from Windows client, VPN is working OK. Also I am sending Windows OpenVPN traffic to the NordVPN my marking connection using IP address list. This is working OK and my Windows 10 client can surf the internet over OpenVPN —> NordVPN tunnel.

Now the problematic part is that I wanted to the same for Wireguard VPN, send all VPN client traffic to the NordVPN tunnel but this is not working when I am marking connections using IP address list for Wireguard IPs. When I disable IP address list (connection marking) for Wireguard client VPN IP, wireguard client can get to internet using my hope ISP without problems. I just cannot forward wireguard client’s traffic over NordVPN tunnel. In logs I see that traffic is router to the tunnel but probaby not returning?
Not sure why with OpenVPN it works without issues, but with Wireguard VPN with the “same config” it is not working..

any help appreciated.

Your explanation is very confusing.

Part 1 - Nord VPN is working for some clients (local users)

Part2 - Open VPN is working for some clients (external users coming into the router)

Part3 - Wireguard VPN is not working for all clients. (external users coming into the router)


I am not sure why you are complicating life by having three different VPNs…

Are you trying to
1> Send all incoming wireguard traffic to the router, then to the nordvpn? ( external users )

Please post the config of the MT device /export file=anynameyouwish

hi,

I am learning and testing / comparing various scenarios / options. Consider this all as test Hope I will describe it more clear :
Part 1 - Nord VPN is working for some clients (local users)

I have permanent NordVPN tunnel on my MT device and for some IPs from my home I routing their traffic over NordVPN, testing private VPN options / anonymizations..

Part2 - Open VPN is working for some clients (external users coming into the router)

I was testing VPN options in case I want to connect from e.g. public wifi and be safe regarding connection.. Therefore I was testing OpenVPN. Next test was if my OpenVPN client (windows) can reach NordVPN tunnel on my MT and get to the internet over NordVPN tunnel, this is working.

Part3 - Wireguard VPN is not working for all clients. (external users coming into the router)
as long as OpenVPN is slow, I was testing Wireguard VPN the same way as OpenVPN, it is fast, I can secure and route all windows vpn client traffic through my MT and my ISP (as OpenVPN). But next test was to route this client over my NordVPN as I did with OpenVPN.. but this is not working.. Packets are marked and going to the NordVPN tunnel.. but internet is not working then for wireguard vpn client..

Why not just stick with wireguard VPN all they way?
What kind of VPN is this nord vpn?

Why not just stick with wireguard VPN all they way?
want to test more options, relaying on MT and NordVPN setup
What kind of VPN is this nord vpn?
NordVPN on MT is: “IKEv2 EAP VPN tunnel to a NordVPN server”.

Well wireguard from users to the MT is relatively easy.
Then you simply have to"
a. allow in firewall rules, the incoming MT users to the 3rdpartyVPN
b. ensure a path for routing of same users to 3rdparty VPN and return back through WG tunnel

If you were using WIREGUARD on the connection to the third party VPN, you could make it all the same interface and simplify a bit.

b. ensure a path for routing of same users to 3rdparty VPN and return back through WG tunnel

I see in logs that traffic from wg client is going to NordVPN tunnel… but I do not see if that is coming back.. technically OpenVPN was working without issues with this scenario.. In logs I also did not see traffic coming back.. not sure what am I missing with wg vpn..

I am using only dynamic routes which are created automatically..

Without seeing your config, who knows.
/export hide sensitive…

here is the “obsfucated and truncated” config, I changed ports, names or deleted lot of lines, from FW rules, VLANs,.. which I thought would not be necessary or related to this issue (e.g. communication between vlans, DHCP, IP pools, logs, etc..). If something will be missing, please let me know.

by RouterOS 7.3beta40

model = RouterBOARD 750G r3

/interface bridge
add admin-mac=xx:xx:xx:xx:xx auto-mac=no frame-types=
admit-only-vlan-tagged mtu=1500 name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether3 ] comment=“VLAN1 - Management”
set [ find default-name=ether4 ] comment=TRUNK
set [ find default-name=ether5 ] comment=TRUNK
/interface ovpn-server
add name=ovpn-in1 user=xxxxxxxx
Interface" user=xxxxxxx1
/interface wireguard
add listen-port=12345 mtu=1492 name=wireguard1
/interface vlan
add interface=bridge name=VLAN1-test6 vlan-id=1
add interface=bridge name=vlan10-LAN vlan-id=10
add interface=bridge name=vlan11-test7 vlan-id=31

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=LAN include=all name=“test ipsec”
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip ipsec mode-config
add connection-mark=NordVPN-mark name=NordVPN responder=no src-address-list=
NordVPN use-responder-dns=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128
hash-algorithm=sha256
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha384 name=
NordVPN
/ip ipsec peer
add address=xxx.xxx exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 pfs-group=modp2048
add auth-algorithms=sha256 name=home pfs-group=modp2048
add name=NordVPN pfs-group=none
/ip pool
add name=VPN-OpenVPN ranges=192.168.254.100-192.168.254.105
add name=vlan13-test5 ranges=192.168.42.100-192.168.42.150


/port
set 0 name=serial0
/ppp profile

/queue type
add kind=pfifo name=OpenVPN pfifo-limit=250
/queue interface
set ovpn-in1 queue=OpenVPN
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/system logging action

/interface bridge port
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged interface=ether3 pvid=11
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=none protocol=“”
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 untagged=ether4 vlan-ids=
add bridge=bridge tagged=bridge,ether5 vlan-ids=100


/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=OpenVPN-Server cipher=aes256 enabled=yes port=1234
protocol=udp require-client-certificate=yes tls-version=only-1.2
/interface wireguard peers
add allowed-address=192.168.99.100/32 interface=wireguard1 public-key=
“xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”
/ip address

add address=192.168.42.1/24 interface=vlan13-test5 network=192.168.42.0
add address=192.168.99.1/24 interface=wireguard1 network=192.168.99.0

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=192.168.200.0/24 comment=“TESTVLAN host” list=NordVPN
add address=192.168.0.0/16 list=NOT_for_NordVPN
add address=10.0.0.0/8 list=NOT_for_NordVPN
add address=172.16.0.0/16 list=NOT_for_NordVPN
add disabled=yes list=ALL
add address=192.168.30.0-192.168.30.148 list=NordVPN
add address=192.168.99.100 list=NordVPN // this is WG client marked to go to NordVPN tunnel

/ip firewall filter
add action=drop chain=forward comment=“DROP not public IP reach LAN”
in-interface=ether1 log=yes log-prefix=DROP-ALL-PRIVATE-IP-IN
src-address-list=NotPublic
add action=drop chain=forward comment=“Drop all packets from local network to
internet which should not exist in public network” dst-address-list=
NotPublic log=yes log-prefix=DROP-ALL-PRIVATE-IP-OUT out-interface=ether1
add action=accept chain=forward comment=“Test one way FW rule between VLAns”
connection-state=established,related log-prefix=
ACCEPT-ESTABLISHED-RELATED
add action=accept chain=input comment=
“Accept established and related packets” connection-state=
established,related

add action=accept chain=input comment=“Wireguard VPN” port=12345 protocol=udp
add action=accept chain=forward comment=“Wireguard allow internet”
in-interface=wireguard1 out-interface=ether1
add action=accept chain=input comment=“WireGuard allow DNS” dst-address=
192.168.99.1 in-interface=wireguard1 port=53 protocol=udp

add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid log=yes log-prefix=
DROP-ALL-INVALID-PACKETS-FORWARD
add action=drop chain=input comment=“Drop invalid packets” connection-state=
invalid log=yes log-prefix=DROP-ALL-INVALID-PACKETS-INPUT
add action=drop chain=input comment=
“Drop all packets which are not destined to routes IP address”
dst-address-type=!local log-prefix=DROP-ALL-NOT-DESTINATED-TO-ROUTES
add action=drop chain=input comment=
“Drop all packets which does not have unicast source IP address” log=yes
log-prefix=DROP-ALL-INPUT-NO-UNICAST-SRC-IP src-address-type=!unicast
add action=drop chain=forward log=yes log-prefix=
DROP-ALL-FORWARD-NO-UNICAST-SRC-IP
add action=drop chain=forward comment=
“Drop new connections from internet which are not dst-natted”
connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment=“BLOCK ALL?” log=yes log-prefix=
DROP-ALL-FORWARD
/ip firewall mangle
add action=passthrough chain=prerouting disabled=yes dst-address-list=ALL
log=yes src-address-list=NOT_for_NordVPN
add action=mark-connection chain=prerouting comment=
“Mark packets for NordVPN” dst-address-list=!NOT_for_NordVPN log=yes
new-connection-mark=NordVPN-mark passthrough=yes src-address-list=NordVPN
add action=change-mss chain=forward comment=
“lowering MTU due to NordVPN issues” new-mss=1300 passthrough=yes
protocol=tcp tcp-flags=syn tcp-mss=1301-65535
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add auth-method=eap certificate=“” eap-methods=eap-mschapv2 generate-policy=
port-strict mode-config=NordVPN peer=NordVPN policy-template-group=
NordVPN username=xxxxxxxxxx
/ip ipsec policy
set 0 proposal=home
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=
0.0.0.0/0 template=yes

/ppp secret
add name=openvpn-user1 profile=“OpenVPN - clients” service=ovpn

Besides an improperly devised bridge setup and the awful use of vlan1 and the bloated disorganized Firewall rule mess, the comment I would like to focus on is the need to mangle traffic to NordVPN?
Is there some local traffic that you do want to go to Nord VPN and some local traffic you dont want to go to Nord VPn for internet???
Assuming you want.
a. all external incoming wireguard clients to go out Nord VPN
b. no external incoming wireguard clients are going to local devices (except for sub para c. next)
c. you want to be able to configure MT router from an external wireguard client

Highly recommend

• you read this for VLANS - http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
• you read this for firewall - https://forum.mikrotik.com/viewtopic.php?t=180838
• you read this for wireguard - https://forum.mikrotik.com/viewtopic.php?p=906311

This seems blatantly wrong… I thought you wanted your incoming external wireguard clients to go out the NORD VPN for internet, not your local ISP for internet???
add action=accept chain=forward comment=“Wireguard allow internet”
in-interface=wireguard1 out-interface=ether1

This supports the assertion that you really dont understand firewall rules and have no business adding any rules other than the default until the basics are learned. The last rule is actually an excellent approach which, if you knew what it meant, means you dont need all your user added block rules above that. You only need allow rules (except for keeping the default invalid rule).
add action=drop chain=forward comment=“BLOCK ALL?” log=yes log-prefix=
DROP-ALL-FORWARD

I will have to build it from scratch, know that.. lot of e.g. fw rules, were one time tests, but have no hits now but left them there..also the same with all config, one time tests.. speaking of the goal, my OpenVPN fw rules are configured with the same way and WG fw rules, even reaching ethernet1.. but when in OpenVPN case I marked that IP for NordVPN connection it will go to NordVPN tunnel, which for WG setup (with the same rules) is not working.. and yes in my test scenario some OpenVPN client will directly go to my ISP (that is why ethernet1 forward) and some are going to NordVPN.. just do not get it why with OpenVPN it works and with WG not.. I am no pro in this.. not my focus in general..

Yes, but I cannot help if you requirements are wishy washy.
Detailed clear requirements I can work with and a config that is cleaned up and organized is much more conducive to problem solving

Local MT router:
subnet A needs to reach…]
subnet B needs to reach…]
user 1 on subnet C needs to reach
user2 on subnet C needs to reach
Rest of subnet C needs to reach…

External Client1 - come in on wireguard go out NordVPN internet
External Client2 - come in on wireguard go out my local ISP
Admin external client - come in wireguard and go out NordVPN OR config the local router.

ETC. ETC…

If you get organized, gladly will help. otherwise its not productive.

Amen brother AMEN …

@anav … what a GREAT resource you are … this forum is very luck to have you …

Its the very patient experts on the forum that allow me to meander all over the map till I get something close to good enough LOL.