Wireguard + VPS to access CG-NAT Network

Hello all,

I’m struggling to configure an MT router to allow access to the local network through wireguard. At the moment I’ve set up a VPS with a wireguard server and the router connects to it successfully.
The ISP router is an LTE router with CGNAT, so it is not possible to open ports or make routes. I’m attaching a diagram to make it clear.
Diagram.png
The goal is to make Laptop1 reach the ISP router’s LAN subnet devices (192.168.90.5, 192.168.90.10, etc.). I’ve tried to follow @anav’s posts here on the forum (really helpful) but I feel that there’s something I miss or am not doing correctly.

Also as a side note, I’ve tested the new BTH feature and it works okay (I can also access the remote local subnet) and zerotier too, both working. The reason to make this myself is to use non-ARM MT devices (I have many of them deployed and they won’t be changed soon…)

Here’s the MT CAP config (removed wireless configs):

/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13230 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=wlan1
add bridge=bridge1 ingress-filtering=no interface=wlan2
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.252.1.2/32 endpoint-address=VPS_IP endpoint-port=51825 interface=wireguard1 persistent-keepalive=10s public-key=\
    "JgMJWdSc9y REDACTED="
/interface wireless cap
# 
set discovery-interfaces=bridge1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.90.2/24 interface=ether1 network=192.168.90.0
add address=10.252.1.1/24 interface=wireguard1 network=10.252.1.0
/ip dhcp-client
add disabled=yes interface=bridge1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=wireguard1 dst-port=13230 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment=wireguard1 src-address=10.252.1.0/24
/routing bfd configuration
add disabled=no

Wireguard VPS configuration

[Interface]
Address = 10.252.1.1/24
ListenPort = 51825
PrivateKey = SA15+eO REDACTED=
MTU = 1450
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Table = auto

#LAPTOP1 XPS
[Peer]
PublicKey = TYqXQ6ol REDACTED=
PresharedKey =  XrNVwpl REDACTED =
AllowedIPs = 10.252.1.5/32

#MT CAP
[Peer]
PublicKey = myLFBZB REDACTED =
PresharedKey = NiBoqM8d REDACTED =
AllowedIPs = 10.252.1.2/32

Client Wireguard Configuration

[Interface]
PrivateKey = kMtZpke REDACTED=
Address = 10.252.1.5/32
DNS = 1.1.1.1
MTU = 1450

[Peer]
PublicKey = JgMJWd REDACTED=
PresharedKey = XrNVwplxZ REDACTED=
AllowedIPs = 10.252.1.5/24
Endpoint = REDACTED:51825
PersistentKeepalive = 15

Okay… The big error right off the bat is using the same IP structure on your LAN behind the CAP as the LAN structure of the ISP router. Which means you are missing an ip address, a pool, a dhcp-server and a dhcp-server network.

  1. MT CAP wireguard IP address is wrong, should be:
    add address=10.252.1.2/24 interface=wireguard1 network=10.252.1.0

  2. MT CAP peer settings for the VPS is wrong, should be:
    /interface wireguard peers
    add allowed-address=10.252.1.0/24 endpoint-address=VPS_IP endpoint-port=51825 interface=wireguard1 persistent-keepalive=10s public-key=\
    "JgMJWdSc9y REDACTED="

  3. MT CAP missing address for your bridge etc!!
    /ip address
    add address=192.168.50.1/24 interface=bridge1 network=192.168.50.0
    /ip pool
    add name=dhcp_poolbridge ranges=192.168.50.2-192.168.50.254
    /ip dhcp-server
    add address-pool=dhcp_poolbridge interface=bridge1 name=dhcp1
    /ip dhcp-server network
    add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1

  4. You have no route made..
    /ip route
    add dst-address=0.0.0.0/0 gateway=192.168.90.1 routing-table=main

  5. NAT rule is wrong; you simply need:
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface-list=WAN

  6. No firewall rules so everything is allowed, we can keep that for now but not a good long term plan.

VPS
  7. Allowed IPs for MikroTik change to…
    AllowedIPs = 10.252.1.2/32,192.168.50.0/24

  8. Need a firewall rule on the VPS to allow incoming wireguard traffic and outgoing wireguard traffic (acting as a relay).
    I don’t know VPS, but in the MT it would look like:
    add chain=forward action=accept in-interface=wireguard1 out-interface=wireguard1

(traffic coming from a peer is allowed then to re-enter the tunnel for another peer etc.)

Hello anav,

Thank you for taking the time to reply to me, I really appreciate it.

  • Corrected points #1 and #2 on my MT
  • As for point #3, I have a quick question: the MT device (in this case a CAP) is just a dumb access point with a fixed IP address on the local network (192.168.90.2); the DHCP server is located at the ISP router with IP 192.168.90.1. Is it still necessary to create another DHCP server? I believe the CAP is technically acting as a bridge instead of a router. Am I correct?
  • Point #4

Sorry for that, it appears that the command used

export

didn’t export the routes content; maybe there is another command. Pasting a screenshot here:

tik.PNG
No firewall rules, and NAT rule corrected

At the moment I can ping the CAP IP 10.252.1.2 from the laptop wireguard client 10.252.1.5, still trying to ping the 192.168.90.x equipment from the laptop but no joy… will try some changes.

Again thank you in advance for your help

Well that’s a completely different kettle of fish.
Because you had a WAN interface list, I assumed you wanted the capac to act as a router, not an AP/switch.
Also I don’t use capsman; why bother if you only have the one device, aka not required???

What I have to think about is whether or not a capac in the ap/switch setup can be an effective wireguard client.
We can experiment LOL.

Hello anav,

Regarding the interface list, I’ve started from MikroTik’s default configuration; the only thing that I’ve done is to change to CAP via Quickset with a static IP address.
The reason to use the CAP AC XL for this wireguard thing is because it is a device that I have more or less at hand at a remote location with CGNAT. (In reality I can access the remote network and LAN devices via Zerotier installed on a remote LAN computer.)

Basically I’ve tried this same device with the new Back to Home feature and it’s working well (to access the LAN side of the CAP AC XL); basically I want to do the same but manually with my own VPS. The reason to do that is to add non-ARM devices that I have on remote clients (I don’t need so much speed).

Best regards

/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13230 mtu=1420 name=wireguard1
/interface list
add name=MANAGE
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=wlan1
add bridge=bridge1 ingress-filtering=no interface=wlan2
add bridge=bridge1 ingress-filtering=no interface=ether1
/interface list member
add interface=bridge1 list=MANAGE
add interface=wireguard1 list=MANAGE
add interface=ether2 list=MANAGE
/interface wireguard peers
add allowed-address=10.252.1.0/24 endpoint-address=VPS_IP endpoint-port=51825 interface=wireguard1 persistent-keepalive=10s public-key=\
    "JgMJWdSc9y REDACTED="
/ip address
add address=192.168.90.2/24 interface=bridge1 network=192.168.90.0
add address=10.252.1.2/24 interface=wireguard1 network=10.252.1.0
add address=192.168.55.1/24 interface=ether2 network=192.168.55.0
/ip dns
set allow-remote-requests=yes servers=192.168.90.1,8.8.8.8,8.8.4.4
/routing table
add fib name=TO-WG
/ip firewall address-list
add address=admin-ip1 list=Authorized comment="local admin laptop/desktop - static lease"
add address=admin-ip2 list=Authorized comment="local admin smartphone/ipad - static lease"
add address=10.252.1.5 list=Authorized comment="remote admin IP"
etc....
/ip firewall filter
add action=drop chain=input in-interface-list=MANAGE dst-port=winboxPORT protocol=tcp \
    src-address-list=!Authorized
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.90.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=TO-WG
add dst-address=10.252.1.0/24 gateway=wireguard1 routing-table=main comment="route return traffic"
/routing rule
add src-address=192.168.90.5/32 action=lookup table=TO-WG
add src-address=192.168.90.10/32 action=lookup table=TO-WG
add src-address=192.168.90.11/32 action=lookup table=TO-WG
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
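As an added example (not the OP's or anav's code), a small Python check for the cryptokey-routing rule this thread keeps running into: on every hop the peer's AllowedIPs/allowed-address must cover each address that is a source or destination on that tunnel, and the hub must not list one prefix under two peers. ORIGINAL is constructed from the configs posted at the top of the thread; FIXED goes one step beyond the thread by also adding the 192.168.90.0/24 prefix to the laptop's own AllowedIPs, which is assumed to be the remaining gap once anav's changes are applied.

```python
import ipaddress

def nets(cidrs):
    # strict=False masks host bits the way wg does with "10.252.1.5/24"
    return [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs.split(",")]

def covers(cidrs, target):
    """True if some AllowedIPs prefix contains the target address or network."""
    t = ipaddress.ip_network(target, strict=False)
    return any(t.subnet_of(n) for n in nets(cidrs))

def check_hub_spoke(cfg, lan):
    """List the AllowedIPs gaps that would stop laptop <-> LAN traffic.
    Every hop must list each address that is a source or destination on its
    tunnel; replies reuse the same prefixes, so one pass covers both ways."""
    lap, vps, mt = cfg["laptop"], cfg["vps"], cfg["mt"]
    problems = []
    if not covers(lap["allowed"], lan):
        problems.append("laptop: AllowedIPs must include %s to route the LAN into the tunnel" % lan)
    if not covers(vps["laptop_allowed"], lap["ip"]):
        problems.append("vps: laptop peer AllowedIPs must include %s" % lap["ip"])
    for want in (mt["ip"], lan):
        if not covers(vps["mt_allowed"], want):
            problems.append("vps: MT peer AllowedIPs must include %s to pick the CAP as next hop" % want)
    if not covers(mt["allowed"], lap["ip"]):
        problems.append("mt: allowed-address must include %s or the CAP drops the packet" % lap["ip"])
    # The hub gives each prefix to exactly one peer, so overlapping peers are a bug too.
    for a in nets(vps["laptop_allowed"]):
        for b in nets(vps["mt_allowed"]):
            if a.overlaps(b):
                problems.append("vps: %s (laptop peer) overlaps %s (MT peer)" % (a, b))
    return problems

LAN = "192.168.90.0/24"  # the ISP router's LAN behind the CAP
# Constructed from the values posted in the thread, before anav's fixes.
ORIGINAL = {
    "laptop": {"ip": "10.252.1.5", "allowed": "10.252.1.5/24"},
    "vps": {"laptop_allowed": "10.252.1.5/32", "mt_allowed": "10.252.1.2/32"},
    "mt": {"ip": "10.252.1.1", "allowed": "10.252.1.2/32"},
}
# The same setup with every hop listing the prefixes it must carry (assumed fix).
FIXED = {
    "laptop": {"ip": "10.252.1.5", "allowed": "10.252.1.0/24,192.168.90.0/24"},
    "vps": {"laptop_allowed": "10.252.1.5/32", "mt_allowed": "10.252.1.2/32,192.168.90.0/24"},
    "mt": {"ip": "10.252.1.2", "allowed": "10.252.1.0/24"},
}
```

Running check_hub_spoke(ORIGINAL, LAN) reports four gaps (laptop, VPS MT peer twice, CAP allowed-address); check_hub_spoke(FIXED, LAN) returns an empty list.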