Community discussions

MikroTik App
 
jossv
just joined
Topic Author
Posts: 4
Joined: Fri Oct 09, 2020 11:24 am

Setting up a Wireguard VPN without access to the ISP router

Sun May 09, 2021 8:49 pm

Hi, I'm trying to set up a VPN with Wireguard on a RB3011 router behind the ISP router using PAT.

The network scheme is as follows:
network diagram.png
My intention is to create a VPN that allows access to Internal Network from the internet and I am not able to make it work. I think it may be a port configuration issue of the ISP router

Is it strictly necessary to modify the configuration of router A (ISP) to make it work?

Thanks in advance
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting up a Wireguard VPN without access to the ISP router

Sun May 09, 2021 9:21 pm

Hi jossv.
THe only end that needs to port forward is the server end of the equation.
That will be the listening port from the first router to the WANIP of the second router (its lanip on the primarys private subnet)
The listening port is at the client end configuration what they put for peer (you the server) Endpoint. YOURPUBLICWANIP:listening port

So you need to ensure:
a. the primary router has port forwarding capability
b. port forward listening port to the RB router.
The RB router is where you define your WG.
Nothing special is needed at the client end because its all outgoing traffic and thus return traffic will be accepted, even if the client is behind a router and an ISP router (same double nat).

The tricky part is the following two items:
(1) You need to add a route on the RB router to the private subnet of the client with interface being the WIREGUARD interface.
Other wise the router does not know where to send traffic back other than sending it normally to the ISP router routing.
(2) You need to add an input chain rule rule on the RB, to accept incoming traffic on the listening port for the wireguard router service.
Similar to how we accept l2tp and other ports on the input chain for other types of vpn.
 
jossv
just joined
Topic Author
Posts: 4
Joined: Fri Oct 09, 2020 11:24 am

Re: Setting up a Wireguard VPN without access to the ISP router

Sun May 09, 2021 10:10 pm

Hi jossv.
THe only end that needs to port forward is the server end of the equation.
That will be the listening port from the first router to the WANIP of the second router (its lanip on the primarys private subnet)
The listening port is at the client end configuration what they put for peer (you the server) Endpoint. YOURPUBLICWANIP:listening port

So you need to ensure:
a. the primary router has port forwarding capability
b. port forward listening port to the RB router.
The RB router is where you define your WG.
Nothing special is needed at the client end because its all outgoing traffic and thus return traffic will be accepted, even if the client is behind a router and an ISP router (same double nat).

The tricky part is the following two items:
(1) You need to add a route on the RB router to the private subnet of the client with interface being the WIREGUARD interface.
Other wise the router does not know where to send traffic back other than sending it normally to the ISP router routing.
(2) You need to add an input chain rule rule on the RB, to accept incoming traffic on the listening port for the wireguard router service.
Similar to how we accept l2tp and other ports on the input chain for other types of vpn.


First thanks for the quick reply

So, do I have to access the ISP router to do a port forwarding to RB?


This is my current configuration (I'm not sure if it's okay at all):
# may/09/2021 21:05:30 by RouterOS 7.1beta5
# software id = SQJM-HXZS
#
# model = RouterBOARD 3011UiAS
# serial number = 8EED093C5DC5
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=12345 mtu=1420 name=wireguard
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=poolLAN ranges=192.168.1.15-192.168.1.254
/ip dhcp-server
add address-pool=poolLAN disabled=no interface=bridge1 name=serverDHCPLan
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/interface detect-internet
set detect-interface-list=all
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=wireguard public-key="xUmMbCnE0O2Ya/uca/r31qmnK6MYDOzK/zJJH1g5Mh8="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.10.0.1/24 network=10.10.0.0
add address=10.10.0.1/24 interface=wireguard network=10.10.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=10.10.0.0/24
/system clock
set time-zone-name=Europe/Madrid
/system routerboard settings
set auto-upgrade=yes
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Setting up a Wireguard VPN without access to the ISP router

Sun May 09, 2021 10:18 pm

If the RB is acting as a server yes you will need access to the primary router to port forward all traffic on the listening port to the RB.

Who is online

Users browsing this forum: No registered users and 20 guests