anav
Forum Guru
Topic Author
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

WireGuard and IP Cloud

Tue May 18, 2021 5:40 pm

I have two MT routers connected in a WireGuard tunnel on RoS-7.5 beta.
One is behind a CCR1009 (RB450Gx4) and the other is an RB4011, running behind a consumer ISP modem/router (HH3000).
Works great, in no small part thanks to the kind support from Sindy (speed tests roughly 300/300!).

However, one thing I am not sure of is the interplay between WireGuard and IP Cloud in all the following instances!
(1) On the CCR I have a dstnat rule to pass the initial client request for a tunnel to the WANIP of the RB450Gx4:
add chain=dstnat action=dst-nat in-interface=wan src-address-list=RB4011-External dst-port=ListeningPort protocol=udp to-address=IP[ lanip(CCR)=wanip(RBG) ]
where RB4011-External=mynetname.net for the RB4011

(2) On the RB450Gx4 WireGuard interface peer settings, the endpoint address for the RB4011 is the RB4011's mynetname.net name.
(3) Likewise, on the RB4011 the WireGuard peer settings indicate the endpoint as the mynetname.net name of the RB450Gx4.

So, what should I expect to happen in the two following cases?
A. The dynamic public WANIP of the client RB4011 changes?
B. The dynamic public WANIP of the server RB450Gx4 changes?
(Note: the client has keepalive set to 30 secs on its WG interface.)
Last edited by anav on Mon May 31, 2021 2:15 am, edited 1 time in total.

Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: WireGuard and IP Cloud

Tue May 25, 2021 2:52 pm

Why the fancy title? MikroTik IP Cloud DDNS is like any other DDNS.
(2) Why did you set an endpoint on the "server" side? That is not needed; it is filled in automatically with the proper IP and source port when the "client" connects.
(3) When adding a DDNS name as an endpoint, it should get resolved only once, upon first connection. Other WireGuard clients behave this way anyway; I don't suspect MikroTik handles this differently.
A. The "server" doesn't care if the packets come from another IP as long as they authenticate; the endpoint set in (2) gets updated with the new IP and source port of the "client".
B. is tricky. If MikroTik didn't script this, you should script it: have a script check for a DDNS IP change and, if it changed, update the endpoint. What gets saved for the peer endpoint, the current IP or the DDNS name?
Not sure how (B) is handled in the MikroTik world, and I don't have any devices running ROS v7 currently.
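One way to do what Znevna suggests for case (B), as an added example that is not from either poster nor from MikroTik: a RouterOS v7 script, meant to run from /system scheduler, that resolves the peer's DDNS name and rewrites the peer's endpoint-address only when the resolved IP differs from what is stored (whether that is an older IP or the DDNS name itself). The DDNS name and the peer comment used to find the peer are placeholders.

```routeros
# Added example, not the thread's own configuration.
# Assumptions: the peer entry carries comment "rb450gx4" and
# the DDNS name below is a placeholder for the real mynetname.net name.
:local ddnsName "PLACEHOLDER.sn.mynetname.net"
:local peerComment "rb450gx4"

# Resolve the DDNS name; abort with a log entry if DNS fails so a
# stale endpoint is never replaced with an empty value.
:local newIp
:do {
    :set newIp [:resolve $ddnsName]
} on-error={
    :log warning ("wg-endpoint: could not resolve " . $ddnsName)
    :error "resolve failed"
}

# Locate the peer by its comment.
:local peerId [/interface/wireguard/peers/find comment=$peerComment]
:if ([:len $peerId] = 0) do={
    :log warning ("wg-endpoint: no peer with comment " . $peerComment)
    :error "peer not found"
}

# Compare as strings: the stored value may be an IP or the DDNS name.
:local curEp [:tostr [/interface/wireguard/peers/get $peerId endpoint-address]]
:if ($curEp != [:tostr $newIp]) do={
    /interface/wireguard/peers/set $peerId endpoint-address=$newIp
    :log info ("wg-endpoint: " . $peerComment . " endpoint " . $curEp . " -> " . $newIp)
}
```

Schedule it at an interval comparable to the DDNS TTL; the log lines give an audit trail of every endpoint change the script makes.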
