daddyfix
just joined
Topic Author
Posts: 18
Joined: Mon Dec 14, 2020 4:25 pm

Please save my Christmas VPN Network

Mon Dec 14, 2020 5:39 pm

I have been trying to configure my RPi4 WireGuard VPN server and MikroTik router for a few days.
Now I look and feel like the Grinch! Can anyone please help, SantaTik? Are you out there?

Design
WIREGUARD CLIENT ----- INTERNET ----- MIKROTIK RB4011iGS+RM ----- RPI4 WIREGUARD SERVER
IP 192.168.10.10------ WAN IP  ------- 192.168.1.1/24 LAN ----- 192.168.1.120, VPN 192.168.10.1 LAN

The setup below used to work with my NetGear router.

RPi4 WireGuard server wg0.conf
[Interface]
PrivateKey = iF<SECRET>2I=
Address = 192.168.10.1/24
ListenPort = 993
DNS = 192.168.1.1

### begin laptop ###
[Peer]
PublicKey = Nu<SECRET>w=
PresharedKey = 05<SECRET>U=
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1
#AllowedIPs = 192.168.10.10/32
### end laptop ###

Laptop wg0.conf
[Interface]
PrivateKey = KG<SECRET>g=
Address = 192.168.10.10/24
DNS = 192.168.1.1, 208.67.222.222, 208.67.220.220
MTU = 1420

[Peer]
PublicKey = ln<SECRET>Co=
PresharedKey = 05<SECRET>pU=
Endpoint = pimedia.ca:993
AllowedIPs = 192.168.1.0/24, 192.168.10.0/24
#AllowedIPs = 192.168.0.0/16

Laptop connection
[mcon@mcon-XPS-15-9550 ~]$ wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.10.10/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] ip -4 route add 192.168.1.0/24 dev wg0

[mcon@mcon-XPS-15-9550 ~]$ ip addr show wg0
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 192.168.10.10/24 scope global wg0
       valid_lft forever preferred_lft forever
       
[mcon@mcon-XPS-15-9550 ~]$ ifconfig wg0
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 192.168.10.10  netmask 255.255.255.0  destination 192.168.10.10
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 52  bytes 7696 (7.6 KB)
        TX errors 11  dropped 0 overruns 0  carrier 0  collisions 0

My Current MikroTik Setup

[screenshots of the MikroTik setup]

My WireGuard client connections work, but I don't know how to allow traffic from the RPi4 VPN (192.168.1.120) client connections to the LAN (192.168.1.1/24).
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please save my Christmas VPN Network

Mon Dec 14, 2020 6:05 pm

Is 192.168.10.0/24 only on RPi? Does the rest of LAN know about it? This should make it better:
/ip route
add dst-address=192.168.10.0/24 gateway=192.168.1.120
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Please save my Christmas VPN Network

Mon Dec 14, 2020 7:38 pm

I can picture Sob wearing an elf hat!!!
 
daddyfix
just joined
Topic Author
Posts: 18
Joined: Mon Dec 14, 2020 4:25 pm

Re: Please save my Christmas VPN Network

Mon Dec 14, 2020 7:58 pm

Is 192.168.10.0/24 only on RPi? Does the rest of LAN know about it? This should make it better:
/ip route
add dst-address=192.168.10.0/24 gateway=192.168.1.120

Q. Is 192.168.10.0/24 only on RPi?

A. The RPi4 has a LAN address of 192.168.1.120, and it issues WireGuard client addresses as 192.168.10.x.

Q. Does the rest of LAN know about it?

A. I don't know how to check that.

So, I added the route

[screenshot of the route list]

But I still can't communicate with my LAN from the WireGuard client (192.168.10.10)? <baffled>

I tried to ping a LAN IP (192.168.1.130) but it fails. Do I need to add an ICMP rule for the LAN?
[mcon@mcon-XPS-15-9550 ~]$ ping 192.168.1.130
PING 192.168.1.130 (192.168.1.130) 56(84) bytes of data.

^C
--- 192.168.1.130 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21494ms

Thanks for your hints....
Last edited by daddyfix on Mon Dec 14, 2020 8:05 pm, edited 2 times in total.
 
daddyfix
just joined
Topic Author
Posts: 18
Joined: Mon Dec 14, 2020 4:25 pm

Re: Please save my Christmas VPN Network

Mon Dec 14, 2020 7:59 pm

I can picture Sob wearing an elf hat!!!

LOL
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please save my Christmas VPN Network

Mon Dec 14, 2020 8:55 pm

According to screenshot, you have address 192.168.10.1/24 on router, and it may not be what you want. Or what is your exact plan with subnets? Should 192.168.10.0/24 be only for VPN clients, or should some devices in LAN also have addresses from this subnet?

@anav: I can tell you don't know my native language, otherwise you couldn't guess that wrong. ;)
(although it's just coincidence, the nickname is not based on the animal)
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Please save my Christmas VPN Network

Mon Dec 14, 2020 10:04 pm

Let me guess, your real name is Irvas?
Or did your parents have a sense of humour, Irvass ;-))

To set the record straight, to anyone, we are NOT related.
"Camelids are not ruminants taxonomically, physiologically, or behaviorally"

Hmm, I wonder if you will be able to src nat or dst nat your way out of this thread LOL........It seems your favourite rabbit out of the hat trick LOL.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please save my Christmas VPN Network

Mon Dec 14, 2020 11:40 pm

This one should be easy, I'll just blame it on user error. Not only is 192.168.10.1/24 on router, it's on WAN interface on top of that. So if VPN clients connected to RPi server get addresses from same subnet, some part of this config is not right.

Otherwise no further comments for now. :)
 
daddyfix
just joined
Topic Author
Posts: 18
Joined: Mon Dec 14, 2020 4:25 pm

Re: Please save my Christmas VPN Network

Tue Dec 15, 2020 12:41 am

According to screenshot, you have address 192.168.10.1/24 on router, and it may not be what you want. Or what is your exact plan with subnets? Should 192.168.10.0/24 be only for VPN clients, or should some devices in LAN also have addresses from this subnet?

OK. You tickled my interest.

I could change the VPN router clients' IP to 192.168.1.1/24, but I'm afraid that there will be a conflict with the current MikroTik DHCP leases on 192.168.1.1/24.

Q. What is your exact plan with the subnets?

A. My main goal is to have ONLY myself and my wife connect to the VPN and access the Internet and LAN machines

Q. Should 192.168.10.0/24 be only for VPN clients, or should some devices in LAN also have addresses from this subnet?

A. Only VPN clients use 192.168.10.0/24. All regular LAN clients have the 192.168.1.0/24 subnet.
 
daddyfix
just joined
Topic Author
Posts: 18
Joined: Mon Dec 14, 2020 4:25 pm

Re: Please save my Christmas VPN Network

Tue Dec 15, 2020 12:58 am

This one should be easy, I'll just blame it on user error. Not only is 192.168.10.1/24 on router, it's on WAN interface on top of that. So if VPN clients connected to RPi server get addresses from same subnet, some part of this config is not right.

Otherwise no further comments for now. :)

Where you say 192.168.10.1/24 is on the WAN interface, what do you mean?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please save my Christmas VPN Network

Tue Dec 15, 2020 2:54 am

Fifth line in your screenshot is a dynamic route to 192.168.10.0/24 on ether1, which based on the default route (I'm not sure why you have two, but it doesn't matter now) is your WAN port, i.e. connected to the internet. The route has preferred source 192.168.10.1, which means that for some reason you added 192.168.10.1/24 as an address on ether1. Unless there's a reason to have it there, which I don't know about, it looks like a mistake and it shouldn't be there or anywhere else on this router. In any case, it conflicts with the same subnet for VPN clients on RPi.
 
daddyfix
just joined
Topic Author
Posts: 18
Joined: Mon Dec 14, 2020 4:25 pm

Re: Please save my Christmas VPN Network

Tue Dec 15, 2020 5:30 am

Sob, you were exactly right when you had me adjust the routes like so:
Is 192.168.10.0/24 only on RPi? Does the rest of LAN know about it? This should make it better:
/ip route
add dst-address=192.168.10.0/24 gateway=192.168.1.120

My problem was the WireGuard setup AND the MikroTik route.

192.168.1.0/24 is the router LAN network

RPi4 VPN server

[Interface]
Address = 192.168.10.1
PrivateKey = xxx
ListenPort = 993
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = xxx
AllowedIPs = 192.168.10.2/32

Ensure port forwarding is set in /etc/sysctl.conf on the VPN server:
net.ipv4.ip_forward=1

LAPTOP or TABLET VPN CLIENT
[Interface]
Address = 192.168.10.2
PrivateKey = xxx
ListenPort = 993

[Peer]
PublicKey = xxx
Endpoint = pimedia.ca:993
AllowedIPs = 192.168.10.0/24, 192.168.1.0/24

# This is for if you're behind a NAT and
# want the connection to be kept alive.
PersistentKeepalive = 25

Merry Christmas Sob! Without your help I would have been running in circles till the New Year.
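As an added example (not code from the thread or from WireGuard or MikroTik), a small Python checker that applies Sob's diagnosis to a server/client pair of wg0.conf files: it flags the VPN subnet showing up as an address on the router, server-side peer AllowedIPs wider than one client's /32 (the first post's 0.0.0.0/1, 128.0.0.0/1 entries), a client AllowedIPs that does not cover the LAN, and reports whether the MikroTik /ip route is still needed once the server masquerades. The config strings inside are constructed from the configs posted above with keys redacted; the LAN, VPN subnet and router addresses are passed in as arguments.

```python
import ipaddress

def parse_wg_conf(text):
    """Parse a wg-quick config into {'Interface': {...}, 'Peers': [{...}]}; '#' comments are ignored."""
    conf = {"Interface": {}, "Peers": []}
    section = conf["Interface"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Peer]":
            section = {}
            conf["Peers"].append(section)
        elif line == "[Interface]":
            section = conf["Interface"]
        elif line:
            key, _, value = line.partition("=")  # base64 keys end in '=', so split on the first one only
            section[key.strip()] = value.strip()
    return conf

def nets(csv):
    return [ipaddress.ip_network(n.strip(), strict=False) for n in csv.split(",")]

def check_tunnel(server_conf, client_conf, vpn_net, lan, router_addrs):
    """Return findings (list of str); an empty list means the pair looks consistent."""
    srv, cli = parse_wg_conf(server_conf), parse_wg_conf(client_conf)
    vpn_net, lan, findings = ipaddress.ip_network(vpn_net), ipaddress.ip_network(lan, strict=False), []
    # The router mistake Sob spotted: 192.168.10.1/24 was also configured on the MikroTik's ether1.
    for addr in router_addrs:
        if ipaddress.ip_interface(addr).ip in vpn_net:
            findings.append(f"router address {addr} conflicts with VPN subnet {vpn_net}")
    # Server side: a peer's AllowedIPs should be only that client's /32 inside the VPN subnet;
    # 0.0.0.0/1 + 128.0.0.0/1 there sends the RPi's own traffic into the tunnel toward the laptop.
    for peer in srv["Peers"]:
        for n in nets(peer["AllowedIPs"]):
            if n.version != 4 or n.prefixlen != 32 or not n.subnet_of(vpn_net):
                findings.append(f"server peer AllowedIPs {n} is not one client address in {vpn_net}")
    # Client side: AllowedIPs must cover the LAN, otherwise pings to 192.168.1.x never enter wg0.
    if not any(n.version == 4 and lan.subnet_of(n) for n in nets(cli["Peers"][0]["AllowedIPs"])):
        findings.append(f"client AllowedIPs does not cover LAN {lan}")
    return findings

def mikrotik_route_needed(server_conf):
    """Sob's last point: with MASQUERADE in PostUp the LAN only sees the RPi, so no /ip route is needed."""
    return "MASQUERADE" not in parse_wg_conf(server_conf)["Interface"].get("PostUp", "")

# Constructed inputs (keys redacted): the first post's server config, the final one, and the client.
ORIGINAL_SERVER = "[Interface]\nAddress = 192.168.10.1/24\n[Peer]\nAllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1\n"
FIXED_SERVER = ("[Interface]\nAddress = 192.168.10.1\nPostUp = iptables -A FORWARD -i %i -j ACCEPT; "
                "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n[Peer]\nAllowedIPs = 192.168.10.2/32\n")
CLIENT = "[Interface]\nAddress = 192.168.10.2\n[Peer]\nAllowedIPs = 192.168.10.0/24, 192.168.1.0/24\n"
```

Running check_tunnel on ORIGINAL_SERVER with the router addresses from the screenshot discussion reproduces both findings from the thread, while FIXED_SERVER with CLIENT returns no findings.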
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Please save my Christmas VPN Network

Tue Dec 15, 2020 6:59 am

One tiny little detail, when you added source NAT on RPi like you did, you don't need the route (at least for connections from VPN to LAN).
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Please save my Christmas VPN Network

Tue Dec 15, 2020 2:50 pm

F#&k Me, a reindeer that eats pie, what next a Llama eating crow! ;-)
 
daddyfix
just joined
Topic Author
Posts: 18
Joined: Mon Dec 14, 2020 4:25 pm

Re: Please save my Christmas VPN Network  [SOLVED]

Sat Mar 13, 2021 10:34 pm

Today is Mar 13 2021.... My WireGuard connection failed after I rebooted the MikroTik.

Use this to connect the two networks (WireGuard clients and LAN). The WireGuard default server port is 51820:
/ip firewall nat add chain=dstnat dst-port=<internet port> action=dst-nat protocol=udp to-addresses=<IP to Wireguard Server> to-ports=51820
