zoltix
just joined
Topic Author
Posts: 20
Joined: Mon Jul 01, 2013 11:10 pm

v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Sun Dec 12, 2021 8:53 pm

Hello,
Since this morning I have been trying to configure my old rb951G with WireGuard to route all traffic through the VPN.
First, I did a complete reset and updated my router to version 7.1 (stable).
The configuration file from my provider:

[Interface]
PrivateKey = Privxxxxxxxxxxxxxx
Address = 192.168.140.2/32
DNS = 109.236.87.2, 23.237.56.98

[Peer]
PublicKey = PubXXXXXXXXXX
AllowedIPs = 0.0.0.0/0
Endpoint = 62.X.X.X:443

After that, in winbox, I configured an interface for wireguard (translated in the script)

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key=Privxxxxxxxxxxxxxx
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=62.X.X.X endpoint-port=443 interface=wireguard1 public-key=PubXXXXXXXXXX

My interface seems to be correct and working, but no new IP address appears in /ip address print.

IP DHCP client: unchecked "use dns peer" and "use dns ntp" as well (I also tried to modify the value of "Default route Distance")
IP DNS: I configured static DNS with Google (8.8.8.8 and 8.8.4.4) and unchecked in the
IP address: /add address=192.168.140.2/32 interface=wireguard1 network=192.168.140.2

Here I tried 2 things:
1) I tried to change
/interface list change wan to wireguard1. But it is not working.

2) In firewall NAT, create a rule with masquerade with wireguard1 as output interface and disable the old one.
Firewall FILTER: create 3 rules: accept all input, output, forward.
Create a new route 0.0.0.0/24 to wireguard1.
Not working.
Can you help me configure a VPN client with WireGuard to route all traffic through the VPN?

Thanks in advance
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Sun Dec 12, 2021 9:32 pm

First off, what is the network design?

Are you going out to the internet through a WireGuard tunnel to your provider?
MT is the client and the cloud provider site is the server???

If so, then at your end you don't need a complete setup.
Here is what it should look like!

INTERFACE WG (your device)
Name: Wireguard-Provider
Listen Port: Not required
private key ( for internal MT use)
Public key (what the provider will need from you)

PEER WG (settings to connect to their device)
Name: (same as above)
Public Key: The one the provider gave you!
Endpoint: The WANIP of the provider or their dyndns URL
Endpoint Port: The Port that the provider gave you to use.
Allowed Addresses: 0.0.0.0/0 (that will allow you to use any destination IP address through the tunnel, assuming you're using the provider to go out to the internet)
Preshared key not used
Persistent Keep Alive, set at something like 30 secs.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Sun Dec 12, 2021 9:38 pm

You are making many unnecessary changes to your config.........no need!

Please post your FULL config
/export hide-sensitive file=anynameyouwish
(ensure you hide your own WANIP and gateway and the public IP of the Server).

The question I have is who do you want to use the tunnel and when?
How many subnets or VLANs do you have?

In other words describe the use cases for the tunnel....which will help drive any changes to the config.
 
zoltix
just joined
Topic Author
Posts: 20
Joined: Mon Jul 01, 2013 11:10 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Sun Dec 12, 2021 10:06 pm

Hi,
Thank you for your quick answers.
I already tested the VPN with my laptop (Linux). It works fine.
PS: I'm sorry, I'm not a network specialist. I am learning.
My topology is simple and I would like my router to be a VPN box:
VPNProvider -> tunnel (WireGuard) through internet -> MikroTik (VPN client) -> LAN.
I was inspired by this link: https://myvpn.run/support/mikrotik
The configuration of my router:
# dec/12/2021 20:48:49 by RouterOS 7.1
# software id = G8HE-TXJB
#
# model = 951G-2HnD
# serial number = 46990236E84B
/interface bridge
add admin-mac=D4:CA:6D:07:1B:31 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-071B35 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wireguard1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=62.X.X.X endpoint-port=\
    443 interface=wireguard1 public-key=\
    "XXXXXXXXXXXXXXI="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.140.2 interface=wireguard1 network=192.168.140.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=wireguard1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.20.1%ether1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Brussels
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.  [SOLVED]

Sun Dec 12, 2021 11:05 pm

/interface wireguard
add name=wireguard1 private-key=Privxxxxxxxxxxxxxx
/interface wireguard peers
add interface=wireguard1 endpoint-address=62.X.X.X endpoint-port=443 public-key="PubXXXXXXXXXX" allowed-address=0.0.0.0/0
/ip address
add interface=wireguard1 address=192.168.140.2
/ip route
add dst-address=62.X.X.X comment=wgserver disabled=yes
add dst-address=0.0.0.0/0 gateway=wireguard1
/ip dhcp-client
add add-default-route=no interface=ether1 script=":local route [/ip route find comment=\"wgserver\"]\r\
    \n:if (\$bound=1) do={\r\
    \n  /ip route set \$route gateway=\$\"gateway-address\" disabled=no\r\
    \n} else={\r\
    \n  /ip route set \$route disabled=yes\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/interface list member
add interface=wireguard1 list=WAN
/ip dns
set allow-remote-requests=yes servers=109.236.87.2,23.237.56.98
 
zoltix
just joined
Topic Author
Posts: 20
Joined: Mon Jul 01, 2013 11:10 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Sun Dec 12, 2021 11:41 pm

Yippee, it works. But right after applying your settings, nothing happened. I restarted the router and it works like a charm.

Remark: I had to delete the existing DHCP client and recreate it with your script.
Maybe you can explain the DHCP script that modifies the routes to me?

Thanks
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Mon Dec 13, 2021 12:03 am

If you want to route everything through WG, you need the route to the WG server (one IP address) to still use your ISP's gateway. The script takes care of that. It finds the prepared route (by comment), sets the gateway and enables it. If the DHCP client loses its address, it again finds the route and disables it (even though it's not strictly necessary). And since there's no other route except via WG, you don't need to worry about leaks. Either WG works and you have access to the internet, or it doesn't and there's no access to anywhere.
 
zoltix
just joined
Topic Author
Posts: 20
Joined: Mon Jul 01, 2013 11:10 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Mon Dec 13, 2021 12:12 am

One last thing:
Script=":local route [/ip route find comment=\"wgserver\"]\r\
    \n:if (\$bound=1) do={\r\
    \n  /ip route set \$route gateway=\$\"gateway-address\" disabled=no\r\
    \n} else={\r\
    \n  /ip route set \$route disabled=yes\r\
    \n}"
In line 2, the variable substitution for "$bound": I don't understand where the value comes from?

Thanks again
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Mon Dec 13, 2021 1:14 am

That, with a few others, is set by the DHCP client:
bound - 1 - lease is added/changed; 0 - lease is removed
server-address - server address
lease-address - lease address provided by server
interface - name of interface on which client is configured
gateway-address - gateway address provided by server
vendor-specific - stores value of option 43 received from DHCP server
lease-options - array of received options
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Mon Dec 13, 2021 4:30 am

There is a clear and simple way to get from x to y, and you have complicated things for a new beginner with scripts.................

Firstly, I would ask the OP to figure out what he really wants before jumping in.
For example, does the OP want all his internet traffic to go through the VPN?
Does he want the users to go through the normal ISP if the tunnel is not working for any reason?

Does the OP want a split scenario: if he plugs in his laptop it goes through the VPN tunnel, but most of the other users or specific devices use the regular internet/WANIP?

If one has email with the ISP provider, going through the tunnel may not work............
So there are other considerations..........

There is no need for an address for the wg interface either.....
If it's a simple case of the only subnet he has all going through the tunnel for internet, then one only needs to add one route with a route rule.
dest 0.0.0.0/0 Gateway=ISP gateway IP (if the tunnel breaks then the users will still have access to the internet through this route depending on route rule)
dst 0.0.0.0/0 Gateway=WG interface routing-table=VPNTUNNEL

Route Rule: src address =subnet of bridge / Action: lookup in Table / Table: VPNTUNNEL ( if you want them to be able to use the regular WAN if tunnel is down)
Route Rule: src address =subnet of bridge / Action: lookup ONLY in Table / Table: VPNTUNNEL ( if tunnel is down, then no traffic is passed. )
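
To make the difference between the two designs in this thread concrete (Sob's single default route with the host route toggled by the DHCP-client script, and anav's main/VPNTUNNEL tables selected by a route rule), here is an added Python model of the route lookups; it is not from any post in the thread. The endpoint 62.0.0.1 is a constructed stand-in for the masked 62.X.X.X, the ISP gateway is the one in the OP's export, and "tunnel down" is modelled as the wireguard1 route becoming inactive.

```python
import ipaddress

# Constructed stand-in for the provider endpoint the thread masks as 62.X.X.X.
WG_SERVER = "62.0.0.1"
# ISP gateway the DHCP client hands out (192.168.20.1%ether1 in the OP's export).
ISP_GW = "192.168.20.1"


class Route:
    """One routing-table entry: destination prefix, gateway (IP or interface), table, state."""

    def __init__(self, dst, gateway, table="main", active=True):
        self.dst = ipaddress.ip_network(dst)
        self.gateway = gateway
        self.table = table
        self.active = active


def lookup(routes, dst, table="main"):
    """Longest-prefix match over the active routes of one table; None when nothing matches."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if r.active and r.table == table and ip in r.dst]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.dst.prefixlen).gateway


def sob_routes(dhcp_bound):
    """Sob's design: one default route via wireguard1 plus the /32 host route to the WG
    server. The DHCP-client script points that route at $"gateway-address" and enables it
    on bound=1, and disables it on bound=0."""
    return [
        Route("0.0.0.0/0", "wireguard1"),
        Route(WG_SERVER + "/32", ISP_GW, active=dhcp_bound),
    ]


def anav_routes(tunnel_up):
    """anav's design: default via the ISP in table main, default via wireguard1 in table
    VPNTUNNEL. tunnel_up=False models the wireguard1 route going inactive (an assumption
    of this model: RouterOS only does that when the interface itself stops running)."""
    return [
        Route("0.0.0.0/0", ISP_GW),
        Route("0.0.0.0/0", "wireguard1", table="VPNTUNNEL", active=tunnel_up),
    ]


def rule_lookup(routes, dst, action):
    """Route-rule semantics for LAN sources: 'lookup' falls back to table main when
    VPNTUNNEL has no usable route, 'lookup-only-in-table' does not."""
    gw = lookup(routes, dst, "VPNTUNNEL")
    if gw is None and action == "lookup":
        gw = lookup(routes, dst, "main")
    return gw


def next_hop_sob(dst, dhcp_bound=True):
    """Next hop for any packet under Sob's design (LAN and router traffic share table main)."""
    return lookup(sob_routes(dhcp_bound), dst)


def next_hop_anav(dst, action, tunnel_up=True):
    """Next hop for a LAN-sourced packet under anav's design with the given rule action."""
    return rule_lookup(anav_routes(tunnel_up), dst, action)


if __name__ == "__main__":
    print("sob  1.1.1.1, lease ok    ->", next_hop_sob("1.1.1.1"))             # wireguard1
    print("sob  endpoint, lease ok   ->", next_hop_sob(WG_SERVER))             # 192.168.20.1
    print("sob  endpoint, lease lost ->", next_hop_sob(WG_SERVER, False))      # wireguard1: tunnel cannot rebuild
    print("sob  1.1.1.1, lease lost  ->", next_hop_sob("1.1.1.1", False))      # wireguard1: never the ISP
    print("anav lookup, tunnel down  ->", next_hop_anav("1.1.1.1", "lookup", False))                # ISP: plaintext fallback
    print("anav lookup-only, down    ->", next_hop_anav("1.1.1.1", "lookup-only-in-table", False))  # None: kill switch
```

The last two lines are the security trade-off anav describes in his two route-rule variants: "lookup" keeps users online over the ISP when the tunnel fails, "lookup-only-in-table" blackholes them instead, which is the only one of the two that matches Sob's "no leaks" property.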
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Mon Dec 13, 2021 5:03 am

OP's wish, as indicated in the first post, is:
to route all traffic through the vpn
Isn't it true that it's exactly what my solution accomplishes? :) All traffic, including the router's (*), gets routed through the WG tunnel.

(*) Except traffic to server's address, because that has to go to ISP. And I admit that I took a shortcut and it's all traffic to server's address, not just the port used for WG.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Mon Dec 13, 2021 5:09 am

There is no need for an address for the wg interface either.....
Then how will it work? What source address will the router use for outgoing tunneled traffic? Isn't it likely that the server allows the client to use only that one address? It's true that it doesn't have to be assigned to the router, but then you'd need a srcnat rule with it.
 
zoltix
just joined
Topic Author
Posts: 20
Joined: Mon Jul 01, 2013 11:10 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Mon Dec 13, 2021 12:41 pm

Sorry, I wasn't clear in my question.
I understand what you said and I thank you for it.
My question was simply about scripting. I don't understand where the value of the "$bound" variable in line 3 of the code comes from.
if (\$bound=1)
Script=":local route [/ip route find comment=\"wgserver\"]\r\
    \n:if (\$bound=1) do={\r\
    \n  /ip route set \$route gateway=\$\"gateway-address\" disabled=no\r\
    \n} else={\r\
    \n  /ip route set \$route disabled=yes\r\
    \n}"
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Mon Dec 13, 2021 12:59 pm

Once again, it's one of the variables set by the DHCP client. Maybe instead of quoting the manual, a link to it will be better?

https://wiki.mikrotik.com/wiki/Manual:I ... Properties
 
zoltix
just joined
Topic Author
Posts: 20
Joined: Mon Jul 01, 2013 11:10 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Mon Dec 13, 2021 2:12 pm

thanks so much
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Mon Dec 27, 2021 12:05 am

There is no need for an address for the wg interface either.....
Then how will it work? What source address will the router use for outgoing tunneled traffic? Isn't it likely that the server allows the client to use only that one address? It's true that it doesn't have to be assigned to the router, but then you'd need a srcnat rule with it.
No comment at this time, executive privilege, the 5th and all that.
 
thund3r
just joined
Posts: 6
Joined: Wed Feb 18, 2015 11:11 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Thu Mar 03, 2022 4:33 am

@Sob
I tried this configuration on RouterOS 7.1.1, but it's not working.
I can ping 192.168.140.2 and 192.168.140.1 from both sides,
but routing to other addresses didn't work:
/interface wireguard
add name=wireguard1 private-key=Privxxxxxxxxxxxxxx
/interface wireguard peers
add interface=wireguard1 endpoint-address=62.X.X.X endpoint-port=443 public-key="PubXXXXXXXXXX" allowed-address=0.0.0.0/0
/ip address
add interface=wireguard1 address=192.168.140.2
/ip route
add dst-address=62.X.X.X comment=wgserver disabled=yes
add dst-address=0.0.0.0/0 gateway=wireguard1
/ip dhcp-client
add add-default-route=no interface=ether1 script=":local route [/ip route find comment=\"wgserver\"]\r\
    \n:if (\$bound=1) do={\r\
    \n  /ip route set \$route gateway=\$\"gateway-address\" disabled=no\r\
    \n} else={\r\
    \n  /ip route set \$route disabled=yes\r\
    \n}" use-peer-dns=no use-peer-ntp=no
/interface list member
add interface=wireguard1 list=WAN
/ip dns
set allow-remote-requests=yes servers=109.236.87.2,23.237.56.98
Can you clarify?
1) Do we need to set up WAN or the wireguard out-interface in the NAT masquerade rule?
2) Must NAT be on the WireGuard server?


Configuration for wireguard server (debian)
[Interface]
Address = 192.168.140.1/24
DNS = 1.1.1.1
PrivateKey = 
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5  -j MASQUERADE

[Peer]
#Peer #1
PublicKey = 
PresharedKey = 
AllowedIPs = 192.168.140.2/24, 172.16.0.0/16
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Thu Mar 03, 2022 5:56 am

1) If the server thinks that the client has only a single address (i.e. it doesn't have a route to the client's LAN), then you need srcnat/masquerade on the client's WG interface. But your config looks like there's a route, so it's not necessary.

2) If the server is also under your control, you'll need srcnat/masquerade there too for outgoing traffic (unless you have enough public addresses to give one to the client).
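
An added Python check (not from the thread) for point 1 above: on the server, WireGuard's cryptokey routing drops a decrypted packet whose source address lies outside the sending peer's AllowedIPs, so a client whose LAN is not listed there must srcnat LAN traffic to its tunnel address. It uses thund3r's server-side AllowedIPs, the LAN 172.16.1.0/24 from his route table further down, and a constructed provider-style peer that only lists the single tunnel address for comparison.

```python
import ipaddress


def parse_allowed_ips(allowed):
    """Parse a peer's AllowedIPs string. strict=False mirrors wg, which turns a host
    address with a short mask such as 192.168.140.2/24 into the network 192.168.140.0/24."""
    return [ipaddress.ip_network(a.strip(), strict=False)
            for a in allowed.split(",") if a.strip()]


def server_accepts_source(allowed, src_ip):
    """Cryptokey routing on the server: after decryption a packet from this peer is kept
    only if its source lies inside the peer's AllowedIPs, otherwise it is silently dropped."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in parse_allowed_ips(allowed))


def client_needs_masquerade(allowed, lan_prefix):
    """True when the client LAN is not fully covered by AllowedIPs, i.e. the MikroTik must
    srcnat/masquerade LAN traffic to its tunnel address before it enters wireguard1."""
    lan = ipaddress.ip_network(lan_prefix, strict=False)
    return not any(lan.subnet_of(net) for net in parse_allowed_ips(allowed))


# thund3r's server-side peer entry (LAN route present) and a constructed provider-style
# peer that only knows the client's single tunnel address.
THUND3R_PEER = "192.168.140.2/24, 172.16.0.0/16"
PROVIDER_PEER = "192.168.140.2/32"
CLIENT_LAN = "172.16.1.0/24"   # from thund3r's route table (DAc 172.16.1.0/24 bridge)

if __name__ == "__main__":
    for name, allowed in (("thund3r", THUND3R_PEER), ("provider", PROVIDER_PEER)):
        print(name, "| server accepts 172.16.1.10:", server_accepts_source(allowed, "172.16.1.10"),
              "| client must masquerade:", client_needs_masquerade(allowed, CLIENT_LAN))
```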
 
thund3r
just joined
Posts: 6
Joined: Wed Feb 18, 2015 11:11 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Thu Mar 03, 2022 12:40 pm

@Sob
Thank you for your answer!
That's strange.
Here is a diagram of my network

I don't know why my image is not showing?
https://pasteboard.co/z7yxq65vpXp3.png

I ran your configuration with the script running on the start of the DHCP client and I have these routes:
# /etc/wireguard# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
# /etc/wireguard# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   89  6865 MASQUERADE  all  --  *      ens5    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Wireguard server configuration
[Interface]
Address = 192.168.100.1/24
DNS = 1.1.1.1
PrivateKey = 
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5  -j MASQUERADE

[Peer]
#Peer #1
PublicKey = 
PresharedKey = 
AllowedIPs = 192.168.100.2/24, 172.16.0.0/16
Route table on the mikrotik router
> ip route/ print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS       GATEWAY          DISTANCE
0  As+ 0.0.0.0/0         aws-wg                  1
;;; wgserver
1  As  5.5.5.5/32    3.3.3.3         1
  DAc  3.3.3.0/23  ether1                  0
  DAc  172.16.1.0/24     bridge                  0
  DAc  192.168.100.0/24  aws-wg                  0
Also, I added the aws-wg interface to the list of WAN interfaces.
I opened all input, output, forward traffic on the MikroTik.
I tried both with and without NAT settings, both on the server and the router.

I managed to:
ping:
wg server <-> wg client (192.168.100.1 <-> 192.168.100.2)
work station <-> wg server (172.16.1.10 <-> 192.168.100.1)
wg server -> internet (192.168.100.1 -> 1.1.1.1)

Not pinging:
172.16.1.1 (192.168.100.1) - 1.1.1.1
work station 172.16.1.10 - 1.1.1.1
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: v7.1[STABLE] rb951G : wireguard to route all traffic through the vpn.

Thu Mar 03, 2022 1:50 pm

Just so it's clear in my head. This variation of WireGuard is not routing some LAN members through a WireGuard tunnel; this is a scenario where one creates a tunnel for the WAN connection?
I am assuming this has to be a device behind a main router, or am I wrong?
(one has to have plain-jane internet to start with)..........

If so, what are the advantages or disadvantages of creating a tunnel with this functionality/pathway......??
