gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Wireguard Site to Site and road warrior combination

Tue Jan 10, 2023 3:56 pm

Hello,

I have a situation where I will have two offices connected by VPN (Wireguard).

Right now I have one office with a public IP, and I have 5-6 client PCs on remote locations that are connected to the office by Wireguard. That part is working fine.

But what worries me is that now I will have a second office, connected to the mobile network. I configured a site-to-site VPN as a test between my main office and the remote office and that worked, but only from PCs that are in the main office.

The first setup was: on the main router there are two wg interfaces, each one with its own IP address and a different port. One interface was for clients and the other one for the site-to-site VPN.

Then I tried the next thing: I deleted the second interface on the main router (the one with the public IP), added the remote router as a client and added static routes to the main table. Result? The tunnel is established without a problem, but I can ping the main network from the remote network and not vice versa.

My question, until tomorrow when I can post the configurations, is: is there any rule on how to solve this?

Today was just an experiment and I was unable to find a solution to this on the internet.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Tue Jan 10, 2023 6:48 pm

Love to help............... fun for me!
BUT.........
Need proper set of requirements, don't want to chase a moving target.
SO

a. list/identify the user(s), or groups of users
b. Detail what traffic flows they should be able to do and not to do
c. include the admin and here you need to specify from where to where for what purpose

Note: C will take the most time,
- admin at location R1, will that person config R1 from there, R2 from there?
- admin at location R2, will that person config R1 from there, R2 from there?
- admin at road warrior location ( what purposes )

NOTE: for users above, detail.
R1 local users needs
R2 local users needs
remote warriors needs........

Assumptions Clear:
- R1 is the router with a publicly accessible WANIP and thus the server for connection purposes.............
- R2 does not have a public IP and thus cannot act as a server for connection purposes......

viewtopic.php?t=182340
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Tue Jan 10, 2023 8:36 pm

So, for now I can give you this information, until tomorrow when I will post the R1 and R2 configs.

First things first, if someone asks why not simply use Wireguard client software... Well, these devices are not PCs but part of a security system, and they are managed by configuration software via LAN, so my only option is to use a site-to-site VPN.

a. All users on the main network (R1 router) should have access to the remote network (R2 router).
All road warrior users should have access to the remote network (R2 router) via the main network (R1 router), as both the remote network (mobile LTE network) and the road warriors do not have public IPs. (They all need access because technicians need to have remote access in case support is needed.)

b. For now the traffic flow is road warriors to the main network (R1 router) and vice versa. What is needed is traffic flow from the main network (R1 router) to the remote network (R2 router) (later, when real PCs are installed on the remote network, traffic should go in both directions), and road warriors to the remote network (R2 router).

c. Admin access to the remote router R2 from R1 and from one of the road warriors (Winbox).
No admin access from R2 to R1.

If I missed something or if any other information is needed, no problem.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Wed Jan 11, 2023 7:48 am

So here is the current setup:

Remote router R2
# jan/11/2023 06:16:58 by RouterOS 7.6
# software id = ---------
#
# model = RBwAPR-2nD
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface lte
# A newer version of modem firmware is available!
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-8DADB3 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_VPN_STS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telemach.hr ip-type=ipv4 name=Telemach \
    use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.1/24,192.168.1.0/24 endpoint-address=172.217.22.14 \
    endpoint-port=13231 interface=WG_VPN_STS public-key=\
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
/ip address
add address=192.168.10.1/24 comment=LAN interface=bridge network=192.168.10.0
add address=10.0.0.6 comment=VPN interface=WG_VPN_STS network=10.0.0.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=VPN dst-port=13231 in-interface=lte1 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=WG_VPN_STS \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

And main router R1:

# jan/11/2023 06:33:00 by RouterOS 7.6
# software id = ---------
#
# model = RB760iGS
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
/interface wireguard
add comment=Interface_1_S_to_C listen-port=13231 mtu=1420 name=WG_VPN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.3/32 comment="----------" interface=WG_VPN \
    public-key="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
add allowed-address=10.0.0.4/32 comment="----------" interface=WG_VPN \
    public-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
add allowed-address=10.0.0.2/32 comment="----------" interface=\
    WG_VPN public-key="DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD="
add allowed-address=10.0.0.5/32 comment="----------" \
    interface=WG_VPN public-key=\
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE="
add allowed-address=10.0.0.6/32,192.168.10.0/24 comment="remote R2" interface=\
    WG_VPN public-key="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.1.1/24 comment=LAN interface=bridge network=192.168.1.0
add address=172.217.22.14/30 comment=WAN interface=ether1 network=172.217.22.12
add address=10.0.0.1/24 comment="VPN S to C" interface=WG_VPN network=\
    10.0.0.0
/ip arp
add address=192.168.1.3 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
-------------------------------------------------------------------------------
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.24,172.217.10.75,172.217.10.76
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment="Winbox VPN config" dst-port=8291 \
    in-interface=WG_VPN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=WG_VPN \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured_HexS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

With this setup I can ping the main network from the remote network but not vice versa.

Public IP, DNS servers, Wireguard ports and public keys are changed.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination  [SOLVED]

Wed Jan 11, 2023 5:17 pm

R2
(1)Allowed IPs........
TO:
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.1.0/24 endpoint-address=172.217.22.14 \
endpoint-port=13231 interface=WG_VPN_STS public-key=\

(2) Input chain: this rule is only required on the server device for connections and can be removed.... R2 is only a client.........
add action=accept chain=input comment=VPN dst-port=13231 in-interface=lte1 \
protocol=udp


(3) Firewall input chain rules are lacking............ too loose........ add!! and in proper order....

TO:
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"

Note: I saw out of sequence after, in the rules some more input chain rules near the end, but they should be now removed except for the default rule invalid which I added to the top set of rules above.

Where firewall address list of authorized looks something like.
add IPaddress of local admin on R2 list=Authorized
add IPaddress of remote admin on R1 list=Authorized
add IPaddress of remote admin on wireguard (aka home pc or mobile laptop or iphone, you could have several to add here)


(4) On the forward chain firewall rules this is where you should define who can access the local subnet..........
TO:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward


That is the starting point, then we need to add rules for wireguard access.
So you have this.......
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN

add action=accept chain=forward in-interface=WG_VPN_STS dst-address=192.168.10.0/24 { allows all road warriors and R1 users coming over WG to access the local LAN }
add action=accept chain=forward in-interface=bridge out-interface=WG_VPN_STS { enables pinging currently and future R2 to R1 traffic when permitted at the far side }
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward


++++++++++++++++++++++++++++++++++++++++++++

R1

Firewall rules...... Again this is what needs the most work, fixed below....... ( note the fasttrack rule in the forward chain comes before the accept established rule )

/ip firewall filter
{ Input Chain }
(default rules)
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

(user rules)
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
in-interface=ether1 protocol=udp
add action=accept chain=input src-address-list=Management
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
{ Forward Chain }
(default rules)
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

(user rules)
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward in-interface=WG_VPN out-interface=WG_VPN { allows remote warriors to enter R1 (exit tunnel) and then head to R2 (re-enter tunnel) }
add action=accept chain=forward in-interface=WG_VPN src-address-list=Permitted dst-address=192.168.1.0/24 { allow remote warrior users to access the local subnet but not R2 users }
add action=drop chain=forward comment="drop all else"

Note: where firewall address list of Management consists of
add ip address=local admin at R1 list=Management
add ip address=remote admin roadwarrior via WG list=Management

Note: where firewall address list Permitted consists of
add IPaddress 10.0.0.2 list=Permitted
add IPaddress 10.0.0.3 list=Permitted
add IPaddress 10.0.0.4 list=Permitted
add IPaddress 10.0.0.5 list=Permitted

Note: when you decide to allow R2 users to access the R1 local subnet, then you can modify the rule too ( and get rid of the authorized list Permitted )
add action=accept chain=forward in-interface=WG_VPN dst-address=192.168.1.0/24
+++++++++++++++++++++++++++++++++++++++++++++++++++++
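Item (1) above changes the R2 peer's allowed-address to the whole 10.0.0.0/24 tunnel subnet. The following added example (not from the thread) models WireGuard's cryptokey routing over the R1 and R2 peer tables posted above, to show why the road warriors relayed through R1 need that wider entry and why a peer cannot inject traffic with a source outside its own allowed-addresses; the peer names rw-B .. rw-E (after the placeholder keys), the sample addresses and the site-to-site-only table are constructed, and routing into the tunnel is assumed to already be in place.

```python
"""Added example (not from the thread): how WireGuard's cryptokey routing
applies the allowed-address lists from the R1 and R2 peer tables above.
Outbound, a packet goes to the peer whose allowed-address has the longest
prefix matching the destination; inbound, a decrypted packet is accepted
only if its source lies inside the allowed-address list of the peer it came
from.  Peer names (rw-B .. rw-E after the placeholder keys) and the sample
addresses are constructed; routing into the tunnel is assumed to be in place."""
import ipaddress
from typing import Dict, List, Optional

# R1 peer table as posted ("remote R2" carries the R2 LAN behind it).
R1_PEERS: Dict[str, List[str]] = {
    "rw-B": ["10.0.0.3/32"],
    "rw-C": ["10.0.0.4/32"],
    "rw-D": ["10.0.0.2/32"],
    "rw-E": ["10.0.0.5/32"],
    "remote R2": ["10.0.0.6/32", "192.168.10.0/24"],
}
# R2 peer table with fix (1): the whole 10.0.0.0/24 tunnel subnet, so road
# warriors relayed through R1 are accepted as well as R1 itself.
R2_PEERS_FIXED: Dict[str, List[str]] = {"R1": ["10.0.0.0/24", "192.168.1.0/24"]}
# Constructed contrast: a site-to-site-only table that admits just R1's own
# tunnel address and the R1 LAN.
R2_PEERS_STS_ONLY: Dict[str, List[str]] = {"R1": ["10.0.0.1/32", "192.168.1.0/24"]}


class CryptokeyTable:
    """Minimal model of one WireGuard interface's allowed-address table."""

    def __init__(self, peers: Dict[str, List[str]]):
        self.entries = [(ipaddress.ip_network(net, strict=False), name)
                        for name, nets in peers.items() for net in nets]

    def select_peer(self, dst: str) -> Optional[str]:
        """Outbound: longest-prefix match of dst over every peer's allowed-addresses."""
        addr, best = ipaddress.ip_address(dst), None
        for net, name in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name)
        return best[1] if best else None

    def accepts_from(self, peer: str, src: str) -> bool:
        """Inbound: src must lie in the allowed-addresses of the peer that sent it."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net, name in self.entries if name == peer)


def trace_road_warrior(src: str = "10.0.0.3", dst: str = "192.168.10.20",
                       r2_peers: Dict[str, List[str]] = R2_PEERS_FIXED) -> Dict[str, object]:
    """Walk one road-warrior packet (rw-B -> R1 -> R2 LAN) and its reply."""
    r1, r2 = CryptokeyTable(R1_PEERS), CryptokeyTable(r2_peers)
    return {
        "r1_accepts_from_rw": r1.accepts_from("rw-B", src),   # rw-B may use 10.0.0.3
        "r1_sends_to": r1.select_peer(dst),                   # R2 LAN -> "remote R2"
        "r2_accepts_from_r1": r2.accepts_from("R1", src),     # needs 10.0.0.0/24 on R2
        "r2_reply_to": r2.select_peer(src),                   # reply back towards R1
        "r1_accepts_reply": r1.accepts_from("remote R2", dst),
        "r1_reply_to": r1.select_peer(src),                   # back to rw-B's /32
    }


if __name__ == "__main__":
    for label, peers in (("fixed", R2_PEERS_FIXED), ("site-to-site only", R2_PEERS_STS_ONLY)):
        print(label, trace_road_warrior(r2_peers=peers))
    # A road warrior presenting an R2 LAN source address is dropped by R1 before routing.
    print("spoofed R2 LAN source from rw-C accepted:",
          CryptokeyTable(R1_PEERS).accepts_from("rw-C", "192.168.10.20"))
```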
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Wed Jan 11, 2023 7:27 pm

Thank you @anav, tomorrow morning I will go through your configuration in peace, make the changes and report back here with the new configuration and results.

As I can see from your post, the only problem is the firewall rules? Or is this just a first step in repairing my configuration :lol:
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Wed Jan 11, 2023 7:40 pm

Hopefully just FW rules.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Wed Jan 11, 2023 8:02 pm

We will see tomorrow...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 8:18 am

Ok, so I tried to make the changes as you suggested and now I can't ping anything.

Here is new configuration:

R2
# jan/12/2023 06:44:46 by RouterOS 7.6
# software id = ---------
#
# model = RBwAPR-2nD
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-8DADB3 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_VPN_STS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telemach.hr ip-type=ipv4 name=Telemach \
    use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.1.0/24 endpoint-address=172.217.22.14 \
    endpoint-port=13231 interface=WG_VPN_STS public-key=\
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
/ip address
add address=192.168.10.1/24 comment=LAN interface=bridge network=192.168.10.0
add address=10.0.0.6 comment=VPN interface=WG_VPN_STS network=10.0.0.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.10.254 comment="Admin on R2" list=Authorized
add address=192.168.1.57 comment="Admin on R1" list=Authorized
add address=10.0.0.3 comment="Admin RW" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
    \_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
    in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
    R2 to R1 traffic when permitted at the far side" in-interface=bridge \
    out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
    connection-nat-state=dstnat
add action=drop chain=forward
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=WG_VPN_STS \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

R1:

# jan/12/2023 07:06:03 by RouterOS 7.6
# software id = ----------
#
# model = RB760iGS
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment=Interface_1_S_to_C listen-port=13231 mtu=1420 name=WG_VPN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.3/32 comment="----------" interface=WG_VPN \
    public-key="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
add allowed-address=10.0.0.4/32 comment="----------" interface=WG_VPN \
    public-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
add allowed-address=10.0.0.2/32 comment="----------" interface=\
    WG_VPN public-key="DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD="
add allowed-address=10.0.0.5/32 comment="----------" \
    interface=WG_VPN public-key=\
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE="
add allowed-address=10.0.0.6/32,192.168.10.0/24 comment="remote R2" interface=\
    WG_VPN public-key="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.1.1/24 comment=LAN interface=bridge network=192.168.1.0
add address=172.217.22.14/30 comment=WAN interface=ether1 network=172.217.22.12
add address=10.0.0.1/24 comment="VPN S to C" interface=WG_VPN network=\
    10.0.0.0
/ip arp
add address=192.168.1.3 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
----------------------------------------------------------------------------------------
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.24,172.217.10.75,172.217.10.76
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.57 list=Management
add address=10.0.0.2 list=Management
add address=10.0.0.3 list=Management
add address=10.0.0.2 list=Permitted
add address=10.0.0.3 list=Permitted
add address=10.0.0.4 list=Permitted
add address=10.0.0.5 list=Permitted
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
    in-interface=ether1 protocol=udp
add action=accept chain=input src-address-list=Management
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="allows remote warriors to enter R1 (e\
    xit tunnel) and then head to R2 (re-enter tunnel)" in-interface=WG_VPN \
    out-interface=WG_VPN
add action=accept chain=forward comment=\
    "allow remote warriors users to access local subnet but not R2 users" \
    dst-address=192.168.1.0/24 in-interface=WG_VPN src-address-list=Permitted
add action=drop chain=forward comment="drop all else"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment="Winbox VPN config" disabled=yes \
    dst-port=8291 in-interface=WG_VPN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=WG_VPN \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured_HexS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
EDIT:

Road warriors to R1 are working, I just tested it, but R1 and RW to R2 are not working. When I tried to log on to R2 from RW it says connection refused (MikroTik mobile app).
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 2:58 pm

So R2 is not connected at all via WireGuard?
Do you see in a log if R2 hits the input chain rule on R1?
Do you see any traffic on R1 indicating at least the keepalives from R2?

Let's look at R2.
1. You have the correct port number for the wg interface, 13231.
2. Allowed addresses are set correctly to allow any incoming WireGuard ping traffic from R1 or road warriors, and you have allowed any users from R1 and RWs.......

I will assume you have not mixed up the keys between the two devices!! Will assume the endpoint address is correct.

3. The IP address is incorrect. I should have spotted that earlier, but it could make a difference! Since this is a MT device..
Should be
add address=10.0.0.6/24 comment=VPN interface=WG_VPN_STS network=10.0.0.0

4. The first input chain rule is in the wrong order, it should be first........( you don't need the ipsec forward chain rules so let's dump those to make the config cleaner, and the fasttrack rule should be first in the forward chain, and you didn't remove some of the redundant rules..........
Out of order in orange and rules to remove in purple.

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec

++++++++++++++++++++++++++++++++++
The fasttrack rule should be FIRST in the forward chain ( since we don't need the ipsec rules in your scenario you can remove them too)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes

++++++++++++++++++++++++++++++++++++++++++++++++++++
This should be the first rule in the input chain!
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked

add action=accept chain=forward comment="Allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
\_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
R2 to R1 traffic when permitted at the far side" in-interface=bridge \
out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
connection-nat-state=dstnat
add action=drop chain=forward
+++++++++++++++++
Remove these rules
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN


5. Looking at the allow rules........
The input chain looks good with only a few specified users with access to the config.
The forward chain looks good in that we allow road warriors and R1 users to exit the tunnel and visit the LAN, as well as all bridge users to enter the tunnel.

6. In terms of routes, the autogenerated route from the IP address will allow all routing of RWs etc. and the extra route for R1 users will allow for that return traffic to be handled.

In summary, the minor problems are the firewall and the major problem is probably due to the IP address, which could affect the auto-created route......
If fixing these problems does not solve it then the issue is with R1.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 3:13 pm

R2 looks good, I note that you have the correct order for firewall rules on this router!!!
But you need to get rid of the old rules you stuck at the end.........
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment="Winbox VPN config" disabled=yes \
dst-port=8291 in-interface=WG_VPN protocol=tcp



I would like to add one more user rule that is missing in the forward chain as shown below in blue..... and move the port forwarding rule as well.

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
"allow remote warriors users to access local subnet but not R2 users" \
dst-address=192.168.1.0/24 in-interface=WG_VPN src-address-list=Permitted
add action=accept chain=forward comment="allow R1 users to access tunnel for R2" \
src-address=192.168.1.0/24 out-interface=WG_VPN

add action=accept chain=forward comment="allows remote warriors to enter R1 \
(exit tunnel) and then head to R2 (re-enter tunnel)" in-interface=WG_VPN \
out-interface=WG_VPN
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 3:21 pm

So these are the new R2 firewall rules, I think this is okay now:
/ip firewall address-list
add address=192.168.10.254 comment="Admin on R2" list=Authorized
add address=192.168.1.57 comment="Admin on R1" list=Authorized
add address=10.0.0.3 comment="Admin RW" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
    \_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
    in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
    R2 to R1 traffic when permitted at the far side" in-interface=bridge \
    out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
    connection-nat-state=dstnat
add action=drop chain=forward
Still nothing
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 3:44 pm

The order is still not correct, what is the first rule of the input chain for example, and you didn't post a complete config so I have no idea if you fixed the IP address setting.
Also you didn't confirm if on R1 a request to connect was logged on the input chain rule from R2 etc...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 4:57 pm

Sorry, I had to go to another location so I was trying at least to post the firewall rule changes for R2.

Right now I'm at home so I have access to the R1 router but not R2. I'm not sure how to check if there is a request in the logs, I opened the logs but I can't find anything about WireGuard, only changes that I made.

I restarted the counters and I can see that anything related to WireGuard did not receive or transmit any packets.

As for the IP address, I changed /32 to /24 and the IP stayed the same, 10.0.0.6.

First rule on the input chain is accept ICMP.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 5:23 pm

As stated, this should be the first rule of the input chain on R2:
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked


Try this on R1 to see initial connection requests.....
FROM
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
in-interface=ether1 protocol=udp


TO:
add action=log chain=input dst-port=13231 protocol=udp log-prefix="Incoming WG Requests"
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
in-interface=ether1 protocol=udp


Also, post the latest config on R1 please since that should be accessible. Is it (R1) a static WANIP or can it change from time to time?
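The log rule anav adds above writes one `firewall,info` line for every UDP packet that reaches port 13231, so the question "is R2 even reaching R1?" can be answered from those lines rather than by guessing. The Python script below is an added example, not code from this thread or from MikroTik. It parses lines in the shape a prefixed `action=log` rule produces (the field layout of the constructed sample is assumed, not copied from a router), counts packets per source address, and separates handshake initiations from everything else by WireGuard's fixed message sizes: a handshake initiation is 148 bytes of payload, so 176 bytes on the wire with IPv4 and UDP headers, and an empty keepalive is 32 bytes, so 60 on the wire; the `len` field is assumed to be the IP total length. A source that only ever sends initiations, retried about every 5 seconds, was heard but never got a usable answer, which is how a public key mix-up looks from the hub; a source that never appears at all is not reaching the listen port, which is the case this thread is chasing. The source IPs in the sample are constructed documentation addresses; the destination is R1's WAN address from the posted config.

```python
"""Attribute WireGuard handshake attempts per source address from RouterOS
firewall log lines (added example, not code from the thread)."""
import re

# Constructed sample lines in the shape a prefixed 'action=log' rule writes;
# the exact RouterOS field layout is assumed, the source IPs are documentation ranges.
SAMPLE_LOG = """\
jan/12/2023 18:40:01 firewall,info Incoming WG Requests input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto UDP, 198.51.100.7:51820->172.217.22.14:13231, len 176
jan/12/2023 18:40:01 firewall,info Incoming WG Requests input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto UDP, 198.51.100.7:51820->172.217.22.14:13231, len 60
jan/12/2023 18:40:03 firewall,info Incoming WG Requests input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto UDP, 203.0.113.9:41641->172.217.22.14:13231, len 176
jan/12/2023 18:40:08 firewall,info Incoming WG Requests input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto UDP, 203.0.113.9:41641->172.217.22.14:13231, len 176
jan/12/2023 18:40:13 firewall,info Incoming WG Requests input: in:ether1 out:(unknown 0), src-mac 00:00:5e:00:53:01, proto UDP, 203.0.113.9:41641->172.217.22.14:13231, len 176
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info .*?proto UDP, "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

# WireGuard message sizes on the wire, assuming 'len' is the IPv4 total length
# (payload + 20-byte IP header + 8-byte UDP header):
#   handshake initiation 148 -> 176, handshake response 92 -> 120,
#   keepalive (empty transport message) 32 -> 60, real data is larger than 60.
HANDSHAKE_INIT_LEN = 176


def summarize(log_text, listen_port=13231):
    """Return {src: {"packets", "initiations", "other", "first", "last"}}
    for every source address that hit the WireGuard listen port."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != listen_port:
            continue
        s = stats.setdefault(m["src"], {"packets": 0, "initiations": 0,
                                        "other": 0, "first": m["ts"], "last": m["ts"]})
        s["packets"] += 1
        s["last"] = m["ts"]
        if int(m["len"]) == HANDSHAKE_INIT_LEN:
            s["initiations"] += 1
        else:
            s["other"] += 1
    return stats


def classify(stats, expected_peer_ips):
    """Give a verdict per expected public IP of a peer (for example R2's WAN address)."""
    verdicts = {}
    for ip in expected_peer_ips:
        s = stats.get(ip)
        if s is None:
            verdicts[ip] = "no packets: peer is not reaching the listen port at all"
        elif s["other"] > 0:
            verdicts[ip] = "handshake followed by transport data: tunnel came up"
        elif s["initiations"] >= 2:
            verdicts[ip] = ("initiations only, retried: the hub heard the peer but the "
                            "handshake never completed (key mismatch on either side, "
                            "or the reply never got back)")
        else:
            verdicts[ip] = "single initiation so far: inconclusive"
    return verdicts


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, verdict in classify(stats, ["198.51.100.7", "203.0.113.9", "192.0.2.44"]).items():
        print(f"{ip}: {verdict}")
```

Feed `classify()` the public address you expect R2 to come from (the "what's my IP" check from R2 that anav suggests later in the thread); the verdict for an address that never shows up separates an upstream reachability problem from a key or routing problem on the routers themselves.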
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 5:44 pm

So this is the latest R1 config, with the changes you suggested:
# jan/12/2023 16:37:04 by RouterOS 7.6
# software id = ---------
#
# model = RB760iGS
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment=Interface_1_S_to_C listen-port=13231 mtu=1420 name=WG_VPN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.3/32 comment="----------" interface=WG_VPN \
    public-key="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
add allowed-address=10.0.0.4/32 comment="----------" interface=WG_VPN \
    public-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
add allowed-address=10.0.0.2/32 comment="----------" interface=\
    WG_VPN public-key="DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD="
add allowed-address=10.0.0.5/32 comment="----------" \
    interface=WG_VPN public-key=\
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE="
add allowed-address=10.0.0.6/24,192.168.10.0/24 comment="remote R2" interface=\
    WG_VPN public-key="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.1.1/24 comment=LAN interface=bridge network=192.168.1.0
add address=172.217.22.14/30 comment=WAN interface=ether1 network=172.217.22.12
add address=10.0.0.1/24 comment="VPN S to C" interface=WG_VPN network=\
    10.0.0.0
/ip arp
add address=192.168.1.3 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
---------------------------------------------------------------------------------------------
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.24,172.217.10.75,172.217.10.76
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.57 list=Management
add address=10.0.0.2 list=Management
add address=10.0.0.3 list=Management
add address=10.0.0.2 list=Permitted
add address=10.0.0.3 list=Permitted
add address=10.0.0.4 list=Permitted
add address=10.0.0.5 list=Permitted
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=log chain=input dst-port=13231 log-prefix="Incoming WG Requests" \
    protocol=udp
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
    in-interface=ether1 protocol=udp
add action=accept chain=input src-address-list=Management
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow remote warriors users to access local subnet but not R2 users" \
    dst-address=192.168.1.0/24 in-interface=WG_VPN src-address-list=Permitted
add action=accept chain=forward comment=\
    "allow R1 users to access tunnel for R2" out-interface=WG_VPN \
    src-address=192.168.1.0/24
add action=accept chain=forward comment="allows remote warriors to enter R1 (e\
    xit tunnel) and then head to R2 (re-enter tunnel)" in-interface=WG_VPN \
    out-interface=WG_VPN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.10.0/24 gateway=WG_VPN routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured_HexS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
R1 WANIP is static and can't change, the DHCP client is disabled on R1 and the connection information is entered manually.

I still can't see anything in the logs, only that a user logged in from 10.0.0.2.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 6:30 pm

In allowed IPs on R1
FROM
add allowed-address=10.0.0.6/24,192.168.10.0/24 comment="remote R2" interface=\

TO
add allowed-address=10.0.0.6/32,192.168.10.0/24 comment="remote R2" interface=\

+++++++++++++++++++++++++++++++++++++++++
The log rule should show each time a new connection attempt is made from any user.
So fire one up from any remote warrior 10.0.0.3, 4, 5 and you should see it logged like you did for 10.0.0.2.

If you are not seeing an attempt from 10.0.0.6 ( you may know what public IP is used for that, as it's the only way to recognize for sure it came from R2 ), check what's my IP from R2 for example.
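The two configuration points anav has been checking by eye, rule order in `/ip firewall filter` (his earlier post on R2's chains) and the /32 versus /24 `allowed-address` on the R2 peer just above, can be checked mechanically against an export. The Python script below is an added example, not code from this thread or from MikroTik. It parses the RouterOS export syntax seen in the posted configs (backslash line continuations and the `\_` escape that stands for a space where a quoted string was wrapped), then reports, per chain, an established/related accept that is not the first enabled rule, a fasttrack rule placed after that accept (where it can never match, because accept is terminating), and any rule left behind an unconditional drop; and it reports WireGuard peers on the same interface whose `allowed-address` prefixes overlap. The overlap matters for more than routing: `allowed-address` is the set of source addresses WireGuard will accept from that peer after decryption, so a /24 on the R2 peer authorizes R2 to source traffic as any 10.0.0.x address that no other peer claims with a more specific entry, and R1's `Management` and `Permitted` address lists are keyed on exactly those addresses. The export excerpt in the script is constructed to resemble the posted R1 config, with placeholder keys.

```python
"""Lint a RouterOS export for rule-order problems in /ip firewall filter and
for overlapping WireGuard peer allowed-address prefixes (added example)."""
import ipaddress
import re
import shlex

# Constructed excerpt in RouterOS export syntax, modelled on the posted R1
# config with placeholder keys; not copied from a real router.
SAMPLE_EXPORT = r"""
/interface wireguard peers
add allowed-address=10.0.0.3/32 comment="road warrior A" interface=WG_VPN \
    public-key="BBBB="
add allowed-address=10.0.0.6/24,192.168.10.0/24 comment="remote R2" interface=\
    WG_VPN public-key="FFFF="
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input src-address-list=Management
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="allows road warriors\
    \_to reach the LAN" dst-address=192.168.1.0/24 in-interface=WG_VPN
add action=drop chain=forward comment="drop all else"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
"""


def parse_export(text):
    """Return [(section, {key: value})] for every 'add' line of an export.
    Joins backslash continuations and turns the backslash-underscore escape
    (a space at a wrapped string boundary) back into a space."""
    joined = re.sub(r"\\\n\s*", "", text).replace("\\_", " ")
    entries, section = [], None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            params = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
            entries.append((section, params))
    return entries


def check_filter_order(entries):
    """Per chain: established/related accept not first, fasttrack after it,
    and any rule (dead or disabled leftover) behind an unconditional drop."""
    chains, findings = {}, []
    for section, p in entries:
        if section == "/ip firewall filter":
            chains.setdefault(p.get("chain"), []).append(p)
    for chain, rules in chains.items():
        enabled, est_pos, drop_pos = 0, None, None
        for pos, r in enumerate(rules, start=1):
            disabled = r.get("disabled") == "yes"
            if drop_pos is not None:
                kind = "disabled leftover" if disabled else "unreachable"
                findings.append(f"{chain}: {kind} rule at position {pos} after "
                                f"the unconditional drop at position {drop_pos}")
                continue
            if disabled:
                continue
            enabled += 1
            action, state = r.get("action"), r.get("connection-state", "")
            matchers = set(r) - {"action", "chain", "comment", "disabled"}
            if action == "accept" and "established" in state:
                est_pos = pos
                if enabled != 1:
                    findings.append(f"{chain}: 'accept established,related' is at "
                                    f"position {pos}, it should be the first enabled rule")
            elif action == "fasttrack-connection" and est_pos is not None:
                findings.append(f"{chain}: fasttrack-connection at position {pos} comes "
                                f"after the established/related accept at position "
                                f"{est_pos}, so it never matches")
            elif action == "drop" and not matchers:
                drop_pos = pos
    return findings


def check_wg_allowed(entries):
    """Flag allowed-address prefixes of different peers on one interface that
    overlap: the broader entry authorizes its peer for every address in it
    that no more specific entry claims."""
    claims, findings = [], []
    for n, (section, p) in enumerate(entries):
        if section != "/interface wireguard peers":
            continue
        label = p.get("comment") or p.get("public-key", "?")[:8]
        for raw in filter(None, p.get("allowed-address", "").split(",")):
            claims.append((n, p.get("interface"), raw,
                           ipaddress.ip_network(raw, strict=False), label))
    for i, (na, ifa, rawa, neta, la) in enumerate(claims):
        for nb, ifb, rawb, netb, lb in claims[i + 1:]:
            if na != nb and ifa == ifb and neta.overlaps(netb):
                findings.append(f"{ifa}: peer '{la}' allowed-address {rawa} overlaps "
                                f"peer '{lb}' allowed-address {rawb}")
    return findings


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for finding in check_filter_order(parsed) + check_wg_allowed(parsed):
        print(finding)
```

Run it against a full `/export` and the three order findings reproduce what anav pointed out on R2, while the overlap finding reproduces his /24 to /32 fix on R1; on the spoke side a single hub peer with `10.0.0.0/24` raises nothing, because there is no second peer on that interface to overlap with.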
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 6:56 pm

I changed the CIDR as you suggested, and in the logs I can see firewall, info -> incoming wireguard request, and then the MAC address, src IP and dst IP, for my laptop and mobile phone, and in WireGuard peers I can see the last handshake was a couple of seconds ago, but nothing from R2.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 7:03 pm

Yeah it's tough to troubleshoot when you cannot access R2......
I have an SSTP backup through a third party to reach my R2 (similar setup).

The other thing is to ensure you have a script to restart the tunnel if down on R2.........
See para 6 - viewtopic.php?t=182340

I cannot recall if your R1 is a static WANIP, in which case that would not be needed, it should just connect ( but still need a user to initiate a tunnel ).
I wonder if the restart time on the WAN1IP takes too long, whether or not the R2 attempts to connect to it for wg will stop regardless. If so the script may still be a good idea.....

Can you confirm users at R2 can access their internet locally, ie get out to the WWW ????
Last edited by anav on Thu Jan 12, 2023 7:16 pm, edited 1 time in total.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 7:15 pm

Yes, R1 has a static WANIP, we upgraded our service to fiber a few months ago.

I can't access R2 until tomorrow :/ but I do have the same router at home... and a working data plan for it... If I upload the configuration to it, maybe this router can serve for testing? I could use the same IP, I only need to change the public keys in peers if I'm right?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 7:17 pm

Just create another peer on R1
allowed IPs=10.0.0.7/32

Can you confirm R2 users have internet access locally and can reach the www?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 7:21 pm

Looking at R2 what is the purpose of the ppp client usb ???

Also just for giggles add the following.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=Telemach list=WAN
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 7:34 pm

So I just connected my home router so I will change the configuration now.

I can confirm that both routers, the one that is in my office and now my router, can access the internet.

Regarding the ppp client usb, I really don't know, this router was brand new out of the box, the only thing I changed was the firmware, LTE firmware and the IP address from 88.1 to 10.1, this router doesn't even have a USB port, only one eth port...
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 7:40 pm

Just need to confirm R2 has internet access at this point............ as I don't see what else the issue could be...........
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 8:02 pm

R2 that's in my office has internet for sure. I can confirm that tomorrow. Should I proceed with the test router? Or do you suggest that I continue tomorrow? I can bring R2 home so I can continue with testing during the weekend.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 8:13 pm

Testing from the office location is best........ Taking it home will confirm that it's a location issue perhaps............
If you want to do more testing with another router it can't hurt.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 9:02 pm

So, I manually added every firewall rule, as for some reason when I run WinBox with Wine, when I enter the = sign the terminal reports an error...

This is the result:
# jan/12/2023 19:56:31 by RouterOS 7.6
# software id = -------------
#
# model = RBwAPR-2nD
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
add apn=telemach.hr ip-type=ipv4 name="Telemach bonovi"
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=\
    "Telemach bonovi" band=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=\
    Backup_AP_AUTH supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX \
    country=croatia disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge security-profile=Backup_AP_AUTH ssid=Backup_AP \
    wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.1.0/24 endpoint-address=172.217.22.14 \
    endpoint-port=13231 interface=WG_1 public-key=\
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.20.1/24 comment=defconf interface=ether1 network=\
    192.168.20.0
add address=10.0.0.7/24 interface=WG_1 network=10.0.0.0
/ip dhcp-server network
add address=192.168.20.0/24 comment=defconf gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.20.254 list=Authorized
add address=192.168.1.57 list=Authorized
add address=10.0.0.3 list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
    \_coming over WG to access the local LAN" dst-address=192.168.20.0/24 \
    in-interface=WG_1
add action=accept chain=forward comment="enables pinging currently and future \
    R2 to R1 traffic when permitted at the far side" in-interface=bridge \
    out-interface=WG_1
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=WG_1 routing-table=main \
    suppress-hw-offload=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
With this I managed to establish the tunnel and even ping the test router from R1, but not vice versa... Then I ran out of mobile data... so I don't have an internet connection on this router anymore...
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 9:05 pm

Well, drinking and configuring are not the best mix ;-)

What is that supposed to represent? You didn't identify what is what in the zoo..... Not sure what you are testing??
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Thu Jan 12, 2023 9:20 pm

I apologize for not being clear; this was my router at home. I saw that the WireGuard tunnel went up as I added firewall rules.

And I managed to ping that router from the main router R1. Pinging from my router to R1 didn't work, and now I'm not sure if the reason is the configuration or the fact that I used up all my data...

Yeah... As for drinking, I think a cold beer could solve the firewall rules :lol: :lol:

I will take the router from the office home tomorrow, because I think bringing in a third router will just cause more confusion... I will try to arrange the rules in the correct order.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 9:19 am

So a little update: just for fun, I tried to disable all drop rules on R2, and now I can establish the tunnel and I can ping from R1 to R2 and from RW to R2. But I noticed one thing: the tunnel is not established if I don't plug in a PC... as soon as I plugged in the PC, the tunnel was established.

So this should suggest that the problem is with the firewall rules on R2. Also I noticed that R2 can ping 8.8.8.8, but when I enter www.google.com I get the error "Ping request could not find host www.google.com".

So I pinpointed the problem to this firewall rule:
add action=drop chain=input comment="drop all else"
I moved it to the bottom of the filter rules and now it's working. The only problem now is with DNS.

New R2
# jan/13/2023 08:34:00 by RouterOS 7.6
# software id = ---------
#
# model = RBwAPR-2nD
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-8DADB3 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_VPN_STS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telemach.hr ip-type=ipv4 name=Telemach \
    use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.1.0/24 endpoint-address=172.217.22.14 \
    endpoint-port=13231 interface=WG_1 public-key=\
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.10.1/24 comment=LAN interface=bridge network=192.168.10.0
add address=10.0.0.6/24 comment=VPN interface=WG_VPN_STS network=10.0.0.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.10.254 comment="Admin on R2" list=Authorized
add address=192.168.1.57 comment="Admin on R1" list=Authorized
add address=10.0.0.3 comment="Admin RW" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input src-address-list=Authorized
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
    \_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
    in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
    R2 to R1 traffic when permitted at the far side" in-interface=bridge \
    out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
    connection-nat-state=dstnat
add action=drop chain=forward
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=WG_VPN_STS routing-table=\
    main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 1:28 pm

Moving the input chain rule "drop all else" is only valid if by mistake you had it located before other INPUT chain rules.
The router views the chains as separate, so there is no effect from moving an input chain rule to the end of the forward chain.

So you must have had it in the wrong spot?

What do you mean by DNS issue?
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 2:02 pm

It's possible that it was in the wrong spot; I think it was below the input rules but above the forward rules. So drop rules go after accept rules? And the same goes for forward rules?

For the DNS problems, well, I can ping e.g. 8.8.8.8, but when I tried to ping google.com the ping failed.

I'm taking that router home with me for more testing and to study the changes I made in more depth. I don't want to just copy-paste a configuration; my goal is to learn something.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 2:33 pm

No, there are no rules about accept and drop as you're implying. Each rule has a purpose, and that is what has to be understood.
In the context of a drop rule at the end of the input chain and one for the forward chain, the premise is that we
keep the necessary default rules, then we add the needed traffic for users, and finally drop all other traffic in that chain.

input: to the router (WAN to router, LAN to router)
forward: through the router (WAN to LAN, LAN to LAN, LAN to WAN)
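How RouterOS walks a filter chain, as an added example that is not anav's or MikroTik's code: a small Python simulation of top-down, first-match evaluation with the input and forward chains kept separate, loaded with the R2 rules from this thread. It shows both points made above: moving the input "drop all else" past the forward rules changes nothing, while placing it before the accept rules in its own chain drops the admin's and the LAN's DNS traffic. The interface lists, address list, sample packets and the WinBox port 8291 are constructed here, and modelling fasttrack-connection as a non-terminating action is my assumption.

```python
"""Simulation of RouterOS /ip firewall filter evaluation (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed to mirror the R2 config posted in the thread.
IFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"lte1"}}
ADDR_LISTS = {"Authorized": {"192.168.10.254", "192.168.1.57", "10.0.0.3"}}
# Assumption: these actions do not end evaluation; the packet goes on to the next rule.
NON_TERMINATING = {"fasttrack-connection", "log"}


@dataclass
class Packet:
    chain: str            # "input" = to the router, "forward" = through it
    src: str
    dst: str
    proto: str = "udp"
    dst_port: int = 0
    in_iface: str = ""
    out_iface: str = ""
    conn_state: str = "new"


def rule(chain, action, **matchers):
    """A filter rule: chain, action and matchers using RouterOS names."""
    return {"chain": chain, "action": action, **matchers}


def matches(r, p):
    """True when every matcher on rule r holds for packet p (chain included)."""
    if r["chain"] != p.chain:
        return False
    checks = {
        "connection-state": lambda v: p.conn_state in v.split(","),
        "protocol": lambda v: p.proto == v,
        "dst-port": lambda v: p.dst_port == v,
        "in-interface": lambda v: p.in_iface == v,
        "out-interface": lambda v: p.out_iface == v,
        "in-interface-list": lambda v: p.in_iface in IFACE_LISTS[v],
        "out-interface-list": lambda v: p.out_iface in IFACE_LISTS[v],
        "src-address-list": lambda v: p.src in ADDR_LISTS[v],
        "dst-address": lambda v: ipaddress.ip_address(p.dst)
        in ipaddress.ip_network(v),
    }
    return all(checks[k](v) for k, v in r.items() if k in checks)


def evaluate(rules, p):
    """Top-down, first terminating match wins; no match at all means accept."""
    for r in rules:
        if matches(r, p) and r["action"] not in NON_TERMINATING:
            return r["action"]
    return "accept"


# anav's recommended input chain, minus the final drop (kept separate below).
INPUT_ACCEPTS = [
    rule("input", "accept", **{"connection-state": "established,related,untracked"}),
    rule("input", "drop", **{"connection-state": "invalid"}),
    rule("input", "accept", protocol="icmp"),
    rule("input", "accept", **{"dst-address": "127.0.0.1"}),
    rule("input", "accept", **{"dst-port": 53, "in-interface-list": "LAN", "protocol": "tcp"}),
    rule("input", "accept", **{"dst-port": 53, "in-interface-list": "LAN", "protocol": "udp"}),
    rule("input", "accept", **{"src-address-list": "Authorized"}),
]
INPUT_DROP_ALL = rule("input", "drop", comment="drop all else")
FORWARD = [
    rule("forward", "fasttrack-connection", **{"connection-state": "established,related"}),
    rule("forward", "accept", **{"connection-state": "established,related,untracked"}),
    rule("forward", "drop", **{"connection-state": "invalid"}),
    rule("forward", "accept", **{"in-interface-list": "LAN", "out-interface-list": "WAN"}),
    rule("forward", "accept", **{"dst-address": "192.168.10.0/24", "in-interface": "WG_VPN_STS"}),
    rule("forward", "accept", **{"in-interface": "bridge", "out-interface": "WG_VPN_STS"}),
    rule("forward", "drop", comment="drop all else"),
]

RECOMMENDED = INPUT_ACCEPTS + [INPUT_DROP_ALL] + FORWARD          # anav's "TO" order
DROP_AFTER_FORWARD = INPUT_ACCEPTS + FORWARD + [INPUT_DROP_ALL]   # input drop last of all
DROP_TOO_EARLY = INPUT_ACCEPTS[:2] + [INPUT_DROP_ALL] + INPUT_ACCEPTS[2:] + FORWARD

# Constructed sample traffic; addresses follow the thread's numbering.
PACKETS = {
    "admin winbox from LAN": Packet("input", "192.168.10.254", "192.168.10.1", "tcp", 8291, "bridge"),
    "dns from LAN host": Packet("input", "192.168.10.50", "192.168.10.1", "udp", 53, "bridge"),
    "unsolicited UDP from internet": Packet("input", "203.0.113.9", "100.64.0.5", "udp", 13231, "lte1"),
    "LAN host to internet": Packet("forward", "192.168.10.50", "1.1.1.1", "tcp", 443, "bridge", "lte1"),
    "R1 user to R2 LAN over WG": Packet("forward", "192.168.1.57", "192.168.10.50", "icmp", 0, "WG_VPN_STS", "bridge"),
    "R2 LAN to R1 over WG": Packet("forward", "192.168.10.50", "192.168.1.57", "icmp", 0, "bridge", "WG_VPN_STS"),
}


def run(rules):
    """Verdict per sample packet for one rule ordering."""
    return {name: evaluate(rules, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    # Chains are independent: where the input drop sits among forward rules changes nothing.
    assert run(RECOMMENDED) == run(DROP_AFTER_FORWARD)
    # Within a chain, order is everything: the early drop swallows admin and DNS traffic.
    for name in PACKETS:
        print(f"{name:30} recommended={run(RECOMMENDED)[name]:6} too_early={run(DROP_TOO_EARLY)[name]}")
```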
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 4:29 pm

Is there any forum topic regarding the firewall and rules that you would recommend reading?

New update: I connected the router at home and now again there is no handshake between R2 and R1, and there is nothing in the R1 logs... I can't ping from R1 to R2, and if I try to connect to R2 from RW it says "connection refused" in the MikroTik app.

I really don't understand why it isn't working now... Oh yeah, and now I can ping google.com and I can use the browser... I didn't change anything... I double-checked...
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 6:23 pm

Post the config of the router you have at home that you are talking about.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 8:44 pm

So here is the latest R2 config:
# jan/13/2023 19:32:37 by RouterOS 7.6
# software id = ---------
#
# model = RBwAPR-2nD
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-8DADB3 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_VPN_STS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telemach.hr ip-type=ipv4 name=Telemach \
    use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.1.0/24 endpoint-address=172.217.22.14 \
    endpoint-port=13231 interface=WG_VPN_STS public-key=\
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.10.1/24 comment=LAN interface=bridge network=192.168.10.0
add address=10.0.0.6/24 comment=VPN interface=WG_VPN_STS network=10.0.0.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.10.254 comment="Admin on R2" list=Authorized
add address=192.168.1.57 comment="Admin on R1" list=Authorized
add address=10.0.0.3 comment="Admin RW" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input src-address-list=Authorized
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
    \_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
    in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
    R2 to R1 traffic when permitted at the far side" in-interface=bridge \
    out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
    connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=WG_VPN_STS routing-table=\
    main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 9:07 pm

Can you clarify for me what is going on with the internet, as I have no clue how LTE works.
I am confused because you have three different names involved:
lte1 (interface lte)
Telemach (interface lte apn)
ppp-out1 (interface ppp-client)

And then for some reason you have wlan1 on the bridge; I am going to assume this one is strictly normal wifi on the bridge and has nothing to do with LTE.


To be on the safe side, put this....
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=Telemach list=WAN
add interface=ppp-out1 list=WAN


Firewall rule order
FROM (the ones that need to move were in orange; changed bridge to src address in one rule, in blue)
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input src-address-list=Authorized
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked

add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="Allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
\_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
R2 to R1 traffic when permitted at the far side" in-interface=bridge \
out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=drop chain=forward
add action=drop chain=input comment="drop all else"


TO
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input src-address-list=Authorized
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="Allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
\_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
R2 to R1 traffic when permitted at the far side" in-interface=bridge \
out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
connection-nat-state=dstnat
add action=drop chain=forward
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 9:43 pm

Here is updated configuration:
# jan/13/2023 20:36:21 by RouterOS 7.6
# software id = ---------
#
# model = RBwAPR-2nD
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-8DADB3 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_VPN_STS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telemach.hr ip-type=ipv4 name=Telemach \
    use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=ppp-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.1.0/24 endpoint-address=172.217.22.14 \
    endpoint-port=13231 interface=WG_VPN_STS public-key=\
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.10.1/24 comment=LAN interface=bridge network=192.168.10.0
add address=10.0.0.6/24 comment=VPN interface=WG_VPN_STS network=10.0.0.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.10.254 comment="Admin on R2" list=Authorized
add address=192.168.1.57 comment="Admin on R1" list=Authorized
add address=10.0.0.3 comment="Admin RW" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input src-address-list=Authorized
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
    \_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
    in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
    R2 to R1 traffic when permitted at the far side" in-interface=bridge \
    out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
    connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=WG_VPN_STS routing-table=\
    main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I couldn't add Telemach to the interface list because there is no such interface.

So if I understand correctly, the lte1 interface is the LTE modem inside the router.
Telemach is the name of the APN profile that I use for the LTE modem so I can connect to the mobile network (that information is provided by the mobile operator).
This ppp-out1 I don't know what it is; maybe it is used by the router and/or modem to establish the connection, but as far as I can see it's disabled... and if I enable it there is no traffic.

wlan1 is the wireless network, and I disabled that because I don't use it.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 9:57 pm

All looks good to me.
Can you post the latest R1.................
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Fri Jan 13, 2023 10:11 pm

Here is R1:
# jan/13/2023 21:03:41 by RouterOS 7.6
# software id = ---------
#
# model = RB760iGS
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment=Interface_1_S_to_C listen-port=13231 mtu=1420 name=WG_VPN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.3/32 comment="----------" interface=WG_VPN \
    public-key="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
add allowed-address=10.0.0.4/32 comment="----------" interface=WG_VPN \
    public-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
add allowed-address=10.0.0.2/32 comment="----------" interface=\
    WG_VPN public-key="DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD="
add allowed-address=10.0.0.5/32 comment="----------" \
    interface=WG_VPN public-key=\
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE="
add allowed-address=10.0.0.6/24,192.168.10.0/24 comment="remote R2" interface=\
    WG_VPN public-key="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.1.1/24 comment=LAN interface=bridge network=192.168.1.0
add address=172.217.22.14/30 comment=WAN interface=ether1 network=172.217.22.12
add address=10.0.0.1/24 comment="VPN S to C" interface=WG_VPN network=\
    10.0.0.0
/ip arp
add address=192.168.1.3 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
---------------------------------------------------------
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.24,172.217.10.75,172.217.10.76
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.57 list=Management
add address=10.0.0.2 list=Management
add address=10.0.0.3 list=Management
add address=10.0.0.2 list=Permitted
add address=10.0.0.3 list=Permitted
add address=10.0.0.4 list=Permitted
add address=10.0.0.5 list=Permitted
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=log chain=input dst-port=13231 log-prefix="Incoming WG Requests" \
    protocol=udp
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
    in-interface=ether1 protocol=udp
add action=accept chain=input src-address-list=Management
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow remote warriors users to access local subnet but not R2 users" \
    dst-address=192.168.1.0/24 in-interface=WG_VPN src-address-list=Permitted
add action=accept chain=forward comment=\
    "allow R1 users to access tunnel for R2" out-interface=WG_VPN \
    src-address=192.168.1.0/24
add action=accept chain=forward comment="allows remote warriors to enter R1 (e\
    xit tunnel) and then head to R2 (re-enter tunnel)" in-interface=WG_VPN \
    out-interface=WG_VPN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.10.0/24 gateway=WG_VPN routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=192.168.20.0/24 gateway=WG_VPN routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured_HexS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Sat Jan 14, 2023 3:19 pm

(1) As I stated previously, for R1 the allowed IPs for the peer of R2 need to change.
From
add allowed-address=10.0.0.6/24,192.168.10.0/24 comment="remote R2" interface=\
WG_VPN public-key="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="

TO
add allowed-address=10.0.0.6/32,192.168.10.0/24 comment="remote R2" interface=\
WG_VPN public-key="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="


(2) Not sure where this came from, probably testing, since it doesn't relate to any other settings; probably just not used........
add disabled=no dst-address=192.168.20.0/24 gateway=WG_VPN routing-table=main \
suppress-hw-offload=no



Fix the main item above and retry........
Two other thoughts......... how are you pinging aka from where to where............
a. source being the router itself via winbox (its ping function)
b. from an admin IP?

Secondly it may be needed to netinstall R2 and reapply the settings....... as a measure since we cannot find any other issues.
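Why point (1) matters is easiest to see by modelling what WireGuard actually does with allowed-address: it is one longest-prefix-match table shared by all peers, used both to pick the peer for outbound packets and to decide whether an inbound packet's source is acceptable. The script below is an added illustration (not code from this thread or from RouterOS); the peer names RW-B to RW-E are constructed, the prefixes mirror R1's peer list as posted, and FIXED_PEERS is the same table with the /24 changed to /32 as suggested above.

```python
"""Model WireGuard's cryptokey routing table for a RouterOS peer list.

Added illustration, not code from the thread or from RouterOS.  WireGuard
keeps every peer's allowed-address entries in one longest-prefix-match
table: a packet arriving from a peer is accepted only if its source address
falls inside that peer's entries, and an outbound packet is encrypted to
the peer owning the longest matching prefix.  The peer names below are
constructed; the prefixes mirror R1's table from the thread.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Table = List[Tuple[ipaddress.IPv4Network, str]]

# Constructed copy of R1's peer list as posted: peer name -> allowed-address.
R1_PEERS: Dict[str, List[str]] = {
    "RW-B": ["10.0.0.3/32"],
    "RW-C": ["10.0.0.4/32"],
    "RW-D": ["10.0.0.2/32"],
    "RW-E": ["10.0.0.5/32"],
    "remote R2": ["10.0.0.6/24", "192.168.10.0/24"],  # the /24 anav flagged
}

# Same table with the correction from anav's point (1).
FIXED_PEERS: Dict[str, List[str]] = {
    **{k: v for k, v in R1_PEERS.items() if k != "remote R2"},
    "remote R2": ["10.0.0.6/32", "192.168.10.0/24"],
}


def build_table(peers: Dict[str, List[str]]) -> Table:
    """Flatten peers into (network, peer) pairs.

    strict=False mirrors WireGuard: 10.0.0.6/24 denotes the whole 10.0.0.0/24.
    """
    table: Table = []
    for peer, entries in peers.items():
        for entry in entries:
            table.append((ipaddress.ip_network(entry, strict=False), peer))
    return table


def owner_of(table: Table, addr: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: the peer that may source, and receives, addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, peer in table:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, peer)
    return None if best is None else (str(best[0]), best[1])


def overlaps(table: Table) -> List[Tuple[str, str, str, str]]:
    """List entries of one peer that lie inside a different peer's entry.

    Such overlaps are a configuration smell: the wider prefix silently claims
    every address not explicitly given to another peer, so the wide peer may
    source traffic from any of them and new peers will collide with it.
    """
    issues = []
    for net_a, peer_a in table:
        for net_b, peer_b in table:
            if (peer_a != peer_b and net_a.version == net_b.version
                    and net_a != net_b and net_a.subnet_of(net_b)):
                issues.append((str(net_a), peer_a, str(net_b), peer_b))
    return issues


if __name__ == "__main__":
    for label, peers in (("as posted", R1_PEERS), ("corrected", FIXED_PEERS)):
        table = build_table(peers)
        print(f"--- R1 peer table {label} ---")
        for addr in ("10.0.0.2", "10.0.0.6", "10.0.0.99", "192.168.10.7"):
            print(f"{addr:14} -> {owner_of(table, addr)}")
        for narrow, p_a, wide, p_b in overlaps(table):
            print(f"overlap: {narrow} ({p_a}) lies inside {wide} ({p_b})")
```

With the table as posted, every /32 road-warrior entry sits inside R2's 10.0.0.0/24, and an unassigned address such as 10.0.0.99 is attributed to R2; with the /32 correction the overlaps disappear and 10.0.0.99 belongs to nobody, which is what a tunnel address that has not been handed out should look like.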
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Sat Jan 14, 2023 4:49 pm

Also, there is no WAN access in these setups, so one should not be able to get to the WWW through the wireguard tunnel; it's strictly for LAN subnet access and to config the router for the admin........
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Sat Jan 14, 2023 5:00 pm

I changed this in my config and it's still the same, no handshake. RW to R1 is working just fine.

I tried and updated R1 and R2 to ROS v7.7 but still the same thing.

For pinging R2 I'm using R1 and the ping command in the terminal. (I tried ping from the tools menu but same thing)

And yes, I can't access the internet when the VPN is active on the laptop.

If needed I can do a netinstall, only I need to take my wife's laptop as my laptop only has Linux on it.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Sat Jan 14, 2023 5:58 pm

Out of ideas at the moment...........
Not sure why the tunnel doesn't connect at all...........
I suspect it's something simple like the private and public key are mixed up or an incorrect entry has been made......

It makes no sense that the rule on R1 is not even triggered by an attempt to connect from R2. Do you have the endpoint IP address and port correct???
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Sat Jan 14, 2023 6:22 pm

What bothers me the most is that yesterday it was working until I powered off R2 to bring it home...

I will check everything once again when I arrive home...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Sun Jan 15, 2023 1:51 pm

So I entered the public key again, checked the IP and nothing... I noticed about 340B of data that was exchanged between the routers and I saw the last handshake timer started but no connection...

So the only thing that is left is netinstall...

Before this topic I tried to make a site to site VPN with a dedicated WG interface and it did work. Road warriors had their interface on the main router and R2 had its interface on the main router.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Mon Jan 16, 2023 7:37 am

So just as I was ready to do a netinstall, the tunnel comes up... ping is working, RW to R2 is working... I tried to reboot R2 a couple of times, just to see if the tunnel comes up, and it does...

One question, is it possible that the router didn't want to establish the connection because there was no device connected?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Mon Jan 16, 2023 5:05 pm

Not sure how the MT works, I suspect a user has to start the process by attempting to make a connection through the tunnel? Not sure if the interface exists on the client if it automatically connects regardless.......

Not surprised though, the config is good.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Mon Jan 16, 2023 6:21 pm

I left the router at work, connected to a PC, and I can ping it from home, so it's working for now. Tomorrow I will take the router home with me to test it at a different location. (It shouldn't matter, but it wasn't working yesterday and today it's working.)

Maybe it's a good idea to set persistent keepalive on R2 to ping R1 every minute or so, so the connection stays up? On a PC you bring the connection up by... clicking connect, but MikroTik should connect automatically, even without a device on the network?

So if I want R2 to access R1 I should just remove the Permitted address list from the firewall rule, and if I understand correctly it should allow devices behind R2 to ping and access the 192.168.1.0/24 network?
Also, I was reading a little about firewall rules, and if I want, for example, to allow internet access for road warriors, then I should create a filter rule like this?
chain=forward action=accept src-address-list=Permitted 
      in-interface=WG_VPN out-interface=ether1 log=no log-prefix=""
Where I tell the router that I want to forward traffic from the tunnel to WAN if the address is on the Permitted list.

Also, if I want to add n additional routers to the VPN, do I have to create special rules for them on R1?

If I understand correctly, these firewall rules apply not just to R2 but to every router and all traffic coming from the wireguard interface:
allow R1 users to access tunnel for R2
      chain=forward action=accept src-address=192.168.1.0/24 
      out-interface=WG_VPN log=no log-prefix=""
allows remote warriors to enter R1 (exit tunnel) and then head to R2 (re-enter tunnel)
      chain=forward action=accept in-interface=WG_VPN out-interface=WG_VPN 
      log=no log-prefix="" 
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Mon Jan 16, 2023 7:57 pm

(1) Yes!!! Every MT client device should have keep alive setup......... Thus after initial connection it will stay up forever.

(2) Yes, if you desire R2 staff to visit R1 devices simply remove the src-address list entry!

(3) NOW YOU ARE SCOPE CREEPING LOL . If you want to allow road warriors to access internet of R1, then you have added a layer of complication.

a. at the RW client site wireguard configs, the only allowed IPs that are needed is 0.0.0.0/0
b. At R1, the rule you created for the forward chain is good in that it permits incoming RWs access to the local internet ( but not R2 )

add chain=forward action=accept in-interface=WG_VPN out-interface-list=WAN src-address-list=Permitted

c. the other consideration is return traffic from the internet, since it will be road warriors that all fall within the IP address of the wireguard on R1, any return traffic with source of RW IP will be recognized by the Router and will be sent to the tunnel. So nothing extra here.

(4) If you want to add additional RWs to connect to R1, then you will need to
a. configure RW client accordingly ( for lan access or internet access )
b. on R1 for each new client add another PEER line accordingly.

(5) Don't quite understand the question as you point to two different rules. However, to restate, you are allowing R1 users to enter the tunnel. Realistically they are not required to access someone's iphone/ipad/desktop and it's set up as I did so R1 users can reach R2 without refinement.
So the rule could be.......
chain=forward action=accept src-address=192.168.1.0/24 out-interface=WG_VPN dst-address=192.168.10.0/24 and thus cutting off R1 users from reaching any RW assets.

In this case, if you are R1 admin on the subnet 192.168.1.0/24 you would not be able to reach or ping a RW client device since it's confined to R2.
Thus you have to be really clear on requirements before making changes............

(6) The second rule which allows RWs to exit the tunnel at R1 and then re-enter the tunnel if necessary depending upon routing, ensures an effective/efficient relay occurs at R1.

If one wanted to dictate which RWs were allowed access to what then you would need to create additional rules and/or make use of source and dst address lists etc.
All depends upon well understood and communicated requirements.
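Points (2), (3), (5) and (6) above are all statements about which flows R1's forward chain lets through, and RouterOS decides that by first match, top to bottom. The script below is an added illustration (not RouterOS code and not from this thread): it reproduces R1's forward rules as data, with the fasttrack, established/related, invalid and dstnat rules left out because they never match a brand-new flow in this model, and then walks each requirement discussed above through the chain. Interface lists and the Permitted address list mirror R1's config; the hosts 192.168.1.50, 192.168.10.20 and 8.8.8.8 used in the checks are constructed. The two variants show the effect of dropping the src-address-list from the RW rule (point 2) and of restricting the R1 LAN rule to dst-address=192.168.10.0/24 (point 5).

```python
"""First-match walk of R1's forward chain for new connections.

Added illustration, not RouterOS code.  RouterOS evaluates filter rules
top to bottom and the first matching rule decides, so the rule set is
reproduced here as data and each requirement from the thread is checked as
a (src, dst, in-interface, out-interface) tuple.  Interface and address
lists mirror R1's config; the hosts used in the checks are constructed.
"""
import ipaddress
from typing import Dict, List

IFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}
ADDRESS_LISTS = {"Permitted": {"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"}}

# R1's forward chain as posted, for new connections only (the fasttrack,
# established/related, invalid and dstnat rules never match a fresh flow
# in this model and are omitted).
R1_FORWARD: List[Dict[str, str]] = [
    dict(action="accept", in_list="LAN", out_list="WAN", comment="LAN to WAN"),
    dict(action="accept", in_iface="WG_VPN", dst="192.168.1.0/24",
         src_list="Permitted", comment="RW to R1 LAN"),
    dict(action="accept", src="192.168.1.0/24", out_iface="WG_VPN",
         comment="R1 LAN into tunnel"),
    dict(action="accept", in_iface="WG_VPN", out_iface="WG_VPN",
         comment="RW relay to R2"),
    dict(action="accept", in_iface="WG_VPN", out_iface="ether1",
         src_list="Permitted", comment="RW to internet"),
    dict(action="drop", comment="drop all else"),
]


def _matches(rule: Dict[str, str], src: str, dst: str,
             in_iface: str, out_iface: str) -> bool:
    """Every matcher present on the rule must hold (RouterOS ANDs them)."""
    checks = {
        "in_iface": lambda v: in_iface == v,
        "out_iface": lambda v: out_iface == v,
        "in_list": lambda v: in_iface in IFACE_LISTS[v],
        "out_list": lambda v: out_iface in IFACE_LISTS[v],
        "src": lambda v: ipaddress.ip_address(src) in ipaddress.ip_network(v),
        "dst": lambda v: ipaddress.ip_address(dst) in ipaddress.ip_network(v),
        "src_list": lambda v: src in ADDRESS_LISTS[v],
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)


def verdict(rules: List[Dict[str, str]], src: str, dst: str,
            in_iface: str, out_iface: str) -> str:
    """Action of the first matching rule; a chain with no match accepts."""
    for rule in rules:
        if _matches(rule, src, dst, in_iface, out_iface):
            return rule["action"]
    return "accept"


def amend(rules: List[Dict[str, str]], comment: str, **changes) -> List[Dict[str, str]]:
    """Copy of rules with the rule named by comment altered (None removes a matcher)."""
    out = []
    for rule in rules:
        if rule.get("comment") == comment:
            rule = {k: v for k, v in {**rule, **changes}.items() if v is not None}
        out.append(rule)
    return out


# Variant from point (2): R2's staff may reach R1's LAN.
R2_ALLOWED = amend(R1_FORWARD, "RW to R1 LAN", src_list=None)
# Variant from point (5): R1 users may reach R2's LAN but no RW asset.
LAN_TIGHT = amend(R1_FORWARD, "R1 LAN into tunnel", dst="192.168.10.0/24")

# Constructed flows: (label, src, dst, in-interface, out-interface).
FLOWS = [
    ("RW -> R1 LAN", "10.0.0.2", "192.168.1.50", "WG_VPN", "bridge"),
    ("R2 LAN -> R1 LAN", "192.168.10.20", "192.168.1.50", "WG_VPN", "bridge"),
    ("R1 LAN -> R2 LAN", "192.168.1.50", "192.168.10.20", "bridge", "WG_VPN"),
    ("R1 LAN -> RW", "192.168.1.50", "10.0.0.2", "bridge", "WG_VPN"),
    ("RW -> R2 LAN (relay)", "10.0.0.2", "192.168.10.20", "WG_VPN", "WG_VPN"),
    ("RW -> internet", "10.0.0.2", "8.8.8.8", "WG_VPN", "ether1"),
    ("R2 LAN -> internet", "192.168.10.20", "8.8.8.8", "WG_VPN", "ether1"),
]

if __name__ == "__main__":
    for name, rules in (("as posted", R1_FORWARD),
                        ("R2 allowed", R2_ALLOWED), ("LAN tight", LAN_TIGHT)):
        print(f"--- forward chain {name} ---")
        for label, *pkt in FLOWS:
            print(f"{label:22} {verdict(rules, *pkt)}")
```

Keeping such a table next to the router config is a cheap way to state requirements before touching rules: the output shows that the posted chain already relays road warriors to R2 and lets R1 users reach road-warrior clients, and that R2's LAN gets neither R1's LAN nor the internet until a rule is changed on purpose.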
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Tue Jan 17, 2023 7:58 am

(1) Yes!!! Every MT client device should have keep alive setup......... Thus after initial connection it will stay up forever.
I put 2 minutes, is that okay or should this interval be longer or shorter?

I tried this filter rule that you confirmed is good and now I have internet access on RW, and the speedtest was quite surprising: our office fiber connection is 75/75Mbps and I get on my laptop 71 DL / 72 UL Mbps with 16 ms avg ping, which is great.
NOW YOU ARE SCOPE CREEPING LOL .

I know, but now I have everything in one topic to save in my archive hehe

This is the final R1 config
# jan/17/2023 06:50:22 by RouterOS 7.7
# software id = ---------
#
# model = RB760iGS
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment=Interface_1_S_to_C listen-port=13231 mtu=1420 name=WG_VPN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.3/32 comment="----------" interface=WG_VPN \
    public-key="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
add allowed-address=10.0.0.4/32 comment="----------" interface=WG_VPN \
    public-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
add allowed-address=10.0.0.2/32 comment="----------" interface=\
    WG_VPN public-key="DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD="
add allowed-address=10.0.0.5/32 comment="----------" \
    interface=WG_VPN public-key=\
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE="
add allowed-address=10.0.0.6/24,192.168.10.0/24 comment="remote R2" interface=\
    WG_VPN public-key="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.1.1/24 comment=LAN interface=bridge network=192.168.1.0
add address=172.217.22.14/30 comment=WAN interface=ether1 network=172.217.22.12
add address=10.0.0.1/24 comment="VPN S to C" interface=WG_VPN network=\
    10.0.0.0
/ip arp
add address=192.168.1.3 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
---------------------------------------------------------------------------------------------
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.24,172.217.10.75,172.217.10.76
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.57 list=Management
add address=10.0.0.2 list=Management
add address=10.0.0.3 list=Management
add address=10.0.0.2 list=Permitted
add address=10.0.0.3 list=Permitted
add address=10.0.0.4 list=Permitted
add address=10.0.0.5 list=Permitted
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=log chain=input dst-port=13231 log-prefix="Incoming WG Requests" \
    protocol=udp
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13705 \
    in-interface=ether1 protocol=udp
add action=accept chain=input src-address-list=Management
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow remote warriors users to access local subnet but not R2 users" \
    dst-address=192.168.1.0/24 in-interface=WG_VPN src-address-list=Permitted
add action=accept chain=forward comment=\
    "allow R1 users to access tunnel for R2" out-interface=WG_VPN \
    src-address=192.168.1.0/24
add action=accept chain=forward comment="allows remote warriors to enter R1 (e\
    xit tunnel) and then head to R2 (re-enter tunnel)" in-interface=WG_VPN \
    out-interface=WG_VPN
add action=accept chain=forward comment="allow RW to access the Internet" \
    in-interface=WG_VPN out-interface=ether1 src-address-list=Permitted
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.10.0/24 gateway=WG_VPN routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured_HexS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
Today I will test R2 at home, to see if it works, and that's it
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Tue Jan 17, 2023 2:35 pm

R1 peer settings:
You still have not corrected the one small error on R1 LOL............
add allowed-address=10.0.0.6/24,192.168.10.0/24 comment="remote R2" interface=\

should be
add allowed-address=10.0.0.6/32,192.168.10.0/24 comment="remote R2" interface=\

Also the second of these two rules in the input chain is confusing me....
add action=log chain=input dst-port=13231 log-prefix="Incoming WG Requests" \
protocol=udp
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13705 \
in-interface=ether1 protocol=udp


The first rule does nothing but log stuff, which is fine!!!
BUT The second rule accepts traffic but has the wrong port number

How is anything working LOL.......
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Tue Jan 17, 2023 4:53 pm

I corrected that, but when I copy peers from the previous configuration so I don't have to manually change everything every time I want to post the configuration, I always forget that the old config has that /24... And the port is correct, I just forgot to change it :lol: :lol:

Don't worry, all of that is already changed, my copy/paste is to blame for this...

But new info, all day everything was working like it should. I took the router home aaaaaand guess what... I had to go to the city but I left the R2 router and laptop running so I could try to connect to it, and at first it was taking a long time to connect but it worked, then I rebooted R2 and now in R1 I can see that there is a handshake but I can't ping R2 or the laptop...

And I set persistent keepalive on R2...

WTF really... Same router, same SIM card, what is different is the location... I will try with a SIM card from another operator for f... sake...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Tue Jan 17, 2023 6:57 pm

Update

I arrived home and turned on the laptop from standby, I tried to ping R2, nothing, and as soon as 3 minutes passed there was another handshake and it worked for some time; now I have 4 minutes from the last handshake and again it's not working... Then I tried, just for fun, pinging a server at my office network and bam, handshake and ping is working...

Is this an operator problem? Is it possible that they block something? At the office it's working like it should...

Also I noticed that if I connect to the VPN with RW, when I search "what is my IP" I get my public IP at work (and that is okay because I go to the internet through R1). But on the laptop that is connected to R2 I get a different IP address... Shouldn't I get the public address of R1?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Tue Jan 17, 2023 8:06 pm

Remember R1 is up all the time and accessible.
For any RW to connect to R2, the tunnel has to be established between R2 to R1.

So as long as the R2 to R1 tunnel is up it should be rather quick to access or ping..........
I do not quite understand the finicky nature being described ............ puzzler.

I would be better informed if you instead actually attempted work, as in access R2 config/winbox or R2 device/server to fully establish no connectivity vice connectivity AS OPPOSED to use pinging.


As for part two of questions...........
If on a laptop connected to R1 for internet purposes you ask "what is my IP", you get the WANIP of R1. (RW to WAN forward chain rule)

If on a laptop you wish to connect to R2, "what's my IP" will not get the R2 WANIP unless you have wg to WAN forward chain permissions on R3; otherwise the RW will not be able to reach the www and ask what's my IP!
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Tue Jan 17, 2023 8:28 pm

I would be better informed if you instead actually attempted work, as in access R2 config/winbox or R2 device/server to fully establish no connectivity vice connectivity AS OPPOSED to use pinging.
So now I tried to connect from R2 to some web config pages that some devices on the R1 network use, and it works for now. (I permitted R2 devices to access R1)

The laptop and router were off, so this time the tunnel was established as soon as the router started.

I mean, I consider this solved, everything is working. Thank you anav again for your help :D
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site to Site and road warrior combination

Tue Jan 17, 2023 8:29 pm

No worries, I like puzzles and getting satisfaction!! and most of all you have learned some!!
 
gigabyte091
Forum Guru
Topic Author
Posts: 1171
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard Site to Site and road warrior combination

Tue Jan 17, 2023 10:48 pm

Yea, learning was the main point for me. As for puzzles, this one was good, when something should work but doesn't...
