drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Access to Internet with WireGuard via VPN-client

Sat Feb 25, 2023 11:36 am

Hi
On the router I have 2 public IPs: WAN (public IP from ISP, e.g. 108.108.108.10) and a VPN-client (different public IP, e.g. 80.80.80.20). If I'm connected via WireGuard, I have access to LAN and Internet via WAN (public IP 108.108.108.10). I would like connections established by WireGuard to connect to the Internet via VPN-client (I'll have IP 80.80.80.20). Unfortunately, I can't handle it. My config is in Attachments. I tried e.g.:
add action=accept chain=forward out-interface=VPN-TV src-address-list=WG
add action=masquerade chain=srcnat out-interface=VPN-TV src-address-list=WG
Thanks for help.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Sat Feb 25, 2023 4:10 pm

To be clear you cannot have internet to both local WAN and VPN WAN for your incoming WG road warrior at the same time.
We can ensure that WG traffic goes out the VPN tunnel if the VPN tunnel is working.
I don't like your firewall rule structure but if it works for you fine.....

I would get rid of the mangle attempt and do this instead......

Keep existing Table.
Keep existing Route
Delete Mangles
Add routing rule.

/routing rule add src-address=192.168.20.2 action=lookup table=VPN-TV-route

Note1: If the VPN tunnel is not available the wg user will then go out the local internet as per the firewall rules. If you never wanted the WG warrior to access the local internet in case VPN went down, then change action=lookup-only-in-table

Note2: UNKNOWN --> Just not sure if you need a firewall rule for WG to enter VPN tunnel in forward chain as well ?:??

Note3: IS IT MANDATORY? That users going out the VPN tunnel are source-natted?? If SO you would fail to sourcenat the WG user(s) because your list excludes them.

/ip firewall nat
add action=masquerade chain=srcnat comment="masqarade - VPN-TV" out-interface=VPN-TV src-address-list=VPN-TV-list

Note4: If you go to more WG remote users than just the single allowed peer, simply change the routing rule from single IP to subnet etc...
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Tue Feb 28, 2023 4:55 pm

> To be clear you cannot have internet to both local WAN and VPN WAN for your incoming WG road warrior at the same time.
I will send WG out by VPN-TV only.
> I don't like your firewall rule structure but if it works for you fine.....
What's wrong with my firewall? I am new and it's very possible that I have a wrong config. What can I do better?
> I would get rid of the mangle attempt and do this instead......
>
> Keep existing Table.
> Keep existing Route
> Delete Mangles
> Add routing rule.
>
> /routing rule add src-address=192.168.20.2 action=lookup table=VPN-TV-route
After I disabled the WG mangles and added the routing rule I have no Internet and no access to LAN, but I changed something more.
Before (working LAN and WAN):
/ip firewall filter add action=accept chain=forward out-interface=ether1 src-address-list=WG
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 src-address-list=WG
/ip firewall mangle add action=mark-connection chain=prerouting disabled=no in-interface=wg0 new-connection-mark=WG-to-VPN-mark passthrough=yes
After (working VPN-TV, not LAN):
/ip firewall filter add action=accept chain=forward out-interface=VPN-TV src-address-list=WG
/ip firewall nat add action=masquerade chain=srcnat out-interface=VPN-TV src-address-list=WG
/ip firewall mangle add action=mark-connection chain=prerouting disabled=yes in-interface=wg0 new-connection-mark=WG-to-VPN-mark passthrough=yes
/routing rule add src-address=192.168.20.2 action=lookup-only-in-table table=VPN-TV-route
After this change I have the IP from the VPN but no access to LAN devices.
> Note2: UNKNOWN --> Just not sure if you need a firewall rule for WG to enter VPN tunnel in forward chain as well ?:??
This?
/ip firewall filter add action=accept chain=forward out-interface=VPN-TV src-address-list=WG
I need this. Without this I don't have Internet.
> Note3: IS IT MANDATORY? That users going out the VPN tunnel are source-natted?? If SO you would fail to sourcenat the WG user(s) because your list excludes them.
But the next rule adds the WG list. Doesn't it work?
/ip firewall nat add action=masquerade chain=srcnat comment="masquerade - WG" out-interface=VPN-TV src-address-list=WG
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Tue Feb 28, 2023 5:51 pm

Post the latest config and I will have a look.
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Tue Feb 28, 2023 6:01 pm

I changed this only:
/ip firewall filter add action=accept chain=forward out-interface=VPN-TV src-address-list=WG
/ip firewall nat add action=masquerade chain=srcnat out-interface=VPN-TV src-address-list=WG
/ip firewall mangle add action=mark-connection chain=prerouting disabled=yes in-interface=wg0 new-connection-mark=WG-to-VPN-mark passthrough=yes
/routing rule add src-address=192.168.20.2 action=lookup-only-in-table table=VPN-TV-route
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Tue Feb 28, 2023 6:04 pm

My request was clear...... if you insist on snippets will move on.............. I only work with evidence not what people think they did................ regardless of best intentions surprises always happen, learned the hard way by experience here.
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Tue Feb 28, 2023 6:48 pm

OK. I'm sending a new file.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client  [SOLVED]

Wed Mar 01, 2023 1:25 am

(1) What is the purpose of this rule: ?
add action=accept chain=input connection-state=established,related,new dst-address=10.20.30.50 src-address=10.20.30.0/24

My thought is that it's not needed and should be removed.

(2)
The coloured rule is no longer needed due to drop rule at end.
add action=drop chain=input in-interface-list=!LAN

(3) The input chain invalid rule should be higher up prior to any ICMP rules.
(4) I never frig with ICMP (aka don't add any special rules for it) your choice. Are you having issues with it?

(5) I also don't understand your use of firewall address lists. If a subnet exists, then refer to the interface, or the address, no need to make an extra item.
If it's two or more addresses then an interface list entry makes sense............
Where it makes sense is if you have a large number of users but not the whole subnet!

(6) The output rule is not required and needs to be removed.

(7) So I gather you are trying to remote in via the wg and then go out the L2TP vpn tunnel, okay.........
(as well as be able to config the router from the remote connection).
In addition, you want some bridge lan users to go out the L2TP tunnel...............
Firewall rules are the easy part, how do you propose to route all that traffic ????

(8) Sourcenat rules will need some thought.........

Example........
/ip firewall address-list
add address=10.20.30.201-10.20.30.250 list=VPN-TV-list
{ Okay a subset of users }
add address=192.168.20.2/32 list=Authorized comment="Remote Admin IP"
add address=10.20.30.XX list=Authorized comment="Admin desktop IP"
add address=10.20.30.XY list=Authorized comment="Admin laptop IP"
add address=10.20.30.XZ list=Authorized comment="Admin ipad/iphone IP"


/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

(admin rules)
add action=accept chain=input dst-port=55502 protocol=udp comment="initial wg handshake"
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized comment="admin access to config router"
add action=accept chain=input dst-port=53 in-interface=bridge-LAN in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface=bridge-LAN in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"

{Forward Chain}
(default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wg0 out-interface=VPN-TV comment="admin out VPN"
add action=accept chain=forward src-address-list=VPN-TV-list out-interface=VPN-TV comment="select LAN users out VPN"
add action=accept chain=forward in-interface=wg0 dst-address=10.20.30.0/24 comment="admin access to LAN"
add action=accept chain=forward connection-nat-state=dstnat comment="port forwarding"
add action=drop chain=forward comment="drop all else"



Assuming you have a default route selected via ETHER1 IP DHCP client settings and thus no manual route is shown in the config.
The first route makes sense to me except you need an extra Routing Rule to ensure the admin, while remote, can reach the LAN.
The second route has no basis in anything that I can see on the config, or makes sense to me for now you need to get rid of it.......

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=VPN-TV pref-src=0.0.0.0 routing-table=VPN-TV-route scope=30 suppress-hw-offload=no target-scope=10 comment="Force WG users out VPN"
add disabled=no dst-address=0.0.0.0/0 gateway=VPN-downl pref-src=0.0.0.0 routing-table=VPN-downl-route suppress-hw-offload=no



/routing rule
add action=lookup-only-in-table dst-address=10.20.30.0/24 table=main comment="allow wg user to access LAN first"
add action=lookup-only-in-table disabled=no src-address=192.168.20.0/24 table=VPN-TV-route



Adjustment to mangling......... You will see why.......... We can adjust the fasttrack rule to ignore this traffic and thus keep fasttrack.
/ip firewall mangle
add action=mark-connection chain=prerouting src-address-list=VPN-TV-list dst-address=!10.20.30.0/24 connection-mark=no-mark new-connection-mark=TO-VPN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TO-VPN new-routing-mark=VPN-TV-route passthrough=no
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark

++++++++++++++++++++++++++++++++++++++++++

I am not familiar with L2TP VPN tunnels and their ability to
a. act as an interface
b. be applied to in firewall rules.
c. be routed to as we have.

Thus I have no clue whether this will work or not LOL.


................

There is also the sourcenat hairpin rule you had, not exactly the standard format but what is the purpose of this rule?
Do you have LAN users needing to access a LAN server and if so by the WANIP of the router, vice direct lanip address.......


/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN comment="To capture any traffic going out local WAN"
add action=masquerade chain=srcnat out-interface=VPN-TV comment="To capture any traffic going out VPN"

A hairpin nat rule looks like.
add action=masquerade chain=srcnat comment="Hairpin Nat" dst-address=10.20.30.0/24 src-address=10.20.30.0/24

Why would you set it up differently???
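
Added example (not part of any post in this thread, and not RouterOS code): a small Python model of the `/routing rule` ordering and of `lookup` versus `lookup-only-in-table` discussed in the posts above, plus the srcnat `src-address-list` point from Note3. The table contents, the hosts `203.0.113.9` and `10.20.30.5`, and all function names are constructed; the assumption that a failed `action=lookup` ends up in `main` follows Note1.

```python
from ipaddress import ip_address, ip_network

LAN, WG = "10.20.30.0/24", "192.168.20.0/24"  # subnets used in the thread

def build_tables(vpn_up=True):
    """Constructed routing tables: name -> [(prefix, out-interface)]."""
    tables = {"main": [(LAN, "bridge-LAN"), ("0.0.0.0/0", "ether1")],
              "VPN-TV-route": []}
    if vpn_up:  # a route through a down tunnel is inactive, so the table is empty
        tables["VPN-TV-route"].append(("0.0.0.0/0", "VPN-TV"))
    return tables

def lookup(table, dst):
    """Longest-prefix match inside one table; out-interface or None."""
    hits = [(ip_network(p).prefixlen, gw) for p, gw in table
            if ip_address(dst) in ip_network(p)]
    return max(hits)[1] if hits else None

def route(rules, tables, src, dst):
    """Walk the routing rules top-down; return the out-interface or None."""
    for rule in rules:
        if "src" in rule and ip_address(src) not in ip_network(rule["src"]):
            continue
        if "dst" in rule and ip_address(dst) not in ip_network(rule["dst"]):
            continue
        out = lookup(tables[rule["table"]], dst)
        if out is not None:
            return out
        if rule["action"] == "lookup-only-in-table":
            return None  # fail closed: no other table is consulted
        # action=lookup (assumption per Note1): keep going, ending at main
    return lookup(tables["main"], dst)

TO_LAN = {"dst": LAN, "table": "main", "action": "lookup-only-in-table"}

def wg_rule(action):
    return {"src": WG, "table": "VPN-TV-route", "action": action}

# Address list as posted in the thread: a range of LAN hosts, no WG peers.
ADDRESS_LISTS = {"VPN-TV-list": [("10.20.30.201", "10.20.30.250")]}

def masqueraded(nat_rules, src, out_if):
    """True if some srcnat masquerade rule covers this source on out_if."""
    for rule in nat_rules:
        if rule["out"] != out_if:
            continue
        name = rule.get("src_list")
        if name is None:  # no source restriction: everything leaving is NATed
            return True
        if any(ip_address(lo) <= ip_address(src) <= ip_address(hi)
               for lo, hi in ADDRESS_LISTS[name]):
            return True
    return False

def demo():
    peer, web, nas = "192.168.20.2", "203.0.113.9", "10.20.30.5"  # constructed
    strict = [TO_LAN, wg_rule("lookup-only-in-table")]
    loose = [TO_LAN, wg_rule("lookup")]
    up, down = build_tables(True), build_tables(False)
    return {
        "internet_vpn_up": route(strict, up, peer, web),
        "lan_with_rule": route(strict, up, peer, nas),
        # Without the dst=LAN rule first, LAN traffic is pushed into the tunnel.
        "lan_without_rule": route(strict[1:], up, peer, nas),
        # Tunnel down: lookup-only-in-table blocks, lookup leaks out ether1.
        "internet_vpn_down_strict": route(strict, down, peer, web),
        "internet_vpn_down_lookup": route(loose, down, peer, web),
        "lan_host_internet": route(strict, up, "10.20.30.7", web),
    }

if __name__ == "__main__":
    for case, out in demo().items():
        print(f"{case:28} -> {out}")
    listed = [{"out": "VPN-TV", "src_list": "VPN-TV-list"}]
    print("WG peer NATed with list:", masqueraded(listed, "192.168.20.2", "VPN-TV"))
```
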
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Wed Mar 01, 2023 1:54 pm

> (1) What is the purpose of this rule: ?
> add action=accept chain=input connection-state=established,related,new dst-address=10.20.30.50 src-address=10.20.30.0/24
In one of the tutorials it was 'Allow WinBox Access to Router from LAN'.
> (2)
> add action=drop chain=input in-interface-list=!LAN
> (6) The output rule is not required and needs to be removed.
But is it a faulty rule?
The ICMP rules I took from a tutorial too.
> I also don't understand your use of firewall address lists.
Because I want some IPs to go out over the WAN and some over the VPN.
> There is also the sourcenat hairpin rule you had, not exactly the standard format but what is the purpose of this rule?
> Do you have LAN users needing to access a LAN server and if so by the WANIP of the router, vice direct lanip address
I have port forwarding to e.g. minecraft and without this I don't have access to it.
> A hairpin nat rule looks like.
> add action=masquerade chain=srcnat comment="Hairpin Nat" dst-address=10.20.30.0/24 src-address=10.20.30.0/24
>
> Why would you set it up differently???
Tutorial again? It's working. If I changed this to dst-address=10.20.30.0/24 src-address=10.20.30.0/24 it doesn't work. I can't see e.g. websites.
There are 2 attachments. One is not working (everything changed with your suggestions). In the second I changed the rule order and I saw this was missing:
add action=lookup-only-in-table dst-address=10.20.30.0/24 table=main comment="allow wg user to access LAN first"
Can you look at my config (working) again? Does it look good now?

And one more thing. If I am connected via WG I have access to MT but not from LAN in mobile app. My WinBox on PC (LAN) has access only by MAC not IP:port
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Wed Mar 01, 2023 3:19 pm

First of all, you clearly do not understand what each firewall rule is doing and are blindly following tutorials.......
Consider this a new and improved tutorial with actual knowledge on your scenario and requirements. :-)

This request is not clear, too much information jammed in one sentence, draw a diagram if you have to, make the text as long as it needs to be, so that what you think in your head is also clear on paper to read.
> And one more thing. If I am connected via WG I have access to MT but not from LAN in mobile app. My WinBox on PC (LAN) has access only by MAC not IP:port

Remember, using winbox from the laptop via wireguard you will need to put in the IP and winbox port IP:PORT#
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Wed Mar 01, 2023 3:59 pm

Awesome, so you have a working config now??

(1) I don't think you need the first rule ( as the second rule is how you are providing access to config the router, which already includes wg addresses!!)
add action=accept chain=input comment="Traffic WG =OK" in-interface=wg0 Should be able to remove!!
add action=accept chain=input comment="admin access to config router" in-interface-list=LAN src-address-list=Authorized

(2) Still don't understand this unknown interface ????
add action=accept chain=forward comment="Local IPs out VPN-download" out-interface=VPN-downl src-address-list=VPN-downl-list
add dst-address=0.0.0.0/0 gateway=VPN-downl pref-src=0.0.0.0 routing-table=VPN-downl-route suppress-hw-offload=no

It must be the l2tp vpn interface which will not show on regular config.............
However you should understand my confusion when you state the VPN gateway is different!!
add action=masquerade chain=srcnat comment="masqarade - VPN-TV" out-interface=VPN-TV src-address-list=VPN-TV-list

Finally, why do you insist on putting src-address-list on the route, it IS NOT required. Don't treat it like a firewall rule in general and in this case there is no need to narrow it down.
In fact, you exclude the wireguard clients going out this route from being sourcenatted!!!!

Ask yourself the question, who is going out that interface....................
A. we mangle users out the vpn interface
B. we route rule users out the vpn interface.
aka only those users are going out the interface so no need to narrow down anything on the route rule which right now actually prevents wireguard users from being sourcenatted.......

(3) There are other things I would do differently but if it's a working config, I won't mucky muck in it.
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Fri Mar 03, 2023 1:16 pm

> First of all, you clearly do not understand what each firewall rule is doing and are blindly following tutorials.......
> Consider this a new and improved tutorial with actual knowledge on your scenario and requirements.
You're right. I don't understand everything, but I don't rewrite everything mindlessly either. I am trying to understand what a given rule is responsible for and in which position it should be. I am grateful for all the comments and willingness to help.
Without this
add action=accept chain=input comment="Traffic WG =OK" in-interface=wg0
I have access to LAN but not to Internet.
VPN-downl is another VPN client; I deleted it because it's not important here.
Config working almost fine now.

I have some problems with access to Mikrotik settings.
1. I have access to router:
a) from LAN with WinBox by MAC
b) from LAN by Web and IP
c) from WG with mobilAPP and IP:PORT
d) from WG by Web and IP (mobile)
e) from WG with WinBox and IP:PORT

2. I don't have access:
a) from LAN with WinBox by IP:PORT
b) from LAN with mobilAPP and MAC
c) from LAN with mobilAPP and IP:PORT
d) from WG with WinBox and MAC
e) from WG by Web and IP (laptop)

Why are there such differences. I don't understand this.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Fri Mar 03, 2023 1:30 pm

Just off the top of my head........
> Without this, add action=accept chain=input comment="Traffic WG =OK" in-interface=wg0, I have access to LAN but not to Internet

Makes no sense because access to the internet is a forward chain rule activity.
The input chain rule is normally for access to the router for config purposes but if the WG interface is NOT part of the LAN interface list, you may be missing getting access to DNS for internet requests which is a function of the input chain.

For the latter question, most bizarre........ as usual please post latest full config, as I don't know if you have touched the working config latest provided above............
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Fri Mar 03, 2023 1:37 pm

I didn't change anything
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Fri Mar 03, 2023 1:49 pm

Its not working because you are a bad boy!!

/ip firewall filter
add action=accept chain=input comment="defconf: established,related,untracked =OK" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: INPUT invalid - !OK" connection-state=invalid
add action=accept chain=input comment="defconf: Input ICMP =OK" protocol=icmp
add action=accept chain=input comment="Initial WG handshake" dst-port=55502 protocol=udp
add action=accept chain=input comment="INPUT IPsec =OK" protocol=ipsec-esp
add action=accept chain=input comment="Traffic WG =OK" in-interface=wg0
add action=accept chain=input comment="admin access to config router" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="DNS (udp) from LAN =OK" dst-port=53 in-interface=bridge-LAN in-interface-list=LAN protocol=udp
add action=accept chain=input comment="DNS (tcp) from LAN =OK" dst-port=53 in-interface=bridge-LAN in-interface-list=LAN protocol=tcp

add action=accept chain=input comment="PING - OK" disabled=yes icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=drop chain=input comment="Other INPUT =!OK"
add action=accept chain=forward comment="defconf: IPsec In =OK" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: IPsec Out =OK" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: established,related, untracked =OK" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: FORWARD invalid - !OK" connection-state=invalid
add action=accept chain=forward comment="Internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG out VPN" in-interface=wg0 out-interface=VPN-TV
add action=accept chain=forward comment="Local IPs out VPN-TV" out-interface=VPN-TV src-address-list=VPN-TV-list
add action=accept chain=forward comment="Local IPs out VPN-download" out-interface=VPN-downl src-address-list=VPN-downl-list
add action=accept chain=forward comment="WG do LAN" dst-address=10.10.10.0/24 in-interface=wg0
add action=accept chain=forward comment="Port Forwarding =OK" connection-nat-state=dstnat
add action=drop chain=forward comment="Other FORWARD =!OK"
add action=accept chain=output comment="OUTPUT -OK"


TO:
add action=accept chain=input comment="DNS (udp) from LAN =OK" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="DNS (tcp) from LAN =OK" dst-port=53 in-interface-list=LAN protocol=tcp

REMOVE ICMP rule not required.
REMOVE output rule not required.

Then see what works and doesn't work.
If still the same,
Play with the detect internet settings and see if that makes a difference.
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Fri Mar 03, 2023 4:33 pm

I removed
in-interface=bridge-LAN
in
add action=accept chain=input comment="DNS (udp) from LAN =OK" dst-port=53 in-interface=bridge-LAN in-interface-list=LAN protocol=udp
and
add action=accept chain=input comment="Traffic WG =OK" in-interface=wg0
I have internet with WG connect.

Other things are unchanged.
1. I have access to router:
a) from LAN with WinBox by MAC
b) from LAN by Web and IP
c) from LAN with mobilAPP and MAC
d) from WG with mobilAPP and IP:PORT
e) from WG by Web and IP
f) from WG with WinBox and IP:PORT

2. I don't have access:
a) from LAN with WinBox by IP:PORT
b) from LAN with mobilAPP and IP:PORT
c) from WG with WinBox/mobilAPP and MAC (Unnecessary)
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Fri Mar 03, 2023 4:41 pm

2c. The mobile APP I have doesn't use MAC, it's strictly IP:Port ??? At least on my iphone LOL.

2a and 2b, you will have to be more specific:
which LANIP address are you using and which IP are you attempting to use to reach config??
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Fri Mar 03, 2023 4:54 pm

Router IP is 10.10.10.50 and I try use it in LAN (10.10.10.0/24) and WG (192.168.20.0/24).

hmmm
I am stupid now.
I tried to connect WinBox in LAN with IP now and I have it. In MobilAPP I can't do this in LAN, only WG. Mobile has IP 10.10.10.240 (LAN) and 192.168.20.2 (WG). Both addresses are in the Authorized address list.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Fri Mar 03, 2023 4:58 pm

Just now......... maybe for a long time ;-PPP
Excellent, figuring out the rules and logic is half the fun on these devices...............
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Fri Mar 03, 2023 9:46 pm

If you can see why I don't have access to MT from mobileAPP with IP:PORT in LAN

I'm sending the latest config.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Sat Mar 04, 2023 5:56 pm

Just checked on my iphone I had the same issue namely because I had not:
a. changed my iphone lease on a particular WLAN I was connecting to, to a static lease.
b. added the static lease to the adminaccess firewall address list used in the input chain.

Once I did the above good to go!!

(1) So confirm on your phone that you are getting IP address
add address=10.10.10.240 from the router ( aka you have set it as a static lease)

(2) The other interfering issue may be if your phone has an IP that you decided to send out the VPN tunnel - list=VPN-TV-list
and thus you may not be able to reach the router LOL..........
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Sat Mar 04, 2023 10:44 pm

> (1) So confirm on your phone that you are getting IP address
> add address=10.10.10.240 from the router ( aka you have set it as a static lease)
I have it.
> (2) The other interfering issue may be if your phone has an IP that you decided to send out the VPN tunnel - list=VPN-TV-list
> and thus you may not be able to reach the router LOL..........
This is it. When I changed the IP I have access. Thanks. How do I set the issue as SOLVED?
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Internet with WireGuard via VPN-client

Sun Mar 05, 2023 3:27 am

Since you created the thread, you pick the post that solved it by going to the right hand upper corner, where quote symbol is etc.... there is also a green box with a white checkmark,,,,, voila!
 
drzordz
just joined
Topic Author
Posts: 12
Joined: Sat Feb 25, 2023 10:46 am

Re: Access to Internet with WireGuard via VPN-client

Sun Mar 05, 2023 11:05 am

> Since you created the thread, you pick the post that solved it by going to the right hand upper corner, where quote symbol is etc.... there is also a green box with a white checkmark,,,,, voila!
Well, the solution was in several posts :) I will mark probably the most helpful. Thanks again.
