pcunite
Forum Guru
Topic Author
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

WireGuard server behind NAT (MikroTik router)

Mon Jul 19, 2021 11:29 pm

I have a WireGuard server (Ubuntu 20.04) running behind a MikroTik router at remote Network B. It seems to work well, with one exception I would like your thoughts on. I'm getting a "Destination host unreachable" reply (which shows up as an invalid packet in a firewall rule), but only for the first ping attempt, and I don't know why.

Network Overview: WG_Behind_NAT.png (image attached to the post)

A lot of examples on the net show WireGuard PostUp & PostDown configs for their WireGuard server. However, since mine is behind NAT, I don't require masquerade rules and the like. I have set two rules on the MikroTik firewall/router I control at network B, namely, forwarding to the WireGuard server, and then setting the route back to the WireGuard server.

Here is my MikroTik configuration. Note the rule to catch the invalid packets. Any harm in leaving this always on? What is creating these invalid ping replies? Pings to other networks work fine. It is only pings to hosts on the same network as the WireGuard eth0 interface that produce these. Also note that Send Redirects is on (otherwise all replies come back as invalid).

MikroTik Router setup:
/ip settings
set send-redirects=yes secure-redirects=yes rp-filter=strict tcp-syncookies=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN comment="Default masquerade"
add action=dst-nat chain=dstnat dst-port=51820 to-ports=51820 in-interface-list=WAN protocol=udp to-addresses=10.0.10.2 comment="WireGuard Server"

/ip route
add distance=1 dst-address=10.0.60.0/24 gateway=10.0.10.2 comment="Set route back to WireGuard server"

/ip firewall filter
add action=accept chain=input connection-state=established,related comment="Allow Estab & Related"
add action=drop chain=input comment="Drop"
add action=accept chain=forward connection-state=established,related comment="Allow Estab & Related"
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="Allow VLAN"
add action=accept chain=forward connection-state=invalid src-address=10.0.10.0/24 dst-address=10.0.60.0/24 in-interface=CORP_VLAN out-interface=CORP_VLAN comment="Why invalid for WireGuard Server?"
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN comment="Allow port forwards"
add action=drop chain=forward comment="Drop"
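To check how the filter rules in the post above actually order and match, here is an added example (not code from the post, nor from MikroTik) that parses those exact export lines and walks a few constructed packets through them with first-match semantics. It shows which rule catches the hairpin "invalid" packet the post asks about, what happens to that packet if the rule is removed, and that the dst-natted WireGuard handshake and unsolicited WAN traffic end up where intended. The interface-list membership (ether1 in WAN, CORP_VLAN in VLAN) and all packet addresses are assumptions made for this example; the post does not show /interface list member.

```python
"""First-match walk of the /ip firewall filter rules posted above.

Added example (not code from the post or from MikroTik): it parses the
RouterOS export lines into rules and pushes a few constructed packets through
them, so the effect of rule ordering and of the 'invalid' rule can be checked
offline. Only the matchers used in the post are modelled; the interface-list
membership below is an assumption, since the post does not show
/interface list member.
"""
from __future__ import annotations

import ipaddress
import shlex

# The /ip firewall filter rules exactly as posted.
FILTER_EXPORT = """
add action=accept chain=input connection-state=established,related comment="Allow Estab & Related"
add action=drop chain=input comment="Drop"
add action=accept chain=forward connection-state=established,related comment="Allow Estab & Related"
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="Allow VLAN"
add action=accept chain=forward connection-state=invalid src-address=10.0.10.0/24 dst-address=10.0.60.0/24 in-interface=CORP_VLAN out-interface=CORP_VLAN comment="Why invalid for WireGuard Server?"
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN comment="Allow port forwards"
add action=drop chain=forward comment="Drop"
"""

# Assumed interface-list membership: ether1 is the WAN port, CORP_VLAN is in VLAN.
IFACE_LISTS = {"WAN": {"ether1"}, "VLAN": {"CORP_VLAN"}}


def parse_rules(export: str) -> list[dict[str, str]]:
    """Turn 'add key=value ...' lines into dicts (shlex keeps quoted comments whole)."""
    rules = []
    for line in export.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def matches(rule: dict[str, str], pkt: dict[str, str]) -> bool:
    """All matchers in a rule must hold (RouterOS ANDs them)."""
    for key, want in rule.items():
        if key in ("action", "comment"):
            continue
        if key == "chain":
            ok = pkt["chain"] == want
        elif key in ("connection-state", "connection-nat-state"):
            ok = pkt.get(key) in want.split(",")      # any listed state matches
        elif key in ("src-address", "dst-address"):
            ok = ipaddress.ip_address(pkt[key[:3]]) in ipaddress.ip_network(want)
        elif key in ("in-interface", "out-interface"):
            ok = pkt.get(key) == want
        elif key in ("in-interface-list", "out-interface-list"):
            ok = pkt.get(key.replace("-list", "")) in IFACE_LISTS.get(want, set())
        else:
            raise ValueError(f"matcher not modelled here: {key}")
        if not ok:
            return False
    return True


def evaluate(rules, pkt) -> tuple[str, str]:
    """(action, comment) of the first matching rule; an unmatched chain accepts."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "(end of chain)"


def without(rules, comment_fragment: str):
    """Copy of the ruleset with the rule whose comment contains the fragment removed."""
    return [r for r in rules if comment_fragment not in r.get("comment", "")]


RULES = parse_rules(FILTER_EXPORT)

# Constructed packets (not captures from the post).
# The case the post's 'invalid' rule is written for: a packet from a LAN host
# to a WireGuard client address that arrives at the router and goes back out
# the same VLAN, e.g. an ICMP echo reply whose request the router never
# tracked; conntrack flags such a packet invalid rather than new.
HAIRPIN = {"chain": "forward", "connection-state": "invalid",
           "src": "10.0.10.50", "dst": "10.0.60.3",
           "in-interface": "CORP_VLAN", "out-interface": "CORP_VLAN"}
# A WireGuard handshake from the internet after dst-nat to 10.0.10.2.
WG_HANDSHAKE = {"chain": "forward", "connection-state": "new",
                "connection-nat-state": "dstnat", "src": "203.0.113.7",
                "dst": "10.0.10.2", "in-interface": "ether1",
                "out-interface": "CORP_VLAN"}
# An unsolicited packet from the internet that was not dst-natted.
UNSOLICITED = {"chain": "forward", "connection-state": "new",
               "src": "203.0.113.7", "dst": "10.0.10.50",
               "in-interface": "ether1", "out-interface": "CORP_VLAN"}
# A new connection aimed at the router itself from the WAN side.
WAN_INPUT = {"chain": "input", "connection-state": "new",
             "src": "203.0.113.7", "dst": "198.51.100.2", "in-interface": "ether1"}

if __name__ == "__main__":
    for name, pkt in [("hairpin", HAIRPIN), ("wg handshake", WG_HANDSHAKE),
                      ("unsolicited", UNSOLICITED), ("wan input", WAN_INPUT)]:
        print(f"{name:13s} -> {evaluate(RULES, pkt)}")
    print("hairpin w/o invalid rule ->", evaluate(without(RULES, "Why invalid"), HAIRPIN))
```

Run it as a script to see the verdict for each packet. The `without()` call shows the practical answer to "any harm in leaving this always on": with the invalid-accept rule gone, the hairpin packet falls through to the final forward drop, while the rule as written only opens CORP_VLAN-to-CORP_VLAN traffic between the two stated subnets, so nothing from the WAN interface list can use it.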

anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard server behind NAT (MikroTik router)

Tue Jul 20, 2021 2:11 am

I have always used rp-filter=loose, not strict, but I'm not sure if that makes a difference here.

My WireGuard MT router behind my main MT router is similar to your scenario, I guess. The other end is an ISP modem/router combo in front of an RB4011 acting as a router and as the WireGuard client part of the connection (feeding the PC client).

(1) On the main router CCR1009 (on the server side) one has to set dst-nat so that the incoming initial UDP WireGuard request goes to the LAN IP of the WireGuard router on one of the main router's subnets.
This IP is the same as the WAN IP of the WireGuard server router (RB450Gx4).

(2) On the main router on the server side you need an IP route for every WireGuard connection; this is to ensure return internet traffic gets back to the client PC via the tunnel:
dst = IP address of the PC / subnet of the PC, gw = LAN_gwy (in this case the LAN IP of the WireGuard server router)

(For example, let's say the PC in question (the client, behind the RB4011 client router) has an IP of 192.168.35.9 and the LAN IP of the WireGuard router is 192.168.31.3.)
IP ROUTE
dst 192.168.35.0/24 gw=192.168.31.3

Therefore the router, which sees the PC's IP address on the return traffic, knows to send it to the WireGuard server router.

(3) On the WireGuard server router there are three things one needs:

First, a rule to capture the initial connection, which has been dst-natted to the MT WireGuard router: input chain, protocol UDP, the listening port (the same port as on the main router), etc.

Second, one needs an IP route in the WireGuard router's main table to get all internet-bound traffic to the main router (or perhaps only traffic destined for the subnets of the main router, if desired):
dst 0.0.0.0/0 gw=192.168.31.1

Third, one needs an IP route on the WireGuard router to push all return traffic coming from the internet to the WireGuard interface:
dst 192.168.35.0/24 gw=wireguard interface (I don't use an IP address for my WireGuard interface; here I simply use the WireGuard interface name).


Other Notes:
- I tend to use IP Cloud to identify allowed IP addresses (if the other end is an MT router; very handy), both for the incoming dst-nat rule and for the incoming input chain VPN rule.
- I set up the connections such that I can access the RB4011 (for config purposes, via WinBox) at the other site, acting as the client device in front of the client PC.
- I set up the connections such that I can access the RB450Gx4 (for config purposes, via WinBox), the MT router behind the main router.
- I set up the connections such that the PC client can access a shared printer on a subnet of the main MT router on the server side.
Last edited by anav on Tue Jul 20, 2021 2:47 pm, edited 4 times in total.
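The three steps in the reply above are really one routing design, so here is an added example (not code from the post or from MikroTik) that models both routers' tables with longest-prefix match and traces a packet from the client PC out to the internet and the return packet back into the tunnel. It uses the addresses and the "dst ... gw=..." notation from the post; the main router's upstream next hop 198.51.100.1, the WireGuard interface name "wireguard1" and the "isp" marker for the upstream are assumptions made for this example. It also shows the two failure modes the routes prevent: without the step (2) route the return traffic leaves toward the ISP, and without the step (3) route it ping-pongs between the two routers.

```python
"""Hop-by-hop trace of the two-router layout in the reply above.

Added example (not code from the post or from MikroTik): it models the
routing tables of the main router and of the WireGuard router behind it
with longest-prefix match and traces a client-PC packet out to the internet
and the return packet back into the tunnel. The route lines use the post's
own 'dst ... gw=...' notation and addresses; the main router's upstream next
hop 198.51.100.1, the interface name 'wireguard1' and the marker 'isp' for
the upstream are assumptions made for this example.
"""
from __future__ import annotations

import ipaddress


def parse_routes(text: str) -> list[tuple[ipaddress.IPv4Network, str]]:
    """Parse lines of the form 'dst 192.168.35.0/24 gw=192.168.31.3'."""
    routes = []
    for line in text.strip().splitlines():
        _, dst, gw = line.split()
        routes.append((ipaddress.ip_network(dst), gw.split("=", 1)[1]))
    return routes


# Main router (CCR1009 in the post): default to the ISP, plus the step (2)
# route that sends the client subnet back to the WireGuard router's LAN IP.
MAIN_ROUTES = parse_routes("""
dst 0.0.0.0/0 gw=198.51.100.1
dst 192.168.35.0/24 gw=192.168.31.3
""")

# WireGuard router (RB450Gx4 in the post): the step (3) routes, default to
# the main router and the client subnet to the WireGuard interface.
WG_ROUTES = parse_routes("""
dst 0.0.0.0/0 gw=192.168.31.1
dst 192.168.35.0/24 gw=wireguard1
""")

ROUTERS = {"main": MAIN_ROUTES, "wg": WG_ROUTES}
# Which device answers for each next-hop address; 'isp' terminates the trace.
OWNER = {"192.168.31.1": "main", "192.168.31.3": "wg", "198.51.100.1": "isp"}


def lookup(routes, dst: ipaddress.IPv4Address):
    """Longest-prefix match; returns (network, gateway) or None."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def trace(start: str, dst: str, routers=ROUTERS, max_hops: int = 8) -> list[str]:
    """Follow next hops from 'start' until the packet leaves via an interface,
    reaches the ISP, or has no route. Returns the list of hops."""
    path, router, addr = [start], start, ipaddress.ip_address(dst)
    for _ in range(max_hops):
        hit = lookup(routers[router], addr)
        if hit is None:
            return path + ["no route"]
        gw = hit[1]
        owner = OWNER.get(gw)
        if owner is None:            # gateway given as an interface name: tunnel exit
            return path + [gw]
        path.append(owner)
        if owner not in routers:     # the upstream; nothing more to model
            return path
        router = owner
    return path + ["loop"]


def without(routes, prefix: str):
    """Copy of a table with one prefix removed, to show the failure modes."""
    net = ipaddress.ip_network(prefix)
    return [(n, g) for n, g in routes if n != net]


if __name__ == "__main__":
    print("PC -> internet :", trace("wg", "203.0.113.10"))
    print("internet -> PC :", trace("main", "192.168.35.9"))
    no_step2 = {"main": without(MAIN_ROUTES, "192.168.35.0/24"), "wg": WG_ROUTES}
    print("without step (2) route:", trace("main", "192.168.35.9", no_step2))
    no_step3 = {"main": MAIN_ROUTES, "wg": without(WG_ROUTES, "192.168.35.0/24")}
    print("without step (3) route:", trace("main", "192.168.35.9", no_step3))
```

The loop case is worth noting from a security-operations angle: with the main router's route present but the WireGuard router's tunnel route missing, return packets for 192.168.35.0/24 bounce between the two routers until TTL expires, which shows up as a burst of traffic on the inter-router link rather than a clean "no route".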

pcunite
Forum Guru
Topic Author
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: WireGuard server behind NAT (MikroTik router)

Tue Jul 20, 2021 4:06 am

Thank you anav, I will look into your notes and see how I comply.
