scrool
just joined
Topic Author
Posts: 3
Joined: Sat Aug 07, 2021 12:30 pm

Remote road warrior connected through wireguard cannot reach LAN machines

Tue Jan 18, 2022 1:59 am

I'm wondering if anybody could give me a hint on how to configure a remote road warrior over WireGuard to connect to machines on the LAN.

Firstly, a network diagram:
Mikrotik-wireguard-road-warrior.drawio.png

Secondly, a config file:
mikrotik-config.rsc

Thirdly, a background story. Originally I configured my MikroTik router through Quick Set with the LAN addresses 192.168.1.3/24. That's why you'll see "defconf" references. On top of that I created a WireGuard tunnel with 10.-something-/24. I was able to reach the router, the machines in the WireGuard network and also the machines on the LAN. It turned out that some WiFi hotspots/networks use the same network as my LAN. That's why I decided to change the IP addresses of both the LAN and the WireGuard networks.

You can see a visual representation of the new subnets on this link. In particular it is the network 172.31.32.0/19 (172.31.32.1 - 172.31.63.254) where:
  • 172.31.32.0/20 (172.31.32.1 - 172.31.47.254) is the LAN network - in the config commented as "newconf"
  • 172.31.48.0/20 (172.31.48.1 - 172.31.63.254) is the WireGuard network - in the config commented as "wireguard"

The PC is a Linux machine configured through NetworkManager. I believe the relevant sections of the config file follow:
[connection]
id=wg1
type=wireguard
interface-name=wg1

[wireguard-peer.<REDACTED>]
endpoint=192.0.2.99:51003
allowed-ips=172.31.48.0/20;

[ipv4]
address1=172.31.48.42/32
method=manual

I have tried various combinations of allowed-ips without much luck. I have also tried replacing this host with a client running on an Android phone.

The virtual server is a jail running on FreeNAS. Instead of it I've also tried to reach a physical Linux machine, without luck.

Once I establish a WireGuard tunnel, I'm able to reach the router's and the file server's WireGuard addresses. What I'm not able to reach is the virtual server, which has only a LAN address.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Remote road warrior connected through wireguard cannot reach LAN machines

Tue Jan 18, 2022 2:43 am

You have really large subnets, @anav won't like that. :D Don't worry if you don't get it.

Anyway, without examining all the details, it's pretty clear why you can't reach 172.31.34.1 from the client when it has allowed-ips=172.31.48.0/20. It's not in that subnet.

What you probably want is:

- both servers with /20 mask (and same goes for all other devices in LAN)
- allowed-ips=172.31.32.0/20 or allowed-ips=172.31.32.0/19 on client
- no WG client on file server (at least I don't see what it's good for), you can simply access it using 172.31.32.33
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remote road warrior connected through wireguard cannot reach LAN machines

Tue Jan 18, 2022 3:57 am

Got it covered.......
viewtopic.php?t=182340

Well, almost; I have the Server Config left to enter (which is where the OP probably needs work).
 
scrool
just joined
Topic Author
Posts: 3
Joined: Sat Aug 07, 2021 12:30 pm

Re: Remote road warrior connected through wireguard cannot reach LAN machines  [SOLVED]

Tue Jan 18, 2022 3:39 pm

> You have really large subnets, @anav won't like that. :D Don't worry if you don't get it.

I don't get it, nor mind. :D

> - both servers with /20 mask (and same goes for all other devices in LAN)
> - allowed-ips=172.31.32.0/20 or allowed-ips=172.31.32.0/19 on client

Thanks, it works!

> - no WG client on file server (at least I don't see what it's good for), you can simply access it using 172.31.32.33

Since I needed to access that server remotely somehow, I did it that way. I can remove that one now.

----------------

Just to recap how it looks now:
Mikrotik-wireguard-road-warrior-working.drawio.png
On the MikroTik I changed from:
/ip dhcp-server network add address=172.31.32.0/20 comment=newconf dns-server=172.31.32.3 domain=m9.scrool.net gateway=172.31.32.3 netmask=19
to
/ip dhcp-server network add address=172.31.32.0/20 comment=newconf dns-server=172.31.32.3 domain=m9.scrool.net gateway=172.31.32.3 netmask=20

And on PC (client) side from:
allowed-ips=172.31.48.0/20
to
allowed-ips=172.31.32.0/19
(so I can also reach the devices in the WireGuard network).
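As an added check, not part of the thread and not a MikroTik or NetworkManager tool, here is a small Python script that reproduces the two mismatches diagnosed above: a peer whose allowed-ips do not cover the LAN, and a DHCP pool whose netmask (19) differs from the pool prefix (/20). The addresses are the ones quoted in the posts; the function names are my own.

```python
import ipaddress

# Values quoted in the thread (constructed test data, not a live config)
LAN = "172.31.32.0/20"          # "newconf" LAN
WG = "172.31.48.0/20"           # WireGuard subnet
TARGETS = {
    "router LAN": "172.31.32.3",      # DHCP gateway from the rsc line
    "file server LAN": "172.31.32.33",
    "virtual server": "172.31.34.1",  # only has a LAN address
}

def parse_allowed_ips(value: str) -> list[ipaddress.IPv4Network]:
    """Parse a NetworkManager keyfile allowed-ips value ("a/b;c/d;")."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(";") if p.strip()]

def unreachable(allowed_ips: str, targets: dict[str, str]) -> list[str]:
    """Names of targets the client will not even route into the tunnel.

    WireGuard's AllowedIPs doubles as the client's routing table for the
    interface: a destination outside every listed prefix is never sent
    through wg1, regardless of what the router would do with it.
    """
    nets = parse_allowed_ips(allowed_ips)
    return [name for name, ip in targets.items()
            if not any(ipaddress.ip_address(ip) in n for n in nets)]

def dhcp_mask_mismatch(pool: str, netmask: int) -> bool:
    """True when `/ip dhcp-server network ... netmask=N` disagrees with
    the pool prefix. With address=172.31.32.0/20 netmask=19, LAN hosts
    get a /19 mask that swallows the WG subnet, so they ARP for WG
    clients as on-link neighbours instead of replying via the router."""
    return ipaddress.ip_network(pool).prefixlen != netmask

def report(allowed_ips: str, netmask: int) -> dict:
    """Summarise both checks for one client/router combination."""
    return {"unreachable": unreachable(allowed_ips, TARGETS),
            "dhcp_mask_mismatch": dhcp_mask_mismatch(LAN, netmask)}

if __name__ == "__main__":
    print("before:", report("172.31.48.0/20;", 19))   # the broken setup
    print("after: ", report("172.31.32.0/19", 20))    # the working one
```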
