dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Wireguard VPN access to the routerbox

Tue May 31, 2022 11:08 pm

I have an RB750GR3 and have set up some Wireguard VPN access points for remote devices like iPhones and Windows boxes. All works fine, but I can't connect to the routerbox - how can I do this?

I have an address range 192.168.10.1/24 that I have allowed in /ip address. The local LAN served by the routerbox is at 10.160.1.1 (/24) and my peers start at 192.168.10.2. I can connect to the internet if I specify DNS server at 1.1.1.1, but not if I specify either 192.168.10.1 or 10.160.1.1 (which seems to contradict the guidance).

I would like to be able to connect to the whole 10.160.1.1/24 range but the routerbox won't connect. How can I do that? Sometimes I have got the rest of that range to connect but I'm not sure how I did that.

I'm also interested to know how I can restrict connection to a NAS box in the local LAN IP address range and SMB traffic only, but that is a less important question.

Darren.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN access to the routerbox

Wed Jun 01, 2022 1:50 pm

An organized approach will help; your all-over-the-map situation recount is not all that helpful.

A network diagram would help.
Also a list of requirements (what users need):
a. iPhone user access to subnet .50 on Router A
b. Android user access to internet on Router A
c. admin laptop access to Router A, for config purposes.
etc., etc.

Then a proper network setup can be done.
viewtopic.php?t=182340
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Wed Jun 01, 2022 5:46 pm

LAN ---------- MT Routerbox ---------- Internet ---------- Client 1, e.g., iPhone
LAN: 10.160.1.0/24, DNS server 10.160.1.1
MT Routerbox: public IP, 10.160.100.1, WG 192.168.10.1/24
Client 1: public IP, 192.168.10.2/32, DNS 1.1.1.1, Allowed IPs 0.0.0.0/0
I have a firewall filter rule which, off the top of my head, is
add action=accept chain=input dst-port=13231 protocol=udp src-address=192.168.10.0/24

Does this help? It should be a vanilla road warrior setup. It works for internet traffic; I just can't see (all of) the LAN range, most specifically 10.160.100.1.

Darren.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN access to the routerbox

Thu Jun 02, 2022 4:34 am

post config
/export file=anynameyouwish
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Thu Jun 02, 2022 11:11 am

Thanks for the reply. Attachment from /export hide-sensitive. I can access my LAN from my iPhone but not 10.160.100.1. Other 10.160.100.x addresses can be accessed.
WireguardTroubleshoot.rsc
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN access to the routerbox

Sat Jun 04, 2022 3:12 pm

Where is the network diagram? Nothing is clear.
How many Access points do you have?
How many Access points are hosting as a wireguard server?
Why would wifi clients on the AP require wireguard to access the local network?
How are the Windows boxes communicating with the APs??

All very confusing.
What is wireguard being used for??
To reach internet at remote site
To reach subnet at remote site

There is no indication of a remote site here.
Where does the router fit in the above equation?
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Sat Jun 04, 2022 8:13 pm

Hi,

Thanks for taking a look at the configuration.

There’s nothing as sophisticated as site-to-site cross-LAN setups going on. I have one home LAN with an MT router and a few personal devices. I want the personal devices to connect to my home LAN when I’m out of the house. So, specifically, I want my personal devices to connect to both the internet and the LAN via WireGuard.

One thing to add is that this basically all seems to work - except I can't access the router IP address 10.160.100.1. I can access, e.g., 10.160.100.30. I suspect this is a loopback issue but I can't figure it out.

Darren.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN access to the routerbox

Sun Jun 05, 2022 2:10 pm

Okay, this is fairly straightforward then: laptop or iPhone to home for internet, to subnets and to configure the router.
As in all wireguard setups.
1. configure the wireguard settings.
2. ensure firewall rules allow traffic.
3. ensure routes are provided

Since it appears that the MT router is internet facing (public IP), there is less complication.

Not sure why you have two bridges?? I removed it, also all the interfaces, keeping it WAN and LAN for now. Simplify, simplify, simplify.

Removed IP DHCP client ether1 --->, all is configured from your pppoe menus....... thus not required.

Not sure the purpose of your IP arp but left that in there.

IP address was set to ether3, an error; it should be bridge.

DISABLED THIS RULE FOR NOW DURING TESTING....
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic disabled=yes

I loathe people who mix forward chain and input chain rules; it gets confusing fast and more prone to errors.

Why do you need destination addresses in your input chain for ipsec????
The input chain is to the router?? I left them in but cannot recall ever seeing destination addresses in this spot ?????
Your IP is pppoe and not static, correct? So if it's the router's WAN IP it would have to be changed anyway; in any case NOT required.
I see these rules are disabled for now........

Instead of saying drop all traffic not coming from LAN, simply state accept traffic coming from LAN. Add the wireguard interface to the LAN list and you now have access to the router via firewall rules.

Last input chain rule should simply be drop all. JUST MAKE SURE you do this rule AFTER, allowing LAN access rule above.

It seems you have multiple rules for allowing wireguard to the forward chain......
just need
add chain=forward action=accept in-interface=wireguard1 and now you have access to any subnets and to WAN.

However I don't like wide open necessarily, and it also shows that you have no rule allowing specifically LAN to WAN traffic.
I don't like implied anything; nail down what traffic flow is permitted and the rest is dropped.

Don't understand this one. What would be the purpose of trying to wireguard to your iPhone from the home router?
A little better I suppose is attempting to wireguard to a work desktop from home, but what would you be doing in this case??

add action=accept chain=forward comment="Wireguard Forward" disabled=yes \
dst-address=192.168.10.0/24 src-address=10.160.100.0/24

Modified the end of the forward chain to make it clear: allow port forwarding, allow LAN to WAN, and drop all else...

Lots going on lots disabled, so not sure what the intent is regarding vpn. Hopefully you will get rid of everything but wireguard LOL.

Looking at routes, the pppoe route for all WAN traffic is handled (add default route).
Since you have an IP address for wireguard........ this is autogenerated:
<DAC> dst-address=192.168.10.0/24 gateway=wireguard1 table=main

Covers the return flow (from subnets and internet) from external originated traffic (aka phone or desktop)
Covers outgoing flow (from local subnet) to laptop if that is a valid need

# jan/04/1970 03:58:14 by RouterOS 7.2.3
# model = RouterBOARD 750G r3
/interface bridge
add admin-mac=6C:3B:6B:7E:AD:EF auto-mac=no comment=\
    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full rx-flow-control=auto speed=\
    100Mbps tx-flow-control=auto
set [ find default-name=ether2 ] name=ether2-master rx-flow-control=auto \
    speed=100Mbps tx-flow-control=auto
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    service-name=Vodafone use-peer-dns=yes user=\
    dsl002066683@broadband.vodafone.co.uk
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name="Group VPN"
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=1h enc-algorithm=\
    aes-256,aes-128,3des hash-algorithm=sha256 lifetime=1h
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name="Profile VPN"
/ip ipsec peer
add exchange-mode=ike2 local-address=90.255.245.65 name="Peer VPN" passive=\
    yes profile="Profile VPN"
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
add auth-algorithms=sha256 disabled=yes enc-algorithms=\
    aes-256-cbc,aes-256-gcm name=myproposal pfs-group=modp2048
add auth-algorithms=sha256,sha1 lifetime=8h name="Proposal VPN" pfs-group=\
    none
/ip pool
add name=dhcp ranges=10.160.100.30-10.160.100.130
add name=VPN_Pool ranges=192.168.11.10-192.168.11.100
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=1h name=defconf
/ip ipsec mode-config
add address-pool=VPN_Pool address-prefix-length=32 name="Modeconf VPN" \
    split-include=0.0.0.0/0 static-dns=192.168.11.1 system-dns=no
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=VPN_Pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/routing table
add fib name=VPN
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=NONE
/interface l2tp-server server
set authentication=mschap2 use-ipsec=yes
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.10.2/32 comment=iPhone interface=wireguard1 \
    public-key="lh1V7h9b4YnavEDrDhokyZGUMfTnQPUgZkE6zabQEj4="
add allowed-address=192.168.10.3/32 comment="Work Desktop" interface=\
    wireguard1 public-key="i8IiqYCyUi6Qmg5L0wfdNg+Stpgtz5PSGrGxgX8etGY="
/ip address
add address=10.160.100.1/24 comment=defconf interface=bridge1 network=\
    10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
    192.168.10.0
/ip arp
add address=10.160.100.140 comment=D-Link interface=bridge1 mac-address=\
    6C:19:8F:CC:40:1C
add address=10.160.100.201 interface=bridge1 mac-address=0C:96:BF:51:D8:32
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=10.160.100.79 mac-address=60:B4:F7:F5:E9:0A server=defconf
add address=10.160.100.34 mac-address=60:B4:F7:F5:E8:B0 server=defconf
add address=10.160.100.85 mac-address=60:B4:F7:F5:E4:9C server=defconf
add address=10.160.100.76 mac-address=60:B4:F7:F5:E9:58 server=defconf
add address=10.160.100.46 client-id=1:0:18:dd:24:d:e8 mac-address=\
    00:18:DD:24:0D:E8 server=defconf
add address=10.160.100.65 client-id=33:30:44:33:32:44:41:32:45:43:34:32 \
    mac-address=30:D3:2D:A2:EC:42 server=defconf
add address=10.160.100.31 client-id=1:f4:8e:38:3f:77:f7 mac-address=\
    F4:8E:38:3F:77:F7 server=defconf
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
    00:11:32:B7:B2:15 server=defconf
add address=10.160.100.74 client-id=1:3c:2a:f4:f5:bf:7e mac-address=\
    3C:2A:F4:F5:BF:7E server=defconf
add address=10.160.100.52 client-id=1:b8:27:eb:21:63:14 mac-address=\
    B8:27:EB:21:63:14 server=defconf
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
    EC:71:DB:2E:8C:E0 server=defconf
/ip dhcp-server network
add address=10.160.100.0/24 comment=defconf domain=campbell-andrews.com \
    gateway=10.160.100.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.160.100.1 name=router
add address=10.160.100.30 comment="Point to the NAS box" name=\
    dazzaling69.synology.me
add address=10.160.100.30 comment="Point Campbell-Andrews traffic to NAS" \
    disabled=yes name=campbell-andrews.com
add address=10.160.100.30 comment="Send internal mail traffic to server" \
    name=mail.campbell-andrews.com
add address=8.8.8.8 name=test.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic  disabled=yes
/ip firewall filter
add action=accept chain=input comment=\
    "Maintain related and established connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "Accept all traffic from ike2-vpn clients / ipsec-in" disabled=yes \
    ipsec-policy=in,ipsec src-address=192.168.11.0/24
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="ICMP Accept Rule" log=yes log-prefix=\
    ICMP protocol=icmp
add action=accept chain=input comment="Allow IPSec_ESP" disabled=yes \
    dst-address=90.255.245.65 protocol=ipsec-esp
add action=accept chain=input comment="Allow UDP 500,4500 IPSEC" disabled=yes \
    dst-address=90.255.245.65 dst-port=500,4500 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all other packets"

add action=fasttrack-connection chain=forward comment=\
    "Fasttrack everything but IPSEC traffic" connection-mark=!ipsec \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow subnet and WG to internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow WG to subnets" \
    dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="allow Subnet to WG Desktop" disabled=yes \
    dst-address=192.168.10.3/32 src-address=10.160.100.0/24
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=change-mss chain=forward comment="TCP MSS CUT for ike2 vpn" \
    ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp \
    src-address=192.168.11.0/24 tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="TCP MSS CUT for ike2 vpn" \
    dst-address=192.168.11.0/24 ipsec-policy=out,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1300
add action=mark-connection chain=forward comment=\
    "Mark IPSEC connections to exclude them from fasttrack - out" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment=\
    "Mark IPSEC connections to exclude them from fasttrack - In" \
    ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes in-interface=pppoe-out1 \
    protocol=ipsec-esp to-addresses=10.160.100.30
add action=dst-nat chain=dstnat comment="Synology L2TP VPN" disabled=yes \
    dst-port=500,1701,4500 in-interface=pppoe-out1 log=yes log-prefix=\
    "Synology VPN" protocol=udp to-addresses=10.160.100.30
add action=dst-nat chain=dstnat comment=Email dst-port=25,465,587,110,993,995 \
    in-interface=pppoe-out1 log=yes log-prefix=Email protocol=tcp \
    to-addresses=10.160.100.30
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
    in-interface=pppoe-out1 log=yes log-prefix=PlexNAT protocol=tcp \
    to-addresses=10.160.100.30 to-ports=32400
add action=masquerade chain=srcnat comment=\
    "MSQRD all WAN traffice / non-ipsec" ipsec-policy=out,none \
    out-interface-list=WAN
/ip ipsec identity
add auth-method=eap-radius certificate=Cert,DigiCertCA generate-policy=\
    port-strict mode-config="Modeconf VPN" peer="Peer VPN" \
    policy-template-group="Group VPN"
add auth-method=digital-signature certificate=*8 disabled=yes \
    generate-policy=port-strict match-by=certificate mode-config=\
    "Modeconf VPN" peer="Peer VPN" policy-template-group="Group VPN" \
    remote-id=user-fqdn:cl@VPN
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 proposal=myproposal src-address=\
    0.0.0.0/0
add comment="Policy template for Road warriors" dst-address=192.168.11.0/24 \
    group="Group VPN" proposal="Proposal VPN" src-address=0.0.0.0/0 template=\
    yes
/ip route
add check-gateway=ping disabled=yes dst-address=0.0.0.0/0 gateway=pppoe-out1 \
    routing-table=VPN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=Cert disabled=no port=10443
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no domain=WORKGROUP enabled=yes interfaces=bridge1
/ip smb users
add name=Darren read-only=no
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip tftp
add real-filename=/flash/pub/CISCO/SIPDefault.cnf req-filename=SIPDefault.cnf
add real-filename=/flash/pub/CISCO/OS79XX.TXT req-filename=OS79XX.TXT
add real-filename=/flash/pub/CISCO/SIP000821ACFE4F.cnf req-filename=\
    SIP000821ACFE4F.cnf
add real-filename=/flash/pub/CISCO/P0S3-8-12-00.loads req-filename=\
    P0S3-8-12-00.loads
add real-filename=/flash/pub/CISCO/P0S3-8-12-00.sb2 req-filename=\
    P0S3-8-12-00.sb2
add real-filename=/flash/pub/CISCO/P003-8-12-00.bin req-filename=\
    P003-8-12-00.bin
add real-filename=/flash/pub/CISCO/P003-8-12-00.sbn req-filename=\
    P003-8-12-00.sbn
add real-filename=/flash/pub/CISCO/dialplan.xml req-filename=dialplan.xml
add read-only=no real-filename=/flash/pub/Dell_Switch req-filename=\
    Dell_Switch
add read-only=no real-filename=/flash/pub/Dell_Running req-filename=\
    Dell_Running
add read-only=no real-filename=/flash/pub/Dell_Startup req-filename=\
    Dell_Startup
add real-filename=x10xx_boot-10025.rfb req-filename=x10xx_boot-10025.rfb
/ip upnp
set enabled=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp secret
add name=Darren remote-address=10.160.100.254 service=l2tp
/radius
add address=10.160.100.30 service=ipsec src-address=10.160.100.1
/snmp
set contact=Routerboard trap-interfaces=all trap-target=10.160.100.30 \
    trap-version=3
/system clock
set time-zone-name=Europe/London
/system logging
add topics=ipsec
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=194.35.252.7
add address=130.88.203.12
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set ether2-master disabled=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
.....................

As for the work laptop, I am not quite sure how that works.............. I am assuming you have allowed IPs on the Windows wireguard client of 0.0.0.0/0?
and that the MT router never sees the actual subnet IP address the desktop is on but only the assigned wireguard IP address as source traffic (thus current allowed IPs at MT works)!
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Tue Jun 07, 2022 9:49 pm

Hi. Thanks for the detailed notes. I used this as a masterclass - thanks! Rather than just uploading your config I used it as a means to understand more what I am doing. I think I followed your guide well but I still can't connect to the MT router at 10.160.100.1. Everything else works perfectly.

Would you mind looking at my work and seeing what might be wrong?

As for connecting from router to a desktop, that was not my intent. All the devices connect to the router so they can access the LAN.

Darren.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Tue Jun 07, 2022 9:58 pm

Actually, one of the last firewall filters changes I made broke the WireGuard WAN access…
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN access to the routerbox

Tue Jun 07, 2022 11:51 pm

Just looking at the config, it appears you are using the MT as a wg server and you have three clients connecting: iPhone, HP tablet, work desktop.

So what is missing in the first rule? Clue: look at the second rule!!

add action=accept chain=forward comment="Allow Subnet and WG to internet" \
in-interface=bridge1 out-interface=pppoe-out1
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
dst-address=10.160.100.0/24 in-interface=wireguard1

Basically the wg subnet is not part of bridge1, so figure out how to add the wg interface with bridge1 (hint: use an interface list if wanting it to be one rule),
or simply add a second rule for wg access to the internet.

In any case as I pointed out the config needs much work.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Wed Jun 08, 2022 1:17 pm

I tried that and I can't make LAN access to Wireguard work, although WAN traffic filters fine. Is it an ordering of the firewall rules issue?

You said the config needs a lot of work. I thought I had done a lot of that work - I basically manually changed the config to look very similar to your modified one. Is there somewhere you think I should focus?

Thank you for your help so far - it's much appreciated.

Darren.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Wed Jun 08, 2022 6:17 pm

I got it to work using the method you suggested. I am now back to the situation of being able to access my subnet remotely but STILL no 10.160.100.1 access. This doesn't make any sense to me :-(

Everything works except this one thing. Perhaps I should be asking a different question, which is how should I best remote admin my MT router when I'm not at home?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN access to the routerbox

Thu Jun 09, 2022 5:24 am

I wireguard to my router and use the MT iPhone app to config the router.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Thu Jun 09, 2022 10:29 am

Because I can't access the router, using the remote iPhone app doesn't work either.

Do you think I should report this as a fault with the current software?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN access to the routerbox

Thu Jun 09, 2022 4:32 pm

Your config is the issue, not wireguard.
If you want to post your latest config I will have a look.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Fri Jun 10, 2022 10:37 am

OK. Thank you. File attached.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Mon Jun 13, 2022 7:49 pm

PS. I updated to the latest stable release and no change to the behaviour. The router stubbornly refuses to be addressable.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Sat Jun 18, 2022 1:11 pm

Hi Anav,

Have you had a chance to look at the config? Any help will be very much appreciated.

Darren.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN access to the routerbox  [SOLVED]

Sun Jun 19, 2022 1:45 am

It seems that @anav is MIA.

As for your problem, access to 10.160.100.1 from WG is blocked by firewall. If it should be unlimited, you can use:
/ip firewall filter
add chain=input in-interface=wireguard1 action=accept
Otherwise add other conditions like src-address=192.168.10.3 as needed.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Mon Jun 20, 2022 11:00 am

Thanks for stepping in there. That simple change was all it needed. Obvious when you look at it.

Are there any other security or performance improvements you'd suggest?

Thanks to you and also to Anav for the previous help.

Darren.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN access to the routerbox

Thu Jun 23, 2022 4:38 am

One tip, order of rules matters. So if you look at filter rules in input chain (in 10Jun.rsc), #6-8 are useless, because #9 would drop matching packets anyway. It's not the rules themselves, but their position. Correct order would be:

1, 6, 5, 7, 2, 3, 4, 9 (8 is useless)

Last rule in forward chain is useless too, because nothing will ever get to it through the unconditional drop before it.
 
dazzaling69
Member Candidate
Topic Author
Posts: 104
Joined: Wed Feb 22, 2017 12:01 pm

Re: Wireguard VPN access to the routerbox

Tue Jun 28, 2022 2:33 pm

Thanks again for your help. I made the changes you proposed and they seemed to work fine. I didn't notice any real-world impact either way - perhaps because I don't really stress the system.

Can you explain why that change in order might have an impact? I'm interested for my own education.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN access to the routerbox

Tue Jun 28, 2022 3:13 pm

Order of rules matters, because router goes through them from top and checks if conditions match for current packet. If they do, then that rule is used and all following ones are skipped.

Some changes make a functional difference. For example, the rule that blocks packets from the internet that have non-public source addresses: if you have it after the rule that accepts Wireguard packets, then it's pointless, because the WG rule will accept even packets with a non-public source. Same for dropping packets with invalid connection state; you don't want them at all (usually), so you need to deal with them before some other rule accepts them.

Other changes can help with performance. The idea is to process the majority of packets as soon as possible, i.e. the lower the number of rules that have to be checked, the better. That's why accepting established and related is first, because it's what the vast majority of packets are. As for new connections (after you dealt with established, related and invalid), most of them will be from LAN (definitely more than e.g. new WG connections), so you want that near the top.

Performance wise, you won't really see any difference with just a few rules like you have, but it's still good to know about it. Maybe one day you'll need a firewall with a thousand rules, and then it will matter.
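The two points above (Sob's input-chain fix and the first-match ordering explanation), worked through in an added example that is not code from this thread or from MikroTik: it models the input chain as posted earlier in the thread, with the test packets and the 10.0.0.0/8 NotPublic entry constructed here as assumptions.

```python
"""First-match model of the /ip firewall filter input chain posted in this thread.

Added example (not code from the thread or from MikroTik). RouterOS walks a
chain top-down and the first matching rule decides, so this model shows why
WG clients reached the LAN but not 10.160.100.1, why Sob's
`chain=input in-interface=wireguard1 action=accept` fixes it, and why a drop
placed after an accept never fires. Lists, addresses and ports come from the
posted config; packets and the 10.0.0.0/8 list entry are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Interface lists from the posted config: note wireguard1 is NOT in LAN.
INTERFACE_LISTS = {"LAN": {"bridge1"}, "WAN": {"ether1", "pppoe-out1"}}
# NotPublic holds 0.0.0.0/8 in the config; 10.0.0.0/8 is an assumption added here.
ADDRESS_LISTS = {"NotPublic": [ip_network("0.0.0.0/8"), ip_network("10.0.0.0/8")]}


@dataclass
class Packet:
    in_interface: str
    src: str
    dst: str
    protocol: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    state: str = "new"             # new / established / related / invalid


@dataclass
class Rule:
    action: str                    # "accept" or "drop"
    comment: str = ""
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None
    src_address_list: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Tuple[str, ...] = ()

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must hold; unset matchers match anything."""
        if self.in_interface and p.in_interface != self.in_interface:
            return False
        if self.in_interface_list and \
                p.in_interface not in INTERFACE_LISTS[self.in_interface_list]:
            return False
        if self.src_address_list and not any(
                ip_address(p.src) in net for net in ADDRESS_LISTS[self.src_address_list]):
            return False
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return not self.connection_state or p.state in self.connection_state


def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, int]:
    """Return (action, rules examined). First match wins; a packet that falls
    off the end of a chain is accepted, as in RouterOS."""
    for i, rule in enumerate(chain, start=1):
        if rule.matches(p):
            return rule.action, i
    return "accept", len(chain)


# Input chain as posted in the thread, before Sob's fix (disabled rules omitted).
INPUT_CHAIN_ORIGINAL = [
    Rule("accept", "established,related", connection_state=("established", "related")),
    Rule("accept", "Allow Wireguard", protocol="udp", dst_port=13231),
    Rule("drop", "drop invalid", connection_state=("invalid",)),
    Rule("accept", "ICMP Accept Rule", protocol="icmp"),
    Rule("accept", "from LAN list", in_interface_list="LAN"),
    Rule("drop", "Drop all other packets"),
]
# Same chain with Sob's rule inserted ahead of the final drop.
SOB_FIX = Rule("accept", "Allow WG to router", in_interface="wireguard1")
INPUT_CHAIN_FIXED = INPUT_CHAIN_ORIGINAL[:-1] + [SOB_FIX, INPUT_CHAIN_ORIGINAL[-1]]

# Constructed packet: the iPhone (WG address 192.168.10.2) opening the router's
# www-ssl service on port 10443 (the port set in the posted /ip service).
WG_TO_ROUTER = Packet("wireguard1", "192.168.10.2", "10.160.100.1", "tcp", 10443)


def bogon_drop_result(drop_first: bool) -> str:
    """Sob's ordering point: a drop for non-public WAN sources protects udp/13231
    only when it sits BEFORE the rule that accepts that port."""
    bogon = Rule("drop", "drop NotPublic from WAN", in_interface_list="WAN",
                 src_address_list="NotPublic")
    wg = Rule("accept", "Allow Wireguard", protocol="udp", dst_port=13231)
    # Constructed packet: arrives on the WAN interface with a private source.
    spoofed = Packet("pppoe-out1", "10.9.9.9", "10.160.100.1", "udp", 13231)
    return evaluate([bogon, wg] if drop_first else [wg, bogon], spoofed)[0]
```

`evaluate(INPUT_CHAIN_ORIGINAL, WG_TO_ROUTER)` lands on the final drop, while the same packet against `INPUT_CHAIN_FIXED` is accepted by Sob's rule, and ICMP from the tunnel is accepted by the ICMP rule in both chains.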
