btong
just joined
Topic Author
Posts: 8
Joined: Thu Sep 06, 2018 5:12 pm

Wireguard LAN to LAN (one side behind NAT) not working

Fri May 12, 2023 5:19 pm

Hi,

I'm struggling with a lab config between two CHRs running RouterOS 7.9

The topology is like this:
     LAN A -------------> Router A  -----> Internet ------> Provider (carrier NAT) --------> Router B ------------> LAN B
192.168.77.0/24                                                                                                192.168.88.0/24       


Router A has a public IP on its outside interface, router B doesn't due to the carrier NAT in the provider network. The tunnel will obviously only be able to be initiated by router B but this is OK.

I have built the following Wireguard config:

Router A
/interface wireguard
add listen-port=25070 mtu=1420 name=vpn-to-b
/interface wireguard peers
add allowed-address=192.168.77.0/24 endpoint-port=25070 interface=vpn-to-b public-key="2UZ1OE9TFaS0V/shFmTPKqLLgOeJjwovZZSbdsk/PhU="
/ip address
add address=1.2.4.7/24 interface=ether1 network=1.2.4.0
add address=192.168.77.1/24 interface=ether2 network=192.168.77.0
add address=10.255.255.2/30 interface=vpn-to-b network=10.255.255.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.77.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.77.0/24
/ip route
add distance=1 gateway=31.22.44.1
add dst-address=192.168.88.0/24 gateway=vpn-to-b
Router B
/interface wireguard
add listen-port=25070 mtu=1420 name=vpn-to-a
/interface wireguard peers
add allowed-address=192.168.88.0/24 endpoint-address=1.2.4.7 endpoint-port=25070 interface=vpn-to-a public-key="zW5HwHVFpqDwxRt1fKb/Yv+uSNKZhLXYnLm9TwwHsUA="
/ip address
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=10.255.255.1/30 interface=vpn-to-a network=10.255.255.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.77.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.88.0/24
/ip route
add distance=1 gateway=10.0.0.2
add dst-address=192.168.77.0/24 gateway=vpn-to-a

The keys look OK:
Router A
[admin@A] /ip/firewall/nat> /interface wireguard print
Flags: X - disabled; R - running
 0  R name="vpn-to-b" mtu=1420 listen-port=25070 private-key="gM+uCt/2WJajqM55VwpohdZBu2VtQ/l+LIRRYHYNkE0=" public-key="zW5HwHVFpqDwxRt1fKb/Yv+uSNKZhLXYnLm9TwwHsUA="
Router B
[admin@B] /ip/firewall/nat> /interface wireguard/print
Flags: X - disabled; R - running
 0  R name="vpn-to-a" mtu=1420 listen-port=25070 private-key="cKD9fR/8bKGhunHpcsnivQFJr3ZD7DOEMgGFzqLgq2U=" public-key="2UZ1OE9TFaS0V/shFmTPKqLLgOeJjwovZZSbdsk/PhU="
 
From everything I have read, this config looks OK, except I cannot ping from B to A, and I see no packets between them. As mentioned this is running in a lab (EVE-NG) so I can easily Wireshark the traffic between the nodes of the network.

I would be grateful for any help as I can't see what's wrong here.

Thanks
 
btong
just joined
Topic Author
Posts: 8
Joined: Thu Sep 06, 2018 5:12 pm

Re: Wireguard LAN to LAN (one side behind NAT) not working

Fri May 12, 2023 5:35 pm

I should also add that the routers are both able to ping each other, and that devices behind each can ping other things across the network. So it doesn't appear to be a network issue as such.

As mentioned, I don't see any Wireguard packets attempting to communicate between the two, so it looks either like a bug, or I have something missing from my config.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard LAN to LAN (one side behind NAT) not working

Fri May 12, 2023 6:19 pm

(1) PEER SETTINGS - MODIFY

R1
allowed-address=10.255.255.1/32,192.168.88.0/24

R2
allowed-address=10.255.255.2/30,192.168.77.0/24 persistent-keep-alive=35s

Note: if you wanted to use R1 internet from R2, then replace allowed-addresses with 0.0.0.0/0

Reading for understanding ---> viewtopic.php?t=182340

(2) IP NAT

R1 REMOVE
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.77.0/24

R2 REMOVE
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=192.168.77.0/24
 
mihyli
just joined
Posts: 3
Joined: Fri Feb 16, 2024 2:14 am

Re: Wireguard LAN to LAN (one side behind NAT) not working

Fri Feb 16, 2024 2:19 am

ok... will revive this thread...

I have wireguard s2s... already 4 peers running OK... without srcnat masquerade out-interface=wireguard...

but I added a 5th peer and it's not working without masquerade when out-interface is wireguard...

the 4 peers are running OK, so I know the config is no problem... can anybody explain?
Last edited by mihyli on Fri Feb 16, 2024 2:31 am, edited 1 time in total.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard LAN to LAN (one side behind NAT) not working

Fri Feb 16, 2024 4:34 am

No, not without seeing your wireguard peer settings on the router (all five) and the client device wireguard settings......
 
mihyli
just joined
Posts: 3
Joined: Fri Feb 16, 2024 2:14 am

Re: Wireguard LAN to LAN (one side behind NAT) not working

Fri Feb 16, 2024 10:49 am

server side:
Image

client side:
Image

Strange is that I can ping client-side LAN IPs from the server-side MikroTik's terminal, but not from server-side LAN IPs.

All other tunnels are working... but when I enable masquerade on wireguard outgoing, this one is working and the rest stop working.
Last edited by mihyli on Fri Feb 16, 2024 10:54 am, edited 3 times in total.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard LAN to LAN (one side behind NAT) not working

Fri Feb 16, 2024 2:42 pm

1. The client side settings should be:
allowed IPs=172.31.1.0/24, 192.168.10.0/24

Not sure why it's showing 6 wireguard peers; assuming the first one is for a different wg interface on the router and thus not in play for your question.
 
mihyli
just joined
Posts: 3
Joined: Fri Feb 16, 2024 2:14 am

Re: Wireguard LAN to LAN (one side behind NAT) not working

Fri Feb 16, 2024 2:46 pm

No it should not...

I don't want to pass traffic from other peers.. all peers are on one WG interface... all other peers are working without problems... config is the same. :(
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard LAN to LAN (one side behind NAT) not working

Fri Feb 16, 2024 4:50 pm

Yes it should, I would guess all your other peers are incorrect.
The way to ensure traffic does not pass is the use of firewall rules at the receiving router end.....
(aka assumes peer 5 is a router)

Ex at Peer 5
add action=accept chain=forward in-interface=wireguard dst-address=subnet src-address-list=( LIST OF SPECIFIC entities allowed to LAN via wireguard )

Ex at Peer 5
add action=accept chain=input in-interface=wireguard src-address-list= (List of wireguard IPs ALLOWED to configure router remotely )

The other case is if the peer is a singular device, like a PC. There is no concern as the allowed IPs is probably set to 0.0.0.0/0 (which most single devices use, which means EVERY IP, and this never causes issues at the device itself security-wise), and if actually set to
172.31.1.0/24,subnet-on-router..............
Think about it, there is no router config or LAN subnet for any remote users to connect to on the PC.
 
mihyli
just joined
Posts: 3
Joined: Fri Feb 16, 2024 2:14 am

Re: Wireguard LAN to LAN (one side behind NAT) not working

Fri Feb 16, 2024 5:02 pm

Those peers are other MikroTiks... :) the same config works flawlessly on the others... even that 10.0.0.0/24 tunnel is working...

SITE A: 192.168.10.0/24
SITE B: 10.0.0.0/24 (0.0.0.0/0 allowed IPs on wg peer)

From the site A MikroTik I can ping e.g. 10.0.0.8....
but from 192.168.10.5 I cannot ping 10.0.0.8....
Firewall rules are OK.. traceroute stops at 192.168.10.1, which is the site A MikroTik.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard LAN to LAN (one side behind NAT) not working

Fri Feb 16, 2024 5:36 pm

In general only the router (server for handshake) identifies a peer by /32 address (peer to peer quality).
All other routers (acting as clients for handshake) not using 0.0.0.0/0 for allowed IPs (covers all addresses) should utilize for allowed IPs:
wireguardsubnet, remotesubnet(s)

where remote subnet(s) details one or both possibilities:
remote subnets and their users that are coming into the local router and exiting the tunnel
remote subnets that LOCAL users have as destination addresses on their traffic heading into the tunnel.

There is no cause for concern by putting the wireguard subnet into allowed IPs. If you thought there was, it would be bogus as you already do so for any 0.0.0.0/0 entries.
In fact, if at the main router (server for handshake) you do not allow traffic to be relayed between peers, no cross traffic will occur anyway.
add chain=forward action=accept in-interface=wireguard out-interface=wireguard

Thus set up the proper format for wireguard routing, and ensure remote subnets are accounted for on each router needing to reach them or reply to them:
/ip route
add dst-address=remotesubnet gateway=wireguard routing-table=main

The rest is dealt with in firewall rules: input chain to reach config, forward to reach subnets or to enter the tunnel.
 
btong
just joined
Topic Author
Posts: 8
Joined: Thu Sep 06, 2018 5:12 pm

Re: Wireguard LAN to LAN (one side behind NAT) not working

Thu Feb 29, 2024 12:06 am

I've come back to this after not working on it for some time. I implemented the steps mentioned in an earlier reply and I now see Wireguard initiation packets being sent from B to A, but A never responds or initiates a tunnel.

My lab configs are as follows (anonymised)

A:
/interface ethernet
set [ find default-name=ether3 ] name=ether1
set [ find default-name=ether1 ] name=ether2
set [ find default-name=ether2 ] name=ether3
/interface wireguard
add listen-port=51820 mtu=1420 name=vpn-to-b
/interface wireguard peers
add allowed-address=192.168.88.0/24,10.255.255.2/32 endpoint-port=51820 interface=vpn-to-b public-key="zW5HwHVFpqDwxRt1fKb/Yv+uSNKZhLXYnLm9TwwHsUA="
/ip address
add address=1.2.3.247/24 interface=ether1 network=1.2.3.0
add address=192.168.77.1/24 interface=ether2 network=192.168.77.0
add address=10.255.255.1/30 interface=vpn-to-b network=10.255.255.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.77.0/24
/ip route
add distance=1 gateway=1.2.3.1
add dst-address=192.168.88.0/24 gateway=vpn-to-b
/system identity
set name=RouterA

B:
/interface ethernet
set [ find default-name=ether3 ] name=ether1
set [ find default-name=ether1 ] name=ether2
set [ find default-name=ether2 ] name=ether3
/interface wireguard
add listen-port=51820 mtu=1420 name=vpn-to-a
/interface wireguard peers
add allowed-address=192.168.77.0/24,10.255.255.1/32 endpoint-address=1.2.3.247 endpoint-port=51820 interface=\
    vpn-to-a persistent-keepalive=35s public-key="2UZ1OE9TFaS0V/shFmTPKqLLgOeJjwovZZSbdsk/PhU="
/ip address
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=10.255.255.2/30 interface=vpn-to-a network=10.255.255.0
/ip firewall filter
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.88.0/24
/ip route
add distance=1 gateway=10.0.0.2
add dst-address=192.168.77.0/24 gateway=vpn-to-a
/system identity
set name=RouterB
I see lots of Wireguard handshake packets but the tunnel never establishes. Feels like the config is nearly right, what am I missing?
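Added example, not code from the thread or from MikroTik: a small Python consistency check for the two-router setup, modelling WireGuard's allowed-address lookup (cryptokey routing) together with the peer public keys. It runs the first post's configuration, the same routers with anav's corrected peer settings, and the February 2024 peer entries above; for that last case it assumes the interface keys printed in the first post were not regenerated, which the page does not state.

```python
import ipaddress
# Added example, not code from the thread or MikroTik: a consistency check for the
# two-router WireGuard site-to-site setup above (allowed-address routing, peer keys).
def lookup_peer(peers, ip):
    """Cryptokey routing: peer with the longest allowed-address prefix covering ip, else None."""
    # None means WireGuard drops the packet; outbound, it also never triggers a handshake.
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for peer in peers:
        for net in peer["allowed"]:
            n = ipaddress.ip_network(net, strict=False)
            if addr in n and n.prefixlen > best_len:
                best, best_len = peer, n.prefixlen
    return best

def router(name, key, lan, tunnel_ip, peer_key, allowed, endpoint=None, keepalive=None):
    """One router: interface public key, LAN, tunnel address and its single peer entry."""
    return {"name": name, "public_key": key, "lan": lan, "tunnel_ip": tunnel_ip,
            "peer": {"public_key": peer_key, "allowed": allowed,
                     "endpoint": endpoint, "keepalive": keepalive}}

def check_site_to_site(a, b):
    """Return a list of findings for the pair; an empty list means it looks consistent."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        name, peer = local["name"], local["peer"]
        if peer["public_key"] == local["public_key"]:
            findings.append(f"{name}: peer entry carries {name}'s own public key")
        elif peer["public_key"] != remote["public_key"]:
            findings.append(f"{name}: peer public key is not {remote['name']}'s interface key")
        far_host = str(next(ipaddress.ip_network(remote["lan"]).hosts()))
        if lookup_peer([peer], far_host) is None:
            findings.append(f"{name}: no allowed-address covers {remote['lan']}")
        if lookup_peer([peer], remote["tunnel_ip"]) is None:
            findings.append(f"{name}: allowed-address misses tunnel address {remote['tunnel_ip']}")
        if peer["endpoint"] and peer["keepalive"] is None:
            findings.append(f"{name}: initiating side behind NAT has no persistent-keepalive")
    if a["peer"]["endpoint"] is None and b["peer"]["endpoint"] is None:
        findings.append("neither side has an endpoint, so nobody can initiate")
    return findings

# Interface public keys exactly as printed in the first post.
A_KEY = "zW5HwHVFpqDwxRt1fKb/Yv+uSNKZhLXYnLm9TwwHsUA="
B_KEY = "2UZ1OE9TFaS0V/shFmTPKqLLgOeJjwovZZSbdsk/PhU="
# First post: each side lists only its own LAN; B sits behind carrier NAT and holds the endpoint.
FIRST_A = router("A", A_KEY, "192.168.77.0/24", "10.255.255.2", B_KEY, ["192.168.77.0/24"])
FIRST_B = router("B", B_KEY, "192.168.88.0/24", "10.255.255.1", A_KEY, ["192.168.88.0/24"], endpoint="1.2.4.7")
# Same routers with anav's corrected peer settings.
FIXED_A = router("A", A_KEY, "192.168.77.0/24", "10.255.255.2", B_KEY, ["10.255.255.1/32", "192.168.88.0/24"])
FIXED_B = router("B", B_KEY, "192.168.88.0/24", "10.255.255.1", A_KEY, ["10.255.255.2/30", "192.168.77.0/24"], endpoint="1.2.4.7", keepalive=35)
# February 2024 peer entries; ASSUMPTION: interface keys were not regenerated since the first post.
LATER_A = router("A", A_KEY, "192.168.77.0/24", "10.255.255.1", A_KEY, ["192.168.88.0/24", "10.255.255.2/32"])
LATER_B = router("B", B_KEY, "192.168.88.0/24", "10.255.255.2", B_KEY, ["192.168.77.0/24", "10.255.255.1/32"], endpoint="1.2.3.247", keepalive=35)
```

On the first post's configuration it reports that neither side's allowed-address covers the far LAN or the far tunnel address, so B never has a packet to start a handshake for, which matches the "no packets at all" symptom; on the February 2024 entries the only finding is that each peer entry carries its own router's public key, which would leave A unable to accept B's handshake if that key assumption holds.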
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard LAN to LAN (one side behind NAT) not working

Thu Feb 29, 2024 2:05 am

VPN is a router service.
Where have you allowed the handshake in the firewall rules??
On router B the allowed IP should be:
/interface wireguard peers
add allowed-address=192.168.77.0/24,10.255.255.0/30

However that is not the cause of your issues.
 
JohnTRIVOLTA
Member
Posts: 343
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Wireguard LAN to LAN (one side behind NAT) not working

Thu Feb 29, 2024 6:51 am

Side A, add nat rule
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 place-before=1
Side B, add nat rule
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.77.0/24 place-before=1
 
btong
just joined
Topic Author
Posts: 8
Joined: Thu Sep 06, 2018 5:12 pm

Re: Wireguard LAN to LAN (one side behind NAT) not working

Thu Feb 29, 2024 2:55 pm

> Where have you allowed the handshake in the firewall rules??
The ip filter rules in this lab just accept everything - surely I don't have to specify this traffic specifically?
> On router B the allowed IP should be /interface wireguard peers
> add allowed-address=192.168.77.0/24,10.255.255.0/30
Done, but sadly no change. Also set 10.255.255.0/30 on side A as surely that has to be on that side too, if needed on B.
> Side A, add nat rule
> /ip firewall nat
> add action=accept chain=srcnat dst-address=192.168.88.0/24 place-before=1
> Side B, add nat rule
> /ip firewall nat
> add action=accept chain=srcnat dst-address=192.168.77.0/24 place-before=1
Done, thanks, but no change. Still just see handshakes from 10.0.0.1 -> 1.2.3.247
 
JohnTRIVOLTA
Member
Posts: 343
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Wireguard LAN to LAN (one side behind NAT) not working

Thu Feb 29, 2024 3:22 pm

In side A don't use "endpoint-port=xxx" on wg peer - delete it !!!
 
btong
just joined
Topic Author
Posts: 8
Joined: Thu Sep 06, 2018 5:12 pm

Re: Wireguard LAN to LAN (one side behind NAT) not working

Thu Feb 29, 2024 4:17 pm

> In side A don't use "endpoint-port=xxx" on wg peer - delete it !!!
Done that too - still only unidirectional handshake traffic from B -> A
