Community discussions

papabear23
just joined
Topic Author
Posts: 7
Joined: Sat Apr 29, 2023 8:16 am

Route Traffic through WireGuard to Internet

Mon May 15, 2023 2:38 pm

Hello, I need some help in routing all traffic from one router through WireGuard to WAN.

I have 2 routers, LocationA and LocationB, which are connected via WireGuard.

Here is a small graph of what I have, and the blue arrow shows what I want to achieve:
schema.png
Here are also the exports for both locations:
LocationB.rsc
LocationA.rsc
I want all clients connected to the router in LocationA to have their traffic routed through WireGuard to LocationB and on to the Internet.

I'm able to ping the local networks between the 2 routers, and I have tried creating routes and mangle marking, but without any success.

Any help is more than welcome!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Traffic through WireGuard to Internet  [SOLVED]

Mon May 15, 2023 5:28 pm

There are many things wrong with your config,,,,,,,,,,,,,,,,,,,,,, got bogged down.
The best course of action is to read through this article and try to figure out some errors.
They exist in IP address, Peers, Routes, etc.

viewtopic.php?t=182340

Come back when you have something resembling reasonable.
 
papabear23
just joined
Topic Author
Posts: 7
Joined: Sat Apr 29, 2023 8:16 am

Re: Route Traffic through WireGuard to Internet

Mon May 15, 2023 5:30 pm

Hi, I am already going through your article and was praying to the MK gods for your answer.
Modifying all the configs/routes and will come back with some new settings.

Thanks again!
By any chance, do you offer some paid help as well :) ?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Traffic through WireGuard to Internet

Mon May 15, 2023 6:04 pm

No but I do peruse the MT discord channel and you can message me there, if we need to spend more time on your scenario,............... but not required just yet......
 
papabear23
just joined
Topic Author
Posts: 7
Joined: Sat Apr 29, 2023 8:16 am

Re: Route Traffic through WireGuard to Internet

Mon May 15, 2023 6:10 pm

Woah, wasn't aware there was one. Thanks again for the directions!
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Traffic through WireGuard to Internet

Mon May 15, 2023 6:12 pm

Don't get too excited, no content, as the content should be here. I see it merely as a connection point for follow-on discussions.
 
papabear23
just joined
Topic Author
Posts: 7
Joined: Sat Apr 29, 2023 8:16 am

Re: Route Traffic through WireGuard to Internet

Mon May 15, 2023 9:14 pm

Hey, thanks a lot for that well-written guide.
I have solved it all
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Traffic through WireGuard to Internet

Mon May 15, 2023 10:20 pm

Awesome, glad it worked out. A good plan and diagram go a long way.
 
amb3r
just joined
Posts: 16
Joined: Fri Oct 31, 2014 8:35 am

Re: Route Traffic through WireGuard to Internet

Tue Oct 03, 2023 11:40 pm

Can you please share the solution?
 
jpalaciog
just joined
Posts: 10
Joined: Wed Sep 06, 2023 10:05 pm

Re: Route Traffic through WireGuard to Internet

Sun Nov 26, 2023 6:10 am

Hi,
Could you please share your final setup? I have a similar scenario and it works only partially. I want to compare it to your approach.

Kind regards
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Traffic through WireGuard to Internet

Sun Nov 26, 2023 2:56 pm

Post your config here, seeing as the OP has solved his case and thus there is no interference.

/export file=anynameyouwish ( minus router serial number, public WANIP information, keys, long dhcp lease lists, any ipv6 info if not using ipv6 )
 
jpalaciog
just joined
Posts: 10
Joined: Wed Sep 06, 2023 10:05 pm

Re: Route Traffic through WireGuard to Internet

Sun Nov 26, 2023 7:05 pm

Thanks a lot
The goal is to route specific traffic on the client (anything directed to the VE IP list) through the WireGuard server to the internet, while allowing all other internet traffic to use the regular internet connection. Everything is working fine except for traffic routed through the WireGuard tunnel. While I can ping both ends of the tunnel and access local resources on both routers, I cannot reach the internet through the tunnel.

However, if I use a phone client instead of an RB as the client, it works smoothly.

Kind regards!

Edited to point out this : That works out good with a phone client
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Traffic through WireGuard to Internet

Mon Nov 27, 2023 2:28 am

SERVER Comments

1. This indicates an issue.......
/interface list member
add comment=defconf interface=*C list=LAN

I suspect it's because you have not identified any LAN list interface members and yet you have a list??

2. This is wrong........... IF you have IP DHCP Client you should not have a separate IP address for WAN, it's one or the other for a static IP.
IF it's dynamic, there is no IP address entry.

3. Why do you have a keep alive set on the peers settings on the SERVER? It's the client that keeps things alive ...........

4. Firewall rules are a hot mess............. why people deviate from the defaults to such a degree is beyond me.
I suspect there are issues within these.... will take a closer look,,,,,,,,,,,,,,

CLIENT Comments

5. You have almost identical routes for the wireguard traffic, one is wrong and should be deleted. The one below that is.
/ip route
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=wireguard-oam \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
 
jpalaciog
just joined
Posts: 10
Joined: Wed Sep 06, 2023 10:05 pm

Re: Route Traffic through WireGuard to Internet

Mon Nov 27, 2023 1:41 pm

Thank you for your suggestions. I have addressed all the points you raised in your previous post. As of now, if I ping a destination on the VE list, the traffic successfully exits through the wireguard-oam interface on the client, reaches wireguard-oam on the server, and is correctly routed to the internet. I can also observe return traffic back from the internet reaching the wireguard-oam interface on the client. However, this return traffic is not being seen by the user originating the traffic, for example "ping anything.ontheVElist.com".

The attached diagram illustrates the outbound traffic in cyan and the inbound traffic, which is only reaching the client's wireguard interface, in yellow.

Any assistance would be greatly appreciated.

Warmest regards
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Traffic through WireGuard to Internet

Mon Nov 27, 2023 4:30 pm

Need facts/evidence.
So latest configs of the routers please.
 
jpalaciog
just joined
Posts: 10
Joined: Wed Sep 06, 2023 10:05 pm

Re: Route Traffic through WireGuard to Internet

Mon Nov 27, 2023 4:59 pm

Kind regards
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Traffic through WireGuard to Internet

Mon Nov 27, 2023 7:05 pm

Client Router

(1) It would appear you are trying to use srcnat masquerade to route traffic. This is the wrong approach.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=172.16.24.0/24 out-interface=\
wireguard-oam src-address=192.168.13.0/24


All you need is.......
add action=masquerade chain=srcnat out-interface=wireguard-oam

++++++++++++++++++++++++++++++++++++++++
When you have control over both ends it's best to be accurate. The kludge of using sourcenat to change all IPs to the single WG IP is a very useful tool for when you don't control the other end,
such as third party VPNs. Technically you can do it either way and it will work. The problem still remains that you need to ensure routing and firewall rules etc....
+++++++++++++++++++++++++++++++++++++++

(2) To ensure traffic from the client router to the server subnet has a path you need the route:
/ip route
add dst-address=172.16.24.0/24 gateway=wireguard-oam routing-table=main


(3) You need to match the route with allowed IPs, but since you already have 0.0.0.0/0 it's already covered! :-)

(4) To allow traffic to enter the tunnel you need a firewall rule.
add chain=forward action=accept src-address=192.168.13.0/24 out-interface=wireguard-oam

(By the way, I find it confusing for the wireguard interface to be the same at both ends; when looking at wireguard parameters, am I looking at the server device or the client device? No way to distinguish by name alone........so not helpful. :-)


To complete the circle at the other end......
SERVER ROUTER

(5) SERVER PEER SETTINGS AT SERVER ROUTER
/interface wireguard peers
add allowed-address=10.249.0.13/32,192.168.13.0/24 interface=wireguard-oam public-key=\
"averylongsecurekey"


(6) And the route back to the Client router.
/ip route
add dst-address=192.168.13.0/24 gateway=wireguard-oam routing-table=main
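As an added example (not code from the thread or from MikroTik), here is a small Python checker that parses the relevant parts of a RouterOS export from each end and verifies the conditions the post above lists: every route pointed into the tunnel is covered by that router's peer allowed-address (WireGuard's cryptokey routing otherwise drops the packets), and the client LAN is both in the server's peer allowed-address and routed back through the tunnel. The sample exports, the placeholder keys and the `check_pair` helper are constructed for this example; interface and subnet names follow the thread.

```python
import ipaddress
import re

# Constructed sample exports (not the thread's attachments); keys are placeholders.
CLIENT_EXPORT = """\
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-port=443 interface=wireguard-oam public-key="SERVER_KEY_PLACEHOLDER"
/ip route
add dst-address=172.16.24.0/24 gateway=wireguard-oam routing-table=main
"""
SERVER_EXPORT = """\
/interface wireguard peers
add allowed-address=10.249.0.13/32 interface=wireguard-oam \\
    public-key="CLIENT_KEY_PLACEHOLDER"
/ip route
add dst-address=192.168.13.0/24 gateway=wireguard-oam routing-table=main
"""

def parse_export(text):
    """Map each '/section' to its 'add' entries as dicts, joining '\\' continuations."""
    sections, current = {}, None
    for line in map(str.strip, re.sub(r"\\\n\s*", " ", text).splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            sections.setdefault(current, []).append({k: v.strip('"') for k, v in pairs})
    return sections

def tunnel_routes(export, iface):  # destination prefixes routed into the tunnel
    return [ipaddress.ip_network(r["dst-address"], strict=False)
            for r in export.get("/ip route", []) if r.get("gateway") == iface]

def peer_allowed(export, iface):  # allowed-address prefixes of peers on the interface
    return [ipaddress.ip_network(a, strict=False)
            for p in export.get("/interface wireguard peers", [])
            if p.get("interface") == iface for a in p["allowed-address"].split(",")]

def covered(net, allowed):
    return any(net.subnet_of(a) for a in allowed if a.version == net.version)

def check_pair(client_export, server_export, iface, client_lan):
    """Return findings as strings; an empty list means both ends agree."""
    client, server = parse_export(client_export), parse_export(server_export)
    lan, findings = ipaddress.ip_network(client_lan), []
    # WireGuard drops packets outside a peer's allowed-address, so each tunnel route must be covered.
    for net in tunnel_routes(client, iface):
        if not covered(net, peer_allowed(client, iface)):
            findings.append(f"client: route {net} via {iface} not in peer allowed-address")
    # Replies to the client LAN need that LAN in the server's peer entry and a route back.
    if not covered(lan, peer_allowed(server, iface)):
        findings.append(f"server: client LAN {lan} missing from peer allowed-address")
    if lan not in tunnel_routes(server, iface):
        findings.append(f"server: no route to {lan} via {iface}")
    return findings
```

With the sample exports the checker reports exactly the missing server-side allowed-address entry from point (5); adding `192.168.13.0/24` to that peer clears it.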
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Traffic through WireGuard to Internet

Mon Nov 27, 2023 8:01 pm

Firewall Rules Server Router;

/ip firewall address-list { static dhcp leases or wireguard ip }
add address=172.16.24.XX list=Authorized comment="admin local desktop"
add address=172.16.24.AA list=Authorized comment="admin local laptop"
add address=172.16.24.BB list=Authorized comment="admin local smartphone/ipad"
add address=10.249.0.13 list=Authorized comment="admin remote wireguard"
add address=192.168.13.XX list=Authorized comment="admin from Client router LAN via WG"
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="Allow Wireguard OAM" dst-port=443 \
protocol=udp
add action=accept chain=input comment="ALLOW SSH" dst-port=22 protocol=tcp
add action=accept chain=input comment="access to dns services" dst-port=53 \
protocol=udp in-interface-list=LAN
add action=accept chain=input comment="access to dns services" dst-port=53 \
protocol=tcp in-interface-list=LAN
add action=drop chain=input comment="DROP ALL ELSE" { enter this rule in last!! }


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard-oam out-interface-list=WAN comment="allow all wireguard traffic to use internet"
add action=accept chain=forward in-interface=wireguard-oam dst-address=172.16.24.0/24 disabled=yes comment="allow all wireguard traffic to LAN"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat disabled=yes { enable if required }
add action=drop chain=forward comment="drop all else"
 
jpalaciog
just joined
Posts: 10
Joined: Wed Sep 06, 2023 10:05 pm

Re: Route Traffic through WireGuard to Internet

Mon Nov 27, 2023 9:08 pm


Huge thanks to @anav for sharing that solution! I was at my wit's end trying to figure this out, and their post was exactly what I needed. I followed their steps exactly, and boom, problem solved! This kind of community support is invaluable, and I'm so grateful to be a part of it.

Thanks again. You're a lifesaver!
 
S8T8
Frequent Visitor
Posts: 81
Joined: Thu Sep 15, 2022 7:15 pm

Re: Route Traffic through WireGuard to Internet

Mon Nov 27, 2023 9:25 pm

Hello @anav,
not that relevant with this topic but, what's the difference between:
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=drop chain=input comment="DROP ALL ELSE"
-
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"

and
add action=drop chain=input src-address-list=!Authorized
-
add action=drop chain=forward in-interface-list=!LAN


?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Traffic through WireGuard to Internet

Mon Nov 27, 2023 9:54 pm

Philosophy.
The default rules come set for a simple user on the bridge via ether2 and wan setup to work on ether1.
The traffic is safely protected but it allows all traffic and drops some key things for general safety.

When we want to do more, add vlans and other things, it's much easier, as the config and requirements get complex, to simply DROP ALL traffic.
Then only put back in, what traffic is actually required. Much smaller set of rules needed and we know what traffic we need, much more so than
all the things we need to block.

The more cute rules you put in with !, the trickier the config is to read, meaning more error prone as you add layers of complexity and harder to find the error. KISS
The only drop rule (besides the invalid default rule) need only be the LAST drop-all rule. For the rest, one focuses solely on what traffic should be accepted.

viewtopic.php?t=180838
