papageno
just joined
Topic Author
Posts: 13
Joined: Wed Apr 19, 2023 4:04 pm
Location: Tallinn

Connection between Wireguard and L2TP/IPSEC

Wed May 17, 2023 4:24 pm

Hello, to not assume things and post messy descriptions, I start with a scheme:

[Image: network scheme of Location 1, Location 2 and the mobile device]

What is working now:
1) Connection between Location 1 and Location 2 LANs. I can access all LAN devices of both Location 1/2 networks from either Location 1 or 2.
2) I can access Location 1 LAN from a Mobile Device that connects to Location 1.

What is not working and I am trying to achieve:
I would also need to access Location 2 LAN devices from a Mobile Device that connects to the Location 1 router. This means connecting L2TP/IPSEC and Wireguard somehow in Location 1. That is something I haven't yet found out how to do.

The image of Location 1 /IP/Routes when Wireguard is up and also one L2TP/IPSEC device is connected:

[Image: Location 1 /ip/route table]
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection between Wireguard and L2TP/IPSEC

Wed May 17, 2023 7:41 pm

To recap:
R1 user to remote R2 devices via wireguard working fine.
Remote IPsec clients to R1 LAN via L2TP working fine.
Require remote IPsec clients to reach R1, then enter WG tunnel to reach R2 LAN.

Requirements
R1
FW rules --> allow remote IPsec clients to enter tunnel
IP Routes --> provide a path for remote IPsec clients to enter tunnel, but not interfering with their ability to reach local R1 LAN.
Note: The IP route created for local R1 LAN subnets to reach R2 LAN subnets should also work for L2TP clients.
No change to peer settings for R2 as assuming it's the same subnets already being accessed by local R1 users.

R2
FW rules --> allow remote IPsec clients to exit tunnel and access R2 LAN
IP routes --> Ensure a return path route for IPsec traffic after hitting R2 devices.
Peer settings --> Add subnet for incoming IPsec clients.

+++++++++++++++++++++++++++++++++++++++++++++++++++

Can you provide your current config on both routers.............
 
papageno
just joined
Topic Author
Posts: 13
Joined: Wed Apr 19, 2023 4:04 pm
Location: Tallinn

Re: Connection between Wireguard and L2TP/IPSEC

Thu May 18, 2023 4:57 pm

Thanks @anav, luckily it was possible without getting physically to Location 1. Just learnt that Mikrotik router does not have ssh client but there were other devices to ssh further to Location 2 router.
Attachment: exportTik.txt
 
CTSsean
Frequent Visitor
Posts: 61
Joined: Fri Sep 15, 2017 12:56 pm

Re: Connection between Wireguard and L2TP/IPSEC

Thu May 18, 2023 5:25 pm

Thanks @anav, luckily it was possible without getting physically to Location 1. Just learnt that Mikrotik router does not have ssh client but there were other devices to ssh further to Location 2 router.

exportTik.txt
what? All tik devices have ssh clients / servers.
 
papageno
just joined
Topic Author
Posts: 13
Joined: Wed Apr 19, 2023 4:04 pm
Location: Tallinn

Re: Connection between Wireguard and L2TP/IPSEC

Thu May 18, 2023 6:35 pm

Thanks, yes.
I was silly enough to simply try ssh instead of going to /system first.
That is an example: you have to know how things work. A bit embarrassing, but a lesson learnt again.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection between Wireguard and L2TP/IPSEC

Thu May 18, 2023 9:14 pm

On the LTE6kit, I am assuming it's not connected directly to the internet and that it's behind some sort of natted routing device.
The reason I ask is because you have input chain rules that are fairly wide open, like to winbox for example??
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection between Wireguard and L2TP/IPSEC

Thu May 18, 2023 9:18 pm

I would start by looking at your peer settings for each device. It surprised me they converse properly via wireguard.

LTE6
/interface wireguard peers
add allowed-address=10.1.10.0/30,10.1.1.0/24 endpoint-address=*********** endpoint-port=8088 interface=WGClientWLehtpuu persistent-keepalive=10s \
public-key=""
/ip address
add address=10.1.11.1/24 interface=ether1 network=10.1.11.0
add address=10.1.10.2/30 interface=WGClientWLehtpuu network=10.1.10.0


/ip route
add disabled=no distance=1 dst-address=10.1.1.0/24 gateway=10.1.10.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10



RB1100
/interface wireguard peers
add allowed-address=10.1.10.0/30,10.1.11.0/24 interface=WGServerLPuu persistent-keepalive=10s public-key="IR9g9NTTtkSS0RY2WzjF1lcvs9mNZW7Log7P9id1z1k="
/ip address
.....
add address=10.1.1.1/24 interface=BrLAN_01-11 network=10.1.1.0 { LAN }
add address=10.1.10.1/30 interface=WGServerLPuu network=10.1.10.0


/ip route
add disabled=no distance=1 dst-address=10.1.11.0/24 gateway=10.1.10.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10



CORRECTED:

LTE6
/interface wireguard peers
add allowed-address=10.1.10.0/24,10.1.1.0/24 \
endpoint-address=***** endpoint-port=8088 interface=WGClientWLehtpuu persistent-keepalive=10s \
public-key=""
/ip address
add address=10.1.11.1/24 interface=ether1 network=10.1.11.0 { LAN }
add address=10.1.10.2/24 interface=WGClientWLehtpuu network=10.1.10.0
{ Larger pool required if adding more clients }

/ip route
add disabled=no distance=1 dst-address=10.1.1.0/24 gateway=WGClientWLehtpuu pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

RB1100
/interface wireguard peers
add allowed-address=10.1.10.2/32,10.1.11.0/24 interface=WGServerLPuu { persistent keep alive not relevant to server for handshake }
public-key="="
/ip address
add address=192.168.88.1/24 interface=E13_Mgmt network=192.168.88.0 (MGMT)
add address=10.1.1.1/24 interface=BrLAN_01-11 network=10.1.1.0 (LAN)
add address=10.1.10.1/24 interface=WGServerLPuu network=10.1.10.0


/ip route
add disabled=no distance=1 dst-address=10.1.11.0/24 gateway=WGServerLPuu pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If by chance you wanted to remote into either router via wireguard, the connecting point would be the RB1100
Just need to add the peers.
add allowed-address=10.1.10.3/32 interface=,
Last edited by anav on Thu May 18, 2023 10:11 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connection between Wireguard and L2TP/IPSEC  [SOLVED]

Thu May 18, 2023 10:03 pm

With that cleaned up one needs to now add the VPN clients going to RB1100, to be able to continue the journey to the LTE..........

Additions: LTE6

add allowed-address=10.1.10.0/24,10.1.1.0/24,10.10.10.0/24
add distance=1 dst-address=10.10.10.0/24 gateway=WGClientWLehtpuu routing-table=main

Additions RB1100 - nil that I can see.

However, with bloated and messy firewall rules, something could block traffic, not readily apparent.
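The additions above fix two things at once: a route on the LTE6 so replies to the L2TP pool go back into the tunnel, and the pool in the peer's allowed-address so WireGuard's cryptokey routing accepts those packets at all. The model below is an added example, not anyone's config from this thread: it reproduces both checks for the corrected configs. Subnets, interface names and the 10.10.10.0/24 L2TP pool come from the posts; the sample hosts 10.10.10.5 and 10.1.11.20 and the "l2tp-clients" interface label are constructed.

```python
import ipaddress

# Constructed model of the two routers (names and subnets from the thread).
def net(n):
    return ipaddress.ip_network(n, strict=False)

# Per router: static/connected routes (dst -> egress interface) and, per
# WireGuard interface, that peer's allowed-address list.
LTE6_BEFORE = {
    "routes": {"10.1.11.0/24": "ether1", "10.1.1.0/24": "WGClientWLehtpuu"},
    "wg": {"WGClientWLehtpuu": ["10.1.10.0/24", "10.1.1.0/24"]},
}
LTE6_AFTER = {  # anav's "Additions: LTE6": extra route plus extra allowed-address
    "routes": {**LTE6_BEFORE["routes"], "10.10.10.0/24": "WGClientWLehtpuu"},
    "wg": {"WGClientWLehtpuu": ["10.1.10.0/24", "10.1.1.0/24", "10.10.10.0/24"]},
}
RB1100 = {  # "l2tp-clients" is an assumed label for the dynamic L2TP interfaces
    "routes": {"10.1.1.0/24": "BrLAN_01-11", "10.10.10.0/24": "l2tp-clients",
               "10.1.11.0/24": "WGServerLPuu"},
    "wg": {"WGServerLPuu": ["10.1.10.2/32", "10.1.11.0/24"]},
}

def egress(router, dst):
    """Longest-prefix match over the router's routes; None means no route."""
    ip = ipaddress.ip_address(dst)
    hits = [n for n in router["routes"] if ip in net(n)]
    if not hits:
        return None
    return router["routes"][max(hits, key=lambda n: net(n).prefixlen)]

def wg_allows(router, iface, addr):
    """Cryptokey routing: outgoing dst and incoming src must match allowed-address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net(n) for n in router["wg"][iface])

def one_way(sender, s_iface, receiver, r_iface, src, dst):
    """src->dst must be routed into the sender's WG interface, be allowed as a
    destination there, and be accepted as a source on the receiver's peer."""
    return (egress(sender, dst) == s_iface
            and wg_allows(sender, s_iface, dst)
            and wg_allows(receiver, r_iface, src))

def l2tp_client_reaches_loc2(lte6, src="10.10.10.5", dst="10.1.11.20"):
    """True only if both the request and the reply traverse the tunnel."""
    req = one_way(RB1100, "WGServerLPuu", lte6, "WGClientWLehtpuu", src, dst)
    rep = one_way(lte6, "WGClientWLehtpuu", RB1100, "WGServerLPuu", dst, src)
    return req and rep

if __name__ == "__main__":
    print("before:", l2tp_client_reaches_loc2(LTE6_BEFORE))
    print("after: ", l2tp_client_reaches_loc2(LTE6_AFTER))
```

With the original LTE6 peer the request is already dropped on arrival (source 10.10.10.5 is outside allowed-address), which is why adding only a route would not have been enough. Firewall filter rules are deliberately not modelled here.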
 
papageno
just joined
Topic Author
Posts: 13
Joined: Wed Apr 19, 2023 4:04 pm
Location: Tallinn

Re: Connection between Wireguard and L2TP/IPSEC

Sat May 20, 2023 10:47 am

Thank you @anav for taking time to answer.

I will try to make it work, first I have to get to location 1 and have a possibility in near future to access physically location 2 if things go wrong.
With RouterOS novices, errors are quite frequent; this is my experience (with myself).
I will also in first order make both 1100 and LTE6 firewalls decent. I searched and found your firewall guidance in useful articles section.
You took your time to write the guide so now it is my turn to take time for reading and trying to understand. No questions here.
 
papageno
just joined
Topic Author
Posts: 13
Joined: Wed Apr 19, 2023 4:04 pm
Location: Tallinn

Re: Connection between Wireguard and L2TP/IPSEC

Wed May 24, 2023 3:36 pm

Had a chance to implement the changes and corrections that @anav suggested.
Now I can indeed access the LAN of Location 2 also from a phone that connects with L2TP/IPSEC.
Will also try wireguard from mobile devices, I initially set up L2TP/IPSEC because it does not require an extra app on iPhone and iPad.

Now the next thing is to follow the instructions and sort out firewalls of both devices... making use of safe mode.

EDIT: thanks to the above instructions I tried to set up wireguard clients on iPhone/iPad/Mac: they work flawlessly. Mac official WG GUI app is a bit tricky to set up but in 10 minutes the guesswork is done and stuff works.
