tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Connecting to local network from outside using L2TP/Wireguard

Mon Apr 10, 2023 2:14 pm

So I have a hAP lite TC router plus an internet modem/router.
I want to set up a VPN server on the hAP lite to be able to connect to my local network (i.e., the hAP lite, the internet modem/router and all of the connected devices) from outside the local network.
First of all, I think that I will need a static IP. However, I was wondering about IP/Cloud, which somehow acts like a dynamic DNS. (I don't know whether it is compatible with my device or not.) If it is not, I can purchase a static IP from my ISP.
I would like to use WireGuard as the VPN server. I don't know whether WireGuard is compatible with my device or not, but if it's not, I can use L2TP as well.
I am not a professional in networking, so I want to ask you to tell me the steps that I should take, with details. I think these are the steps, but I am not sure:
1- Connect RouterOS to the internet (note that I want to connect to the VPN using a static IP, so I think I should use bridge mode, but I don't know how).
2- Start a VPN server on the router (preferably WireGuard) that I can connect to from outside.
3- Some firewall rules in order to make the config more secure.

If my mentioned steps are right, please kindly let me know how I can do them.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Mon Apr 10, 2023 3:06 pm

You are on the right track for sure.
The key is not whether the public IP is static or dynamic, but whether it is publicly accessible.

So you either need to have an ISP modem device that gives your router a public IP (most common)
OR
an ISP modem/router that gets a public IP and which you can enter to at least forward ports to your router (common).

There is much reading to be had..........
viewtopic.php?t=182373
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Mon Apr 10, 2023 3:10 pm

Thanks. Let's consider this one:
> So you either need to have an ISP modem device that gives your router a public IP (most common)
If I purchase a static IP from my ISP, how can I assign it to my router? (Not my modem.)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Mon Apr 10, 2023 3:19 pm

Why would you want to purchase a static IP if they are providing you with a public dynamic IP??
Seems like an extra cost for very little gain. I only say this because you are pinching pennies with a hAP lite, aka you didn't buy an RB5009 for example, or an AX3!
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Mon Apr 10, 2023 3:35 pm

Well, this is because it seems that my IP is not public. When I check my IP address on https://www.iplocation.net/ it shows an address that is totally different from the IP address that the ADSL modem shows in the PPPoE settings section.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Mon Apr 10, 2023 3:40 pm

Sounds like getting a static IP is the right approach then!!

Checking what your IP is:
In other words, the admin should ensure that the WAN IP the router gets is the same one that the external world sees. This can be accomplished via
a. 'what's my IP' in your browser
b. checking the public IP that shows up when one enables IP Cloud
c. checking what IP address is shown under the details of IP DHCP Client
d. checking what IP address is shown in IP Routes - look for a (DAC) entry and its preferred source.

They should ALL be the same if your router is getting a valid public IP. If not, then you may be getting a private IP address from your provider.
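The same four-way comparison as a RouterOS script, added here as an example and not part of anav's post or of MikroTik's documentation. It assumes the WAN is ether1 with a DHCP client (as in the OP's first export) and that IP Cloud is enabled; the outside view is fetched from https://api.ipify.org, an assumed third-party echo service that you can swap for any plain-text "what's my IP" endpoint. It also flags the CGNAT range 100.64.0.0/10, which looks public-ish in a browser but is just as unreachable for an inbound handshake as RFC 1918 space.

```routeros
# Added example (not from the thread): is the router's WAN address really public, and
# does it match what the rest of the internet sees?
# Assumptions: WAN interface ether1 with a DHCP client, /ip cloud enabled,
# and https://api.ipify.org reachable (replace with any plain-text IP echo service).
:local wanIf "ether1"

# 1. Address the router itself holds on the WAN; dhcp-client returns "a.b.c.d/len"
:local dhcp [/ip dhcp-client get [/ip dhcp-client find interface=$wanIf] address]
:local wanIp [:toip [:pick $dhcp 0 [:find $dhcp "/"]]]

# 2. Address MikroTik's cloud service saw the router connect from
:local cloudIp [/ip cloud get public-address]

# 3. Address an arbitrary internet host sees (assumed echo service, body is the bare IP)
:local fetched [/tool fetch url="https://api.ipify.org" mode=https output=user as-value]
:local outsideIp [:toip ($fetched->"data")]

# RFC 1918 space and the CGNAT range 100.64.0.0/10 can never receive an inbound
# WireGuard handshake directly: the ISP's NAT in front of you drops it before it arrives.
:local rfc1918 (($wanIp in 10.0.0.0/8) || ($wanIp in 172.16.0.0/12) || ($wanIp in 192.168.0.0/16))
:local cgnat ($wanIp in 100.64.0.0/10)

:if ($rfc1918 || $cgnat) do={
  :log warning ("WAN address $wanIp is not public (rfc1918=$rfc1918 cgnat=$cgnat); a VPN server here is unreachable unless the upstream device forwards the port")
} else={
  :if (($wanIp = $cloudIp) && ($wanIp = $outsideIp)) do={
    :log info ("WAN address $wanIp is public and consistent: dhcp=$wanIp cloud=$cloudIp outside=$outsideIp")
  } else={
    :log warning ("WAN address mismatch: dhcp=$wanIp cloud=$cloudIp outside=$outsideIp; something upstream is still translating")
  }
}
```

Run it from /system script or paste it into a terminal; the verdict lands in /log. If the router has a static WAN address instead of a DHCP client, take step 1 from `/ip address get [find interface=ether1] address` instead.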
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Thu May 11, 2023 11:54 pm

Hello,
I have a public and static IP on my 4G/LTE modem right now. The hAP lite router is also connected to the 4G modem and gets an IP from the 4G modem.
I also set up a virtual server on my 4G modem that forwards all incoming traffic from outside on port 5142 to the internal IP of the MikroTik and to the WireGuard port:
This is the MikroTik config:
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1450 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface l2tp-server server
set use-ipsec=yes
/interface wireguard peers
add endpoint-address=192.168.2.1 endpoint-port=13231 interface=wireguard1 \
    public-key="1YjceDL371vHOid7**********"
/ip dhcp-client
add interface=ether1
and this is my iPhone WireGuard config:

However, when I activate WireGuard on my iPhone, I cannot connect to the internet or even to the MikroTik or the 4G router. In the MikroTik WinBox the Rx is also 0 and not changing.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Fri May 12, 2023 4:09 am

Of course not, as it's probably not set up properly. The config only follows the error-prone human.
Hiding parts of your config just wastes the time of those of us attempting to help, so please provide the full export (minus router serial number and any public WAN IP information).
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Fri May 12, 2023 12:36 pm

Hi, please find the config attached below.
Everything is OK at this time and I can connect from outside to my LAN using WireGuard. However, my WireGuard client doesn't have access to the internet and I don't know why.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Fri May 12, 2023 2:28 pm

Not much of a config, but the extra source address is what is not needed.
If your traffic is.... remote users inbound, get rid of it.
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Sat May 13, 2023 12:22 am

I always have this problem and haven't found a solution for it. I mean I use
/export file=somename
to export the config, but anyone who looks at the config says the config is not complete. I really don't know why this happens.
Anyway, attached is the output of
/export verbose
I hope it helps.

By the way, I was searching the internet about this problem and somebody said this is due to port forwarding (https://askubuntu.com/questions/1294533 ... net-access). Can you take a look at that please?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Sat May 13, 2023 12:32 am

Where is your WAN port???
Is this connected to another router??
Is it MT? If so, need to see its config..........

If not, is the WG port forwarded to the WAN IP of this device??
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Sat May 13, 2023 12:38 am

My WAN port is 5142.
Yes, it is connected to another 4G/LTE router. I am using port forwarding on the 4G router to forward traffic.
(attachment: Capture.JPG)
It is not MT, it is TP-Link.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Wed May 17, 2023 2:25 am

Okay, so you have a TP-Link router forwarding the port to the MT router.........
Suggest the following config then.......
I get that the fixed static IP of the MT router on the TP-Link LAN is 192.168.2.100.
Ether1 is the "WAN" port.
Ether2 is unknown, but let's say it's connected to something........

Things I did:
a. removed IP DHCP Client - not required.
b. removed unneeded srcnat and modified the default one for the static IP.
c. added a DNS server to the IP DHCP network settings.
d. added DNS settings.

Give it a shot and see if things are better (but change the client MTU to 1420 or change the MT to 1450; they both should be the same!!)............


/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 name=dhcp1
/interface wireguard peers
# allowed-address is the single tunnel address this peer may use; anything else it sends is dropped
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
"ydz3qh9st1bAgWZeKl55xIv5XXXXXXXXXXXXXXXX"
/ip address
# with the DHCP client removed, ether1 needs the static address the text assumes
# (192.168.2.100 on the TP-Link LAN); without it the default route below has no reachable gateway
add address=192.168.2.100/24 interface=ether1 network=192.168.2.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0
/ip dns
# allow-remote-requests makes the router a resolver for LAN and tunnel clients;
# it also answers on ether1 unless the input chain filters it
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
/ip firewall nat
# everything leaving ether1 (LAN and WireGuard peers alike) is source-NATed to the
# router's address on the TP-Link LAN; this is what gives the peers internet access
add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.2.100
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
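The suggested config has no firewall filter at all, so once the TP-Link forwards the port, every service the MT runs (WinBox, SSH, the DNS resolver enabled above) is reachable from ether1, and the OP's step 3 is still open. What follows is an added example, not part of anav's post, that closes that gap for exactly this layout: ether1 toward the TP-Link, ether2 LAN 192.168.3.0/24, wireguard1 with 192.168.100.0/24 on UDP 13231. The interface-list names WAN, LAN and VPN are assumptions introduced here.

```routeros
# Added example (not from the thread): minimal stateful firewall for the single-WAN layout
# above. WAN/LAN/VPN are interface lists assumed and created here.
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=ether2
add list=VPN interface=wireguard1

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="keep existing sessions"
add chain=input action=drop connection-state=invalid
# the only thing the outside may open is the WireGuard listen port; the handshake itself
# authenticates the peer, so a sender without a configured public key just gets silence
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="WireGuard handshake"
# management (WinBox/SSH) and DNS only from the LAN and from inside the tunnel
add chain=input action=accept in-interface-list=LAN
add chain=input action=accept in-interface-list=VPN
add chain=input action=drop comment="everything else to the router, including from ether1"

# --- forward: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# remote peers reach the LAN and the internet; the LAN reaches the internet and the peers
add chain=forward action=accept in-interface-list=VPN out-interface-list=LAN
add chain=forward action=accept in-interface-list=VPN out-interface-list=WAN
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept in-interface-list=LAN out-interface-list=VPN
# nothing unsolicited from the WAN side is forwarded unless a dst-nat rule asked for it
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat comment="unsolicited from WAN"
add chain=forward action=drop comment="default deny"
```

The rules assume an otherwise empty filter table; on a router that still carries the default firewall, merge rather than append, because RouterOS evaluates the chain top to bottom and an earlier accept wins. The input chain deliberately does not accept UDP 13231 from the LAN, so only a forwarded packet from the TP-Link can start a handshake; move the port rule above the LAN accept if local peers should also connect.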
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Fri May 19, 2023 12:50 pm

Thanks, works like a charm!

I decided to use two WireGuard interfaces with two different WAN static IPs. Ether1 is for WAN1 and Ether2 is for WAN2. They both have static and public IPs and are port-forwarded to the MT.
So I need two WireGuard interfaces, namely wg1 and wg2.
Whenever users connect to wg1, they should access the internet through WAN1, and whenever users connect to wg2 they should access the internet through WAN2.

Can you help me with this?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Fri May 19, 2023 3:37 pm

As always, only work from the latest updated config..........
Any user LAN details needed should be stated in clear requirements:
who needs what, where, both internal and external flows by all; exceptions should be noted.

Finally, failover expectations and usage of the WANs in general should be discussed.
Then the config can be modified with context.
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Sat May 20, 2023 4:51 pm

Hi. Here is the config.
Ether1 is connected to the DSL modem with a static public IP; the MT gets the local static IP address 192.168.1.100 from the DSL modem, and port 7236 on the DSL modem is forwarded to the MT.
Ether2 is connected to the LTE modem with a static public IP; the MT gets the local static IP address 192.168.2.100 from the LTE modem, and port 5036 on the LTE modem is forwarded to the MT.
Ether3 is connected to my laptop; I need to connect to the internet through Ether2 on my laptop.
Anyone who connects to wg-iface-lte should access the internet only through Ether2.
Anyone who connects to wg-iface-dsl should access the internet only through Ether1.
Anyone who connects to any wg interface should be able to see all LAN devices.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=7236 mtu=1420 name=wg-iface-dsl
add listen-port=5036 mtu=1420 name=wg-iface-lte
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool1 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=ether3 name=dhcp1
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wg-iface-dsl public-key=\
    "Y8HzPJuhH5he7xqgvbqNLYX1eVfAm1oT/ClgVMzPBXo="
add allowed-address=192.168.200.2/32 interface=wg-iface-lte public-key=\
    "1Lqomm4L/nluKczxheAQskfWAH95gtph5L9Ha+FZS0s="
/ip address
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.100.1/24 interface=wg-iface-dsl network=192.168.100.0
add address=192.168.200.1/24 interface=wg-iface-lte network=192.168.200.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
add interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether2 to-addresses=\
    192.168.2.100
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=\
    192.168.1.100
This is the config that I use on my clients to connect to the wg interfaces (assume 188.188.188.188 is the public IP of the DSL and 155.155.155.155 is the public IP of the LTE):
# client for wg-iface-dsl (one file per client; the two blocks below are separate configs)
# PrivateKey is a secret: this pair has now been published in the thread, so regenerate it
[Interface]
PrivateKey = wKNmmsp1fAxv5ryQps1DceXoNq6XmiBwqOyvyXfnNng=
Address = 192.168.100.2/32
DNS = 1.1.1.1
MTU = 1420
[Peer]
PublicKey = ufG1OYlNvlZt//1FoawUj+oZFffzNmOn37ybSqxyjWk=
# 0.0.0.0/0: send all traffic, internet included, through the tunnel
AllowedIPs = 0.0.0.0/0
Endpoint = 188.188.188.188:7236
PersistentKeepalive = 25

# client for wg-iface-lte
[Interface]
PrivateKey = 2IfSkvQRcgB/IxHc5KFU+4jSJ7csb/JRB1FS04BxgGI=
Address = 192.168.200.2/32
DNS = 1.1.1.1
MTU = 1420
[Peer]
PublicKey = tzSGclGX633qfvll+g4vf/N8SP2Ww5fJnJdWrUdIcHo=
AllowedIPs = 0.0.0.0/0
Endpoint = 155.155.155.155:5036
PersistentKeepalive = 25

By the way, I didn't understand this:
> a. removed IP DHCP Client - not required.
The MT needs to get an IP from each modem; can it be done without a DHCP client?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Sat May 20, 2023 11:41 pm

Can you confirm you only have one LAN, and that it's connected on ether3?
Can you explain why you have three pools for the same subnet?


Remove IP DHCP Client for both interfaces. There are no dynamic assignments and thus no real purpose to this method!
You get a private IP, not a public one, from the upstream device, and it's a static WAN IP.

There are multiple ways to accomplish these things; in your case the simplest is
a. IP address of each WAN, as you have done
b. manual route (which you failed to show :-(

/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
/ip route add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main

Assuming WireGuard is strictly for your remote external clients (not for local LAN users).
++++++++++++++++++++++++++++++++++++++

Herein lies the problem: the initial handshake needs to be considered. There is not a problem reaching ether1 or ether2 by various means, dyndns-type name.
So when the external user first hits either of the two WANs, via the necessary port, a handshake attempt is executed. However, how do we ensure the response back to the originator
goes out the same WAN, and thus ISP, it came in on??

Also, what is the hierarchy of wan1, wan2 for your LAN users?
How are they supposed to utilize the two WANs: is one primary and the other failover, PCC (shared), etc......
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Sat May 20, 2023 11:52 pm

> Can you confirm you only have one LAN, and that it's connected on ether3?
Yes
> Can you explain why you have three pools for the same subnet?
It was just a mistake.
> So when the external user first hits either of the two WANs, via the necessary port, a handshake attempt is executed. However, how do we ensure the response back to the originator
> goes out the same WAN, and thus ISP, it came in on??
Yes, this is the main problem.
> Also, what is the hierarchy of wan1, wan2 for your LAN users?
There is no hierarchy at all. No load balancing and no failover.
They are two separate WANs. The user can decide on his/her own which WAN to connect to.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Sun May 21, 2023 12:13 am

I do not understand how a user can decide which WAN they use............ it's not obvious.......
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Sun May 21, 2023 12:20 am

By the endpoint which they connect to using WireGuard.
WAN1 IP is: 188.188.188.188
WAN2 IP is: 155.155.155.155

If the user chooses the first IP as endpoint, then he/she should have access to the internet through WAN1.
If the user chooses the second IP as endpoint, then he/she should have access to the internet through WAN2.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Sun May 21, 2023 12:28 am

I am talking about LAN users not wireguard users LOL
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Sun May 21, 2023 12:31 am

Well, I am talking about WireGuard users who connect remotely.
For LAN users, we can use policy-based routing to define which LAN user should connect to which WAN, can't we?
But we cannot do this for WireGuard users (because of the initial handshake problem!)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Sun May 21, 2023 2:19 am

Everything works together, so approaching the entire WAN usage coherently is what makes sense, so what is the plan..........

In other words:
identify what traffic LAN users require, both internally and externally, and
how the WANs will be used for this traffic.
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Sun May 21, 2023 8:26 pm

Let's consider the simplest scenario, without any LAN device at all. We can extend the solution to more complex scenarios afterward.

I have 2 WANs.
The MT gets a static private IP from each WAN, and ports XXXXX and YYYYY are forwarded to the MT.
I want WAN1 to respond to WireGuard interface A on port XXXXX.
I want WAN2 to respond to WireGuard interface B on port YYYYY.
All of the peers connected to WireGuard interface A should access 0.0.0.0/0 only through WAN1.
All of the peers connected to WireGuard interface B should access 0.0.0.0/0 only through WAN1.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Sun May 21, 2023 11:35 pm

Either you have LAN subnets and users on those subnets, and potentially even servers, or you don't.
I'm assuming you do, and thus all of it is required to approach a config.

Furthermore, not knowing how the WANs will be used for all traffic is simply a lack of good planning.
Since you insist on thinking a config can be done in isolation and without planning, I will leave you to it.
L8r,

(PS: you have a typo in your post; the second WAN entry should be ....All of the peers .... "through" WAN2)
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Sun May 21, 2023 11:42 pm

Well, I think there is a misunderstanding here. Let me explain. If there is any ambiguity, it would be my pleasure to answer.
I have two WANs with different service providers and I have a static IP from both.
I want to run a WireGuard interface on both of them, and if one of the service providers has a connectivity problem, I want to be able to connect to the other wg interface on the other service provider. Something like failover, maybe.
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Connecting to local network from outside using L2TP/Wireguard

Mon May 22, 2023 2:30 pm

hello tirdano,
> If the user chooses the first IP as endpoint, then he/she should have access to the internet through WAN1.
> If the user chooses the second IP as endpoint, then he/she should have access to the internet through WAN2.
do you mean:
you want to route your remote WireGuard users back to the internet using the other WAN link, not the WAN link the WireGuard session was initiated on?

🤔
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Mon May 22, 2023 7:21 pm

Hi,

No, the remote WireGuard users should be routed back to the internet by exactly the WAN link the WireGuard session was initiated on.
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: Connecting to local network from outside using L2TP/Wireguard

Mon May 22, 2023 7:46 pm

> No, the remote WireGuard users should be routed back to the internet by exactly the WAN link the WireGuard session was initiated on.
ok, that would be a double:
1. set the remote user's default route lower than the pushed default route from the server.
2. set the server to push a default route to the remote client, and set the routing rules for remote clients back to the internet.

ok, have a good try 👍🏻 I'm off for rest.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Mon May 22, 2023 8:12 pm

Wiseroute, don't bother playing, because a configuration strictly for WireGuard users supposes that there are no local LAN users or devices/servers.

So as soon as the OP is screwed because the LAN users or servers don't work, he/she will come back to state but but but.

Hence why I ask for full requirements, so we don't waste our time.
 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Mon May 22, 2023 8:18 pm

Hello anav,
I don't know what you mean when you mention full requirements. However, I want to use WAN2 as the main WAN interface and WAN1 as failover. I hope it helps.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Mon May 22, 2023 9:35 pm

 
tirdano
Frequent Visitor
Topic Author
Posts: 51
Joined: Tue Mar 15, 2022 10:33 pm

Re: Connecting to local network from outside using L2TP/Wireguard

Sun May 28, 2023 12:25 pm

Hello anav,
Since I am sure that no matter how I explain, there will always be some misunderstanding, I will refer to another topic, so this is exactly what I need:
viewtopic.php?t=190614&sid=173c037cb816 ... fef1ac1dea
Except this:
> In this regard normal traffic will flow and the handshake should work. Note I added a distance of 2, to your vpn network.
> This will ensure all users go out the pppoe-wa WAN connection for internet.
I need all WireGuard users to go out the pppoe-vpn WAN connection for the internet.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connecting to local network from outside using L2TP/Wireguard

Sun May 28, 2023 3:21 pm

Crystal clear on the WireGuard side, but without knowing how the WANs are used on the LAN side it's very difficult to provide a solution that will take that into account.

In any case, simply mangle traffic coming in on each WAN:

add two tables
add two IP routes (with the new tables)
+++++++++++++++++++++++++++++++++
mangle in prerouting, incoming on wan1 (mark connections)
mangle in prerouting, incoming on wan2 (mark connections)
give that WAN1 traffic a routing mark on the output chain
give that WAN2 traffic a routing mark on the output chain
create two additional routes for wan1 and wan2 with the table of the routing mark (new tables which are used as routing-mark on the output chain)
++++++++++++++++++++++++++++++++++++++++++++++

Thus any traffic coming in on wan1 will go out wan1, and any traffic coming in on wan2 will go out wan2.
Why? So the initial handshake works correctly every time, regardless of WAN distance priorities on the main table.
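The recipe above written out for the OP's interfaces, as an added RouterOS v7 example that is not part of anav's post: ether1 toward the DSL modem (gateway 192.168.1.1, listen port 7236 on wg-iface-dsl) and ether2 toward the LTE modem (gateway 192.168.2.1, listen port 5036 on wg-iface-lte), with the LAN on 192.168.3.0/24 and the OP's two source-NAT rules left as they are. The table names to_wan1/to_wan2, the connection-mark names, and the main-table distances (WAN2 primary, WAN1 failover, as the OP stated) are assumptions. It also goes one step beyond the recipe: the recipe only makes the handshake reply leave on the right WAN, so steps 5 below additionally pin each tunnel's decrypted peer traffic to that tunnel's WAN, which is what the OP asked for.

```routeros
# Added example (not from the thread): answer each WAN on the link it was hit on, and send
# each tunnel's peers to the internet over that same link.
# Assumed: ether1 -> DSL modem 192.168.1.1, ether2 -> LTE modem 192.168.2.1,
# wg-iface-dsl 192.168.100.0/24, wg-iface-lte 192.168.200.0/24, LAN 192.168.3.0/24.

# 1. one extra routing table per WAN (v7: the fib flag installs it in the kernel)
/routing table
add name=to_wan1 fib
add name=to_wan2 fib

# 2. one default route per table, plus the main table: WAN2 primary, WAN1 failover
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=to_wan1 comment="DSL only"
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=to_wan2 comment="LTE only"
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main distance=1 check-gateway=ping comment="LAN default: LTE"
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main distance=2 check-gateway=ping comment="LAN failover: DSL"

/ip firewall mangle
# 3. remember which WAN a new inbound connection (the WireGuard handshake) arrived on
add chain=prerouting action=mark-connection new-connection-mark=wan1_conn \
    in-interface=ether1 connection-state=new passthrough=yes comment="arrived via DSL"
add chain=prerouting action=mark-connection new-connection-mark=wan2_conn \
    in-interface=ether2 connection-state=new passthrough=yes comment="arrived via LTE"
# 4. the router's own replies (handshake response, keepalives) use that WAN's table,
#    regardless of which WAN the main table prefers right now
add chain=output action=mark-routing new-routing-mark=to_wan1 \
    connection-mark=wan1_conn passthrough=no
add chain=output action=mark-routing new-routing-mark=to_wan2 \
    connection-mark=wan2_conn passthrough=no
# 5. beyond the recipe: decrypted peer traffic bound for the internet follows its tunnel's WAN;
#    anything for 192.168.0.0/16 (LAN, the other tunnel, the modems' web UIs) stays on main
add chain=prerouting action=mark-routing new-routing-mark=to_wan1 \
    in-interface=wg-iface-dsl dst-address=!192.168.0.0/16 passthrough=no
add chain=prerouting action=mark-routing new-routing-mark=to_wan2 \
    in-interface=wg-iface-lte dst-address=!192.168.0.0/16 passthrough=no

# 6. the OP's existing srcnat rules (out-interface=ether1 -> 192.168.1.100,
#    out-interface=ether2 -> 192.168.2.100) need no change: the routing mark picks the
#    out-interface before srcnat runs, so each flow is translated to the matching modem-side address.
```

Two things to check after applying it: `/ip route print where routing-table=to_wan1` must show the route as active (a table without the fib flag silently never routes), and `/ip firewall connection print where connection-mark=wan1_conn` should list the peer's UDP flow after a handshake on the DSL address. `check-gateway=ping` here only pings the modem, so a modem that is up while its uplink is dead will not trigger the failover; a recursive route via an internet address is the stronger check if that matters.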
