Can't seem to grasp WireGuard

evv2v6 · Sat Apr 27, 2024 9:30 pm

Hi

I'm trying to set up WireGuard in RouterOS, following the official guide on the wiki, however I can't seem to even connect to it. I'd like to able to access devices in vlan_a through the WireGuard VPN.
To my understanding it seems like my firewall settings are off. Could anyone smarter than me please take a look and tell me what I'm doing wrong?
Thank you :)

# 2024-04-26 17:05:52 by RouterOS 7.14.3
# model = RB962UiGS-5HacT2HnT
/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short protocol-mode=none \
    vlan-filtering=yes
/interface wireguard
add listen-port=10111 mtu=1420 name=wg1
/interface vlan
add interface=bridge1 name=vlan_a vlan-id=10
add interface=bridge1 name=vlan_mgmt vlan-id=99
add interface=bridge1 name=vlan_b vlan-id=30
add interface=bridge1 name=vlan_c vlan-id=20
/interface list
add name=WAN
add name=VLAN_FORBID
add name=VLAN_ALLOW
add name=MGMT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=sec_plk \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=etsi disabled=no frequency=auto mode=ap-bridge \
    security-profile=sec_plk ssid=WiFi2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=etsi disabled=no mode=ap-bridge \
    security-profile=sec_plk ssid=WiFi5 wps-mode=disabled
/ip pool
add name=pool_a ranges=10.0.10.2-10.0.10.254
add name=pool_c ranges=10.0.20.2-10.0.20.254
add name=pool_b ranges=10.0.30.2-10.0.30.254
add name=pool_mgmt ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=pool_a interface=vlan_a lease-time=1w name=\
    dhcp_a
add address-pool=pool_c interface=vlan_c lease-time=10m name=dhcp_c
add address-pool=pool_b interface=vlan_b lease-time=1h name=\
    dhcp_b
add address-pool=pool_mgmt interface=vlan_mgmt lease-time=10m name=dhcp_mgmt
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan1 internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan2 internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge1 interface=ether5 pvid=11
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10
add bridge=bridge1 tagged=bridge1 vlan-ids=20
add bridge=bridge1 tagged=bridge1 vlan-ids=30
add bridge=bridge1 tagged=bridge1 vlan-ids=99
add bridge=bridge1 tagged=bridge1 vlan-ids=40
add bridge=bridge1 tagged=bridge1 vlan-ids=11
/interface list member
add interface=ether1 list=WAN
add interface=vlan_mgmt list=VLAN_ALLOW
add interface=vlan_a list=VLAN_FORBID
add interface=vlan_c list=VLAN_ALLOW
add interface=vlan_b list=VLAN_ALLOW
add interface=vlan_mgmt list=MGMT
add interface=wg1 list=VLAN_ALLOW
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.10.2/32 interface=wg1 public-key=\
/ip address
add address=192.168.0.1/24 interface=vlan_mgmt network=192.168.0.0
add address=192.168.8.111/24 interface=ether1 network=192.168.8.0
add address=10.0.10.1/24 interface=vlan_a network=10.0.10.0
add address=10.0.20.1/24 interface=vlan_c network=10.0.20.0
add address=10.0.30.1/24 interface=vlan_b network=10.0.30.0
add address=192.168.10.1/24 interface=wg1 network=192.168.10.0
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=10.0.10.253 client-id=1:80:7c:62:b:7a:f6 comment=nvr mac-address=\
    80:7C:62:0B:7A:F6 server=dhcp_a
add address=10.0.10.252 client-id=1:bc:5e:33:85:36:85 mac-address=\
    BC:5E:33:85:36:85 server=dhcp_a
add address=10.0.10.251 client-id=1:bc:5e:33:85:36:84 mac-address=\
    BC:5E:33:85:36:84 server=dhcp_a
add address=10.0.10.249 client-id=1:e0:ca:3c:97:1e:ed mac-address=\
    E0:CA:3C:97:1E:ED server=dhcp_a
/ip dhcp-server network
add address=10.0.10.0/24 dns-none=yes gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=192.168.0.1 gateway=10.0.30.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow established, related" \
    connection-state=established,related
add action=accept chain=input comment="allow wg" dst-port=10111 protocol=udp
add action=accept chain=input comment="allow wg traffic" src-address=\
    192.168.10.0/24
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="VLANs with router service perms" \
    in-interface-list=VLAN_ALLOW
add action=accept chain=input in-interface=vlan_mgmt
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow established, related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN_ALLOW outside access" \
    connection-state=new in-interface-list=VLAN_ALLOW out-interface-list=WAN
add action=accept chain=forward in-interface=vlan_mgmt out-interface=\
    vlan_a
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masq" out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.8.1
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

HokieCat · Sun Apr 28, 2024 3:05 am

I'm in much the same situation as you... new to RouterOS, just set up WireGuard, and was having similar problems but now have mine working. When you say you can't connect, do you mean that your Wireguard client can't connect at all? For example, in the RouterOS interface go to "WireGuard", and then go to the "Peers" tab. When you try to connect from the client, in the appropriate peer do you see the "Last Handshake" field update?

If it is insead that WG is connecting, but then you don't have access to anything on your network, then I do think it is an issue with your firewall. This looks good:

add action=accept chain=input comment="allow wg" dst-port=10111 protocol=udp

I don't think you need the following. It shouldn't do any harm, but the above rule should match all your WG traffic so the following would never be reached by any WG traffic.

add action=accept chain=input comment="allow wg traffic" src-address=192.168.10.0/24

Then you don't have a forward rule to allow the traffic to your VLAN. Taking a shot based on your config, I think you need something like the following to allow IP addresses from your WG address range to your VLAN's address range:

add action=accept chain=forward dst-address=10.0.10.0/24 in-interface=wg1 src-address=192.168.10.0/24 comment="Allow WG access to VLAN"

evv2v6 · Sun Apr 28, 2024 12:50 pm

Hi
I can't seem to connect at all. No last handshake in the peers menu.

anav · Sun Apr 28, 2024 3:19 pm

SKIP to 12 to fix your issue! or perhaps 4 is the problem?

(1) The real crime in the nomenclature of your vlans, you have a,b,c but you assign them to vlans 10,30,20 lol, drive me nuts.

j/k

(2) Problem here! You introduce two vlans that are NOT defined ??? They should be removed.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=10
add bridge=bridge1 tagged=bridge1 vlan-ids=20
add bridge=bridge1 tagged=bridge1 vlan-ids=30
add bridge=bridge1 tagged=bridge1 vlan-ids=99
add bridge=bridge1 tagged=bridge1 vlan-ids=40
add bridge=bridge1 tagged=bridge1 vlan-ids=11

(3) Set this to NONE ( only the mac-winbox config line is secure )
/tool mac-server
set allowed-interface-list=MGMT

(4) Assuming the upstream router can port forward udp port 10111 to 192.168.8.111/32 ( aka the LANIP of your router )

(5) So far nothing should be preventing success.......will look at firewall rules next.

(6) Nothing major there, but I prefer to be it a bit more explicit for any access to config of router so modify:
add action=accept chain=input comment="allow wg traffic" in-interface=wg1 src-address=\
192.168.10.2/32

(7) You have redundant rule...............
add action=accept chain=input comment="VLANs with router service perms" \
in-interface-list=VLAN_ALLOW
add action=accept chain=input in-interface=vlan_mgmt

Ask yourself will the second rule ever be used, give the rule above it???

(8) I personally prefer to limit by IP who has access to the router and all users only to which specific services, not all of them!
Thus I would do the following:

add chain=input action=accept in-interface-list=MGMT src-address-list=[b]Authorized[/b]
add chain=input action=accept in-interface-list=VLAN_ALLOW dst-port=53,123 protocol=udp
add chain=input action=accept in-interface-list=VLAN_ALLOW dst-port=53 protocol=tcp
add chain=input action=drop comment="Drop all else"

This would necessitate adding wg1 to the MGMT interface as well AND the following
/ip firewall address-list { static dhcp leases for most }
add 192.168.0.X/32 list=Authorized comment="Admin desktop"
add 192.168.0.Y/32 list=Authorized comment="Admin laptop wifi"
add 192.168.0.AB/32 list=Authorized comment="Admin smartphone/ipad wifi"
add 192.168.10.2/32 list=Authorized comment="Admin remote laptop"
add 192.168.10.3/32 list=Authorized comment="Admin remote smartphone/ipad"

(9) If VLAN forbid is an interface never used in rules, one can simply remove it and the list member entry.

(10) Missing defautl Fastrack rule as first rule in forward chain. Typically removed if queuing or mangling all LAN traffic.
This can really improve the snapiness/performance of your router

(11) Do not need connection-state=new in forward chain rules.

(12) Be aware your forward chain rules do not permit wg to acces LAN.
You could modify this
add action=accept chain=forward in-interface=vlan_mgmt out-interface=\
vlan_a
TO:
add action=accept chain=forward in-interface-list=MGMT out-interface=\
vlan_a

or many other ways........
add action=accept chain=forward in-interface=wg dst-address=10.0.10.0/24

HokieCat · Sun Apr 28, 2024 5:48 pm

With no handshake at all, also make sure you have your WG server and WG client configured correctly:
1. In the server's peer config, make sure that the Public Key matches the public key of your client's addresses.
2. Make sure the server's peer allowed addresses matches what you have configured in your client's int
2. In the client's peer config, make sure that the Public Key matches the public key of the server.
3. Verify that you have the client's peer endpoint set correctly. It should be either your public IP address or a public DNS name that resolves to your IP and the port for WG. For example: "my.public.name:10111".
4. Assuming you want to route all client traffic through WG, the client's peer "Allowed IPs" should be "0.0.0.0/0".

If you get the connection working, in the client's interface DNS server you can list the DNS server IP address for your VLAN. You don't appear to use domains in your config, but if you even do you can include it here as well. e.g. "(DNS IP),mydomain.lan"

evv2v6 · Mon Apr 29, 2024 9:22 pm

Turns out my ISP had not opened all my ports properly

However I'd like to extend my thanks to both HokieCat and anav for giving me a sanity check.

Can't seem to grasp WireGuard [SOLVED]

Can't seem to grasp WireGuard

Re: Can't seem to grasp WireGuard

Re: Can't seem to grasp WireGuard

Re: Can't seem to grasp WireGuard [SOLVED]

Re: Can't seem to grasp WireGuard

Re: Can't seem to grasp WireGuard

Who is online