Community discussions

MikroTik App
 
dakinet
just joined
Topic Author
Posts: 7
Joined: Thu Jul 27, 2017 10:28 am

Network two LAN-s through WireGuard

Thu Sep 12, 2024 4:44 pm

Hi everyone,

I'm new to this forum and currently facing an issue with configuring WireGuard to connect two MikroTik routers (hEX S, wAP ac LTE kit) over a DigitalOcean-hosted Ubuntu v24 server. Both routers are intended to operate within the same subnet (192.168.69.0/24). Despite spending several days setting up and poring over manuals, I'm unable to establish connectivity between the two routers, which are currently on my workbench (they will be separated by a significant distance in the future).

Here's a more detailed breakdown of my issue:

When I attempt to ping from either MikroTik router, I get the following responses indicating that the host is unreachable:
[admin@MikroTik] > ping 192.168.69.161
  SEQ HOST             SIZE TTL TIME       STATUS
    0 10.0.0.1           84  64 86ms687us  host unreachable
    1 10.0.0.1           84  64 86ms31us   host unreachable
From the Ubuntu server, pinging any of the MikroTik IPs results in:
root@ubuntu-vm:~# ping 192.168.69.161
PING 192.168.69.161 (192.168.69.161) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
...
--- 192.168.69.161 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3094ms
The WireGuard interface seems to be up with the following configuration:
root@ubuntu-vm:~# wg
interface: wg0
  public key: <public key server>
  private key: (hidden)
  listening port: 51830

peer: <public key1>
  endpoint: 67.123.228.14:51830
  allowed ips: 10.0.0.2/32
  latest handshake: 1 minute, 35 seconds ago
  transfer: 70.59 KiB received, 23.84 KiB sent

peer: <public key2>
  endpoint: 67.123.228.14:16432
  allowed ips: 10.0.0.3/32
  latest handshake: 1 minute, 50 seconds ago
  transfer: 341.47 KiB received, 388.53 KiB sent

peer: <public key3>
  allowed ips: 10.0.0.4/32, 192.168.69.0/24
Each peer's allowed IPs are properly set, and the interface and peers appear to be configured correctly. However, connectivity between the routers remains unsuccessful.
You do not have the required permissions to view the files attached to this post.
 
rplant
Member
Member
Posts: 468
Joined: Fri Sep 29, 2017 11:42 am

Re: Network two LAN-s through WireGuard

Fri Sep 13, 2024 3:43 pm

Some thoughts.
A rough outline of what I would do.
To hopefully create an approximation to what you appear to want.
(Sorry there will likely be errors in this)

This assumes somewhere near default config of the Mikrotiks.
With a LAN interface list.


The 192.168.169.0/24 is broken up into a bunch of /28 (or smaller) subnets.
Each router can have 1 or more subnets from this assigned to it.
(Ideally contiguous, but...)

Another address range 192.168.170.0/24 will be assigned to the wireguard interfaces.
(Mainly for diagnostic purposes)


R1 will have 192.168.169.1/28 assigned to its bridge.
Subnet range 192.168.169.64/28 will also be assigned to this router.
192.168.70.1/24 is assigned to Wireguard1

R2 will have 192.168.169.16/28 assigned to its bridge.
192.168.70.2/24 is assigned to Wireguard1

R3 will have 192.168.169.32/28 assigned to its bridge.
192.168.70.3/24 is assigned to Wireguard1

All routers will have the following static route added to them.

192.168.169.0/24 via wireguard1
(They will also have a 192.168.169.xx/28 via their bridge from their IP address setting)

All routers will have wireguard1 added to the LAN interface list.
(Later perhaps a different list with more restrictions on access to router services)

Allowed IP List:
Each router's wireguard1 interface has an allowed IP list of
192.168.169.0/24 and 192.168.170.0/24

DHCP Server:
Each router's bridge dhcp server will have one or more IP address pools covering its ranges
The subnet mask handed out is /24
The default gateway is itself
DNS is itself?
The router's IP address netmask is not /24 normally will be /28

eg.
R1 bridge DHCP server

R1 bridge ip address = 192.168.169.1/28 <- Note /28

DHCP Subnet mask /24
ip pools 192.168.169.2-192.168.169.15 and 192.168.169.64-192.168.169.80
(because 2 subnets assigned to R1)
Default Gateway 192.168.169.1
DNS 192.168.169.1

R1 also needs a static route 192.168.169.64/28 via Bridge for the 2nd subnet.

R2 bridge DHCP server

R2 bridge ip address = 192.168.169.1/28
DHCP Subnet mask /24
ip pool 192.168.169.17-192.168.169.31
Default Gateway 192.168.169.16
DNS 192.168.169.17


** Bridge Proxy Arp **
Each router's bridge will need to have proxy arp enabled. ** Important **

So for example when an arp request is made from 192.168.169.3 (connected to R1)
for 192.168.169.20 (connected to R2), then R1 answers the Arp, gets the
packet and forwards it to wireguard and to the Ubuntu server which then
forwards to R2, and similar for the reply email.

**************

Ubuntu Server

R1 wireguard peer will have allowed addresses of 192.168.169.0/28 and 192.168.170.1/32
R2 wireguard peer will have allowed addresses of 192.168.169.16/28 and 192.168.170.2/32
R3 wireguard peer will have allowed addresses of 192.168.169.32/28 and 192.168.170.3/32

Ubuntu server wireguard ip address can be 192.168.170.254/24
If Ubuntu requires a local 192.168.169.x network, perhaps 192.168.169.240/28

May need routes for 192.168.169.0/24 via Wireguard

Ubuntu Firewall will likely cause issues.

Should initially be able to ping the 192.168.170.x ip addresses to at least know the wireguard links
are connected.

Once this is working, if you require some layer 2 stuff between the router's lans you could look at the following.

HOW TO: mDNS and SSDP over Wireguard
viewtopic.php?t=194842

The complete SSDP + mDNS solution for network segmentation
viewtopic.php?t=197542
 
rplant
Member
Member
Posts: 468
Joined: Fri Sep 29, 2017 11:42 am

Re: Network two LAN-s through WireGuard

Sat Sep 14, 2024 6:32 am

If you do want full l2 connectivity, perhaps you should investigate ZeroTier
(which is supported by Mikrotik)
I have not tried it, but I believe it will do this.
 
jvincze84
just joined
Posts: 12
Joined: Mon Apr 29, 2024 10:22 am

Re: Network two LAN-s through WireGuard

Mon Sep 16, 2024 11:08 am

Hi,

I don't fully understand your desired setup. But I think I have some similar connectivity.
I'm using WG to connect Mikrotik Routers and linux servers to connect each other.

The most importatnt that I have a VPS Debian Server with FIX IP Address. This is my WG "server".
My WG subnet is: 10.8.0.0/24 ->Deb
Home LAN (AC3): 172.16.0.0/22 --> R1
Remote place (WAP R + LTE):192.168.150.0/24 -->R2
I can access my R2 network via Deb from R1.

Debain WG Config:
[Interface]
Address = 10.8.0.8/24
ListenPort = 51820
PrivateKey = ********************

[Peer] # Config File: hap-ac3.conf
PublicKey = ********************
PresharedKey = ********************
AllowedIPs = 10.8.0.68/32,172.16.0.0/22

[Peer] # Config File: mikrotik-wapr-lte.conf
PublicKey = ********************
PresharedKey = ********************
AllowedIPs = 10.8.0.69/32,192.168.150.0/24
R1 Wireguard Config
/interface wireguard
add listen-port=51820 mtu=1420 name=wg-vps12
/interface wireguard peers
add allowed-address=10.8.0.0/24,192.168.150.0/24,192.168.100.0/24 endpoint-address=lxc14.dummy-domain.com endpoint-port=51820 interface=wg-vps12 persistent-keepalive=30s preshared-key="****************" public-key=\
    "*******************"
R2 Wireguard Config:
/interface wireguard
add listen-port=13628 mtu=1420 name=wg-vps13
/interface wireguard peers
add allowed-address=10.8.0.0/24 endpoint-address=lxc14.dummy-domain.com endpoint-port=51820 interface=wg-vps13 name=vps13 persistent-keepalive=30s preshared-key="***********" public-key=\
    "*******************"
Here come's the tricky part. You need to masquerade some traffic.

R1 Configuration:
/ip firewall address-list
add address=192.168.150.0/24 list=wg-vpn-routes
add address=192.168.100.0/24 list=wg-vpn-routes
masquerade :
/ip firewall nat
add action=masquerade chain=srcnat comment="wireguard vpn masq" dst-address=10.8.0.0/24 out-interface=wg-vps12 src-address=172.16.0.0/22
add action=masquerade chain=srcnat comment="wireguard routes" dst-address-list=wg-vpn-routes out-interface=wg-vps12 src-address=172.16.0.0/22
The first rule is needed to access WG network (10.8.0.0/24) from clients sitting behind the R1 router (172.16.0.0/22).
For example access 10.8.0.100 from 172.16.0.33

The second one is for access R2's network from R1.:
For axample: access 192.168.150.25 from 172.16.0.33

But this is not enough, you need to configure Debian, as well.
# iptables
/usr/sbin/iptables -P FORWARD ACCEPT
# IP Forward
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
I can suggest that after the connection is working fine, you shoud restric the FORWARD chain.

Another really important part of the microtik config is the propery set IP address of the WG interface:

R1:
/ip address
add address=10.8.0.68/24 interface=wg-vps12 network=10.8.0.0
R2:
/ip address
add address=10.8.0.69/24 interface=wg-vps13 network=10.8.0.0
And the "AllowedIPs" in all config is also really important.
If you want to access different which does not have route set on both side the connection have to masqueraded.

Additionally I post here my routes:

R1:
[admin@MikroTikAc3] > /ip/route/print 
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS         GATEWAY     DISTANCE
  DAv 0.0.0.0/0           pppoe-out1         1
  DAc 10.8.0.0/24         wg-vps12           0
  DAc 10.200.0.0/24       vlan200            0
  DAc 10.242.0.0/16       zt1                0
  DAc 145.236.238.205/32  pppoe-out1         0
  DAc 172.16.0.0/22       bridge1            0
  DAc 192.168.1.0/24      vlan100            0
0  As 192.168.100.0/24    wg-vps12           1
1  As 192.168.150.0/24    wg-vps12           1
There are two important parts:
  • Static Route to 192.168.150.0/24
  • And the Dynamic Route to 10.8.0.0/24 (This is created automatically)



R2:
[admin@wAPRLTE] > /ip/route/print 
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, m - MODEM
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS       GATEWAY   DISTANCE
DAm 0.0.0.0/0         lte1             2
DAc 10.8.0.0/24       wg-vps13         0
DAc 94.44.54.123/32   lte1             0
DAc 192.168.150.0/24  bridge1          0
As I mentioned I don't fully understand your needs, but maybe my config helps you to understand and adapt.
.

Who is online

Users browsing this forum: Google [Bot], GoogleOther [Bot], Partial and 29 guests