Community discussions

MikroTik App
 
noxxsan
just joined
Topic Author
Posts: 8
Joined: Sat Dec 02, 2023 2:02 am

Wireguard issues with OSPF

Thu Nov 14, 2024 11:34 pm

OSPF is not working when using a single WireGuard interface with multiple peers. However, if I use a separate WireGuard interface for each peer, it works fine.

I have multiple ISPs and sites, and I want to avoid using multiple UDP Ports/Wireguard interfaces for a single client.

Any ideas?

Main Site WG Peer A : 172.20.100.1/30
Main Site WG Peer B : 172.20.110.1/30
LAN: 172.16.5.0/24

Site A WG: 172.20.100.2/30
LAN: 192.168.120.0/24

Site B WG: 172.20.110.2/30
LAN: 192.168.150.0/24

Main Site
Image

Site A
Image

Site B
Image
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1603
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Wireguard issues with OSPF  [SOLVED]

Fri Nov 15, 2024 12:09 am

It’s pretty tough to help out if you don’t explain exactly what’s not working, share a brief overview of the network topology and provide a full config export (minus anything that needs to be left out for privacy reasons).

Also, using a single WireGuard interface with multiple active peers can be tricky, especially with OSPF. Why not just set up a separate WireGuard interface for each OSPF tunnel where you can assign the endpoint IP according to the tunnel subnet? It makes things way easier to manage and monitor, plus it’s the recommended practice for delegation of duties.
 
noxxsan
just joined
Topic Author
Posts: 8
Joined: Sat Dec 02, 2023 2:02 am

Re: Wireguard issues with OSPF

Tue Nov 19, 2024 5:09 pm

Why not just set up a separate WireGuard interface for each OSPF tunnel where you can assign the endpoint IP according to the tunnel subnet? It makes things way easier to manage and monitor, plus it’s the recommended practice for delegation of duties.
I see, guess i have to create one wg interface for each site and ISP.

Thanks.

Image
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21729
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard issues with OSPF

Tue Nov 19, 2024 7:03 pm

Not necessarily, but without seeing the config, its impossible to know how badly you mucked things up! :-)

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1603
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Wireguard issues with OSPF

Tue Nov 19, 2024 7:43 pm

Suddenly an OSPF expert!? 😘
 
noxxsan
just joined
Topic Author
Posts: 8
Joined: Sat Dec 02, 2023 2:02 am

Re: Wireguard issues with OSPF

Tue Nov 19, 2024 8:33 pm

Not necessarily, but without seeing the config, its impossible to know how badly you mucked things up! :-)

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)

Ok

Main Site

# 2024-11-19 15:18:06 by RouterOS 7.14.1
# software id = 
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-wan
set [ find default-name=ether2 ] disable-running-check=no name=ether2-lan
/interface wireguard
add listen-port=13255 mtu=1420 name=wireguard-site-a-isp1
add listen-port=13261 mtu=1420 name=wireguard-site-a-isp2
add listen-port=13256 mtu=1420 name=wireguard-site-b-isp1
add listen-port=13262 mtu=1420 name=wireguard-site-b-isp2
/routing ospf instance
add disabled=no name=ospf-instance-office1
add disabled=no name=ospf-instance-office2
/routing ospf area
add area-id=192.168.120.1 disabled=no instance=ospf-instance-office1 name=\
    ospf-area-office1
add area-id=192.168.150.1 disabled=no instance=ospf-instance-office2 name=\
    ospf-area-office2
/routing table
add disabled=no fib name=office1
add disabled=no fib name=office2
/system logging action
set 0 memory-lines=50000
/ipv6 settings
set disable-ipv6=yes
/interface wireguard peers
add allowed-address=172.20.100.2/32,192.168.120.0/24,224.0.0.0/24 comment=\
    "Site A" interface=wireguard-site-a-isp1 public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXX="
add allowed-address=172.20.110.2/32,192.168.120.0/24,224.0.0.0/24 interface=\
    wireguard-site-a-isp2 public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXX="
add allowed-address=172.20.120.2/32,192.168.150.0/24,224.0.0.0/24 comment=\
    "Site B" interface=wireguard-site-b-isp1 public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXX="
add allowed-address=172.20.130.2/32,192.168.150.0/24,224.0.0.0/24 interface=\
    wireguard-site-b-isp2 public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXX="
/ip address
add address=172.25.100.10/24 interface=ether1-wan network=172.25.100.0
add address=172.16.5.1/24 interface=ether2-lan network=172.16.5.0
add address=172.20.100.1/30 interface=wireguard-site-a-isp1 network=\
    172.20.100.0
add address=172.20.110.1/30 interface=wireguard-site-a-isp2 network=\
    172.20.110.0
add address=172.20.120.1/30 interface=wireguard-site-b-isp1 network=\
    172.20.120.0
add address=172.20.130.1/30 interface=wireguard-site-b-isp2 network=\
    172.20.130.0
/ip dns
set servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan src-address=\
    172.16.5.0/24
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=172.25.100.1 routing-table=main \
    suppress-hw-offload=no
/routing ospf interface-template
add area=ospf-area-office1 comment="Site A" disabled=no interfaces=\
    wireguard-site-a-isp1 type=ptp
add area=ospf-area-office1 cost=10 disabled=no interfaces=\
    wireguard-site-a-isp2 type=ptp
add area=ospf-area-office1 disabled=no networks=172.16.5.0/24 passive
add area=ospf-area-office2 comment="Site B" cost=10 disabled=no interfaces=\
    wireguard-site-b-isp1 type=ptp
add area=ospf-area-office2 disabled=no interfaces=wireguard-site-b-isp2 type=\
    ptp
add area=ospf-area-office2 disabled=no networks=172.16.5.0/24 passive
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=main-site
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.br

Site B
# 2024-11-19 15:18:20 by RouterOS 7.14.1
# software id = 
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-wan
set [ find default-name=ether2 ] disable-running-check=no name=ether2-lan
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
add listen-port=13232 mtu=1420 name=wireguard2
/routing ospf instance
add disabled=no name=ospf-instance-office1
/routing ospf area
add area-id=192.168.120.1 disabled=no instance=ospf-instance-office1 name=\
    ospf-area-office1
/ipv6 settings
set disable-ipv6=yes
/interface wireguard peers
add allowed-address=172.20.100.1/32,172.16.5.10/32,224.0.0.0/24 \
    endpoint-address=177.XXX.XXX.XXX endpoint-port=13255 interface=wireguard1 \
    persistent-keepalive=30s public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXX="
add allowed-address=172.20.110.1/32,172.16.5.10/32,224.0.0.0/24 \
    endpoint-address=187.XXX.XXX.XXX endpoint-port=13261 interface=wireguard2 \
    persistent-keepalive=30s public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXX="
/ip address
add address=192.168.15.25/24 interface=ether1-wan network=192.168.15.0
add address=192.168.120.1/24 interface=ether2-lan network=192.168.120.0
add address=172.20.100.2/30 interface=wireguard1 network=172.20.100.0
add address=172.20.110.2/30 interface=wireguard2 network=172.20.110.0
/ip dns
set servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan src-address=\
    192.168.120.0/24
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.15.2 routing-table=main \
    suppress-hw-offload=no
/routing ospf interface-template
add area=ospf-area-office1 disabled=no interfaces=wireguard1 type=ptp
add area=ospf-area-office1 cost=10 disabled=no interfaces=wireguard2 type=ptp
add area=ospf-area-office1 disabled=no networks=192.168.120.0/24 passive
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=site-a
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.br
Site B
# 2024-11-19 15:25:31 by RouterOS 7.14.1
# software id = 
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-wan
set [ find default-name=ether2 ] disable-running-check=no name=ether2-lan
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
add listen-port=13232 mtu=1420 name=wireguard2
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add area-id=192.168.150.1 disabled=no instance=ospf-instance-1 name=\
    ospf-area-1
/ipv6 settings
set disable-ipv6=yes
/interface wireguard peers
add allowed-address=172.20.120.1/32,172.16.5.10/32,224.0.0.0/24 \
    endpoint-address=177.XXX.XXX.XXX endpoint-port=13256 interface=wireguard1 \
    persistent-keepalive=30s public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXX="
add allowed-address=172.20.130.1/32,172.16.5.10/32,224.0.0.0/24 \
    endpoint-address=187.XXX.XXX.XXX endpoint-port=13262 interface=wireguard2 \
    persistent-keepalive=30s public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXX="
/ip address
add address=192.168.15.26/24 interface=ether1-wan network=192.168.15.0
add address=192.168.150.1/24 interface=ether2-lan network=192.168.150.0
add address=172.20.120.2/30 interface=wireguard1 network=172.20.120.0
add address=172.20.130.2/30 interface=wireguard2 network=172.20.130.0
/ip dns
set servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan src-address=\
    192.168.150.0/24
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.15.1 routing-table=main \
    suppress-hw-offload=no
/routing ospf interface-template
add area=ospf-area-1 disabled=no interfaces=wireguard1 type=ptp
add area=ospf-area-1 disabled=no interfaces=wireguard2 type=ptp
add area=ospf-area-1 disabled=no networks=192.168.150.0/24 passive \
    prefix-list=""
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=site-b
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.br
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1603
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Wireguard issues with OSPF

Tue Nov 19, 2024 10:00 pm

@anav, it’s your call!

Once you figure out what triggers OSPF LSA state changes on a single WireGuard interface (using OSPF type PTP) connected to multiple peers/subnets, adding two tunnels to your VPS will be a breeze.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21729
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard issues with OSPF

Wed Nov 27, 2024 8:15 pm

jajajajaja, I will stick to any errors that pop from the most basic of settings!!

For all those wireguards coming in on ISP1 and ISP2, where be the mangling required to ensure handshakes go back out correct WAN??
Cool one can bypass that with OSPF, I may have to learn it after all.
 
noxxsan
just joined
Topic Author
Posts: 8
Joined: Sat Dec 02, 2023 2:02 am

Re: Wireguard issues with OSPF

Wed Nov 27, 2024 11:01 pm

I purchased an online course that includes a Failover and Load Balancing script.

The first two rules prevent packets entering through WAN1 from returning via WAN2.


Image


Main Site = CHR

Image


Edit: I don't see any issues with WireGuard itself. My guess is that OSPF Broadcast packets are behaving unpredictably because both Site A and Site B are using the same WireGuard interface.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21729
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard issues with OSPF

Thu Nov 28, 2024 7:10 pm

I purchased an online course that includes a Failover and Load Balancing script.

The first two rules prevent packets entering through WAN1 from returning via WAN2.
Not sure how those two points are related......

but one can pay through the nose for these rules. ;-)
viewtopic.php?t=157048#p1041838

In terms of Failover, this thread is useful.
viewtopic.php?t=157048

Who is online

Users browsing this forum: No registered users and 13 guests