Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 7:46 pm

Hello,

I am trying to get Wireguard to work on my haP ac2 so that all WAN traffic goes through my commercial VPN provider.

Basically I want the router to do the job that my provider's Windows software is doing right now, except I want it to handle also traffic from my other connected devices, not just the Windows PC.

This is what I have done so far:

I got the .conf files from my provider for my chosen endpoint locations. I didn't find any way to import them directly into ROS v7.2Rc1, so I transferred the information manually.

The files have the following format:
[Interface]
PrivateKey = xxx
Address = xxx/32
DNS = xxx

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxx:443
PresharedKey = xxx

Then I set up a Wireguard Interface and Peer and added it to the LAN group like this:
/interface wireguard
add listen-port=13231 mtu=1420 name=VPNProvider
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VPNProvider list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="BKK" disabled=yes \
    endpoint-address=xxx endpoint-port=443 \
    interface=VPNProvider persistent-keepalive=25s public-key=\
    "xxx"
add allowed-address=0.0.0.0/0 comment=FRA endpoint-address=\
    xxx endpoint-port=443 interface=VPNProvider \
    persistent-keepalive=25s public-key=\
    "xxx"
Ok, that's how far I have come. The Peer seems to handshake, but the connection isn't working as planned.

I am not surprised, because from what I have read, I also need to set up a route and some firewall rules and maybe something else too.

And so here I would like some help from the more experienced members, because these are very sensitive areas and I don't want to do anything wrong.

Also I hope that this thread with your help could be an asset for other people who simply would like to set up their VPN provider in their MikroTik router, since I could not find any tutorial on various providers' websites.

Actually it would be great if MikroTik could add this to the Quick Set since I think this would be of great interest to the home user.

Thank you for your kind help.
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 7:58 pm

Make that WAN: add interface=VPNProvider list=LAN

I am working on a script to read those kinds of config files.

Hope changing the LAN to WAN helps.

You also need to add a masquerade to NAT.
/ip/firewall/nat
add action=masquerade chain=srcnat out-interface=VPNProvider
In /ip/address you have to add the Address = xxx/32 from the file.

/ip/address
add address=xxxx network=xxxx interface=VPNProvider
Last edited by msatter on Fri Jan 14, 2022 8:22 pm, edited 3 times in total.
Loving my freedom and so, no Twitter, no Meta/Facebook/Instagram/WhatsApp, no Apple and no Alphabet/Google, no Amazon/Cloudfront/AWS. Earthquakes here for gas for Germany.

Running:
RouterOS 7.1.1 and 6.49 / Winbox 3.32 64bits
 
Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 8:08 pm

Thank you for your suggestion.

I did this:
/interface wireguard
add listen-port=13231 mtu=1420 name=VPNProvider
/interface list member
add interface=VPNProvider list=WAN
But I still see no traffic.

Such a script would be great!
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 8:09 pm

I was still editing my post and have a new go at it.

To test the connection directly, see if you can ping an external IP on your new VPNProvider interface.
 
Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 8:17 pm

Ok, thank you.

Could it be that you meant

add action=masquerade chain=srcnat out-interface=VPNProvider

instead of:
add action=masquerade chain=srcnat out-interface-list=VPNProvider

???
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 8:21 pm

Yes, that works for you and I have now also the address part complete for you. This creates the routing entries you need.

Update:
I use the -list because of more than one connection.
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 8:42 pm

You should have also a /interface/wireguard where you can enter the private key:
/interface/wireguard
add name="VPNprovider" mtu=1420 listen-port=13231 private-key="XXXXXXXXXXXXXX" 
You also have a pre-shared key; use it to have even better encryption of your traffic.
Last edited by msatter on Fri Jan 14, 2022 8:50 pm, edited 2 times in total.
 
Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 8:45 pm

Ok, I now did this:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=VPNProvider

/ip address
add address=xxx.xx.xxx.31 interface=VPNProvider network=xxx.xx.xxx.0
I tried to enter:
/ip address
add address=xxx.xx.xxx.31/32 interface=VPNProvider network=xxx.xx.xxx.0
but it wouldn't take it. Maybe there was a fault in the configuration file with the network and I must enter another number instead of "/32"?

Regarding
add action=masquerade chain=srcnat out-interface=VPNProvider
I suggested to use this, because the "Out.Interface List" selection box only showed the choices: "LAN, WAN, all, dynamic, none, and static". So I couldn't select VPNProvider and also it wasn't accepted in Terminal until I changed it to "out-interface=VPNProvider".

I tried pinging 8.8.8.8 on the new interface, and it is working.

However, when I open my browser and use https://www.doileak.com/classic.html I still see all the information of my local ISP.
 
Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 8:56 pm

Looking at this, it puzzles me. You should have also a /interface/wireguard where you can enter the private key:
Yes, that is strange, because when I do " /interface/wireguard print" I see the private and public keys, as well as in the GUI.

I have a preshared key and I entered in the Peers section. There is no entry for a pre-shared key in the Wireguard section.

But when I do "/interface/wireguard export" the keys don't show. Maybe a bug in 7.2Rc1?
Which of your two peers match the WireGuard connection?
Both peers are different locations of the same provider. My thinking was to disable all peers (locations, f.e. Chicago, USA) and enable only the one I want to tunnel through, f.e. France. This way I can choose what location to tunnel through. Is there a mistake in this logic?

So in other words, the first peer is disabled, the second peer is enabled.
Last edited by Binser on Fri Jan 14, 2022 8:59 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 8:58 pm

Switch these:
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=VPNProvider
And make in /interface/list a new list WireGuard and use that like I do to differentiate traffic. Because VPNProvider is a member of list WAN, the first NAT you have now grabs it and it goes unencrypted to your current ISP.
Swapping those lines solves that, but better is to make a separate interface list WireGuard as I did.
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 9:04 pm

It is not a bug but a feature. If you want to export your keys then use: export show-sensitive

Thank you Mikrotik for this extra protection! :-)

Yes that could work and the proof is in eating the pudding. ;-)
 
Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 9:15 pm

Ok, thanks for your input.

So I did this:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WireguardVPN
/interface list member
add interface=VPNProvider list=WireguardVPN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WireguardVPN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
But still no pudding! :D

Doileak still shows my local ISP even with the masquerade rules changed.
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 9:20 pm

I don't remember if this is also needed:
/ip/route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=VPNProvider pref-src="" routing-table=VPNProvider scope=30 suppress-hw-offload=yes \
    target-scope=10

/routing/table/
add disabled=no fib name=VPNProvider
Now you can decide which traffic has to go through WireGuard by new-mark-routing in Mangle.

This should complete it and it should now work for you.

Update: it should work now. It is a lot to set up and there could be simpler configs with VRF, but I did not use that, or better, I could not get it working correctly. ;-)

The script I am making does only set the values in /interface/wireguard and /ip/address and adding the configuration above is still manual work.

Update 2: Try without this:

add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

...because it also matches WireGuard traffic on the WAN. We have changed that traffic to another interface.....
 
Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 10:07 pm

Ok, I have done the following changes:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=VPNProvider \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=yes \
    target-scope=10
/routing table
 add disabled=no fib name=VPNProvider
and it now works! Thank you so so much for your wonderful and patient help, msatter! :mrgreen:

I can also switch locations by disabling the currently active peer and enabling another one as planned, but in addition I also have to briefly disable and reenable the VPNprovider Wireguard Interface. GREAT!!!!

Couple of loose ends which hopefully you can help me with too:
1.) My question about
"I tried to enter:
/ip address
add address=xxx.xx.xxx.31/32 interface=VPNProvider network=xxx.xx.xxx.0
but it wouldn't take it. Maybe there was a fault in the configuration file with the network and I must enter another number instead of "/32"?"

2.) Doileak still shows my ISP DNS instead of my VPN provider's DNS. How can I change it, so that ONLY when I have the Wireguard interface enabled - INCLUDING the corresponding Peer (since every Peer will have a different DNS), only then will the DNS change.
And if I don't use my VPN provider, then I have the usual ISP default peer or 9.9.9.9 / 1.1.1.1 DNS active?

EDIT: On point 2.) - I just noticed that it is not the Peer DNS that needs to change, but my VPN provider gives the DNS in the Wireguard Interface, not the Peer. However, I suspect there must be something going on behind the scenes on my provider's server and then a different DNS is added via the server depending on location.
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 10:29 pm

The address is the same as for network, both without the range /32.

Redirecting (ROS7) the local DNS client through the WireGuard connection. Hope it works.
/routing rule
add action=lookup disabled=no dst-address=1.1.1.1/32 interface=VPNProvider table=VPNProvider
add action=lookup disabled=no dst-address=9.9.9.9/32 interface=VPNProvider table=VPNProvider

Update to point 2. The DNS server of your provider is mostly only accessible from the ISP network. So going through your VPN to that DNS mostly does not work.
Using the two DNS servers provided by the VPN provider works only inside the VPN. So switching over to external DNS servers should solve both problems.

Update 3: if you enable the rules then you need to have the WireGuard running.
 
Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 11:02 pm

Right now, Winbox shows
/ip address
add address=xxx.xx.xxx.31 interface=VPNProvider network=xxx.xx.xxx.0
in red and as invalid when I have the VPNProvider interface disabled.

When I enable the VPNProvider interface it becomes enabled and apparently valid.

I am concerned I would be doing something wrong when I would change
/ip address
add address=xxx.xx.xxx.31 interface=VPNProvider network=xxx.xx.xxx.0
to
/ip address
add address=xxx.xx.xxx.0 interface=VPNProvider network=xxx.xx.xxx.0
as I understand it you have suggested. I would think there must be a reason the provider gave the specific IP address with a 31 at the end.

Regarding the DNS situation, I did add
/routing rule
add action=lookup disabled=no dst-address=1.1.1.1/32 interface=VPNProvider table=VPNProvider
add action=lookup disabled=no dst-address=9.9.9.9/32 interface=VPNProvider table=VPNProvider
yet, it has no effect and still shows my ISP's NS server.

My regular DNS settings are:
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.82.1 comment=defconf name=router.lan
but it should be noted, that I am currently at a hotel and my personal haP ac2 is behind the hotel's router - which of course would be the main use case of this VPN configuration.
Last edited by Binser on Fri Jan 14, 2022 11:04 pm, edited 1 time in total.
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 11:03 pm

Combining this and using Netwatch:
/routing rule
add action=lookup disabled=no dst-address=198.0.0.1/32 interface=VPNProvider table=VPNProvider
/tool netwatch
add disabled=no down-script="# DNS ISP\r\
    \n/ip dns\r\
    \nset server=123.3.4.5,123.3.4.6" host=198.0.0.1 interval=10s up-script=\
    "# VPN DNS\r\
    \n/ip dns\r\
    \nset server=198.0.0.1,198.0.0.2"
Every 10 seconds Netwatch looks if the VPN is up by checking if it can reach the DNS of the VPN provider. If available then it switches to those DNS servers. If not reachable it will switch in 10 seconds to the ISP DNS servers.
You have to change the dummy IP addresses to the correct ones of the ISP and the VPN provider.

I can't make it any easier..... ;-)
 
Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 11:06 pm

Should I delete
/routing rule
add action=lookup disabled=no dst-address=1.1.1.1/32 interface=VPNProvider table=VPNProvider
add action=lookup disabled=no dst-address=9.9.9.9/32 interface=VPNProvider table=VPNProvider
these routing rules before I try the new Netwatch solution?
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 11:13 pm

Right now, Winbox shows

as I understand it you have suggested. I would think there must be a reason the provider gave the specific IP address with a 31 at the end.
It is not a big deal and the address you use is a range of /32 or one IP. The network can have a wider range and the xxx.0 at the end means a range of /24. Better is, as I wrote, to have also the network as a range of /32 and that is done by replacing xxx.0 by xxx.31 in your case. Creating just a little window.

When the WG interface goes down, the line in routing changes to red, indicating it is not active.

yet, it has no effect and still shows my ISP's NS server.

My regular DNS settings are:
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.82.1 comment=defconf name=router.lan
but it should be noted, that I am currently at a hotel and my personal haP ac2 is behind the hotel's router - which of course would be the main use case of this VPN configuration.
Extra, change the packet size to 1232 as recommended these days. It 'will' then fit any VPN tunnel it has to go through:
/ip dns
set max-udp-packet-size=1232
I have made an extra posting above for the DNS and disable the earlier added rules. Disable first and test. If the Netwatch works then delete.

Let me know if that works and it is also new stuff for me.
 
anav
Forum Guru
Posts: 10152
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 11:24 pm

Interesting, for one of my clients I had to bump up the MTU to 1500 to get his particular set of applications to work. (both sides of the tunnel have to match).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 11:32 pm

Interesting, for one of my clients I had to bump up the MTU to 1500 to get his particular set of applications to work. (both sides of the tunnel have to match).
This is about the packet size returned by the DNS server. DNSSEC packet can be huge and then a fallback to TCP is made. This packet size is recommended by the DNS flag day 2020.

https://dnsflagday.net/2020/

I am not certain with WireGuard and 1420 is default. But using 1500 was no problem...I did not check if the packets had to be fragmented. I had no speed advantage so I went back to 1420.
 
Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Fri Jan 14, 2022 11:54 pm

I did now as you suggested:
/ip address
add address=xxx.31 interface=VPNProvider network=xxx.31
It is very very late here in SEAsia right now, so please understand that I need to go to bed now and will continue on the netwatch and DNS matter tomorrow.

Thank you very much for all your help - I really learned a lot tonight and I am very happy we got this configuration working.
 
msatter
Forum Guru
Posts: 2451
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Sat Jan 15, 2022 12:24 pm

I tried it myself and the rules did not work and so you can disable those for now.

To get Netwatch working I had to create a dedicated line in routing:
/ip route
add disabled=no distance=1 dst-address=198.x.x.1/32 gateway=VPNProvider pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Notice the table is main because Netwatch is using main and we are bending it towards the VPN. Using the DNS server IP because that is unique for that VPN.

I have now also created a script to extract the needed data from the config files and in the next days I hope that I can complete the whole script that also puts the values in the WireGuard settings.

The output of the config reading script and the values are placed in variables and then it is easy to put those in the correct fields in WireGuard.
Privatekey       aK8xN5bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxmw28/fHg=
Local-address:   xx.xx.xx.31/32 
Network:         xx.xx.xx.31 
DNS:             198.0.0.1,198.0.0.2
PeerPubkey:      KgTUhxxxxxxxxxxxxxxxxCksG4sRg=
PersistentKA:    300
EndpointAddres:  xx.xx.xx.xx
EndpointPort:    51820
PresharedKey: 

Update:
I have completed the script that you could have yesterday so well: viewtopic.php?p=905767#p905767
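The manual transfer this thread walks through (provider .conf file to RouterOS v7 commands, including the address/network question), as an added Python example; it is not msatter's script or MikroTik code. The interface name, listen port, MTU and keepalive are the values posted in the thread, the sample file is constructed, and keys are redacted unless `show_sensitive=True`, mirroring `export show-sensitive`.

```python
import base64
import ipaddress

def _b64(byte):
    return base64.b64encode(bytes([byte]) * 32).decode()

SAMPLE_PRIVATE = _b64(1)
# Constructed sample in the provider file format from the first post.
# Keys are base64 of constant bytes; addresses are made-up test values.
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {SAMPLE_PRIVATE}
Address = 10.64.0.31/32
DNS = 10.64.0.1

[Peer]
PublicKey = {_b64(2)}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:443
PresharedKey = {_b64(3)}
"""

def parse_conf(text):
    """Return {'interface': {...}, 'peer': {...}} with lower-cased keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name in sections:  # provider files carry one peer per file
                raise ValueError(f"more than one [{name}] section")
            current = sections.setdefault(name, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = line.split("=", 1)  # base64 padding '=' stays in value
        current[key.strip().lower()] = value.strip()
    return sections

def check_key(label, value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError(f"{label}: not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"{label}: expected 32 bytes, got {len(raw)}")
    return value

def to_routeros(text, name="VPNProvider", show_sensitive=False):
    conf = parse_conf(text)
    try:
        iface, peer = conf["interface"], conf["peer"]
        private = check_key("PrivateKey", iface["privatekey"])
        public = check_key("PublicKey", peer["publickey"])
        addr = ipaddress.ip_interface(iface["address"])  # one address expected
        endpoint, allowed = peer["endpoint"], peer["allowedips"]
    except KeyError as exc:
        raise ValueError(f"missing field or section: {exc}") from exc
    host, _, port = endpoint.rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("Endpoint must be host:port")
    nets = [str(ipaddress.ip_network(a.strip(), strict=False))
            for a in allowed.split(",")]
    hide = (lambda v: v) if show_sensitive else (lambda v: "<redacted>")
    peer_cmd = (f'add interface={name} public-key="{public}" '
                f"endpoint-address={host} endpoint-port={port} "
                f"allowed-address={','.join(nets)} persistent-keepalive=25s")
    if peer.get("presharedkey"):
        psk = check_key("PresharedKey", peer["presharedkey"])
        peer_cmd += f' preshared-key="{hide(psk)}"'
    # A /32 is written as a bare address with network equal to the address.
    single = addr.network.prefixlen == addr.max_prefixlen
    address = str(addr.ip) if single else addr.with_prefixlen
    cmds = ["/interface wireguard",
            f'add name={name} mtu=1420 listen-port=13231 '
            f'private-key="{hide(private)}"',
            "/interface wireguard peers", peer_cmd,
            "/ip address",
            f"add address={address} interface={name} "
            f"network={addr.network.network_address}"]
    if iface.get("dns"):
        cmds.append(f"# DNS listed in provider file: {iface['dns']}")
    return cmds
```
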
 
Binser
newbie
Topic Author
Posts: 40
Joined: Fri Dec 28, 2018 7:50 pm

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Wed Jan 19, 2022 6:59 pm

I just wanted to give a quick update:

I am still trying to get this to work, but I am very exhausted and frustrated at the moment, also because I just had a ceramic bridge break in my mouth, but also because I do get a connection to my vpn provider, but it is so slow that I cannot even finish any speedtest and it is just a fraction of the speed as if I use the wireguard app directly using exactly the same config data.

I am still in the process of trying to figure out the whys.

I will come back in the next few days and hopefully can give some more information.

Thank you for your patience and for sticking with me in this process.
 
anav
Forum Guru
Posts: 10152
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Using Wireguard with my Commercial VPN Provider - Please Help :)

Wed Jan 19, 2022 8:25 pm

In the meantime, sit back with a cup of tea, or a bottle of beer and read through this it may help you.
viewtopic.php?t=182340

By the way, if you are sending traffic from a subnet on your router to the VPN provider there is NO NEED to masquerade the traffic (so recommend removing that rule).
All that is required typically is an IP route stating something like dst-address=0.0.0.0/0 gwy=wg interface.

IF you have multiple subnets and only one subnet should go out the tunnel for internet then you will need to create a table and add a route rule..........