Elleh (Topic Author)

Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 3:18 pm

Hello everyone, as the title says I'm trying to configure a Wireguard tunnel: my router (Chateau LTE12) is the client and it has to redirect all the internet traffic (coming from a 4G SIM with a dynamic public IP) to my VPS server. After many, many failed attempts I managed to get something working by following anav's great guide (viewtopic.php?p=906311&hilit=wireguard+client#p906311); the only extra thing I did was adding the Wireguard interface to the WAN list. But, despite seeing the public IP address of my VPS server and getting the speeds I was expecting, web pages take an insane amount of time to load (sometimes they don't even load at all) and I have no idea what's causing it. I'm running RouterOS 7.1.1 stable; my firewall and NAT settings are set to default.
Could anyone help me? Thanks in advance.
 
anav

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 6:40 pm

Well, it's a work in progress and the part TBC is probably the part you need LOL.
In any case without seeing your config its hard to say.
/export hide-sensitive file=anynameyouwish

Also from the last part of the article "NETWORK DIAGRAM" can you provide a network diagram that shows the WG relationships??
 
own3r1138

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 7:13 pm

@Elleh
This might be an MTU issue.
viewtopic.php?t=182072
You can check my config as I was doing the same thing.
 
anav

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 7:22 pm

If so, for one application I was using I had to use an MTU setting of 1500 at both ends of the tunnel - see if that makes a difference!
 
Elleh (Topic Author)

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 7:35 pm

Thank you for your replies!
Here's my configuration; I've just hidden the public IP and key of my VPS server:
# jan/18/2022 17:49:50 by RouterOS 7.1.1
# software id = ZSTJ-AJBS
#
# model = RBD53G-5HacD2HnD
# serial number = C8CA0CD5C253
/interface bridge
add admin-mac=48:8F:5A:11:29:A5 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] speed=10Mbps
set [ find default-name=ether2 ] speed=10Mbps
set [ find default-name=ether3 ] full-duplex=no speed=10Mbps
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=italy disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MikroTik-2.4G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eeeC country=italy disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-5G \
    wireless-protocol=802.11
/interface wireguard
add listen-port=51820 mtu=1420 name=wg0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=myinternet.wind default-route-distance=1 ip-type=ipv4 name=WindTre \
    use-network-apn=no use-peer-dns=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=WindTre band=1,3 name=lte1 \
    network-mode=lte
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/queue simple
add name="All Bandwith" priority=1/1 target="192.168.88.10/32,192.168.88.11/32\
    ,192.168.88.12/32,192.168.88.17/32,192.168.88.18/32,192.168.88.23/32"
add max-limit=128k/17M name=TV target=\
    192.168.88.19/32,192.168.88.20/32,192.168.88.21/32,192.168.88.22/32
add max-limit=1M/10M name=Phones target=\
    192.168.88.13/32,192.168.88.14/32,192.168.88.15/32,192.168.88.16/32
/routing table
add disabled=no fib name=wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=wg0 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<VPS PUBLIC IP> endpoint-port=\
    51820 interface=wg0 persistent-keepalive=20s public-key=\
    "<VPS SERVER PUBLIC KEY>"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.6.0.2/24 interface=wg0 network=10.6.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.88.20 client-id=1:74:a7:ea:7e:8b:9f mac-address=\
    74:A7:EA:7E:8B:9F server=defconf
add address=192.168.88.10 client-id=1:30:9c:23:84:63:ba mac-address=\
    30:9C:23:84:63:BA server=defconf
add address=192.168.88.15 client-id=1:58:20:59:16:f:ab mac-address=\
    58:20:59:16:0F:AB server=defconf
add address=192.168.88.22 mac-address=38:A6:CE:CB:7F:7C server=defconf
add address=192.168.88.21 mac-address=D0:58:FC:03:50:92 server=defconf
add address=192.168.88.13 client-id=1:7e:60:bb:7a:b0:42 mac-address=\
    7E:60:BB:7A:B0:42 server=defconf
add address=192.168.88.19 client-id=1:54:bd:79:12:a6:6a mac-address=\
    54:BD:79:12:A6:6A server=defconf
add address=192.168.88.14 client-id=1:a4:4b:d5:c8:c6:d8 mac-address=\
    A4:4B:D5:C8:C6:D8 server=defconf
add address=192.168.88.17 client-id=1:0:e4:21:15:ce:ae mac-address=\
    00:E4:21:15:CE:AE server=defconf
add address=192.168.88.11 client-id=1:d0:50:99:99:66:5a mac-address=\
    D0:50:99:99:66:5A server=defconf
add address=192.168.88.12 client-id=1:e4:be:ed:20:cd:aa mac-address=\
    E4:BE:ED:20:CD:AA server=defconf
add address=192.168.88.18 client-id=1:80:60:b7:b1:24:b mac-address=\
    80:60:B7:B1:24:0B server=defconf
add address=192.168.88.16 client-id=1:e0:cc:f8:82:1c:36 mac-address=\
    E0:CC:F8:82:1C:36 server=defconf
add address=192.168.88.23 client-id=1:0:24:d6:f6:aa:4 mac-address=\
    00:24:D6:F6:AA:04 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.1/24 \
    table=wg
/system clock
set time-zone-name=Europe/Rome
/system routerboard settings
set auto-upgrade=yes cpu-frequency=auto
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system scheduler
add interval=1d name="LTE Disable" on-event="interface disable lte1" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/20/2021 start-time=03:59:55
add interval=1d name="LTE Enable" on-event="interface enable lte1" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/20/2021 start-time=04:00:00
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
set port=lte1 receive-enabled=yes

Network diagram (hope it's clear enough):
192.168.88.0/24 (default subnet, all devices connected to the router) ----> Chateau LTE12 (Router, WAN is the lte1 interface) ---> Wireguard Tunnel ---> VPS Server

Regarding the Wireguard Tunnel:
- (Client) Router's IP: 10.6.0.2/24
- (Server) Server's IP: 10.6.0.1/24
- Tunnel: 10.6.0.0

I just tried to change the MTU on my router; the default for Wireguard is 1420 while for lte1 it is 1500. Now they're both at 1500 but it doesn't look like there's much of a difference so far... But I'll definitely give a proper look to your config own3r, thanks for sharing it!
 
own3r1138

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 8:12 pm

@Elleh
Can you share your other routes too?

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
    
I think this is wrong.

/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.1/24 \
    table=wg
    

/routing rule add action=lookup-only-in-table disabled=no dst-address=10.10.12.0/24 src-address=10.10.12.0/24 table=main
/routing rule add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 src-address=10.10.12.0/24 table=via-wg
you have to add your WG to your LAN interface list
You need NAT also if your ISP doing a DNS filtering you need a DST nat for that too.

For web access over the tunnel, I had to set my MTU to 1320; any higher than that would not work for me. This might not be the case for you. My connection is PPPoE for WAN.
 
Elleh (Topic Author)

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 9:57 pm

Sure, here are the other routes:
[attachment: Untitled.png]
But I don't think the problem is here, I can ping 10.6.0.1 from the router and my PC without any packets lost. I tried setting the MTU to 1320 and lower values, but nothing changes, so I reverted it to default (Wireguard: 1420, LTE: 1500). If I add the Wireguard interface to both LAN and WAN the connection drops, the only way I managed to have it somehow working is by either:
- Adding it only to WAN
- Creating a NAT masquerade rule for the Wireguard interface

I gave a look at your configuration, but I think it's more complex than what I'm trying to achieve. The Wireguard tunnel should be configured correctly considering I can ping the server and I have access to the internet; there's just something that is making requests time out or take way too much time.
 
own3r1138

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 10:37 pm

The ping inside your private IP is okay, but can you check your client route to the outside, if it passed your private IP to the VPS? I would recommend using torch to see if the outgoing traffic from MT will match at the VPS WG interface.
I read your first topic; it looks like we had the same goal, nothing more than usual. The WG interface must be a LAN member, not WAN, or you could create a new list and add it to that list and then add your interface list to be accepted in the input chain before the drop !LAN.
Last edited by own3r1138 on Tue Jan 18, 2022 11:07 pm, edited 1 time in total.
 
anav

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 10:47 pm

My problem is more basic (slow learner), I still don't understand what the topology is.

Audience ROUTER connected to the internet via ISP modem locally ?

LTE ROUTER at some remote location??

I just don't see the relationship between LTE and Audience, and further I have no clue of the relationship between a server and internet traffic............
Totally lost, don't have an iota of a sense of what you want to do or how you are attempting to address it.
 
own3r1138

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 10:58 pm

@anav
He wants to pass his internet traffic VIA WG to a WG server( The VPS ).
 
Elleh (Topic Author)

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 11:00 pm

Uhm ok I'll try to be a bit more clear about my situation.
I have a Chateau LTE12; it's a standard Mikrotik router with the addition of a 4G modem. Unfortunately the area where I live is not well covered by the various ISPs, so 4G is my only available option. I have my SIM (unlimited data + dynamic public IP) in the Chateau LTE12; all my internet traffic comes from that. Since my ISP is applying all sorts of shaping and filters to my connection (which is fair; in the end a 4G SIM isn't supposed to replace a standard wired connection), I'm trying to route all my traffic to my VPS server through a Wireguard tunnel.
 
anav

Re: Router as Wireguard client - Pages not loading correctly

Tue Jan 18, 2022 11:34 pm

Thats a start.
You have a chateau LTE router with a sim card supplying internet to your network.

You don't have an ISP, you have a cellular connection?

Where is your VPS server in all of this??
Why would a VPS server have any sort of ability to run wireguard ??
 
Elleh (Topic Author)

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 12:05 am

Well my ISP is the SIM provider in this case. The VPS server is outside my network, it has a public IP, it runs on Ubuntu and an instance of Wireguard has been installed on that machine. I need to redirect all my internet traffic to avoid all the various filters of my ISP, I chose Wireguard as it's a light protocol and it gives an overall good performance.
 
own3r1138

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 1:00 am

So you need exactly what I have done. except, my VPS was a CHR. then you should add your entire DHCP IP Pool to your address list with a connection/Packet mark/route mark
Last edited by own3r1138 on Wed Jan 19, 2022 5:59 pm, edited 2 times in total.
 
anav

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 1:33 am

SO the MT Router is the client initially connecting to the VPS Ubuntu?
Well thats now much clearer and you want to run the users out the VPS server for internet.

My issue is all your IP addresses look the same, let's GET OFF that train.......

First off, on the client you don't need an IP address at all.

Nothing special on the MT WIREGUARD SETTINGS
On the Peer settings......
allowed address=0.0.0.0/0
Endpoint address=public IP of your VPS/Ubuntu
Port: is the active listening port in the VPS/Ubuntu wireguard settings
Set persistent keepalive to something like 25 seconds.....

On the MT router
REMOVE THIS WRONG!! - add interface=wg0 list=WAN
REMOVE THIS NOT NEEDED - add address=10.6.0.2/24 interface=wg0 network=10.6.0.0

For IP routes, I am assuming there is already a route for LTE that works, so currently all users go out the internet.
Okay I see it good!

Therefore you're right in having the extra IP route rule to ensure all users get sent to the tunnel for internet.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" \
routing-table=wg scope=30 suppress-hw-offload=no target-scope=10

Clearly you figured out the making of the table aspect!
/routing table
add disabled=no fib name=wg

The IP route rule looks okay... WAIT A MINUTE!
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.1/24 \
table=wg

should be
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.88.0/24 \
table=wg
 
Elleh (Topic Author)

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 4:13 pm

First of all I want to thank you both for your help, as you can see I'm still a beginner with RouterOS.

@anav, I followed your advice; unfortunately I didn't manage to get it working and I lost the ability to ping the server inside the Wireguard tunnel. I did a few tests and I think this was actually necessary: add address=10.6.0.2/24 (even without the /24 it works) interface=wg0 network=10.6.0.0

@own3r1138, I gave an in-depth look at your configuration and I tried to replicate it. I managed to understand what you've done up to your second-last post; the last one has commands that involve lists and I don't know what interfaces/IPs are in there. The only thing I changed in the mark-routing rule was the source address, where I put my entire subnet (192.168.88.0/24), but I haven't understood the "!LOCAL" in the destination address list that you added in your second-last post. Now the Wireguard tunnel works like it did with my config, with the difference that I can't ping the VPS (which isn't really a problem for me). I still get a few timed-out requests, but I now have the Wireguard interface only in the LAN list, so that's a positive. I guess your last post could be the key to making this whole thing work correctly.
 
anav

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 5:16 pm

Hi Elleh,
Please post your current config on the ROUTER
AND!!!!
The wireguard config on the ubuntu
 
own3r1138

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 5:21 pm

@Elleh
!LOCAL means everything that is not in the LOCAL address list will be marked to route through the WireGuard tunnel.
For the ping, I think it's something to do with your allowed address in the peers.
"even without the /24 it works"
So actually it's 10.6.0.2/32 when you don't use a /24 CIDR.
For using 0.0.0.0 at the Ubuntu peer: I think none of the peers at the server should have 0.0.0.0/0 as an allowed address. Every peer is client-server like. That peer should have a specified /32 IP address as an allowed address; if any other connectivity is needed for that connection then it should be allowed at the client peer and pass through the tunnel with the client src IP (10.6.0.2/32), so no bogus peer could use the same IP as the peer IP.
But I'm usually more wrong than right so that's just my assumption.
[attachments: firewall-address-list.png, dhcp-leases.png, ip-address.png, interface.png, interface-list-2.png]
 
anav

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 6:37 pm

Like I said, need to see the latest config on the MT (client end)
and the Wireguard settings from ubuntu....(server end), speculating is a waste of time. ;-)
 
Elleh (Topic Author)

Re: Router as Wireguard client - Pages not loading correctly  [SOLVED]

Wed Jan 19, 2022 7:02 pm

I think I did it, and I can even choose to pass only certain devices to the Wireguard tunnel and leaving the others on my regular network! So far I'm not getting any timed out requests and the speeds are very comparable to a Windows client. Of course a big thank you to anav for your great guide and to own3r1138 for sharing your configuration from which I took a lot of inspiration :)
Since I think this could be helpful to others, I'm sharing my configuration (which is built on top of the Mikrotik default settings)...

1) Wireguard
- Wireguard interface:
- Name: wg0
- MTU: 1420 (default)
- Listen port: doesn't matter as the router is a client
- Private and public key: automatically generated
- Peers:
- Interface: wg0
- Public key: <Server public key>
- Endpoint port: listening port of the server
- Allowed addresses: 0.0.0.0/0
- Persistent keepalive: 20 secs

2) Interfaces / Interface List
- Added the wg0 interface to the LAN list

3) IP / Addresses
- Address: 10.6.0.2 (address of the router in the Wireguard tunnel)
- Network: 10.6.0.0 (Wireguard tunnel)
- Interface: wg0

4) IP / DNS
- Servers: favourite DNS servers

5) IP / DHCP Server / Networks
- DNS Servers: same as the above ones

6) Routing / Tables
- Name: wg
- FIB: yes

7) IP / Firewall / Mangle
- Rule 1:
- Chain: prerouting
- Protocol: 6 (tcp)
- Dst. Port: 53
- Src. Address List: DHCP Pool or Address list of allowed devices
- Action: mark connection
- New Connection Mark: wg-dns
- Passthrough: yes
- Rule 2:
- Chain: prerouting
- Protocol: 17 (udp)
- Dst. Port: 53
- Src. Address List: DHCP Pool or Address list of allowed devices
- Action: mark connection
- New Connection Mark: wg-dns
- Passthrough: yes
- Rule 3:
- Chain: prerouting
- Connection Mark: wg-dns
- Action: mark routing
- New Routing Mark: wg
- Passthrough: yes
- Rule 4:
- Chain: prerouting
- Dst. Address: ! 192.168.88.0/24
- Src. Address List: DHCP Pool or Address list of allowed devices
- Action: mark connection
- New Connection Mark: wg
- Passthrough: yes
- Rule 5:
- Chain: prerouting
- Connection Mark: wg
- Src. Address List: DHCP Pool or Address list of allowed devices
- Action: mark routing
- New Routing Mark: wg
- Passthrough: no
- Rule 6:
- Chain: forward
- Protocol: 6 (tcp)
- Connection Mark: wg
- TCP Flags: syn
- Action: change MSS
- New TCP MSS: clamp to pmtu
- Passthrough: yes

8) IP / Firewall / NAT
- Rule 1:
- Chain: dstnat
- Connection Mark: wg-dns
- Action: dst-nat
- To Addresses: 10.6.0.1 (Address of the server in the Wireguard tunnel)
- Rule 2:
- Chain: srcnat
- Out. Interface: wg0
- Action: masquerade

9) IP / Routes / Routes
- Dst. Address: 0.0.0.0/0
- Gateway: wg0
- Distance: 1
- Routing Table: wg

10) IP / Routes / Rules
- Rule 1:
- Src. Address: 10.6.0.0/24 (Wireguard tunnel)
- Dst. Address: 10.6.0.0/24 (Wireguard tunnel)
- Action: lookup only in table
- Table: main
- Rule 2:
- Src. Address: 10.6.0.0/24 (Wireguard tunnel)
- Dst. Address: 0.0.0.0/0
- Action: lookup only in table
- Table: wg
Last edited by Elleh on Thu Jan 20, 2022 10:17 am, edited 2 times in total.
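The ten steps above, collected into RouterOS 7 CLI form. This is an added example, not Elleh's export and not MikroTik documentation: it reuses the names and addresses from the thread (wg0 with MTU 1420, 10.6.0.2/24 with the VPS at 10.6.0.1, the 192.168.88.0/24 LAN with its pool 192.168.88.10-254, routing table wg, marks wg and wg-dns), while the address-list name wg-clients, the per-rule comments and the <...> placeholders for the VPS key and public IP are assumptions.

```routeros
# Added example: the solved configuration as RouterOS 7 CLI, meant for a
# router that still has the default firewall. Fill in the <...> placeholders.

# 1) WireGuard interface and its single peer (the VPS). On the client side
#    allowed-address=0.0.0.0/0 means "any destination may be sent into wg0".
/interface wireguard
add name=wg0 mtu=1420 listen-port=51820 comment="client tunnel to VPS"
/interface wireguard peers
add interface=wg0 public-key="<VPS SERVER PUBLIC KEY>" \
    endpoint-address=<VPS PUBLIC IP> endpoint-port=51820 \
    allowed-address=0.0.0.0/0 persistent-keepalive=20s

# 2) Treat the tunnel as LAN so the default input chain accepts it.
#    Caveat: this also lets anything reaching 10.6.0.0/24 from the VPS side
#    talk to the router's own services (WinBox, SSH, DNS). A dedicated list
#    with narrower input rules is the stricter alternative.
/interface list member
add interface=wg0 list=LAN

# 3) Tunnel address of the router.
/ip address
add address=10.6.0.2/24 interface=wg0 network=10.6.0.0

# 4)/5) Router and DHCP clients keep public resolvers; the mangle rules
#    below pull the clients' queries into the tunnel.
/ip dns
set servers=1.1.1.1,1.0.0.1 allow-remote-requests=yes
/ip dhcp-server network
set [ find address=192.168.88.0/24 ] dns-server=1.1.1.1,1.0.0.1

# Devices that should exit through the VPS: the DHCP pool, not the whole
# /24, so the gateway and broadcast addresses never get marked (assumed name).
/ip firewall address-list
add list=wg-clients address=192.168.88.10-192.168.88.254 comment="via VPS"

# 6) Second routing table with its own FIB.
/routing table
add fib name=wg

# 7) Mangle: mark connections from wg-clients, then route by the mark.
/ip firewall mangle
add chain=prerouting src-address-list=wg-clients protocol=tcp dst-port=53 \
    action=mark-connection new-connection-mark=wg-dns passthrough=yes
add chain=prerouting src-address-list=wg-clients protocol=udp dst-port=53 \
    action=mark-connection new-connection-mark=wg-dns passthrough=yes
add chain=prerouting connection-mark=wg-dns \
    action=mark-routing new-routing-mark=wg passthrough=yes
add chain=prerouting src-address-list=wg-clients dst-address=!192.168.88.0/24 \
    action=mark-connection new-connection-mark=wg passthrough=yes
add chain=prerouting src-address-list=wg-clients connection-mark=wg \
    action=mark-routing new-routing-mark=wg passthrough=no
# Clamp TCP MSS on tunnelled connections so no segment exceeds the wg0 MTU.
add chain=forward protocol=tcp tcp-flags=syn connection-mark=wg \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# 8) NAT: marked DNS goes to a resolver on the VPS tunnel address (the VPS
#    must actually run one listening on 10.6.0.1); everything leaving via
#    wg0 is masqueraded behind 10.6.0.2.
/ip firewall nat
add chain=dstnat connection-mark=wg-dns action=dst-nat to-addresses=10.6.0.1
add chain=srcnat out-interface=wg0 action=masquerade

# 9) Default route that exists only in table wg.
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 distance=1 routing-table=wg

# 10) Rules for traffic the router itself sources from 10.6.0.2: tunnel
#     peers via main, everything else via wg. LAN clients are steered by the
#     routing mark from step 7, not by these rules.
/routing rule
add src-address=10.6.0.0/24 dst-address=10.6.0.0/24 \
    action=lookup-only-in-table table=main
add src-address=10.6.0.0/24 dst-address=0.0.0.0/0 \
    action=lookup-only-in-table table=wg
```

Two things to check after pasting: `/ip route print where routing-table=wg` should show the 0.0.0.0/0 route as active, and `/ip firewall mangle print stats` should show the wg counters rising when a listed client browses. If you hand clients the router (192.168.88.1) as DNS instead of 1.1.1.1, the router's own lookups are router-originated, never pass prerouting, and leave through lte1 via the main table, so they are not covered by these rules.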
 
own3r1138

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 7:40 pm

@Elleh
good to know that you could follow the post I wrote cuz my whole idea was to help others and would not be what I wanted if my post could not accomplish that.
But I have three comments for you.
- Peers:
Allowed addresses: 0.0.0.0/0, 10.6.0.2/24
should be 0.0.0.0/0 or 0.0.0.0/0, 10.6.0.0/24 or 0.0.0.0/0, 10.6.0.2/32
But 0.0.0.0/0 already includes 10.6.0.2/24, so I don't see any logic behind it, although I did the same thing following the Mikrotik WIKI site-to-site example.
4) IP / DNS
so this will not pass your DNS query through the WG tunnel, so DNS filtering by the ISP may be applied for some DNS (I think if it's TLS 1.3 it won't get filtered, don't quote me on this)
8) IP / Firewall / Mangle
- Rule 1:
Src. Address: 192.168.88.0/24
you should not include your whole IP address range here as you clearly will route your gateway and broadcast address to the tunnel too.
it should only be your DHCP IP Pool /ip pool 192.168.88.2-192.168.88.200 or whatever

IP / Firewall / NAT
The action should be src nat as the IP is static ( I read this in the MikroTik wiki ) I would be happy if someone can shine some light on this matter.

I think you also made a mistake in using the MTU; your outgoing packet from your WG interface must have an MTU mark with the syn flag, or MSS size !0-1420 changed to 1420 with an MSS change action.
And I quote: "I just tried to change the MTU on my router, default for Wireguard is 1420 while for lte1 is 1500."
 
Elleh (Topic Author)

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 7:53 pm

You're right regarding the peer and the mangle rules, I've updated my configuration. For the NAT rule I'll be very honest, I just copied the default rule and instead of having WAN in the out interface list i just put my Wireguard interface. As for the DNS, I'm currently using 1.1.1.1 and my ISP doesn't do any filtering on DNS, but I think I'll copy your 3 rules anyway :)
 
own3r1138

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 8:00 pm

I updated my last reply, read the last part.
 
Elleh (Topic Author)

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 8:10 pm

Uhm I think rule 3 in firewall / mangle takes care of the MTU. I tried to change the MTU of the Wireguard interface to 1500 when I was working on my old configuration, everything now is set to default (Wireguard interface: 1420, LTE1: 1500).
 
own3r1138

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 8:27 pm

I'm not sure how the MTU exactly works it's out of my league. For NOW! :d
But I think that will work if your VPS server will accept a PMTU in ICMP. if not you have to change that with an MSS action. I could be totally wrong :d
 
Elleh (Topic Author)

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 8:36 pm

Well, guess I'll leave everything as it is for now :)
 
anav

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 10:44 pm

Elleh wrote: "Uhm I think rule 3 in firewall / mangle takes care of the MTU. I tried to change the MTU of the Wireguard interface to 1500 when I was working on my old configuration, everything now is set to default (Wireguard interface: 1420, LTE1: 1500)."
I would say the two WG interface settings on each end of the tunnel should have the same MTU setting, what they are attached to after that matters less.
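A way to settle the MTU question by measurement instead of trial and error, as an added example (not from the thread and not MikroTik documentation). It assumes the thread's names: wg0 at its default MTU of 1420, lte1 as the uplink, 10.6.0.1 as the VPS end of the tunnel, and a <VPS PUBLIC IP> placeholder.

```routeros
# Added example: measure what the path carries, then match wg0 and the MSS
# clamp to it. In RouterOS ping, size= is the whole IP packet and
# do-not-fragment sets DF, so an oversized probe fails instead of being
# silently fragmented.

# 1) Outer path: can the LTE uplink carry a full 1500-byte packet to the VPS?
#    WireGuard adds 60 bytes on an IPv4 outer (20 IP + 8 UDP + 32 WireGuard),
#    so a 1500-byte uplink leaves 1440 for the inner packet; the 1420 default
#    keeps 20 bytes of headroom for an IPv6 outer (40 + 8 + 32 = 80).
/ping address=<VPS PUBLIC IP> interface=lte1 size=1500 do-not-fragment count=3

# 2) Inner path: probe the VPS tunnel address at the current MTU and above.
#    Replies at 1420 but not at 1440 mean 1420 is right; no reply even at
#    1420 means the carrier path is below 1500 and wg0 must come down.
/ping address=10.6.0.1 size=1420 do-not-fragment count=3
/ping address=10.6.0.1 size=1440 do-not-fragment count=3

# 3) Set wg0 to the largest size that passed in step 2 and, as noted above,
#    set the same value on the VPS end of the tunnel.
/interface wireguard set [ find name=wg0 ] mtu=1420

# 4) Clamp TCP MSS for connections leaving through wg0. clamp-to-pmtu lets
#    RouterOS derive the value from the outgoing path MTU.
/ip firewall mangle
add chain=forward out-interface=wg0 protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="MSS clamp, PMTU-based"
# If ICMP "fragmentation needed" is filtered anywhere on the path, path MTU
# discovery cannot complete; then pin the value explicitly instead.
# MSS = MTU - 40 (20 IPv4 + 20 TCP), so MTU 1420 -> MSS 1380.
add chain=forward out-interface=wg0 protocol=tcp tcp-flags=syn \
    tcp-mss=!0-1380 action=change-mss new-mss=1380 passthrough=yes \
    comment="MSS clamp, fixed value" disabled=yes
```

Enable only one of the two clamp rules. Pages that stall while small requests (pings, DNS) succeed is the classic symptom of a too-large MTU with broken PMTU discovery, which is why the fixed-value rule is worth keeping ready.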
 
own3r1138

Re: Router as Wireguard client - Pages not loading correctly

Wed Jan 19, 2022 10:55 pm

@anav
could you explain this to me, if what I think is correct or not, please?
"VPS server will accept a PMTU in ICMP"
and also
"IP / Firewall / NAT
The action should be src nat as the IP is static ( I read this in the MikroTik wiki ) I would be happy if someone can shine some light on this matter."
 
anav

Re: Router as Wireguard client - Pages not loading correctly

Thu Jan 20, 2022 12:36 am

I am not a network genius LOL, more like a network dummy, so I let others give guidance on such matters LOL
 
Elleh (Topic Author)

Re: Router as Wireguard client - Pages not loading correctly

Thu Jan 20, 2022 10:22 am

I've updated my config to include the DNS queries. Yesterday night I didn't have any issue so I think it's safe to say everything is working fine! For those who have to rely on particular connections where the ISP has fun by putting an insane amount of filters the Wireguard option in the router is simply amazing.
