Alex3comEner
just joined
Topic Author
Posts: 16
Joined: Wed May 12, 2021 9:57 am

SSH by Wireguard

Thu Mar 03, 2022 3:20 pm

Hello,

I configured a Hap Lite to work with a wireguard ubuntu server.

The ubuntu server has port forwarding rules to the Mikrotik, and the Mikrotik gets the request and distributes it to the devices under its LAN.

All servers under the lan are reachable by port forwarding:

So if you request:

www.myubuntu-server.dom:10152 -> you are able to reach the internal server under any connections.

The point is that the SSH of Mikrotik does not answer the request.

If I add a Firewall filter on Mikrotik I can see the SSH request arriving, but I don't understand why the SSH connection doesn't start.

Can someone help me?
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: SSH by Wireguard

Thu Mar 03, 2022 5:16 pm

So just to understand.
a. the initial WG connection is from local MT (client) to remote site Ubuntu Server.
b. The traffic flow within the tunnel you wish to exercise is FROM device with access to Ubuntu (via wireguard) or device on ubuntu network?

You want to access SSH server on LAN of MT OR
You want to config MT via SSH?

Network diagram and config of MT would also be helpful
/export file=anynameyouwish
 
Alex3comEner
just joined
Topic Author
Posts: 16
Joined: Wed May 12, 2021 9:57 am

Re: SSH by Wireguard

Thu Mar 03, 2022 9:30 pm

This is the network map.
Unfortunately hAP lite has a bug on export configuration and it doesn't work.
Immagine.png

I want SSH access to the Mikrotik, so I can change or apply changes.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: SSH by Wireguard

Thu Mar 03, 2022 9:43 pm

Unfortunately hAP lite has a bug on export configuration and it doesn't work.

From your question, one presumes that you can SSH into it from the LAN, so instead of exporting the config to a file, say "ssh myrouter /export > localfile.txt". Now you have a copy of the config in a file on your local machine that you can attach to a post here.

Note that in ROS v7, the old "hide-sensitive" option is now the default, so you don't need to add that. You must be using ROS v7 if you're talking about WireGuard, assuming WireGuard is running on the router. If not, you're off-topic here.

I want to access SSH to Mikrotik, so I can change or apply changes.

Your diagram adds more confusion than light.

First, why are you showing NAT rules on the Ubuntu box? Surely NAT is the hAP Lite's job? Are you pressing the Ubuntu box into the role of a NAT router instead?

Second, your arrow doesn't go through the hAP Lite, but instead directly through the "WireGuard" cloud. Is there indeed a bypass here, or is the diagram wrong?

Third, why are you bothering with port forwarding at all, if you're also using WireGuard? The point of WG is that you're connected to the internal LAN from outside, at which point port-forwards aren't necessary. Surely you just need something like "ssh -p 2210 admin@192.168.88.1".
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSH by Wireguard

Thu Mar 03, 2022 10:11 pm

Concur with tangent.
It looks like you have, let's say, a laptop connected anywhere on the WWW; could be at work, could be a hotel etc.

1. Wireguard from personal device to UBUNTU (Tunnel #1)
2. Wireguard from haplite to UBUNTU (Tunnel #2)

This assumes that the UBUNTU can be reached by public IP from wherever to initiate and establish working tunnels.
Once established between the haplite and UBUNTU it would just stay up continually.
Your personal device would be connected as you see fit.

Cannot help you with anything but the MT side of the house however.
In general it would look like.

WIREGUARD INTERFACE
Name= Wg-hap2 (haplite tunnel #2)
Private key: xxxxxxxxxxxxxx
Public key: yyyyyyyyyyyy Need to provide this for UBUNTU on its peer entry for public key

PEER SETTING
Name=Wg-hap2
Public key: zzzzzzzzzzzzzzz Provided by UBUNTU on the wireguard interface for Tunnel #2
Endpoint: IP address or dyndns name for UBUNTU WAN
Port: Wg port set on UBUNTU as listening port for Tunnel #2.
Keep alive: Set to something like 40 seconds
Allowed IPs: In this case we are concerned about traffic coming to the haplite to configure the haplite via SSH.
Thus the allowed IPs = the source IPs of your personal devices.
If it's an iPhone or something where you set an Address for your wireguard IP, use this IP.
If it's a fixed IP on a subnet on a LAN, then use the fixed IP. It should be the SOURCE address of the devices.
So you can list them all separately or if they were all within the same subnet, just use the subnet!

Assuming your UBUNTU is setup properly this should provide a working two way tunnel once established.

Firewall rules setup on HAPLITE
add chain=input action=accept in-interface=Wg-hap2 is probably good enough.
add chain=input action=accept in-interface=Wg-hap2 dst-port= YOUR SSH PORT is better!
add chain=input action=accept in-interface=Wg-hap2 dst-port= YOUR SSH PORT src-address-list=authorized.

Where "authorized" is a firewall address list (would match your list of allowed IPs for example):
add address=IP of iphone list=authorized
add address=IP of Ipad list=authorized
add address=IP of laptop list=authorized

Routing
Just have to make sure that there is a route for RETURN TRAFFIC Back through the tunnel.
dst-address=IPof admin device1 gateway=Wg-hap2 table=main
dst-address=IPof admin device2 gateway=Wg-hap2 table=main.
etc.
or if all in one subnet
dst-address=Ipsubnet of admin devices gateway=Wg-hap2 table=main.
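anav's outline above written out as RouterOS v7 commands; this is an added example, not anav's or MikroTik's own configuration, and the interface name, addresses, ports and the endpoint host name are assumed placeholders. It goes one step beyond the outline by adding the mangle/route-lookup pair for replies to connections that came in through the tunnel from sources without a static return route.

```routeros
# Added example (not from the thread): hAP lite side of anav's outline.
# Assumed placeholders: interface Wg-hap2, tunnel address 10.66.66.3/24
# (the hAP address Alex uses), admin devices in 10.10.10.0/24, Ubuntu
# endpoint ubuntu.example.com:51820, SSH moved to TCP 2201 as in the thread.

/interface wireguard
add name=Wg-hap2 listen-port=13231
# Public key shown by "/interface wireguard print" goes into the Ubuntu peer entry.

/ip address
add address=10.66.66.3/24 interface=Wg-hap2

/interface wireguard peers
# allowed-address is also the inbound source filter: a packet decrypted from
# this peer whose source is not listed here is dropped before the firewall
# ever sees it, so admin sources must be included along with the tunnel net.
add interface=Wg-hap2 public-key="UBUNTU_PUBLIC_KEY_PLACEHOLDER" \
    endpoint-address=ubuntu.example.com endpoint-port=51820 \
    persistent-keepalive=40s allowed-address=10.66.66.0/24,10.10.10.0/24

/ip service
set ssh port=2201

/ip firewall address-list
add list=authorized address=10.10.10.5 comment="laptop"
add list=authorized address=10.10.10.6 comment="phone"

/ip firewall filter
# Order matters: rules are evaluated top down, and "add" appends.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=Wg-hap2 protocol=tcp dst-port=2201 \
    src-address-list=authorized action=accept comment="SSH over WG from admins only"
add chain=input in-interface=Wg-hap2 action=drop comment="anything else from the tunnel"

/ip route
# Replies to the admin subnet must go back through the tunnel, not the WAN.
add dst-address=10.10.10.0/24 gateway=Wg-hap2

# Beyond anav's list: the mangle/route-lookup pattern Alex already uses for
# forwarded LAN servers, applied to the router's own replies. Connections that
# entered via Wg-hap2 from any source (e.g. a DNAT'd public client) are answered
# through the tunnel instead of the default route.
/routing table
add name=via-wg fib
/ip route
add dst-address=0.0.0.0/0 gateway=Wg-hap2 routing-table=via-wg
/ip firewall mangle
add chain=input in-interface=Wg-hap2 connection-state=new \
    action=mark-connection new-connection-mark=from-wg passthrough=yes
add chain=output connection-mark=from-wg \
    action=mark-routing new-routing-mark=via-wg passthrough=no
```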
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSH by Wireguard

Thu Mar 03, 2022 10:14 pm

If you want more assistance please provide config
/export file=anynameyouwish for haplite

IF this is not what you wanted then you really need to state each requirement separately and clearly..........
 
Alex3comEner
just joined
Topic Author
Posts: 16
Joined: Wed May 12, 2021 9:57 am

Re: SSH by Wireguard

Fri Mar 04, 2022 1:00 am

Ok....
Unfortunately:

/export file=anynameyouwish for haplite
Doesn't work!

I would like to!

The PC is on the internet and makes an SSH request to the Ubuntu server, which has a public IP, on the port that will be forwarded to the MikroTik.

The Ubuntu server has a port forwarding to the MikroTik hAP lite connected by wireguard.

All works fine with a secondary port forwarding in Mikrotik, so it's possible to reach the server under the LAN of MikroTik.
In fact I have Route table/Filter/Mangle and route lookup.

So under mikrotik all works perfectly.

The issue is that SSH of MikroTik does not answer even though I see traffic in:
add chain=input action=accept in-interface=Wg-hap2

My task is to connect via SSH to MikroTik.

Why doesn't SSH answer?
Do I need a route lookup too?

PS:
From the LAN SSH answers correctly.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: SSH by Wireguard

Fri Mar 04, 2022 1:57 am

/export file=anynameyouwish for haplite
Doesn't work!

Yes, you already wrote that, which is why I gave you the workaround: /export via SSH from a box on the LAN with the hAP Lite. There is no "file=" parameter at all in my version. You're redirecting the /export output through the SSH pipe to a file local to the SSH client machine.

I've also got a fair guess why the on-hAP version isn't working for you: you've filled its tiny flash with other stuff, so there is no more room left over for a config export.


The PC is on the internet and makes an SSH request to the Ubuntu server, which has a public IP, on the port that will be forwarded to the MikroTik.

You're doing things the hard way. It would be easier to either:

  1. Use "ssh -R" to do the port-forwarding back through the tunnel
  2. Connect over the WG link, which doesn't require port-forwards at all
 
Alex3comEner
just joined
Topic Author
Posts: 16
Joined: Wed May 12, 2021 9:57 am

Re: SSH by Wireguard

Fri Mar 04, 2022 10:07 am

Yes, you already wrote that which is why I gave you the workaround: /export via SSH from a box on the LAN with the hAP Lite. There is no "file=" parameter at all in my version. You're redirecting the /export output through the SSH pipe to a file local to the SSH client machine.
I tried this way too... it doesn't work either... it stops at the same point. It's a bug I reported in this forum too, some months ago, but I don't know how to fully report a bug to MikroTik.

I am trying the hard way because it will be a web server doing that.
Use "ssh -R" to do the port-forwarding back through the tunnel
Can you explain a little more about it?
I understood the problem is that SSH is blocked on the request back.
How should I setup this "ssh -R"??

Thanks in advance
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: SSH by Wireguard

Fri Mar 04, 2022 2:15 pm

Why not just simply SSH through the two wireguard tunnels as I noted.
I could do the same thing with winbox, is SSH that useless???
 
Alex3comEner
just joined
Topic Author
Posts: 16
Joined: Wed May 12, 2021 9:57 am

Re: SSH by Wireguard

Fri Mar 04, 2022 3:27 pm

Why not just simply SSH through the two wireguard tunnels as I noted.
Because the web server that has to send the SSH command doesn't have the possibility to have the tunnel.
I could do the same thing with winbox, is SSH that useless???
From a web server SSH is needed; it is not possible to use the Winbox protocol.

Use "ssh -R" to do the port-forwarding back through the tunnel
Can you explain how to activate the answer back to the wireguard tunnel?
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: SSH by Wireguard

Fri Mar 04, 2022 3:36 pm

Sorry Alex, what you say makes no sense.

I have SSH on my laptop,
I have SSH on my MT device.
I don't give a crap about some SSH server in between, that is just noise.
All I need is a wireguard tunnel path from laptop to MT to configure it.
From what I understand you can wireguard to a site from both laptop and Mikrotik and therefore you can create this pathway.

Clearly I don't understand your network situation; perhaps a better diagram may help?

For example, let's say my winbox port was 35355
My laptop client wireguard assigned address was 10.10.10.5/32
The IP address to access winbox on the Mikrotik device was 192.168.10.1 (trusted LAN on mikrotik)

Therefore all I would need to do on my winbox client on my laptop after establishing the tunnel/turning it on is to
put 192.168.10.1:35355 and of course the right username and password and BAM I would be configuring the Mikrotik via wireguard.
On the laptop allowed IPs, for peer settings, would be 192.168.10.0/24

At the end of the first tunnel (whatever device you are using, some linux thing)
You need to ensure allowed IPs = 10.10.10.5/32
Then you need to allow that traffic to travel to tunnel2 via firewall rules (in-interface=wg1 out-interface=wg2)
You need a route on the linux machine for return traffic,
dst-address=10.10.10.0/24 gwy=wg1 table=main
On Wireguard 2 tunnel for peers allowed IPs, include 192.168.10.0/24

At the mikrotik device you need allowed ips of 10.10.10.5/32
You need input chain rule in-interface=wg2 dst-port=winbox port src-address=10.10.10.5/32
At mikrotik device you need IP route to allow return traffic
dst-address=10.10.10.0/24 gwy=wireguard2 table=main
 
Alex3comEner
just joined
Topic Author
Posts: 16
Joined: Wed May 12, 2021 9:57 am

Re: SSH by Wireguard

Fri Mar 04, 2022 7:37 pm

Let's try to clarify a little better:

First a better network map:
Immagine.png
The task is reaching via SSH any MikroTik connected to the main wireguard server.

The request coming from the internet goes to the main server on a port (for example 10501).

Here the NAT will move it to the MikroTik device with FORWARDING iptables rules:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 10501 -j DNAT --to-destination 10.66.66.3:2201
iptables -A FORWARD -p tcp -d 10.66.66.3 --dport 2201 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


I put the SSH listening on port 2201 of the MikroTik but it seems that if the request arrived from the Wireguard tunnel SSH doesn't answer.
I don't understand why, because I am able to move any request to any sub NAT under the Mikrotik.

Hope the question is clear.
Sorry if I wasn't clear.
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: SSH by Wireguard

Fri Mar 04, 2022 8:01 pm

That is getting clearer; it's me that is lacking in experience of such servers.
What the heck are you connecting to that is in the RED??

What is it? Where is it located? Why do you have access to configure it?
Is it the missing link? Is it an online CLOUD computer you have access to??

Let's assume it's a cloud computer.
All you need to do is connect to this cloud computer via wireguard, from your laptop, and you are showing you can connect the two Mikrotik products via wireguard to this red object.
Therefore you have all the tools you need to connect via SSH from your laptop to each MT device.

The other elements are that you need some connection initially to the MIKROTIK devices to set up their wireguard settings and firewall permissions and routes.
You need access to the red object to configure WIFI and any firewall rules and routes required.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: SSH by Wireguard

Fri Mar 04, 2022 9:30 pm

First a better network map:

Yes, that's considerably different, so you can disregard a fair bit of what I wrote before based on the prior diagram.

The task is reaching via SSH any MikroTik connected to the main wireguard server.

Have you tried a 2-level SSH from the machine in the upper right corner of your new diagram? Using OpenSSH commands, it'd be:

me@local$ ssh myserver.com
me@myserver$ ssh -p 2201 admin@10.66.66.3

The first command presumes that you have the user name and port set up in ~/.ssh/config for myserver.com. I put them on the second command since you gave them above, but you haven't for myserver.com, so it's up to you to manage that detail.

The WG tunnel should have created a route that allows the second command to succeed, and for the reply from first MT box to come back to myserver.com. If so, you're logged into the first MT box via SSH, as you wanted.

Here the NAT will move it to the MikroTik device with FORWARDING iptables rules:

It seems you're trying to "snap" that double SSH link to present the MT box's SSH server on a public IP. I'm not in a good position to help you with that. I simply wouldn't bother with this step. If you had to have it debugged, it's off-topic here.

From my perspective, the address translations on myserver.com cause needless confusion and fail to add a compelling level of functionality over what you have without them. I can see that it'd be nice to have, but it isn't essential, so why fight it until you get the simpler case working?

if the request arrived from the Wireguard tunnel SSH doesn't answer.

Is that still true with all the myserver.com NAT stuff out of the way and with the "ssh 10.66.66.3" command above?

If that also fails, then you have a case where you're on-topic with debugging MikroTik's implementation of WireGuard.

If it succeeds, then as far as I'm concerned, you've got a solution, since the two commands above can be collapsed to a single command:

me@local$ ssh -t myserver.com ssh -p 2201 admin@10.66.66.3

That will bounce you through myserver.com to the SSH server on the MT box at WireGuard IP 10.66.66.3.

As for my suggestion to use "ssh -R" above, that requires a copy of OpenSSH on the LAN side with the MT boxes, which you don't show. If you have such a thing, it allows a direct connection without the "ssh -t" relay trick, but I'm not going to detail it if it doesn't apply to your situation.

One further thought: what your diagram now shows looks like a better use case for ZeroTier than WireGuard. WG is point-to-point, but what you're showing now is a cloud of devices across the Internet that need to behave as if they were all on a single LAN. That's what ZeroTier does.

I'm not saying you need to get rid of your WG + SSH setup, just that some of your pain is coming from choosing that over ZeroTier.
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: SSH by Wireguard

Fri Mar 04, 2022 11:08 pm

zerotier is available on fewer devices, which can be problematic.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: SSH by Wireguard

Fri Mar 04, 2022 11:16 pm

zerotier is available on fewer devices, which can be problematic.

Including the hAP Lite, I see now.

As I said, though, it isn't essential to switch from WireGuard. It'd have just been nicer, is all.
 
Alex3comEner
just joined
Topic Author
Posts: 16
Joined: Wed May 12, 2021 9:57 am

Re: SSH by Wireguard

Sat Mar 05, 2022 10:45 am

Thank you!!!!

You are perfectly right.
So, I can SSH to my server and from there to the MikroTik hAP lite.
Tested and it works :)
I never thought about this possibility.

But a question remains... Why can I forward http / https / ftp / RTSP .... but not SSH?

What is wrong in my iptables:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 10201 -j DNAT --to-destination 10.66.66.3:2201
iptables -A FORWARD -p tcp -d 10.66.66.3 --dport 2201 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I was thinking I can forward easily the service so I could make it accessible from outside.
What is wrong with my approach?

PS:
about wireguard.... I am in love with it... I already have C# interface to manage them...and Router OS.... so, not a question to move from it.... sorry :D
