sevo
just joined
Topic Author
Posts: 5
Joined: Sat Apr 02, 2022 1:30 pm

LAN 2 LAN Wireguard tunnel

Sat Apr 02, 2022 1:49 pm

Hi all, i am struggling for a couple of days now trying to connect two of my routers via Wireguard tunnel and access my local LANs from either side.
The setup is as follows:
Router 1 ( my home)
Mikrotik hex switch latest 7.1.5 firmware
Internet > router > HAP Ac 2 wifi router

Router 2 ( my father's house) Openwrt BT HUB 5A
fiber optic modem > router ( PPPoE connection) > LAN with some NVR and IP cameras.
My idea is to be able to access the lan from either side without any problems as they are in my local lan.

Here is the configuration of my Mikrotik router
# jan/02/2022 14:43:04 by RouterOS 7.1.5
# software id = 2Y0D-P7Z5
#
# model = RB750Gr3
# serial number = 
# Review annotations: first export posted in the thread, before the fixes.
# Empty/XXX values were redacted by the poster. "#" lines are ignored on import.
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=XXXXXXXXX
# Site-to-site WireGuard interface; 13231/udp is opened in the input chain below.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Default IPsec proposal is disabled; 3des is only listed, not in use while disabled.
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.30-192.168.88.80
# vpn-pool / vpn-profile belong to the legacy OpenVPN (PPP) setup on 192.168.8.x,
# not to WireGuard.
add name=vpn-pool ranges=192.168.8.10-192.168.8.12
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
add dns-server=192.168.8.250 local-address=192.168.8.250 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
/routing table
add fib name=""
# Default "full" group; telnet/ftp appear in the policy list, but those services are
# disabled under /ip service below.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
# NOTE(review): neighbor discovery runs on every interface, including ether1 (a WAN
# member below), so the router announces itself toward the ISP side; restricting this
# to the LAN list is the safer choice.
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
# NOTE(review): mschap1 is allowed as an L2TP auth method; no "enabled=yes" for the
# L2TP server is visible in this export, so it is presumably not running -- confirm.
/interface l2tp-server server
set authentication=mschap1,mschap2
# Only the bridge is in LAN; wireguard1 is in neither list, which matters for the
# final "drop all not coming from LAN" input rule below.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# OpenVPN server settings; no "enabled=yes" is visible here (the poster later says the
# router's OpenVPN server is no longer used).
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
    default-profile=vpn-profile require-client-certificate=yes
# allowed-address is WireGuard's cryptokey routing: the source addresses accepted from
# a peer (and the destinations sent to it); the longest matching prefix wins across peers.
/interface wireguard peers
add allowed-address=192.168.9.4/32 comment=Phone interface=wireguard1 \
    public-key=""
add allowed-address=192.168.9.5/32 comment=MacBookAir interface=wireguard1 \
    public-key=""
# Site-to-site peer: 192.168.9.0/24 overlaps the /32 peers above (the /32s win by
# longest match); 192.168.1.0/24 is the remote LAN. endpoint-address is a DDNS placeholder.
add allowed-address=192.168.9.0/24,192.168.1.0/24 comment="Openwrt VPN" \
    endpoint-address=no-ip.com endpoint-port=51820 interface=wireguard1 \
    persistent-keepalive=25s public-key=\
    ""
# LAN address is bound to ether2 rather than the bridge (moved to bridge in the later exports).
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
# Public address redacted by the poster.
add address=/24 interface=ether1 network=0
# Router's own tunnel address; this also provides the connected route for 192.168.9.0/24.
add address=192.168.9.2/24 interface=wireguard1 network=192.168.9.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# Static leases; MAC addresses redacted by the poster.
/ip dhcp-server lease
add address=192.168.88.48 comment="NUC wifi" mac-address= \
    server=defconf
add address=192.168.88.49 comment="NUC cable" mac-address= \
    server=defconf
add address=192.168.88.43 comment="Raspberry pi 4" mac-address=\
     server=defconf
add address=192.168.88.52 client-id=1: mac-address=\
     server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.49 gateway=\
    192.168.88.1
# Router resolves for non-local clients and forwards to the NUC at .49; reachability is
# bounded by the input chain, which in this export accepts only LAN (plus ICMP).
/ip dns
set allow-remote-requests=yes servers=192.168.88.49
/ip dns static
add address=192.168.88.1 disabled=yes name=router.lan
add address=192.168.88.49 name="Home DNS"
# Input chain is evaluated top to bottom; the last input rule drops anything not from LAN.
/ip firewall filter
# NOTE(review): dst-port was redacted in the post; there is no in-interface restriction,
# so this TCP port is accepted from any interface (the rule is disabled in the last export).
add action=accept chain=input comment="Allow OpenVPN" dst-port= protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# WireGuard listener, limited to the WAN list.
add action=accept chain=input comment="Wireguard VPN" dst-port=13231 \
    in-interface-list=WAN protocol=udp
# NOTE(review): ESP and 500/4500/1701 udp are accepted from any interface, including
# WAN, while the IPsec proposal and policy in this export are disabled; if that VPN is
# unused these two rules can be removed or bound to in-interface-list.
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Forward chain has no terminal drop: only invalid traffic and new connections from WAN
# that were not DSTNATed are dropped, so LAN <-> tunnel forwarding is already permitted.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Traffic from wireguard1 to the router itself ends here (wireguard1 is not in LAN):
# tunnel clients can reach LAN hosts but not the router's own services, apart from ICMP.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
# Masquerade only toward WAN; tunnel traffic keeps its real source addresses.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="OpenVPN Server NUC" disabled=yes \
    in-interface=ether1 log=yes log-prefix=VPN protocol=udp to-addresses=\
    192.168.88.49 to-ports=1122
# Port forward to a second WireGuard instance on the NUC (per the poster); it passes
# the forward chain because the connection is DSTNATed.
add action=dst-nat chain=dstnat comment=Wireguard dst-port=52994 \
    in-interface=ether1 protocol=udp to-addresses=192.168.88.49 to-ports=\
    52994
# Disabled DNS interception rules.
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
    src-port="" to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
    to-ports=53
# Connection-tracking helpers disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
# Default route; gateway redacted by the poster.
add disabled=no dst-address=0.0.0.0/0 gateway=
# Route to the remote LAN: disabled and pointing at the local bridge. That subnet sits
# behind the tunnel, so the gateway has to be wireguard1 (or the remote tunnel
# address 192.168.9.1), as the later exports do.
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=bridge \
    pref-src=192.168.1.1 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
# Covers only the single address 192.168.9.0 (/32) via the bridge; the tunnel subnet is
# already a connected route through wireguard1's address, so this has no useful effect
# (it is gone from the later exports).
add check-gateway=ping disabled=no distance=1 dst-address=192.168.9.0/32 \
    gateway=bridge pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
# SSH port value redacted by the poster.
set ssh port=
/ppp secret
add name=sevim profile=vpn-profile
/system clock
set time-zone-name=Europe/
/system identity
set name=MikroTikRouter
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.88.49
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# MAC-telnet and MAC-Winbox are limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



And here is the Openwrt config:
# WireGuard interface on the OpenWrt side (first version posted). private_key and
# public_key values were redacted by the poster.
config interface 'vpn'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	# Tunnel address; the MikroTik end is 192.168.9.2/24.
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

# route_allowed_ips '1' installs a route for each allowed_ips entry automatically,
# so no separate "config route" is needed for these prefixes.
config wireguard_vpn
	option public_key ''
        option description 'Phone'
	option route_allowed_ips '1'
	# No prefix length: treated as a single host (/32).
	list allowed_ips '192.168.9.20'

# Site-to-site peer (MikroTik); endpoint_host is a placeholder for the home public IP.
config wireguard_vpn
	option public_key ''
	option description 'mikrotik'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_port '13231'
	option endpoint_host 'home public IP'
	# Remote tunnel address of the MikroTik.
	list allowed_ips '192.168.9.2'
	# Home LAN behind the MikroTik.
	list allowed_ips '192.168.88.0/24'
	# Whole tunnel subnet; overlaps the Phone's host entry above (longest prefix wins).
	list allowed_ips '192.168.9.0/24'

config wireguard_vpn
	option route_allowed_ips '1'
	option public_key ''
	option description 'Macbook'
	# NOTE(review): a /24 here denotes the whole 192.168.9.0/24 network, not one host,
	# and collides with the same prefix on the mikrotik peer -- presumably /32 was meant.
	list allowed_ips '192.168.9.21/24'

# NOTE(review): not a usable route (gateway and netmask are given as prefixes) and
# redundant with route_allowed_ips above; it is absent from the final working config.
config route
	option target '192.168.9.1/24'
	option gateway '192.168.1.0/24'
	option netmask '192.168.9.0/24'
	option interface 'vpn'
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: LAN 2 LAN Wireguard tunnel

Sat Apr 02, 2022 7:11 pm

(1) Is the initial connection established between the houses based on the Mikrotik being the Server ??? (not for the data flow which is two way, but for the connection piece, as it is for the mobile devices)

On the Mikrotik Peer Setting for OPENVPN Peer...... ( also assume the subnet at your other house has a lan subnet of 192.168.1.0/24 )

add allowed-address=192.168.9.0/24,192.168.1.0/24 comment="Openwrt VPN" \
endpoint-address=no-ip.com endpoint-port=51820 interface=wireguard1 \ ??????????
persistent-keepalive=25s public-key=\ ?????????

this should be 192.168.9.1/32

(2) Where are all your forward chain firewall rules???

(3) Should be changed to bridge
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0

(4) What is the purpose of this Route???
add check-gateway=ping disabled=no distance=1 dst-address=192.168.9.0/32 \
gateway=bridge pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: LAN 2 LAN Wireguard tunnel

Sat Apr 02, 2022 7:25 pm

You need route to remote subnet 192.168.1.0/24, which you have, but disabled and with wrong gateway, it should be one of:
/ip route
add dst-address=192.168.1.0/24 gateway=wireguard1
add dst-address=192.168.1.0/24 gateway=192.168.9.1
And on the other side, I never tried WG with OpenWRT, but the last "config route" looks completely wrong, I'd say it shouldn't be there.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: LAN 2 LAN Wireguard tunnel

Sat Apr 02, 2022 7:47 pm

@anav:

(1) Both sides have public addresses, so connection can be initiated from either side. As for allowed addresses, the day has come, young @anav, to reveal the last(?) secret to you, I didn't tell you the whole truth before. In this case, 192.168.9.0/24 is not wrong, because WG's cryptorouting works similar to regular routing, where a broad route can be overridden by a more specific one. So this allows e.g. Phone to have local .4 when connected to RB, but also to use remote .20 when connected to remote router.

(2) In export, it's MikroTik's default firewall, it blocks new connections from WAN and allows everything else.

(3) Yes (but it's not breaking anything).

(4) To confuse enemies if they take over the router. ;)
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: LAN 2 LAN Wireguard tunnel

Sat Apr 02, 2022 7:57 pm

Oh I was not fussed about it, if it was clear that both side could BY design connect but I was still gathering requirements information before making any final assessments........
Any device used as a relay the .0 makes sense.......
 
sevo
just joined
Topic Author
Posts: 5
Joined: Sat Apr 02, 2022 1:30 pm

Re: LAN 2 LAN Wireguard tunnel

Sat Apr 02, 2022 8:51 pm

(1) Is the initial connection established between the houses based on the Mikrotik being the Server ??? (not for the data flow which is two way, but for the connection piece, as it is for the mobile devices)

On the Mikrotik Peer Setting for OPENVPN Peer...... ( also assume the subnet at your other house has a lan subnet of 192.168.1.0/24 )

add allowed-address=192.168.9.0/24,192.168.1.0/24 comment="Openwrt VPN" \
endpoint-address=no-ip.com endpoint-port=51820 interface=wireguard1 \ ??????????
persistent-keepalive=25s public-key=\ ?????????

this should be 192.168.9.1/32

(2) Where are all your forward chain firewall rules???

(3) Should be changed to bridge
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0

(4) What is the purpose of this Route???
add check-gateway=ping disabled=no distance=1 dst-address=192.168.9.0/32 \
gateway=bridge pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
1) yes the initial connection is established when i activate the tunnel, but can not ping anything from the LAN from either side

2) I have no idea where, i am not a total noob but close to it :)

3) will change it and see what happens

4) i thought that with this route i can give access to my local bridge LAN

The idea as i said in my first post is that when i am at home on my laptop and i type an address from my father's house i will be able to access it, for example if i want to see the feed from the NVR and IP cams, or a local home server that i am planning on installing, and vice versa. Like i have at my home a nextcloud server and if i want to show pictures to my family i can do it without using WG on my phone or laptop. I do realize that probably it is not a safe practice to connect two networks like that all the time, that's why probably i will activate the tunnel only when i need it.
Thanks for your replies.


p.s
my openvpn server on the router is not in use, once the wg support was added to mikrotik i stopped using it.


p.s2
i posted the same question at Openwrt forum if anyone is interested in
https://forum.openwrt.org/t/lan-to-lan- ... net/123818
 
eduplant
Member Candidate
Posts: 139
Joined: Tue Dec 19, 2017 9:45 am

Re: LAN 2 LAN Wireguard tunnel

Mon Apr 04, 2022 12:32 am

I had to diagram this for myself to make heads or tails of it. Agreed with @sob here, I think the main problem is just a basic routing issue rather than anything wrong with your Wireguard configuration. To confirm, can your routers ping each other on the addresses (192.168.9.2 <-> 192.168.9.1) you've assigned to the Wireguard link? That looks like it should be possible as it is currently configured and would confirm you can get packets across the tunnel.
sevo_topology_guess.png
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: LAN 2 LAN Wireguard tunnel

Mon Apr 04, 2022 2:22 am

Reference your diagram, can only speak to MT,
On the MT side of the house the IP address for the Wireguard interface ensures any ping traffic to the wireguard interface will be returned etc.....
So the only route required is
add dst-address=192.168.1.0/24 gateway=wireguard1 table=main

However relooking at the config I found this puzzling rule...............
add action=dst-nat chain=dstnat comment=Wireguard dst-port=52994 \
in-interface=ether1 protocol=udp to-addresses=192.168.88.49 to-ports=\
52994


I cannot figure out its purpose????
 
eduplant
Member Candidate
Posts: 139
Joined: Tue Dec 19, 2017 9:45 am

Re: LAN 2 LAN Wireguard tunnel

Mon Apr 04, 2022 2:24 am

So the only route required is
add dst-address=192.168.1.0/24 gateway=wireguard1 table=main
Correct, maybe I should have been more clear that the red routes are present in the configs and should be removed and the green routes are their replacement.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: LAN 2 LAN Wireguard tunnel

Mon Apr 04, 2022 2:26 am

Either the address or the wg interface name works; I find there are fewer typos if you use the name.
 
sevo
just joined
Topic Author
Posts: 5
Joined: Sat Apr 02, 2022 1:30 pm

Re: LAN 2 LAN Wireguard tunnel

Mon Apr 04, 2022 12:41 pm

Reference your diagram, can only speak to MT,
On the MT side of the house the IP address for the Wireguard interface ensures any ping traffic to the wireguard interface will be returned etc.....
So the only route required is
add dst-address=192.168.1.0/24 gateway=wireguard1 table=main

However relooking at the config I found this puzzling rule...............
add action=dst-nat chain=dstnat comment=Wireguard dst-port=52994 \
in-interface=ether1 protocol=udp to-addresses=192.168.88.49 to-ports=\
52994


I cannot figure out its purpose????
This is my second WG server on my home NUC server , that i use as road warrior setup, the wg interface on the router has two purposes
1 to establish conn with other router
2 if anything happened to my home server and i can not access it, i have at least some access to my LAN through my router, i am traveling a lot so sometimes the wife and the little one are without internet so i have to figure out why,ISP or the little one pulled all the cords and cables from the wifi router, ask me how i know :)
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: LAN 2 LAN Wireguard tunnel

Mon Apr 04, 2022 2:56 pm

Why dont you wireguard into it vice port forward into it??
Seems like a very insecure method to me............
 
sevo
just joined
Topic Author
Posts: 5
Joined: Sat Apr 02, 2022 1:30 pm

Re: LAN 2 LAN Wireguard tunnel  [SOLVED]

Mon Apr 04, 2022 3:24 pm

Why dont you wireguard into it vice port forward into it??
Seems like a very insecure method to me............
What do you mean? actually to use the WG on the home server instead?

UPDATE:

I have managed to make it work as intended thanks to all of you!!!!

Please see below the latest configs from both sides MT and OpenWrt

MT:
# apr/05/2022 08:23:54 by RouterOS 7.1.5
# software id = 2Y0D-P7Z5
#
# model = RB750Gr3
# serial number = 
# Review annotations: second export, posted once LAN-to-LAN traffic worked. Differences
# from the first export: LAN address moved to the bridge, the site-to-site peer's
# allowed-address narrowed, explicit forward accepts added, and the 192.168.1.0/24
# route now points at wireguard1. Empty/XX values were redacted by the poster.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=
# Site-to-site WireGuard interface; 13231/udp is opened in the input chain below.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Default IPsec proposal is disabled; 3des is only listed, not in use while disabled.
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.30-192.168.88.80
# vpn-pool / vpn-profile belong to the legacy OpenVPN (PPP) setup on 192.168.8.x.
add name=vpn-pool ranges=192.168.8.10-192.168.8.12
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
add dns-server=192.168.8.250 local-address=192.168.8.250 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
/routing table
add fib name=""
# Default "full" group; telnet/ftp appear here but those services are disabled under /ip service.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
# NOTE(review): neighbor discovery runs on every interface, including ether1 (WAN
# member below); restricting this to the LAN list is the safer choice.
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
# NOTE(review): mschap1 allowed for L2TP; no "enabled=yes" for the L2TP server is visible here.
/interface l2tp-server server
set authentication=mschap1,mschap2
# Only the bridge is in LAN; wireguard1 is in neither list, so the final input rule
# drops tunnel traffic aimed at the router itself (except ICMP).
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# OpenVPN server settings; no "enabled=yes" visible, and the poster says it is unused.
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
    default-profile=vpn-profile require-client-certificate=yes
# allowed-address = source addresses accepted from a peer (and destinations sent to it).
/interface wireguard peers
add allowed-address=192.168.9.4/32 comment=Phone interface=wireguard1 \
    public-key=""
add allowed-address=192.168.9.5/32 comment=MacBookAir interface=wireguard1 \
    public-key="="
# Site-to-site peer. NOTE(review): 192.168.9.2/32 is this router's own tunnel address
# (see /ip address below), so accepting it as a source from the remote peer looks
# unintended -- 192.168.9.1/32 and 192.168.1.0/24 are what the remote side uses.
# No endpoint-address here, so the OpenWrt side has to initiate the handshake.
add allowed-address=192.168.9.2/32,192.168.9.1/32,192.168.1.0/24 comment=\
    "Openwrt VPN" endpoint-port=51820 interface=wireguard1 \
    persistent-keepalive=25s public-key=\
    ""
/ip address
# LAN address now on the bridge (was ether2 in the first export).
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# Public address redacted by the poster.
add address=public IP/24 interface=ether1 network=.0
# Router's own tunnel address; provides the connected route for 192.168.9.0/24.
add address=192.168.9.2/24 interface=wireguard1 network=192.168.9.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# Static leases; MAC addresses partially redacted by the poster.
/ip dhcp-server lease
add address=192.168.88.48 comment="NUC wifi" mac-address=:D6 \
    server=defconf
add address=192.168.88.49 comment="NUC cable" mac-address=:7F \
    server=defconf
add address=192.168.88.43 comment="Raspberry pi 4" mac-address=\
    DC:A6:32:8B:BC:94 server=defconf
add address=192.168.88.52 client-id=:f6 mac-address=\
    B:F6 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.49 gateway=\
    192.168.88.1
# Router resolves for non-local clients and forwards to the NUC at .49; reachability
# is bounded by the input chain (LAN only in this export, plus ICMP).
/ip dns
set allow-remote-requests=yes servers=192.168.88.49
/ip dns static
add address=192.168.88.1 disabled=yes name=router.lan
add address=192.168.88.49 name="Home DNS"
# Input chain is evaluated top to bottom; the last input rule drops anything not from LAN.
/ip firewall filter
# NOTE(review): 1194/tcp accepted from any interface although the poster says the
# router's OpenVPN server is retired; the rule is disabled in the last export.
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# WireGuard listener, limited to the WAN list.
add action=accept chain=input comment="Wireguard VPN" dst-port=13231 \
    in-interface-list=WAN protocol=udp
# NOTE(review): ESP and 500/4500/1701 udp are accepted from any interface while the
# IPsec proposal and policy are disabled; remove or bind to in-interface-list if unused.
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
# Explicit LAN <-> remote-LAN accepts placed before fasttrack. Since the forward chain
# has no terminal drop they grant nothing new; they do keep this traffic off fasttrack.
# NOTE(review): neither rule is bound to in-interface=wireguard1, so a packet arriving
# on ether1 with a forged 192.168.1.x source matches the second rule before the
# "drop all from WAN not DSTNATed" rule; adding in-interface=wireguard1 to the
# second rule (and out-interface=wireguard1 to the first) closes that gap.
add action=accept chain=forward comment="OpenWRT Wireguard" dst-address=\
    192.168.1.0/24 src-address=192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.1.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only new connections from WAN that were not DSTNATed are dropped in forward.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Tunnel traffic aimed at the router itself ends here (wireguard1 is not in LAN).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
# Masquerade only toward WAN; tunnel traffic keeps its real source addresses.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="OpenVPN Server NUC" disabled=yes \
    in-interface=ether1 log=yes log-prefix=VPN protocol=udp to-addresses=\
    192.168.88.49 to-ports=1122
# Port forward to the second WireGuard instance on the NUC (per the poster).
add action=dst-nat chain=dstnat comment=Wireguard dst-port=52994 \
    in-interface=ether1 protocol=udp to-addresses=192.168.88.49 to-ports=\
    52994
# Disabled DNS interception rules.
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
    src-port="" to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
    to-ports=53
# Connection-tracking helpers disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
# Default route; gateway partially redacted.
add disabled=no dst-address=0.0.0.0/0 gateway=XX.XX.XX.1
# The fix from the thread: the remote LAN is reached through the tunnel interface.
add disabled=no dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
# SSH port value truncated/redacted by the poster.
set ssh port=2
/ppp secret
add name=sevim profile=vpn-profile
/system clock
set time-zone-name=Europe/
/system identity
set name=MikroTikRouter
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.88.49
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# MAC-telnet and MAC-Winbox are limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Packet sniffer pre-set on the tunnel interface (debugging aid left in place).
/tool sniffer
set filter-interface=wireguard1
OpenWrt
# Final OpenWrt network config as posted (appears to be /etc/config/network). Keys,
# credentials and MAC addresses were redacted by the poster. The firewall zone
# configuration for 'vpn' is not part of the paste.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde5:fe4e:f4fe::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

# LAN bridge, 192.168.1.0/24 (the "remote LAN" from the MikroTik's point of view).
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ip6assign '60'
	# NOTE(review): 'vpn' is listed as a bridge member; a WireGuard interface is
	# layer-3 only and cannot be enslaved to a bridge, so this entry is presumably
	# ignored -- confirm it is not relied on (routing via route_allowed_ips is what
	# carries the traffic).
	option ifname 'eth0 eth0.1 vpn'
	list ipaddr '192.168.1.1/24'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

# PPPoE uplink; username/password are placeholders in the post.
config interface 'wan'
	option proto 'pppoe'
	option username 'user'
	option password 'pass'
	option ifname 'eth0.2'
	option macaddr ''
	option ipv6 '0'
	option delegate '0'
	option mtu '1500'
	option metric '1'

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr 'xx.xx.xx.xx.xx'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 6t'

# WireGuard interface; listens on 51820/udp (the port the MikroTik peer entry targets).
config interface 'vpn'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	# Tunnel address; the MikroTik end is 192.168.9.2/24.
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

# route_allowed_ips '1' installs a route per allowed_ips entry automatically.
config wireguard_vpn
	option public_key ''
	option description 'phone'
	option route_allowed_ips '1'
	# NOTE(review): /32 of 192.168.1.0 is the LAN's network address, not a host --
	# looks like a typo. Also 192.168.9.5 is the MacBookAir address in the MikroTik
	# peer list, while the Macbook entry below uses .4 (MikroTik's Phone); the two
	# look swapped relative to that side -- verify against the device configs.
	list allowed_ips '192.168.1.0/32'
	list allowed_ips '192.168.9.5'

# Site-to-site peer. No endpoint_host/endpoint_port here, so this side waits for the
# MikroTik to connect (its latest export carries endpoint-address for this peer).
config wireguard_vpn
	option public_key ''
	option description 'mikrotik'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	# Remote tunnel address of the MikroTik.
	list allowed_ips '192.168.9.2'
	# Home LAN behind the MikroTik.
	list allowed_ips '192.168.88.0/24'

config wireguard_vpn
	option route_allowed_ips '1'
	option public_key ''
	option description 'Macbook'
	# Single host (/32 implied).
	list allowed_ips '192.168.9.4'

Now I have to test if I have access to these subnets via my road warrior setup ( phone and laptop); if not I will try to make the adjustments, but even if I don't, I will keep it like this. It took me a lot of time and other people's time as well. Once again thank you very very much!



UPDATE #2

So the situation is as follows:
When i connect with my phone or laptop to my MT's WG I:
1) can ping 192.168.88.0 subnet
2) can access 192.168.88.49 port 80 nextcloud
3) can not access any other ports on the same IP (strange) i have a pi-hole running on port 8888, but no luck!
4) can not access 192.168.88.1 via winbox or mikrotik android app, but can access the other wifi router on 192.168.88.2!?
5) Can not ping any IP on 192.168.1.0 subnet
##############################
When i connect with my phone to the other side to the Openwrt router's WG:
1) can not ping anything from 192.168.88.0 subnet
2) have access to the router and the 192.168.1.0 subnet

I was thinking of client isolation? maybe this is the problem, what do you think?


UPDATE #3

Happy to report that some of the problems in update #2 were actually my problem ( I doubt someone was thinking something else :D ) and not a problem in the configuration. So the only thing to do was to look in my home server firewall and allow everything from the Wireguard subnet; now I can access the home server (192.168.88.49) and all its services from the 192.168.9.0 subnet.
Only thing to sort out is pinging 192.168.1.1 while connected directly to the MT router from my phone.


Latest UPDATE:
# 04/10/2022 08:59:44 by RouterOS 7.1.5
# software id = 2Y0D-P7Z5
#
# model = RB750Gr3
# serial number = 
# Review annotations: final export ("Latest UPDATE"). Differences from the second
# export: the site-to-site peer gets an endpoint-address and a wider allowed-address,
# the explicit forward accepts are gone, an input accept from the tunnel subnet is
# added, the OpenVPN input rule is disabled, and a disabled route for the home LAN
# via wireguard1 appears. Empty values were redacted by the poster.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=
# Site-to-site WireGuard interface; 13231/udp is opened in the input chain below.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Default IPsec proposal is disabled; 3des is only listed, not in use while disabled.
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.30-192.168.88.80
# vpn-pool / vpn-profile belong to the legacy OpenVPN (PPP) setup on 192.168.8.x.
add name=vpn-pool ranges=192.168.8.10-192.168.8.12
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
add dns-server=192.168.8.250 local-address=192.168.8.250 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
/routing table
add fib name=""
# Default "full" group; telnet/ftp appear here but those services are disabled under /ip service.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
# NOTE(review): neighbor discovery runs on every interface, including ether1 (WAN
# member below); restricting this to the LAN list is the safer choice.
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# NOTE(review): mschap1 allowed for L2TP; no "enabled=yes" for the L2TP server is visible here.
/interface l2tp-server server
set authentication=mschap1,mschap2
# Only the bridge is in LAN; wireguard1 is in neither list. Tunnel-to-router traffic is
# therefore admitted only by the explicit "Wireguard VPN" input rule further down.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# OpenVPN server settings; no "enabled=yes" visible, and the poster says it is unused.
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
    default-profile=vpn-profile require-client-certificate=yes
# allowed-address = source addresses accepted from a peer (and destinations sent to it);
# longest matching prefix wins across peers.
/interface wireguard peers
add allowed-address=192.168.9.4/32 comment=Phone interface=wireguard1 \
    public-key=""
add allowed-address=192.168.9.5/32 comment=MacBookAir interface=wireguard1 \
    public-key=""
# Site-to-site peer; endpoint-address is a DDNS placeholder, so this router initiates.
# NOTE(review): 192.168.9.2/32 and 192.168.88.0/24 are this router's own tunnel
# address and its own LAN; listing them here makes WireGuard accept packets from the
# remote peer that claim a home-side source. The remote side only needs
# 192.168.9.0/24 (or 192.168.9.1/32) and 192.168.1.0/24; presumably the two extra
# entries were added while troubleshooting and can be dropped. 192.168.9.0/24
# overlaps the /32 peers above, which still win by longest match.
add allowed-address=\
    192.168.9.2/32,192.168.88.0/24,192.168.1.0/24,192.168.9.0/24 comment=\
    "Openwrt VPN" endpoint-address=OPENWRT DDNS IP endpoint-port=51820 \
    interface=wireguard1 persistent-keepalive=25s public-key=\
    ""
/ip address
# LAN address on the bridge.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# Public address redacted by the poster.
add address=public IP/24 interface=ether1 network=public IP mask
# Router's own tunnel address; provides the connected route for 192.168.9.0/24.
add address=192.168.9.2/24 interface=wireguard1 network=192.168.9.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# Static leases; MAC addresses redacted by the poster.
/ip dhcp-server lease
add address=192.168.88.48 comment="NUC wifi" mac-address= \
    server=defconf
add address=192.168.88.49 comment="NUC cable" mac-address= \
    server=defconf
add address=192.168.88.43 comment="Raspberry pi 4" mac-address=\
     server=defconf
add address=192.168.88.52 client-id= mac-address=\
     server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.49 gateway=\
    192.168.88.1
# Router resolves for non-local clients and forwards to the NUC at .49; reachable from
# LAN and, via the input accept below, from the 192.168.9.0/24 tunnel subnet.
/ip dns
set allow-remote-requests=yes servers=192.168.88.49
/ip dns static
add address=192.168.88.1 disabled=yes name=router.lan
add address=192.168.88.49 name="Home DNS"
# Input chain is evaluated top to bottom; the last input rule drops anything not from LAN.
/ip firewall filter
# OpenVPN input rule now disabled (server retired per the poster).
add action=accept chain=input comment="Allow OpenVPN" disabled=yes dst-port=\
    1194 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# NOTE(review): comment says "NUC", but 13231/udp is this router's own WireGuard
# listen port (see /interface wireguard); the NUC instance is the 52994 dst-nat below.
add action=accept chain=input comment="Wireguard VPN NUC" dst-port=13231 \
    in-interface-list=WAN protocol=udp
# Lets tunnel clients reach the router's own services on its LAN address (winbox,
# DNS, ...); this is what the earlier "cannot reach 192.168.88.1 over WG" symptom
# needed. NOTE(review): the rule is matched by source address only -- a packet arriving
# on ether1 with a forged 192.168.9.x source would hit it before the final drop; add
# in-interface=wireguard1 so it only applies to traffic that actually came through
# the tunnel. The router's own tunnel address 192.168.9.2 is not covered by this
# rule, only by the ICMP accept below.
add action=accept chain=input comment="Wireguard VPN" dst-address=\
    192.168.88.0/24 src-address=192.168.9.0/24
# Disabled variant that is bound to in-interface=wireguard1 (the remote LAN as source).
add action=accept chain=input comment="Wireguard VPN" disabled=yes \
    dst-address=192.168.9.0/24 in-interface=wireguard1 src-address=\
    192.168.1.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# "drop invalid" for input now sits after the accept rules above (the default config
# places it before the ICMP accept); the ordering only matters for invalid packets
# that match one of those accepts.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Forward chain has no terminal drop: only invalid traffic and new connections from
# WAN that were not DSTNATed are dropped, so LAN <-> tunnel forwarding is permitted
# without explicit accept rules.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
# Masquerade only toward WAN; tunnel traffic keeps its real source addresses.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Port forward to the second WireGuard instance on the NUC (per the poster).
add action=dst-nat chain=dstnat comment=Wireguard dst-port=52994 \
    in-interface=ether1 protocol=udp to-addresses=192.168.88.49 to-ports=\
    52994
# Disabled DNS interception rules.
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
    src-port="" to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
    to-ports=53
# Connection-tracking helpers disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
# Default route; gateway redacted by the poster.
add disabled=no dst-address=0.0.0.0/0 gateway=
# Remote LAN reached through the tunnel interface (the fix from the thread).
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
# Disabled: the home LAN 192.168.88.0/24 is already a connected route on the bridge,
# so a route for it via wireguard1 is not needed and can be removed.
add disabled=yes distance=1 dst-address=192.168.88.0/24 gateway=wireguard1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
# SSH port value redacted by the poster.
set ssh port=
/ppp secret
add name= profile=vpn-profile
/system clock
set time-zone-name=Europe/
/system identity
set name=MikroTikRouter
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.88.49
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# MAC-telnet and MAC-Winbox are limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Packet sniffer pre-set on the tunnel interface (debugging aid left in place).
/tool sniffer
set filter-interface=wireguard1
This solves all issues. Case closed Thanks again everyone!
