TheSirStumfy
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Oct 14, 2018 7:54 pm

WireGuard to Branch office over VPN

Thu May 05, 2022 5:35 pm

I have a problem I cannot seem to solve.

I have a Branch office router that is making an OVPN to Main.
I am making a WG interface to the main.

Everything on the Main network works over WG but Branch I can not reach.
HOWEVER there is also a L2TP connection to Main, and that one can reach Branch no problem:

Topography:
VPNs (client) -------------------- Main ------------------------OVPN ---------------------- Branch
WG 10.0.10.2 ----------------- 192.168.10.0/24 --------10.0.13.2---------- 192.168.13.0/24
L2TP 10.0.13.2


The Branch subnet is routed to the OVPN GW on Main (Network DST 192.168.13.0/24 to GW 10.0.13.2 at distance 1)
Branch has allow on input chain for VPN address IPs.

As stated, L2TP has no problems going through, however WG cannot reach it.
Is WG in some way special that it needs something extra? On client side? On server side? NAT perhaps?
Last edited by TheSirStumfy on Thu May 05, 2022 6:36 pm, edited 1 time in total.
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: WireGuard to Branch office over VPN

Thu May 05, 2022 5:48 pm

Since WireGuard is a VPN, I don't see why you have two other tunneling layers.

Your diagram doesn't make it clear, but it looks like you've got L2TP-in-WG-in-OVPN. That sounds like a recipe for all kinds of problems.

If you simplify your configuration, some of those problems may go away, and at that point, any remaining problems will be easier to think about.
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Oct 14, 2018 7:54 pm

Re: WireGuard to Branch office over VPN

Thu May 05, 2022 5:53 pm

Since WireGuard is a VPN, I don't see why you have two other tunneling layers.

Your diagram doesn't make it clear, but it looks like you've got L2TP-in-WG-in-OVPN. That sounds like a recipe for all kinds of problems.

If you simplify your configuration, some of those problems may go away, and at that point, any remaining problems will be easier to think about.
I agree wholeheartedly; this is the exact point of starting the WG setup, to drop the rest. However, I sadly cannot disable the old VPN solutions before I get this one up and running.
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Oct 14, 2018 7:54 pm

Re: WireGuard to Branch office over VPN

Thu May 05, 2022 5:57 pm

Also, to clear up the diagram: every VPN is separate with separate subnets. It's not a VPN in VPN in VPN...
 
anav
Forum Guru
Posts: 18968
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard to Branch office over VPN

Thu May 05, 2022 6:01 pm

(1) Which is server and which is client for the initial wireguard connection.
(2) What are the required traffic flows?
a. main to branch subnets?
b. branch to main subnets?
c. main to internet via branch?
d. branch to internet via main?
e. others????

Are both MT devices?
Will need config on MT devices...... /export file=anynameyouwish
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: WireGuard to Branch office over VPN

Thu May 05, 2022 6:22 pm

every VPN is separate with separate subnets. It's not a VPN in VPN in VPN...

Okay, then that means you have three gateways configured on the client machine, one for each VPN. Look at your routing tables. I suspect you'll find that packets aren't taking the path you think they should.

You can use advanced testing tools like nmap and hping3 to force the source IP. If that works where a regular ping doesn't, it means you've got a routing problem.

Alternately, try a traceroute. It won't solve the problem, but it'll put it on display.
 
TheSirStumfy
Frequent Visitor
Topic Author
Posts: 90
Joined: Sun Oct 14, 2018 7:54 pm

Re: WireGuard to Branch office over VPN  [SOLVED]

Thu May 05, 2022 6:34 pm

Found it.

The Branch Address space for the OVPN connection had a /24 mask. Since the WG now has a different subnet the mask had to be changed to a /16 bit mask.

Nasty one to find, since the OVPN on the Branch was making a dynamic route (and that's /24 by default).

Thanks to all for the input.
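The return-path problem the fix above describes, as an added example that is not part of the thread: a longest-prefix-match lookup over a constructed Branch routing table shows why replies to the WireGuard client left via the default route while the L2TP client was fine. Interface names (ovpn-out1, wan-gw, bridge) are assumed, not taken from the posts.

```python
import ipaddress

# Constructed routing tables for the Branch router, modelled on the thread.
# Interface names are assumptions; the prefixes follow the topology posted above.
BEFORE = [
    ("0.0.0.0/0", "wan-gw"),           # default route towards the internet
    ("192.168.13.0/24", "bridge"),     # Branch LAN
    ("10.0.13.0/24", "ovpn-out1"),     # dynamic /24 the OVPN client installs
]
AFTER = [
    ("0.0.0.0/0", "wan-gw"),
    ("192.168.13.0/24", "bridge"),
    ("10.0.0.0/16", "ovpn-out1"),      # widened so every VPN client pool is covered
]

def lookup(routes, dst):
    """Longest-prefix match: the route a router picks for a destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def unreachable_clients(routes, clients, tunnel_if):
    """VPN client addresses whose replies from Branch would NOT go back through
    the tunnel interface, i.e. traffic that arrives but is silently one-way."""
    return [c for c in clients if (lookup(routes, c) or (None, None))[1] != tunnel_if]

if __name__ == "__main__":
    clients = ["10.0.13.2", "10.0.10.2"]   # L2TP client and WireGuard client
    print("before:", unreachable_clients(BEFORE, clients, "ovpn-out1"))  # ['10.0.10.2']
    print("after: ", unreachable_clients(AFTER, clients, "ovpn-out1"))   # []
```

Running the same check against a real `/ip route print` export before and after a change is a quick way to confirm that every VPN client pool has a return route through the tunnel, rather than discovering it by a ping that times out.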
