own3r1138

Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun Jan 09, 2022 9:07 am

Hello,
I can't figure out how to pass a WireGuard tunnel from my MT to a Mikrotik WG peer. My use case is to bypass the ISP firewall.
My MT has two WG interfaces, WG STS and VIA WG; WG STS is a site-to-site with a different peer. I'm not sure if that is related to the issue at hand or not.
I tried different netmask #4 in the Route list with the "VIA WG" gateway. I'm not sure what I have to set there.
Server Peer & IPs (attachment: srv-info.png)
MT Client Peer & IPs (attachment: mt-info.png)
MT Client Firewall - Interface list (attachment: mt-fw.png)
MT Client Mangle (attachment: mt-mangle.png)
MT Client Route (attachment: mt-route.png)
Torch (attachment: torch.png)
Last edited by own3r1138 on Sun Feb 27, 2022 11:29 pm, edited 2 times in total.
 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun Jan 09, 2022 2:17 pm

Found this somewhere in the forum, still can't. The connection is one way, I don't know. The route is wrong, IP/subnet, or a combination.

/ip route add disabled=no dst-address=0.0.0.0/0 gateway=WG pref-src="" routing-table=via-wg suppress-hw-offload=no
/routing rule add action=lookup-only-in-table disabled=no dst-address=10.10.12.0/24 src-address=10.10.12.0/24 table=main
/routing rule add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 src-address=10.10.12.0/24 table=via-wg

 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun Jan 09, 2022 3:20 pm

Done. :d
Thanks for the help. <3
(attachment: 2022-01-09_16-45-52.png)
 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer  [SOLVED]

Mon Jan 10, 2022 8:54 am

(attachment: Untitled Workspace.png)
So this is an update.
As I had missed the PMTUD, I also needed to use DoH to bypass the DNS filtering, and as CF does not have any AS in this region the latency was F'd up, so I decided not to use DoH on the Client MT and to move the DNS queries to the WG peer.
mangle
/ip firewall mangle
add action=mark-connection chain=prerouting comment="VIA WG DNS" dst-port=53 new-connection-mark=via-wg-dns passthrough=yes protocol=tcp src-address-list=VPN
add action=mark-connection chain=prerouting dst-port=53 new-connection-mark=via-wg-dns passthrough=yes protocol=udp src-address-list=VPN
add action=mark-routing chain=prerouting connection-mark=via-wg-dns new-routing-mark=via-wg passthrough=no
add action=mark-connection chain=prerouting comment="VIA WG Route" dst-address-list=!LOCO new-connection-mark=via-wg passthrough=yes src-address-list=VPN
add action=mark-routing chain=prerouting connection-mark=via-wg new-routing-mark=via-wg passthrough=no src-address-list=VPN
add action=change-mss chain=forward connection-mark=via-wg new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
NAT

/ip firewall nat
add action=masquerade chain=srcnat comment="M VIA WAN" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="SRC-NAT Modem" dst-address=192.168.1.1 out-interface-list=DSL to-addresses=192.168.1.2
add action=src-nat chain=srcnat comment="SRC-NAT VPN - VIA WG" out-interface-list=WG to-addresses=10.10.12.240
add action=dst-nat chain=dstnat comment="DST-NAT VIA WG" connection-mark=via-wg-dns src-address-list=VPN to-addresses=10.10.12.1

address-list

/ip firewall address-list
add address=192.168.88.3 list=VPN
add address=192.168.88.2 disabled=yes list=VPN
add address=192.168.88.0/24 list=LOCO

(attachments: 2022-01-12_09-31-46.png, export.txt)
Last edited by own3r1138 on Sun May 08, 2022 3:31 am, edited 5 times in total.
 
rama

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Tue Feb 22, 2022 3:00 pm

Thanks own3r1138 for sharing. I'll post the solution, if successful. :-?
 
404Network

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Tue Feb 22, 2022 8:53 pm

Without a network diagram and a clearer description of what was being done, I have no clue what the thread is about.

For example: I accessed Router A with a WireGuard tunnel from the iPhone, then I entered a different tunnel to Router B for internet.

(One might say, why not just tunnel from the iPhone direct to Router B? But what if Router B cannot act as a server, and thus Router B connects to Router A and is then available for access.)
 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Tue Feb 22, 2022 10:52 pm

...
Last edited by own3r1138 on Sun Feb 27, 2022 11:23 pm, edited 2 times in total.
 
404Network

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Tue Feb 22, 2022 11:43 pm

Thanks for the diagram!
Q1: So you want the iPhone to go out the SERVER WAN IP for internet??
Q2: Is the WireGuard interface the same one for both the iPhone and the Server, from the perspective of the MT router (two peers)?
(One WG interface in use or two? Either way there is a solution, so it's up to you.)
 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Wed Feb 23, 2022 12:12 am

@404Network
A1
So incoming traffic whose destination is not 192.168.88.0/24, from source addresses in address-list=VPN, will pass through the WG tunnel. Any DNS traffic from address-list=VPN will pass through the WG tunnel.
A2
There is only one WG peer at the Client MT for this tunnel. The interface/peer name is VIA WG.
There is another WG peer for another site-to-site tunnel; WG STS is not related to this topic.
 
404Network

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Wed Feb 23, 2022 2:53 am

You're speaking a foreign language. I can never understand people who try to mix requirements and config.
I could care less about source and address lists.

See how I put it into clear, simple terms: iPhone user needs access to the internet via the WG interface at the MT device.

Now you try............. what are the user requirements........
 
emilk

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun May 08, 2022 12:16 am

@own3r1138

Hello, first of all, thank you for your post!
I think you did a similar thing to what I'm trying to achieve, but a few questions, if you don't mind.

I have a WireGuard (wirehole with DNS) server running on a VDS with a private IP.
I want to connect my Mikrotik to it, but only want 1-2 internal IPs to connect through it.
WG_config
[Interface]
Address = 10.6.0.1
ListenPort = 51820
PrivateKey = Pr_key

[Peer]
# peer3
PublicKey = Pu_key
AllowedIPs = 10.6.0.4/32


I've adapted parts of your config, but it doesn't work :)
If you don't mind looking over my config, I'd appreciate it.
I'm using a different port for WireGuard, and have the Firewall list disabled for one IP, as it's not working.

Thank you
 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun May 08, 2022 12:43 am

@own3r1138
Sure, let me take a look.

What is the CIDR for the 10.6.0.0 network?

Do these refer to what you want to pass through? If yes, why not the same?
/ip dhcp-server lease
add address=10.0.0.38
/ip firewall address-list
add address=10.0.0.46 comment=TV list=VPN
 
emilk

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun May 08, 2022 1:04 am

@own3r1138
Sure, let me take a look.

What is the CIDR for the 10.6.0.0 network?

Do these refer to what you want to pass through? If yes, why not the same?
/ip dhcp-server lease
add address=10.0.0.38
/ip firewall address-list
add address=10.0.0.46 comment=TV list=VPN
I believe it's
255.255.255.255
I also cleaned the config of WG SPS that you have. Not sure if you opened my first attachment or the updated one.
 
emilk

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun May 08, 2022 1:11 am

Do these refer to what you want to pass through? If yes, why not the same?
/ip dhcp-server lease
add address=10.0.0.38
/ip firewall address-list
add address=10.0.0.46 comment=TV list=VPN
10.0.0.38 is just one I set static - not needed in forwarding.

10.0.0.46 is the one I want to go through the WG tunnel. Will set it to static.
 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun May 08, 2022 1:12 am

I believe it's
255.255.255.255
I also cleaned the config of WG SPS that you have. Not sure if you opened my first attachment or the updated one.
I downloaded the config one more time.
I want to be sure about what you are saying: so you are saying the WG peer at the VDS has IP 10.6.0.1, the MT peer is 10.6.0.4, and the whole subnet is /32?
 
emilk

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun May 08, 2022 1:19 am

I downloaded the config one more time.
I want to be sure about what you are saying: so you are saying the WG peer at the VDS has IP 10.6.0.1, the MT peer is 10.6.0.4, and the whole subnet is /32?
Correct.
I used the WireHole script (https://github.com/IAmStoxe/wirehole) to set up WG on the VDS, and it works just fine with the wg software client on laptop and mobile.
 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun May 08, 2022 1:32 am

Correct.
So I don't know the exact process to run this script, but the WG config is very simple in fact.
MY problem
It should not work as it is right now, or you could mislead me, cuz I have no info about the VDS peer.
Let's say you have a VDS with one public IP, 2.2.2.2.
You have WG with a network of 10.0.6.1/? as the address for the WG interface,
then you have an MT peer with an IP of 10.0.6.4/?.
You are saying the subnet mask for the VDS WG interface network is 255.255.255.255, so it's a /32 CIDR; this means that it only has one valid IP. Now how can it connect to anything other than itself?
add address=10.6.0.4/32 comment="WG VPN" interface="VIA WG" network=10.6.0.4
should be
add address=10.6.0.4/24 comment="WG VPN" interface="VIA WG" network=10.6.0.0
this network should change on both sides of the tunnel.

MY config.
(attachment: WG.png)
Remove the first line.
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.0.0.46/32 table=via-wg
add action=lookup-only-in-table disabled=no dst-address=10.6.0.0/24 src-address=10.6.0.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=10.6.0.0/24 src-address=0.0.0.0/0 table=via-wg
This will not affect the WG, but still. (Cloudflare has a DNS query limit, so as you already have DoH, let the local MT DNS server be the DNS for your DHCP.)
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.1
However, do you have fast-track enabled?
Last edited by own3r1138 on Sun May 08, 2022 3:49 am, edited 2 times in total.
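Added example, not from this thread or from RouterOS: a small Python model of the prerouting mangle rules and the DNS dst-nat from the [SOLVED] post earlier in the thread, plus the /32 vs /24 interface-address check from the post above, so the intended per-host policy routing can be verified packet by packet before committing it to a router. The VPN/LOCO lists and the peer DNS 10.10.12.1 come from the posted config; the sample packets and the function names classify/same_subnet are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address lists as posted in the [SOLVED] config (192.168.88.2 is disabled there).
ADDRESS_LISTS = {
    "VPN": [ipaddress.ip_network("192.168.88.3/32")],
    "LOCO": [ipaddress.ip_network("192.168.88.0/24")],
}
WG_PEER_DNS = "10.10.12.1"  # to-addresses of the "DST-NAT VIA WG" rule

def in_list(addr: str, name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADDRESS_LISTS[name])

@dataclass
class Packet:          # constructed sample packet, not a real capture
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0

@dataclass
class Verdict:
    connection_mark: Optional[str]
    routing_mark: Optional[str]
    dnat_to: Optional[str]
    clamp_mss: bool

def classify(pkt: Packet) -> Verdict:
    """Walk the posted prerouting mangle rules in order. The DNS mark-routing
    rule is passthrough=no, so DNS never reaches the "VIA WG Route" rule."""
    cmark = None
    if in_list(pkt.src, "VPN"):
        if pkt.dport == 53 and pkt.proto in ("tcp", "udp"):
            cmark = "via-wg-dns"          # any destination, even the local router
        elif not in_list(pkt.dst, "LOCO"):
            cmark = "via-wg"              # non-local destinations only
    rmark = "via-wg" if cmark else None   # both marks select routing table via-wg
    dnat = WG_PEER_DNS if cmark == "via-wg-dns" else None
    # change-mss clamp-to-pmtu applies to TCP SYN of via-wg connections (forward chain)
    clamp = cmark == "via-wg" and pkt.proto == "tcp"
    return Verdict(cmark, rmark, dnat, clamp)

def same_subnet(iface_addr: str, other: str) -> bool:
    """The /32 trap: an interface address like 10.6.0.1/32 contains no other host."""
    return ipaddress.ip_address(other) in ipaddress.ip_interface(iface_addr).network
```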
 
emilk

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun May 08, 2022 2:09 am

No, I do not have fasttrack.
Changed the DNS server in DHCP to the MT IP, and lost connection :)
Do I understand you correctly: since MT DNS is already set to Cloudflare, I can just give out the MT IP as DNS in DHCP?

Removed the first routing rule, I think it was left over from my previous trials.
 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Sun May 08, 2022 2:16 am

@emilk
Changed the DNS server in DHCP to the MT IP, and lost connection :)
This should not be the result, unless you have firewall rules.
Do I understand you correctly
Correct.
No, I do not have fasttrack.
It's okay if you don't, but you will get less throughput.
 
emilk

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Wed May 11, 2022 4:31 am

@emilk
Changed the DNS server in DHCP to the MT IP, and lost connection :)
This should not be the result, unless you have firewall rules.
Do I understand you correctly
Correct.
No, I do not have fasttrack.
It's okay if you don't, but you will get less throughput.
Hello, got overworked and couldn't reply. Wanted to thank you for taking the time to reply.
I reconfigured my router. Fixed that DNS issue. Looks like if you just leave the IP/DHCP Server DNS setting active but blank, it would not use the router's DNS settings.
Also added fasttrack :)

Still didn't get to wireguard configuration. Will try again and post here.
Thank you again!
 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Wed May 11, 2022 4:44 am

@emilk
Wanted to thank you for taking the time to reply.
Sure.
leave the IP/DHCP Server DNS setting active but blank,
Of course, that's not gonna work. :D
Also added fasttrack
Good, check the "connection-mark": you have to use "no-mark".
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=no-mark connection-state=established,related hw-offload=yes
Still didn't get to the WireGuard configuration
Change the subnet and you should be good to go.
You said it does work on your smartphone; which DNS server did you use in the WG client?
 
emilk

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Wed May 11, 2022 5:53 am

Also added fasttrack
Good, check the "connection-mark": you have to use "no-mark".
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=no-mark connection-state=established,related hw-offload=yes
I did not have "connection-mark=no-mark connection-state=established,related hw-offload=yes" set. So, I added "connection-mark=no-mark", but cannot find "hw-offload=yes". I'm looking in WinBox, maybe it's only available through the terminal?
Still didn't get to the WireGuard configuration
Change the subnet and you should be good to go.
You said it does work on your smartphone; which DNS server did you use in the WG client?
The WireGuard WireHole script actually uses Unbound DNS. So, DNS is assigned in the config, and it filters everything.
But I have not added it in the MT WireGuard settings, didn't even see a field for it.
 
own3r1138

Re: Route Internet traffic MT via WireGuard tunnel through MT WG peer

Wed May 11, 2022 6:41 am

@emilk
maybe it's only available through the terminal?
Check it:
ip firewall filter print from=[find comment=FastTrack]
The WireGuard WireHole script actually uses Unbound DNS. So, DNS is assigned in the config, and it filters everything.
But I have not added it in the MT WireGuard settings, didn't even see a field for it.
What I meant was: what did you set as the DNS server in your laptop or smartphone WireGuard client? There is no DNS setting in MT for WG; you have to use mangle and DST-NAT as I did in my config.
The local VDS DNS server.
Public DNS
None
[Interface]
PrivateKey = base64 key
Address = 10.0.6.3/32
DNS = 10.0.6.1
or
DNS = 1.1.1.1
or no DNS

[Peer]
PublicKey = base64 key
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.domain.com:port
