Lisance
just joined
Topic Author
Posts: 7
Joined: Fri Jun 19, 2020 7:25 am

Routing only specified domains via WireGuard tunnel

Mon Jan 31, 2022 12:40 am

Hello, need some advice here.

I've set up a WireGuard tunnel from my hAP lite (ROS 7.1.1) to a third-party VPN provider using the config they provide. I can now successfully ping 8.8.8.8 from the wireguard1 interface via Tools > Ping, so I assume it is working fine.

Now the idea is to make only specified websites go via that tunnel instead of the regular internet connection, to bypass resources blocked by the ISP etc. There is nothing special in my network, just a home router and several clients using the internet.

I did this once via an IKEv2 VPN by marking connections with a mangle rule and address lists, but it looks like this method won't work with WireGuard now. I do not remember exactly how I did it, but I guess it is something with the routing and the default gateway, because when I add an IP for the WireGuard interface in IP > Addresses, a default route for that address now appears in IP > Routes and I can not do anything with it. I could be going in completely the wrong direction here and not fully understanding what I am talking about, so pardon me in advance (:

Anyway, please advise on how to route only specified websites via WireGuard.

Thanks.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing only specified domains via WireGuard tunnel

Mon Jan 31, 2022 3:14 am

..............................
Last edited by anav on Sun Mar 13, 2022 4:30 am, edited 1 time in total.
 
Lisance
just joined
Topic Author
Posts: 7
Joined: Fri Jun 19, 2020 7:25 am

Re: Routing only specified domains via WireGuard tunnel

Mon Jan 31, 2022 12:13 pm

Just so I understand, you only want users to go out the wireguard for specific WebSites. For the rest of their internet usage they should use the standard haplite WAN, correct?
Yes, this is correct.
narrow this down to public IP addresses and not domain names
That doesn't sound very convenient. The public IP of the domain could change over time and I am aiming for a set-and-forget configuration (as much as possible).
it's probably mangle time
Can you please advise exactly how to do it? So far I have created the list in Firewall > Address lists and created a mangle rule... from this point I am not sure what should be done exactly. Should I use mark routing or mark connection? Or both? I tried both, and both are working (counters are properly updated when I am accessing the websites), but I do not know what to do at this point, i.e. how to use these marks to route the traffic to the WireGuard. I tried fiddling with settings and IPs in IP > Routes, but that did not work.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing only specified domains via WireGuard tunnel

Mon Jan 31, 2022 2:43 pm

Sorry, I'm not mangle trained. I can route and route rule, and I can shovel snow, but mangling is not one of my skill sets.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing only specified domains via WireGuard tunnel  [SOLVED]

Tue Feb 01, 2022 7:08 am

Mangling and routing is the easy part:

/routing table
add name=wg fib
/ip route
add dst-address=0.0.0.0/0 gateway=<WG interface> routing-table=wg
/ip firewall address-list
add address=wtfismyip.com list=wg-dest
...
/ip firewall mangle
add chain=prerouting in-interface=<LAN> dst-address-list=wg-dest connection-state=new action=mark-connection new-connection-mark=wg-conn passthrough=yes
add chain=prerouting in-interface=<LAN> connection-mark=wg-conn action=mark-routing new-routing-mark=wg
/ip firewall nat
add chain=srcnat out-interface=<WG interface> action=masquerade

The difficult part is how to fill the address list. It's easy for simple sites with static hostnames like example.net, www.example.net, etc. But if it's somethingcompletelyrandomandchangingallthetime.example.net, it's not possible to do it this way. You could try something like:

/ip firewall mangle
add chain=forward tls-host=*.example.net action=add-dst-to-address-list address-list=wg-dest address-list-timeout=none-dynamic

Which is not great, because the first connection always fails, but subsequent ones will work, so it may be usable.
 
Lisance
just joined
Topic Author
Posts: 7
Joined: Fri Jun 19, 2020 7:25 am

Re: Routing only specified domains via WireGuard tunnel

Tue Feb 01, 2022 11:48 pm

Thank you sooo much, I googled my ass off for this.
The funny thing is I did all that before my post but perhaps screwed something up, some IP or something else, and it did not work.
Now I have done it all from scratch using your instructions and it works.
 
Lisance
just joined
Topic Author
Posts: 7
Joined: Fri Jun 19, 2020 7:25 am

Re: Routing only specified domains via WireGuard tunnel

Wed Feb 02, 2022 1:50 am

While it is working, the connection to the domains specified in the list is super slow, down to timeouts sometimes or incorrectly rendered pages.
I have faced similar behavior before when I routed an address list via the IKEv2 tunnel and, as I recall, I fixed it with an MSS-changing mangle rule.
I lurked a bit and found that it is advised to change the TCP MSS for the wg-marked connections to "clamp to pmtu".
I did that, but it did not work. I also tried moving the rule and changing the MSS to some other values, all the same.
Maybe there are other recommendations for WireGuard tunnel optimization? Can someone advise a proper way to get rid of that slowness?
Last edited by Lisance on Wed Feb 02, 2022 2:07 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing only specified domains via WireGuard tunnel

Wed Feb 02, 2022 2:07 am

Try setting the MTU on both sides of the tunnel to different choices.
One that worked for me, for specific applications, was 1500.
 
Lisance
just joined
Topic Author
Posts: 7
Joined: Fri Jun 19, 2020 7:25 am

Re: Routing only specified domains via WireGuard tunnel

Wed Feb 02, 2022 2:11 am

Try setting the MTU on both sides of the tunnel to different choices.
Can't. As I mentioned, I am using a third-party paid VPN service provider. I can only download configs for OVPN or WireGuard and can't change the MTU on their side. The MTU on my side is the default 1420.
 
Lisance
just joined
Topic Author
Posts: 7
Joined: Fri Jun 19, 2020 7:25 am

Re: Routing only specified domains via WireGuard tunnel

Wed Feb 02, 2022 2:26 am

Forgot to mention.
I also disabled the fasttrack rule for the marked connection, since I read somewhere that it can also screw up tunnel-routed connections. Still all the same.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing only specified domains via WireGuard tunnel

Wed Feb 02, 2022 2:52 am

Yes, fasttrack is a common problem, it doesn't go together with mangle rules. What exactly did you do with it? Or, as a simple test, temporarily disable the fasttrack rule completely and see if it makes any difference.
 
Lisance
just joined
Topic Author
Posts: 7
Joined: Fri Jun 19, 2020 7:25 am

Re: Routing only specified domains via WireGuard tunnel

Wed Feb 02, 2022 11:51 am

Thank you again for pointing me in the right direction! I disabled the rule completely and it is working flawlessly even without MTU clamping.

Looks like the issue was an incorrect mark exception. I tried to exclude the marked routing in the default fasttrack rule like so:

5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related routing-mark=!wg log=no log-prefix=""

while it looks like it should be the marked connection:

5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related connection-mark=!wg-conn log=no log-prefix=""

It works fine that way with the rule enabled. Please correct me if I am wrong.

As a sidenote.
Since fasttrack was the main issue, do I even need that MTU clamping at all? If I do, what is the proper way to add it? Mainly, should I use it on the routing mark or on the connection mark, or both? And, just to be sure, the rule should go after both marking rules, right?
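As an added worked example (written for this page, not Sob's, Lisance's or MikroTik's own config), here is the earlier routing/mangle layout from this thread with the two points from the post above folded in: the fasttrack exception keyed on connection-mark=!wg-conn instead of routing-mark, and an MSS clamp placed in chain=forward and matched on the tunnel's out-interface, so it needs neither mark and its position relative to the two marking rules does not matter. Assumed names: wireguard1 for the WireGuard interface and bridge for the LAN; the address-list entries are constructed placeholders; new-mss=1380 is the default 1420-byte WireGuard MTU minus 40 bytes of IPv4 and TCP headers.

```routeros
# Added example, not from the thread. RouterOS 7 policy routing: only destinations
# on the wg-dest address list leave via WireGuard, everything else uses the WAN.
# Assumed interface names: wireguard1 (tunnel), bridge (LAN).

# 1. Destinations that should use the tunnel. RouterOS resolves hostnames in
#    address lists and refreshes them, so static hostnames stay current.
/ip firewall address-list
add list=wg-dest address=example.net comment="constructed sample entry"
add list=wg-dest address=www.example.net comment="constructed sample entry"

# 2. Separate routing table whose only route is a default via the tunnel.
/routing table
add name=wg fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg \
    comment="default route for traffic marked wg"

/ip firewall mangle
# 3. Mark the connection once (first packet), then give every packet of a
#    marked connection the routing mark that selects table wg.
add chain=prerouting in-interface=bridge dst-address-list=wg-dest \
    connection-state=new action=mark-connection new-connection-mark=wg-conn \
    passthrough=yes
add chain=prerouting in-interface=bridge connection-mark=wg-conn \
    action=mark-routing new-routing-mark=wg passthrough=no
# 4. MSS clamp for TCP SYNs that are about to leave via the tunnel. In chain=forward
#    the routing decision is already made, so out-interface is enough: no connection
#    or routing mark is needed and this rule can sit anywhere in the chain.
#    1380 = 1420 (assumed WG MTU) - 20 (IPv4) - 20 (TCP).
add chain=forward out-interface=wireguard1 protocol=tcp tcp-flags=syn \
    tcp-mss=1381-65535 action=change-mss new-mss=1380 passthrough=yes

# 5. Keep the default fasttrack rule, but exclude tunnel connections from it:
#    fasttracked packets bypass the mangle rules above, so the routing mark would
#    never be applied to later packets of the connection.
/ip firewall filter
set [find comment="defconf: fasttrack"] connection-mark=!wg-conn

# 6. Source NAT for packets leaving through the tunnel, using the tunnel address.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade
```

To confirm the rules are doing what you expect, watch the counters with `/ip firewall mangle print stats` while opening a listed site, and check that `/ip route print where routing-table=wg` shows the single default route via the tunnel.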
 
tromjer
just joined
Posts: 7
Joined: Thu Jul 11, 2019 9:32 pm

Re: Routing only specified domains via WireGuard tunnel

Fri Mar 11, 2022 12:43 pm

Encountered the same issue: some domains were super slow to open, and some failed with a timeout. Disabling the fasttrack connection didn't help. Changing the MSS in a mangle rule solved the problem.

/ip firewall mangle add action=change-mss chain=forward new-mss=1300 out-interface=wg-home passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: Routing only specified domains via WireGuard tunnel

Fri Mar 11, 2022 3:34 pm

@s0b, how does the router distinguish between google and youtube? In other words, there are OVERLAPPING IPs for different websites' URLs.
How will this technique work effectively when some sites are allowed and others not, but we have this conflict?
The concept may be tenable, but the practical application on the MT is a NO GO.

I just wish you would stick to things that work and not try such extravagant outside-the-box configurations ;-PPP

Finally, the Sob-proposed method is actually suboptimal; much better to use the output chain... and KEEP fasttrack!

Step 1: Identify the firewall address list for the config. I will ignore any scripts etc.; what is important is that it exists and it's populated...
firewall address list name=blocked-IPs

Step 2: Mangle the output chain
/ip firewall mangle
add action=mark-routing chain=output dst-address-list=blocked-IPs new-routing-mark=useWG passthrough=yes

Step 3: Create the table
/routing table add name=useWG fib

Step 4: Create the route.
/ip route add dst-address=0.0.0.0/0 gateway=wg-interface-name routing-table=useWG
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In effect one would have these IP routes:
dst-address=0.0.0.0/0 gateway=<WAN gateway IP> routing-table=main
dst-address=0.0.0.0/0 gateway=wg-interface-name routing-table=useWG

AGAIN, this will break down very quickly in the real world due to overlapping IPs for different websites. Not even sure if this will work for httpS websites.....
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing only specified domains via WireGuard tunnel

Fri Mar 11, 2022 4:05 pm

Even though it's all Google's addresses and they can use any of them for any of their services, chances are that they don't use any for multiple services at the same time. And if they do, tough luck.

And did you forget that chain=output is only for router's own traffic?
 
404Network
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: Routing only specified domains via WireGuard tunnel

Fri Mar 11, 2022 4:18 pm

Even though it's all Google's addresses and they can use any of them for any of their services, chances are that they don't use any for multiple services at the same time. And if they do, tough luck.

And did you forget that chain=output is only for router's own traffic?
Damn, yes I did; I was using that approach when considering another application. Thanks! I knew it seemed too easy.
In any case the OP should know that there can and will be issues with that approach.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing only specified domains via WireGuard tunnel

Sat Mar 12, 2022 3:07 pm

.............................
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing only specified domains via WireGuard tunnel

Sun Mar 13, 2022 4:29 am

..........................
 
darkmanlv
newbie
Posts: 35
Joined: Thu Mar 26, 2015 3:19 pm
Location: Riga, Latvia

Re: Routing only specified domains via WireGuard tunnel

Thu May 19, 2022 11:42 am

Encountered the same issue: some domains were super slow to open, and some failed with a timeout. Disabling the fasttrack connection didn't help. Changing the MSS in a mangle rule solved the problem.
/ip firewall mangle add action=change-mss chain=forward new-mss=1300 out-interface=wg-home passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
Thanks, this helped.

I also route some sites to a WireGuard VPN and they were really slow to open; now all sites load in seconds :)

PS: disabling fasttrack completely also helped, but I think it is better to keep it enabled.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing only specified domains via WireGuard tunnel

Thu May 19, 2022 12:54 pm

Encountered the same issue: some domains were super slow to open, and some failed with a timeout. Disabling the fasttrack connection didn't help. Changing the MSS in a mangle rule solved the problem.
/ip firewall mangle add action=change-mss chain=forward new-mss=1300 out-interface=wg-home passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
Thanks, this helped.

I also route some sites to a WireGuard VPN and they were really slow to open; now all sites load in seconds :)

PS: disabling fasttrack completely also helped, but I think it is better to keep it enabled.
I have found that when it comes to MT, thinking is dangerous, knowing is the key! :-)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Routing only specified domains via WireGuard tunnel

Thu May 19, 2022 1:24 pm

I have a bit of history with MTU and VPN connections, and currently I am using WireGuard and IKEv2. I now have a different way of approaching this than I did before.

I am not deciding beforehand what the MTU has to be, but I let the other side indicate what fits there. Returning traffic through the VPN tunnel is recognized by ipsec-policy=in,none and by still having the SYN flag set.

In Mangle:
add action=change-mss chain=forward ipsec-policy=in,none log-prefix=MSS new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn comment="WG & IKEv2 Sync"

It works for me and the sites are loading/responding fast this way.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing only specified domains via WireGuard tunnel

Thu May 19, 2022 3:11 pm

Hi msatter, can you describe how you would do this for a WireGuard connection?
a. Scenario one: two MT devices, one client and one server.
b. Scenario two: one MT device as server, other devices as clients (of whatever ilk).
