I would like to configure a hEX to serve as the hub in a hub-and-spoke WireGuard setup. The spokes are computers connected to the LAN side and computers on the WAN side of the router.
The problem is that, for some reason, I can get a hub-spoke WireGuard connection from either the WAN computer or the LAN computer, but never from both of them at the same time.
My intended topology is 192.168.2.4 (10.0.1.4) <---> [LAN 192.168.2.1 - hEX - 192.168.1.3 WAN] <---> 192.168.1.148 (10.0.1.148)
The IPs in parentheses are the WireGuard interface addresses. The hEX runs RouterOS 7.1. Both the LAN and the WAN computer run Linux.
The computer on the LAN side:
Code:
[Interface]
#LAN side
PrivateKey = LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL=
Address = 10.0.1.4/32
[Peer]
#hEX
PublicKey = HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH=
Endpoint = 192.168.1.3:13232
AllowedIPs = 10.0.1.0/24
PersistentKeepalive = 25
Code:
[Interface]
#WAN side
PrivateKey = WWWWWWWWWWWWWWWWWWWWWWWWWW=
Address = 10.0.1.148/32
[Peer]
#hEX
PublicKey = HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH=
Endpoint = 192.168.1.3:13232
AllowedIPs = 10.0.1.0/24
PersistentKeepalive = 25
Code:
/interface/wireguard/ print
0 R ;;; Router3
name="wg0" mtu=1420 listen-port=13232
private-key="ppppppppppppppppppppppppppppppppppppppppppppp="
public-key="HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH="
Code:
/interface/wireguard/peers/ print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-PORT, ALLOWED-ADDRESS
# INTERFACE PUBLIC-KEY ENDPOINT-PORT ALLOWED-ADDRESS
0 wg0 llllllllllllllllllllllllllllll= 0 10.0.1.0/24
1 wg0 wwwwwwwwwwwwwwwwwwwwwwwwwwwwww= 0 10.0.1.0/24
Code:
/ip/address/ print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; defconf
0 192.168.2.1/24 192.168.2.0 bridge
1 10.0.1.3/24 10.0.1.0 wg0
2 D 192.168.1.3/24 192.168.1.0 ether1
Code:
/ip/route/ print
Flags: D - DYNAMIC; A - ACTIVE; c, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 192.168.1.1 1
DAc 10.0.1.0/24 wg0 0
DAc 192.168.1.0/24 ether1 0
DAc 192.168.2.0/24 bridge 0
Code:
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 chain=input action=accept protocol=udp src-address=10.0.1.0/24 in-interface=wg0 dst-port=13232 log=no
6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
7 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
8 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
9 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
12 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
13 chain=input action=accept protocol=tcp dst-address=192.168.1.3 dst-port=443 log=no log-prefix=""
Code:
ping 192.168.1.3
Code:
ping 10.0.1.3
Code:
ping 192.168.1.3
Code:
ping 10.0.1.3
Code:
ping 10.0.1.4
Or neither of them works.
To switch between those scenarios it is enough to edit the endpoint-port of one of the peers in /interface/wireguard/peers/ on the hEX and then revert the change.
Any idea what's wrong?
Thanks!
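The following is an added example, not code from the post above or from MikroTik: a small Python model of WireGuard's cryptokey routing table, run over the hub-side peer entries shown in the /interface/wireguard/peers output (both peers with allowed-address 10.0.1.0/24). In WireGuard a given allowed-ips prefix belongs to exactly one peer, so whichever peer was set last owns the whole /24, and traffic for the other spoke (in both directions) is dropped. The "fixed" entries (10.0.1.4/32 and 10.0.1.148/32 per peer) are my assumption of what the hub-side allowed-address values would look like with one /32 per spoke; they are not from the post.

```python
import ipaddress

# Added example, not from the forum post: a minimal model of WireGuard's
# cryptokey routing table, used to show how a hub resolves two peers that
# both claim allowed-address 10.0.1.0/24.


class CryptokeyTable:
    """One owner per prefix. A packet to an address is sent to the peer that
    owns the longest matching prefix; a decrypted packet from a peer is only
    accepted if its source address maps back to that same peer."""

    def __init__(self):
        self.owner = {}  # ip_network -> peer name

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            # Assigning a prefix already owned by another peer moves it:
            # WireGuard never keeps one prefix under two peers.
            self.owner[net] = name

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [(net, peer) for net, peer in self.owner.items() if addr in net]
        if not matches:
            return None
        # Longest-prefix match decides which peer a packet is encrypted to.
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def accepts_from(self, peer, src_ip):
        # Ingress check: allowed-ips is also the source filter for the peer.
        return self.lookup(src_ip) == peer


def hub_reachability(peers):
    """peers: list of (name, [allowed-ips]) in the order they were set on the hub.
    Returns which peer the hub would send each spoke's traffic to and whether
    each spoke's own packets would be accepted on arrival."""
    table = CryptokeyTable()
    for name, allowed in peers:
        table.add_peer(name, allowed)
    return {
        "egress_to_10.0.1.4": table.lookup("10.0.1.4"),
        "egress_to_10.0.1.148": table.lookup("10.0.1.148"),
        "ingress_from_lan": table.accepts_from("lan", "10.0.1.4"),
        "ingress_from_wan": table.accepts_from("wan", "10.0.1.148"),
    }


# Constructed from the posted peers output: both hub-side peers claim the whole /24.
POSTED_HUB = [("lan", ["10.0.1.0/24"]), ("wan", ["10.0.1.0/24"])]

# Assumed correction (not from the post): each hub-side peer owns only the
# spoke's own /32 tunnel address.
FIXED_HUB = [("lan", ["10.0.1.4/32"]), ("wan", ["10.0.1.148/32"])]

if __name__ == "__main__":
    scenarios = (
        ("posted", POSTED_HUB),
        # Editing and reverting the lan peer re-applies its allowed-address last.
        ("lan peer re-set last", list(reversed(POSTED_HUB))),
        ("fixed", FIXED_HUB),
    )
    for label, peers in scenarios:
        print(label, hub_reachability(peers))
```

With the posted entries the model sends both spokes' traffic to whichever peer was configured last and rejects the other spoke's packets on ingress, and re-setting a peer flips which one wins, which matches the symptom described (only one spoke at a time, toggled by editing a peer). The spoke-side configs with AllowedIPs = 10.0.1.0/24 are unaffected, since each spoke has only one peer. Narrow /32 entries on the hub are also the least-privilege setting: allowed-ips doubles as the source-address filter for what each peer is permitted to inject into the tunnel.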