s3rgb
just joined
Topic Author
Posts: 2
Joined: Mon Apr 18, 2022 8:13 pm

Route packets between WireGuard tunnels

Sun Jun 26, 2022 8:49 pm

Hi All,

I'm trying to set up routing between two WireGuard tunnels on a CCR1009-7G-1C-1S+PC. The idea is as follows:

  • I have vpn-out tunnel where my router is a client.
  • Another tunnel vpn-proxy is listening for incoming connections from road-warriors.
  • I have a vpn-out routing table that contains one route for 0.0.0.0/0 through vpn-out.
  • A few bridges are configured to use this table.
  • I'm trying to route all traffic from vpn-proxy through vpn-out. <--- This part does not work.

In order to selectively route traffic through the vpn-out interface I'm using routing rules. With the current configuration I see that packets from vpn-proxy are routed through my regular WAN interface pppoe-wan and get dropped by the firewall rules. I cannot understand why they are not routed through vpn-out. It seems like this rule is ignored:

/routing rule
add action=lookup-only-in-table disabled=no interface=vpn-proxy table=vpn-out

I'm using similar rules for a few bridges and it works there. I've attached a full config. Is there anything obviously wrong there? Thanks in advance!

# model = CCR1009-7G-1C-1S+
# Export posted by the topic author. Layout: five bridges (one per segment), two
# WireGuard interfaces, a PPPoE WAN, and a second routing table "vpn-out" that
# selected sources are steered into by the /routing rule entries at the bottom.
/interface bridge
add name=guest-bridge
add name=iot-bridge
add igmp-snooping=yes name=lan-bridge
add name=mgmt-bridge
add name=vpn-bridge
# vpn-out: this router is the client side (its only peer is the mullvad endpoint
# listed under /interface wireguard peers). vpn-proxy: listens on 13233 for the
# road-warrior peer. Only 13233 is accepted from the WAN by the input chain;
# inbound traffic to 13232 (vpn-out) falls through to "drop other input".
/interface wireguard
add listen-port=13232 mtu=1420 name=vpn-out
add listen-port=13233 mtu=1420 name=vpn-proxy
/interface vlan
add interface=combo1 name=combo1.4 vlan-id=4
add interface=combo1 name=combo1.6 vlan-id=6
add interface=ether1 name=ether1.10 vlan-id=10
add interface=ether1 name=ether1.20 vlan-id=20
add interface=ether1 name=ether1.30 vlan-id=30
add interface=ether1 name=ether1.40 vlan-id=40
add interface=ether1 name=ether1.69 vlan-id=69
add interface=ether4 name=ether4.10 vlan-id=10
/interface bonding
add mode=802.3ad name=nas-bonding slaves=ether2,ether3
# add-default-route=yes installs the main table's default route via pppoe-wan;
# the vpn-out table gets its own default under /ip route below.
/interface pppoe-client
add add-default-route=yes disabled=no interface=combo1.6 name=pppoe-wan user=\
    internet
# Interface lists drive the firewall policy: allowed-wan may forward to the wan
# list, allowed-vpn-out may forward to vpn-out, allowed-mgmt may reach router
# services and forward anywhere. allowed-dns is the union of allowed-wan and
# allowed-vpn-out, so every member of either list (including vpn-proxy) may
# query the router's resolver.
/interface list
add comment="interfaces that are allowed to access WAN" name=allowed-wan
add comment="interfaces tha are allowed management access" name=allowed-mgmt
add comment="WAN interfaces" name=wan
add comment="interfaces tha should use vpn-out as WAN" name=allowed-vpn-out
add comment="intarfaces that are allowed to do DNS requests" include=\
    allowed-wan,allowed-vpn-out name=allowed-dns
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan-pool ranges=192.168.10.100-192.168.10.254
add name=mgmt-pool ranges=192.168.69.100-192.168.69.254
add name=guest-pool ranges=192.168.20.100-192.168.20.254
add name=vpn-pool ranges=192.168.40.100-192.168.40.254
add name=iot-pool ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=mgmt-pool interface=mgmt-bridge name=mgmt-dhcp
add address-pool=guest-pool interface=guest-bridge name=guest-dhcp
add address-pool=iot-pool interface=iot-bridge name=iot-dhcp
add address-pool=vpn-pool interface=vpn-bridge name=vpn-dhcp
add address-pool=lan-pool interface=lan-bridge name=lan-dhcp
/port
set 0 name=serial0
set 1 name=serial1
# Second routing table; its only route is the 0.0.0.0/0 via vpn-out added below.
/routing table
add disabled=no fib name=vpn-out
/interface bridge port
add bridge=mgmt-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7
add bridge=mgmt-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1.69
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1.10
add bridge=guest-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1.20
add bridge=iot-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1.30
add bridge=vpn-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1.40
add bridge=lan-bridge interface=nas-bonding
add bridge=lan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4.10
# lan-bridge is in both allowed-wan and allowed-vpn-out; which exit a LAN host
# uses is decided per source by the /routing rule section (192.168.10.20 is
# steered to vpn-out, the rest follow main). vpn-proxy is in allowed-vpn-out
# but not in allowed-mgmt, so road-warriors can only forward towards vpn-out
# and reach the router itself for DNS.
/interface list member
add interface=mgmt-bridge list=allowed-wan
add interface=guest-bridge list=allowed-vpn-out
add interface=iot-bridge list=allowed-vpn-out
add interface=lan-bridge list=allowed-wan
add interface=vpn-bridge list=allowed-vpn-out
add interface=mgmt-bridge list=allowed-mgmt
add interface=lan-bridge list=allowed-mgmt
add interface=pppoe-wan list=wan
add interface=lan-bridge list=allowed-vpn-out
add interface=vpn-proxy list=allowed-vpn-out
# NOTE(review): md5 is a weak entry for the OpenVPN server's auth list. This
# export shows no enabled=yes for the server, so it is presumably still
# disabled — confirm, and remove md5 before ever enabling it. The input chain
# below has no accept rule for OpenVPN from the wan list either.
/interface ovpn-server server
set auth=sha1,md5
# Only peer public keys appear here; no private keys are in the export.
# vpn-out has a single peer with allowed-address=0.0.0.0/0 (tunnel default),
# vpn-proxy has a single /32 road-warrior peer.
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=mullvad endpoint-address=\
    nl5-wireguard.mullvad.net endpoint-port=51820 interface=vpn-out \
    persistent-keepalive=25s public-key=\
    "33BoONMGCm2vknqozRsHmHQY6ZHEEZ4851TkY="
add allowed-address=10.6.0.2/32 comment=sergii-phone interface=vpn-proxy \
    public-key="aB7vBiDPEkpuC/ie7GcODmSiPHCKvSe3tTQlV8="
/ip address
add address=192.168.69.1/24 interface=mgmt-bridge network=192.168.69.0
add address=192.168.10.1/24 interface=lan-bridge network=192.168.10.0
add address=192.168.20.1/24 interface=guest-bridge network=192.168.20.0
add address=192.168.30.1/24 interface=iot-bridge network=192.168.30.0
add address=192.168.40.1/24 interface=vpn-bridge network=192.168.40.0
add address=10.64.160.22/24 interface=vpn-out network=10.64.160.0
add address=10.6.0.1/24 interface=vpn-proxy network=10.6.0.0
/ip dhcp-server lease
add address=192.168.10.20 client-id=1:0:11:32:94:e2:59 mac-address=\
    00:11:32:94:E2:59 server=lan-dhcp
add address=192.168.10.25 client-id=1:ec:8e:b5:25:f8:e5 mac-address=\
    EC:8E:B5:25:F8:E5 server=lan-dhcp
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.69.0/24 dns-server=192.168.69.1 gateway=192.168.69.1
# allow-remote-requests=yes makes the router answer DNS for other hosts. The
# input chain limits port 53 to the allowed-dns lists, so WAN-side queries hit
# "drop other input" and the router is not an open resolver.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
# Input chain, in order: established/related, drop invalid, DNS (UDP then TCP)
# from allowed-dns, WireGuard 13233 from wan, anything from allowed-mgmt, drop.
/ip firewall filter
add action=accept chain=input comment="accept established and related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalind" connection-state=invalid
add action=accept chain=input comment=\
    "accept DNS UDP requests from allowed-dns" dst-port=53 in-interface-list=\
    allowed-dns protocol=udp
add action=accept chain=input comment=\
    "accept WireGuard connections for vpn-proxy" dst-port=13233 \
    in-interface-list=wan protocol=udp
add action=accept chain=input comment=\
    "accept DNS TCP requests from allowed-dns" dst-port=53 in-interface-list=\
    allowed-dns protocol=tcp
add action=accept chain=input comment="accept connections from allowed-mgmt" \
    in-interface-list=allowed-mgmt
add action=drop chain=input comment="drop other input"
# Forward chain: fasttrack precedes the established/related accept, then drop
# invalid, then per-source policy. allowed-wan may only go to the wan list and
# allowed-vpn-out only to vpn-out; allowed-mgmt (mgmt-bridge, lan-bridge) has no
# out-interface restriction and so may initiate towards guest, iot, vpn-bridge
# and vpn-proxy hosts. guest/iot/vpn-bridge/vpn-proxy cannot initiate towards
# the LAN or each other, because their only accept targets vpn-out.
add action=fasttrack-connection chain=forward comment="enable fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established and related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
    "accept forward from allowed-wan interfaces to WAN" in-interface-list=\
    allowed-wan out-interface-list=wan
add action=accept chain=forward comment=\
    "accept forward from allowed-vpn-out interfaces to vpn-out" \
    in-interface-list=allowed-vpn-out out-interface=vpn-out
add action=accept chain=forward comment=\
    "accept forward from all mgmt-allowed interfaces" in-interface-list=\
    allowed-mgmt
add action=drop chain=forward comment="drop other forward"
# Source NAT on both exits: the PPPoE WAN and the vpn-out tunnel.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan
add action=masquerade chain=srcnat out-interface=vpn-out
# The vpn-out table's only route: everything via the tunnel.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=vpn-out routing-table=vpn-out \
    suppress-hw-offload=no
# Pattern for each steered source: first a lookup in main with min-prefix=0,
# which suppresses the default route so only more specific routes (the
# directly connected subnets) can match; then a lookup in vpn-out, whose only
# route is the default via the tunnel. Those sources therefore reach local
# subnets normally and everything else through vpn-out.
/routing rule
add action=lookup disabled=no interface=guest-bridge min-prefix=0 table=main
add action=lookup disabled=no interface=guest-bridge table=vpn-out
add action=lookup disabled=no interface=iot-bridge min-prefix=0 table=main
add action=lookup disabled=no interface=iot-bridge table=vpn-out
add action=lookup disabled=no interface=vpn-bridge min-prefix=0 table=main
add action=lookup disabled=no interface=vpn-bridge table=vpn-out
add action=lookup disabled=no min-prefix=0 src-address=192.168.10.20/32 \
    table=main
add action=lookup disabled=no src-address=192.168.10.20/32 table=vpn-out
# The rule the author reported as ignored; per the thread it took effect only
# after a reboot, with no configuration change. lookup-only-in-table means
# vpn-proxy traffic never consults main, so once the rule is in effect it should
# not leak out via pppoe-wan, and it also has no path to the local subnets.
add action=lookup-only-in-table disabled=no interface=vpn-proxy table=vpn-out
/system clock
set time-zone-name=Europe/Amsterdam
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route packets between WireGuard tunnels

Sun Jun 26, 2022 11:01 pm

It looks like a bug to me. Try using src-address=10.6.0.0/24 instead of interface=vpn-proxy in the rule.
 
s3rgb
just joined
Topic Author
Posts: 2
Joined: Mon Apr 18, 2022 8:13 pm

Re: Route packets between WireGuard tunnels  [SOLVED]

Sun Jun 26, 2022 11:28 pm

It looks like a bug to me. Try using src-address=10.6.0.0/24 instead of interface=vpn-proxy in the rule.
Thanks for your suggestion. I've tried that and it did not work. After that I tried rebooting the router - and boom, it works. I put back interface=vpn-proxy instead of the src-address=10.6.0.0/24 and it worked as well! I did another reboot, just in case, but it still works :)

So reboot was the solution. Is reboot something one is expected to do when configuring Mikrotik routers?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route packets between WireGuard tunnels

Mon Jun 27, 2022 7:23 am

Is reboot something one is expected to do when configuring Mikrotik routers?
Normally not, but we deal with RouterOS 7.x here, which is still quite fresh 😟
