pesvoja
just joined
Topic Author
Posts: 4
Joined: Tue Jul 02, 2019 12:58 pm

Ping over WireGuard tunnel

Wed Feb 09, 2022 12:38 pm

Dear forum users, I would like to kindly ask you for help.

I am implementing the setup described here: https://help.mikrotik.com/docs/display/ROS/WireGuard to understand this excellent technology. My setup differs just a bit:
- I do not have any firewall rules yet to prevent any blocking issues while still learning
- I do have "real" public IPs on WAN interfaces. By "real" I mean that these are not routed over the internet; they are routed via a third MikroTik to simulate a real environment
- local IPs differ

Let me post an image from the link above to make my description clear:
Image
- I can ping from Workstation 1 to Workstation 3, for example
- I do samba sharing and transmit files over the tunnel; with an RB2011iL-RM on both sides (600 MHz CPU) I get what I expected in terms of speed, the processor is at 90%
- The overall experience is great, I really love the simplicity of Wireguard configuration, I can still remember headache from IPSec and OpenVPN server configuration:-)

However, I probably miss some knowledge here and thus kindly ask you to educate me. Let's say I am logged in to the Office1 router:
- I can ping local machine Workstation1
- I can ping all IPs on local interfaces (WAN IP, local interface IP - the gateway for Workstation1, the wireguard local IP - 10.255.255.1)
- I can ping Office2 router WAN public IP - but this is just routing, nothing to do with the tunnel
- I cannot ping Office2 wireguard IP - 10.255.255.2
- I cannot ping Office2 local interface IP - the gateway for Workstation3
- I cannot ping any workstation behind the Office2 router FROM the Office1 router

What am I missing here?
Thank you, Petr
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Ping over WireGuard tunnel

Wed Feb 09, 2022 6:06 pm

What src address are you using for the pinging?
Be sure to use one that is an allowed IP address at the other end.
 
pesvoja
just joined
Topic Author
Posts: 4
Joined: Tue Jul 02, 2019 12:58 pm

Re: Ping over WireGuard tunnel

Thu Feb 10, 2022 12:48 am

Thanks for the reply!
Office1 local network is 192.168.2.0, eth2 IP = 192.168.2.200
Office2 local network is 192.168.1.0, eth2 IP = 192.168.1.200
Office1 WireGuard Peer Allowed Addresses = 192.168.1.0/24
Office2 WireGuard Peer Allowed Addresses = 192.168.2.0/24
Office1 WireGuard interface = 10.255.255.1/30
Office2 WireGuard interface = 10.255.255.2/30

The issue is NOT that I cannot ping, for example 192.168.1.5 (local machine) from 192.168.2.5 (local machine) and vice versa. This works, tunnel works. So the ICMP packets go through the tunnel.
What makes me crazy is that I cannot ping the other end directly from the router. For example I cannot ping 10.255.255.2 from Office1 router (host unreachable). I cannot ping 192.168.1.200 from Office1 router either.
In short, I cannot ping router interface IPs from the other router except for the WAN IP, which is routed, not tunneled.
I do not know why and it makes me mad because I miss some piece of knowledge.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Ping over WireGuard tunnel

Thu Feb 10, 2022 1:35 am

Yes but how are you pinging from the router?
Do you choose advanced settings and use a source address that's included in the Allowed addresses???
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Ping over WireGuard tunnel

Thu Feb 10, 2022 6:43 am

If you want to ping the wg ip addresses from the other end, those need to be added on the peer's allowed addresses as well.
E.g. on office1 you need to add 10.255.255.2/30 or it will never enter the tunnel.
It's not needed to use those endpoint addresses for the tunnel to work, but if you want to reach them, you need to do something with it.

There also have to be routes for 192.168.1.0/24 and 10.255.255.0/30 with wireguard as interface on office1 (and similar for office2).
Are those routes present ?

Might be easier to show config for both devices.
/export show-sensitive file=whatever
Strip private/public keys and any other sensitive info (MAC addresses).
Then post between code quotes.
 
pesvoja
just joined
Topic Author
Posts: 4
Joined: Tue Jul 02, 2019 12:58 pm

Re: Ping over WireGuard tunnel

Thu Feb 10, 2022 11:54 am

I definitely did not know that wg interface addresses need to be added on the peer's allowed addresses as well. I was thinking it is somehow by default because wg interface IPs are in the same subnet.
I also did not know that there is no need to assign IPs to the wg interfaces. It is layer 3 communication, right?
# feb/10/2022 10:19:41 by RouterOS 7.1.1
#
# model = RB2011iL
# Office1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1 private-key="XXXXXXXXX"
/interface lte apn set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/port set 0 name=serial0
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface wireguard peers
add allowed-address=192.168.1.0/24 endpoint-address=XXX.XXX.XXX.XXX \
    endpoint-port=13231 interface=wireguard1 public-key=\
    "XXXXXXXXX"
/ip address
add address=192.168.2.200/24 interface=ether2-LAN network=192.168.2.0
add address=10.255.255.1/30 interface=wireguard1 network=10.255.255.0
/ip dhcp-client
add interface=ether1-WAN use-peer-dns=no use-peer-ntp=no
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
/ip route
add dst-address=192.168.1.0/24 gateway=wireguard1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=XXX
/system ntp client
set enabled=yes
/system ntp client servers
add address=cz.pool.ntp.org
/system package update
set channel=testing

Office2 RB:
# feb/10/2022 10:19:17 by RouterOS 7.1.1
#
# model = RB2011iL
# Office2
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1 private-key="XXXXXXXXX"
/interface lte apn set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/port set 0 name=serial0
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface wireguard peers
add allowed-address=192.168.2.0/24 endpoint-address=XXX.XXX.XXX.XXX \
    endpoint-port=13231 interface=wireguard1 public-key=\
    "XXXXXXXXX"
/ip address
add address=XXX.XXX.XXX.XXX/30 interface=ether1-WAN network=XXX.XXX.XXX.XXX
add address=192.168.1.200/24 interface=ether2-LAN network=192.168.1.0
add address=10.255.255.2/30 interface=wireguard1 network=10.255.255.0
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.XXX
add dst-address=192.168.2.0/24 gateway=wireguard1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=XXX
/system ntp client
set enabled=yes
/system ntp client servers
add address=cz.pool.ntp.org
Thank you guys for your time!!!
 
holvoetn
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Ping over WireGuard tunnel  [SOLVED]

Thu Feb 10, 2022 12:37 pm

As indicated, if you want to be able to ping those 10.255.255 addresses, you need to add them in the allowed addresses of the peer and in the required routes. You do not have that now.

That last part is because otherwise your device will not know what to do with those addresses. Actually it will, it will send them over the default gateway up to the first router that will drop them for being private IP addresses. But that's not what you want here, so a proper route is needed to send 10.255.255.0/30 to wireguard.

That first part is needed because it will otherwise never be allowed to enter the tunnel of the peer (what is not going in, will never come out :lol: )
So peer settings on office1 you add 10.255.255.2/30 as allowed address. If you ping from Office1 to 10.255.255.2, it will then be allowed to go over the tunnel (provided the routes are ok).
On Office2 you add 10.255.255.1/30 as allowed address.

Personal remark/question (since I have been chasing some ghosts as well myself lately with the EXACT same behavior):
how did you get those 2 devices on ROS7 ?
Coming from ROS6 and then upgrade version A, upgrade version B, upgrade version C up to what it is now ?
Or did you start from a CLEAN device, upgrade to the version you have now and then start to configure wireguard ?
Did you ever since those devices are on ROS7 apply a reset to clean configuration from scratch and then apply the settings again ?

That last action (and copying carefully all settings from before without touching anything which was present default unless really needed) was what ultimately solved my issue.
A couple of guys here also scrutinized my setup (including anav and Sob), nothing was found which could cause that issue.
Only the clean reset made things working after applying the exact same WG-setup I had before.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Ping over WireGuard tunnel

Thu Feb 10, 2022 4:01 pm

(1) Do not get confused about what is supposed to be in Allowed Addresses. Allowed addresses is the place where the admin details information about the remote site.

A. either legitimate destination addresses (like a subnet at the other site, or all IPs if wanting to go out the internet of the other site).
(for local outbound traffic to enter the tunnel). The router takes any user traffic and finds the appropriate route and if the associated interface is Wireguard, the router attempts to match the destination address with the first peer allowed address and if there is a match sends the traffic to that peer, and if not the next peer and so on. Hence one should not have overlap of outbound peer addresses as the latter peers will never get matched.

AND/OR (depends - one way or two way traffic flow)

B. Incoming addresses (what IPs are coming in from the remote site(s))
(for remote inbound traffic to exit the tunnel). This is a more straightforward filter action: if the incoming IP address is not on the peer Allowed Address List, it is dropped!

(2) There is NO requirement to put the IP address of the WG interface into Allowed Addresses. Stick to the requirements laid out above.

(3) It is not mandatory to add an IP address to the wg interface on MT devices. This MT manually entered IP address is NOT part of any wireguard parameters and is not passed/communicated between wireguard settings on MT devices.

(4) One should not confuse the IP address of the wireguard interface with any entries in the Allowed addresses.
In fact, if one does add the IP address, ensure it's completely separate from any other subnet, so it's clearly not confused.

+++++++++++++++++++++++++++++++

Conclusion: Thus if you want to use the PING functionality of the local router (TOOLS --> ping) you should ensure two things.

A. you are pinging a legitimate destination IP at the remote site
- the router will find the appropriate route for that traffic, hit the wireguard interface, check if that destination address is on the local wg interface peer list and then will let the traffic enter the tunnel.

B. the source address (via ping advanced settings tab) is an IP address that is on the REMOTE site peer allowed address settings. If that source address is not listed on the remote device peer settings, the remote router will drop it like a hot potato.
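Added example (my own Python model, not code from any poster or from RouterOS): it applies the two allowed-address checks holvoetn and anav describe, outbound "is the destination owned by a peer" and inbound "is the source covered by my peer's allowed-address", to the two exports posted above and shows why the router-to-router pings fail until the WG /30 is added on both sides. The Office1 default route installed by the DHCP client is assumed (the export does not show it); Router, ping and with_fix are names I made up.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass
class Router:
    """Constructed model of one router from the thread, not RouterOS code."""
    name: str
    addresses: list      # (cidr, interface) from /ip address; each adds a connected route
    peer_allowed: list   # allowed-address list of the single WireGuard peer
    static_routes: list  # (dst, gateway-interface) from /ip route

    def route(self, dst):
        """Longest-prefix match over connected and static routes; returns the interface."""
        dst = ipaddress.ip_address(dst)
        table = [(ipaddress.ip_interface(c).network, i) for c, i in self.addresses]
        table += [(ipaddress.ip_network(d), i) for d, i in self.static_routes]
        hits = [(n, i) for n, i in table if dst in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def source_for(self, iface):
        """Without an explicit src-address the router uses the outgoing interface's IP."""
        return next(str(ipaddress.ip_interface(c).ip) for c, i in self.addresses if i == iface)

    def allows(self, addr):
        """Cryptokey-routing check: is addr covered by the peer's allowed-address list?"""
        a = ipaddress.ip_address(addr)
        return any(a in ipaddress.ip_network(n, strict=False) for n in self.peer_allowed)

def ping(local, remote, dst, src=None):
    """Follow one echo request from local to remote and report where it stops."""
    iface = local.route(dst)
    if iface != "wireguard1":
        return f"not tunnelled: routed via {iface}"
    src = src or local.source_for(iface)
    if not local.allows(dst):    # outbound: no peer owns dst, nothing is encapsulated
        return "host unreachable: dst not in local peer allowed-address"
    if not remote.allows(src):   # inbound: remote drops a decrypted packet with a foreign src
        return f"dropped by {remote.name}: src {src} not in its peer allowed-address"
    return "delivered"

# Routers as posted (the DHCP default route on Office1 is assumed, not in the export).
OFFICE1 = Router("Office1", [("192.168.2.200/24", "ether2-LAN"), ("10.255.255.1/30", "wireguard1")],
                 ["192.168.1.0/24"], [("0.0.0.0/0", "ether1-WAN"), ("192.168.1.0/24", "wireguard1")])
OFFICE2 = Router("Office2", [("192.168.1.200/24", "ether2-LAN"), ("10.255.255.2/30", "wireguard1")],
                 ["192.168.2.0/24"], [("0.0.0.0/0", "ether1-WAN"), ("192.168.2.0/24", "wireguard1")])

def with_fix(router, remote_wg_cidr):
    """Router with the other end's WG /30 added to allowed-address (the thread's fix)."""
    return replace(router, peer_allowed=router.peer_allowed + [remote_wg_cidr])
```

ping(OFFICE1, OFFICE2, "192.168.1.200") fails on the second check because the default source 10.255.255.1 is not in Office2's allowed-address, while the same ping with src="192.168.2.200" is delivered; after with_fix on both routers, 10.255.255.2 becomes reachable.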
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Ping over WireGuard tunnel

Thu Feb 10, 2022 4:42 pm

It is layer 3 communication, right?
Yes, WireGuard works at Layer 3 communication .... that is ABSOLUTELY correct. :shock:
WireGuard: Next Generation Kernel Network Tunnel
WireGuard is a secure network tunnel, operating at layer 3, implemented as a kernel virtual network interface for Linux
.........
The virtual tunnel interface is based on a proposed fundamental principle of secure tunnels: an association between a peer public key and a tunnel source IP address.
 
pesvoja
just joined
Topic Author
Posts: 4
Joined: Tue Jul 02, 2019 12:58 pm

Re: Ping over WireGuard tunnel

Thu Feb 10, 2022 10:05 pm

@holvoetn, @anav: thank you for supporting me, all works for me now, just added allowed addresses!!! :-)

Regarding getting to ROS7:
- for those boards already in production I do update to latest version 6.X.X and finally perform upgrade to 7.X.X
- when I purchase a new device, I always reset configuration, make internet working and do update/upgrade of a basically unconfigured device except for a few settings to download the update
- when updated, I perform configuration from scratch to practice. It is not that I do all commands from scratch, but I have several sets of commands for firewalls, hardening etc. - I adapt it and use it
- then I do export and check whether or not there is something I do not want
A couple of guys here also scrutinized my setup (including anav and Sob), nothing was found which could cause that issue.
Only the clean reset made things working after applying the exact same WG-setup I had before.
- this is basically what I do with new devices
- but I had no problem with already running devices in production

Guys, thank you!

PS: "what is not going in, will never come out " - I am going to ask my wife about that:-))
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Ping over WireGuard tunnel

Thu Feb 10, 2022 11:23 pm

She will probably reply: "it's harder going in"
 
SaS
just joined
Posts: 15
Joined: Thu Aug 04, 2022 9:17 pm

Re: Ping over WireGuard tunnel

Sat Aug 06, 2022 5:22 pm

Hi,

I'm also trying wireguard (using ROS7.4).
My setup uses 10.255.255.0/30 as routing-subnet (-> 10.255.255.1 on the one side and 10.255.255.2 on the other).
Is it really necessary that every device behind the routers needs an additional routing entry for 10.255.255.0/30 with the wireguard-router as gateway?

Thanks
Sascha
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Ping over WireGuard tunnel

Sat Aug 06, 2022 10:41 pm

Start your own thread with diagram etc as I don't understand your question and would have to see configs at both ends........
