Paco
just joined
Topic Author
Posts: 16
Joined: Mon Dec 22, 2014 10:50 pm
Location: Sofia, Bulgaria

OpenVPN scenario to Wireguard

Sat Aug 06, 2022 12:28 am

Hello,

I have 3 routers that can see each other's local networks over an OpenVPN server running on one of them.

Router 1: RoS 7.4
My home router: RB4011iGS+5HacQ2HnD - configured OpenVPN as a server running on TCP (because if I use UDP and route all LAN traffic from router 2 and/or router 3 via the OpenVPN server connection (with traffic marking), I see errors at random times: "nothing received for a while"). On TCP it works like a boss, but UDP for OpenVPN on RoS 7.4 is NOT stable ... at this time.

Router 1 Lan network: 172.17.72.0/22

---
Router 2: RoS 7.4
My mobility router: 962UiGS-5HacT2HnT (I have configured a failover scenario with WiFi-WAN/LTE-WAN - when I go on vacation I take the router and connect it to the hotel WiFi, or I use a 4G modem to have internet) - configured as an OpenVPN client to my home router
Router 2 Lan network: 172.27.72.0/22
---
Router 3: RoS 7.4
Router on my villa for cameras: RB941-2nD - the small guy
Router 3 Lan network: 172.28.0.0/24

===========

Router 2 and router 3 have a PPP profile configured called openvpn-client-mikrotik-main, with on-up/on-down configured to run scripts:

after-openvpn-client-mikrotik-main-up
after-openvpn-client-mikrotik-main-down

The script on router 2 adds an additional static route for local network 172.28.0.0/24 with the pref-src IP that the router gets from the OpenVPN server, to see router 3.

The script on router 3 is the same, with the difference that it adds an additional static route for local network 172.27.72.0/22 with the pref-src IP that the router gets from the OpenVPN server, to see router 2.

router 1 successfully sees: 172.27.72.0/22 and 172.28.0.0/24
router 2 successfully sees: 172.17.72.0/22 and 172.28.0.0/24
router 3 successfully sees: 172.17.72.0/22 and 172.27.72.0/22

Everything with that configuration is working as expected. ;))))

BUT .. today I tried to shut down the OpenVPN interfaces with the idea of migrating all of that to WireGuard.

I tried to make it work with this scenario:

Router1:
Wireguard interface: Wireguard-Server
IP address on Wireguard-Server: 198.19.198.1/24
--
2 Peers:
Router 2 and Router 3 on WireGuard interface Wireguard-Server, without endpoint, with allowed addresses:

198.19.198.2/32 and 172.27.72.0/22 for Router2
198.19.198.3/32 and 172.28.0.0/24 for Router3


Router 2:
Wireguard interface: Wireguard-to-MikroTik-Main
IP address on Wireguard-to-MikroTik-Main: 198.19.198.2/24
--
Peers:
Router 1 with endpoint address and port, and allowed addresses:
198.19.198.1/32 and 172.17.72.0/22

Router 3:
Wireguard interface: Wireguard-to-MikroTik-Main
IP address on Wireguard-to-MikroTik-Main: 198.19.198.3/24
--
Peers:
Router 1 with endpoint address and port, and allowed addresses:
198.19.198.1/32 and 172.17.72.0/22

And so... Router 2 and Router 3 successfully connected to Wireguard-Server on server 1.

On Router 1 I added a static route for 172.27.72.0/22 (router 2) with gateway Wireguard-Server and another static route for 172.28.0.0/24 (router 3), again with gateway Wireguard-Server.
From router 1 I successfully ping and access devices behind router 2 and router 3.

On Router 2 I added a static route for 172.17.72.0/22 with gateway Wireguard-to-MikroTik-Main and successfully access devices behind Router 1 from router 2.

On router 3 I also added a static route for 172.17.72.0/22 with gateway Wireguard-to-MikroTik-Main and successfully access devices behind Router 1 from router 3.

Here is the problem:
Router 2 and Router 3 are unable to ping / access each other.

+ From router 1 I have access to devices behind router 2 and 3.
+ From router 2 I have access to router 1 and devices behind it.
+ From router 3 I have access to router 1 and devices behind it.

But

- From router 2 I am unable to access/ping router 3 and devices behind it.
- From router 3 I am unable to access/ping router 2 and devices behind it.

I tried to add an additional static route on Router 2 -> 172.28.0.0/24 with gateway Wireguard-to-MikroTik-Main, with the idea of making it work and accessing the local network on router 3 from router 2. I also tried with gateway and pref-src 198.19.198.1.

I also tried to add an additional static route on Router 3 -> 172.27.72.0/22 with gateway Wireguard-to-MikroTik-Main, with the idea of accessing the local network on router 2 from router 3. I also tried with gateway and pref-src 198.19.198.1,

but that does not work.
Maybe I am unable to understand the logic of WireGuard correctly. I'll be happy if any of you can help me with that, if my OpenVPN scenario is possible to make work on WireGuard.
Last edited by Paco on Fri Sep 30, 2022 11:23 am, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: OpenVPN scenario to Wireguard

Sat Aug 06, 2022 12:48 am

You also need to fix allowed addresses on routers 2 and 3. Now you allow only the subnet behind router 1.
 
Paco
just joined
Topic Author
Posts: 16
Joined: Mon Dec 22, 2014 10:50 pm
Location: Sofia, Bulgaria

Re: OpenVPN scenario to Wireguard

Sat Aug 06, 2022 1:24 am

On router 1 I have two peers created on interface Wireguard-Server:
Allowed address for Router 2 peer:
198.19.198.2/32 and 172.27.72.0/22
Allowed address for Router 3 peer:
198.19.198.3/32 and 172.28.0.0/24

On Router 2 - WG -> Peers
I have only one Peer -> Router 1 with allowed address:
198.19.198.1/32 (router 1 wg ip address)
172.17.72.0/22 (router 1 localnet)
->> Here I must also add to allowed addresses:
198.19.198.3/32 (router 3 wg ip address)
172.28.0.0/24 (router 3 localnet)

And on Router 3
->> I must add to allowed addresses:
198.19.198.2/32 (router 2 wg ip address)
172.27.72.0/22 (router 2 localnet)

Right? Am I understanding what you are saying correctly?
Is there anything extra I need to do to make routers 2 and 3 see each other?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: OpenVPN scenario to Wireguard

Sat Aug 06, 2022 1:44 am

That's correct. Remember that allowed addresses are what can be on the other side, so there can be incoming packets with that source and outgoing packets with that destination. Nothing extra is required, aside from adjusting the firewall if you didn't allow this traffic already.
 
Paco
just joined
Topic Author
Posts: 16
Joined: Mon Dec 22, 2014 10:50 pm
Location: Sofia, Bulgaria

Re: OpenVPN scenario to Wireguard

Sat Aug 06, 2022 2:03 am

That's correct. Remember that allowed addresses are what can be on the other side, so there can be incoming packets with that source and outgoing packets with that destination. Nothing extra is required, aside from adjusting the firewall if you didn't allow this traffic already.
Thank you very much, @Sob.
I'll try again tomorrow and I'll update the post.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: OpenVPN scenario to Wireguard

Sat Aug 06, 2022 3:28 am

That's correct. Remember that allowed addresses are what can be on the other side, so there can be incoming packets with that source and outgoing packets with that destination. Nothing extra is required, aside from adjusting the firewall if you didn't allow this traffic already.
To add (pun intended) to that.

Allowed addresses, which are critical for all peer settings, have two purposes.

(1) Originating outgoing traffic:
At the local end of the tunnel, it is used to let the router know that the IP addresses the local users want to reach (the remote IPs) are associated with the WireGuard tunnel. The router can then match the correct WireGuard peer tunnel and routing containing those remote IPs. So in this outgoing case, to enter the tunnel, the router acts as a matcher and selector.

(2) Incoming external traffic:
At the local end of the tunnel, it is used to let the router know that the IP addresses (the remote users' source IPs) that want to exit the tunnel are legit and associated with that peer, and can be allowed to exit the tunnel and enter the local router (depending upon firewall rule actions, of course).

Thus when you put down allowed addresses, it's very important to understand that it could be a one-way consideration or a two-way consideration.
In either case, both are dependent upon the remote site IPs (servers, users etc.).

You can read more here:
viewtopic.php?t=182340
 
Paco
just joined
Topic Author
Posts: 16
Joined: Mon Dec 22, 2014 10:50 pm
Location: Sofia, Bulgaria

Re: OpenVPN scenario to Wireguard

Sat Aug 06, 2022 11:57 pm

Hello again,
After adding the allowed networks:

On Router 2 - WG -> Peers
198.19.198.1/32 (router 1 wg ip address)
172.17.72.0/22 (router 1 localnet)
198.19.198.3/32 (router 3 wg ip address)
172.28.0.0/24 (router 3 localnet)

and

On Router 3 - WG -> Peers
198.19.198.1/32 (router 1 wg ip address)
172.17.72.0/22 (router 1 localnet)
198.19.198.2/32 (router 2 wg ip address)
172.27.72.0/22 (router 2 localnet)


router 1 successfully sees: 172.27.72.0/22 and 172.28.0.0/24
router 2 successfully sees: 172.17.72.0/22 and 172.28.0.0/24
router 3 successfully sees: 172.17.72.0/22 and 172.27.72.0/22

I have only one thing that I am unable to make work..

In my OpenVPN scenario on Router 2 I have configured an address list called "VPN-Default-Route", and the IP addresses in that list are default-routed via the OpenVPN client to Router 1, so they access the world from the public IP of Router 1:

IP -> Firewall -> address lists:
/ip firewall address-list add address=172.27.72.0/22 comment="Main Local Network" list=LocalNet-OpenVPN
/ip firewall address-list add address=172.27.72.21 comment="Main Laptop Lenovo" list=VPN-Default-Route
IP -> Firewall -> Mangle
/ip firewall mangle add action=mark-routing chain=prerouting comment="Setting up marker OpenVPN-Traffic on traffic, generated from IP the addresses in VPN-Default-Route list and excluding going to the IP addresses in LocalNet-OpenVPN list" dst-address-list=!LocalNet-OpenVPN new-routing-mark=OpenVPN-Traffic passthrough=yes src-address-list=VPN-Default-Route
IP -> Routes
/ip route add comment="Routing traffic with marker OpenVPN-Traffic via OpenVPN-to-MikroTik-Main" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=OpenVPN-to-MikroTik-Main pref-src=0.0.0.0 routing-table=OpenVPN-Traffic scope=30 suppress-hw-offload=yes target-scope=10
When that route rule is enabled, my laptop with local IP 172.27.72.21 on router 2 accesses the world via the public IP address of Router 1 (OpenVPN server).

The route and the mangle rule that I used for my OpenVPN connection are currently disabled.

I have created new ones for WireGuard:
/ip firewall mangle add action=mark-routing chain=prerouting comment="Setting up marker WireGuard-Traffic on traffic, generated from IP the addresses in VPN-Default-Route list and excluding going to the IP addresses in LocalNet-OpenVPN list" dst-address-list=!LocalNet-OpenVPN new-routing-mark=WireGuard-Traffic passthrough=yes src-address-list=VPN-Default-Route
/routing table add fib name=WireGuard-Traffic
/ip route add comment="Routing traffic with marker WireGuard-Traffic via WireGuard-VPN-Client" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WireGuard-VPN-Client routing-table=WireGuard-Traffic scope=30 suppress-hw-offload=yes target-scope=10
--
And when I try to access Google from my laptop I get:
$ ping google.com
PING google.com (172.217.17.110) 56(84) bytes of data.
From _gateway (172.27.72.1) icmp_seq=1 Destination Host Unreachable
From _gateway (172.27.72.1) icmp_seq=2 Destination Host Unreachable
From _gateway (172.27.72.1) icmp_seq=3 Destination Host Unreachable
From _gateway (172.27.72.1) icmp_seq=4 Destination Host Unreachable

I also tried disabling the mangle rule and following the steps on viewtopic.php?t=182340
4. IP Route - To force all users out Wireguard for internet vice local ISP. You should have the default route already in place, either automatically because in IP DHCP Client you have YES selected for use ISP as default route, OR you should have created one manually.
add dst-address=0.0.0.0/0 gwy=ISP gateway-IP table=main.

THREE STEPS:
Add table
/routing table add name=useWG fib

Add routing rule (use as many route rules as you have subnets, use route rules for any individual exceptions on a subnet that should not go out the wireguard interface for internet)
/routing rule add src-address=192.168.20.0/24 action=lookup table=useWG

Add additional route
dst-address=0.0.0.0/0 gwy=wireguard1 table=useWG

Note: lookup means use the table indicated for traffic but if the table is not available, look for another routing (which means check table=main to see if any alive routes exist and use that one).
If you had selected lookup-only-in-table, then the router would not look else where if the wg tunnel was not available and traffic would be dropped.
In my case:
--
/routing table add fib name=WireGuard-Traffic
/routing rule add action=lookup disabled=no src-address=172.27.72.21/32 table=WireGuard-Traffic
/ip route add comment="Routing traffic with marker WireGuard-Traffic via WireGuard-VPN-Client" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WireGuard-VPN-Client routing-table=WireGuard-Traffic scope=30 suppress-hw-offload=yes target-scope=10
But it does not work.. and I get Destination Host Unreachable

I am unable to understand what I messed up.. I'll be happy if someone explains to me how to make that work too when I use the WireGuard VPN.
Thanks in advance
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: OpenVPN scenario to Wireguard  [SOLVED]

Sun Aug 07, 2022 12:37 am

Routing is the same for OpenVPN and WG; the problem is still WG's allowed addresses. If on the other end of the tunnel there can be the whole internet, then any address needs to be allowed, i.e. 0.0.0.0/0. That's what you need as allowed addresses on router 2 for peer router 1. You can remove the rest (addresses and subnets of routers 1 and 3), because this covers everything. You don't need to change allowed addresses on router 1, because from its perspective peer router 2 is still only its address and subnet.
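A small model of WireGuard's allowed-addresses ("cryptokey routing") behaviour that anav describes above and that Sob's two fixes rely on, written as an added example (Python, not RouterOS or WireGuard code). It uses the thread's tunnel and LAN prefixes; the peer labels are assumed names for illustration.

```python
import ipaddress
from typing import Optional

# Added example modelling WireGuard's cryptokey routing. A peer's allowed
# addresses are the prefixes that may appear as the SOURCE of packets
# arriving from that peer and as the DESTINATION of packets sent to it.
# Prefixes are the ones from the thread; peer labels are assumptions.


def select_peer(peers: dict, dst: str) -> Optional[str]:
    """Outgoing: return the peer whose allowed prefix is the longest match
    for dst, or None when no peer covers it (the packet is dropped)."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, prefixes in peers.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if ip in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_from_peer(peers: dict, peer: str, src: str) -> bool:
    """Incoming: a decrypted packet from `peer` is forwarded only if its
    source address lies inside one of that peer's allowed prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in peers[peer])


# Router 2 as first configured: only Router 1's tunnel IP and LAN allowed.
ROUTER2_BEFORE = {"Router1": ["198.19.198.1/32", "172.17.72.0/22"]}
# Router 2 after the first fix: Router 3's tunnel IP and LAN added.
ROUTER2_SITE_TO_SITE = {"Router1": ["198.19.198.1/32", "172.17.72.0/22",
                                    "198.19.198.3/32", "172.28.0.0/24"]}
# Router 2 after the final fix: 0.0.0.0/0 covers the whole internet behind Router 1.
ROUTER2_DEFAULT_ROUTE = {"Router1": ["0.0.0.0/0"]}
# Router 1 (hub) stays unchanged: each spoke is only its tunnel IP and LAN.
ROUTER1 = {"Router2": ["198.19.198.2/32", "172.27.72.0/22"],
           "Router3": ["198.19.198.3/32", "172.28.0.0/24"]}

if __name__ == "__main__":
    print(select_peer(ROUTER2_BEFORE, "172.28.0.5"))             # None: no peer, dropped
    print(select_peer(ROUTER2_SITE_TO_SITE, "172.28.0.5"))       # Router1
    print(select_peer(ROUTER2_SITE_TO_SITE, "172.217.17.110"))   # None: internet not allowed
    print(select_peer(ROUTER2_DEFAULT_ROUTE, "172.217.17.110"))  # Router1
    print(select_peer(ROUTER1, "172.28.0.5"))                    # Router3: hub relays spoke to spoke
    print(accept_from_peer(ROUTER1, "Router2", "172.28.0.5"))    # False: Router 3's LAN is not Router 2's
```

The last call shows why the hub needs no change: a packet arriving from Router 2 claiming a Router 3 LAN source is rejected, while Router 2's own LAN is passed.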
 
Paco
just joined
Topic Author
Posts: 16
Joined: Mon Dec 22, 2014 10:50 pm
Location: Sofia, Bulgaria

Re: OpenVPN scenario to Wireguard

Sun Aug 07, 2022 12:58 am

Thanks a lot again @Sob.

On Router 2 in WG -> peers - I removed

198.19.198.1/32 (router 1 wg ip address)
172.17.72.0/22 (router 1 localnet)
198.19.198.3/32 (router 3 wg ip address)
172.28.0.0/24 (router 3 localnet)

and I added only: 0.0.0.0/0

Now my laptop behind router 2 accesses the internet via the WAN IP address of router 1.
