RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

RouterOS 7.5 as Wireguard client

Sat Sep 24, 2022 1:00 am

Hi

My first post.;)
I'm new to playing with RouterOS on a new RB2011UiAS-2HnD. For some weeks I've been running a WireGuard server with the wg-easy GUI in Docker.
Very nice. Adding clients is so easy. I have downloaded the .conf file for the MikroTik client, and honestly I'm not sure why there is no handshake.

Tried to find some tutorials, but in most cases the MikroTik is the server. And that's not what I want to do...

The WG client seems to transmit, but there is no answer. Is it possible that it can't reach the remote server? The router itself can...

Thanks in advance...
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: RouterOS 7.5 as Wireguard client

Sat Sep 24, 2022 3:17 am

 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Sat Sep 24, 2022 3:30 pm

That looks extensive.

I thought I just have to set up a peer with the data provided by the Wireguard server.

My conf file for the WG client looks like this. My other clients (mobile, desktop...) don't need more information than that...
-------------------------------
[Interface]
PrivateKey = kBb/1TG3sQRoxxxxxxxxxxxxx31vB113+B9y52k=
Address = 10.8.0.13/24
DNS = 8.8.8.8

[Peer]
PublicKey = E1X0GkYMieiKNWzNudxxxxxxxxxxxxLbDBDE=
PresharedKey = B70hkZ/56/pdK9QVRxxxxxxxxxxxxxvDoPTDyjr7U=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = wg.mydomain.net:51820
---------------------------------------------------------------------------------------
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Sat Sep 24, 2022 5:06 pm

Try an IP address of 10.8.0.13/32 for the client setting.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 12:18 am

Is it just me, or is there still no RouterOS config posted? It's quite likely that you made some mistake there when you entered the data from the WG config file, but if nobody else can see it, it's difficult to help.
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 12:24 pm

I'm afraid I still have to deal with posting the config.... ;)
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 1:59 pm

Use the export command in the terminal and it will show under Files.
Download it to your computer, open it in Notepad, remove the serial number and any public WAN IP info and keys, and then paste it in the forum.
Use code tags on the config (next to bold, underline etc. - the black square with white square brackets).
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 2:43 pm

OK, learning by doing. I know there are no firewall rules, but I don't get the tunnel handshake running... And I don't know if that is the reason...
# sep/25/2022 13:31:51 by RouterOS 7.5
# software id = VE92-QR7V
#
# model = RB2011UiAS-2HnD
# serial number = xxxxxxxxxxxxxx
/interface bridge
add admin-mac=DC:2C:6E:3F:37:9F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-3F37A8 wireless-protocol=802.11
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=*13 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=wg.mydomain.net endpoint-port=\
    51820 interface=wireguard-vpn persistent-keepalive=25s public-key=\
    "E1X0GkYMieiKNWzxxxxxxxxxxx0rTwncA22LbDBDE="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.8.0.13/24 interface=wireguard-vpn network=10.8.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lcd
set time-interval=hour
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10"
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 4:24 pm

Hmmm, not much there.

(1) The mac-server by itself is not using a secure protocol and should be set to NONE.
/tool mac-server
set allowed-interface-list=LAN

(2) You are missing the fact that you need to send your subnet out through the tunnel.
I don't see any IP routes, so I assume you set the route "add default route" in your IP DHCP client settings.
You need to uncheck that and make routes manually so it will all be clear.
Something as simple as:
/ip route
add dst-address=0.0.0.0/0 gateway=ISPgatewayIP

Then you need to add 3 things.
a. routing table
b. routing rule
c. route

/routing table add name=useWG fib
/routing rule add src-address=192.168.88.0/24 action=lookup table=useWG

Note: If you used action=lookup-only-in-table, then if the wireguard connection was down there would be no internet access at all. With the setting I prescribed, if the wireguard is down the router will fall back to the main table, find the local route through the local WAN IP and route users out to the internet.

YOUR ROUTES
/ip route
add dst-address=0.0.0.0/0 gateway=ISPgatewayIP
add dst-address=0.0.0.0/0 gateway=wireguard-vpn routing-table=useWG

(3) We also have to consider whether or not source NAT is required for wireguard traffic.
WHERE ARE YOU SENDING THIS TRAFFIC TO? If the MT router is a client, what is the server???

a. if another MT router elsewhere and the allowed IPs include 192.168.88.0/24, no need for anything in srcnat
b. if a third party VPN provider, then they are expecting all traffic to have the IP 10.8.0.13 and thus you need this additional NAT rule....

/ip firewall nat
add chain=srcnat action=masquerade out-interface=wireguard-vpn

(4) As far as firewall rules go, there is nothing blocking your LAN from going out wireguard, as the default rules are loosey goosey, so it's not clear what is or isn't allowed.
Better to be a tad more explicit, at least in the forward chain.
FROM:
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


TO:
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=accept chain=forward comment="allow normal internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="to wg tunnel for internet" in-interface-list=LAN out-interface=wireguard-vpn
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 4:57 pm

I don't see any IP routes, so I assume you set the route "add default route" in your IP DHCP client settings.
You need to uncheck that and make routes manually so it will all be clear.
Something as simple as:
/ip route
add dst-address=0.0.0.0/0 gateway=ISPgatewayIP
Sorry, but this is nonsense. If you get an address from your ISP using DHCP, you also get the default route the same way. You could set it manually and it would work, sure, but where would you even get the gateway address from? You can't just take the one you see when the default route from DHCP is enabled, because it can change.
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 5:05 pm

Hmm,

I can't say that I know more now than before. First I wanted to connect the WireGuard client to my WireGuard server.
The router will later be used for ham radio connections. If WireGuard works, I could edit the configuration together with other radio amateurs.
My WireGuard server is publicly accessible on the Internet. Other peers in the WireGuard network should be able to access the MT's web interface.

At the end, the MT should work as follows:

eth1 or sfp1 - WAN1 Internet (DHCP client)
eth2 - WAN2 ham radio 5 GHz antenna to Hamnet (some kind of intranet of radio amateurs) (https://hamnetdb.net/map.cgi)
eth3-5 - ham radio LAN (no NAT, the Hamnet clients have their own v4 address range)
eth6-10 - other LAN

The idea:
The clients on eth3-5 can reach other Hamnet clients via eth2.
If eth2 has no connectivity, the clients on eth3-5 can themselves choose the 2nd route via eth1/sfp1. Don't know if this is possible.. ;)
The clients on eth6-10 can only route via eth1/sfp1 (NAT, public Internet).

The MT interface should be accessible via Hamnet on eth2, and via WireGuard from the public Internet.

I assume there are other radio amateurs here in the forum. Maybe my idea is stupid. ;)
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 5:07 pm

Well, true, we don't know what the IP DHCP client looks like, so follow Sob's advice and keep the default route as is.
We can just assume it's there... I prefer seeing (as seeing is believing).
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 5:09 pm

Not a bad idea at all.

However, I may have misread your intentions totally.
Are you meaning to use the MikroTik router as the server or the client...
All this time I thought you were using the router to connect to a remote wireguard server somewhere??
Now it appears you want the MT router to act as a server for incoming external clients...

Can you please add a network diagram to clear it up?
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 5:35 pm

However, I may have misread your intentions totally.
Are you meaning to use the MikroTik router as the server or the client...
The MT should connect to my external WireGuard server, so I can reach it to make mods without being at its location.
For now we have only mobile LTE internet. No other way to connect from the public internet.
All this time I thought you were using the router to connect to a remote wireguard server somewhere??
Now it appears you want the MT router to act as a server for incoming external clients...
Yes, the MT wireguard should only act as client (peer).
Via the WireGuard interface (10.8.0.13) I want to reach the WebGUI of the MT.
Can you please add a network diagram to clear it up?
You're right. I will try to make a diagram...
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 6:09 pm

I see....
So the server is off site, and you want to use the server to reach your MT whenever you are away from it, for config purposes and other purposes.
So the server is simply a conduit for all the users that need to reach your router.
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 6:28 pm

I see....
So the server is off site, and you want to use the server to reach your MT whenever you are away from it, for config purposes and other purposes.
So the server is simply a conduit for all the users that need to reach your router.
Yes, my WireGuard server is simply a VServer with a fixed v4 IP and domain, running Docker and WireGuard in it...
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 7:16 pm

In that case...

(1) Allowed IPs is too wide... 0.0.0.0/0 is typically for when local users are going out the internet of your server or some other wireguard location, and that does not appear to be the case.
SO...
You need to put in the IP of the wireguard subnet and every subnet that you think will be coming into the router. I believe you will not have any subnets coming into or going out of the router, but only single wireguard clients, and thus you only need the wireguard subnet info.

From
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=wg.mydomain.net endpoint-port=\
51820 interface=wireguard-vpn persistent-keepalive=25s public-key=\
"E1X0GkYMieiKNWzxxxxxxxxxxx0rTwncA22LbDBDE="


TO:

/interface wireguard peers
add allowed-address=10.8.0.0/24 endpoint-address=wg.mydomain.net endpoint-port=\
51820 interface=wireguard-vpn persistent-keepalive=25s public-key=\
"E1X0GkYMieiKNWzxxxxxxxxxxx0rTwncA22LbDBDE="

(2) Missing a rule for you as admin to configure the router remotely... Place it before the last rule.
Note: replace XX with whatever wireguard IP you set on the admin Windows client or iPad client etc...

add action=accept chain=input in-interface=wireguard-vpn src-address=10.8.0.XX/32 comment="admin remote access"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN


(3) Missing firewall rules to ensure remote traffic works properly.
Replace this firewall rule
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


As follows:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="allow internet"
add action=accept chain=forward in-interface=wireguard-vpn dst-address=192.168.88.0/24 comment="allow wireguard to lan"
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


(4) For routes, the default route created by the wireguard address will ensure that return traffic back through the tunnel will go out correctly. No other routes are required, as all incoming users have an IP address on the existing wireguard network and there are no remote LAN subnets coming in NOR any local subnets going out.

(5) Source NAT: nothing special required, as no local users are going out to a third party VPN provider.
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 8:04 pm

Thanks for your work, will test it later this evening.
But, regardless of the firewall rules: shouldn't the WireGuard client establish the connection without these rules? There is no "handshake". I can see only transmit traffic on the wg interface....
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 8:12 pm

You should be able to see the initial traffic heading out the router WAN on the wireguard port... unless the other end responds, you won't see any handshaking.
I suspect at this point it's your VServer, the remote wireguard instance, that is the problem.
Best to post all the config of that here...
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RouterOS 7.5 as Wireguard client

Sun Sep 25, 2022 8:58 pm

WireGuard always transmits.
It is only when you see incoming traffic that you know it works.
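
What holvoetn describes above, as an added example that is not from the thread: WireGuard's message framing is public, so a capture of the UDP traffic on the listen port (on RouterOS, for example /tool sniffer quick interface=ether1 port=51820; /interface wireguard peers print also shows last-handshake) tells you whether only handshake initiations are leaving or a handshake response ever came back. The script classifies each payload by its first byte and separates the two cases. Note that the "no reply" verdict cannot distinguish an unreachable endpoint from a responder that does not recognise our public key or preshared key, because WireGuard drops such initiations silently. The packets in the block are constructed samples, not captured traffic.

```python
"""Decide from the UDP payloads on the WireGuard port whether a tunnel is
'transmit only' or has actually completed a handshake.

WireGuard message framing: byte 0 is the message type, bytes 1..3 are
reserved and zero.  Type 1 = handshake initiation (148 bytes), type 2 =
handshake response (92 bytes), type 3 = cookie reply (64 bytes), type 4 =
transport data (at least 32 bytes).  A peer that keeps sending type 1 and
never receives a type 2 shows exactly the "only transmit traffic" symptom.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MSG_TYPES = {1: "handshake-initiation", 2: "handshake-response",
             3: "cookie-reply", 4: "transport-data"}
FIXED_SIZES = {1: 148, 2: 92, 3: 64}
MIN_TRANSPORT_SIZE = 32  # type + receiver index + counter + Poly1305 tag, empty payload


@dataclass(frozen=True)
class UdpPacket:
    direction: str  # "out": router -> endpoint, "in": endpoint -> router
    payload: bytes


def classify(payload: bytes) -> str:
    """Name the WireGuard message, or 'not-wireguard' if the framing is wrong."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return "not-wireguard"
    msg_type = payload[0]
    if msg_type == 4:
        return MSG_TYPES[4] if len(payload) >= MIN_TRANSPORT_SIZE else "not-wireguard"
    if msg_type in FIXED_SIZES and len(payload) == FIXED_SIZES[msg_type]:
        return MSG_TYPES[msg_type]
    return "not-wireguard"


def diagnose(packets: Iterable[UdpPacket]) -> Tuple[str, List[str]]:
    """Return a verdict code and the classified timeline.

    handshake-complete      an initiation went out and a response came back
    no-reply                initiations leave, nothing WireGuard-shaped returns
                            (endpoint/port/NAT problem, or the responder does not
                            know our public key / PSK and silently drops us)
    no-initiation-sent      we never even tried (peer has no endpoint, or is disabled)
    reply-without-response  something came back, but never a handshake response
    """
    sent_init = got_response = got_any = False
    timeline: List[str] = []
    for pkt in packets:
        kind = classify(pkt.payload)
        timeline.append(f"{pkt.direction}:{kind}")
        if pkt.direction == "out" and kind == "handshake-initiation":
            sent_init = True
        elif pkt.direction == "in" and kind != "not-wireguard":
            got_any = True
            got_response = got_response or kind == "handshake-response"
    if not sent_init:
        return "no-initiation-sent", timeline
    if got_response:
        return "handshake-complete", timeline
    return ("reply-without-response" if got_any else "no-reply"), timeline


def _wg(msg_type: int, length: int) -> bytes:
    """Constructed payload with valid framing; the cryptographic fields are zeroed."""
    return bytes([msg_type, 0, 0, 0]) + bytes(length - 4)


# Constructed captures (not traffic from the thread): the failing and the working case.
CAPTURE_TX_ONLY = [UdpPacket("out", _wg(1, 148)) for _ in range(3)]
CAPTURE_OK = [UdpPacket("out", _wg(1, 148)), UdpPacket("in", _wg(2, 92)),
              UdpPacket("out", _wg(4, 96)), UdpPacket("in", _wg(4, 96))]

if __name__ == "__main__":
    for name, capture in (("tx-only", CAPTURE_TX_ONLY), ("working", CAPTURE_OK)):
        verdict, timeline = diagnose(capture)
        print(f"{name}: {verdict}  {' '.join(timeline)}")
```

The interface byte counters RouterOS shows count the outgoing type 1 messages too, which is why "Tx" climbing proves nothing; only an incoming type 2 (and then type 4 data) does.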
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 9:44 am

You should be able to see the initial traffic heading out the router WAN on the wireguard port... unless the other end responds, you won't see any handshaking.
I suspect at this point it's your VServer, the remote wireguard instance, that is the problem.
Best to post all the config of that here...
My WireGuard instance can't be the problem. There are 20 clients connected and running. As WG is running in Docker, there is no way to see logs. That is something I would have to activate, and that is nothing I can do now without disconnecting all clients.
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 11:37 am

What if I don't set the correct public key in the right position? In WT, I have Wireguard and peer. In both there is a pubkey setting. As I don't need the MT running as WireGuard server, which key from the WG server conf has to be inserted in the peer position?? I'm confused...
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 12:41 pm

If the key-pairs are not correct, there will be no communication.
Take peer A and peer B (there is no client/server in wireguard, only peers).

On Peer A you enter Public key of interface of peer B.
On Peer B you enter Public key of interface of peer A.

See here for more info:
https://help.mikrotik.com/docs/display/ROS/WireGuard
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 2:11 pm

My public WireGuard peer is running a GUI called wg-easy. All keys are autogenerated and AFAIK not changeable. For every peer I can download a *.conf file with this content.
[Interface]
PrivateKey = kBb/1TG3sQRoESyB******************vB113+B9y52k=
Address = 10.8.0.13/24
DNS = 8.8.8.8

[Peer]
PublicKey = E1X0GkYMieiKN******************uTwncA22LbDBDE=
PresharedKey = B70hkZ/56/p******************HnbhJq/vDoPTDyjr7U=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = wg.domain.net:51820
The public key under [Peer] seems to be the public (so-called server) peer key. It is the same in all files!
I assume the key must be entered in the MT in the peer section??

I can see on the "server" the key for my MT peer. If that has to be entered in the "Interface section" on the MT, I can't change it. It is read-only. Maybe with the command line??
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 2:29 pm

Your allowed IP settings are not necessarily correct on the server, if that is what is showing. I have no clue what you mean by my PUBLIC wireguard PEER. If it's the device with the public IP, it acts as a server for the connection. So it has multiple peers, whereas the rest of the clients have only one peer.

It should be........

peer 1 -------- its-wireguardIP/32,anysubnets
peer2 ---------- its-wireguardIP/32,anysubnets
peer3 etc.....

and not 0.0.0.0/0

where anysubnets means any subnet coming from the peer to the server (could happen if a peer is a router and the wg server has any other servers that users may want to access)
where anysubnets means any subnet heading toward the peer (could happen if two of the peers are routers)


+++++++++++++++++++++++++++++++
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 2:54 pm

With the setting
AllowedIPs = 0.0.0.0/0, ::/0
all traffic on the peer goes through the VPN. On some of my clients I use this to watch German TV, because my "server" is located in Germany.
On clients where I don't want this, I have to use 10.8.0.0/24.
I have no clue what you mean by my PUBLIC wireguard PEER. If it's the device with the public IP, it acts as a server for the connection. So it has multiple peers, whereas the rest of the clients have only one peer.
Yes, the public system has many peers. The software running on it is:
https://github.com/WeeJeWel/wg-easy
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 3:45 pm

Okay, understood.
The server should have (in its peer settings) for each peer ---> allowed IPs set to the IP address of the peer/32 and any subnets coming from that peer.

The peers at their end, for their allowed IPs, should have the IP address of the wireguard subnet (x.y.z.0/24) and any LAN subnets they are going to visit,
UNLESS they are going out to the internet, which then would use 0.0.0.0/0, which covers all of the above anyway.

The confusion on my part was not knowing what you were showing...
If it was client settings (which I now know it was), then you had the ADDRESS incorrect (should have been .13/32 and not .13/24, and it should be changed for all peers).
If it was server settings, then the allowed IPs were incorrect.
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 4:26 pm

If you are interested in testing, I could send you a test config via mail, active for some days. You can use it on your desktop client, and that should work on an MT router as well..
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 5:06 pm

I run my WG on my CHR, but other than that it's the same.
[attached screenshot: 2022-09-26_17-30-19.jpg]
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 6:00 pm

Yes, that only confirms that the server side uses /32 for the peer address and that at the peer side they are going out to the internet of your server device.
If your server device was also an MT router, then quite possibly, depending upon the firewall rules on the router, you could (assuming you were the client) configure the router and access the router's local subnets as well.

I don't need to test anything LOL. You have the issues. :-)
-ensure the clients all have a /32 for their own address in the interface setting (assuming non-MT devices).
-ensure the clients, if they need internet, have in their peer settings allowed-ips=0.0.0.0/0
-ensure the clients, if they only need access to the server for pinging, control etc., have in their peer settings the wireguard IP subnet x.y.z.0/24
-ensure the clients, if they only need access to subnets at or beyond the server, have in their peer settings x.y.z.0/24,subnetA,subnetB etc.....
Just ensure in the server's peer settings that all allowed IPs (for each peer) are /32.

When you do that let me know if still having issues.
Last edited by anav on Mon Sep 26, 2022 6:54 pm, edited 2 times in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 6:02 pm

Keys should be like this:
/interface wireguard
add <other options> private-key="key from Interface/PrivateKey"
/interface wireguard peers
add <other options> public-key="key from Peer/PublicKey" preshared-key="key from Peer/PresharedKey"
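
Sob's mapping, carried out as an added Python example that is not from the thread or from MikroTik: a parser for the wg-quick style .conf that wg-easy exports per client, emitting the RouterOS 7 commands for the interface, the peer and the /ip address, plus a lint pass for the two things that went wrong earlier in this thread (a key pasted into the wrong field, and AllowedIPs = 0.0.0.0/0 when only management access over the tunnel is wanted). The interface name wireguard-vpn and the endpoint wg.example.net are assumptions; the keys in SAMPLE_CONF are constructed 32-byte dummies, not real key material.

```python
"""Translate a wg-quick style .conf (what wg-easy hands out per client) into the
RouterOS 7 commands for the same peer, and flag the mistakes seen in this thread.

Field mapping:
  [Interface] PrivateKey     -> /interface wireguard ... private-key=
  [Interface] Address        -> /ip address add ... interface=<wg interface>
  [Interface] DNS            -> (dropped: a router resolves via /ip dns, not per tunnel)
  [Peer] PublicKey           -> /interface wireguard peers ... public-key=
  [Peer] PresharedKey        -> ... preshared-key=
  [Peer] Endpoint            -> ... endpoint-address= endpoint-port=
  [Peer] AllowedIPs          -> ... allowed-address=
  [Peer] PersistentKeepalive -> ... persistent-keepalive=<n>s
"""
import base64
import binascii
import configparser
import ipaddress
from typing import Dict, List


def parse_wg_conf(text: str) -> Dict[str, Dict[str, str]]:
    # '=' is the only delimiter: base64 keys end in '=' and Endpoint contains ':'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep PrivateKey / PublicKey capitalisation
    cp.read_string(text)
    return {section: dict(cp[section]) for section in ("Interface", "Peer")}


def is_wg_key(b64: str) -> bool:
    """A WireGuard key is exactly 32 bytes, base64 encoded (44 chars ending in '=')."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def to_routeros(conf: Dict[str, Dict[str, str]], ifname: str = "wireguard-vpn") -> List[str]:
    """RouterOS 7 CLI lines equivalent to the .conf (interface name is an assumption)."""
    iface, peer = conf["Interface"], conf["Peer"]
    host, _, port = peer["Endpoint"].rpartition(":")
    # The router in the thread has IPv6 disabled, so only IPv4 AllowedIPs are carried over.
    allowed = [a.strip() for a in peer["AllowedIPs"].split(",")]
    v4 = [a for a in allowed if ipaddress.ip_network(a, strict=False).version == 4]
    addr = ipaddress.ip_interface(iface["Address"])
    peer_cmd = (f"add interface={ifname} endpoint-address={host} endpoint-port={port} "
                f"allowed-address={','.join(v4)} public-key=\"{peer['PublicKey']}\"")
    if peer.get("PresharedKey"):
        peer_cmd += f" preshared-key=\"{peer['PresharedKey']}\""
    if peer.get("PersistentKeepalive"):
        peer_cmd += f" persistent-keepalive={peer['PersistentKeepalive']}s"
    return [
        "/interface wireguard",
        f"add name={ifname} mtu=1420 private-key=\"{iface['PrivateKey']}\"",
        "/interface wireguard peers",
        peer_cmd,
        "/ip address",
        f"add address={addr.with_prefixlen} interface={ifname} network={addr.network.network_address}",
    ]


def lint(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings for the errors this thread ran into; an empty list means clean."""
    iface, peer = conf["Interface"], conf["Peer"]
    findings: List[str] = []
    for label, key in (("Interface/PrivateKey", iface.get("PrivateKey", "")),
                       ("Peer/PublicKey", peer.get("PublicKey", "")),
                       ("Peer/PresharedKey", peer.get("PresharedKey", ""))):
        if key and not is_wg_key(key):
            findings.append(f"{label} is not a 32-byte base64 key (truncated or mis-pasted)")
    if iface.get("PrivateKey") == peer.get("PublicKey"):
        findings.append("Interface/PrivateKey equals Peer/PublicKey: one of them was copied from the wrong field")
    nets = [ipaddress.ip_network(a.strip(), strict=False) for a in peer["AllowedIPs"].split(",")]
    if any(n.prefixlen == 0 for n in nets):
        findings.append("AllowedIPs 0.0.0.0/0 sends all router traffic into the tunnel; "
                        "for management access only, use the tunnel subnet, e.g. 10.8.0.0/24")
    return findings


def _dummy_key(fill: int) -> str:
    """Constructed 32-byte key for the sample; not real key material."""
    return base64.b64encode(bytes([fill]) * 32).decode()


# Constructed sample in wg-easy's export format; wg.example.net is a placeholder.
SAMPLE_CONF = f"""[Interface]
PrivateKey = {_dummy_key(1)}
Address = 10.8.0.13/24
DNS = 8.8.8.8

[Peer]
PublicKey = {_dummy_key(2)}
PresharedKey = {_dummy_key(3)}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = wg.example.net:51820
"""

if __name__ == "__main__":
    conf = parse_wg_conf(SAMPLE_CONF)
    print("\n".join(to_routeros(conf)))
    for finding in lint(conf):
        print("WARNING:", finding)
```

The public key RouterOS shows on the interface is not part of the mapping on purpose: it is derived from private-key and cannot be typed in, which is why it appears read-only in WinBox.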
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 6:11 pm

Thanks Sob, not familiar with manipulating keys, to me it's clear/simple.
a. the server, on the wireguard interface settings, provides/generates ONE PUBLIC KEY for all clients within the same interface (for export)
b. each client, on the interface side, produces/generates its own public key (for export)

Hence, each client has the same public key from the router, which they put in their own client peer settings (import).
Hence, the router has a separate client key for each peer in its peer settings (import).
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 6:30 pm

Seems obvious to me too, even the names in WG config and RouterOS config are (almost) same, but an extra hint can't hurt.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 6:47 pm

Is this a typo?
-ensure the clients if need internet have on peer settings allowed-ips=0.0.0.0/24
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 6:55 pm

yes and thanks!
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: RouterOS 7.5 as Wireguard client

Mon Sep 26, 2022 6:59 pm

You're very welcome.
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Tue Sep 27, 2022 9:06 am

I don't get it...

Here I have all keys in one place. That is the public server all clients are connecting to. All keys are generated by the server and I cannot change them.

If I understand right, the two pub keys have to be exchanged. The pub key from the server "WJI2xJ3..." has to be imported in the MT peer setting. Together with the preshared key..
But the pub key from the "Wireguard" interface setting is maybe the problem. I cannot change any keys on the server!!!
The key beginning with "pjG9xABXlQ...", generated by the server, has to be imported in the Interface settings of the MT?!

I'm sorry this has to be so complicated.
>>>>>>>>>> This file can be downloaded from the client (peer) or read by QR code.

[Interface]
PrivateKey = cE9i1nynqEbAP5*****************DyQuuygHw=
Address = 10.8.0.13/24
DNS = 8.8.8.8


[Peer]
PublicKey = E1X0GkYMieiKNWz****************0rTwncA22LbDBDE=
PresharedKey = BMEQOgVJlMGd****************lvde194CZAZjIe0=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = wg.domain.net:51820

>>>>>>>>>>> That's all. No more information for every peer!!

##############################################################
##############################################################

>>>>>>>>>>> The "server", which all peers are connecting to, has two configs.
>>>>>>>>>>> I am not able to change any of the keys on that server!

Server wg.conf  (part of)

# Client: db0et-router (8c13e49d-****-4b34-9785-aebcfa84df99)
[Peer]
PublicKey = pjG9xABXlQvjyrF**************GdH8UfF51hnPEMKDM=
PresharedKey = BMEQOgVJlMG******************vde194CZAZjIe0=
AllowedIPs = 10.8.0.13/32


##############################################################

Server wg.json
{
  "server": {
    "privateKey": "WJI2xJ3VEB1TG************4ix8CJWqqEJDsWh38=",
    "publicKey": "E1X0GkYMieiKNW***************rTwncA22LbDBDE=",
    "address": "10.8.0.1"
  },
##############################################################

 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RouterOS 7.5 as Wireguard client

Tue Sep 27, 2022 9:22 am

If the key-pairs are not correct, there will be no communication.
Take peer A and peer B (there is no client/server in WireGuard, only peers).

On Peer A you enter Public key of interface of peer B.
On Peer B you enter Public key of interface of peer A.

See here for more info:
https://help.mikrotik.com/docs/display/ROS/WireGuard
On Peer MT:
Public key = "E1X0GkYMieiKNW***************rTwncA22LbDBDE=" (That's the public key from the interface if I interpret the config you posted correctly)
Preshared key = "BMEQOgVJlMGd****************lvde194CZAZjIe0="

Shoot me a config at <username> AT gmail DOT com
I'll set up a connection from my side on a MT device.
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Tue Sep 27, 2022 9:27 am

Keys should be like this:
/interface wireguard
add <other options> private-key="key from Interface/PrivateKey"
There it is not possible to insert the pub key that the MT interface should use...?? (no autogenerate)
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Tue Sep 27, 2022 9:34 am

Shoot me a config at <username> AT gmail DOT com
I'll set up a connection from my side on a MT device.
Done

WTF...
~$ ping 10.8.0.14
PING 10.8.0.14 (10.8.0.14) 56(84) bytes of data.
64 bytes from 10.8.0.14: icmp_seq=1 ttl=63 time=35.8 ms
64 bytes from 10.8.0.14: icmp_seq=2 ttl=63 time=33.7 ms
 
holvoetn
Forum Guru
Posts: 5404
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: RouterOS 7.5 as Wireguard client

Tue Sep 27, 2022 10:25 am

Yeah, spooky, isn't it :lol:

And now I need to take a good look if I was in line with my comments.
EDIT: I was.

Config:
[xyz@mAPLite] /interface/wireguard> export show-sensitive 
# sep/27/2022 09:23:25 by RouterOS 7.6beta8
# software id = IFN6-V3SY
#
# model = RBmAPL-2nD
# serial number = <serial>
/ip address
add address=10.8.0.14/24 interface=TESTWG network=10.8.0.0
/interface wireguard
add listen-port=51820 mtu=1420 name=TESTWG private-key=\
    "<private key>"
/interface wireguard peers
add allowed-address=10.8.0.0/24 endpoint-address=<endpoint address> endpoint-port=51820 interface=\
    TESTWG persistent-keepalive=25s preshared-key="rSgJ3NCQBn5rTjO1vmgTb5+tCWfG8A4mVoWB1LZxeYk=" \
    public-key="E1X0GkYMieiKNWzNudK3xmQjI1ih0rTwncA22LbDBDE="
Last edited by holvoetn on Tue Sep 27, 2022 4:11 pm, edited 1 time in total.
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Tue Sep 27, 2022 11:14 am

Post #42 and it works. There is a handshake. And I don't know why or what happened. Maybe I have played around too much, tested too many possibilities.
I think the next steps are using the firewall to allow access to the webgui... Like anav has written in #17...

thank you for your patience... :)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: RouterOS 7.5 as Wireguard client

Tue Sep 27, 2022 4:06 pm

But the pub key from "Wireguard" interface setting is maybe the problem. I cannot change any keys on the server!!!
And you don't need to. The public key is derived from the private key. So if you set the private key for the WG interface on the client, then its public key will be the one that the server expects.

Edit: I mean in this case, when whole config was generated by server (just for the record, to not confuse someone who may find this thread later).
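Sob's point above (the public key is derived from the private key, so a key pair the server generated needs nothing changed on the server) and the .conf-to-RouterOS translation that took most of this thread can both be checked offline. The following is an added example, not code from this thread, from wg-easy or from MikroTik: it implements X25519 per RFC 7748 in pure Python, derives the public key from a .conf's PrivateKey, compares it with the PublicKey the server's wg.conf lists for that peer, and builds the RouterOS commands in the shape of holvoetn's working export (allowed-address set to the tunnel subnet rather than the .conf's 0.0.0.0/0). Assumptions: interface name wireguard-vpn, listen-port 51820, mtu 1420 and the endpoint wg.example.net; the sample keys are the RFC 7748 section 6.1 test vectors, not the keys from this thread.

```python
"""Check a wg-easy client .conf against the RouterOS side (added example, not
code from this thread, wg-easy or MikroTik). Derives the WireGuard public key
from [Interface] PrivateKey with pure-Python X25519 (RFC 7748), compares it
with the PublicKey the server's wg.conf lists for this peer, and builds the
RouterOS 7 commands. WireGuard keys are raw 32-byte X25519 keys in base64."""
import base64
import configparser
import ipaddress

_P = 2**255 - 19   # Curve25519 field prime
_A24 = 121665      # (486662 - 2) / 4

def _clamp(k: bytes) -> int:
    """RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254."""
    if len(k) != 32:
        raise ValueError("X25519 key must be 32 bytes")
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def _ladder(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5. It branches on key bits, so it is
    not constant-time: fine for an offline config check, not for a VPN."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * ((da - cb) ** 2 % _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, _P - 2, _P) % _P

def x25519(private_key: bytes, peer_u: bytes) -> bytes:
    """Raw X25519 on 32-byte inputs; peer_u = 9 (little-endian) yields the public key."""
    u = bytearray(peer_u)
    u[31] &= 127   # the top bit of u is ignored
    return _ladder(_clamp(private_key), int.from_bytes(u, "little")).to_bytes(32, "little")

def wg_public_key(private_key_b64: str) -> str:
    """The public key RouterOS shows for an interface created with this private key."""
    pub = x25519(base64.b64decode(private_key_b64), (9).to_bytes(32, "little"))
    return base64.b64encode(pub).decode()

def parse_wg_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str   # keep PrivateKey/PublicKey capitalisation
    cp.read_string(text)
    return cp

def matches_server_peer(conf_text: str, server_peer_public_b64: str) -> bool:
    """True when the server's [Peer] PublicKey is what the client's PrivateKey produces."""
    priv = parse_wg_conf(conf_text)["Interface"]["PrivateKey"]
    return wg_public_key(priv) == server_peer_public_b64

def routeros_commands(conf_text: str, name: str = "wireguard-vpn") -> list:
    """RouterOS 7 equivalent of the .conf; allowed-address is the tunnel subnet, as in
    the working export in this thread, not the .conf's 0.0.0.0/0 (full tunnel)."""
    cp = parse_wg_conf(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]
    host, port = peer["Endpoint"].rsplit(":", 1)
    tunnel = ipaddress.ip_interface(iface["Address"])
    return [
        f'/interface wireguard add name={name} listen-port=51820 mtu=1420 '
        f'private-key="{iface["PrivateKey"]}"',
        f'/ip address add address={tunnel.with_prefixlen} interface={name}',
        f'/interface wireguard peers add interface={name} endpoint-address={host} '
        f'endpoint-port={port} public-key="{peer["PublicKey"]}" '
        f'preshared-key="{peer["PresharedKey"]}" allowed-address={tunnel.network} '
        f'persistent-keepalive={peer["PersistentKeepalive"]}s',
    ]

# Constructed sample input: RFC 7748 section 6.1 keys, not the thread's keys.
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SAMPLE_CONF = f"""[Interface]
PrivateKey = {base64.b64encode(ALICE_PRIV).decode()}
Address = 10.8.0.13/24
DNS = 8.8.8.8

[Peer]
PublicKey = {base64.b64encode(BOB_PUB).decode()}
PresharedKey = {base64.b64encode(bytes(32)).decode()}
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
Endpoint = wg.example.net:51820
"""
SERVER_PEER_PUBLIC = base64.b64encode(ALICE_PUB).decode()   # what the server's wg.conf lists
```

Run `matches_server_peer(SAMPLE_CONF, SERVER_PEER_PUBLIC)` to confirm the pair, then paste the output of `routeros_commands(SAMPLE_CONF)` into the RouterOS terminal. If the check returns False for a real .conf, the PrivateKey pasted into the MT interface is not the one the server generated for that peer, and no amount of firewall work will produce a handshake.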
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Tue Sep 27, 2022 4:30 pm

The answer is obvious, the OP shouldn't wear sunglasses inside, harder to see things that way. ;-)
 
RudiOnTheAir
just joined
Topic Author
Posts: 18
Joined: Fri Sep 23, 2022 10:06 pm

Re: RouterOS 7.5 as Wireguard client

Wed Sep 28, 2022 4:52 pm

;))

Don't know if it was a good idea to start from scratch... :) There were so many preconfigured things and I removed them all and started with an empty config.
Have my two needed bridges. Port 3 to 6 / Port 7 to 10. DHCP is serving addresses. But internet works only on the bridge-lan. And!!! WireGuard is the same as yesterday.

My problem could be the firewall settings. I've added some rules to learn how it works (ping allowed or not...). But I don't think it will work to restore the firewall settings from the previous setup.
For example, I have no interface lists. Don't know why I need them...

Anyone?? ;)
# sep/28/2022 15:46:47 by RouterOS 7.5
# software id = VE92-QR7V
#
# model = RB2011UiAS-2HnD
# serial number = C44F0F387D53
/interface bridge
add name=bridge-hamnet
add name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan1
set [ find default-name=ether2 ] name=ether2-hamnet-antenna
set [ find default-name=ether3 ] name=ether3-hamnet
set [ find default-name=ether4 ] name=ether4-hamnet
set [ find default-name=ether5 ] name=ether5-hamnet
set [ find default-name=ether6 ] name=ether6-hamnet
set [ find default-name=ether7 ] name=ether7-lan
set [ find default-name=ether8 ] name=ether8-lan
set [ find default-name=ether9 ] name=ether9-lan
set [ find default-name=ether10 ] name=ether10-lan
set [ find default-name=sfp1 ] name=sfp1-wan2
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-vpn private-key=\
    "sC6gdvCrND############a1JHirIxa+HM="
/interface list
add name=WAN
add name=HAMNET   ????? I have deleted them... but they are still in the export????????
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_hamnet ranges=192.168.88.10-192.168.88.25
add name=dhcp_pool_lan ranges=192.168.10.1-192.168.10.100
/ip dhcp-server
add address-pool=dhcp_pool_hamnet interface=bridge-hamnet name=dhcp1
add address-pool=dhcp_pool_lan interface=bridge-lan name=dhcp2
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-hamnet interface=ether3-hamnet
add bridge=bridge-hamnet interface=ether4-hamnet
add bridge=bridge-hamnet interface=ether5-hamnet
add bridge=bridge-hamnet interface=ether6-hamnet
add bridge=bridge-lan interface=ether7-lan
add bridge=bridge-lan interface=ether8-lan
add bridge=bridge-lan interface=ether9-lan
add bridge=bridge-lan interface=ether10-lan
add bridge=bridge-lan interface=wlan1
/interface wireguard peers
add allowed-address=10.8.0.0/24 endpoint-address=wg.domain.net \
    endpoint-port=51820 interface=wireguard-vpn persistent-keepalive=25s \
    preshared-key="BMEQOgVJlM################194CZAZjIe0=" public-key=\
    "E1X0GkYMiei###########rTwncA22LbDBDE="
/ip address
add address=192.168.88.1/24 interface=bridge-hamnet network=192.168.88.0
add address=192.168.10.254/24 interface=bridge-lan network=192.168.10.0
add address=10.8.0.13/24 interface=wireguard-vpn network=10.8.0.0
/ip dhcp-client
add interface=ether1-wan1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.254 gateway=192.168.10.254 \
    ntp-server=192.168.10.254
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    ntp-server=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=drop chain=input comment="WAN > FW drop ping" in-interface=\
    ether1-wan1 protocol=icmp
add action=accept chain=input comment="accept established,related,tracket" \
    connection-state=established,related,untracked
add action=accept chain=input comment="LAN + Hamnet > FW accept" \
    in-interface=bridge-lan
add action=accept chain=input in-interface=bridge-hamnet
add action=accept chain=input comment="Wireguard > FW accept" in-interface=\
    wireguard-vpn
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
    ether1-wan1 src-address=192.168.10.0/24
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=de.pool.ntp.org
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS 7.5 as Wireguard client

Wed Sep 28, 2022 9:06 pm

;))
For example, I have no interface lists. Don't know why I need them..
There is no such thing as good or bad, just choices and consequences ;-)
