RRERF
just joined
Topic Author
Posts: 4
Joined: Thu Dec 08, 2022 6:33 pm

Hub and Spoke with WireGuard and OSPF

Thu Dec 08, 2022 7:09 pm

Hello

I'm trying to build a Hub and Spoke construction (as you can see in the picture).

(Attachment: 20221208_HubAndSpoke.png)

The following works:
- WireGuard connects from the clients to the server.
- I can ping the server addresses from the clients, and so on.
- ONE client connects to the server with OSPF (as a neighbor, state: Full).
- Routing server-to-client / client-to-server works with this one client, which is shown as a neighbor (state: Full).

What does not work:
- The other clients do not connect to the OSPF of the server router.


My configs (just WireGuard & OSPF):
Server router:
/routing id
add disabled=no id=192.168.250.254 name=id-1 select-dynamic-id=""
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=id-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbone
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=Internet list=WAN
add interface=VisuLAN list=LAN
add interface="PEWO VPN" list=LAN
add interface=loopback list=LAN
/interface wireguard peers
add allowed-address=192.168.251.2/32,172.17.2.0/24,224.0.0.0/24,192.168.250.0/24 comment="VPN002 Zuerich Gruenau Tiefgarage" interface="PEWO VPN" \
    persistent-keepalive=15s public-key="***********************="
add allowed-address=192.168.251.1/32,172.17.1.0/24,224.0.0.0/24,192.168.250.0/24 comment="VPN001 TestRouter" interface="PEWO VPN" persistent-keepalive=15s public-key=\
    "***************************="
/ip route
add disabled=no distance=1 dst-address=10.10.0.0/24 gateway=10.10.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=20 dst-address=0.0.0.0/0 gateway=172.31.1.1%Internet pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/routing ospf interface-template
add area=backbone disabled=no interfaces="PEWO VPN" networks=192.168.251.0/24 type=ptp
add area=backbone disabled=no interfaces=VisuLAN networks=10.10.0.0/16 passive type=ptp
add area=backbone disabled=no interfaces=loopback networks=192.168.250.254/32 type=ptp
/routing ospf static-neighbor
add address="192.168.251.1%PEWO VPN" area=backbone disabled=no
add address="192.168.251.2%PEWO VPN" area=backbone disabled=no

Client router, Client 1 (the others are similar, with changed IP addresses):
/routing id
add disabled=no id=192.168.250.1 name=id-1 select-dynamic-id=""
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=id-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbone
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
add interface="PEWO VPN001" list=LAN
add interface=loopback list=LAN
/interface wireguard peers
add allowed-address=192.168.251.254/32,10.10.0.0/16,224.0.0.0/24,192.168.250.0/24 \
    endpoint-address=SERVER-IP endpoint-port=PORT interface="PEWO VPN001" \
    persistent-keepalive=15s public-key="***********************="
/ip address
add address=172.17.1.1/24 comment=defconf interface=bridge network=172.17.1.0
add address=192.168.250.1 interface=loopback network=192.168.250.1
add address=192.168.251.1/24 interface="PEWO VPN001" network=192.168.251.0
/routing ospf interface-template
add area=backbone disabled=no interfaces="PEWO VPN001" networks=192.168.251.0/24 type=ptp
add area=backbone disabled=no interfaces=bridge networks=172.17.1.0/24 passive type=ptp
add area=backbone disabled=no interfaces=loopback networks=192.168.250.1/32 type=ptp
/routing ospf static-neighbor
add address="192.168.251.254%PEWO VPN001" area=backbone disabled=no


Thank you all for helping!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hub and Spoke with WireGuard and OSPF

Thu Dec 08, 2022 9:32 pm

(1) In allowed IPs, the server needs to have the WireGuard IP address of each peer in the format /32.
The clients should have the WireGuard IP address in the format of the subnet .0/24.

(2) Remove empty entries............
/ip route
add disabled=no distance=1 dst-address=10.10.0.0/24 gateway=10.10.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=20 dst-address=0.0.0.0/0 gateway=172.31.1.1%Internet pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

(3) Having duplicate subnets/peers to go to is going to be confusing.................. and will not work!~
/interface wireguard peers
add allowed-address=192.168.251.2/32,172.17.2.0/24,224.0.0.0/24,192.168.250.0/24 comment="VPN002 Zuerich Gruenau Tiefgarage" interface="PEWO VPN" \
persistent-keepalive=15s public-key="***********************="
add allowed-address=192.168.251.1/32,172.17.1.0/24,224.0.0.0/24,192.168.250.0/24 comment="VPN001 TestRouter" interface="PEWO VPN" persistent-keepalive=15s public-key=\


In this case, any user on your server, or remote user coming into the server, looking to reach another spoke, requesting to go to the second peer will always be directed to the first peer (second rule never visited).

(4) By the way, a good rule to have on the server router is......... thus making it clear that any spoke-to-spoke traffic via the hub is permitted.
add action=accept chain=forward in-interface=wg-interface-name out-interface=wg-interface-name

(5) The Hub Router is missing many routes for the subnets where either the router needs to know where to send the return traffic (back through the tunnel) or where to send local requests for those subnets (to enter the tunnel).

(6) It's becoming clear you don't know squat about WireGuard and yet seem to happily and merrily go very complex with OSPF and WireGuard.
For example, WTF is this.......
/interface wireguard peers
add allowed-address=192.168.251.254/32,10.10.0.0/16,224.0.0.0/24,192.168.250.0/24 \
endpoint-address=SERVER-IP endpoint-port=PORT interface="PEWO VPN001" \
persistent-keepalive=15s public-key="***********************="
/ip address
add address=172.17.1.1/24 comment=defconf interface=bridge network=172.17.1.0
add address=192.168.250.1 interface=loopback network=192.168.250.1



Allowed IPs has nothing to do with any addresses locally!! It's only considering external subnets (what to visit, or what may visit you).
The format appears to be wrong in the address (missing .1/24)??
 
RRERF
just joined
Topic Author
Posts: 4
Joined: Thu Dec 08, 2022 6:33 pm

Re: Hub and Spoke with WireGuard and OSPF

Thu Dec 08, 2022 10:51 pm

Thank you for the quick answer.

For explanation: it's a RouterOS VM in a hosting center.

(1) done

(2)
- add disabled=no distance=1 dst-address=10.10.0.0/24 gateway=10.10.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Without this rule, I can't access the next VM on the cloud hosting system, because the DHCP address (10.10.0.4/16) does not bring the virtual gateway (10.10.0.1), which is needed to contact the other virtual machines...

- add disabled=no distance=20 dst-address=0.0.0.0/0 gateway=172.31.1.1%Internet pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
This is my internet connection.

(3)
- I've read that 224.0.0.0/24 is needed for OSPF broadcast. Don't I need this?
- I have replaced the address 192.168.250.0/24 with 192.168.250.XXX/32

(4)
Thanks, it's implemented.

(5)
In the working OSPF client, the routes come up (out of OSPF) in both directions.

(6)
Yes, I have not understood which addresses have to be filled in under "Allowed Address".


The rule add address=192.168.250.1 interface=loopback network=192.168.250.1 is the loopback bridge address that I made for the router ID
(it was in a tutorial from MikroTik)...

So, what can I do to bring my system up to work?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hub and Spoke with WireGuard and OSPF

Thu Dec 08, 2022 11:28 pm

The IP address 250.1 seems hokey to me and I would avoid it.
Know nothing about OSPF so can't help you there, but allowed IP rules are allowed IP rules and should be followed...... no duplicates!!!

As far as the first two comments, I didn't mean get rid of the rules, I mean get rid of the empty fields pref-src=""
 
RRERF
just joined
Topic Author
Posts: 4
Joined: Thu Dec 08, 2022 6:33 pm

Re: Hub and Spoke with WireGuard and OSPF

Fri Dec 09, 2022 12:32 pm

Perfect, so the WireGuard situation is cleaned up.

Do you know who can help me with OSPF?
 
eduplant
Member Candidate
Posts: 139
Joined: Tue Dec 19, 2017 9:45 am

Re: Hub and Spoke with WireGuard and OSPF  [SOLVED]

Sun Dec 11, 2022 8:38 pm

Looks like you have OSPF set to type=ptp. From OSPF's perspective, the WireGuard interface is a single interface even if more than one remote peer can send packets to it. In P2P mode it's going to assume that there is only one peer on the interface and use the usual multicast/broadcast mechanism. Whatever router connects first is likely to be the one that forms the neighbor adjacency and everything else is out of luck.

It looks like you are fine with a static enumeration of the peers since you've configured /routing ospf static-neighbor, but I'm pretty sure that doesn't take effect for interfaces in P2P mode. In type=nbma mode, the neighbors will be formed using unicast hellos, so that should make sure each configured peer on the WireGuard link gets one.
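Putting the thread's two fixes together (anav's allowed-address rules and eduplant's type=nbma advice), the hub and one spoke would look roughly like the following. This is an added example written for this thread, not configuration posted by either participant or by MikroTik. Interface names, the 192.168.251.x tunnel addresses, the 172.17.x.0/24 and 10.10.0.0/16 subnets come from the original post; the public-key values are placeholders, the 192.168.250.2/32 router-id address for the second spoke is assumed by analogy with 192.168.250.1, and the priority=0 on the spoke is an added safeguard (in NBMA mode adjacencies form only with the DR/BDR, so the hub must win that election, since spokes cannot exchange hellos with each other). Once hellos are unicast to the static neighbors, the 224.0.0.0/24 entry is assumed to be unnecessary and is dropped.

```routeros
# --- Hub (192.168.251.254 on "PEWO VPN") ---
# One WireGuard peer per spoke. Each peer lists only what lives behind THAT
# spoke: its /32 tunnel address, its LAN, and its router-id /32. No subnet
# appears on more than one peer, so cryptokey routing is unambiguous.
/interface wireguard peers
add interface="PEWO VPN" comment="VPN001 TestRouter" persistent-keepalive=15s \
    public-key="SPOKE1-PUBLIC-KEY-PLACEHOLDER" \
    allowed-address=192.168.251.1/32,172.17.1.0/24,192.168.250.1/32
add interface="PEWO VPN" comment="VPN002 Zuerich Gruenau Tiefgarage" persistent-keepalive=15s \
    public-key="SPOKE2-PUBLIC-KEY-PLACEHOLDER" \
    allowed-address=192.168.251.2/32,172.17.2.0/24,192.168.250.2/32

# OSPF treats the single WireGuard interface as NBMA: hellos go unicast to
# each static neighbor instead of to 224.0.0.5, so every spoke gets one.
/routing ospf interface-template
add area=backbone interfaces="PEWO VPN" networks=192.168.251.0/24 type=nbma
/routing ospf static-neighbor
add address="192.168.251.1%PEWO VPN" area=backbone
add address="192.168.251.2%PEWO VPN" area=backbone

# Explicitly permit spoke-to-spoke traffic that hairpins through the hub
# (anav's point 4). Place this above any drop rule in the forward chain.
/ip firewall filter
add action=accept chain=forward in-interface="PEWO VPN" out-interface="PEWO VPN" \
    comment="spoke-to-spoke via hub"

# --- Spoke 1 (192.168.251.1 on "PEWO VPN001") ---
# A spoke has a single peer (the hub), so allowed-address carries the whole
# tunnel subnet plus every remote prefix it must reach through the tunnel,
# including the other spoke's LAN for hub-relayed spoke-to-spoke traffic.
/interface wireguard peers
add interface="PEWO VPN001" endpoint-address=SERVER-IP endpoint-port=PORT \
    persistent-keepalive=15s public-key="HUB-PUBLIC-KEY-PLACEHOLDER" \
    allowed-address=192.168.251.0/24,10.10.0.0/16,172.17.2.0/24,192.168.250.0/24

# Same NBMA mode on the spoke side, hub as its only static neighbor.
# priority=0 keeps the spoke out of the DR/BDR election (added safeguard,
# not part of the thread's own configuration).
/routing ospf interface-template
add area=backbone interfaces="PEWO VPN001" networks=192.168.251.0/24 type=nbma priority=0
/routing ospf static-neighbor
add address="192.168.251.254%PEWO VPN001" area=backbone
```

After applying this, /routing ospf neighbor print on the hub should show one entry per spoke in state Full; a spoke stuck in Init or Exchange usually means its tunnel address is missing from the hub's allowed-address list for that peer, or the static-neighbor address does not match the spoke's actual tunnel address.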
 
RRERF
just joined
Topic Author
Posts: 4
Joined: Thu Dec 08, 2022 6:33 pm

Re: Hub and Spoke with WireGuard and OSPF

Mon Dec 12, 2022 6:09 pm

Thank you so much, now it works!
