FedericoR
just joined
Topic Author
Posts: 1
Joined: Thu Dec 29, 2022 11:42 pm

Wireguard site-to-site with roadwarriors

Fri Dec 30, 2022 12:21 am

Hi forum, glad to be a newcomer in the Mikrotik family!

I'm playing with two RB3011 (example of client A and B) connecting to a cloud CHR to get a Wireguard site-to-site tunnel with routed subnet, so client A can reach B services (and vice-versa).
Everything is working and I can reach the respective LANs.

             to internet
                  ▲
                  │
           ┌──────┴──────┐
           │   VPS CHR   │
           │   WG SRV    ├───────────────────────┐
           │             │                       │
        ┌──┤10.0.0.254/24├───┐                   │
        │  └─────────────┘   │                   │
        │                    │                   │
        │                    │                   │
WG A 10.0.0.1/32      WG B 10.0.0.2/32      RoadWarrior

192.168.10.1/24       192.168.11.1/24
        │                    │
        │                    │
      LAN                   LAN
    Services              Services

Now I want to add some road warriors to the mix; those can be:
1. employees - access the whole subnet (and maybe route all traffic through the local gw of the site A or B)
2. 3rd party support - only access to a specific ip on the remote subnet

I'd like road warriors to connect to the cloud CHR and be sent to the right subnet (site A or B) with the right "permissions". I'm having problems with this, any hint?
Maybe anyone can point me to the right scenario on /viewtopic.php?t=182340 ? TY

Example config - WG Server (VPS CHR)

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=10.0.0.1/32,192.168.10.0/24 comment=WG-VPN-A interface=wireguard1 persistent-keepalive=20s public-key=\
    "RtTNNObHABsmOPPt/rwshR0MPvDPux2BYaAXzy/uWGs="
add allowed-address=10.0.0.2/32,192.168.11.0/24 comment=WG-VPN-B interface=wireguard1 persistent-keepalive=20s public-key=\
    "Ii84aE2MK++lAf1/0IK4TbTMnMoWfpH/xfteDczo1io="
/ip address
add address=10.0.0.254/24 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=Wireguard dst-port=13231 port="" protocol=udp
add action=accept chain=forward disabled=yes dst-port=13231 protocol=udp
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=input
/ip route
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.11.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name=WG-VPN-SRV
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
add address=time.cloudflare.com

____________________
Example config - Site B

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.11.2-192.168.11.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 name=dhcp1
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=10.0.0.254/32,10.0.0.1/32,192.168.10.0/24 endpoint-address=5.75.228.xx endpoint-port=13231 interface=wireguard1 \
    persistent-keepalive=20s public-key="flh3JvJD6xi4l9yBLC2hhPTAHteiTjlF+kokx4ZrrUM="
/ip address
add address=192.168.11.1/24 interface=ether2 network=192.168.11.0
add address=10.0.0.2/24 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=no dst-address=192.168.10.0/24 gateway=wireguard1 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=WG-VPN-B
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
add address=time.cloudflare.com
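One way to express the two "permission" classes (employees: whole remote subnets; 3rd-party support: one host) on top of the configs above. This is an added example, not part of the original post or of MikroTik's own documentation. Everything it introduces is assumed: the employee road warrior gets 10.0.0.10, the vendor gets 10.0.0.20, the single host the vendor may reach is 192.168.11.50 on site B, and the public keys are placeholders. The enforcement lives on the CHR in two layers: WireGuard's allowed-address (cryptokey routing) pins each road warrior to its own /32 source address, and forward-chain filter rules keyed on address lists decide where that source may go. Site B (and symmetrically site A) only needs its allowed-address widened so that road-warrior sources arriving from the CHR are not silently dropped.

```routeros
# Added example (not the original poster's config). Assumed/constructed values:
# employee road warrior 10.0.0.10, vendor 10.0.0.20, vendor target 192.168.11.50,
# public keys are placeholders to be replaced with the clients' real keys.

# ------------------------- WG server (VPS CHR) -------------------------
/interface wireguard peers
# One /32 per road warrior. WireGuard drops any packet whose source is outside
# allowed-address, so a client cannot spoof another road warrior's address.
add allowed-address=10.0.0.10/32 comment=RW-employee-1 interface=wireguard1 \
    public-key="<EMPLOYEE_PUBLIC_KEY_PLACEHOLDER>"
add allowed-address=10.0.0.20/32 comment=RW-vendor-support interface=wireguard1 \
    public-key="<VENDOR_PUBLIC_KEY_PLACEHOLDER>"

/ip firewall address-list
# Role lists: add a new road warrior by adding its /32 to the matching list.
add address=10.0.0.10 list=rw-employees comment=RW-employee-1
add address=10.0.0.20 list=rw-vendor comment=RW-vendor-support
# Aggregate list used by the final catch-all drop.
add address=10.0.0.10 list=rw-all comment=RW-employee-1
add address=10.0.0.20 list=rw-all comment=RW-vendor-support

/ip firewall filter
# Appended after the existing forward rules, so established/related traffic is
# still fasttracked/accepted first; only new connections reach these rules.
# Road-warrior traffic enters and leaves on wireguard1 (CHR relays between peers).
add action=accept chain=forward comment="RW employees -> site A LAN" \
    in-interface=wireguard1 out-interface=wireguard1 \
    src-address-list=rw-employees dst-address=192.168.10.0/24
add action=accept chain=forward comment="RW employees -> site B LAN" \
    in-interface=wireguard1 out-interface=wireguard1 \
    src-address-list=rw-employees dst-address=192.168.11.0/24
add action=accept chain=forward comment="RW vendor -> single host on site B" \
    in-interface=wireguard1 out-interface=wireguard1 \
    src-address-list=rw-vendor dst-address=192.168.11.50
# Everything else from a road warrior is denied and logged, so attempts to reach
# other hosts show up in /log with the rw-denied prefix.
add action=drop chain=forward comment="RW: deny and log the rest" \
    in-interface=wireguard1 src-address-list=rw-all \
    log=yes log-prefix=rw-denied

# ------------------------------ Site B ------------------------------
# (Site A is the same with 192.168.11.0/24 swapped for 192.168.10.0/24.)
/interface wireguard peers
# Widen allowed-address from the individual /32s to the whole tunnel subnet;
# otherwise site B's WireGuard drops packets sourced from 10.0.0.10 / 10.0.0.20.
# Return traffic already has a connected route via 10.0.0.2/24 on wireguard1.
set [ find interface=wireguard1 ] allowed-address=10.0.0.0/24,192.168.10.0/24
```

On the road-warrior client, AllowedIPs only steers routing (10.0.0.0/24, 192.168.10.0/24 and 192.168.11.0/24 for an employee; 192.168.11.50/32 for the vendor); the actual restriction is the CHR's forward rules, which hold even if a client edits its own AllowedIPs. Routing all of a road warrior's internet traffic out of site A's or B's gateway is a separate step (0.0.0.0/0 in the client's AllowedIPs plus a matching allowed-address and masquerade on the chosen site) and is not covered by this block.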
