jeniha
just joined
Topic Author
Posts: 3
Joined: Fri Oct 07, 2022 4:23 pm

Google Home over Wireguard

Mon Jan 16, 2023 10:37 am

Hi,
I'm wondering whether it is possible to use my Google Home sh*ts over WireGuard.
What I mean is that I can use them over WireGuard, but with limited functionality. For example, I can use all controls (changing volume, changing channels, turning the box off and on, etc.) on my Android TV box over Google Home, but over WireGuard I can only change the volume; I cannot, for example, turn the box off and on over WireGuard.
The setup is nothing special: my main network is 88.0/24, my WireGuard network is 89.0/24, with the default firewall rules plus some small changes.
# jan/16/2023 10:20:00 by RouterOS 7.6
# software id = 02F4-WMYY
#
# model = RBD52G-5HacD2HnD
# serial number = SN
/interface bridge
add admin-mac=B8:69:F4:8A:6C:97 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=MAC speed=100Mbps
set [ find default-name=ether2 ] rx-flow-control=auto speed=100Mbps \
    tx-flow-control=auto
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=bulgaria distance=indoors frequency=2447 hide-ssid=yes mode=\
    ap-bridge ssid=SSIDTest station-roaming=enabled wireless-protocol=\
    802.11
/interface wireguard
add listen-port=myport mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.isp.bg authentication=pap ip-type=\
    ipv4 name=isp use-network-apn=no user=isp
add apn=internet.isp.bg ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=SSID supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=bulgaria distance=indoors hide-ssid=yes mode=\
    ap-bridge security-profile=SSID skip-dfs-channels=10min-cac ssid=\
    SSID station-roaming=enabled wireless-protocol=802.11
add mac-address=BA:69:F4:8A:6C:9C master-interface=wlan2 name=wlan3 \
    security-profile=profile ssid=SSID
add hide-ssid=yes mac-address=BA:69:F4:8A:6C:9B master-interface=wlan1 name=\
    wlan4 security-profile=profile ssid=SSID
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.150
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge filter
# wlan3 not ready
# in/out-bridge-port matcher not possible when interface (wlan3) is not slave
add action=drop chain=forward in-interface=wlan3
# wlan3 not ready
# in/out-bridge-port matcher not possible when interface (wlan3) is not slave
add action=drop chain=forward out-interface=wlan3
# wlan4 not ready
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward in-interface=wlan4
# wlan4 not ready
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge interface=wlan3
add bridge=bridge interface=wlan4
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=*9 list=WAN
add interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.89.2/24 comment="Client Phone" interface=\
    wireguard1 public-key="key"
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.89.1/24 interface=wireguard1 network=192.168.89.0
/ip arp
add address=192.168.88.247 interface=bridge mac-address=MAC
add address=192.168.88.249 interface=bridge mac-address=MAC
add address=192.168.88.250 interface=bridge mac-address=MAC
/ip cloud
set ddns-update-interval=30m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.89.2 list=management
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" limit=\
    20,40:packet protocol=icmp
add action=accept chain=input comment="Allow Management IP's" \
    src-address-list=management
add action=drop chain=input comment="drop ssh brute forcers" dst-port=myport \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=myport \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=myport \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=myport \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=myport \
    protocol=tcp
add action=accept chain=input comment=SSH dst-port=myport protocol=tcp
add action=drop chain=input comment="drop winbox brute forcers" dst-port=myport \
    protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=myport \
    protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=myport \
    protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=myport \
    protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=myport \
    protocol=tcp
add action=accept chain=input comment=WinBox disabled=yes dst-port=myport \
    protocol=tcp
add action=accept chain=input comment=WireGuard dst-port=myport protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set h323 disabled=yes
set pptp disabled=yes
set rtsp disabled=no
/ip kid-control device
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=myport
set api disabled=yes
set winbox port=myport
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=both
/system clock
set time-zone-name=Europe/Sofia
/system identity
set name=NAME
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
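A few settings in the export above weaken the setup independently of the discovery problem. The fragment below is an added example (not part of jeniha's export) showing the corrected values next to what the export has; it assumes the interface, peer comment and list names from the export, and it adds a VPN interface list and an explicit forward policy, which the export does not have.

```routeros
# Added hardening fragment (example, not from the original post).
# Assumes names from the export above: wireguard1, peer comment "Client Phone",
# interface list LAN. The VPN list and the three forward rules are new.

# 1. allowed-address is both the route and the source-address filter for a peer.
#    The export has 192.168.89.2/24, which lets that one key send packets
#    claiming any 192.168.89.x source. Pin it to the single tunnel address.
/interface wireguard peers
set [ find comment="Client Phone" ] allowed-address=192.168.89.2/32

# 2. The export has allow-none-crypto=yes, which permits an SSH session to
#    negotiate the "none" cipher. Disable it and require strong algorithms.
/ip ssh
set allow-none-crypto=no strong-crypto=yes

# 3. The export has no final drop in the forward chain, so VPN<->LAN traffic is
#    allowed only by omission. State the policy explicitly: VPN clients may reach
#    the LAN, the LAN may go anywhere, everything else new is dropped.
#    (Test from an already-open session, or use Safe Mode, before saving.)
/interface list
add name=VPN
/interface list member
add interface=wireguard1 list=VPN
/ip firewall filter
add action=accept chain=forward comment="VPN to LAN" in-interface-list=VPN \
    out-interface-list=LAN
add action=accept chain=forward comment="LAN to anywhere" in-interface-list=LAN
add action=drop chain=forward comment="drop everything else"
```

Because `add` appends, the three forward rules land after the existing "drop all from WAN not DSTNATed" rule, which is fine: established/related and fasttrack are matched earlier in the chain, so only new connections reach the explicit accept/drop rules.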
 
optio
Long time Member
Posts: 672
Joined: Mon Dec 26, 2022 2:57 pm

Re: Google Home over Wireguard

Mon Jan 16, 2023 7:20 pm

Is your Android device on the LAN visible over WireGuard? In my case I can only see Apple devices, and e.g. AirPlay is working over WireGuard to a LAN device. The Android TV box is not visible and I can't use Chromecast. I just have allow-forward firewall rules between the LAN and VPN interfaces. It seems that in my case SSDP discovery is blocked while mDNS is not...
 
jeniha
just joined
Topic Author
Posts: 3
Joined: Fri Oct 07, 2022 4:23 pm

Re: Google Home over Wireguard

Tue Jan 17, 2023 10:21 pm

optio wrote:
Is your Android device on the LAN visible over WireGuard? In my case I can only see Apple devices, and e.g. AirPlay is working over WireGuard to a LAN device. The Android TV box is not visible and I can't use Chromecast. I just have allow-forward firewall rules between the LAN and VPN interfaces. It seems that in my case SSDP discovery is blocked while mDNS is not...
Over WireGuard I can ping local devices.
 
optio
Long time Member
Posts: 672
Joined: Mon Dec 26, 2022 2:57 pm

Re: Google Home over Wireguard

Wed Jan 18, 2023 6:45 pm

The ICMP protocol, which ping uses, is not related to the SSDP discovery that is used to detect services on Google devices. I guess in my case it is a multicast problem across different subnets; I will need to see how to set up IGMP proxy or PIM for this...
What I mean by "is your device visible": can you see your Android box connected on the LAN in, e.g., the Google Home application (or Google Chrome for Chromecast) on a device connected to WireGuard?
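Ping succeeding while discovery fails is exactly what a routed tunnel produces: unicast is forwarded, but the discovery groups are not. mDNS uses 224.0.0.251, which lies in the link-local 224.0.0.0/24 block that routers never forward (so an IGMP proxy does not help for it; an mDNS repeater on the router or LAN is the usual answer), and SSDP uses 239.255.255.250, which is site-scoped and likewise stops at the first hop unless something is configured to forward it. The script below is an added example, not optio's or anyone's code from this thread: it builds a DNS-SD PTR query for `_googlecast._tcp.local` (the service type Chromecast and Android TV advertise), sends it to the mDNS group with the "unicast response" bit set so an answer can travel back over a layer-3 link, and parses any PTR answers. Run it once on the LAN and once from the WireGuard client; the difference in results is the discovery gap. The `SAMPLE_RESPONSE` is constructed, not captured traffic, so the parser can be exercised offline.

```python
"""Minimal DNS-SD (mDNS) PTR probe for testing service discovery across a routed
WireGuard link. Added example; packet layout follows RFC 6762/6763."""
import socket
import struct

MDNS_GROUP = "224.0.0.251"   # link-local scope (224.0.0.0/24): routers do not forward it
MDNS_PORT = 5353
TYPE_PTR = 12
CLASS_IN = 1
QU_BIT = 0x8000              # "unicast response requested" flag in QCLASS (RFC 6762 s5.4)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(service: str, unicast_response: bool = True) -> bytes:
    """One-question mDNS query: ID 0, flags 0, PTR for the service type.
    With the QU bit set, responders reply by unicast to our source address,
    the only kind of reply that can cross a layer-3 tunnel at all."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, qclass)


def decode_name(data: bytes, offset: int):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            hops += 1
            if hops > 16:                             # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("utf-8", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_ptr_answers(data: bytes):
    """Return [(service, instance, ttl)] for every PTR record in a response."""
    qd, an, ns, ar = struct.unpack("!HHHH", data[4:12])
    offset = 12
    for _ in range(qd):                                # skip the question section
        _, offset = decode_name(data, offset)
        offset += 4                                    # QTYPE + QCLASS
    results = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            instance, _ = decode_name(data, offset)
            results.append((name, instance, ttl))
        offset += rdlen
    return results


# Constructed sample response (not captured traffic): one PTR answer whose rdata
# ends with a compression pointer back to the service name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    + encode_name("_googlecast._tcp.local")
    + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, 17)
    + b"\x0eLiving-Room-TV" + b"\xc0\x0c"
)


def probe(service: str = "_googlecast._tcp.local", timeout: float = 3.0):
    """Send the query to the mDNS group and collect (responder, instance) pairs.
    Run from the WireGuard client: an empty list while the same box answers on
    the LAN means discovery traffic is not crossing the tunnel."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 4)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_query(service), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, addr = sock.recvfrom(4096)
            for _service, instance, _ttl in parse_ptr_answers(data):
                found.append((addr[0], instance))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for responder, instance in probe():
        print(responder, instance)
```

The multicast TTL is raised above 1 only so the packet is not dropped by the sender's own stack; it does not make the router forward link-local multicast, which is the point the probe demonstrates.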
 
UpRunTech
Member Candidate
Posts: 213
Joined: Fri Jul 27, 2012 12:11 pm

Re: Google Home over Wireguard

Tue Feb 21, 2023 2:02 am

See my post about getting mDNS working on Wireguard.

viewtopic.php?p=985190&hilit=mdns#p985190
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Google Home over Wireguard

Tue Feb 21, 2023 2:56 am

In general, ZeroTier is a better solution for layer 2 multicasting.........
