Newbienoob
just joined
Topic Author
Posts: 9
Joined: Thu Jan 05, 2023 6:37 pm

Wireguard Questions

Thu Jan 05, 2023 7:17 pm

Hello to all!

I have an issue with creating something that to most of you is a walk in the park, but due to my incompetence it's not so easy for me.
I thought I would make a schematic/topology of how I was thinking of implementing my plan.
(See Attached schematic before reading more)
WG Tunnel Created and working.
Question 1: Should Wireguard MTU between server and clients be 1420? (just a yes or no would do)

Question 2: Every time I reboot the client peer on the WG tunnel, the tunnel doesn't come up automatically. Why is that?

Question 3: My target is to route all traffic from the Wifi Client dhcp pool over to WG Server (Internet Gateway)
Should my gateway be the remote WG Server IP, the local WG Client IP, the WLAN IP or the bridge1 ip?
What about DNS IP?

Question 4: What are the basic rules to allow all traffic and protocols to pass over the tunnel?
Currently I am having problems with HTTPS Sites, Teams and sometimes Webex.

Attached (client.config.txt) you will also find the configuration I have. It's a lot of trial and error, so if you find something unnecessary or wrong do correct me.

Thank you for reading.
 
Newbienoob
just joined
Topic Author
Posts: 9
Joined: Thu Jan 05, 2023 6:37 pm

Re: Wireguard Questions

Wed Jan 11, 2023 11:26 pm

I figured out why 1420 is used and why the tunnel is down when I reboot the client.
Questions 3 and 4 remain a mystery.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Questions

Thu Jan 12, 2023 2:37 am

my guess is that you provide no route for local client users to enter the tunnel..............
 
Newbienoob
just joined
Topic Author
Posts: 9
Joined: Thu Jan 05, 2023 6:37 pm

Re: Wireguard Questions

Fri Jan 27, 2023 9:31 pm

I find it impossible to make Microsoft Teams work with the default wireguard config.
For Teams to function correctly, you must open TCP ports 80 and 443 from the clients to the internet, and UDP ports 3478 through 3481 from the clients to the internet. The TCP ports are used to connect to web-based content such as SharePoint Online, Exchange Online, and the Teams Chat services.
I would like some help to set this up. Is this through Filter Rules or NAT? Any ideas?
 
Njumaen
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Wed Feb 24, 2016 8:41 pm
Location: Bielefeld, Germany
Contact:

Re: Wireguard Questions

Fri Jan 27, 2023 10:05 pm

> Question 2: Every time I reboot the client peer on the WG tunnel, the tunnel doesn't come up automatically. Why is that?
Wireguard is stateless. The tunnel gets active with the first sent packet.

Solution: create a scheduled ping on @startup
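The scheduled ping Njumaen describes, written out as an added example (not Njumaen's own script); it assumes the client's tunnel interface is named wireguard1, pings the server's tunnel address 10.10.1.1 from the thread, and shows the peer's persistent-keepalive setting as the built-in alternative.

```routeros
# Added example, not Njumaen's script. Assumed: the client's wireguard interface
# is named wireguard1; 10.10.1.1 is the server's tunnel address from the thread.
# Runs once after boot: the ping is the "first sent packet" that triggers the
# handshake, so the tunnel comes up without waiting for a LAN client to talk.
/system scheduler add name=wg-kick start-time=startup interval=0s \
    on-event="/ping 10.10.1.1 count=3"

# Built-in alternative: have the peer send a keepalive every 25s. This starts
# the handshake right after boot and also keeps NAT state on the path alive.
/interface wireguard peers set [find interface=wireguard1] persistent-keepalive=25s
```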
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Questions

Fri Jan 27, 2023 10:08 pm

One should match the client and server MTU settings if possible.
If you are going to a third party provider they often provide MTU settings and so you should try to match that.
In this case you seem to be connecting to another MT device.

First off, give the wireguard address something unique and NOT the same as your LAN.
10.10.1.1/24 at the server network=10.10.1.0
10.10.1.2/24 at the Client network=10.10.1.0

Why does your bridge need an address if you are giving the WLAN an address?
Either attach the WLANs to the bridge or don't have a bridge!!

You should post both configs or else I cannot comment in context and accurately on the setup.
It would appear the entire bridge needs to go through the tunnel...

Is this router facing the internet? You don't have adequate filter rules...
You are missing a table and routing rules...
You are missing a route...
 
Newbienoob
just joined
Topic Author
Posts: 9
Joined: Thu Jan 05, 2023 6:37 pm

Re: Wireguard Questions

Sat Jan 28, 2023 1:32 pm

> One should match the client and server MTU settings if possible.
> If you are going to a third party provider they often provide MTU settings and so you should try to match that.
> In this case you seem to be connecting to another MT device.
Correct, I have the same MTU on both sides.
> First off, give the wireguard address something unique and NOT the same as your LAN.
> 10.10.1.1/24 at the server network=10.10.1.0
> 10.10.1.2/24 at the Client network=10.10.1.0
It's already done as per the OP schematic.
> Why does your bridge need an address if you are giving the WLAN an address?
> Either attach the WLANs to the bridge or don't have a bridge!!
Because I read somewhere in the forums that in order to have a WLAN IP you need to set the IP on the bridge due to MT prerequisites (cannot have a slave interface with an IP, or something).
> You should post both configs or else I cannot comment in context and accurately on the setup.
> It would appear the entire bridge needs to go through the tunnel...
>
> Is this router facing the internet? You don't have adequate filter rules...
> You are missing a table and routing rules...
> You are missing a route...
Attached the server config.
server_config.txt
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Questions

Sat Jan 28, 2023 6:43 pm

Need to see both client and server wg configs........
 
Newbienoob
just joined
Topic Author
Posts: 9
Joined: Thu Jan 05, 2023 6:37 pm

Re: Wireguard Questions

Sun Feb 05, 2023 4:59 pm

Hello,

Client is at the top in the OP and server config is at the bottom.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Questions

Sun Feb 05, 2023 5:24 pm

Client side

(1) Address/Subnets
a. The wireguard subnet should be separate and distinct.
b. The wlan1 address is a nonsense entry as you already have it attached to the bridge as a bridge port and you gave the bridge DHCP responsibility.

Fix those issues up first.

(2) Firewall rules are non-existent and not helpful.

(3) The first two routes make no sense to me.

(4) No need to source NAT wg, as the traffic is going to another MT device under your control (where you can identify allowed IPs of the Client LAN subnet).
The other source NAT rule seems a bit off; ditch the ICMP bit.

(5) Why is UPnP enabled??

(6) Is there any other subnet on the router? The reason I ask is: how do you expect, as admin on this router (one of the IPs on the subnet), to be able to access the router for config purposes if you are being sent into the tunnel for wireguard?????
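A worked client/server layout covering Q3 and Q4 and the table, routing rules and route anav says are missing, as an added example that is neither the OP's attached configs nor anav's. The interface names, the LAN subnet 192.168.88.0/24 with bridge address 192.168.88.1, the listen port 13231 and the <...> placeholders are assumptions; the tunnel addresses are the ones given in the thread.

```routeros
# Added example, not the OP's or anav's config. Assumed (not from the thread):
#   wireguard interface on both routers: wireguard1, listen port 13231
#   client LAN / wifi DHCP pool: 192.168.88.0/24 on bridge1 (router 192.168.88.1)
#   server WAN interface: ether1, public IP <SERVER-PUBLIC-IP>
# Tunnel addresses as in the thread: server 10.10.1.1/24, client 10.10.1.2/24.

# ===== client router =====
# Separate routing table so the router's own WAN default route stays in main
/routing table add name=to-wg fib
/ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-wg
# Rules are evaluated in order: keep LAN-to-LAN (including admin access to the
# router, anav's point 6) on main, then send everything else from the LAN to
# to-wg only. lookup-only-in-table gives no fallback to the WAN when the
# tunnel is down, so the LAN fails closed instead of leaking.
/routing rule add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    action=lookup table=main
/routing rule add src-address=192.168.88.0/24 action=lookup-only-in-table table=to-wg
# Server peer; allowed-address=0.0.0.0/0 because all LAN traffic returns via it
/interface wireguard peers add interface=wireguard1 public-key="<SERVER-PUBLIC-KEY>" \
    endpoint-address=<SERVER-PUBLIC-IP> endpoint-port=13231 allowed-address=0.0.0.0/0
# DHCP clients get a resolver that is reachable through the tunnel (Q3, DNS)
/ip dhcp-server network set [find address=192.168.88.0/24] gateway=192.168.88.1 \
    dns-server=10.10.1.1
# Forward chain: return traffic, LAN -> tunnel, drop the rest (no LAN -> WAN leak)
/ip firewall filter add chain=forward action=accept connection-state=established,related
/ip firewall filter add chain=forward action=accept in-interface=bridge1 \
    out-interface=wireguard1
/ip firewall filter add chain=forward action=drop
# No srcnat on wireguard1 (point 4): the server lists 192.168.88.0/24 as allowed

# ===== server router =====
# allowed-address must include the client LAN or WireGuard drops its packets
/interface wireguard peers add interface=wireguard1 public-key="<CLIENT-PUBLIC-KEY>" \
    allowed-address=10.10.1.2/32,192.168.88.0/24
# Return route to the client LAN through the tunnel
/ip route add dst-address=192.168.88.0/24 gateway=wireguard1
# WAN input: only the WireGuard port; DNS only from the client LAN via the tunnel
/ip firewall filter add chain=input action=accept connection-state=established,related
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface=ether1
/ip firewall filter add chain=input action=accept in-interface=wireguard1 \
    src-address=192.168.88.0/24 protocol=udp dst-port=53
/ip firewall filter add chain=input action=drop in-interface=ether1
/ip dns set allow-remote-requests=yes
# NAT the client LAN out to the internet here, at the exit point
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.88.0/24 \
    out-interface=ether1
```

With this layout the Teams ports from the earlier post (TCP 80/443, UDP 3478-3481) need no extra rules: they leave the client LAN through the tunnel and are masqueraded on the server's WAN like any other outbound traffic.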
