nickcarr
just joined
Topic Author
Posts: 12
Joined: Tue Jul 13, 2021 6:43 pm

Wireguard in a "hub-and-spoke" topology

Tue Jul 13, 2021 8:21 pm

Hi all.
I'm pretty new to WireGuard. I tested with some RB750s with 7.1beta6 (Development) software. I had R0, R1, R2, R3, R4. Each one (from R1 to R4) has its own WG connection with R0.
I used the same UDP port for all the WG VPNs. It was fine! After some days all the WG interfaces (in R0) were down, but one.
I loaded my backups, but nothing. So I started from zero. But, once again: the first WG iface goes up, the others go up only if I choose another UDP port. Then they start working.
It's not a problem, to me, but I was sure I could use the same port for all WG VPNs.
Do you see the same behaviour?
Thanks in advance.
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: Wireguard in a "hub-and-spoke" topology

Tue Jul 13, 2021 9:24 pm

You can't share the same port between multiple WireGuard interfaces. You can, however, add all routers as peers to a single interface. This way you can connect them all using only a single port.
 
oreggin
Member Candidate
Posts: 172
Joined: Fri Oct 16, 2009 9:21 pm

Re: Wireguard in a "hub-and-spoke" topology

Mon Aug 30, 2021 2:35 pm

WireGuard is not for hub-and-spoke. It seems it is only P2P, and if spokes have random global addresses, you might add billions of peers on the hub.
WireGuard is for those who have two dedicated fixed global IP addresses on the two ends, and Layer 3 tunneling is enough. Then you get an encrypted and fast IP tunnel.
 
mjbnz
just joined
Posts: 15
Joined: Thu Aug 06, 2020 3:05 pm

Re: Wireguard in a "hub-and-spoke" topology

Tue Sep 07, 2021 2:31 am

> WireGuard is not for hub-and-spoke. It seems it is only P2P, and if spokes have random global addresses, you might add billions of peers on the hub.
> WireGuard is for those who have two dedicated fixed global IP addresses on the two ends, and Layer 3 tunneling is enough. Then you get an encrypted and fast IP tunnel.

That is incorrect - Wireguard operates quite successfully with only one peer having a fixed IP. You configure the peer IP to be 0.0.0.0, which allows the other peer device to have a non-fixed IP.

You do however need to create unique key pairs for every set of peers.
 
oreggin
Member Candidate
Posts: 172
Joined: Fri Oct 16, 2009 9:21 pm

Re: Wireguard in a "hub-and-spoke" topology

Sun Oct 30, 2022 5:18 pm

I decided to give WG a second chance, but I wasn't successful.
I tried to set up two peers on one router, but only the first is working; I can't ping the second one. I tried to set up a triangle topology with 3 routers, but only one WG link of the three is working.
/interface wireguard
add listen-port=13231 mtu=1432 name=wg1
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=hub1 disabled=yes endpoint-address=1.1.1.1 endpoint-port=13231 interface=wg1 persistent-keepalive=30s public-key="<pubkey-of-hub1>"
add allowed-address=0.0.0.0/0 comment=hub2 disabled=yes endpoint-address=2.2.2.2 endpoint-port=13231 interface=wg1 persistent-keepalive=30s public-key="<pubkey-of-hub2>"
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard in a "hub-and-spoke" topology

Sun Oct 30, 2022 5:57 pm

Finally someone who posts a config; the rest of your comments are conjecture without evidence (aka speculative and useless).
Wireguard is peer to peer, however there is nothing wrong with a main router being connected to by both road warriors and other routers, and they can all reach each other if required.
In other words, the correct configuration is required at routers and clients.

Routers can be both set up to initiate and receive the initial handshake as well.
The setups depend upon context (network diagram) and requirements: what users and admins need to be able to accomplish.
A well-stated set of requirements and the context, and anything is possible.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard in a "hub-and-spoke" topology

Sun Oct 30, 2022 6:01 pm

You can't have allowed-address=0.0.0.0/0 for multiple peers, because it's also used for outgoing routing. If you have one peer with 192.168.10.0/24 and another with 192.168.20.0/24, then it's clear to which one a packet to e.g. 192.168.20.100 should go. But what should the router do when it's 0.0.0.0/0 for both? Toss a coin?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard in a "hub-and-spoke" topology

Sun Oct 30, 2022 6:01 pm

Oreggin, you don't understand wireguard and how wireguard works and should be configured.
You tell me how the router is supposed to know, when a user needs to go to the internet, whether they will go out peer A or peer B.
Let me tell you, they will always go out peer A and never peer B with the config you have. Yes, order counts in peers LOL.

What you need to do is STOP, learn, read and then implement.
viewtopic.php?t=182340

If you have multiple peers at a router that overlap, the solution is to create another interface.
This is not complex nor difficult, and all the different incoming or outgoing wg users will still be able to reach each other, which depends NOT upon being on the same wireguard interface, but on any wireguard interface with the associated proper firewall rules and routes (and possibly routing rules).
 
oreggin
Member Candidate
Posts: 172
Joined: Fri Oct 16, 2009 9:21 pm

Re: Wireguard in a "hub-and-spoke" topology

Thu Nov 03, 2022 6:35 pm

Thanks anav, now I get that "allowed-address" is for the routing decision or similar in WG.
If I have 1000 spokes, do I need 1000 WG interfaces on the hub?
Should dynamic routing (IGP) work over this? What about IPv6 and MPLS?
Can I scale this up to at least 1000 spokes?
Thanks!
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard in a "hub-and-spoke" topology

Fri Nov 04, 2022 8:59 am

> If I have 1000 spokes, do I need 1000 WG interfaces on the hub?

No.
Don't use WebFig to configure Wireguard, as it currently screws up the config, it seems. Something about WebFig messing with the endpoint-address field of the peers.
I'm not using WebFig exactly because of bugs like this here and there.
viewtopic.php?t=190544#p965799
Or if you do, ALWAYS CHECK THE CONFIG FROM THE TERMINAL.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard in a "hub-and-spoke" topology

Fri Nov 04, 2022 2:07 pm

No; for example, single clients will get a single IP address, so there will be no overlap.
Basically you cannot have two or more peers on the hub router with the same allowed IP address (on the same wireguard interface). I hope that's clear.
 
oreggin
Member Candidate
Posts: 172
Joined: Fri Oct 16, 2009 9:21 pm

Re: Wireguard in a "hub-and-spoke" topology

Fri Nov 04, 2022 11:11 pm

Thanks guys,

I hope now I understand the whole WG idea. I looked at WG from the wrong direction. I tried to compare it with L2TP over IPsec or SSTP; however, it simplifies the IPsec job and it is not a universal DMVPN solution. In IPsec I can control the traffic with IPsec policies; in WG I can control the traffic with the allowed-address option.
So my fault was that I expected too much from WG. It can't replace the flexibility of PPP and dynamic routing protocols. It is for what it was made for. It eliminates the pain of thousands of combinations of cryptography settings in different implementations and other bizarre things in IPsec.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard in a "hub-and-spoke" topology

Sat Nov 05, 2022 5:24 pm

Oreggin, you misunderstand wireguard, at least a little bit.

The crypto process is in two parts.
(1) Allowed IPs, yes, is very much a filter for any traffic exiting the tunnel and entering the router. When remote traffic arrives at the tunnel, WG compares the source address of the payload to allowed-address and only allows the packet in if it is on the list!

(2) BUT, Allowed IPs is a matcher and selector (not a filter) for local traffic heading into the tunnel.
The router first determines which wireguard interface is to be used for routing, then Wireguard looks at the destination address of the traffic and asks: does this match any of the allowed IPs on any of the stated peers on that particular wireguard interface? It selects the first peer identified (and does not look at any others).
Thus having overlapping peers on the interface is problematic, as the second one in the order will never be selected!

(3) Firewall rules on both the traffic entering the tunnel and, at the other end, the traffic exiting the tunnel ensure the admin can apply the granularity one needs for permissible traffic.
(4) Routing for single clients is baked into wireguard using the wireguard address structure. When discussing subnets that are not native on a router but travelling through the tunnel, well, they will need additional routes.
(5) Source NAT can be used when you want to mask subnet source addresses heading into the tunnel etc.

You will find that there is lots that can be done with MT and wireguard, at least on a small scale.

(6) For such a grand scale as you are discussing, it sounds like tailscale or zerotier may be more manageable??
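To make the two roles of allowed-address that Sob and anav describe concrete (inbound filter on the inner source address, outbound selector on the destination address), here is an added Python model of a hub's per-interface allowed-address table; it is not code from the thread or from RouterOS. It assumes a longest-prefix-match outbound lookup and, rather than guessing which peer wins when two peers both claim 0.0.0.0/0 as in the posted config, reports that overlap as a configuration error; the peer names and addresses are constructed.

```python
import ipaddress

# Constructed hub configs (not the thread's routers): peer name -> allowed-address list.
HUB_OK = {
    "spoke1": ["10.255.0.2/32", "192.168.10.0/24"],
    "spoke2": ["10.255.0.3/32", "192.168.20.0/24"],
    "exit":   ["0.0.0.0/0"],          # a single peer may legitimately hold the catch-all
}
HUB_OVERLAP = {                        # the pattern from the posted config
    "hub1": ["0.0.0.0/0"],
    "hub2": ["0.0.0.0/0"],
}

def build_table(peers):
    """Allowed-address table: prefix -> peer. A prefix can belong to one peer
    only on a given interface, so a second peer claiming the same prefix is
    reported as a config error instead of being silently resolved."""
    table = {}
    for name, nets in peers.items():
        for n in nets:
            net = ipaddress.ip_network(n)
            if net in table:
                raise ValueError(f"{net} already belongs to peer {table[net]}, "
                                 f"cannot also be allowed-address of {name}")
            table[net] = name
    return table

def select_peer(table, dst):
    """Outbound: the peer whose allowed-address most specifically covers dst
    (longest prefix wins); None means no peer matches and the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, peer) for net, peer in table.items() if addr in net]
    return max(hits)[1] if hits else None

def accept_inbound(table, peer, src):
    """Inbound: a packet that decrypted under `peer`'s key is accepted only if
    its inner source address lies within that peer's allowed-addresses."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net, p in table.items() if p == peer)

def lint(peers):
    """Return the overlap error message, or None if the peer set is consistent."""
    try:
        build_table(peers)
    except ValueError as e:
        return str(e)
    return None
```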
