ohkwarig
just joined
Topic Author
Posts: 8
Joined: Tue Nov 02, 2021 7:18 pm

Wireguard Connection between two sites  [SOLVED]

Tue Nov 02, 2021 7:27 pm

I have a new RB5009UG+S+IN which is running RouterOS 7.1rc5

I have two locations (home and work) which I'm trying to bridge using Wireguard. Prior to getting the RB5009, I used OpenVPN. Work has a commodity router running lede/openwrt.

Home uses the 192.168.88 address space. Work uses the 192.168.9 address space. Under OpenVPN, I had things setup so that traffic was intelligently routed between the two networks. I'm trying to do the same with Wireguard.

I'm finding the Wireguard wiki and documentation to be rather opaque. There is a set of instructions at <https://help.mikrotik.com/docs/display/ROS/WireGuard> on linking two locations, but they presume that you're using two mikrotik devices, and they don't explain the reasons for taking certain actions.

I'm able to get home and work to handshake successfully, but that's the extent of what I'm able to do. I have somewhat more experience on the OpenWRT, so I'm more confident that what I'm doing there is correct. I believe my issues are starting at the heading "IP and routing configuration" on the page linked above. I'm unable to determine what the importance of the address line ("/ip/address add address=10.255.255.1/30 interface=wireguard1") is or if the address 10.255.255.1 is magic in some way -- it doesn't appear on the diagram above. I'm also unable, as far as I can tell, to set any address for the interface in openwrt.

I want to be able to tell the RB5009 "if you see a packet destined for 192.168.9, send it over the wireguard interface" but I can't seem to figure out a way to do that.

thanks for help in advance
 
felixka
Frequent Visitor
Posts: 58
Joined: Mon Oct 19, 2020 4:12 am
Location: Canada

Re: Wireguard Connection between two sites

Wed Nov 03, 2021 5:24 pm

The 10.255.255.1/30 network essentially provides two IP addresses: 10.255.255.1 and 10.255.255.2. These are there to facilitate the routing between the two endpoints on the tunnel. These should be chosen such that they are "out of the way" of any of the other subnets you're using.

You are in fact able to add IPv4 and IPv6 addresses to wireguard interfaces on OpenWrt the same way you would on any other type of interface:
uci add_list network.wg0.addresses="10.255.255.2/30"
Where wg0 is your Wireguard interface name

See if adding the IP address solves the routing problem for you.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Connection between two sites

Wed Nov 03, 2021 6:31 pm

Please describe the network setup at both ends........
For example it's not clear if you have an MT at both ends
and/or if the MTs are directly connected to an ISP modem or behind another router etc.........
 
ohkwarig
just joined
Topic Author
Posts: 8
Joined: Tue Nov 02, 2021 7:18 pm

Re: Wireguard Connection between two sites

Wed Nov 03, 2021 6:54 pm

Please describe the network setup at both ends........
For example it's not clear if you have an MT at both ends
and/or if the MTs are directly connected to an ISP modem or behind another router etc.........
Work (openwrt) <---> ISP fiber modem <---> Internet <---> ISP cable modem <---> Home (MT RB5009)

I have not yet had the opportunity to try the other user's suggestion about assigning an IP on the OpenWRT side. I hope to be able to later today.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Connection between two sites

Wed Nov 03, 2021 7:30 pm

Please describe the network setup at both ends........
For example it's not clear if you have an MT at both ends
and/or if the MTs are directly connected to an ISP modem or behind another router etc.........
Work (openwrt) <---> ISP fiber modem <---> Internet <---> ISP cable modem <---> Home (MT RB5009)

I have not yet had the opportunity to try the other user's suggestion about assigning an IP on the OpenWRT side. I hope to be able to later today.
So the OpenWRT has the listening port and you're attempting to get to work from home or vice versa?
 
ohkwarig
just joined
Topic Author
Posts: 8
Joined: Tue Nov 02, 2021 7:18 pm

Re: Wireguard Connection between two sites

Wed Nov 03, 2021 7:34 pm



Work (openwrt) <---> ISP fiber modem <---> Internet <---> ISP cable modem <---> Home (MT RB5009)

I have not yet had the opportunity to try the other user's suggestion about assigning an IP on the OpenWRT side. I hope to be able to later today.
So the OpenWRT has the listening port and you're attempting to get to work from home or vice versa?
Home is listening -- the MT device. Work is making the connection. The handshake is successful. Routing is not.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Connection between two sites

Wed Nov 03, 2021 8:03 pm

Okay at HOME (server router).
Assuming this is connected to the ISP modem.
In any case,
(1) Hence INPUT Chain requires the listening port allowed UDP, in-interface-list=WAN

(2) Wireguard Settings;

WIREGUARD TAB: name given to interface (let's say WG-HOME), Listen port, Private Key (not used external to the router), Public Key (key needed at OPENWRT router).

PEERS TAB: Interface name from above (WG-HOME), Public Key (as provided by OPENWRT router), Endpoint is WANIP of OpenWrt router (or dyndns name for router), Allowed address (Typically the allowed subnet from the peer location)

(3) Route Rule to ensure that Wireguard Traffic from Work, when it's shunted out the internet, gets returned through the tunnel back to work......
For example the same subnet you noted in peers tab.
dst address: allowed subnet Gateway=WG-HOME

That should be it for the home router.
One does not need to assign an IP address to the Wireguard gateway.
But please confirm is it internet that you want access to or LAN resources at home????

Finally post your config for review
/export hide-sensitive file=anynameyouwish
 
ohkwarig
just joined
Topic Author
Posts: 8
Joined: Tue Nov 02, 2021 7:18 pm

Re: Wireguard Connection between two sites

Thu Nov 04, 2021 1:05 am

The 10.255.255.1/30 network essentially provides two IP addresses: 10.255.255.1 and 10.255.255.2. These are there to facilitate the routing between the two endpoints on the tunnel. These should be chosen such that they are "out of the way" of any of the other subnets you're using.

You are in fact able to add IPv4 and IPv6 addresses to wireguard interfaces on OpenWrt the same way you would on any other type of interface:
uci add_list network.wg0.addresses="10.255.255.2/30"
Where wg0 is your Wireguard interface name

See if adding the IP address solves the routing problem for you.
Thanks, that makes sense.

Unfortunately, I tried it and it didn't work. At this point, I'm wondering if I made a major error on the OpenWRT end. I'm thinking of restoring the configuration to OpenWRT as it was just before I started the upgrade (or sidegrade) process. Debugging two systems has so many more wonderful possibilities for mistakes...
 
Halfeez92
Member Candidate
Posts: 101
Joined: Tue Oct 30, 2012 12:58 pm
Location: 127.0.0.1

Re: Wireguard Connection between two sites

Thu Nov 04, 2021 6:07 am

I have a new RB5009UG+S+IN which is running RouterOS 7.1rc5

I have two locations (home and work) which I'm trying to bridge using Wireguard. Prior to getting the RB5009, I used OpenVPN. Work has a commodity router running lede/openwrt.

Home uses the 192.168.88 address space. Work uses the 192.168.9 address space. Under OpenVPN, I had things setup so that traffic was intelligently routed between the two networks. I'm trying to do the same with Wireguard.

I'm finding the Wireguard wiki and documentation to be rather opaque. There is a set of instructions at <https://help.mikrotik.com/docs/display/ROS/WireGuard> on linking two locations, but they presume that you're using two mikrotik devices, and they don't explain the reasons for taking certain actions.

I'm able to get home and work to handshake successfully, but that's the extent of what I'm able to do. I have somewhat more experience on the OpenWRT, so I'm more confident that what I'm doing there is correct. I believe my issues are starting at the heading "IP and routing configuration" on the page linked above. I'm unable to determine what the importance of the address line ("/ip/address add address=10.255.255.1/30 interface=wireguard1") is or if the address 10.255.255.1 is magic in some way -- it doesn't appear on the diagram above. I'm also unable, as far as I can tell, to set any address for the interface in openwrt.

I want to be able to tell the RB5009 "if you see a packet destined for 192.168.9, send it over the wireguard interface" but I can't seem to figure out a way to do that.

thanks for help in advance
Have you set a route for that subnet through wireguard? Try this command on your RB5009
/ip/route/add dst-address=192.168.9.0/24 gateway=Your-Remote-WG-Interface-IP
 
ohkwarig
just joined
Topic Author
Posts: 8
Joined: Tue Nov 02, 2021 7:18 pm

Re: Wireguard Connection between two sites

Thu Nov 04, 2021 4:14 pm

So, first off, I have to confess a grievous sin. I thought that the work router was directly bridged to the internet, but it turns out that the last time my ISP had someone here, he reconfigured the routers. So, there was actually not a direct connection from my work (WRT) router to the internet. That has been fixed...

The VPN is still not working, though. The handshake goes through, but the routing still doesn't work. I'm continuing to troubleshoot.

Thank you all for your patience, and it's just another reminder to verify topology even when you think you're certain...
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Connection between two sites

Thu Nov 04, 2021 4:25 pm

So, first off, I have to confess a grievous sin. I thought that the work router was directly bridged to the internet, but it turns out that the last time my ISP had someone here, he reconfigured the routers. So, there was actually not a direct connection from my work (WRT) router to the internet. That has been fixed...

The VPN is still not working, though. The handshake goes through, but the routing still doesn't work. I'm continuing to troubleshoot.

Thank you all for your patience, and it's just another reminder to verify topology even when you think you're certain...
Thus you need to forward the listening port from the first router at work (connected to the ISP) to the router hosting wireguard.
 
ohkwarig
just joined
Topic Author
Posts: 8
Joined: Tue Nov 02, 2021 7:18 pm

Re: Wireguard Connection between two sites

Thu Nov 04, 2021 6:31 pm

Thus you need to forward the listening port from the first router at work (connected to the ISP) to the router hosting wireguard.
Okay, I have done that and confirmed it's working because I can access ssh on an alternate port...

I have put the mikrotik /export below with confidential stuff (I think) redacted.
# nov/04/2021 12:13:30 by RouterOS 7.1rc5
# software id = REMOVED
#
# model = RB5009UG+S+
# serial number = REMOVED
/interface bridge
add admin-mac=DC:2C:6E:28:EF:55 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.128-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add interface=wireguard1 persistent-keepalive=25s public-key=\
    "REMOVED"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.255.255.1/24 interface=wireguard1 network=10.255.255.0
/ip dhcp-client
add comment=defconf interface=ether1
# RESERVED LEASES REMOVED
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    192.168.88.94,192.168.88.98 domain=lan gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
# DNS REMOVED
/ip firewall filter
add action=accept chain=input comment="allow wireguard in" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="wireguard office to home" \
    dst-address=192.168.88.0/24 src-address=192.168.9.0/24
add action=accept chain=forward comment="wireguard home to office" \
    dst-address=192.168.9.0/24 src-address=192.168.88.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="secure smtp" dst-address=MYIP \
    dst-port=587 log=yes log-prefix=smtp protocol=tcp to-addresses=\
    192.168.88.98 to-ports=25
add action=dst-nat chain=dstnat comment=smtp dst-address=MYIP \
    dst-port=25 log=yes log-prefix=smtp protocol=tcp to-addresses=\
    192.168.88.98 to-ports=25
add action=dst-nat chain=dstnat comment="alternate ssh" dst-address=\
    REMOVED dst-port=22310 in-interface=ether1 log=yes log-prefix=ssh \
    protocol=tcp to-addresses=192.168.88.98 to-ports=22
add action=masquerade chain=srcnat comment="hairpin nat attempt https://help.m\
    ikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT" disabled=yes \
    dst-address=192.168.88.98 log=yes log-prefix=hairpin out-interface=bridge \
    protocol=tcp src-address=192.168.88.0/24
/ip route
add disabled=no distance=1 dst-address=192.168.9.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/16
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-autodetect=no time-zone-name=America/Indiana/Indianapolis
/system package update
set channel=development
/system routerboard settings
set cpu-frequency=auto
# SCHEDULER AND SCRIPTS REMOVED
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
Are there any red flags in here? If it all looks good, then it must be on the OpenWRT side.

As it stands now, though, a ping from work will hit 10.255.255.2 (work's WG ip). A ping from home will hit 10.255.255.1 (home's WG ip). A ping from home will not hit 10.255.255.2 and a ping from work will not hit 10.255.255.1. And hosts cannot contact hosts on the other network.
Last edited by ohkwarig on Mon Nov 08, 2021 12:49 am, edited 1 time in total.
 
rplant
Member Candidate
Posts: 287
Joined: Fri Sep 29, 2017 11:42 am

Re: Wireguard Connection between two sites

Fri Nov 05, 2021 8:18 am

Hi,
You need some allowed addresses in the mikrotik peers setting.
10.255.255.0/24 and 192.168.9.0/24

You should then be able to ping 10.255.255.2 from the openwrt router, and hopefully also work workstations.

Though you may need to add similar allowed peers at the openwrt end first.
If nothing, check there are stats at bottom of peer entry form
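The reason rplant's fix matters is WireGuard's cryptokey routing: on send, a packet is encrypted to the peer whose allowed-address covers the destination (longest prefix wins), and on receive a decrypted packet is kept only if its source lies inside the allowed-address of the peer it arrived from. A peer entry with no allowed-address, like the one in the export above, therefore passes nothing in either direction even though the handshake succeeds. The following Python model is an added example, not code from this thread or from MikroTik or OpenWrt: it re-joins the backslash-wrapped lines of a RouterOS export, reads the peer's allowed-address, and evaluates both directions of a LAN-to-LAN ping. The two export excerpts are constructed (the public key is the literal "REMOVED"), the work side's allowed IPs are assumed to be the home LAN plus the transit network as rplant recommends, and all function names are my own.

```python
import ipaddress
import shlex

# Constructed excerpts in RouterOS export syntax (modelled on the export posted
# above; "REMOVED" stands in for the real public key). BEFORE has no
# allowed-address on the peer; AFTER is the same peer with rplant's two networks.
EXPORT_BEFORE = """\
/interface wireguard peers
add interface=wireguard1 persistent-keepalive=25s public-key=\\
    "REMOVED"
"""
EXPORT_AFTER = """\
/interface wireguard peers
add allowed-address=10.255.255.0/24,192.168.9.0/24 interface=wireguard1 \\
    persistent-keepalive=25s public-key="REMOVED"
"""
# Assumed allowed IPs on the OpenWrt (work) side: the home LAN and the transit network.
WORK_ALLOWED_IPS = ["192.168.88.0/24", "10.255.255.0/24"]


def join_continuations(text):
    """RouterOS exports wrap long commands with a trailing backslash; re-join them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw
        if piece.endswith("\\"):
            buf += piece[:-1]
        else:
            lines.append(buf + piece)
            buf = ""
    return lines


def parse_peers(export_text):
    """Return each 'add ...' entry under /interface wireguard peers as a dict of key=value."""
    peers, section = [], None
    for line in join_continuations(export_text):
        if line.startswith("/"):
            section = line.strip()
        elif section == "/interface wireguard peers" and line.startswith("add "):
            tokens = shlex.split(line)[1:]            # shlex strips the quotes around values
            peers.append(dict(tok.split("=", 1) for tok in tokens if "=" in tok))
    return peers


def allowed_networks(peer):
    """allowed-address is a comma-separated list; a missing value means the peer may carry nothing."""
    return [ipaddress.ip_network(a) for a in peer.get("allowed-address", "").split(",") if a]


def egress_peer(peer_table, dst):
    """Cryptokey routing on send: the peer whose allowed-address covers dst with the
    longest prefix gets the packet; no match means the packet is dropped."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peer_table:
        for net in allowed_networks(peer):
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def ingress_accepted(peer, src):
    """Cryptokey routing on receive: a decrypted packet is kept only if its source
    address lies inside the allowed-address of the peer it came from."""
    return any(ipaddress.ip_address(src) in net for net in allowed_networks(peer))


def can_reach(sender_table, receiver_entry_for_sender, src, dst):
    """One direction of a ping: the sender must map dst to a peer and the receiver must
    accept src from that peer. (Endpoint learning and the handshake, which the thread
    says already work, are not modelled.)"""
    return egress_peer(sender_table, dst) is not None and ingress_accepted(receiver_entry_for_sender, src)


def check_site_to_site(home_export, work_allowed_ips=WORK_ALLOWED_IPS):
    """Evaluate both directions of a ping between the two routers' LAN addresses."""
    home_peers = parse_peers(home_export)
    home_entry = home_peers[0] if home_peers else {}
    work_entry = {"allowed-address": ",".join(work_allowed_ips)}
    return {
        "home_peer_has_allowed_address": bool(allowed_networks(home_entry)),
        "home->work": can_reach(home_peers, work_entry, "192.168.88.1", "192.168.9.1"),
        "work->home": can_reach([work_entry], home_entry, "192.168.9.1", "192.168.88.1"),
    }


if __name__ == "__main__":
    for label, export in (("before", EXPORT_BEFORE), ("after", EXPORT_AFTER)):
        print(label, check_site_to_site(export))
```

Running it shows the "before" export failing in both directions and the "after" export passing. The same check explains the symptom reported above: with no allowed-address, a ping from home to 10.255.255.2 never finds a peer to encrypt to, and a ping arriving from work with source 10.255.255.2 is discarded after decryption.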
 
ohkwarig
just joined
Topic Author
Posts: 8
Joined: Tue Nov 02, 2021 7:18 pm

Re: Wireguard Connection between two sites

Fri Nov 05, 2021 3:54 pm

Hi,
You need some allowed addresses in the mikrotik peers setting.
10.255.255.0/24 and 192.168.9.0/24
Awesome, thank you and that's done.

Unfortunately, still no joy.

For the record, here's the output of
pgrep -f -a wg; wg show; wg showconf wg0
on the work (OpenWRT) side:
3 kworker/0:0-wg-
2304 wg-crypt-wg0
2936 kworker/0:2-wg-
interface: wg0
  public key: REMOVED
  private key: (hidden)
  listening port: 13231

peer: REMOVED
  endpoint: REMOVED:13231
  allowed ips: 192.168.88.0/24, 10.255.255.0/24
  latest handshake: 1 minute, 21 seconds ago
  transfer: 211.74 KiB received, 238.59 KiB sent
  persistent keepalive: every 25 seconds
[Interface]
ListenPort = 13231
PrivateKey = REMOVED

[Peer]
PublicKey = REMOVED
AllowedIPs = 192.168.88.0/24, 10.255.255.0/24
Endpoint = REMOVED:13231
PersistentKeepalive = 25
Output of
ip address show; ip route show table all
on the work (OpenWRT) side:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether REMOVED brd ff:ff:ff:ff:ff:ff
    inet REMOVED/23 brd REMOVED scope global eth0
       valid_lft forever preferred_lft forever
    inet6 REMOVED/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether REMOVED brd ff:ff:ff:ff:ff:ff
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 84:16:f9:d6:e7:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.9.1/24 brd 192.168.9.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fde3:e6b9:a6dd::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::8616:f9ff:fed6:e7fb/64 scope link
       valid_lft forever preferred_lft forever
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534]
    inet 10.255.255.2/24 brd 10.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 84:16:f9:d6:e7:fb brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8616:f9ff:fed6:e7fb/64 scope link
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 84:16:f9:d6:e7:fa brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8616:f9ff:fed6:e7fa/64 scope link
       valid_lft forever preferred_lft forever
default via REMOVED dev eth0  src REMOVED
10.255.255.0/24 dev wg0 scope link
HOME_IP_REMOVED via WORK_IP_REMOVED dev eth0
REMOVED/23 dev eth0 scope link  src REMOVED
192.168.9.0/24 dev br-lan scope link  src 192.168.9.1
192.168.88.0/24 dev wg0 scope link
broadcast 10.255.255.0 dev wg0 table local scope link  src 10.255.255.2
local 10.255.255.2 dev wg0 table local scope host  src 10.255.255.2
broadcast 10.255.255.255 dev wg0 table local scope link  src 10.255.255.2
broadcast REMOVED dev eth0 table local scope link  src REMOVED
local REMOVED dev eth0 table local scope host  src REMOVED
broadcast REMOVED dev eth0 table local scope link  src REMOVED
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.9.0 dev br-lan table local scope link  src 192.168.9.1
local 192.168.9.1 dev br-lan table local scope host  src 192.168.9.1
broadcast 192.168.9.255 dev br-lan table local scope link  src 192.168.9.1
fde3:e6b9:a6dd::/64 dev br-lan  metric 1024
unreachable fde3:e6b9:a6dd::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wlan1  metric 256
fe80::/64 dev wlan0  metric 256
local ::1 dev lo table local  metric 0
anycast fde3:e6b9:a6dd:: dev br-lan table local  metric 0
local fde3:e6b9:a6dd::1 dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wlan1 table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
local fe80::8616:f9ff:fed6:e7fa dev wlan0 table local  metric 0
local fe80::8616:f9ff:fed6:e7fb dev br-lan table local  metric 0
local fe80::8616:f9ff:fed6:e7fb dev wlan1 table local  metric 0
local fe80::8616:f9ff:fed6:e7fc dev eth0 table local  metric 0
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev wg0 table local  metric 256
multicast ff00::/8 dev wlan1 table local  metric 256
multicast ff00::/8 dev wlan0 table local  metric 256
output of
uci show firewall
on the work (OpenWRT) side:
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6' 'wg0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].enabled='0'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[5].enabled='0'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[6].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src_dport='REMOVED'
firewall.@redirect[0].dest_port='22'
firewall.@redirect[0].name='alt port ssh'
firewall.@redirect[0].dest_ip='192.168.9.92'
output of
uci show network
on the work (OpenWRT) side:
network.loopback=interface
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.loopback.device='lo'
network.globals=globals
network.globals.ula_prefix='fde3:e6b9:a6dd::/48'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.9.1'
network.lan.dns='192.168.9.92' '192.168.9.90'
network.lan.device='br-lan'
network.wan=interface
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='192.168.9.92' '192.168.9.90'
network.wan.device='eth0'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wan6.device='eth0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 6'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='REMOVED'
network.wg0.defaultroute='0'
network.wg0.peerdns='0'
network.wg0.delegate='0'
network.wg0.addresses='10.255.255.2/24'
network.wg0.listen_port='13231'
network.wgserver=wireguard_wg0
network.wgserver.public_key='REMOVED'
network.wgserver.endpoint_host='REMOVED'
network.wgserver.endpoint_port='13231'
network.wgserver.route_allowed_ips='1'
network.wgserver.persistent_keepalive='25'
network.wgserver.description='home'
network.wgserver.allowed_ips='192.168.88.0/24' '10.255.255.0/24'
Thanks again in advance for all of the assistance. I feel like I owe everyone a few beers.
 
rplant
Member Candidate
Posts: 287
Joined: Fri Sep 29, 2017 11:42 am

Re: Wireguard Connection between two sites

Sat Nov 06, 2021 5:07 am

Hi,

Sorry, not sure.
wg0 on the openwrt box is wan, so you will be unlikely to connect from home end.

But it looks like you should be able to ping and connect from the work end to the home end.
Perhaps try pinging from openwrt to mikrotik.
ping 10.255.255.1
then from lan interface of openwrt to mikrotik
ping 10.255.255.1 -I 192.168.9.1
ping 192.168.88.1
ping 192.168.88.94 (Maybe)
ping 192.168.88.94 -I 192.168.9.1

Perhaps trial with wg0 being LAN
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Connection between two sites

Sat Nov 06, 2021 6:07 pm

Sorry cannot help on the openwrt side of the house but the RB5009 as a client wireguard device is straightforward.

WG Setup
WG settings
-Give WG interface a name, let's call it WG-Client
-Listen port NOT required
-Private key (internal use only)
-Public key (needed on Openwrt setup)

Peer settings
-Interface is WG-Client
-Public Key (provided by openwrt router)
-Endpoint WANIP of openwrt (best to use a dyndns name if not static)
-Endpoint port (the listening port set on the openwrt router)
-Allowed address: 192.168.9.0/24 {to be clear this setting says these are the allowable possible destination addresses to be used in the tunnel}
-Persistent keep alive set at your preference aka 35 seconds for example

IP ADDRESS for wireguard interface NOT REQUIRED

IP Route REQUIRED, to ensure all traffic for work lan is sent through the wg tunnel.

/ip route (almost)
add dst-address=0.0.0.0/0 gateway=WANgatewayIP (either manually entered or done through client settings)
add dst-address=192.168.9.0/24 gateway=WG-Client

To prevent any potential leakage of requests to go through the MT client Router WAN side, if and when the tunnel connection is down for any reason *****, it is best to use a route rule approach and thus the final config would look like.
add dst-address=0.0.0.0/0 gateway=WANgatewayIP (either manually entered or done through client settings)
add dst-address=192.168.9.0/24 gateway=WG-Client routing-table=USETUNNEL

Route Rule
Source address=192.168.88.0/24
Action: Lookup Only in Table
Table: USETUNNEL

++++++++++++++++++++++++++++++++++++++

******* (courtesy of Sindy).
The hierarchy of routes was unclear (as I was not quite sure how to ensure the route to the tunnel would be matched or take priority over the standard route already on the router, since there would be overlap!!!!)
(since 0.0.0.0/0 (the standard route) also covers the IP addresses 192.168.9.0/24)
Priority goes by.......

1. Route-Mark, has the highest priority
2. Next, among all routes with the same routing-mark and matching the destination address of the packet, the system looks for one with the longest prefix in dst-address
In this case 192.168.9.0/24 describes a longer prefix than 0.0.0.0/0. (24 vs 0, I think)
3. Finally, distance can be used, if all of the above are identical, a lower distance will ensure one route is matched before the other.........

The question remains, how to ensure when the tunnel is down 192.168.9.0/24 doesn't leak out elsewhere.
I note on 7.0X beta RC whatever, the use of PROHIBIT and BLACKHOLE are no longer available.

I had thought that this would work.
0.0.0.0/0 gateway=wanipgateway {main table} distance=default
192.168.9.0/24 gateway=WG {main table} distance=default ( any destination due to the longer preference here would take precedence as required)
192.168.9.0/24 type=blackhole distance=default +1 (when the tunnel was down no leakage could occur to the client WANIP)

However, blackhole is like DROP in firewall rules: no indication to LAN users that there is a problem, just no results.
Thus, like reject, PROHIBIT would at least return an error message.

0.0.0.0/0 gateway=wanipgateway {main table} distance=default
192.168.9.0/24 gateway=WG {main table} distance=default ( any destination due to the longer preference here would take precedence as required)
192.168.9.0/24 type=prohibit distance=default +1

As stated, blackhole and prohibit are not available and thus one is left with the one clear SOLUTION:

/ip route
add dst-address=0.0.0.0/0 gw=wanIPgateway {standard route either manually entered or by ip client checkbox}
add dst-address=192.168.9.0/24 gw=wg-client routing-mark=USETUNNEL

/ip route rule
source-address=192.168.88.0/24
action: Lookup-Only-In-Table
table=USETUNNEL
Last edited by anav on Sun Nov 07, 2021 5:17 pm, edited 2 times in total.
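As an added illustration (written for this page, not anav's config nor RouterOS code), here is the route-selection order from the post modelled in Python: routing table (routing-mark) first, then longest prefix, then lowest distance, with `lookup-only-in-table` never falling back to main. It runs the same packets against three layouts: both routes in main, the tunnel route in table USETUNNEL with the source-only rule exactly as written above, and the same rule extended with `dst-address=192.168.9.0/24`. The third layout is this example's own addition: run the source-only rule and you see its side effect, every packet from 192.168.88.0/24 to any other destination (the internet included) finds nothing in USETUNNEL and is dropped, so the rule needs the destination match as well. The WAN gateway 203.0.113.1, the `active` flag standing in for the WireGuard interface being down, and the hosts used are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed WAN gateway for the example; not from the thread.
WAN_GW = "203.0.113.1"


@dataclass
class Route:
    dst: str                 # destination prefix, e.g. "192.168.9.0/24"
    gateway: str             # next hop: an IP or an interface name such as "WG-Client"
    table: str = "main"      # routing-table (routing-mark) the route lives in
    distance: int = 1
    active: bool = True      # False models the WireGuard interface being down


@dataclass
class Rule:
    """/routing rule with action=lookup-only-in-table: no fallback to main on a miss."""
    src: str
    table: str
    dst: str = "0.0.0.0/0"   # the post's rule matches on source only; see rule_src_and_dst()


@dataclass
class Router:
    routes: list = field(default_factory=list)
    rules: list = field(default_factory=list)

    def lookup(self, table: str, dst: str) -> Optional[Route]:
        """Best active route for dst inside one table: longest prefix, then lowest distance."""
        d = ip_address(dst)
        candidates = [r for r in self.routes
                      if r.table == table and r.active and d in ip_network(r.dst)]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (ip_network(r.dst).prefixlen, -r.distance))

    def next_hop(self, src: str, dst: str) -> Optional[str]:
        """Gateway chosen for a packet, or None when it has no usable route (dropped)."""
        s, d = ip_address(src), ip_address(dst)
        for rule in self.rules:                       # routing rules are consulted first
            if s in ip_network(rule.src) and d in ip_network(rule.dst):
                r = self.lookup(rule.table, dst)
                return r.gateway if r else None       # lookup-only-in-table: no fallback
        r = self.lookup("main", dst)
        return r.gateway if r else None


def routes_in_main(tunnel_up: bool = True) -> Router:
    """Both routes in main: longest prefix wins while the tunnel is up, leaks to WAN when down."""
    return Router(routes=[
        Route("0.0.0.0/0", WAN_GW),
        Route("192.168.9.0/24", "WG-Client", active=tunnel_up),
    ])


def rule_src_only(tunnel_up: bool = True) -> Router:
    """Tunnel route in table USETUNNEL, rule matching on source address only (as in the post)."""
    return Router(
        routes=[Route("0.0.0.0/0", WAN_GW),
                Route("192.168.9.0/24", "WG-Client", table="USETUNNEL", active=tunnel_up)],
        rules=[Rule(src="192.168.88.0/24", table="USETUNNEL")])


def rule_src_and_dst(tunnel_up: bool = True) -> Router:
    """Same, but the rule also matches dst-address, so only work-bound traffic is confined."""
    return Router(
        routes=[Route("0.0.0.0/0", WAN_GW),
                Route("192.168.9.0/24", "WG-Client", table="USETUNNEL", active=tunnel_up)],
        rules=[Rule(src="192.168.88.0/24", dst="192.168.9.0/24", table="USETUNNEL")])


if __name__ == "__main__":
    lan_host, work_host, internet = "192.168.88.10", "192.168.9.5", "198.51.100.7"
    layouts = [("routes in main", routes_in_main), ("rule src only", rule_src_only),
               ("rule src+dst", rule_src_and_dst)]
    for name, build in layouts:
        for up in (True, False):
            r = build(up)
            print(f"{name:15} tunnel {'up  ' if up else 'down'}: work -> "
                  f"{r.next_hop(lan_host, work_host)}, internet -> {r.next_hop(lan_host, internet)}")
```

Running it prints, for the main-only layout with the tunnel down, `work -> 203.0.113.1`, which is the leak the post is guarding against; the source-only rule closes that hole but also returns `internet -> None` even with the tunnel up, and only the rule with both matches gives `work -> None` when down and `internet -> 203.0.113.1` in both states.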
 
Halfeez92
Member Candidate
Posts: 101
Joined: Tue Oct 30, 2012 12:58 pm
Location: 127.0.0.1

Re: Wireguard Connection between two sites

Sun Nov 07, 2021 8:32 am

Sorry cannot help on the openwrt side of the house but the RB5009 as a client wireguard device is straightforward.

WG Setup
WG settings
-Give WG interface a name, let's call it WG-Client
-Listen port NOT required
-Private key (internal use only)
-Public key (needed on Openwrt setup)

Peer settings
-Interface is WG-Client
-Public Key (provided by openwrt router)
-Endpoint WANIP of openwrt (best to use a dyndns name if not static)
-Endpoint port (the listening port set on the openwrt router)
-Allowed address: 192.168.9.0/24 {to be clear this setting says these are the allowable possible destination addresses to be used in the tunnel}
-Persistent keep alive set at your preference aka 35 seconds for example

IP ADDRESS for wireguard interface NOT REQUIRED

IP Route REQUIRED, to ensure all traffic for work lan is sent through the wg tunnel.

/ip route (almost)
add dst-address=0.0.0.0/0 gateway=WANgatewayIP (either manually entered or done through client settings)
add dst-address=192.168.9.0/24 gateway=WG-Client

To prevent any potential leakage of requests to go through the MT client Router WAN side, it is best to use a route rule approach and thus the final config would look like.
add dst-address=0.0.0.0/0 gateway=WANgatewayIP (either manually entered or done through client settings)
add dst-address=192.168.9.0/24 gateway=WG-Client routing-table=USETUNNEL

Route Rule
Source address=192.168.88.0/24
Action: Lookup Only in Table
Table: USETUNNEL
Why would you not put an IP address on the WG interface? On the OpenWrt end it uses 10.255.255.1, right? You should put 10.255.255.2 on the RB5009 end, then you would create a route to gateway 10.255.255.1 to access destination 192.168.9.0/24. Make sure to add the 10.255.255.0/24 address to allowed on the RB5009 peer also.
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Connection between two sites

Sun Nov 07, 2021 4:42 pm

Absolutely no need for an address on the WG interface.
The RB5009 setup I recommended will route all traffic from 192.168.88.0/24 through the tunnel whenever a destination address of 192.168.9.0/24 is utilized.

That is what the OP wants! Why are you assuming different requirements??

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Furthermore, I know jack squat about openwrt settings but if this was instead an MT router.
Here is how I would handle it from an MT wireguard router perspective (SERVER).

Besides the normal ALLOW RULE in the input chain in-interface-list=WAN, UDP for the listening port
{note: If the MT router was behind an ISP router, the ISP router would have to port forward the listening port udp to the MT router.}

WIREGUARD ROUTER (server)
Wireguard Settings
- name required, so use WG-Server
-Listen port xxxxxx
- Private key {internal use}
- Public Key ( for use on the RB5009 client router)

Peer Settings
- Interface, from above WG-Server
- Public Key (provided by the RB5009)
- Endpoint the WANIP of the RB5009, I would use the ip cloud name for the router (free dyndns name)
- Endpoint port, not required.
- Allowed address 192.168.88.0/24 (the subnet that will be coming through the tunnel)

No requirement to state any IP address for this WG interface either.
Two other requirements need to be addressed:
(1) Forward chain firewall rule to ensure client traffic is allowed to reach server LAN subnet.
add chain=forward action=accept in-interface=WG-Server dst-address=192.168.9.0/24

(2) Route rule on Server router to ensure return traffic does indeed go back through the tunnel.
dst-address=192.168.88.0/24 Gateway=WG-Server
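An added example (written for this page, not code from the posts or from WireGuard) of what the allowed-address setting discussed in the last few posts actually does. It is not a firewall ACL but WireGuard's cryptokey routing: on send, the destination is matched by longest prefix across every peer's allowed addresses to choose which peer's key encrypts the packet, and a destination that matches no peer is dropped regardless of the IP route; on receive, a packet that decrypts correctly is still dropped if its inner source address lies outside that peer's allowed addresses. The model below shows why the RB5009's peer entry needs 192.168.9.0/24, why Halfeez92's point about also allowing 10.255.255.0/24 matters if you want to ping the tunnel addresses, and what a 0.0.0.0/0 allowed address (as in Halfeez92's CHR export further down) gives up: the peer may then put any source address on packets it sends you, so allowed-address is the only anti-spoofing boundary the tunnel itself enforces. Peer names and the host addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from typing import Optional


class WireGuardInterface:
    """Model of one WireGuard interface's cryptokey routing table (constructed for this
    example; not the real implementation). Keys are omitted: only the mapping between
    a peer and its allowed-address list matters for what is shown here."""

    def __init__(self) -> None:
        self.peers = {}   # peer name -> list of ip_network

    def add_peer(self, name: str, allowed_address: list) -> None:
        self.peers[name] = [ip_network(a) for a in allowed_address]

    def select_peer(self, dst: str) -> Optional[str]:
        """Outbound: the packet is encrypted for the peer whose allowed-address holds the
        longest prefix containing dst. No match means WireGuard drops the packet, whatever
        the IP routing table said."""
        d = ip_address(dst)
        best = None   # (peer name, prefix length)
        for name, nets in self.peers.items():
            for net in nets:
                if d in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None

    def accept_inbound(self, peer: str, inner_src: str) -> bool:
        """Inbound: after decrypting under this peer's key, the inner source address must
        lie inside that peer's allowed-address or the packet is silently dropped."""
        s = ip_address(inner_src)
        return any(s in net for net in self.peers[peer])


def rb5009_peer_openwrt(extra_allowed=()) -> WireGuardInterface:
    """The home RB5009 with its single peer entry for the work OpenWrt box."""
    wg = WireGuardInterface()
    wg.add_peer("openwrt-work", ["192.168.9.0/24", *extra_allowed])
    return wg


def site_peer_plus_full_tunnel() -> WireGuardInterface:
    """A site peer next to a peer allowed 0.0.0.0/0 (constructed to show overlap and spoofing)."""
    wg = WireGuardInterface()
    wg.add_peer("work", ["192.168.9.0/24"])
    wg.add_peer("exit", ["0.0.0.0/0"])
    return wg


if __name__ == "__main__":
    wg = rb5009_peer_openwrt()
    print("to 192.168.9.1   ->", wg.select_peer("192.168.9.1"))     # openwrt-work
    print("to 10.255.255.2  ->", wg.select_peer("10.255.255.2"))    # None: never sent
    print("reply from 10.255.255.2 accepted?",
          wg.accept_inbound("openwrt-work", "10.255.255.2"))        # False: dropped on arrival
    wg = rb5009_peer_openwrt(["10.255.255.0/24"])
    print("with 10.255.255.0/24 allowed ->", wg.select_peer("10.255.255.2"))   # openwrt-work
    wg = site_peer_plus_full_tunnel()
    print("192.168.9.9 ->", wg.select_peer("192.168.9.9"),
          "| 198.51.100.7 ->", wg.select_peer("198.51.100.7"))      # work | exit
    print("exit peer may claim src 192.168.88.1:",
          wg.accept_inbound("exit", "192.168.88.1"))                # True: no spoofing check left
```

The last line is the point to keep in mind when reading configs with `allowed-address=0.0.0.0/0` on a site-to-site peer: combine it with a broad forward-accept rule and the far side can source packets as any address on your LAN.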
 
ohkwarig
just joined
Topic Author
Posts: 8
Joined: Tue Nov 02, 2021 7:18 pm

Re: Wireguard Connection between two sites

Mon Nov 08, 2021 12:46 am

Ah, I got it! I had to move the wg0 interface on the work-client side into the LAN firewall zone.

For anyone who finds this in the future, here's the setup script I used on the OpenWRT side:

(I removed the preshared key code simply to remove a potential complicating factor. You could easily re-insert it.)
#!/bin/sh
#wireguard setup client
# from https://openwrt.org/docs/guide-user/services/vpn/wireguard/client

# Configuration parameters
WG_IF="wg0"
WG_SERV="SERVER_PUBLIC_ADDRESS"
WG_PORT="13231"
WG_ADDR="10.255.255.2/24"

# Generate keys
umask go=
#wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
if [ ! -f wgclient.key ]; then
  wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
else
  echo "wgclient.key already exists"
fi
#wg genpsk > wgclient.psk

# Client private key
WG_KEY="$(cat wgclient.key)"
 
# Pre-shared key
#WG_PSK="$(cat wgclient.psk)"
 
# Server public key
WG_PUB="REMOVED"

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
#uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
 
# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
#uci set network.wgserver.preshared_key="${WG_PSK}"
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="192.168.88.0/24"
uci add_list network.wgserver.allowed_ips="10.255.255.0/24"
#uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

echo "DONE?"
And then, if you want to move that interface into the lan firewall-zone -- please note that this carries with it potential security issues, though I don't believe any more issues than setting up routing properly.
#!/bin/sh
WG_IF="wg0"

uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart
Thanks so much to all who helped with this. I know OpenWRT is not the target audience for this board, but you all made it possible for me to work through this.

thanks again!
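As an added example (written for this page, not the OP's script and not OpenWrt code), here is the zone decision the OP ran into, modelled in Python on the stock OpenWrt firewall defaults: zone lan with input and forward ACCEPT, zone wan with input and forward REJECT, and a single lan->wan forwarding. Intra-zone traffic follows the zone's own forward policy; traffic between zones needs a matching forwarding section. With wg0 in wan (the first script) work can reach home, because lan->wan exists, but anything arriving on wg0 is rejected, which is the one-way behaviour rplant described. Moving wg0 into lan (the OP's fix) makes the remote site a full LAN member, including being able to forward out to the internet through work, which is the security issue the OP flagged. Going beyond the post, the third layout puts wg0 in its own zone with only the two forwardings site-to-site traffic needs; the zone name `wg` and its policies are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Zone:
    name: str
    networks: list                  # uci: firewall.<zone>.network
    input_policy: str = "REJECT"    # traffic addressed to the router itself
    forward_policy: str = "REJECT"  # traffic between two interfaces of this same zone


@dataclass
class Firewall:
    zones: dict = field(default_factory=dict)
    forwardings: set = field(default_factory=set)   # uci 'forwarding' sections: (src, dest)

    def add_zone(self, zone: Zone) -> None:
        self.zones[zone.name] = zone

    def add_forwarding(self, src: str, dest: str) -> None:
        self.forwardings.add((src, dest))

    def zone_of(self, iface: str) -> Optional[str]:
        return next((z.name for z in self.zones.values() if iface in z.networks), None)

    def input_allowed(self, in_if: str) -> bool:
        """Can a packet arriving on in_if reach the router's own services (e.g. ping it)?"""
        z = self.zone_of(in_if)
        return z is not None and self.zones[z].input_policy == "ACCEPT"

    def forward_allowed(self, in_if: str, out_if: str) -> bool:
        """Can a packet arriving on in_if be forwarded out of out_if?"""
        src, dest = self.zone_of(in_if), self.zone_of(out_if)
        if src is None or dest is None:
            return False               # an interface in no zone falls to the global REJECT
        if src == dest:
            return self.zones[src].forward_policy == "ACCEPT"
        return (src, dest) in self.forwardings


def openwrt_with_wg0_in(zone: str) -> Firewall:
    """Stock zones with wg0 placed in 'wan' (first script), 'lan' (the OP's fix) or a
    dedicated 'wg' zone (this example's suggestion, not from the thread)."""
    fw = Firewall()
    fw.add_zone(Zone("lan", ["lan"] + (["wg0"] if zone == "lan" else []),
                     input_policy="ACCEPT", forward_policy="ACCEPT"))
    fw.add_zone(Zone("wan", ["wan", "wan6"] + (["wg0"] if zone == "wan" else [])))
    fw.add_forwarding("lan", "wan")
    if zone == "wg":
        # input ACCEPT so the router answers pings on its tunnel address; tighten to
        # REJECT plus an ICMP rule if the remote site must not reach its services.
        fw.add_zone(Zone("wg", ["wg0"], input_policy="ACCEPT"))
        fw.add_forwarding("lan", "wg")   # work LAN -> home LAN
        fw.add_forwarding("wg", "lan")   # home LAN -> work LAN; no wg -> wan, so no internet via work
    return fw


if __name__ == "__main__":
    for placement in ("wan", "lan", "wg"):
        fw = openwrt_with_wg0_in(placement)
        print(f"wg0 in {placement:3}: lan->wg0 {fw.forward_allowed('lan', 'wg0')!s:5} "
              f"wg0->lan {fw.forward_allowed('wg0', 'lan')!s:5} "
              f"wg0->wan {fw.forward_allowed('wg0', 'wan')!s:5} "
              f"ping router via wg0 {fw.input_allowed('wg0')}")
```

On a real box the dedicated-zone variant is the same uci sequence as the OP's second script, with `firewall.lan.network` replaced by a new zone section plus two `forwarding` sections, and it is what I would deploy for a site-to-site link: the other site gets exactly the paths the link is for and nothing else.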
 
Halfeez92
Member Candidate
Posts: 101
Joined: Tue Oct 30, 2012 12:58 pm
Location: 127.0.0.1

Re: Wireguard Connection between two sites

Mon Nov 08, 2021 2:03 pm

Absolutely no need for an address on the WG interface.
The RB5009 setup I recommended will route all traffic from 192.168.88.0/24 through the tunnel whenever a destination address of 192.168.9.0/24 is utilized.

That is what the OP wants! Why are you assuming different requirements??

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Furthermore, I know jack squat about openwrt settings but if this was instead an MT router.
Here is how I would handle it from an MT wireguard router perspective (SERVER).

Besides the normal ALLOW RULE in the input chain in-interface-list=WAN, UDP for the listening port
{note: If the MT router was behind an ISP router, the ISP router would have to port forward the listening port udp to the MT router.}

WIREGUARD ROUTER (server)
Wireguard Settings
- name required, so use WG-Server
-Listen port xxxxxx
- Private key {internal use}
- Public Key ( for use on the RB5009 client router)

Peer Settings
- Interface, from above WG-Server
- Public Key (provided by the RB5009)
- Endpoint the WANIP of the RB5009, I would use the ip cloud name for the router (free dyndns name)
- Endpoint port, not required.
- Allowed address 192.168.88.0/24 (the subnet that will be coming through the tunnel)

No requirement to state any IP address for this WG interface either.
Two other requirements need to be addressed:
(1) Forward chain firewall rule to ensure client traffic is allowed to reach server LAN subnet.
add chain=forward action=accept in-interface=WG-Server dst-address=192.168.9.0/24

(2) Route rule on Server router to ensure return traffic does indeed go back through the tunnel.
dst-address=192.168.88.0/24 Gateway=WG-Server
I don't understand. Why, in my environment, when I try not to put an IP address on the wg interface and then create a route using the wg interface, do I get error 22 (invalid argument)?
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Connection between two sites

Mon Nov 08, 2021 2:24 pm

Show your config, can't help without it.
 
Halfeez92
Member Candidate
Posts: 101
Joined: Tue Oct 30, 2012 12:58 pm
Location: 127.0.0.1

Re: Wireguard Connection between two sites

Mon Nov 08, 2021 3:29 pm

Show your config, can't help without it.
This is my Work CHR (both of them are in a virtual lab)
# nov/08/2021 13:26:43 by RouterOS 7.1rc4
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.244.130 endpoint-port=13231 interface=wireguard1 public-key="LF4YC4zRBTIkWkRfYh+O6MFlgb3eHjXAuslYj+GpmD8="
/ip address
add address=192.168.12.1/24 interface=bridge1 network=192.168.12.0
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
/ip route
add disabled=no distance=1 dst-address=192.168.13.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name=Work
/system logging
add topics=wireguard
This is my Home CHR
# nov/08/2021 13:28:03 by RouterOS 7.1rc4
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.244.128 endpoint-port=13231 interface=wireguard1 public-key="G0u/uLbWi81NwQqFI4fmNxNEUOUo5+U2u3R2WYqweDY="
/ip address
add address=192.168.13.1/24 interface=bridge1 network=192.168.13.0
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
/ip route
add disabled=no distance=1 dst-address=192.168.12.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name=Home
 
anav
Forum Guru
Posts: 19107
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Connection between two sites

Mon Nov 08, 2021 4:57 pm

Which one do you consider the Server and the Peer for the initial connection?

What type of tunnel are you looking for.
a. CHR home to go out via the CHR work internet?
b. CHR home to access CHR work Lan subnets?

or vice versa

c. CHR work to go out via the CHR home internet?
d. CHR work to access CHR home LAN subnets
