Community discussions

tilat
just joined
Topic Author
Posts: 1
Joined: Sun Dec 12, 2021 10:15 pm

Route all traffic via Wireguard interface

Tue Dec 21, 2021 8:46 pm

Hi all,

I am trying to route all traffic through the wireguard interface.

Device: mikrotik hex s

Configuration:
# dec/21/2021 21:26:00 by RouterOS 7.1
# software id = B44A-P90U
#
# model = RB760iGS

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] l2mtu=2026 mtu=2026
set [ find default-name=ether2 ] l2mtu=2026 mtu=2026
set [ find default-name=ether3 ] l2mtu=2026 mtu=2026
set [ find default-name=ether4 ] l2mtu=2026 mtu=2026
set [ find default-name=ether5 ] l2mtu=2026 mtu=2026
set [ find default-name=sfp1 ] disabled=yes l2mtu=2026 mtu=2026
/interface wireguard
add listen-port=13231 mtu=2026 name=wg0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=1d name=dhcp1
/port
set 0 name=serial0
/routing table
add disabled=no fib name=via-wg
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=77.zz.xx.yy endpoint-port=\
    63665 interface=wg0 persistent-keepalive=3s public-key=\
    "some_public_key="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.0.1.3/24 interface=wg0 network=10.0.1.0
/ip dhcp-client
add default-route-distance=10 interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.9.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" \
    routing-table=via-wg scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe
WHERE
10.0.1.3 is the IP of my router on the wg0 interface;
10.0.1.1 is the IP of my remote host on the wg0 interface;
192.168.9.1 is the IP of the default gateway from the ISP.
The wg interface is working as expected (I can ping the remote host from the router).

Routes:
[admin@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS     GATEWAY      DISTANCE
0  As 0.0.0.0/0       192.168.9.1        10
  DAc 10.0.1.0/24     wg0                 0
  DAc 192.168.1.0/24  bridge1             0
  DAc 192.168.9.0/24  ether1              0
1  As 0.0.0.0/0       wg0                 1

Symptoms: 
 1. If I add a route "0.0.0.0/0   wg0" to the default table main, then I can't ping the host 8.8.8.8.
 2. If I add a route "0.0.0.0/0   wg0" to the table "via-wg", then I can't ping the host 8.8.8.8.
 
Question: Could someone explain what should be done in order to route all traffic via wg tunnel? 
 
NB: I've already read several posts on this forum, and it looks like I should use a routing table. But I don't have a full understanding of how exactly it should be done; I'm not a network engineer.
Thanks for any help in advance.
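A client-side configuration that addresses both symptoms, as an added example; this is not the OP's export nor any replier's configuration. It reuses the names from the export (bridge1, ether1, wg0, routing table via-wg, LAN 192.168.1.0/24, wg0 address 10.0.1.3/24, peer endpoint 77.zz.xx.yy:63665 with the OP's placeholders kept as posted) and makes two assumptions that are labelled in the comments: the remote peer accepts packets from source 10.0.1.3 (the client masquerades onto wg0), and the remote peer 10.0.1.1 runs a DNS resolver. What the export itself shows: there is no /routing rule, so the via-wg table is never consulted by any packet (symptom 2); a wg0 default route in main also captures the router's own encrypted UDP packets to the endpoint (symptom 1); there is no /ip firewall filter at all, so with allow-remote-requests=yes the router answers DNS, and exposes management, on the ISP side of ether1.

```routeros
# Added example (not the OP's export). Names as in the OP's config: bridge1,
# ether1, wg0, table via-wg, LAN 192.168.1.0/24, wg0 = 10.0.1.3/24,
# endpoint 77.zz.xx.yy:63665 (the OP's placeholders, kept as posted).

# 0. MTU: the OP's wg0 mtu=2026 is larger than a 1500-byte ISP path, so every
#    full-size encrypted packet would be fragmented. 1420 is the WireGuard
#    default and leaves room for the UDP/IP overhead.
/interface wireguard
set wg0 mtu=1420

# 1. Keep the wg0 default route OUT of main. The router's own encrypted UDP
#    packets to 77.zz.xx.yy are routed by main; a wg0 default there sends them
#    into the very tunnel they carry (symptom 1). Main keeps the ISP default
#    learned by the DHCP client. (The OP already has these two entries.)
/routing table
add name=via-wg fib
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=via-wg

# 2. Something must SELECT via-wg. The export has no /routing rule, so nothing
#    ever consults that table (symptom 2). Match LAN sources.
#    lookup-only-in-table = fail closed (no tunnel, no internet, as anav
#    describes); use action=lookup instead to fall back to main.
/routing rule
add dst-address=192.168.1.0/24 action=lookup table=main comment="traffic for the LAN itself stays in main"
add src-address=192.168.1.0/24 action=lookup-only-in-table table=via-wg comment="LAN -> tunnel, fail closed"

# 3. Source NAT onto the tunnel address. WireGuard drops packets whose inner
#    source is outside the peer's allowed-address; masquerading to 10.0.1.3
#    means the remote side only needs 10.0.1.3/32 in its allowed-address
#    (ASSUMPTION: the remote peer lists it). The OP's ether1 masquerade stays.
/ip firewall nat
add chain=srcnat out-interface=wg0 action=masquerade comment="LAN -> wg0"

# 4. DNS. LAN clients ask 192.168.1.1, but the router's upstream queries are
#    sourced from the router (not from 192.168.1.0/24), miss the rule above and
#    follow main to the ISP resolvers. ASSUMPTION: 10.0.1.1 runs a resolver;
#    it is reached through the connected 10.0.1.0/24 route, i.e. inside the tunnel.
/ip dns
set servers=10.0.1.1
/ip dhcp-client
set [ find interface=ether1 ] use-peer-dns=no

# 5. Minimal input policy; the export has none. A WireGuard client needs no
#    inbound port, so nothing unsolicited from ether1 is accepted.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 action=drop comment="no unsolicited traffic from WAN"

# Checks. The ping/traceroute are sourced from the LAN address so they match
# the routing rule; the first hop must be the far end of the tunnel, not 192.168.9.1.
/routing rule print
/ip route print where routing-table=via-wg
/interface wireguard peers print
/ping 8.8.8.8 src-address=192.168.1.1 count=3
/tool traceroute 8.8.8.8 src-address=192.168.1.1
```

If the remote side is configured the way anav describes, with 192.168.1.0/24 in its allowed-address, drop the wg0 masquerade rule; everything else is unchanged. No static host route for the endpoint is needed in this layout, because main never contains the wg0 default and the ISP default remains the DHCP-learned one.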
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route all traffic via Wireguard interface

Fri Dec 24, 2021 9:55 pm

You can find some inspiration here: viewtopic.php?t=181205 (I recommend mainly my posts :))
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route all traffic via Wireguard interface

Sat Dec 25, 2021 12:32 am

Mind you, the diagram from this post is very comprehensive, and look ma, NO HANDS (well, no IP addresses for the wg interface were used or harmed in that photo) ;-)

viewtopic.php?t=174417#p859788

Cheers
and Merry Xmas, Sob
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route all traffic via Wireguard interface

Sat Dec 25, 2021 1:11 am

What's with the address and WG interface?

Merry Xmas to you too, and here, have a lovely picture:
xmas.png
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route all traffic via Wireguard interface

Sun Dec 26, 2021 9:46 pm

It's always good to have options............
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route all traffic via Wireguard interface

Sun Dec 26, 2021 10:34 pm

I don't think it answers the question.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route all traffic via Wireguard interface

Tue Dec 28, 2021 3:38 pm

The problem for me is that the OP has not fully described the WG setup.
I see ONE device only described, and it's not clear to me if his hex is a Server Router or a Client Router.
It is not clear what the other device or end of this tunnel consists of.

He does have the listening port configured, which tells me the hex router is probably acting as a server.

Then he has WireGuard peers set up, but with the WRONG setup for allowed addresses (from the server perspective)..........
Then he has an endpoint set up, which makes me think this is a Client Router.

Hence the confusion.

Finally, the IP route he has (0.0.0.0/0 via the wg interface, etc.)........
tells me that the device is actually a CLIENT ROUTER.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In conclusion, things are close, and it may be on the host side where things need to be amended?

The correct config, assuming his is a client router and he wants to send all his internet-bound traffic through the Remote SERVER connection.......

HEX Router

WIREGUARD INTERFACE
name: wg0
(no listening port required - client)
Private Key (YES but only for internal use)
Public Key (Yes, this is needed at the remote host and should be given to the remote host/service)

PEER INTERFACE
interface: wg0
Public Key: This is the public key given to the OP, FROM the remote Device or Service
Endpoint: 77.xx WAN IP or URL of remote device/service
Endpoint Port: 63655
Allowed Address: 0.0.0.0/0
Persistent Keepalive: use something like 30 secs.....


The IP route the OP has is good, although I would do it slightly differently.
If the connection through WireGuard goes down, the users will get internet through the main table.
If this is not desired (and he wants: if no wg tunnel, then no internet), then the OP should use a Routing Rule ......... lookup-only-in-table with the source address of the LAN subnet.............

I would delete the WG IP address; it's not required and just gets in the way.
add address=10.0.1.3/24 interface=wg0 network=10.0.1.0

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The key to get this to work is at the remote site setup.........which we seemingly know nothing about.
I will attempt to delineate a Remote Server setup.....

WIREGUARD INTERFACE
name: wgRemote
listening port: 63655
Private Key (YES but only for internal use)
Public Key (Yes, this is needed at the client site)

PEER INTERFACE
interface: wgRemote
Public Key: This is the public key from the OP given to the Server device/service.
Allowed Address: 192.168.1.0/24
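The remote end anav sketches above, written out as an added example for a RouterOS box acting as the server. This is not code from any post, and the OP's actual remote host may be something else entirely. Assumed values, not from the thread: interface name wgRemote, WAN interface ether1, tunnel address 10.0.1.1/24, a server-side LAN of 192.168.88.0/24, and <hex-public-key> standing for the public key of the OP's wg0 interface. The listen port is the OP's endpoint-port 63665. The allowed-address covers both the client's tunnel address (if the hEX masquerades onto wg0) and its LAN (anav's un-NATed variant); the latter is why a route back to 192.168.1.0/24 is also needed.

```routeros
# Added example: a RouterOS peer acting as the remote SERVER for the OP's hEX.
# ASSUMED (not from the thread): wgRemote, WAN = ether1, 10.0.1.1/24,
# server LAN 192.168.88.0/24, <hex-public-key> = public key of the OP's wg0.
# RouterOS generates the interface's private key on add; only the public key
# is ever copied to the other side.
/interface wireguard
add name=wgRemote listen-port=63665 mtu=1420
/ip address
add address=10.0.1.1/24 interface=wgRemote

# allowed-address is WireGuard's crypto-key routing: decrypted packets from
# this peer are accepted only if their inner source lies in the list, and
# packets are encrypted to this peer only for destinations in the list.
# 10.0.1.3/32 serves the masquerading client, 192.168.1.0/24 the un-NATed one.
/interface wireguard peers
add interface=wgRemote public-key="<hex-public-key>" \
    allowed-address=10.0.1.3/32,192.168.1.0/24

# Return path for the un-NATed LAN; without it, replies to 192.168.1.x follow
# the server's own default route to the internet instead of the tunnel.
/ip route
add dst-address=192.168.1.0/24 gateway=wgRemote

# This is where tunnelled traffic leaves for the internet.
/ip firewall nat
add chain=srcnat src-address=10.0.1.0/24 out-interface=ether1 action=masquerade
add chain=srcnat src-address=192.168.1.0/24 out-interface=ether1 action=masquerade

# Only the WireGuard port is reachable from the internet. Tunnel clients may
# reach the internet but not this site's LAN (assumed 192.168.88.0/24).
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=udp dst-port=63665 action=accept comment="WireGuard"
add chain=input in-interface=ether1 action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=wgRemote dst-address=192.168.88.0/24 action=drop
add chain=forward in-interface=wgRemote out-interface=ether1 action=accept

# Checks: a recent last-handshake with growing rx/tx means the keys and the
# endpoint match; packets counted on the srcnat rules mean the client's routing
# rule is really sending LAN traffic down the tunnel and not just the router's pings.
/interface wireguard peers print detail
/ip firewall nat print stats
/ip firewall filter print stats
```

If the hEX keeps its wg0 masquerade, the 192.168.1.0/24 entries (allowed-address, route, second srcnat rule) are unused and can be dropped; keeping allowed-address as tight as possible is what stops a compromised or misconfigured client from injecting packets with arbitrary inner source addresses.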
