gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Wireguard VPN setup

Wed Jan 05, 2022 11:15 am

Hi,

I'm trying to access my office test network from my home and MikroTik's default VPN is working like a charm, but I've read that it is not very secure, so I would like to create a VPN connection using WireGuard.

Problem is, all the tutorials that I have found are site-to-site, or between two routers. I only need to connect from my laptop to the network, but in a more secure way.

Right now I'm using the MikroTik VPN, but I'm using my own DDNS (NO-IP) and I'm connecting to the network via the Windows built-in VPN client.

Is there any trusted tutorial on how to configure WireGuard? Or is it better for me to add another router at home?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Wireguard VPN setup

Wed Jan 05, 2022 11:18 am

The default VPN checkbox in Quick Set activates IPsec. Arguably it is the most secure VPN.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Wed Jan 05, 2022 11:40 am

So basically there is no need for WireGuard in my case?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Wireguard VPN setup

Wed Jan 05, 2022 11:49 am

Yes, use the Windows built-in L2TP+IPsec client, like this:
https://www.watchguard.com/help/docs/he ... n10_c.html

It is very secure and easier to use too.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Wed Jan 05, 2022 12:36 pm

OK, I tried that, but I can't connect.

I'm using Windows 11, and when I need to select the VPN type I have "L2TP/IPsec with certificate" and "L2TP/IPsec with pre-shared key".

I select L2TP/IPsec with pre-shared key, but where do I get that key? I entered my password and when I tried to connect I got an error message in Windows saying: "The network connection between your computer and the VPN server could not be established because the remote server is not responding."

In the router log I get this:
respond new phase 1 (Identity protection): <WAN address of the router I want to connect to>[500]<=><WAN address of the client PC>[20042]
ISAKMP-SA established <WAN address of the router I want to connect to>[4500]-<WAN address of the client PC>[20059] spi:<long sequence of random numbers and letters>

Then when I get the error:
purging ISAKMP-SA <WAN address of the router I want to connect to>[4500]-<WAN address of the client PC>[20059] spi:<long sequence of random numbers and letters>
ISAKMP-SA deleted <WAN address of the router I want to connect to>[4500]-<WAN address of the client PC>[20059] spi:<long sequence of random numbers and letters> rekey:1

Also, after 20 minutes I started to get pptp,ppp errors, "user 12345678 auth failed", as someone is trying to connect to the router.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN setup

Wed Jan 05, 2022 2:21 pm

Do you configure the MT router at work?
If so, WireGuard is very easy to implement.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Wed Jan 05, 2022 3:19 pm

I have some basic knowledge about networking and my VPN setup was basic: enabling VPN on the Quick Set page, setting up a password, adding an address pool for the VPN connection and configuring the Windows client (setting the VPN type to Automatic and entering the username and password). But with that type of connection the router was showing that I'm using PPTP, and I wanted something more secure.

Unfortunately, advanced stuff like this is out of my league and I'm not sure if the tutorials on YouTube are trustworthy, as I don't want to make our network vulnerable. I was looking at tutorials, but for now all of them involve two routers.

I have the default firewall rules installed on the router.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN setup

Wed Jan 05, 2022 5:16 pm

The question was:
a. Do you control and have legitimate access to the router at work?

The ask is:
b. Post your router's config:
/export hide-sensitive file=anynameyouwish
(and be sure to remove any public IPs showing)

The comment is:
c. Best move you ever made was to avoid YouTube before learning about the config on the router... too many rabbit holes.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Wed Jan 05, 2022 6:06 pm

A. Yes, I'm the only one with access to the router.

B. I can't post it until Monday, as tomorrow is a national holiday, but I have one router at home and I can set it up tomorrow and try to make a VPN at home between that router and a laptop.

C. Yeah, I found videos from MikroTik on YouTube, I think that I can trust them, but the others, who knows.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Wireguard VPN setup

Thu Jan 06, 2022 1:04 am

@gigabyte091
I select L2TP/IPsec with pre-shared key, but where do I get that key? I entered my password and when I tried to connect I got an error message in Windows saying: "The network connection between your computer and the VPN server could not be established because the remote server is not responding."
[attached screenshot: 2022-01-06_02-28-59.png]
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Thu Jan 06, 2022 8:08 am

So this is my current setup: I have this router at home, it's new out of the box so there is no configuration besides the default one. I copied the key and when I paste it I get the VPN address from the Quick Set menu. Now when I tried to connect to the router (I didn't use that VPN address but my public address) I get this error from Windows: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

Below is the config:

# jan/06/2022 06:55:02 by RouterOS 7.1.1
# software id = KL0T-VH4S
#
# model = RBD53iG-5HacD2HnD
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-7E5179 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-7E517A \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set enabled=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Thu Jan 06, 2022 2:04 pm

It's a bit incomplete. It should be better with this:
/ppp profile
add local-address=192.168.89.1 name=vpn remote-address=vpn
/ppp secret
add name=<l2tpusername> password=<l2tppassword> profile=vpn service=l2tp
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes ipsec-secret=<ipsecsecret> use-ipsec=required
Also add ipsec-policy=in,ipsec to the firewall rule for port 1701, because you want L2TP only with IPsec. And don't forget to disable PPTP and SSTP if you don't plan to use them.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Wireguard VPN setup

Thu Jan 06, 2022 2:34 pm

I've read that it is not very secure

Post your reference.

Once you drill down past the one-click canned feature in MT's GUIs, you'll find that IPSec over L2TP is complicated. You can say just about anything you like about it and be correct for some given configuration.

Contrast WireGuard, which has only one common configuration. We can thus make general statements about its security without getting caught up in quibbling about configuration details.

Is WireGuard more secure than IPSec? Maybe! Send your configuration to a cryptanalyst along with a large check, and you might get an answer.

I would like to create a VPN connection using WireGuard.

I posted a very simple configuration here. If your MT router is on the border, you can drop the src-nat rule, simplifying it further. Or, see the post at the top of the thread for more ideas.

is it better for me to add another router at home ?

WireGuard lets you treat either end as the "server" part. The choice of best configuration simply depends on which end is easier to point at. If one end has a stable public IP, that's the better end as compared to one behind NAT with a dynamic public IP.

But, you can get around that too, as your comments about dynamic DNS suggest. My posted configuration accounts for that.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN setup

Thu Jan 06, 2022 3:08 pm

WireGuard lets you treat either end as the "server" part. The choice of best configuration simply depends on which end is easier to point at. If one end has a stable public IP, that's the better end as compared to one behind NAT with a dynamic public IP.
This is an important point, the concept of server/peer is really only valid for the initial process of connecting. Once established one can move traffic back and forth only limited by your ability to configure the two ends of the tunnel (configs on MT routers). Very flexible!!

As for WG not being secure, stop reading scribbles on toilet walls in bus stations ;-PP
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Thu Jan 06, 2022 3:18 pm

Once you drill down past the one-click canned feature in MT's GUIs, you'll find that IPSec over L2TP is complicated.
Sort of, yes, but the option to simply specify an IPsec secret for the L2TP server, and have the system configure the rest of IPsec automatically, makes the whole thing much easier. And it works, so it's good. The upside is that you don't have to install any extra software on the client, which can sometimes help.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Thu Jan 06, 2022 3:46 pm

So, this is the config after the changes @Sob suggested:
# jan/06/2022 14:22:55 by RouterOS 7.1.1
# software id = KL0T-VH4S
#
# model = RBD53iG-5HacD2HnD
# serial number = xxxxxxxxxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-7E5179 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-7E517A \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=vpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn profile=default-encryption service=l2tp
add name=l2tp profile=vpn service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Now I'm getting: "phase 1 negotiation failed due to time up". I made a new VPN connection on the client PC with the pre-shared key I entered during setup.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Thu Jan 06, 2022 4:44 pm

The rule you changed from the original port 4500 is wrong; it was correct before. I meant to change the original rule for port 1701. Both ports 500 and 4500 can also be combined in one rule. And I forgot one more, even though it probably won't be used much, because the client is usually going to be behind NAT. So the right rules you need are:
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept
add chain=input protocol=ipsec-esp action=accept
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Thu Jan 06, 2022 5:15 pm

New config:
# jan/06/2022 16:03:04 by RouterOS 7.1.1
# software id = KL0T-VH4S
#
# model = RBD53iG-5HacD2HnD
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-7E5179 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-7E517A \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=vpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input dst-port=500,450 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec protocol=\
    udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn profile=default-encryption service=l2tp
add name=l2tp profile=vpn service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Log output is now (short version):

When I click connect, on the router I get almost instantly:
respond new phase 1 (Identity protection):192.168.1.104[500]<=>xxx.xxx.xxx.xxx[3255]
ISAKMP-SA established 192.168.1.104[4500]-xxx.xxx.xxx.xxx[16825] spi:xxxxxxxxxxxxxxxxxxxxxxxxxx

then after some time:
purging ISAKMP-SA 192.168.1.104[4500]-xxx.xxx.xxx.xxx[16825] spi:xxxxxxxxxxxxxxxxxxxxxxxxxx
ISAKMP-SA deleted 192.168.1.104[4500]-xxx.xxx.xxx.xxx[16825] spi:xxxxxxxxxxxxxxxxxxxxxxxxxx rekey:1

Then this process goes one more time and after that Windows displays the error.

This router is connected to my ISP's DSL router, but I assigned a static IP address to my MikroTik and I put that IP address in the DMZ, so the ISP router's firewall shouldn't be a problem.

Is it maybe a problem that I checked the VPN box at first setup? I can see now that after all the config changes the box is not checked anymore.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup  [SOLVED]

Thu Jan 06, 2022 5:27 pm

That's a problem with the client. Microsoft assumes that the server has a public address directly, i.e. it's not behind NAT. And when it is, Windows needs to be told to work with it:

https://docs.microsoft.com/en-us/troubl ... t-t-device

You want value 2. I don't understand why they didn't change the defaults already. It doesn't really reinforce the claim that L2TP/IPsec is easy to use. :)
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Thu Jan 06, 2022 5:36 pm

One more thing: I didn't examine the latest config at first, but now I quickly checked it, and the added firewall rules are in the wrong place. The order of firewall rules matters. They should be where your original ones for the given ports are. But since you already have yours, remove mine and just update yours for port 1701 (add ipsec-policy=in,ipsec to it). You can keep mine for protocol=ipsec-esp, but I think it probably won't do anything for a server behind NAT (I'm almost sure, but not entirely 100% sure).
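
Sob's points in this and the earlier replies (the VPN accept rules must sit before the default "drop all not coming from LAN" rule, the udp/1701 rule must carry ipsec-policy=in,ipsec, the L2TP server should require IPsec, and PPTP should be switched off) can be checked mechanically against an export instead of by eye. The script below is an added example written for this page, not code from the thread or from MikroTik. The two embedded exports are constructed to mirror the firewall and server sections posted mid-thread (including the dst-port=500,450 typo, which the lint reports as an unreachable port 4500) and in the final working config; the parser assumes only the RouterOS 7 export syntax visible in the posts (backslash line continuations, quoted comments, add/set verbs under a /section header).

```python
"""Lint a RouterOS export for the L2TP/IPsec mistakes discussed in the thread: accept
rules placed after the default "drop all not coming from LAN" rule, udp/1701 accepted
without IPsec, unreachable IKE/NAT-T ports, no use-ipsec=required, PPTP left enabled."""
import re
import shlex

# Constructed sample exports for this example (not the thread's full configs).
# BAD_EXPORT mirrors the mid-thread state: accept rules appended after the
# catch-all drop, udp/1701 without ipsec-policy, the "500,450" typo, PPTP on.
BAD_EXPORT = r"""
/interface l2tp-server server
set enabled=yes
/interface pptp-server server
set enabled=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input dst-port=500,450 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec protocol=udp
"""

# GOOD_EXPORT mirrors the working order from the final config in the thread.
GOOD_EXPORT = r"""
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=required
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
"""

VPN_PORTS = {"500": "IKE", "4500": "IPsec NAT-T", "1701": "L2TP"}


def parse_export(text):
    """Return {section: [(verb, {key: value}), ...]} with backslash continuations
    folded, '#' comments skipped and rule order preserved."""
    folded = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for raw in folded.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        verb, *args = shlex.split(line)  # shlex keeps a quoted comment as one token
        sections[current].append((verb, dict(a.partition("=")[::2] for a in args)))
    return sections


def lint_export(text):
    """Return a list of findings; [] means the export has the shape the thread converged on."""
    sections = parse_export(text)
    findings = []
    for verb, s in sections.get("/interface l2tp-server server", []):
        if verb == "set" and s.get("enabled") == "yes" and s.get("use-ipsec") != "required":
            findings.append("l2tp-server is enabled without use-ipsec=required")
    for verb, s in sections.get("/interface pptp-server server", []):
        if verb == "set" and s.get("enabled") == "yes":
            findings.append("pptp-server is still enabled")
    chain = [s for v, s in sections.get("/ip firewall filter", [])
             if v == "add" and s.get("chain") == "input"]
    # Anything placed after the default catch-all drop in the input chain is dead.
    drop_idx = next((i for i, s in enumerate(chain) if s.get("action") == "drop"
                     and s.get("in-interface-list") == "!LAN"), None)
    if drop_idx is None:
        findings.append("input chain has no catch-all 'drop all not coming from LAN' rule")
    reachable = set()
    for i, s in enumerate(chain):
        proto, ports = s.get("protocol"), {p for p in s.get("dst-port", "").split(",") if p}
        if s.get("action") != "accept" or not (proto == "ipsec-esp" or ports & set(VPN_PORTS)):
            continue
        label = proto + (" " + ",".join(sorted(ports)) if ports else "")
        if drop_idx is not None and i > drop_idx:
            findings.append(f"accept {label} sits after the catch-all drop and never matches")
        else:
            reachable |= ports
        if "1701" in ports and s.get("ipsec-policy") != "in,ipsec":
            findings.append("accept udp 1701 lacks ipsec-policy=in,ipsec, so plaintext L2TP is accepted")
    for port, name in VPN_PORTS.items():
        if port not in reachable:
            findings.append(f"no reachable accept for udp/{port} ({name})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("bad", BAD_EXPORT), ("good", GOOD_EXPORT)):
        print(f"{name}: {lint_export(cfg) or 'OK'}")
```

To run it against a real router, save the output of `/export hide-sensitive file=export` and call `lint_export(open("export.rsc").read())`; an empty list is the pass condition, and each finding names the rule so it can be moved or corrected in Winbox or the CLI. The bare ESP check is deliberately lenient, matching Sob's remark that the rule is harmless but rarely used when the server is behind NAT.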
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Thu Jan 06, 2022 6:33 pm

It works!!!! :D :D :D :D :D

So all this time the problem was with Windows? As I was getting the same error in Windows and the same log entry in the router.

I tried before I changed the firewall rules, as I had just seen your post, but it works. I deleted all the rules and updated mine as you instructed. Here is the latest config:
# jan/06/2022 17:28:06 by RouterOS 7.1.1
# software id = KL0T-VH4S
#
# model = RBD53iG-5HacD2HnD
# serial number = xxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-7E5179 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-7E517A \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=vpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn profile=vpn service=l2tp
add name=l2tp profile=vpn service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Only problem is, when I ping 192.168.88.1 I get a response; the second time I try to ping, half of the packets are dropped. And the PC that is on 192.168.88.249 can't be pinged.
Also, I can ping 192.168.1.0 addresses; I presume I have to make a firewall rule so I can't ping outside 192.168.88.0.
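To turn the rule gigabyte091 is asking about into configuration, here is an added example (not from this thread, from MikroTik's documentation, or from any poster's config) that limits L2TP/IPsec clients from the 192.168.89.0/24 pool shown in the export above to the 192.168.88.0/24 LAN, and additionally lets them query the router's own DNS, which the default "drop all not coming from LAN" input rule would otherwise drop because the dynamic l2tp-in interface is not in the LAN list. The `place-before` lookups use the defconf comments from the export; adjust them if your comments differ.

```routeros
# Added example: restrict L2TP/IPsec clients to the LAN only.
# Assumes the VPN pool (192.168.89.0/24) and LAN (192.168.88.0/24) from the export.
/ip firewall filter
# Drop any NEW connection from a VPN client that is not headed for the LAN.
# Matching only connection-state=new keeps replies and already-accepted flows on
# the fasttrack path; placing the rule before fasttrack means a new flow is
# judged here first.
add chain=forward action=drop connection-state=new \
    src-address=192.168.89.0/24 dst-address=!192.168.88.0/24 \
    comment="VPN clients: LAN only" \
    place-before=[find comment="defconf: fasttrack"]
# Let VPN clients resolve names via the router (192.168.88.1). Without this the
# defconf "drop all not coming from LAN" rule drops the query, because the
# dynamic l2tp-in interface is not a member of the LAN interface list.
add chain=input action=accept protocol=udp dst-port=53 \
    src-address=192.168.89.0/24 comment="VPN clients: DNS to router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
# Check that both rules landed above the defconf rules and are seeing traffic.
/ip firewall filter print stats where comment~"VPN clients"
```

The drop rule is deliberately written as "everything except the LAN" rather than as a list of forbidden networks, so a new upstream subnet (such as the 192.168.1.0/24 seen in the test) does not need a rule of its own; the `print stats` counters are the quickest way to confirm a client's packets are actually hitting the rule you expect.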
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN setup

Thu Jan 06, 2022 7:12 pm

YEAH!! Success.
Now go to the hospital to suture up the head wounds from banging your head against the L2TP VPN wall.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Thu Jan 06, 2022 7:38 pm

A non-pingable PC can be because of the PC's own firewall; it's another weird default config in Windows. I don't see any explanation for dropped pings to 192.168.88.1 in your config.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Thu Jan 06, 2022 8:16 pm

Well, maybe the problem is that I'm using a mobile phone as a hotspot for the client laptop. And I was getting ping values from 49 ms up to 300 ms.

This was only the test setup; now I need to replicate this on Monday on my office router. I'm also using the VPN address provided by MikroTik; I think there is no need for a dedicated DDNS.

Can I disable the PPTP and SSTP firewall rules, because I'm not using those, so there is no need for them to be active?

@anav
I think this was a good experience, but as I work with electronics and programming microcontrollers I learned how to keep my head cool, so no need for a trip to the ER hehe
I definitely learned a lot today, and thank you all for your help and patience. I think that the topic should be called L2TP VPN setup.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN setup

Thu Jan 06, 2022 9:17 pm

No worries, always good to make progress, and yes, it's always a good idea to disable services not being used.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Mon Jan 10, 2022 8:01 am

Tested on my office network and it's working like a charm. I only modified the username, password and IPsec secret (I created a random 40-char key for that) so that I'm not using the default username "vpn", and I disabled the PPTP and SSTP servers and disabled their firewall rules.

Now, in the city where the mobile network signal is better, there are no dropped pings.

Only one thing that I noticed: I can't connect using MikroTik's VPN address. When I tried to ping it from the client PC I got MikroTik's WAN address (192.168.10.8 in my case), but when I tried to ping my DDNS address I got my normal public IP and I could connect. At home, when I ping the test router's VPN address, I get my public IP.

At work we have a hybrid DSL/LTE router; I have assigned a static IP to the MikroTik and put that IP in the DMZ so the router from the ISP forwards all ports to the MikroTik (no devices are connected to the ISP router except the MikroTik). I did that at home while testing and it was working.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Mon Jan 10, 2022 4:26 pm

I'm not sure if I understand you, but of course you need to be using a public address (or DDNS hostname); private ones are not reachable from the internet. If I misunderstood what you're trying to say, try to explain it in more detail.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Tue Jan 11, 2022 8:13 am

I thought that the VPN address on the Quickset page can be used instead of a dedicated DDNS service.

At my home test setup I use that address instead of DDNS and it was working.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard VPN setup

Tue Jan 11, 2022 8:33 am

I thought that the VPN address on the Quickset page can be used instead of a dedicated DDNS service.

At my home test setup I use that address instead of DDNS and it was working.
That is MikroTik's own DDNS service.
Check IP/Cloud; you will see it there again.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Tue Jan 11, 2022 1:21 pm

Yes, your <something>.sn.mynetname.net should work too; it should resolve to the same public address as the other DDNS you use.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Tue Jan 11, 2022 5:21 pm

I will check it one more time tomorrow, but at home the MikroTik address is resolved as my public IP.

But at work the MikroTik address is resolved as the IP address that the router gets from the ISP router (192.168.10.8).
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Tue Jan 11, 2022 6:03 pm

Such an option exists (/ip cloud advanced set use-local-address=yes). You don't want it, because 192.168.10.8 is not reachable from the internet. But if you'd set it by mistake, the hostname would be resolved to this address everywhere.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Wed Jan 12, 2022 8:30 am

That was an error; I just checked and that box, Use local IP, was checked. I unchecked it and rebooted the router. Now it's working.

Now I'm trying to make a site-to-site link. I have a wAP LTE kit that I will use for the remote site, and in R2 (wAP LTE) in the interface menu I selected L2TP client, then I entered the user, password, IPsec key and address to connect.

Maybe in the future I'll add another router for another remote site.

The routers connect immediately but I can't ping anything. I added firewall rules to R2. Here is the configuration of the office router R1 and the remote site router R2.

R2 (wAP LTE KIT)
# jan/12/2022 07:18:27 by RouterOS 7.1.1
# software id = J61H-4XD4
#
# model = RBwAPR-2nD
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface l2tp-client
add connect-to=xxxxxxxxxxxxxxxxxxxxxxx disabled=no name=l2tp-out1 use-ipsec=yes \
    user="**************"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-7FCF0A wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.isp.provider ip-type=ipv4 name=ISPName
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.25.244-192.168.25.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.25.1/24 comment=defconf interface=bridge network=\
    192.168.25.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.25.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system leds
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led2 modem-signal-threshold=-71 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led3 modem-signal-threshold=-51 type=modem-signal
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
R1 (Office router)
# jan/12/2022 07:24:41 by RouterOS 7.1.1
# software id = CD7M-66CD
#
# model = RB952Ui-5ac2nD
# serial number = xxxxxxxxxxxxxxxxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
    distance=indoors frequency=2472 installation=indoor mode=ap-bridge ssid=\
    "Fidens 2.4G" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=croatia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid="Fidens 5G" \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=VPN_Ured remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN_Ured enabled=yes use-ipsec=\
    required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip arp
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port 21 za FTP server" dst-address=\
    192.168.10.8 dst-port=21 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.1.39 to-ports=21
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="Divar IP kockica" disabled=yes \
    dst-address=192.168.10.8 dst-port=442 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.1.139 to-ports=442
add action=dst-nat chain=dstnat comment="VDC BL2/0 - VPN" disabled=yes \
    dst-address=192.168.10.8 dst-port=500 in-interface=ether1 protocol=udp \
    to-addresses=192.168.1.6 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.10.8 \
    dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.1.6 \
    to-ports=4500
/ip firewall service-port
set udplite ports=500
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name="Kre\9Ao@VPN" profile=VPN_Ured service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system ntp client
set enabled=yes
/system ntp client servers
add address=161.53.128.17
add address=45.87.77.15
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment="Divar IP3000 \"Kockica\"" host=192.168.1.139
add comment="NAS server" host=192.168.1.39
add comment="Biostar 2 server" host=192.168.1.20
add comment="Dinioin IP4000" down-script="Ispad kamere" host=192.168.20.108 \
    up-script="Kamera ukljucena"
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Wireguard VPN setup

Wed Jan 12, 2022 9:42 am

Try to disable FastTrack in the forward rule, then restart and try if it works. Also, if it's site to site, then just use WG as you are already running 7.1.1; it's super EZ for a site to site.
Check this link.
https://help.mikrotik.com/docs/display/ROS/WireGuard
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Wed Jan 12, 2022 1:21 pm

So I followed the instructions from the website (but I changed the IPs so they match the IPs I use) and I can't establish a connection, but I noticed that on my LTE router the Internet IP address is in the 10.X.X.X range and the Public IP is in the 81.X.X.X range, so I think that is the problem, and in the cloud menu there is the message "Router is behind a NAT. Remote connection might not work."

Also, in this section:
Office1

/ip/firewall/filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=192.168.80.1
Office2

/ip/firewall/filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=192.168.90.1
Instead of 192.168.90.1 I put DDNS but it won't accept it; I mean I know it's not a valid IP range, but I don't have static IP addresses.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard VPN setup

Wed Jan 12, 2022 1:28 pm

When you start from a CGNAT device (which is the case for a lot of LTE devices) you need to point towards a device with either a fixed IP or something with DDNS (but not CGNAT).
 
gigabyte091
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Wed Jan 12, 2022 2:01 pm

I can always ask the ISP to remove me from CGNAT if possible. That should solve the problem.

Here is the R1 config (Office router)
# jan/12/2022 12:50:10 by RouterOS 7.1.1
# software id = CD7M-66CD
#
# model = RB952Ui-5ac2nD
# serial number = ******************
/interface bridge
add admin-mac=************** auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
    distance=indoors frequency=2472 installation=indoor mode=ap-bridge ssid=\
    "Fidens 2.4G" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=croatia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid="Fidens 5G" \
    wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=VPN_Ured remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN_Ured enabled=yes use-ipsec=\
    required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.25.0/24 endpoint-address=\
    +++++++++++++++.sn.mynetname.net endpoint-port=13231 interface=wireguard1 \
    public-key="++++++++++++++++++++++++++++++++++++++++++++"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.255.255.1/30 interface=wireguard1 network=10.255.255.0
/ip arp

/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.25.0/24
add action=accept chain=forward dst-address=192.168.25.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
    10.3.191.181
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port 21 za FTP server" dst-address=\
    192.168.10.8 dst-port=21 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.1.39 to-ports=21
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="Divar IP kockica" disabled=yes \
    dst-address=192.168.10.8 dst-port=442 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.1.139 to-ports=442
add action=dst-nat chain=dstnat comment="VDC BL2/0 - VPN" disabled=yes \
    dst-address=192.168.10.8 dst-port=500 in-interface=ether1 protocol=udp \
    to-addresses=192.168.1.6 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.10.8 \
    dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.1.6 \
    to-ports=4500
/ip firewall service-port
set udplite ports=500
/ip route
add dst-address=192.168.25.0/24 gateway=wireguard1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name="+++++++++" profile=VPN_Ured service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system ntp client
set enabled=yes
/system ntp client servers
add address=161.53.128.17
add address=45.87.77.15
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
And R2 (LTE)
# jan/12/2022 12:56:13 by RouterOS 7.1.1
# software id = J61H-4XD4
#
# model = RBwAPR-2nD
# serial number = ++++++++++++
/interface bridge
add admin-mac=+++++++++++++ auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-7FCF0A wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.+++++++ ip-type=ipv4 name=++++++++++
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.25.244-192.168.25.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.1.0/24 endpoint-address=\
    xxxxxxxxxxxxxxxx.sn.mynetname.net endpoint-port=13231 interface=wireguard1 \
    public-key="++++++++++++++++++++++++++++++++++++++++++"
/ip address
add address=192.168.25.1/24 comment=defconf interface=bridge network=\
    192.168.25.0
add address=10.255.255.2/30 interface=wireguard1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.25.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input dst-port=13231 protocol=udp src-address=\
    ++++++++++++++
add action=accept chain=forward dst-address=192.168.25.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.25.0/24
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
add dst-address=192.168.1.0/24 gateway=wireguard1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system leds
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led2 modem-signal-threshold=-71 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led3 modem-signal-threshold=-51 type=modem-signal
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
How can I point the router towards something with a static IP, and towards what? The only thing I can think of that is constant is a DNS server (Google, for example).
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Wireguard VPN setup

Wed Jan 12, 2022 2:15 pm

@gigabyte091
This is wrong, you didn't follow the WIKI. From what I can see you did not create your /ip route.
R1
/ip address
add address=10.255.255.1/30 interface=wireguard1 network=10.255.255.0

/ip route ?
where is the route for wireguard1 ?


add action=accept chain=input dst-port=13231 protocol=udp src-address=\
10.3.191.181
What is 10.3.191.181?
I see where you are going with this. You don't need a src address, as you don't own a public IP on both sides of your tunnel. Just change the default port in the WG interface and firewall rules to some random unused port number.

Same thing with LTE R2.


You don't include your WG interface in a LAN interface list.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

Include 10.255.255.0/24 in here for ping and troubleshooting.
add allowed-address=192.168.25.0/24 endpoint-address=\
+++++++++++++++.sn.mynetname.net endpoint-port=13231 interface=wireguard1 \
Last edited by own3r1138 on Wed Jan 12, 2022 3:00 pm, edited 3 times in total.
 
holvoetn
Forum Guru
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard VPN setup

Wed Jan 12, 2022 2:26 pm

How can I point the router towards something with a static IP, and towards what? The only thing I can think of that is constant is a DNS server (Google, for example).
You can try but I doubt Google will participate :?

On a serious note:
Your tunnel has (at least) 2 ends. One of those needs to have a "real" IP address. Static or dynamic with DDNS, doesn't matter. But not CGNAT (ok, it's also an IP address but not usable for our purposes here).
If you have no devices under your control having such an address, you may have to revert to a public VPN provider which you can then use as pivot point for setting up your VPN.

For the end behind CGNAT, use the internal IP address of 'the other side' as endpoint. Since WG is able to set up the tunnel from one end, the other end will follow once connection has been made.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Thu Jan 13, 2022 8:10 am

@own3r1138

This is the screenshot from both of my routers, the setup from yesterday, so I didn't change anything yet. I will delete the configuration and start over, no problem. So instead of 13231 I choose any random port, don't add src addresses, and I can add the tunnel IP to allowed addresses.

@holvoetn

I have a public IP from my DSL line ISP; it's not static, but I have a DDNS address that I use if I need to and a small program that is always running and refreshing the public IP every 5 minutes. And I have MikroTik's DDNS address also.
R1 and R2 config.jpg
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Wireguard VPN setup

Thu Jan 13, 2022 9:46 am

@gigabyte091
Hello,
I deleted my own site-to-site config; if I hadn't, I would gladly share it with you. Anyway, I had another issue, so I created a topic about it; one instance of my setup is literally in every screenshot that I took.
You could use it as a reference besides the WIKI. The WireGuard interface name is "WG STS".

viewtopic.php?t=182072
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Thu Jan 13, 2022 10:01 am

Thank you, I just wrote another post at the same time as you. I probably forgot to input something... That's what you get when you try to do 3 different things at the same time...

So I deleted the configuration, started over and went line by line, and it's working. I can ping from Windows, apart from my W11 laptop... I read that ICMP is disabled... (but I can ping a phone that is connected to WiFi), I can scan devices with the IP tool, and access devices that have a web interface.


So if I understand correctly, if I want to add another router (R3) I need to:

Create an interface on R3, create a peer on R3 and R1 for the new connection

On R1 I need to add a new dst address to IP/Route

On R3 I need to add a new address to the wireguard interface (10.255.255.3/30) and dst-address

And I need to configure firewall rules.

Or do I need a new interface with a new port?
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Wireguard VPN setup

Thu Jan 13, 2022 10:07 am

@gigabyte091
I don't think that you need to add a new interface for that.
"I read that ICMP is disabled." what do you mean?
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Thu Jan 13, 2022 10:16 am

Okay, thank you for your help, I will try another router later today; I'm waiting for a SIM card to be delivered.

When I do that, I will make sure to take some time and make some kind of tutorial with pictures for the others (including L2TP, which was explained earlier in the posts). Maybe someone will find that useful.

ICMP responses are disabled by default in Windows 11 and must be enabled manually if needed. Here is the link if someone has the same problem: https://superuser.com/questions/1683853 ... 11-machine
 
holvoetn
Forum Guru
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard VPN setup

Thu Jan 13, 2022 2:42 pm

Indeed, default Windows firewall behavior.
Nowadays a Windows PC is not the first device you should try to ping for testing.
It might fail more than you would expect (and most don't even think about thát firewall and wrongfully assume there is something not ok with their network).
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Wireguard VPN setup

Thu Jan 13, 2022 2:59 pm

I think your Windows is not signed in with the domain controller, cuz if it was you could ping inside your echo reply domain firewall rule.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Fri Jan 14, 2022 9:31 am

So I tested the setup with another router, and it's working, but one of them after a reset is having a problem connecting to the main router. But I noticed that if I connect a laptop to the router then the connection is established. Maybe I should make another interface on the office router R1 for router R3 and a different listening port?
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Wireguard VPN setup

Fri Jan 14, 2022 10:22 am

@gigabyte091
Do you have one interface and two peers in every MT right now?
 
holvoetn
Forum Guru
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard VPN setup

Fri Jan 14, 2022 10:55 am

And every peer a DIFFERENT internal IP address ?
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Fri Jan 14, 2022 1:30 pm

So in R1 (Office router) I have one interface and two peers, R2 (LTE1) one interface and one peer (towards R1), R3 (LTE2) one interface and one peer (towards R1).

R1 has 10.255.255.1/30 as pointed out in https://help.mikrotik.com/docs/display/ROS/WireGuard
R2 has 10.255.255.2/30
R3 has 10.255.255.3/30 <- I think this is an error, 10.255.255.3 can't be in that subnet mask, I can have only 2 addresses if I'm right?
 
holvoetn
Forum Guru
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard VPN setup

Fri Jan 14, 2022 1:59 pm

/30 is 2 bits to play with, hence 4 addresses, not counting 0 so effectively 3 usable addresses.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Fri Jan 14, 2022 3:24 pm

Two usable addresses, the last one is broadcast. Just use a bigger one; they're private addresses, there are enough of them. Also, this subnet is not strictly necessary, it would work even if it didn't exist at all, because the example has routes to remote subnets with gateway=wireguard1 anyway.
 
holvoetn
Forum Guru
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard VPN setup

Fri Jan 14, 2022 3:33 pm

I agree with using bigger netmask.
But ...
Two usable addresses, last one is broadcast.
Last time I checked my binary math:
2 bits:
00 = 0d
01= 1d
10 = 2d
11 = 3d
That's 4. Minus 00 (which is the indicator of the subnet), remains 3.
Broadcast is 255d = 11111111b (or 0xFF if you want)
Or are you referring to 11b as broadcast for that /30 subnet ?
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Fri Jan 14, 2022 4:13 pm

Yes, for that /30 subnet. Try it, assign 10.255.255.1/30 to one end of link, 10.255.255.3/30 to another, and you can see yourself how it won't work.
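As an added example (not part of the thread), the /30 arithmetic argued over in the last few posts carried through with Python's standard ipaddress module: 2 host bits give 4 addresses, the lowest is the network address and the highest is the broadcast, so only two are assignable and 10.255.255.3/30 is the broadcast of its own block. The addresses are the ones from the thread; the function names are mine.

```python
"""Added example: the /30 subnet math from the thread, worked with
Python's standard ipaddress module.  Only the thread's own addresses
are used; classify/usable_hosts/smallest_prefix_for are helper names
chosen here, not RouterOS commands."""
import ipaddress


def usable_hosts(cidr):
    """Assignable host addresses of a subnet, in order: the network
    address and the broadcast address are excluded."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts()]


def classify(interface_address):
    """Say whether an interface address such as '10.255.255.3/30' is the
    'network', the 'broadcast' or a usable 'host' within its own prefix."""
    iface = ipaddress.ip_interface(interface_address)
    net = iface.network
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "host"


def smallest_prefix_for(routers):
    """Smallest prefix length (between /30 and /1) whose subnet has at
    least `routers` usable host addresses: /30 has 2, /29 has 6, /28 has 14.
    /31 and /32 are skipped on purpose; they are point-to-point special cases."""
    for plen in range(30, 0, -1):
        if len(usable_hosts(f"10.255.255.0/{plen}")) >= routers:
            return plen
    raise ValueError("too many routers for one IPv4 subnet")


if __name__ == "__main__":
    for addr in ("10.255.255.1/30", "10.255.255.2/30", "10.255.255.3/30"):
        print(addr, "->", classify(addr))
    print("usable in 10.255.255.0/30:", usable_hosts("10.255.255.0/30"))
    print("smallest prefix for 3 routers:", smallest_prefix_for(3))
```

Running it shows 10.255.255.1 and .2 as hosts, .3 as broadcast, and /29 as the smallest block that fits R1, R2 and R3 on one transit subnet.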
 
holvoetn
Forum Guru
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard VPN setup

Fri Jan 14, 2022 4:21 pm

OK, got it.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Fri Jan 14, 2022 9:42 pm

Why did they put that subnet in the tutorial if it's not needed?

I was thinking of changing the subnet from /30 to /29, that would give me 6 usable addresses.

What is interesting, the last router that I added is working like a charm, the one with the 10.255.255.3 address... The one with 10.255.255.2 is the one that has problems. If I connect a laptop, for example, then it works like it should.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Sat Jan 15, 2022 12:01 am

I don't have any perfect answer. One reason is that "it's what you do", interfaces typically get addresses assigned to them. But that's not good enough. Another is that it makes traceroute work well, without address on interface there's a hole. But you can fix it by adding pref-src to the route to remote subnet. Or if you do some dynamic routing, some protocols may need addresses (I'm not sure about details). But if you don't and have only simple static config, you don't care about that. Other ideas are welcome...
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Sat Jan 15, 2022 11:04 am

So do you think that changing the subnet from /30 to /29 would solve the problem? Or is there something else that is not right?

I will post config on Monday.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Sat Jan 15, 2022 9:02 pm

No. In fact, you can omit those 10.255.255.x addresses completely, they currently don't do anything useful, you don't use them as gateways for routes, and you don't even allow them in allowed-address, so they can't pass through tunnels.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Sat Jan 15, 2022 9:05 pm

One thing I noticed in last posted configs, you most likely don't want src-address=10.3.191.181 in this:
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=10.3.191.181
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Sun Jan 16, 2022 7:43 am

Oh, that is an old config; in the new config I don't have src addresses at all. I deleted the old config on all routers and started over. I only have endpoint addresses (MikroTik's own DDNS addresses).

I did some tests: I opened 2 ping windows on R1 and started pinging both routers, and the router that I added last needs only about 1 minute to start responding to the ping.

The first router is not responding at all, except if I have a laptop connected, for example. If the laptop is connected it works like it should.

The other router doesn't have anything connected to it.
 
User avatar
jvanhambelgium
Forum Veteran
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Wireguard VPN setup

Sun Jan 16, 2022 11:02 am

Took me a while to get it working on my Chromecast (with GoogleTV) yesterday because the WireGuard-app is very basic on that thing. But indeed works fine once done, my Plex server now sees it coming in as a "remote" client etc.
I'll give it a try when I'm away from home and want to access some home-resources (like Plex)
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Mon Jan 17, 2022 10:59 am

So this is the R1 config (main, office router):
# jan/17/2022 09:44:17 by RouterOS 7.1.1
# software id = CD7M-66CD
#
# model = RB952Ui-5ac2nD
# serial number = **********
/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
    distance=indoors frequency=2472 installation=indoor mode=ap-bridge ssid=\
    "Fidens 2.4G" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=croatia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid="Fidens 5G" \
    wireless-protocol=802.11
/interface wireguard
add listen-port=***** mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=VPN_Ured remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN_Ured enabled=yes use-ipsec=\
    required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.25.0/24,10.255.255.0/24 endpoint-address=\
    **********.sn.mynetname.net endpoint-port=***** interface=wg1 \
    public-key="********************************************"
add allowed-address=192.168.20.0/24,10.255.255.0/24 endpoint-address=\
    **********.sn.mynetname.net endpoint-port=***** interface=wg1 \
    public-key="********************************************"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.255.255.1/29 interface=wg1 network=10.255.255.0
/ip arp

/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=forward comment=\
    "Wireguard FWD GRAWE_VDC_HEINZELOVA -> URED" dst-address=192.168.1.0/24 \
    src-address=192.168.25.0/24
add action=accept chain=forward comment=\
    "Wireguard FWD URED -> GRAWE_VDC_HEINZELOVA" dst-address=192.168.25.0/24 \
    src-address=192.168.1.0/24
add action=accept chain=forward comment="Wireguard FWD FIDENS_LTE - > URED" \
    dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard FWD URED -> FIDENS_LTE" \
    dst-address=192.168.20.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port 21 za FTP server" dst-address=\
    192.168.10.8 dst-port=21 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.1.39 to-ports=21
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment="Divar IP kockica" disabled=yes \
    dst-address=192.168.10.8 dst-port=442 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.1.139 to-ports=442
add action=dst-nat chain=dstnat comment="VDC BL2/0 - VPN" disabled=yes \
    dst-address=192.168.10.8 dst-port=500 in-interface=ether1 protocol=udp \
    to-addresses=192.168.1.6 to-ports=500
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.10.8 \
    dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.1.6 \
    to-ports=4500
/ip firewall service-port
set udplite ports=500
/ip route
add dst-address=192.168.25.0/24 gateway=wg1
add dst-address=192.168.20.0/24 gateway=wg1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name="********" profile=VPN_Ured service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system ntp client
set enabled=yes
/system ntp client servers
add address=161.53.128.17
add address=45.87.77.15
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment="Divar IP3000 \"Kockica\"" host=192.168.1.139
add comment="NAS server" host=192.168.1.39
add comment="Biostar 2 server" host=192.168.1.20
add comment="Dinioin IP4000" down-script="Ispad kamere" host=192.168.20.108 \
    up-script="Kamera ukljucena"
And this is R3 (LTE router 2); this is the one that doesn't want to connect if there is nothing connected to it.
# jan/17/2022 09:55:08 by RouterOS 7.1.1
# software id = J61H-4XD4
#
# model = RBwAPR-2nD
# serial number = **********
/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-7FCF0A wireless-protocol=802.11
/interface wireguard
add listen-port=***** mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=********************* ip-type=ipv4 name=Telemach
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.25.244-192.168.25.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.1.0/24,10.255.255.0/24 endpoint-address=\
    **********.sn.mynetname.net endpoint-port=30700 interface=wg1 \
    public-key="********************************************"
/ip address
add address=192.168.25.1/24 comment=defconf interface=bridge network=\
    192.168.25.0
add address=10.255.255.2/30 interface=wg1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.25.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=forward comment="fwd wireguard" dst-address=\
    192.168.25.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="fwd wireguard" dst-address=\
    192.168.1.0/24 src-address=192.168.25.0/24
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
    src-address=192.168.1.20
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
    dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="allow ipsec-esp" disabled=yes \
    protocol=ipsec-esp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
add dst-address=192.168.1.0/24 gateway=wg1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=GRAWE_VDC_HEINZELOVA
/system leds
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led2 modem-signal-threshold=-71 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led3 modem-signal-threshold=-51 type=modem-signal
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN setup

Mon Jan 17, 2022 2:04 pm

Please provide a network diagram showing the devices involved.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Mon Jan 17, 2022 4:26 pm

Here it is, it's not much but I tried to give as many details as possible.
Drawing1.jpg
Office R1 is in the DMZ because, due to our office connection (DSL/LTE hybrid), we can't put the router into bridge mode.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN setup

Mon Jan 17, 2022 5:17 pm

Okay this is starting to make more sense.
Now you have R1, R2, and R3
What is the plan: tunnels between each of R1-R2, R1-R3 and R2-R3 (3 tunnels total)?

So for each connection detail
a. which is server and which is client for the initial connection establishing the tunnels
b. is traffic for each connection going to be two way or one way ( in other words do users, on both devices travel out over the tunnel)
- server to client y/n
- client to server y/n
- both y/n
(Hint: it's either y/y/y or n/y/n or y/n/n)
c. if traffic is to subnets, or to internet

Example: let's say green is server, blue is client

R1-R2 -----------> n/y/n -----------> n / to subnet and internet / n- not applicable
R2-R3 -----------> y/y/y ----------------> internet / subnet / y- not applicable
R1-R3 ------------> y/n/n --------------> subnet / n / n- not applicable

Conclusions
Router 1 connects as a client to Router 2 (server) and R1 users will need to access R2 subnets and R2 internet
Router 2 connects as a client to Router 3 (server) and R3 users will access R2 internet and R2 users will access R3 subnets
Router 1 connects as a client to Router 3 (server) and R3 users will access R1 subnets.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Finally last step is access router for config purposes
R1 to others y/n if so which ones will be managed
R2 to others y/n if so which ones will be managed
R3 to others y/n if so which ones will be managed

R1 - N
R2 - Y (R1, R3)
R3 -Y (R1, R2)

Conclusion no configuring of routers will take place from admin at location R1
Admin at location R2 will want to be able to config R1 or R3
Admin if at location R3 will want to be able to config R1 or R2
Typically only one admin is at play from one location though, so it's probably one or the other..............

That is the level of detail and requirements needed to properly config........ :-)
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Tue Jan 18, 2022 1:35 am

Some mistakes in configs:

R1 has 10.255.255.0/24 in allowed-address for both peers, that's wrong, you can't have overlapping subnets. Use only 10.255.255.x/32 for each peer. That's on R1, and also on R2 and R3, if you are going to add a direct tunnel between them. If not, and you'd want R2 and R3 to communicate with each other via R1, they'd each need 10.255.255.0/<larger mask> and also the subnets of the other one in their allowed-address.

R1 has 10.255.255.1/29 as address, R2 has 10.255.255.2/30 as address, and you have /24 in allowed-address. You should pick one large enough subnet and use it everywhere.

But neither of the above should break communication between LAN subnets.

And about "this is the one that don't want to connect if there is nothing connected to it", WG is by default silent, it only connects when there are some data to be sent. If you want it to be more active, setting keepalive for peer should do the trick.
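The three points in the post above (overlapping allowed-address between two peers on one interface, a /24 transit prefix in allowed-address that does not match the /29 or /30 on the wg interface, and a silent peer that needs persistent-keepalive) can be checked mechanically against an export. The checker below is an added example written for this thread, not MikroTik code; both exports in it are constructed, the first mirroring R1's peers with keys and DDNS names replaced by placeholders, the second the corrected form with one /32 per peer and keepalive set. `r2.example.invalid` and `r3.example.invalid` are placeholder endpoint names.

```python
"""Added example (not from the thread or from MikroTik): a checker for the
WireGuard-related lines of a RouterOS export.  It flags allowed-address
overlap between peers on one interface, an allowed-address transit prefix
that does not match the wg interface's own prefix, and peers without
persistent-keepalive.  Both exports are constructed samples."""
import ipaddress
import re

BAD_EXPORT = r"""
/interface wireguard peers
add allowed-address=192.168.25.0/24,10.255.255.0/24 endpoint-address=\
    r2.example.invalid endpoint-port=30700 interface=wg1 \
    public-key="PEER_R2_PUBLIC_KEY_PLACEHOLDER"
add allowed-address=192.168.20.0/24,10.255.255.0/24 endpoint-address=\
    r3.example.invalid endpoint-port=30700 interface=wg1 \
    public-key="PEER_R3_PUBLIC_KEY_PLACEHOLDER"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.255.255.1/29 interface=wg1 network=10.255.255.0
"""

GOOD_EXPORT = r"""
/interface wireguard peers
add allowed-address=192.168.25.0/24,10.255.255.2/32 endpoint-address=\
    r2.example.invalid endpoint-port=30700 interface=wg1 \
    persistent-keepalive=25s public-key="PEER_R2_PUBLIC_KEY_PLACEHOLDER"
add allowed-address=192.168.20.0/24,10.255.255.3/32 endpoint-address=\
    r3.example.invalid endpoint-port=30700 interface=wg1 \
    persistent-keepalive=25s public-key="PEER_R3_PUBLIC_KEY_PLACEHOLDER"
/ip address
add address=10.255.255.1/29 interface=wg1 network=10.255.255.0
"""


def _kv(s):
    """Split 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', s)}


def parse_export(text):
    """Join backslash-continued lines, then collect every 'add ...' line as a
    dict under its '/section' header."""
    joined = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append(_kv(line[4:]))
    return sections


def check_wireguard(text):
    """Return {"overlap": [...], "prefix_mismatch": [...], "no_keepalive": [...]}."""
    sec = parse_export(text)
    peers = sec.get("/interface wireguard peers", [])
    out = {"overlap": [], "prefix_mismatch": [], "no_keepalive": []}

    # allowed-address is WireGuard's routing table: a prefix may belong to
    # one peer only, so overlapping entries on the same interface are a bug.
    by_iface = {}
    for p in peers:
        for cidr in filter(None, p.get("allowed-address", "").split(",")):
            by_iface.setdefault(p.get("interface"), []).append(
                (ipaddress.ip_network(cidr, strict=False), p))
    for iface, entries in by_iface.items():
        for i, (n1, p1) in enumerate(entries):
            for n2, p2 in entries[i + 1:]:
                if p1 is not p2 and n1.overlaps(n2):
                    out["overlap"].append(
                        f"{iface}: {n1} ({p1['endpoint-address']}) overlaps "
                        f"{n2} ({p2['endpoint-address']})")

    # An allowed-address entry covering the router's own wg address with a
    # different prefix length (/24 vs /29 in the thread) means the transit
    # subnet is not defined consistently; pick one size and use it everywhere.
    for a in sec.get("/ip address", []):
        me = ipaddress.ip_interface(a["address"])
        seen = set()
        for n, _ in by_iface.get(a.get("interface"), []):
            if me.ip in n and n.prefixlen != me.network.prefixlen and n not in seen:
                seen.add(n)
                out["prefix_mismatch"].append(
                    f"{a['interface']}: address {me} but allowed-address {n}")

    # WireGuard sends nothing until there is traffic; the side behind NAT or
    # CGNAT needs persistent-keepalive so the tunnel comes up on its own.
    for p in peers:
        if "persistent-keepalive" not in p:
            out["no_keepalive"].append(
                f"peer {p['endpoint-address']}: add persistent-keepalive=25s "
                "if this router sits behind NAT/CGNAT")
    return out


if __name__ == "__main__":
    for name, export in (("bad", BAD_EXPORT), ("good", GOOD_EXPORT)):
        print(name, check_wireguard(export))
```

Run against the first export it reports one overlap (10.255.255.0/24 on both peers), one prefix mismatch (10.255.255.1/29 on wg1 against 10.255.255.0/24 in allowed-address) and two peers without keepalive; the corrected export produces no findings. The keepalive finding is informational on a router that is reachable directly, such as R1; it matters on the LTE side, which is the one that has to initiate.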
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN setup

Tue Jan 18, 2022 1:53 am

Good attempt to muddle through the config, (noted the same things).
I wanted a clear path and thus set the bar high for a definitive set of requirements logically laid out prior to commenting/recommending.
With the response hopefully to be provided, the mistakes in the config will be highlighted and the changes needed more readily added.
It was too messy for me to respond to with any guidance worth writing down for now.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Tue Jan 18, 2022 7:39 am

@anav

I will try to provide you as much information as possible.

a. which is server and which is client for the initial connection establishing the tunnels ?

R1 should be the server, as it's the main router in our network and R2 and R3 are clients as I see it.

b. is traffic for each connection going to be two way or one way ( in other words do users, on both devices travel out over the tunnel)

Yes, traffic is going to be two way

c. if traffic is to subnets, or to internet

I presume to subnets, as I only need to access a device on the remote network and the router itself.

Finally last step is access router for config purposes

So only R1 should be able to admin R2 and R3

If I forgot something just say.

@Sob

Okay, I added the /24 subnet because that is in the tutorial, so if I understand you right, for tunnels I shouldn't use a /24 subnet, as the right way is to change the subnet to /32, so R1 should be 10.255.255.1/32, R2 should be 10.255.255.2/32 and R3 should be 10.255.255.3/32 so the WG interface on R1 can only communicate with the WG interface on R2 and R3 like they are directly connected by cable and have static IPs?

I don't need R2 to communicate with R3 as all the data is coming back to R1 and any configuration is sent via R1 to R2 or R3

And about "this is the one that don't want to connect if there is nothing connected to it", WG is by default silent, it only connects when there are some data to be sent. If you want it to be more active, setting keepalive for peer should do the trick.

I didn't know that, maybe that is the problem all the time, because, if I set up a ping on 192.168.1.1 and start pinging 192.168.25.1 it says timeout, until I connect a laptop for example, then it takes about 3 seconds or less to start seeing responses to the pings.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Tue Jan 18, 2022 5:57 pm

There are two things, peer's allowed-address and routes (that can be also created dynamically from IP address). They are related, but not the same.

IP addresses and routes are the same as with regular interfaces. You can have R1 with .1/29, R2 with .2/29, R3 with .3/29, etc. It just says that other addresses from that subnet are reachable on the interface where this IP address is. It's definitely true for R1, which can reach both R2 and R3 on the same WG interface. It may be also true for R2 and R3, only without a direct link, communication between them will have to go via R1.

But then you have allowed-address, and it's slightly different, it belongs to peer and says what can come from peer and what can be sent to peer. So for R1, definition for R2 must be only .2/32 (plus its LAN subnet), because you don't want R2 sending traffic from e.g. R3's .3. Same for R3, peer's definition on R1 should be only .3/32 (plus LAN). In your config you have 0/24 for both, that wouldn't work, because router wouldn't know if it should send e.g. .2 to R2 or R3. On R2 and R3 it can be different, they can have full subnet for R1 as peer, because that allows also routing between them via R1.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN setup

Tue Jan 18, 2022 6:35 pm

Gigabyte I have started a user article to help you and me (sob doesn't need any.......yet, reading my posts may lead to madness) work through these setups, that on the surface seem simple but when it gets to have a few more requirements, it gets trickier.
Not completed but you get the idea.
viewtopic.php?t=182340
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Tue Jan 18, 2022 7:37 pm

There are two things, peer's allowed-address and routes (that can be also created dynamically from IP address). They are related, but not the same.

IP addresses and routes are same as with regular interfaces. You can have R1 with .1/29, R2 with .2/29, R3 with .3/29, etc. It just says that other addresses from that subnet are reachable on that interface where this IP address is. It's definitely true for R1, which can reach both R2 and R3 on same WG interface. It may be also true for R2 and R3, only without direct link, communication between them will have to go via R1.

But then you have allowed-address, and it's slightly different, it belongs to peer and says what can come from peer and what can be sent to peer. So for R1, definition for R2 must be only .2/32 (plus its LAN subnet), because you don't want R2 sending traffic from e.g. R3's .3. Same for R3, peer's definition on R1 should be only .3/32 (plus LAN). In your config you have 0/24 for both, that wouldn't work, because router wouldn't know if it should send e.g. .2 to R2 or R3. On R2 and R3 it can be different, they can have full subnet for R1 as peer, because that allows also routing between them via R1.
I think I get it, so the interface address is, for example, the same as the address that a laptop and other devices get from the router and they have their subnet (in our case we assign that address manually), but the allowed address tells the router where to send our data, and it must be only one address, that's why we are using a /32 subnet so that data from 10.255.255.1/32 ends up at 10.255.255.2/32 like it is supposed to, but if I leave that at /24 then data can end up where it is not supposed to.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Tue Jan 18, 2022 8:10 pm

If you leave overlapping subnets in allowed-address, it won't work correctly (I think only the first peer will). And no, it doesn't have to be strictly /32. If it's an interface with multiple peers, the only important thing is to have no overlaps. So on R1, it must be /32 for peers R2 and R3. But on R2 and R3 that have only one peer, it can be the whole subnet. But if you know that they only need to communicate with R1 and never with others, it can be just R1's /32.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN setup

Tue Jan 18, 2022 8:16 pm

Allowed-address has two functions and it depends whether your device is the source of the traffic flow or the recipient of the traffic flow.
If you are the source, peer settings are the destination IPs that the local router can select to ENTER the tunnel.
If you are the recipient, peer settings are the filtered/allowed source IPs that the local router will permit to EXIT the tunnel.

As was explained to me, in the first example I use the word select, because the router will 'capture' the outbound destination address
and then search all the peer addresses for a match, when it's matched the traffic will pass. Therefore, it's quite possible that a different peer with the same destination address will never get matched because the router always finds the first peer........... Not sure if I have that exactly right.........

In the second case of incoming traffic I use the word filter because it's not a selection but more "is it allowed".............
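Sob's distinction between routes and a peer's allowed-address, and anav's two directions (outbound selection into the tunnel, inbound filtering out of it), can be checked in a small model. The following is an added Python example, my own code rather than anything from RouterOS or from the thread: it builds WireGuard's cryptokey routing table the way the posted R1 config does (two peers whose tunnel entries both normalise to 10.255.255.0/29) and then with the /32 tunnel addresses Sob recommends, and shows longest-prefix selection for outbound traffic and the source check for inbound traffic. Peer names and the sample addresses are taken from the thread; which peer wins a duplicated prefix is implementation-specific, so the model simply keeps the first owner and records the conflict.

```python
"""Model of WireGuard cryptokey routing: one owner per allowed-address prefix."""
import ipaddress


class CryptokeyTable:
    """Maps each allowed-address prefix to exactly one peer."""

    def __init__(self):
        self.owner = {}       # ip_network -> peer name
        self.conflicts = []   # (network, first owner, peer that could not claim it)

    def add_peer(self, name, allowed_addresses):
        for text in allowed_addresses:
            # strict=False: "10.255.255.2/29" is the prefix 10.255.255.0/29, which is
            # what the router actually installs for that entry
            net = ipaddress.ip_network(text, strict=False)
            if net in self.owner and self.owner[net] != name:
                # The same prefix on two peers is ambiguous; only one peer can own it.
                # This model keeps the first owner (assumption, see lead-in).
                self.conflicts.append((net, self.owner[net], name))
                continue
            self.owner[net] = name

    def select_peer(self, dst):
        """Outbound: the longest allowed-address prefix containing dst picks the peer."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, name in self.owner.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name)
        return best[1] if best else None   # None: no peer, packet is not tunnelled

    def accept_inbound(self, peer, src):
        """Inbound: a packet decrypted from peer is kept only if src is allowed for that peer."""
        src = ipaddress.ip_address(src)
        return any(src in net for net, name in self.owner.items() if name == peer)


def build_r1(fixed):
    """R1's peer table: as posted (fixed=False) or with /32 tunnel addresses (fixed=True)."""
    t = CryptokeyTable()
    tunnel_mask = "/32" if fixed else "/29"
    t.add_peer("R2", ["192.168.25.0/24", "10.255.255.2" + tunnel_mask])
    t.add_peer("R3", ["192.168.20.0/24", "10.255.255.3" + tunnel_mask])
    return t


def build_r2():
    """R2 has a single peer, so the whole /29 is fine there (Sob's point)."""
    t = CryptokeyTable()
    t.add_peer("R1", ["192.168.1.0/24", "10.255.255.0/29"])
    return t


def conflict_report(table):
    """Human-readable list of overlapping entries, empty when the table is clean."""
    return ["%s claimed by %s, also listed for %s" % (net, a, b)
            for net, a, b in table.conflicts]


if __name__ == "__main__":
    for fixed in (False, True):
        t = build_r1(fixed)
        print("fixed" if fixed else "as posted", conflict_report(t) or "no overlaps")
        print("  10.255.255.3 ->", t.select_peer("10.255.255.3"))
        print("  inbound from R2 with src 10.255.255.3 accepted:",
              t.accept_inbound("R2", "10.255.255.3"))
```

Running it shows that with the posted /29 entries R1 records a conflict and sends 10.255.255.3 to R2, while with /32 entries every address maps to exactly one peer and a packet arriving from R2 that claims R3's address is discarded on decryption.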
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Tue Jan 18, 2022 10:56 pm

Thank you both, I understand now. I will make the config changes tomorrow, and I think we can continue on the other topic.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Thu Jan 20, 2022 7:47 am

So, a little update from me, I took your advice @Sob, and in the address list I put 10.255.255.1/29 for R1 or main router, 10.255.255.2/29 for R2 or LTE1 router, and 10.255.255.3/29 for R3 or LTE2 router, and it's working for now, the tunnel is established even without anything connected to the router. (Also changed allowed addresses)

If I understand correctly, I can, in the address list on R1 (main router, the one with two peers) put only 10.255.255.1, there is no need for /29, and in allowed addresses on R2 and R3 I can put 10.255.255.1/32. But if I put for example on R2 in the address list under the WG interface 10.255.255.2/32 it won't work because it's not the same network anymore? That would be the 10.255.255.2 network so there must be /29 or another CIDR.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Thu Jan 20, 2022 10:03 am

And the router with the x.x.25.1 network again sometimes won't connect to R1 if no device is connected. When I say sometimes: I unplugged them, left them for 5 minutes, then reconnected them, and both routers connect, then I left them disconnected for half an hour, reconnected them, and it's working. Then I tried again for 5 minutes and the router with 192.168.20.1 connects, and 25.1 does not. When I connect a laptop then I can see that the router is connected and stays connected for some time if I disconnect the laptop.

When I tried to ping again, the 192.168.20.1 router says timeout for the first two pings, and then it's working. 192.168.25.1 says timeout until I connect a PC. Is this possibly a CGNAT problem?
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Sun Jan 23, 2022 4:01 am

If by "address list" you mean IP addresses in "/ip address", you need /29 mask on all routers, because it creates dynamic connected route. If R1 has 10.255.255.1/29, it knows that 10.255.255.2 and 10.255.255.3 are reachable using WG interface. With 10.255.255.1/32 it wouldn't know that.

As for the problem with not automatically connecting, you can use Netwatch and let it ping 10.255.255.1, that should bring the tunnel up.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Sun Jan 23, 2022 8:04 am

Yes, I left the /29 subnet. (IP/Addresses) It's working now. I noticed that it connects without a problem if there is some device that goes to the internet. I can set up Netwatch and check every 5 or so minutes for link up or down. Should I set up some script to ping the interface if the link is down? Or is the ping that Netwatch sends enough for the link to reestablish?
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Sun Jan 23, 2022 8:46 am

If R1 has 10.255.255.1/29, it knows that 10.255.255.2 and 10.255.255.3 are reachable using WG interface. With 10.255.255.1/32 it wouldn't know that.
Because if I use /32 then 10.255.255.1 would be a separate network? Then it wouldn't be reachable from /29, e.g. 10.255.255.2/29
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Sun Jan 23, 2022 8:56 pm

Netwatch alone is fine. If the target address is reachable using the tunnel, you have something actively trying to use it, so it forces the router to contact the peer.

Netmasks at both ends don't necessarily have to match (but it's usually a good idea if they do), it can work even when they are different. The main point of the netmask added to the IP address is that it automatically creates a route to the given subnet. You can have .1/32, but then the router would have no idea where to look for .2, etc. That could be fixed by adding a route manually, but that's an extra step, the netmask for the IP address is easier.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Mon Jan 24, 2022 8:15 am

So in that case we would need to add addresses manually for each router we need our main router to reach in the Route List?

And I presume that it is also needed to add routes manually into the other routers so they know where to reach the main router?

So I set up Netwatch on the main router and the LTE routers. The main router says that both links are up, LTE1 says the link is up, but LTE2 says the link is down.

But this is weird, if I ping from LTE2 to the main router, so 192.168.25.1 to 192.168.1.1, it says timeout, but if I ping from the connected laptop I get a reply...
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Wireguard VPN setup

Mon Jan 24, 2022 2:00 pm

Here it is, it's not much but I tried to give as many details as possible.

Drawing1.jpg

Office R1 is in DMZ because due to our office connection (DSL/LTE hybrid) we can't put the router into bridge mode.
So that I can understand better, you were trying to access the R1 that is behind the ISP's router from your home using the ISP's public IP?
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Mon Jan 24, 2022 7:30 pm

If you don't use proper mask for IP address, and therefore you don't get automatic routes, you need to add required routes manually. But unless you have some really good reason to do it this way, IP address with right mask is simple and correct way. So right now I'd stick with /29 on all routers.

Netwatch on LTE2 watching main router's 10.255.255.1 should bring the tunnel up. I'm not re-reading the whole thread to find what you have now, but make sure that:

- on main router, WG peer for LTE2 includes its 10.255.255.3/32 in allowed-address
- on LTE2, WG peer for main router includes either 10.255.255.1/32 or 10.255.255.0/29 in allowed-address

You can also add logging rule, to see what Netwatch sends and where:
/ip firewall mangle
add chain=output dst-address=10.255.255.1 action=log
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN setup

Mon Jan 24, 2022 8:53 pm

This is not rocket science.
To recap
FOR INITIAL CONNECTION - R1 is considered the server and R2, and R3 are clients
FOR TRAFFIC FLOWS - one way only as, R1 admin (lets say its 192.168.1.20) requires access to a device, on the remote network and to configure the remote router.
However looking at your firewall rules............
WHY ARE YOU GIVING R3 Subnet access to R1 Subnet?? I will assume this is an error in your config!!

The problem is looking at your diagram is whether or not your office, ISP router DSL, is reachable by you to forward ports. I will assume the answer is YES, as you noted DMZ previous, and thus we can stick with the plan for Initial Connection.


OFFICE ROUTER R1 CHANGES
/interface wireguard
add listen-port=30700 mtu=1420 name=wg1
public key="xxx" { to be used on the remote MT Devices, R2 & R3, in their peer settings }
/interface detect-internet
set detect-interface-list=all { Please set this to none for all testing }
/interface wireguard peers
add allowed-address=192.168.1.20 { outbound flow, selected by R1 router to enter the tunnel & no inbound users! }
endpoint-address:port=n/a
interface=wg1
public-key="yyy" { from R2 }
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
add allowed-address=192.168.1.20 { outbound flow, selected by R1 router to enter the tunnel and no inbound users! }
endpoint-address=n/a
interface=wg1
public-key="zzz" { from R3 }

/ip address { no IP address required for R1 or R2 users because there is no single user traffic or whole subnet for that matter, coming from R1/R2 }
/ip firewall filter
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp

add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp { moved up in order to be with other vpn INPUT chain rules }
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp

add action=accept chain=forward comment=\
"Wireguard FWD GRAWE_VDC_HEINZELOVA -> URED" dst-address=192.168.1.0/24 \ { remove - in error }
src-address=192.168.25.0/24
add action=accept chain=forward comment=\
"Wireguard FWD URED -> GRAWE_VDC_HEINZELOVA" dst-address=192.168.25.0/24 \ { remove - in error }
src-address=192.168.1.0/24
add action=accept chain=forward comment="Wireguard FWD FIDENS_LTE - > URED" \ { remove - in error }
dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard FWD URED -> FIDENS_LTE" \ { remove - in error }
dst-address=192.168.20.0/24 src-address=192.168.1.0/24
/ip route
add dst-address=192.168.25.0/24 gateway=wg1 table=main { will direct 192.168.1.20 to access R2 through wg1 }
add dst-address=192.168.20.0/24 gateway=wg1 table=main { will direct 192.168.1.20 to access R3 through wg1 }
/ip upnp
set enabled=yes DONT why do you need this ???
/tool mac-server
set allowed-interface-list=LAN Should be set to none!
/tool mac-server mac-winbox
set allowed-interface-list=LAN

RECOMMEND REDO FIREWALL RULES, they are out of order and not conducive to a clean set of rules.

REMOTE SITE R3 CHANGES
/interface wireguard
add listen-port=3700 mtu=1420 name=wg1 { listen port not required but it may be used to derive public key? cannot remember if true }
public key="zzz" { To give to R1 }
/ip pool
add name=dhcp ranges=192.168.25.244-192.168.25.254 { In error, MODIFY, according to your diagram R3 contains 192.168.20.0/24 }
add name=dhcp ranges=192.168.20.244-192.168.20.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/interface wireguard peers
add allowed-address=192.168.1.20/32 { we filter for incoming IP address from admin, not the entire subnet !! }
endpoint-address=R1-mynetname.net { from R1 }
endpoint-port=30700 interface=wg1 \
public-key="xxx"
/ip address { no IP address required for wg interface }
add address=192.168.20.1/24 comment=defconf interface=bridge network=\ { changed to reflect proper subnet .20 }
192.168.20.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24 { fixed }
/ip firewall filter
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp { Remove not required }
add action=accept chain=forward comment="fwd wireguard" in-interface=wg1 dst-address=\
192.168.20.0/24 src-address=192.168.1.20/32 { fixed IPs, addition of in-interface=wg1 is optional }
add action=accept chain=forward comment="fwd wireguard" dst-address=\ { remove, not required }
192.168.1.0/24 src-address=192.168.25.0/24

add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp \
src-address=192.168.1.20/32 in-interface=wg1 { optional addition }
/ip route
add dst-address=192.168.1.0/24 gateway=wg1
/ip upnp
set enabled=yes { WHY same comment as previous }
/tool mac-server
set allowed-interface-list=LAN { Set to NONE }
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN setup

Mon Jan 24, 2022 9:09 pm

ROUTER R1 FW RULES CLEANED UP. ( I removed disabled rules )
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
 ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=input comment="allow LAN access" in-interface-list=LAN
add action=drop  chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward  \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
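The cleaned rule set above is evaluated top to bottom, first match wins, and a packet that matches nothing in its chain is accepted. To see which rule a given packet lands on, here is an added Python first-match simulator; it is my own code, not RouterOS and not from anyone in the thread. It copies a subset of the cleaned R1 rules posted above (the IPsec/L2TP ones are left out), models only the matchers those rules use (port ranges, address lists, IPsec policy and layer-7 matchers are not modelled), and the packets are constructed. It assumes, as in the R1 export gigabyte091 posted in this thread, that wg1 belongs to neither the LAN nor the WAN interface list.

```python
"""First-match simulator for a RouterOS '/ip firewall filter' export (subset of matchers)."""
import ipaddress
import shlex

# Copied from the cleaned R1 rule set posted above, IPsec/L2TP rules omitted.
R1_RULES = r"""
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=input comment="allow LAN access" in-interface-list=LAN
add action=drop  chain=input comment="drop all else"
add action=fasttrack-connection chain=forward  \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
"""

# Rule properties that are not packet matchers.
NON_MATCHERS = {"action", "chain", "comment", "hw-offload", "log", "log-prefix", "disabled"}


def parse_rules(export):
    """Join backslash-continued lines and turn each 'add ...' line into a property dict."""
    rules, buf = [], ""
    for raw in export.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        tokens = shlex.split(line)          # handles comment="quoted text"
        if tokens[0] != "add":
            continue
        rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def rule_matches(rule, pkt):
    """True when every matcher in rule agrees with the packet (a leading '!' negates)."""
    for key, want in rule.items():
        if key in NON_MATCHERS:
            continue
        negate = want.startswith("!")
        want = want.lstrip("!")
        have = pkt.get(key)
        if have is None:
            hit = False
        elif key in ("src-address", "dst-address"):
            hit = ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
        elif key in ("in-interface-list", "out-interface-list"):
            hit = want in have              # have: set of lists the interface belongs to
        elif key in ("connection-state", "dst-port", "src-port", "protocol"):
            hit = str(have) in want.split(",")   # port ranges not modelled
        else:
            hit = str(have) == want
        if hit == negate:                   # no match, or a match on a negated matcher
            return False
    return True


def first_match(rules, pkt):
    """(action, comment) of the first enabled matching rule in the packet's chain."""
    for rule in rules:
        if rule.get("disabled") == "yes" or rule["chain"] != pkt["chain"]:
            continue
        if rule_matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "(no rule matched: chain default)"


R1 = parse_rules(R1_RULES)

# Constructed packets. wg1 is in no interface list (assumption stated in the lead-in).
WG_HANDSHAKE_FROM_WAN = {"chain": "input", "protocol": "udp", "dst-port": 30700,
                         "in-interface-list": {"WAN"}, "connection-state": "new"}
WINBOX_FROM_WAN = {"chain": "input", "protocol": "tcp", "dst-port": 8291,
                   "in-interface-list": {"WAN"}, "connection-state": "new"}
ADMIN_TO_R2_LAN = {"chain": "forward", "protocol": "tcp", "src-address": "192.168.1.20",
                   "dst-address": "192.168.25.10", "dst-port": 8291,
                   "in-interface-list": {"LAN"}, "out-interface-list": set(),
                   "connection-state": "new"}
REPLY_FROM_R2 = {**ADMIN_TO_R2_LAN, "connection-state": "established",
                 "in-interface-list": set(), "out-interface-list": {"LAN"}}

if __name__ == "__main__":
    for name, pkt in [("WG handshake from WAN", WG_HANDSHAKE_FROM_WAN),
                      ("WinBox from WAN", WINBOX_FROM_WAN),
                      ("admin -> R2 LAN via wg1", ADMIN_TO_R2_LAN),
                      ("reply from R2", REPLY_FROM_R2)]:
        print("%-26s %s %s" % (name, *first_match(R1, pkt)))
```

With these rules the WireGuard handshake is accepted and unsolicited WinBox from the WAN is dropped, as intended. The third packet, a new connection from the admin host toward the remote LAN leaving through wg1, matches neither the LAN-to-WAN rule nor the dstnat rule and falls through to "drop all else" under the stated assumption about interface lists; that is the kind of check worth running before committing a reordered rule set, since the fix (a forward accept for that flow or a list membership for wg1) depends on how the tunnel is meant to be used.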
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Tue Jan 25, 2022 8:16 pm

Sorry for not responding so fast, I caught some kind of cold... So I was in bed all day... waiting for COVID test

So right now everything is working, I just saw your post with recommended changes so i didn't do any of them right now, one of the router is on location right now and the other will be deployed in about 2 days.

I believe that is not rocket science, I'm really sorry if my "beginner knowledge" grinds your gears. I see that you removed some of the configuration that was added when I was following the tutorial, actually, quite a lot of the original configuration is removed. As I can see, you removed the 10.255.255.x addresses? For one of the WG interfaces you wrote that it doesn't need an address and I can see that some of the firewall rules from the tutorial are missing?

I will post the config of all routers tomorrow because I think we got lost in all the information.

As for UPnP, we have devices (I can't really give more information due to the sensitive nature of the system) that won't work if UPnP is not enabled. Heck, we even had problems with carriers... only one carrier works, the other ones don't...

I found EVE NG, maybe that is not a bad solution for learning networking...
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN setup

Tue Jan 25, 2022 9:54 pm

Sorry the comment was not directed at you but at others that seemed to be making the config more complex than necessary. Again my apologies.
Probably covid, it hits diff people in different ways, some full of phlegm and hard to breathe other headaches backaches etc......
Should be over in 5 days.

By all means if you are happy with the setup and it's working for you, ignore my suggestions. Best to have a working config rather than a mess of two!!
Got it, you're stuck with UPnP due to 'being forced' to use less than stellar devices stuck in the middle ages.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Wireguard VPN setup

Tue Jan 25, 2022 10:40 pm

Got it, you're stuck with UPnP due to 'being forced' to use less than stellar devices stuck in the middle ages.
Nothing wrong with UPnP .... I and many of my clients use it ... and have been doing that for many years .... many many years ... The only people afraid of UPnP are those that do not know how to exploit it and more importantly implement it properly with effective firewall controls .....

The only people stuck in the middle ages are those that are tied to llamas and elephants :lol:
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN setup

Tue Jan 25, 2022 11:03 pm

Got it, you're stuck with UPnP due to 'being forced' to use less than stellar devices stuck in the middle ages.
Nothing wrong with UPnP .... I and many of my clients use it ... and have been doing that for many years .... many many years ... The only people afraid of UPnP are those that do not know how to exploit it and more importantly implement it properly with effective firewall controls .....

The only people stuck in the middle ages are those that are tied to llamas and elephants :lol:
Thanks Mozerd, for the refresher. What special considerations for security should be taken, that are not already dealt with in standard firewall rules etc..
(note my experience is older games that require UPNP for example)
Last edited by anav on Tue Jan 25, 2022 11:04 pm, edited 1 time in total.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard VPN setup

Tue Jan 25, 2022 11:04 pm

The problem with UPnP is lacking security. But it's a simple tool for trusted networks, and if you use it as such, it's fine. In the past it was made even worse by bad implementations, where some routers supposedly allowed access even from the internet, so anyone could forward ports as they pleased, to any destination. That's where the "never ever enable the evil UPnP" recommendation comes from. But it's not that bad. And you do need something like UPnP. Even with IPv6, where you ideally don't have NAT, but will usually have a firewall blocking incoming connections, sometimes you will need a way to automatically allow something (there's Port Control Protocol, but implementation doesn't seem to be going very fast).
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Wireguard VPN setup

Tue Jan 25, 2022 11:29 pm

Thanks Mozerd, for the refresher. What special considerations for security should be taken, that are not already dealt with in standard firewall rules etc..
Many moons ago @Sob provided me with some important info related to MikroTik and UPnP …. Following is the thread
viewtopic.php?t=131524
Enjoy !
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Wireguard VPN setup

Wed Jan 26, 2022 2:48 am

Nice!
So as expected you need to ensure the devices have access to the ROUTER SERVICE (be it dns, ntp etc.) and this time for UPNP.
/ip firewall filter add action=accept chain=input comment="INPUT Allow UPnP port 1900 udp" dst-port=1900 log-prefix=UPnP protocol=udp src-address-list=UPnPdevices
/ip firewall filter add action=accept chain=input comment="INPUT Allow UPnP port 2828 tcp" dst-port=2828 log-prefix=UPnP protocol=tcp src-address-list=UPnPdevices


My question is, did you use UPNP so that devices could talk to what where?? (use cases being solved)

NAS?
Apple Time Capsule?
Xbox?
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Wed Jan 26, 2022 8:26 am

@anav
There is no need to apologize, and it would be foolish of me to ignore your advice after all the help you provided. And if there is a better and more efficient way of configuring this than Mikrotik's tutorial that is fine with me. Just like electronics... You can make a circuit 100 different ways and it will work, but only a few are correct ones, and efficient.

I hope you get better soon :D

So this is the config at the moment, I didn't make any changes to the firewall rules yet as I don't want to lose the connection.

I presume that I have to remove from R1 this:
add action=accept chain=forward comment=\
    "Wireguard FWD GRAWE_VDC_HEINZELOVA -> URED" dst-address=192.168.1.0/24 \
    src-address=192.168.25.0/24
add action=accept chain=forward comment=\
    "Wireguard FWD URED -> GRAWE_VDC_HEINZELOVA" dst-address=192.168.25.0/24 \
    src-address=192.168.1.0/24
add action=accept chain=forward comment="Wireguard FWD FIDENS_LTE - > URED" \
    dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard FWD URED -> FIDENS_LTE" \
    dst-address=192.168.20.0/24 src-address=192.168.1.0/24
From R2 this:
add action=accept chain=forward comment=\
    "Wireguard FWD DECATHLON_VDC_ZADAR -> URED" dst-address=192.168.1.0/24 \
    src-address=192.168.25.0/24
add action=accept chain=forward comment=\
    "Wireguard FWD URED -> DECATHLON_VDC_ZADAR" dst-address=192.168.25.0/24 \
    src-address=192.168.1.0/24
And from R3 this:
add action=accept chain=forward comment="Wireguard FWD LTE -> Ured" \
    dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard Ured -> LTE" dst-address=\
    192.168.20.0/24 src-address=192.168.1.0/24
If that is the case, why is it added in the tutorial?

R1 - 192.168.1.0/24 - Office router
# jan/26/2022 06:36:59 by RouterOS 7.1.1
# software id = CD7M-66CD
#
# model = RB952Ui-5ac2nD
# serial number = **********
/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
    distance=indoors frequency=2472 installation=indoor mode=ap-bridge ssid=\
    "Fidens 2.4G" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=croatia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid="Fidens 5G" \
    wireless-protocol=802.11
/interface wireguard
add listen-port=30700 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=VPN_Ured remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN_Ured enabled=yes use-ipsec=\
    required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.25.0/24,10.255.255.2/29 comment=\
    GRAWE_VDC_HEINZELOVA endpoint-address=**********.sn.mynetname.net \
    endpoint-port=30700 interface=wg1 persistent-keepalive=30s public-key=\
    "********************************************"
add allowed-address=192.168.20.0/24,10.255.255.3/29 comment=FIDENS_LTE \
    endpoint-address=**********.sn.mynetname.net endpoint-port=30700 \
    interface=wg1 persistent-keepalive=30s public-key=\
    "********************************************"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.255.255.1/29 comment=VPN interface=wg1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=forward comment=\
    "Wireguard FWD GRAWE_VDC_HEINZELOVA -> URED" dst-address=192.168.1.0/24 \
    src-address=192.168.25.0/24
add action=accept chain=forward comment=\
    "Wireguard FWD URED -> GRAWE_VDC_HEINZELOVA" dst-address=192.168.25.0/24 \
    src-address=192.168.1.0/24
add action=accept chain=forward comment="Wireguard FWD FIDENS_LTE - > URED" \
    dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard FWD URED -> FIDENS_LTE" \
    dst-address=192.168.20.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="allow ipsec-esp" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port 21 za FTP server" dst-address=\
    192.168.10.8 dst-port=21 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.1.39 to-ports=21
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.10.8 \
    dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.1.6 \
    to-ports=4500
/ip firewall service-port
set udplite ports=500
/ip route
add dst-address=192.168.25.0/24 gateway=wg1
add dst-address=192.168.20.0/24 gateway=wg1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name="**********" profile=VPN_Ured service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system ntp client
set enabled=yes
/system ntp client servers
add address=161.53.128.17
add address=45.87.77.15
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool netwatch
add comment=DECATHLON_VDC_ZADAR host=192.168.20.1 interval=5m
add comment=GRAWE_VDC_HENZELOVA host=192.168.25.1 interval=5m
R2 - 192.168.25.0/24 - LTE1
# jan/26/2022 06:39:09 by RouterOS 7.1.1
# software id = J61H-4XD4
#
# model = RBwAPR-2nD
# serial number = **********
/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-7FCF0A wireless-protocol=802.11
/interface wireguard
add listen-port=30700 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=******************** ip-type=ipv4 name=Telemach
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.25.244-192.168.25.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.1.0/24,10.255.255.1/29 endpoint-address=\
    ************.sn.mynetname.net endpoint-port=30700 interface=wg1 \
    persistent-keepalive=30s public-key=\
    "********************************************"
/ip address
add address=192.168.25.1/24 comment=defconf interface=bridge network=\
    192.168.25.0
add address=10.255.255.2/29 comment=VPN interface=wg1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.25.0/24 gateway=192.168.25.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.25.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=forward comment=\
    "Wireguard FWD DECATHLON_VDC_ZADAR -> URED" dst-address=192.168.1.0/24 \
    src-address=192.168.25.0/24
add action=accept chain=forward comment=\
    "Wireguard FWD URED -> DECATHLON_VDC_ZADAR" dst-address=192.168.25.0/24 \
    src-address=192.168.1.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=WinBox dst-port=8291 in-interface=wg1 \
    protocol=tcp src-address=192.168.1.20
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
add dst-address=192.168.1.0/24 gateway=wg1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=GRAWE_VDC_HEINZELOVA
/system leds
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led2 modem-signal-threshold=-71 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led3 modem-signal-threshold=-51 type=modem-signal
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=RUTER_URED host=192.168.1.1
R3 - 192.168.20.0/24 - LTE 3
# jan/26/2022 06:38:20 by RouterOS 7.1.1
# software id = P3N3-9GCJ
#
# model = RBwAPR-2nD
# serial number = **********
/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] allow-roaming=no band="" name=lte1
/interface wireguard
add listen-port=30700 mtu=1420 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=***************** name=Telemach \
    use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys name=WPA/WPA2 supplicant-identity="" \
    unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country=croatia disabled=no \
    distance=indoors frequency=auto mode=ap-bridge security-profile=WPA/WPA2 \
    ssid=Fidens_Hotspot wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=dhcp ranges=192.168.20.248-192.168.20.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface wireguard peers
add allowed-address=192.168.1.0/24,10.255.255.1/32 endpoint-address=\
    **********.sn.mynetname.net endpoint-port=30700 interface=wg1 \
    persistent-keepalive=30s public-key=\
    "********************************************"
/ip address
add address=192.168.20.1/24 comment=defconf interface=bridge network=\
    192.168.20.0
add address=10.255.255.3/29 comment=VPN interface=wg1 network=10.255.255.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.20.0/24 comment=defconf dns-server=192.168.20.1 gateway=\
    192.168.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.20.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=30700 protocol=udp
add action=accept chain=forward comment="Wireguard FWD LTE -> Ured" \
    dst-address=192.168.1.0/24 src-address=192.168.20.0/24
add action=accept chain=forward comment="Wireguard Ured -> LTE" dst-address=\
    192.168.20.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Winbox " dst-port=8291 protocol=tcp \
    src-address=192.168.1.20
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=192.168.1.0/24 gateway=wg1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=DECATHLON_VDC_ZADAR
/system leds
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led1 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led2 modem-signal-threshold=-71 type=modem-signal
# using RSRP, modem-signal-threshold ignored
add interface=lte1 leds=led3 modem-signal-threshold=-51 type=modem-signal
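One thing worth checking in the peer sections above: on the office router both peers carry a /29 tunnel prefix (10.255.255.2/29 and 10.255.255.3/29 both normalise to 10.255.255.0/29), while R3 uses /32 where R2 uses /29. The following linter is an added example, not code from the thread or from MikroTik: it folds the export's backslash continuation lines, parses the `/interface wireguard peers` section and flags peers on the same interface whose allowed-address prefixes overlap; the sample exports and keys are constructed placeholders.

```python
import ipaddress
import re

# Constructed samples modelled on the peer sections above (placeholder keys,
# not the thread's exports). The first repeats the /29 tunnel prefixes, the
# second uses /32 host routes for the tunnel addresses.
OVERLAPPING = """\
/interface wireguard peers
add allowed-address=192.168.25.0/24,10.255.255.2/29 comment=SITE_A \\
    endpoint-port=30700 interface=wg1 public-key="PLACEHOLDER_KEY_A"
add allowed-address=192.168.20.0/24,10.255.255.3/29 comment=SITE_B \\
    endpoint-port=30700 interface=wg1 public-key="PLACEHOLDER_KEY_B"
"""
DISJOINT = (OVERLAPPING.replace("10.255.255.2/29", "10.255.255.2/32")
            .replace("10.255.255.3/29", "10.255.255.3/32"))

def join_continuations(text):
    """Fold export lines that end in a backslash into one logical line."""
    return re.sub(r"\\\n\s*", "", text)

def parse_peers(export):
    """Return [(comment, interface, [allowed networks])] for every peer."""
    peers, in_section = [], False
    for line in join_continuations(export).splitlines():
        if line.startswith("/"):
            in_section = line.strip() == "/interface wireguard peers"
            continue
        if not in_section or not line.startswith("add "):
            continue
        kv = {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}
        # strict=False turns a host/prefix pair such as 10.255.255.2/29 into
        # the network it really claims, 10.255.255.0/29
        nets = [ipaddress.ip_network(a, strict=False)
                for a in kv["allowed-address"].split(",")]
        peers.append((kv.get("comment", "?"), kv.get("interface", "?"), nets))
    return peers

def find_overlaps(peers):
    """Peer pairs on one interface whose allowed-address prefixes overlap.
    WireGuard's cryptokey routing maps each destination IP to exactly one
    peer, so an overlap means one peer silently loses that prefix."""
    hits = []
    for i, (ca, ia, na) in enumerate(peers):
        for cb, ib, nb in peers[i + 1:]:
            if ia == ib and any(x.overlaps(y) for x in na for y in nb):
                hits.append((ca, cb))
    return hits

if __name__ == "__main__":
    print("overlapping:", find_overlaps(parse_peers(OVERLAPPING)))
    print("disjoint:", find_overlaps(parse_peers(DISJOINT)))
```

Run it against a real `/export` of your own router to see which peers collide; with the /32 form each tunnel address is claimed by exactly one peer.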
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 872
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Wireguard VPN setup

Thu Jan 27, 2022 3:23 pm

My question is, did you use UPNP so that devices could talk to what where?? (use cases being solved)

NAS?
Apple Time Capsule?
Xbox?
xBox = multiplayer gaming and chat over the internet
ATC = remote access for streaming and file access include iTunes Library [client/server]
NAS = remote access for streaming and file access include iTunes Library [client/server]

Also the majority of IoT devices are UPnP enabled like my security cameras etc. etc etc.
 
gigabyte091
Forum Guru
Forum Guru
Topic Author
Posts: 1165
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard VPN setup

Mon Jan 31, 2022 8:28 am

Also the majority of IoT devices are UPnP enabled like my security cameras etc. etc etc.
Yeah, I can confirm that: almost all, if not all, vendors have UPnP-enabled devices, especially if they provide cloud-based storage and mobile apps. And for some vendors, although they have UPnP (Bosch for example), that UPnP is not working as it should, so you have to manually open about 3 or 4 ports on the router for cloud services to work.

Heck even my thermostat for central heating and floor heating is online...
