rahuljj
just joined
Topic Author
Posts: 10
Joined: Thu Mar 05, 2015 6:19 pm

Wireguard site to site with OSPF

Sat Jan 08, 2022 10:58 am

Hi
I have searched most of the forums for this and couldn't find any solution, so I am posting this.

I want to use WireGuard site-to-site with OSPF. I successfully created WireGuard peers on all remote sites and connected them to the central site; all traffic flows perfectly with static routes.

I want to remove the static routes and use OSPF. Does OSPF support WireGuard on ROS7?

Regards
 
mindlesstux
just joined
Posts: 15
Joined: Tue Mar 17, 2009 3:20 pm
Location: Charlotte, NC, USA

Re: Wireguard site to site with OSPF

Sat Jan 08, 2022 6:32 pm

Does it support it? Yes, I have it working on my CHR VM... Just waiting on ZeroTier support for CHR now.
[admin@mikrotik] > /ip/route/print detail 
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; + - ecmp 
.... *SNIP* ....
   DAc   dst-address=10.10.0.0/30 routing-table=main gateway=wgDECtoLANUSG immediate-gw=wgDECtoLANUSG distance=0 scope=10 suppress-hw-offload=no local-address=10.10.0.1%wgDECtoLANUSG 

   DAo   dst-address=10.10.10.10/32 routing-table=main gateway=192.168.26.6%wgDECtoVULv6 immediate-gw=wgDECtoVULv6 distance=110 scope=20 target-scope=10 suppress-hw-offload=no 
.... *SNIP* ....
 
OlofL
Member Candidate
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: Wireguard site to site with OSPF

Sun Jan 09, 2022 12:21 pm

Yes, this is how I use it with OSPF. I use it as site-to-site. The MikroTik side is behind NAT/dynamic IP (it has fiber with 4G failover).
Note that you have to set allowed-address=0.0.0.0/0 if you don't know all the networks that should be allowed in the future.
The most important part is to add the WireGuard interface as ptp :)
# WireGuard interface (the key pair is generated when it is created)
/interface wireguard
add listen-port=32657 mtu=1420 name=wg1
# Single peer on this interface; 0.0.0.0/0 lets any destination be sent down the tunnel
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xx.xx.xx.xx endpoint-port=1998 interface=wg1 \
    persistent-keepalive=30s public-key="xxxxxx"

/routing ospf instance
add name=ospf-instance-1
/routing ospf area
add area-id=10.18.5.16 instance=ospf-instance-1 name=ospf-area-1 no-summaries nssa-translator=\
    candidate type=nssa
# Run OSPF over the tunnel as a point-to-point link
/routing ospf interface-template
add area=ospf-area-1 interfaces=wg1 type=ptp
 
rahuljj
just joined
Topic Author
Posts: 10
Joined: Thu Mar 05, 2015 6:19 pm

Re: Wireguard site to site with OSPF

Mon Jan 10, 2022 3:18 am


Hi

Thank you, it worked like a charm. I was not using 0.0.0.0/0 in the allowed addresses. Thanks again.
 
blurrybird
newbie
Posts: 38
Joined: Sun Jan 19, 2020 12:25 pm

Re: Wireguard site to site with OSPF

Sun Feb 27, 2022 7:58 am

When I use wg and allow 0.0.0.0/0 I end up with wg's kernel routes causing havoc.

- Suddenly all traffic goes via the wg tunnel (rather than just site-to-site traffic)
- Suddenly when configuring BGP over the top, routing loops occur.

How have you mitigated that?
 
JoshDi
newbie
Posts: 37
Joined: Fri May 21, 2021 4:49 pm

Re: Wireguard site to site with OSPF

Sun Feb 27, 2022 10:32 pm

> When I use wg and allow 0.0.0.0/0 I end up with wg's kernel routes causing havoc.
>
> - Suddenly all traffic goes via the wg tunnel (rather than just site-to-site traffic)
> - Suddenly when configuring BGP over the top, routing loops occur.
>
> How have you mitigated that?

For WG, you should put the subnet(s) that are on the two site-to-site links, and networks you want accessible over WG into the allowed-networks field.

0.0.0.0/0 tells WG to allow all networks and make the WG link your default gateway (0.0.0.0/0). Allowed Networks 0.0.0.0/0 should only be used if you want all traffic to go through the WG interface, which it seems like you don't want to occur.
 
tonci
just joined
Posts: 10
Joined: Sat Jul 11, 2015 2:07 pm

Re: Wireguard site to site with OSPF

Tue Aug 16, 2022 1:34 am

A client of mine has a multi-site s2s full-mesh topology (attached), and I finally managed to implement WireGuard (VPN interconnections) and OSPF.
I'm still not sure whether this was possible to solve with just one WG interface per router or not, because I still do not have enough experience with WG, but every time I added a peer with the same allowed network on the same WG interface, the whole installation failed.
So, as soon as I created a WG interface for every VPN connection, everything worked out of the box ... routers mt1 ... mt4 are in full mesh (3 WG interfaces each).
This is the topology in GNS3:
[attachment: ms2s+wg+ospf.png]
Routers mt5 and mt6 play the "internet" role (10.9.0.0/16), so there is no (OSPF) broadcast between routers, and mt6 is NATing the WG VPN connections from routers mt7 and mt8. OSPF type is "nbma".
Everything works pretty stably; OSPF recalculates routes fast and accurately ....
 
aoakeley
Member Candidate
Posts: 170
Joined: Mon May 21, 2012 11:45 am

Re: Wireguard site to site with OSPF

Thu Aug 18, 2022 5:04 am

> 0.0.0.0/0 tells WG to allow all networks and make the WG link your default gateway (0.0.0.0/0). Allowed Networks 0.0.0.0/0 should only be used if you want all traffic to go through the WG interface, which it seems like you don't want to occur.

I am not seeing this (WG becoming the default link if you use 0.0.0.0/0). I have a lot of WireGuard networks all using OSPF between a lot of sites. I have never seen this routing change.
For me, simply 0.0.0.0/0 just allows all traffic to traverse the WG link, if I route it to do so. I have hundreds of WireGuard tunnels and have never seen 0.0.0.0/0 in the WireGuard config create a default route.
I am now nervous that IF this does start happening as you say, I am going to have a lot of broken networks.

Simple example of one of my configs:
/interface wireguard
add listen-port=13238 mtu=1420 name=wireguard-core
# One peer per interface; 0.0.0.0/0 allows any destination to be routed down it
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=119.1.1.1 endpoint-port=\
13238 interface=wireguard-core persistent-keepalive=30s public-key=\
"6l7XP/CXXXXXXXXXXXXXXXXXXXXGB2jh0="

/routing ospf instance
add disabled=no name=default-v2 router-id=10.255.255.11
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/routing ospf interface-template
add area=backbone-v2 disabled=no interfaces=bridge-local
# The tunnel is a point-to-point OSPF link with an explicit cost
add area=backbone-v2 cost=5 disabled=no interfaces=wireguard-core type=ptp
add area=backbone-v2 disabled=no interfaces=ether2
Last edited by aoakeley on Thu Aug 18, 2022 5:06 am, edited 1 time in total.
 
aoakeley
Member Candidate
Posts: 170
Joined: Mon May 21, 2012 11:45 am

Re: Wireguard site to site with OSPF

Thu Aug 18, 2022 5:05 am


> So, as soon as I created a WG interface for every VPN connection, everything worked out of the box ... routers mt1 ... mt4 are in full mesh (3 WG interfaces each)
> ...

Yes, this is how I do it.
One interface for each connection. All on different ports.
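
The one-interface-per-link layout tonci and aoakeley describe above, worked through as an added example (this is not code from the thread or from MikroTik): a Python script that lays out a full mesh and emits each router's side of every link as RouterOS 7 commands in the same shape as the configs posted earlier. The router names, the TEST-NET endpoint addresses, the 10.255.0.0/24 link supernet, the base port and the area name are all constructed; the public keys are placeholders to be replaced with what each router shows once its interface exists, and the OSPF instance and area are assumed to be created already, as in the config above. allowed-address=0.0.0.0/0 follows the posted configs; with exactly one peer per interface it only decides what may traverse that tunnel (RouterOS derives no routes from it, so reachability stays with OSPF). Narrow it to the link /30 plus the networks the far site may legitimately source if the tunnel should also reject spoofed source addresses from that site.

```python
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, NamedTuple

# Constructed lab values (TEST-NET endpoints), not taken from the thread.
ENDPOINTS: Dict[str, str] = {
    "mt1": "203.0.113.1", "mt2": "203.0.113.2",
    "mt3": "203.0.113.3", "mt4": "203.0.113.4",
}
# Placeholders: each router prints its own public key once the interface is
# created; paste the real values here before generating.
PUBKEYS: Dict[str, str] = {name: f"<public key of {name}>" for name in ENDPOINTS}
BASE_PORT = 13231                 # hypothetical first port; one port per link
LINK_SUPERNET = "10.255.0.0/24"   # carved into /30s, one per link
OSPF_AREA = "backbone-v2"         # assumed to exist already, with its instance


class Link(NamedTuple):
    a: str        # router on side A (the lexically lower name)
    b: str        # router on side B
    port: int     # UDP port used at both ends of this link
    subnet: str   # the link's /30
    a_addr: str   # side A tunnel address
    b_addr: str   # side B tunnel address


def iface_name(local: str, remote: str) -> str:
    return f"wg-{local}-{remote}"


def plan_links(routers: List[str], base_port: int = BASE_PORT,
               supernet: str = LINK_SUPERNET) -> List[Link]:
    """One link per router pair.  Each link gets its own /30 and its own UDP
    port, so every WireGuard interface on a router listens on a distinct port
    and the peer behind each interface is unambiguous."""
    thirties = list(ip_network(supernet).subnets(new_prefix=30))
    pairs = list(combinations(sorted(routers), 2))
    if len(pairs) > len(thirties):
        raise ValueError("supernet too small for this mesh")
    links: List[Link] = []
    for i, (a, b) in enumerate(pairs):
        first, second = list(thirties[i].hosts())   # the two usable addresses
        links.append(Link(a, b, base_port + i, str(thirties[i]), str(first), str(second)))
    return links


def router_config(router: str, links: List[Link], area: str = OSPF_AREA) -> List[str]:
    """RouterOS 7 commands for `router`'s side of every link it terminates."""
    lines: List[str] = []
    for link in links:
        if router == link.a:
            remote, local_addr = link.b, link.a_addr
        elif router == link.b:
            remote, local_addr = link.a, link.b_addr
        else:
            continue
        name = iface_name(router, remote)
        lines += [
            "/interface wireguard",
            f"add listen-port={link.port} mtu=1420 name={name}",
            "/interface wireguard peers",
            # One peer per interface, so 0.0.0.0/0 only says "whatever OSPF
            # routes here may use this tunnel"; it installs no route itself.
            f"add allowed-address=0.0.0.0/0 endpoint-address={ENDPOINTS[remote]} "
            f"endpoint-port={link.port} interface={name} persistent-keepalive=30s "
            f'public-key="{PUBKEYS[remote]}"',
            "/ip address",
            f"add address={local_addr}/30 interface={name}",
            "/routing ospf interface-template",
            f"add area={area} interfaces={name} type=ptp",
        ]
    return lines


def listen_ports(config: List[str]) -> List[int]:
    """Listen ports used in a generated config, for checking they are distinct."""
    return [int(line.split("listen-port=")[1].split()[0])
            for line in config if line.startswith("add listen-port=")]


if __name__ == "__main__":
    mesh = plan_links(list(ENDPOINTS))
    for router in ENDPOINTS:
        print(f"# ---- {router} ----")
        print("\n".join(router_config(router, mesh)))
```

Running it prints one block per router; after the public keys are exchanged, each block is pasted into that router's terminal. Every router ends up with three WireGuard interfaces on three different ports, each carrying exactly one peer, which is the arrangement under which tonci's mesh started working.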
 
blindlight
just joined
Posts: 1
Joined: Tue Jan 04, 2022 6:56 pm

Re: Wireguard site to site with OSPF

Tue Sep 06, 2022 6:31 pm

With OSPF v2 and network type ptp, you need to add 224.0.0.0/24 to the allowed addresses on both peers.
Don't forget to add the WireGuard interface to the OSPF interface template.
 
aoakeley
Member Candidate
Posts: 170
Joined: Mon May 21, 2012 11:45 am

Re: Wireguard site to site with OSPF

Wed Sep 07, 2022 2:58 am

> With ospf v2 and network type ptp, you need to add 224.0.0.0/24 to allowed address to both peer.

Why not just use 0.0.0.0/0? Then you can just route anything you want down the WireGuard connections.

Andrew
 
sirbryan
Member Candidate
Posts: 298
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: Wireguard site to site with OSPF

Sat Nov 12, 2022 11:05 pm

I'm designing a system with one aggregation point for multiple remote routers. The routers run OSPF between each other, then BGP via loopbacks to the Route Reflectors. The OSPF sessions advertise the infrastructure network so all routers know how to get to each other and the RR's, while BGP announces the customer subnets behind each router.

Today I got the first backup links between routers working. The WG/VPN link takes over when the remote router's primary link fails.

Initially I had set OSPF on the WG link to PTP and allowed 224.0.0.0/24 on the aggregation router's WG interface (the "client" router is set to 0.0.0.0/0). Then I realized I would not be able to assign 224.0.0.0/24 to any future router (without making a new WG instance).

So the way to do it, if you want one WG instance with multiple peers, is to set the WG interfaces on all routers to "nbma" and create static neighbors (<IP address of remote router>%<interface name>) for each WG peer with a small polling interval. The OSPF sessions came right up and I was able to remove the 224.0.0.0/24 subnet from Allowed IPs.

The only gotcha is remembering to add all subnets the remote router is going to advertise via OSPF/BGP to the Allowed IP list.
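
An added illustration of the mechanism behind the exchanges above: OlofL's allowed-address=0.0.0.0/0 advice, the JoshDi/aoakeley disagreement, tonci's failure when two peers on one interface shared an allowed network, blindlight's 224.0.0.0/24 entry and sirbryan's nbma workaround. It is a Python model of WireGuard's cryptokey routing, not RouterOS code and not from any post in the thread. Allowed IPs do two things: they pick the peer an outgoing packet is encrypted to (longest prefix match across the interface's peers, no match means drop), and they gate decrypted traffic, since a packet from a peer is accepted only if its source address lies in that peer's allowed IPs. A prefix can be owned by only one peer per interface, and listing it on a second peer moves it there. Nothing in the model installs routes; on RouterOS, reachability still comes from the routing table or OSPF. The peer names, the 10.10.0.x tunnel addresses and the 172.16.3.0/24 spoke LAN are constructed.

```python
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Destination of OSPFv2 hellos on a point-to-point link (AllSPFRouters).
OSPF_ALL_ROUTERS = "224.0.0.5"


class WireGuardInterface:
    """Cryptokey routing table of one WireGuard interface.

    Keys are allowed-IP prefixes, values the peer that owns each one.  A
    prefix belongs to exactly one peer per interface; configuring it on a
    second peer moves it there.  No kernel routes are derived from it."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Dict[IPv4Network, str] = {}

    def add_peer(self, peer: str, allowed: List[str]) -> List[Tuple[str, str]]:
        """Attach prefixes to `peer`; return (prefix, previous owner) for each
        prefix taken away from another peer on this interface."""
        moved: List[Tuple[str, str]] = []
        for cidr in allowed:
            net = ip_network(cidr, strict=False)
            previous = self.table.get(net)
            if previous is not None and previous != peer:
                moved.append((str(net), previous))
            self.table[net] = peer
        return moved

    def egress_peer(self, dst: str) -> Optional[str]:
        """Peer a packet for `dst` is encrypted to: the longest allowed prefix
        containing it across all peers, or None (dropped) if none matches."""
        addr = ip_address(dst)
        best: Optional[Tuple[IPv4Network, str]] = None
        for net, peer in self.table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return None if best is None else best[1]

    def accept_ingress(self, peer: str, src: str) -> bool:
        """Anti-spoof check on decrypted traffic: a packet from `peer` is only
        accepted if its source address is inside that peer's allowed IPs."""
        addr = ip_address(src)
        return any(addr in net for net, owner in self.table.items() if owner == peer)


def single_peer_interface() -> WireGuardInterface:
    """Pattern from the posted configs: one peer per interface with
    allowed-address=0.0.0.0/0.  The peer name 'hub' is a placeholder."""
    wg = WireGuardInterface("wg1")
    wg.add_peer("hub", ["0.0.0.0/0"])
    return wg


def shared_interface() -> WireGuardInterface:
    """One interface carrying two spokes with narrow allowed IPs (constructed
    addresses).  Only mt2 owns 224.0.0.0/24, so only mt2 can receive the
    multicast hellos an OSPF ptp interface sends."""
    wg = WireGuardInterface("wg-all")
    wg.add_peer("mt2", ["10.10.0.2/32", "224.0.0.0/24"])
    wg.add_peer("mt3", ["10.10.0.6/32"])
    return wg


def walkthrough() -> Dict[str, object]:
    """Runs the scenarios discussed in the thread and returns the findings."""
    out: Dict[str, object] = {}

    wg1 = single_peer_interface()
    out["hello_single_peer"] = wg1.egress_peer(OSPF_ALL_ROUTERS)       # 'hub'
    # Caveat of 0.0.0.0/0: any source address from that peer is accepted, so a
    # compromised far end can inject packets claiming to come from your LAN.
    out["spoof_accepted_single_peer"] = wg1.accept_ingress("hub", "192.168.88.1")

    wg = shared_interface()
    out["hello_before"] = wg.egress_peer(OSPF_ALL_ROUTERS)             # 'mt2'
    out["unicast_to_mt3"] = wg.egress_peer("10.10.0.6")                 # 'mt3'
    # mt3 cannot impersonate mt2: 10.10.0.2 is not in mt3's allowed IPs.
    out["mt3_spoofs_mt2"] = wg.accept_ingress("mt3", "10.10.0.2")       # False
    # Giving 224.0.0.0/24 to a second peer silently takes it from the first,
    # so one multicast prefix can never serve several peers on one interface.
    out["moved"] = wg.add_peer("mt3", ["224.0.0.0/24"])                 # [('224.0.0.0/24', 'mt2')]
    out["hello_after"] = wg.egress_peer(OSPF_ALL_ROUTERS)              # 'mt3'
    # With nbma and static neighbours, hellos are unicast: each spoke is
    # reached through its own /32 and no multicast prefix is needed.
    out["unicast_to_mt2"] = wg.egress_peer("10.10.0.2")                 # 'mt2'
    # A subnet a spoke will source or advertise must be in its allowed IPs:
    # without it there is no peer to send to and its packets fail ingress.
    out["to_lan_before"] = wg.egress_peer("172.16.3.1")                 # None
    out["lan_before"] = wg.accept_ingress("mt3", "172.16.3.1")          # False
    wg.add_peer("mt3", ["172.16.3.0/24"])
    out["lan_after"] = wg.accept_ingress("mt3", "172.16.3.1")           # True
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The ingress half is the security point: with 0.0.0.0/0 the tunnel accepts whatever source address the far end chooses to send, so that setting is a statement of trust in the peer and not only a routing convenience. Between sites under one administration that is usually acceptable; for a peer you trust less, list the link address plus the networks it should source, and let OSPF (or a firewall rule on the WireGuard interface) decide the rest.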
 
jadawin
just joined
Posts: 2
Joined: Wed May 27, 2020 1:39 pm

Re: Wireguard site to site with OSPF

Tue Jun 20, 2023 8:01 pm

> With ospf v2 and network type ptp, you need to add 224.0.0.0/24 to allowed address to both peer.

Thank you.

This is what was missing in my configuration.
