tuxedo0801
just joined
Topic Author
Posts: 14
Joined: Wed Mar 24, 2021 8:58 am

Routing issue with Wireguard VPN

Sun Jan 16, 2022 7:18 pm

Hi there,

I have the following setup:

Site A
* Mikrotik-Router as ISP Router and wireguard server
* ... has LAN: 192.168.200.0/24 with IP 192.168.200.1
* ... uses Wireguard-VPN: 192.168.201.0/24 with IP 192.168.201.1
* ... has static route to Site B LAN 192.168.0.0/24 via 192.168.201.3

Site B
* Linux machine, running Wireguard as Peer to connect to Site A (which works)
* ... uses VPN Peer IP: 192.168.201.3
* ... has LAN: 192.168.0.0/24 with IP 192.168.0.133
* Site B runs an AVM FritzBox (which also provides the 192.168.0.0/24 network and is its default gateway) for internet connectivity and has a static route configured: 192.168.200.0/24 via Gateway 192.168.0.133 (=Linux Machine with Wireguard VPN Peer)

What is working:
* Site B Linux Machine can ping Wireguard VPN 192.168.201.x network without any issue.
* Site B Linux Machine can ping Site A LAN 192.168.200.x network without any issue.
* Any PC on Site A can ping Site B's VPN peer 192.168.201.3

What is not working:
* From Site A I cannot ping any 192.168.0.x IP from any host --> Destination Host Unreachable
* From Site A Mikrotik Router Terminal I cannot ping 192.168.0.133 or any other IP from Site B LAN. --> Host unreachable

When I tcpdump the traffic on the wireguard interface on Site B's Linux Machine, I cannot see any ICMP traffic to/from 192.168.0.x. Only 192.168.201.x is visible.
So, from my understanding, there is something wrong with my route on the mikrotik router to the 192.168.0.0/24 network. No 192.168.0.0/24 traffic is routed to Site B's VPN peer.

Routing table in Site A's mikrotik router looks like this:
Flags: D - DYNAMIC; I, A - ACTIVE; c, s, v, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS        GATEWAY           DISTANCE
[...]
0  As  192.168.0.0/24     192.168.201.3            1
[...]
What am I doing wrong?

I would be pleased if anyone can enlighten me ...

br,
Alex
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 7:36 pm

Is 192.168.0.0/24 in the allowed-address list for the peer (site B Linux machine)?
 
tuxedo0801
just joined
Topic Author
Posts: 14
Joined: Wed Mar 24, 2021 8:58 am

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 7:58 pm

Yes:
[Peer]
PublicKey = <mykey>
AllowedIPs = 0.0.0.0/0
Endpoint = <endpoint host>:13231
PersistentKeepalive = 25
# wg
interface: wg0
  public key: <key>
  private key: (hidden)
  listening port: 13213

peer: <key>
  endpoint: <endpoint>:13231
  allowed ips: 0.0.0.0/0
  latest handshake: 29 seconds ago
  transfer: 88.67 KiB received, 92.16 KiB sent
  persistent keepalive: every 25 seconds
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 8:04 pm

And on MikroTik router (peer's allowed-address in /interface wireguard peers)?
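What sindy and Sob are asking about, modelled as an added Python example (not code from the thread or from MikroTik): WireGuard's cryptokey routing, which uses each peer's AllowedIPs (allowed-address on RouterOS) to decide which destinations may be encrypted to that peer and which source addresses may arrive from it. The peer tables below are constructed from this thread's addresses; the peer names are placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Peer:
    """One [Peer] / 'peers' entry: the peer's name and its AllowedIPs (allowed-address)."""
    name: str
    allowed_ips: list

class CryptokeyTable:
    """Model of the cryptokey routing table a WireGuard interface keeps for its peers."""
    def __init__(self, peers):
        self.peers = peers

    def egress_peer(self, dst: str) -> Optional[str]:
        """Peer whose AllowedIPs has the longest match for dst; None means WireGuard drops it."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for p in self.peers:
            for net in p.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = p.name, net.prefixlen
        return best

    def ingress_ok(self, peer_name: str, src: str) -> bool:
        """A decrypted packet from a peer is accepted only if its source is in that peer's AllowedIPs."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for p in self.peers if p.name == peer_name for net in p.allowed_ips)

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Constructed tables using the thread's addresses; peer names are placeholders.
# Site A MikroTik as the thread started: the site B peer entry allows only its tunnel address.
site_a_before = CryptokeyTable([Peer("siteB", nets("192.168.201.3/32"))])
# Site A after the fix: site B's LAN is added to the peer's allowed-address.
site_a_after = CryptokeyTable([Peer("siteB", nets("192.168.201.3/32", "192.168.0.0/24"))])
# Site B Linux peer, whose AllowedIPs = 0.0.0.0/0 matches every destination and source.
site_b = CryptokeyTable([Peer("siteA", nets("0.0.0.0/0"))])

if __name__ == "__main__":
    print(site_a_before.egress_peer("192.168.201.3"))  # siteB: ping to the tunnel IP works
    print(site_a_before.egress_peer("192.168.0.133"))  # None: dropped before encryption, nothing in tcpdump
    print(site_a_after.egress_peer("192.168.0.133"))   # siteB
    print(site_a_after.ingress_ok("siteB", "192.168.0.133"))  # True: replies from site B LAN are accepted
    print(site_b.egress_peer("192.168.200.1"))  # siteA: 0.0.0.0/0 is why site B -> A always worked
```

The /ip route entry only gets the packet as far as the WireGuard interface; if no peer's AllowedIPs covers the destination, the interface has nobody to encrypt it for, which matches the OP seeing no 192.168.0.x traffic in tcpdump at site B.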
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 8:05 pm

What is the purpose of this............ on Main Router.
.. has static route to Site B LAN 192.168.0.0/24 via 192.168.201.3 ????
The connection between the two sites is via the wireguard tunnel!!

MAIN ROUTER SETTINGS
WG interface name any
Set the listening port
Generate public KEY for Remote client peer settings

PEER Settings
Add public key generated by CLient device
Allowed addresses (incoming IPs): for example if you want to allow your site b main subnet access put 192.168.0.0/24
If you only wanted to allow a specific device put 192.168.0.X/32

/ip route
add dst-address=192.168.0.0/24 gateway=wg-interface

NO NEED for IP address for Wg interface.

CLIENT Router SETTINGS
WG interface name any
Generated public Key to be used on Main Router Peer Settings.

CLient PEER settings
Allowed address: (destination IPs) --> what you want your peer users to be able to access (just a subnet on other main server router, or everything, aka internet through the other main server router??)
Typically for internet 0.0.0.0/0
Endpoint IP address (IP cloud of the other router is typically used) and PORT; if not separated as different entries, then typically in the form dyndns-name:XXXXXX
public key from Main Router Server

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The main difference if adding an IP address for the wg interface on the server is as follows.
/ip address
add interface=wg-interface address=192.168.0.254/24 network=192.168.0.0

Then you no longer require an IP route, as it will be added dynamically by the Main Router.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Access to the internet is not yet guaranteed; it depends on your firewall rules.

Methods:
1. add wg-interface as LAN interface member.
If you have an existing firewall rule, as such you are good to go.
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN

2. create a specific firewall rule for the interface.
add action=accept chain=forward in-interface=wg-interface out-interface-list=WAN
 
tuxedo0801
just joined
Topic Author
Posts: 14
Joined: Wed Mar 24, 2021 8:58 am

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 8:08 pm

And on MikroTik router (peer's allowed-address in /interface wireguard peers)?
Thanks a lot... I think that was the issue. ... now from Site A LAN I can ping any host on Site B LAN ...
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 8:11 pm

Ahh okay, now I understand.....
After the initial connection of the tunnel you want LAN users on Main router to be able to access the Subnet on the remote client site.

In this case.......
MAIN ROUTER......................
I believe all you need is a firewall rule permitting such.......
add chain=forward action=accept src-address=192.168.200.0/24 out-interface=wg-interface

You already have the route established
/ip route
add dst-address=192.168.0.0/24 gateway=wg-interface

+++++++++++++++++++++++++++++++++++++++++++++++++++

Thus on the PEER MT client router you need
add chain=forward action=accept src-address=192.168.200.0/24 dst-address=192.168.0.0/24

and a route
/ip route
add dst-address=192.168.200.0/24 gateway=wg-interface
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 8:12 pm

Don't understand the need for static routes................... ??
 
tuxedo0801
just joined
Topic Author
Posts: 14
Joined: Wed Mar 24, 2021 8:58 am

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 8:23 pm

I think I understand static routes, but:

A <-> WG1...WG2 <-> B

A = 192.168.200.0/24
WG = 192.168.201.0/24
WG1 = 192.168.201.1
WG2 = 192.168.201.3
B = 192.168.0.0/24

On "A" I need a route to network "B". And the gateway to network "B" is part of network WG, to be more specific, Peer WG2 ...

So, to reach network B from A I need a route to 192.168.0.0/24 via 192.168.201.3 ...

Or Am I missing something?

I can't tell the router on network "A" that it just uses interface for WG (=wireguard1)... That does not work. It needs to know IP of the gateway to network "B".

Anyhow... issue is solved. It was the limitation of allowed IPs on the wireguard server's peer definition.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 8:34 pm

Interface as gateway does work with WG.
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 8:35 pm

I can't tell the router on network "A" that it just uses interface for WG (=wireguard1)... That does not work. It needs to know IP of the gateway to network "B".
Actually you can.
Wg will figure it out based on allowed addresses.
 
tuxedo0801
just joined
Topic Author
Posts: 14
Joined: Wed Mar 24, 2021 8:58 am

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 8:47 pm

I can't tell the router on network "A" that it just uses interface for WG (=wireguard1)... That does not work. It needs to know IP of the gateway to network "B".
Actually you can.
Wg will figure it out based on allowed addresses.
Actually I tried... did not work. At least not with my current setup (0.0.0.0/0). Will try with 192.168.201.0/24 + 192.168.0.0/24 ...

[update]

AllowedIPs for peer set to:
192.168.201.0/24, 192.168.0.0/24
Route gateway set to "wireguard1" instead of peer IP ...
--> did not work. can't ping anymore from A to B ...

Once I set peer IP for gateway, it works again.
 
holvoetn
Forum Guru
Posts: 5422
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 8:51 pm

Provide latest config.
/export hide-sensitive file=anynameyouwish
I only have wg gateway in my routes going over wireguard. No destination ip addresses.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Routing issue with Wireguard VPN

Sun Jan 16, 2022 9:24 pm

If the WG interface doesn't have any IP address, it won't work from the router itself. But a subnet behind the router will. To make it work from the router, you'd need to either set a source address for whatever you use, e.g.:
/ping src-address=192.168.200.1 address=192.168.0.1
or you can fix it globally with pref-src:
/ip route
add dst-address=192.168.0.0/24 gateway=<WG interface> pref-src=192.168.200.1
