darkmachine83
just joined
Topic Author
Posts: 9
Joined: Sat Jan 19, 2019 8:28 pm

multiple wireguard connections over wifi hotspot

Sat Apr 16, 2022 11:31 pm

Hello, I need help on how I can create for multiple wlan interfaces a connection using wireguard for each of the wlans. I show a basic diagram of the problem. Thanks in advance.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: multiple wireguard connections over wifi hotspot

Tue Apr 19, 2022 3:26 pm

The requirement is not based on users so quite frankly I don't understand why you need a wireguard tunnel for each WLAN.
I only see one subnet of users and they are all on the same subnet.

Do you mean each WLAN is like a different ISP, WAN1, WAN2, WAN3 ???

The wireguard server, what is that, another mikrotik at another location or a 3rd party vpn provider? (If it's the latter they need to provide you with 3 wireguard IP addresses for example.)
 
darkmachine83

Re: multiple wireguard connections over wifi hotspot

Wed Apr 20, 2022 3:45 am

Thanks for replying. Indeed, each user on the subnet must have their WAN out through their wireguard client. The wireguard server is a third party server installed on an Ubuntu server. That is, I put a wireguard tunnel on each wlan.
 
anav

Re: multiple wireguard connections over wifi hotspot

Wed Apr 20, 2022 4:29 am

Third party is NOT Ubuntu server, third party is a company that provides Wireguard through an internet server at some location.
I am assuming you have access to the Ubuntu server etc, so that you have some way on the Ubuntu setup.

Your answer is still not clear.
Do all users, who appear to be on the same subnet, go over the same WAN to the wifi hotspot?

You really need to post the SXT config
/export file=anynameyouwish
 
darkmachine83

Re: multiple wireguard connections over wifi hotspot

Wed Apr 20, 2022 3:49 pm

Yes, the wireguard server on the internet is mine. Here is my config; I left out some things in the config that didn't matter.
Thanks again :D
 
anav

Re: multiple wireguard connections over wifi hotspot

Wed Apr 20, 2022 4:59 pm

(1) naming issue.
....................
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wg2
/interface wireguard peers
add allowed-address=::/0 disabled=yes endpoint-address=xxxxxxxx \
endpoint-port=443 interface=wg1 persistent-keepalive=25s public-key=\
"xxxxxxx"

(2) you have two DROP rules on the forward chain, get rid of the first one!! You should be allowing the LAN access to WG not some non-existing wlan5~!~
add action=drop chain=forward
add action=accept chain=forward comment="allow LAN to wireguard" \
in-interface=wlan5 out-interface=wg1
add action=drop chain=forward

(3) WHY MANGLE??? Are you doing load balancing on the three WANS??? If not how do you apportion WAN to the users??

(4) Why use wg gateway IP 10.66.6.1 ??? (you only need the wireguard interface name) and what is wlan 5?
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=10.66.66.1%wg1 \
pref-src=0.0.0.0 routing-table=wlan5 scope=30 suppress-hw-offload=no \
target-scope=10
 
darkmachine83

Re: multiple wireguard connections over wifi hotspot

Wed Apr 20, 2022 7:10 pm

Sorry, I already adjusted the settings.
My original configuration is with 10 wlan, each person must have access to their wifi portal, and when that person has authenticated, the wireguard tunnel would connect automatically. I tried to make a configuration but it did not connect me, my IP is 110.220.40.3 in the configuration.
Thank you
 
anav

Re: multiple wireguard connections over wifi hotspot

Wed Apr 20, 2022 7:49 pm

So to be clear,
the requirement is a one to one relationship.............
user1 to WAN1 (WLAN1)
user2 to WAN2 (WLAN2)
...........
user10 to WAN10 (WLAN10)

Also clarify that each user is accessing internet via the wireguard tunnels, if so quite correct,
you need 10 wireguard interfaces on the client as well to avoid overlapping peers.
 
darkmachine83

Re: multiple wireguard connections over wifi hotspot

Wed Apr 20, 2022 10:11 pm

Yes, effectively. An example with 3 wlans is enough for me to continue working. Wireguard tunnels are not a problem, I can generate as many as I want. The problem is that with this Wi-Fi multiportal connection, the tunnels do not connect for me. Any suggestion?
Thanks

PS: if there is any configuration that handles this situation, other than mine, it would still work for me and I would change all my configuration.
 
anav

Re: multiple wireguard connections over wifi hotspot

Wed Apr 20, 2022 11:11 pm

Very confusing, is this the scenario then..........
There is one hotspot wifi that the SXT. Since only one authentication can be done from one WLAN, you require multiple WLANs for all to log into the hotspot. ... if that makes sense......... So the user has to authenticate to the hotspot and then the user has internet connectivity and then you want them to go through a wireguard tunnel for internet. Close??
 
anav

Re: multiple wireguard connections over wifi hotspot

Thu Apr 21, 2022 1:48 am

I am not sure that is even possible?? Never mind the wireguard I mean the initial connecting.........
 
darkmachine83

Re: multiple wireguard connections over wifi hotspot

Thu Apr 21, 2022 4:06 am

Forgetting the wireguard connection: my configuration connects through the SXT to all users, giving each one a different portal to the wifi, this works perfectly.
I want to add the tunnel to each of those connections. And automatically, once the user is authenticated to the wifi, logically the tunnel must see the wireguard server and connect, I think...
user1 -> wlan1
user2 -> wlan2
etc
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: multiple wireguard connections over wifi hotspot

Thu Apr 21, 2022 4:35 am

I can't play with it now, but it shouldn't be too hard. Basically you need "two layers of multi WAN". First for wlans, you have that. Then you need to make WG tunnels each use its own wlan. For that you set a different listen port for each WG interface and then mark routing based on this source port. Then comes the second layer, where WG interfaces are the actual WAN interfaces used by clients. So you need another routing table for each, and from there it's standard multi WAN.
 
anav

Re: multiple wireguard connections over wifi hotspot

Thu Apr 21, 2022 4:43 pm

"forgetting the wireguard connection. My configuration connects through the SXT to all users, giving each one a different portal to the wifi, this works perfectly."
That is what I am having difficulty understanding.
Do you create a separate virtual WLAN for each client ??
How is each v WLAN then connected to the wireless portal...........????

In any case not possible without mangling......... sorry.
 
darkmachine83

Re: multiple wireguard connections over wifi hotspot

Thu Apr 21, 2022 8:46 pm

Exactly, each user has their vwlan with a portal, each vwlan is connected as a client to the AP. What I want is that when the user authenticates, the wireguard tunnel connects.
 
anav

Re: multiple wireguard connections over wifi hotspot

Thu Apr 21, 2022 9:00 pm

Sob is on the right track.........lucky guess I am assuming. :-)
 
darkmachine83

Re: multiple wireguard connections over wifi hotspot

Thu Apr 21, 2022 9:16 pm

Yes, I think Sob is right, I hope to have some more concrete clue from him at some point :). But thank you very much anav for the help too.
 
Sob

Re: multiple wireguard connections over wifi hotspot

Fri Apr 22, 2022 1:20 am

Experiment a little bit, I can't do everything. :)

First multi WAN for wlans:

/ip dhcp-client
add interface=wlan1
add interface=wlan2
add interface=wlan3
/routing table
add fib name=wlan1
add fib name=wlan2
add fib name=wlan3
/ip route
add dst-address=0.0.0.0/0 gateway=<gateway address>%wlan1 routing-table=wlan1
add dst-address=0.0.0.0/0 gateway=<gateway address>%wlan2 routing-table=wlan2
add dst-address=0.0.0.0/0 gateway=<gateway address>%wlan3 routing-table=wlan3

Basic config of tunnels:

/interface wireguard
add listen-port=60001 mtu=1420 name=wg1 private-key="..."
add listen-port=60002 mtu=1420 name=wg2 private-key="..."
add listen-port=60003 mtu=1420 name=wg3 private-key="..."
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<server address> endpoint-port=<server port> interface=wg1 public-key="..."
add allowed-address=0.0.0.0/0 endpoint-address=<server address> endpoint-port=<server port> interface=wg2 public-key="..."
add allowed-address=0.0.0.0/0 endpoint-address=<server address> endpoint-port=<server port> interface=wg3 public-key="..."
/ip address
add address=10.66.66.101/24 interface=wg1
add address=10.66.66.102/24 interface=wg2
add address=10.66.66.103/24 interface=wg3

This makes tunnels use the right wlans and fixes source addresses:

/ip firewall mangle
add action=mark-routing chain=output new-routing-mark=wlan1 passthrough=no protocol=udp src-port=60001
add action=mark-routing chain=output new-routing-mark=wlan2 passthrough=no protocol=udp src-port=60002
add action=mark-routing chain=output new-routing-mark=wlan3 passthrough=no protocol=udp src-port=60003
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wlan1
add action=masquerade chain=srcnat out-interface=wlan2
add action=masquerade chain=srcnat out-interface=wlan3

Second multi WAN for tunneled traffic:

/routing table
add fib name=wg1
add fib name=wg2
add fib name=wg3
/ip route
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=wg1
add dst-address=0.0.0.0/0 gateway=wg2 routing-table=wg2
add dst-address=0.0.0.0/0 gateway=wg3 routing-table=wg3
/routing rule
add action=lookup src-address=192.168.88.11/32 table=wg1
add action=lookup src-address=192.168.88.12/32 table=wg2
add action=lookup src-address=192.168.88.13/32 table=wg3
add action=lookup src-address=10.66.66.101/32 table=wg1
add action=lookup src-address=10.66.66.102/32 table=wg2
add action=lookup src-address=10.66.66.103/32 table=wg3

Optional masquerade (depends on what addresses server allows for clients, 10.66.66.x or 192.168.88.x):

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wg1
add action=masquerade chain=srcnat out-interface=wg2
add action=masquerade chain=srcnat out-interface=wg3
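
The first layer described above only holds if every WG interface has its own listen port and an output mangle rule sends that source port into a wlan table that actually has a default route; otherwise the tunnel's UDP follows the main table and leaves via the wrong wlan. The check below is an added example, not part of the post or of RouterOS: the export text is constructed, 192.0.2.1 is a placeholder gateway, and it assumes one rule per line (no backslash continuations).

```python
import re

# Constructed export in the shape of the config above (gateway is a placeholder).
# Deliberate faults: table wlan2 has no default route, wg3 has no mangle rule.
SAMPLE = """\
/routing table
add fib name=wlan1
add fib name=wlan2
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1%wlan1 routing-table=wlan1
/interface wireguard
add listen-port=60001 mtu=1420 name=wg1
add listen-port=60002 mtu=1420 name=wg2
add listen-port=60003 mtu=1420 name=wg3
/ip firewall mangle
add action=mark-routing chain=output new-routing-mark=wlan1 passthrough=no protocol=udp src-port=60001
add action=mark-routing chain=output new-routing-mark=wlan2 passthrough=no protocol=udp src-port=60002
"""

def parse(export):
    """Group 'add k=v ...' lines under the preceding '/section' line."""
    sections, current = {}, None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            sections.setdefault(current, []).append(dict(pairs))
    return sections

def check(export):
    """Return findings for tunnels whose UDP would not follow their own wlan table."""
    cfg = parse(export)
    routed = {r.get("routing-table") for r in cfg.get("/ip route", [])
              if r.get("dst-address") == "0.0.0.0/0"}
    marks = {m.get("src-port"): m.get("new-routing-mark")
             for m in cfg.get("/ip firewall mangle", [])
             if (m.get("action"), m.get("chain")) == ("mark-routing", "output")}
    findings, seen = [], {}
    for wg in cfg.get("/interface wireguard", []):
        name, port = wg.get("name"), wg.get("listen-port")
        if port in seen:
            findings.append(f"{name}: listen-port {port} already used by {seen[port]}")
        seen.setdefault(port, name)
        if port not in marks:
            findings.append(f"{name}: no output mangle rule for udp src-port {port}")
        elif marks[port] not in routed:
            findings.append(f"{name}: table {marks[port]} has no default route")
    return findings
```

Calling `check(SAMPLE)` reports the two deliberate faults; an empty list means every tunnel is pinned to a wlan table with a default route.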
 
darkmachine83

Re: multiple wireguard connections over wifi hotspot

Fri Apr 22, 2022 2:55 am

Thanks, I'm going to try a vwlan to see what happens. I'll post results soon. Thanks :D
