 
n4bz0r
just joined
Topic Author
Posts: 11
Joined: Thu Jan 27, 2022 2:27 am

Having trouble setting up WireGuard

Fri Jun 03, 2022 12:17 am

Hello!

The goal: set up a VPN tunnel and pass traffic to certain sites through it.

I've managed to do just that via ProtonVPN IPsec tunnel just a week ago. But, as of today, our government started to block connections to the popular VPN providers (HOO-RAH!). As a result, my IPsec tunnel doesn't work anymore.

WireGuard still seems to work, though. I've managed to establish connection to the server via the Windows client. So now I'm trying to set the thing up on my router.

I've kinda figured a few things out, but I'm still very new to WireGuard and RoS 7 routing (and routing in general) so I'm struggling to make sense of what I have to do in order for things to start working. On top of that, some of the issues might be due to my ISP's potential molestations of VPN connections.

Here are the pieces of the puzzle I've managed to put together:
/ip firewall
address-list add address=example.com list=PASS_THROUGH_VPN
mangle add action=mark-routing chain=prerouting dst-address-list=PASS_THROUGH_VPN new-routing-mark=through-vpn passthrough=yes

# WireGuard-related settings were taken from the ProtonVPN connection config
/interface wireguard 
add listen-port=13231 mtu=1420 name=proton-vpn private-key=omitted
peers add allowed-address=0.0.0.0/0 endpoint-address=omitted endpoint-port=51820 interface=proton-vpn persistent-keepalive=25s public-key=omitted

/routing 
table add disabled=no fib name=through-vpn
rule add action=lookup-only-in-table routing-mark=through-vpn table=through-vpn disabled=no

/ip 
address add address=10.2.0.2/24 interface=proton-vpn network=10.2.0.0 # The address is taken from the connection config
route add dst-address=10.2.0.0/24 gateway=proton-vpn routing-table=through-vpn
route add dst-address=0.0.0.0/0 gateway=proton-vpn routing-table=through-vpn

# I suppose I need something like this, but I'm not yet sure what address and port to use. The rule is currently disabled
/ip firewall filter add action=accept chain=input comment="accept: wireguard peer" connection-state=new disabled=yes log=yes protocol=udp src-address=??? src-port=???

To me, it seems like I should be almost there. Almost, but not quite, apparently. I can ping 10.2.0.1 from the router (which is a remote ProtonVPN DNS server located in the same subnet as the interface), but the sites from the address-list won't open on the devices connected to the router. Where do I go from here? Not really sure how to start troubleshooting this. Any help would be greatly appreciated.

Thanks!

Router: hAP ac2
Firmware: RouterOS 7.2.3
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Having trouble setting up WireGuard

Fri Jun 03, 2022 3:22 am

You want this:
/ip firewall nat
add chain=srcnat out-interface=proton-vpn action=masquerade
And the first manual route to 10.2.0.0/24 is not needed.
 
anav
Forum Guru
Posts: 19113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Having trouble setting up WireGuard

Fri Jun 03, 2022 6:39 am

Can you confirm if proton wireguard gave you a fixed Wireguard IP, or a subnet??

On local MT router how many subnets/vlans do you have.
Do you want all subnets to go out vpn for internet?
Do you want any subnet to reach local servers?
Do you want any users to reach local servers?
 
n4bz0r
just joined
Topic Author
Posts: 11
Joined: Thu Jan 27, 2022 2:27 am

Re: Having trouble setting up WireGuard

Fri Jun 03, 2022 3:00 pm

Hello! Thanks for the responses!

Going to reply in separate posts, the markup seems to get a bit messy.
 
n4bz0r
just joined
Topic Author
Posts: 11
Joined: Thu Jan 27, 2022 2:27 am

Re: Having trouble setting up WireGuard

Fri Jun 03, 2022 3:04 pm

You want this:
/ip firewall nat add chain=srcnat out-interface=proton-vpn action=masquerade
Oh, good catch! Actually, I have a masquerade rule. And I even added the proton-vpn interface to the WAN list. But, for some reason, I disabled the list entry with the proton-vpn interface while tinkering around and then forgot to enable it back :)

Here is the rule, just in case:
/ip firewall nat add action=masquerade chain=srcnat comment=masquerade out-interface-list=WAN
And the first manual route to 10.2.0.0/24 is not needed.
Right, 0.0.0.0/0 should catch 10.2.0.0/24. Removed.

After adding the proton-vpn interface entry back to the WAN list and removing the route, sites started to open. Yay! Thanks :)

The load times aren't that great for some reason, though (takes about 20 seconds to start loading a page). I suspect this might be due to some misconfiguration as the servers aren't currently under heavy load (~60% at the moment). Going to try to switch the servers and see if it gets better.
Last edited by n4bz0r on Fri Jun 03, 2022 3:20 pm, edited 1 time in total.
 
n4bz0r
just joined
Topic Author
Posts: 11
Joined: Thu Jan 27, 2022 2:27 am

Re: Having trouble setting up WireGuard

Fri Jun 03, 2022 3:09 pm

Can you confirm if proton wireguard gave you a fixed Wireguard IP, or a subnet??
That was my understanding. Here is what the interface part of the config looks like:

[Interface]
PrivateKey = omitted
Address = 10.2.0.2/32
DNS = 10.2.0.1
On local MT router how many subnets/vlans do you have.
Do you want all subnets to go out vpn for internet?
Do you want any subnet to reach local servers?
Do you want any users to reach local servers?
These seem like leading questions :)

I have a few VLANs. Some VLANs have access to each other. Generally, VLANs should connect to the internet directly (without using the tunnel), but when they are trying to reach certain sites from the list, the traffic should be routed through VPN. This is done to access the sites blocked by the ISP. WireGuard tunnel shouldn't interfere with the communication between subnets and local machines.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Having trouble setting up WireGuard

Fri Jun 03, 2022 6:26 pm

Do you have fasttrack rule in /ip/firewall/filter? That can slow things down, because it doesn't go well together with mangle rules.
 
n4bz0r
just joined
Topic Author
Posts: 11
Joined: Thu Jan 27, 2022 2:27 am

Re: Having trouble setting up WireGuard

Fri Jun 03, 2022 7:09 pm

Do you have fasttrack rule in /ip/firewall/filter? That can slow things down, because it doesn't go well together with mangle rules.

Glad you asked! I forgot I had a few questions about fasttrack. I do have the rule, but I have altered it so it (presumably) wouldn't process the marked traffic:
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes \
    realm=!1024 \
    routing-mark=!through-vpn
# realm=!1024 must be what's shown in WinBox as routing-table=!through-vpn

I don't really know how fasttrack rule affects anything vpn-related, but, reading through the IPsec guide, I've read that it might mess things up. So first I removed the rule altogether, but then (after running a few BTests) I realized that performance without fasttrack isn't really great. So I brought the rule back, but, this time, I excluded the marked traffic via connection-mark attribute in the fasttrack rule. Haven't noticed any issues and the sites were opening quite fast.

Here, with WireGuard, I did a similar thing. But, of course, I had to switch from connection marking to route marking and, as you can see, I simply used two available rules without really knowing which one would work best (cover more ground, so to speak). I'd appreciate if you could elaborate which one I should use. Or maybe I should leave them both? Or, well, maybe I can't have fasttrack at all with this kind of setup :)

Thanks!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Having trouble setting up WireGuard

Fri Jun 03, 2022 11:40 pm

You need to mark connections and then mark routing based on connection mark. That's because firewall rules apply to all packets in any direction. So even if you exclude outgoing packets based on routing mark, the same rule will still apply to any response to these connections that's coming back. So something like:
/ip firewall mangle
add chain=prerouting connection-state=new dst-address-list=PASS_THROUGH_VPN action=mark-connection new-connection-mark=VPNconn passthrough=yes
add chain=prerouting in-interface-list=LAN connection-mark=VPNconn action=mark-routing new-routing-mark=through-vpn
And condition for fasttrack rule can be just connection-mark=no-mark.
 
n4bz0r
just joined
Topic Author
Posts: 11
Joined: Thu Jan 27, 2022 2:27 am

Re: Having trouble setting up WireGuard

Sat Jun 04, 2022 1:22 am

You need to mark connections and then mark routing based on connection mark
Not sure I fully understand why just yet, but this seems to have sped things up a great deal. It's now impossible to tell if the traffic goes through VPN or not. I think some of the sites open even faster than on my regular connection!

I now only have one question left. Is there anything I should know security-wise when setting up a WireGuard tunnel? Some common pitfalls? My firewall is set up fairly tight - allow communication between certain interface/address lists, drop everything else - which seems to suffice, but I still can't help but feel that I might be overlooking something.

Thank you!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Having trouble setting up WireGuard

Sat Jun 04, 2022 5:37 pm

If local 192.168.88.100 (or whatever you have) wanted to connect to 1.2.3.4 (which was listed in PASS_THROUGH_VPN), you marked routing for this packet and then routing-mark=!through-vpn in the fasttrack rule made sure that fasttrack didn't touch it. But then came the first response packet from 1.2.3.4 to 192.168.88.100; it didn't get any routing mark and the fasttrack rule applied to it.

Now the connection gets marked with first request packet and if the packet is from LAN then it gets routing mark. But response packet is automatically recognized as part of connection and it gets connection mark. And fasttrack rule won't touch it, because it takes only packets without connection mark.

As for firewall, keep it simple, allow what needs to be allowed and block the rest. Or in (many) more words: viewtopic.php?t=180838
 
anav
Forum Guru
Posts: 19113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Having trouble setting up WireGuard

Sat Jun 04, 2022 7:30 pm

Post the complete config and I will have a look.
/export file=anynameyouwish
 
n4bz0r
just joined
Topic Author
Posts: 11
Joined: Thu Jan 27, 2022 2:27 am

Re: Having trouble setting up WireGuard

Sat Jun 04, 2022 11:04 pm

If local 192.168.88.100 (or whatever you have) wanted to connect to [...]
Ah, I see. That makes sense. I think I got it now. Thanks for the elaboration!

As for firewall, keep it simple, allow what needs to be allowed and block the rest
Yeah, I went down exactly this road. Monitoring and figuring what needs to go where as I go :)

Post the complete config and I will have a look.
That's very kind of you! The config is a bit cluttered with WLAN settings, DHCP-leases, static DNS records, and such. So I reformatted and trimmed it down for the ease of comprehension. The order of the commands might be screwed up, and there might be some typos, but I believe it would be easier to read it this way. Feel free not to if it's still too much trouble, though. Going through the entire config feels like a bit too much to ask for.
 
anav
Forum Guru
Posts: 19113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Having trouble setting up WireGuard

Sun Jun 05, 2022 5:24 am

(1) You lost me with this one.
/interface wireguard peers add allowed-address="omitted" endpoint-address="omitted" \
endpoint-port="omitted" interface=proton-vpn persistent-keepalive=25s public-key="omitted"

That is critical to understand and ensure your setup is good and is not a security risk at all.
You are connecting to a third party VPN for internet so the setting would be 0.0.0.0/0, what is the big secret?

(2) Missing IP pool, dhcp server, dhcp server network for vlan4000!!

(3) You can get rid of the bits of your firewall rule: "connection-state=new" does nothing for you.

(4) By adding the wireguard interface to the WAN interface, can I surmise that you have two purposes for this:
a. the purpose is that the firewall rule VLAN to WAN , includes such traffic to enter the tunnel (and later we use mangle rules to limit which destination addresses are permitted for these users).

add comment="forward: accept access-to-internet list -> wan"
chain=forward action=accept \
in-interface-list=ACCESS_TO_INTERNET out-interface-list=WAN


b. to sourcenat all subnet users to the IP of the wireguard interface......

/ip firewall nat add chain=srcnat action=masquerade comment=masquerade out-interface-list=WAN

(5) What I don't understand is which subnets are supposed to use the Wireguard tunnel?
I get the feeling you want all users to use proton for internet.......
From reading there are some websites for which you don't want them to access or is it only a few websites they should be allowed to visit.

I am thinking there may be an easier way to do this..............
 
n4bz0r
just joined
Topic Author
Posts: 11
Joined: Thu Jan 27, 2022 2:27 am

Re: Having trouble setting up WireGuard

Sun Jun 05, 2022 3:31 pm

Thanks for taking a look!

so the setting would be 0.0.0.0/0 what is the big secret.??
Ah, not a secret, really. It is 0.0.0.0/0. I was editing out Proton-specific configuration details, thought this one would be irrelevant too.

(2) Missing IP pool, dhcp server, dhcp server network for vlan4000!!
That was a deliberate choice. Don't need them just yet :)

(3) You can get rid of the bits of your firewall rule: "connection-state=new" does nothing for you.
Hm. The idea behind the rules was to be as specific as possible. Setting the rules this way should also cut out unwanted connection states like invalid and untracked. Have I missed something and these connection states can still leak?

(4) By adding the wireguard interface to the WAN interface, can I surmise that you have two purposes for this
That's just a way of enabling masquerading on the WG interface. As you've mentioned, I am in fact connecting to a third-party VPN so having my internal network behind NAT seemed like a sensible thing to do security-wise at the time. Should I create a separate masquerade rule instead? I might very well be missing something and this doesn't work as intended.

Now, currently, my biggest concern is if my firewall is tight enough that I won't have to add rules like:
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
As a matter of fact, I do have this rule enabled, but just to monitor if there are any connections of this kind being made (none so far). I'm planning to remove it later on so I removed it from the posted configuration.

I get the feeling you want all users to use proton for internet.......
I've mentioned the general idea in this post. I am currently not limiting users from using WG tunnel, quite the opposite. I've set the thing up so they could access the sites from the list via the tunnel. Might narrow down the list of VLANs that have access to that later on, though — my VMs aren't really supposed to visit blocked sites :D

There is a centralized registry of the sites all our ISPs are obliged to block. If they don't, they might get fined or worse, so they comply. Some of the finest examples of currently blocked sites are: all independent news sources, facebook, instagram, twitter. So we have to use VPN to read news and browse tanned butts. But that's about it, the rest shouldn't go through VPN. Blocked sites -> WG, rest -> normal routing path. Note the mangle rules which only mark connection to sites from the list to be routed through VPN.

-------------------

Edit:
I just realized that the unused ACCESS_TO_BLOCKED_SITES list might've steered you off. The VLAN structure, inter-VLAN access and such are currently under development so the inside-network-config part isn't final yet. I.e. clients accessing something isn't much of a concern atm. The concern is someone outside accessing the clients through a scary tunnel :) The connection marking rule was supposed to look like this:
add action=mark-connection chain=prerouting new-connection-mark=pass-through-vpn \
    in-interface-list=ACCESS_TO_BLOCKED_SITES \
    dst-address-list=PASS_THROUGH_VPN \
    connection-state=new passthrough=yes
 
anav
Forum Guru
Posts: 19113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Having trouble setting up WireGuard

Sun Jun 05, 2022 9:41 pm

Then this works..........
add action=mark-connection chain=prerouting new-connection-mark=pass-through-vpn \
    in-interface-list=ACCESS_TO_BLOCKED_SITES \
    dst-address-list=PASS_THROUGH_VPN \
    connection-state=new passthrough=yes

+
# routing marks are per packet, so this rule must match every packet of the marked
# connection (no connection-state=new) and only packets of marked connections
add action=mark-routing chain=prerouting new-routing-mark=through-vpn \
    connection-mark=pass-through-vpn \
    dst-address-list=!VLAN-Subnets \
    passthrough=yes

Hint: You have to make a firewall address list of the VLAN subnets..........
In this manner you don't mark the return traffic and it gets routed properly back to the subnets and not back out the tunnel again.


Alternatively you could have
add action=mark-routing chain=prerouting new-routing-mark=through-vpn \
    connection-mark=pass-through-vpn \
    in-interface-list=VLAN \
    passthrough=yes

and the mark routing will match only on the outgoing traffic and not on the return traffic.
Last edited by anav on Sun Jun 05, 2022 10:41 pm, edited 7 times in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Having trouble setting up WireGuard

Sun Jun 05, 2022 10:04 pm

Not the blue one. First, it's not needed, because connection mark is assigned automatically by conntrack. And second, it's wrong, you can't use out-interface-list in prerouting. And when marking routing, you want it only for outgoing traffic.

Edit: I don't like people who edit their posts too much. ;)
 
n4bz0r
just joined
Topic Author
Posts: 11
Joined: Thu Jan 27, 2022 2:27 am

Re: Having trouble setting up WireGuard

Sun Jun 05, 2022 10:25 pm

Oh gawd. I've already written a response for anav elaborating why the suggested line shouldn't work, was about to post, and the message is already gone :D

Anyway, I think I'll leave my understanding of how this works here to help others avoid a pitfall I've already managed to step in :)

Right now the combination of rules works as follows.
  1. Router sees a connection from a local machine to an address from the list, the mangle rule marks this connection
  2. Router sees the marked connection and modifies the routing mark so the destination would be looked up in another routing table
  3. The http request goes through the route from through-vpn table
  4. The http response comes back and gets returned to the sender

If you were to deliberately mark the http response too (or merely forget to specify that only LAN->WAN should be marked), it would get the route mark too, and its destination would be looked up in the table which only has a WireGuard gateway (the through-vpn table). Which in turn is going to cause an explosion.

That's my understanding which isn't to be relied upon :D Feel free to correct me if I'm wrong.

PS: I've made an isolated, default-configuration-oriented script for those willing to implement a similar setup (already partially tested on my human-friend-test-subject!). Going to post it soon if I'll find no issues with it.
Last edited by n4bz0r on Sun Jun 05, 2022 10:33 pm, edited 2 times in total.
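To make the two-direction behaviour Sob describes (and the four-step summary above) concrete, here is an added toy model in Python. It is not RouterOS code and not from anyone in this thread; it models only what the thread states: mangle rules see packets in both directions, connection tracking hands every packet of a flow that flow's connection mark, the through-vpn table holds nothing but a default route via the tunnel, and a fasttrack rule skips the packets it matches. The addresses 192.168.88.100 and 1.2.3.4 are Sob's illustrative values; the interface names and the third policy (a mark-routing rule that forgot in-interface-list=LAN) are assumptions made for the example.

```python
"""Toy model of how mangle, connection tracking and fasttrack interact for
a request and its reply.  Constructed example: not RouterOS code, and it
models only the behaviour described in the thread."""
from dataclasses import dataclass
from typing import Optional

LAN_PREFIX = "192.168.88."        # constructed local subnet
PASS_THROUGH_VPN = {"1.2.3.4"}    # constructed address list
LAN_HOST, BLOCKED_SITE = "192.168.88.100", "1.2.3.4"


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str                 # "LAN" or "proton-vpn"
    routing_mark: Optional[str] = None
    connection_mark: Optional[str] = None
    fasttracked: bool = False
    gateway: Optional[str] = None


class Conntrack:
    """One entry per flow (unordered address pair) holding the flow's
    connection mark; every packet of the flow inherits that mark."""
    def __init__(self):
        self.flows = {}

    def see(self, pkt):
        key = frozenset((pkt.src, pkt.dst))
        is_new = key not in self.flows
        self.flows.setdefault(key, None)
        pkt.connection_mark = self.flows[key]
        return is_new

    def mark(self, pkt, mark):
        self.flows[frozenset((pkt.src, pkt.dst))] = mark
        pkt.connection_mark = mark


def route(pkt):
    """Routing decision: the through-vpn table has only a default route via
    the tunnel; the main table knows the LAN and has a default via the WAN."""
    if pkt.routing_mark == "through-vpn":
        pkt.gateway = "proton-vpn"
    elif pkt.dst.startswith(LAN_PREFIX):
        pkt.gateway = "LAN"
    else:
        pkt.gateway = "WAN"
    return pkt


def routing_mark_only(ct, pkt):
    """First attempt in the thread: mark routing straight from the address
    list and keep routing-marked packets out of fasttrack."""
    ct.see(pkt)
    if pkt.dst in PASS_THROUGH_VPN:              # mangle prerouting mark-routing
        pkt.routing_mark = "through-vpn"
    if pkt.routing_mark != "through-vpn":        # fasttrack routing-mark=!through-vpn
        pkt.fasttracked = True
    return route(pkt)


def connection_mark_then_routing(ct, pkt):
    """Sob's version: mark the connection on its first packet, mark routing
    only for LAN-side packets of marked connections, fasttrack only no-mark."""
    is_new = ct.see(pkt)
    if is_new and pkt.dst in PASS_THROUGH_VPN:   # mark-connection connection-state=new
        ct.mark(pkt, "VPNconn")
    if pkt.in_iface == "LAN" and pkt.connection_mark == "VPNconn":
        pkt.routing_mark = "through-vpn"         # mark-routing in-interface-list=LAN
    if pkt.connection_mark is None:              # fasttrack connection-mark=no-mark
        pkt.fasttracked = True
    return route(pkt)


def connection_mark_without_lan_filter(ct, pkt):
    """Assumed variant: the mark-routing rule forgot in-interface-list=LAN,
    so the reply is marked too and looked up in the tunnel-only table."""
    is_new = ct.see(pkt)
    if is_new and pkt.dst in PASS_THROUGH_VPN:
        ct.mark(pkt, "VPNconn")
    if pkt.connection_mark == "VPNconn":
        pkt.routing_mark = "through-vpn"
    if pkt.connection_mark is None:
        pkt.fasttracked = True
    return route(pkt)


def run(policy):
    """Push one request from the LAN host to the listed site through the
    policy, then its reply arriving on the tunnel; return both packets."""
    ct = Conntrack()
    request = policy(ct, Packet(LAN_HOST, BLOCKED_SITE, "LAN"))
    reply = policy(ct, Packet(BLOCKED_SITE, LAN_HOST, "proton-vpn"))
    return request, reply


if __name__ == "__main__":
    for policy in (routing_mark_only, connection_mark_then_routing,
                   connection_mark_without_lan_filter):
        req, rep = run(policy)
        print(f"{policy.__name__}:\n  request {req}\n  reply   {rep}")
```

Running it shows the three outcomes the thread walks through: with a routing mark alone the reply carries no mark and is fasttracked; with Sob's connection mark the reply inherits VPNconn, stays out of fasttrack and is routed back to the LAN via the main table; and without the LAN-side restriction on mark-routing the reply is sent back into the tunnel.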
 
anav
Forum Guru
Posts: 19113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Having trouble setting up WireGuard

Sun Jun 05, 2022 10:27 pm

Sob check my post above your post. I went back in time and changed the world.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Having trouble setting up WireGuard

Mon Jun 06, 2022 12:53 am

You have the power to go back in time and change the world, and you waste it on changing forum posts? And the change is still wrong. ;) I mean the first one, there's srcnat, so responses in prerouting won't have any LAN address as destination, it will be whatever srcnat used as new source. The other one is fine.
 
anav
Forum Guru
Posts: 19113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Having trouble setting up WireGuard

Mon Jun 06, 2022 1:18 am

You have the power to go back in time and change the world, and you waste it on changing forum posts?
Oh I forgot one small detail, I am also now your father ;-)
 
teleport
newbie
Posts: 48
Joined: Mon Sep 07, 2020 11:51 pm

Re: Having trouble setting up WireGuard

Mon Jun 27, 2022 2:50 am

Can someone condense the thread to the best practice (and working setup) needed to set up a WireGuard client on MikroTik to connect to ProtonVPN? Thanks.
 
mkuser1
just joined
Posts: 3
Joined: Sun Dec 10, 2023 7:40 pm
Location: Serbia

Re: Having trouble setting up WireGuard

Sun Jan 14, 2024 10:50 pm

Can someone condense the thread to the best practice (and working setup) needed to set up a WireGuard client on MikroTik to connect to ProtonVPN? Thanks.
I completely agree. There are at least 50 threads with proton/wireguard but none of them is new-user friendly, nor working!
ROS is complicated for pros ... so please forum gurus make short instructions to be used over SSH with all traffic through VPN and some traffic through VPN... and you will help all of us!
Default instructions from Proton itself are not usable.
 
infabo
Long time Member
Posts: 621
Joined: Thu Nov 12, 2020 12:07 pm

Re: Having trouble setting up WireGuard

Sun Jan 14, 2024 11:02 pm

Default instructions from Proton itself are not usable.
It is hard to take you seriously after such a statement.

see https://protonvpn.com/support/wireguard-configurations/

They have a downloadable configuration file and instructions for several platforms. ROS may be not covered but one statement from protonvpn site applies to ROS: "This means that advanced users can use any WireGuard client that also matches official specifications to connect to Proton VPN servers using WireGuard. This includes WireGuard clients built into routers."

So I did the research for you. Here is your how to setup Proton VPN on ROS. https://protonvpn.com/support/wireguard ... k-routers/
 
anav
Forum Guru
Posts: 19113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Having trouble setting up WireGuard

Mon Jan 15, 2024 12:20 am

Since the instructions provided are dated and not quite spot on, will put a revamped version in the wireguard user article.
In the meantime will post it here as well. No leading questions there mate........ I am trying to extract facts and requirements so that a coherent config can be compiled.
If your story keeps changing then it's hard to ensure that any solution is optimal for the endstate.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
This is generic enough and re-iterates Sob's advice...........

(7b) THIRD PARTY VPN ---> PROTON VPN - Typically for external internet access!

INFORMATION NEEDED FROM PROTON
i. Endpoint address and Endpoint port
24.223.67.23:12345
ii. Private Wireguard Key - you use this when creating the wg interface as they will then already have your public key which they need!
iii. DNS server - this is for you to use as appropriate ( typically in the local subnet going out wireguard in the dhcp server-network dns-server settings )
10.10.30.4
iv. IP address assigned - the key here is that they only really give you one IP address and thus you will need to sourcenat your traffic going out this tunnel.
10.10.10.34

MT SETTINGS
v. create MT interface, give it a name and a random listening port, does not have to be same as listening port of Proton. interface=wireguard1
vi. create IP address, and stick to the normal address format /ip address add address=10.10.10.34/24 interface=wireguard1 network=10.10.10.0 DONE!
vii. add Source-nat traffic out wireguard, and you have two choices: either add chain=srcnat action=masquerade out-interface=wireguard1
OR
add the interface wireguard1 to the WAN Interface List and the same functionality is achieved by the default sourcenat rule.
viii. Allow subnet to reach wireguard add chain=forward action=accept src-address=localsubnet out-interface=wireguard1
ix. PEER settings: allowed-address=0.0.0.0/0 interface=wireguard1 endpoint-address=24.223.67.23 endpoint-port=12345 public-key=".." persistent-keepalive=35s
x. If applicable modify DNS setting of subnet

THE TRICKY PART - How to get your local traffic into wireguard.
Option1 - Routing Rules
Option2 - Mangling

In both cases, common to both Routing Rules and Mangling you need to do two things first!
1. Create a table
/routing table add fib name=useWG

2. Create a route for that traffic with the new table:
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG


OPTION1 ROUTING RULES - The idea is to identify the source subnet(s) and then send them out the table. The use of action=lookup means if the tunnel fails the users will have a fallback position of reaching the internet via the normal WAN. If you do not want this flexibility, select action=lookup-only-in-table. The other consideration is that if you want any local traffic to be able to reach the subnet and expect replies or need users in the subnet going out wireguard1 to also be able to reach other local subnets you need to add additional routing rules FIRST in the order.

/routing rule add dst-address=localSubnet action=lookup-only-in-table table=main comment="allow replies to local subnet or traffic to local subnet"
/routing rule add src-address=subnet4wireguard action=lookup table=useWG comment="force all subnet traffic into tunnel"


OPTION 2 MANGLING The idea here is that mangles are required if you have too many users to send out the tunnel for single routing rules, but they do not constitute an entire subnet or are from various subnets. Use of a firewall address list will be essential to identify the users by IP that are going to be sent out the tunnel. Be aware that mangle rules take precedence over the other method, routing rules, if there is overlap.

Although one could simply use one set of mangle rules I prefer two sets, in order to establish the ability to use NO-MARK on my fasttrack rule. In this manner I can continue to use fasttrack for all other traffic, especially useful for one with multiple subnets and not all go out the tunnel for internet.

/ip firewall mangle
add chain=prerouting action=mark-connection connection-mark=no-mark src-address-list=WG-USERS new-connection-mark=outbound-WG passthrough=yes
add chain=prerouting action=mark-routing connection-mark=outbound-WG new-routing-mark=useWG passthrough=no

You may well ask and should ask, hey but what about return traffic to other local users or traffic originating to other local users.......
To ensure this to be true we add the following to be complete and order is important or at least logical.
/ip firewall mangle
# out-interface-list cannot be matched in prerouting (no routing decision yet), so local
# destinations are matched by an address list of the local subnets instead
add chain=prerouting action=accept src-address-list=WG-USERS dst-address-list=VLAN-Subnets
add chain=prerouting action=mark-connection connection-mark=no-mark src-address-list=WG-USERS new-connection-mark=outbound-WG passthrough=yes
add chain=prerouting action=mark-routing connection-mark=outbound-WG new-routing-mark=useWG passthrough=no
Last edited by anav on Mon Jan 15, 2024 4:48 am, edited 2 times in total.
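The lookup versus lookup-only-in-table distinction and the "local subnet rule FIRST" point in Option 1 above, as an added Python model; it is not RouterOS code and not from the post's author. Tables are dicts of prefix to gateway, rules are walked top to bottom, a rule whose table has no route either falls through (lookup) or gives up (lookup-only-in-table), and a useWG table whose only route points at a down tunnel contains no usable route at all. The subnets, interface names and addresses are constructed for the example.

```python
"""Toy policy-routing resolver for the routing-rule approach (Option 1).
Constructed example, not RouterOS code: tables map prefixes to gateways,
rules are walked top to bottom, and a useWG table whose only route points
at a down tunnel contains no usable route at all."""
from ipaddress import ip_address, ip_network

LOCAL_SUBNET = ip_network("192.168.10.0/24")       # constructed "localSubnet"
SUBNET4WIREGUARD = ip_network("192.168.20.0/24")   # constructed "subnet4wireguard"


def make_tables(tunnel_up):
    """main knows both local subnets and has a default via the WAN; useWG has
    a single default route via wireguard1 that disappears when the tunnel
    is down."""
    main = {
        LOCAL_SUBNET: "bridge-vlan10",
        SUBNET4WIREGUARD: "bridge-vlan20",
        ip_network("0.0.0.0/0"): "ether1-wan",
    }
    use_wg = {ip_network("0.0.0.0/0"): "wireguard1"} if tunnel_up else {}
    return {"main": main, "useWG": use_wg}


def lookup(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for prefix, gateway in table.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gateway)
    return best[1] if best else None


def resolve(rules, tables, src, dst):
    """Walk the rules in order. action=lookup falls through to the next rule
    (and finally main) when its table has no route; lookup-only-in-table
    returns None instead, i.e. the packet has nowhere to go."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if "src" in rule and src not in rule["src"]:
            continue
        if "dst" in rule and dst not in rule["dst"]:
            continue
        gateway = lookup(tables[rule["table"]], dst)
        if gateway is not None:
            return gateway
        if rule["action"] == "lookup-only-in-table":
            return None
    return lookup(tables["main"], dst)


def make_rules(wg_action, local_first=True):
    """The two rules from the post; local_first=False models the wrong order."""
    local = {"dst": LOCAL_SUBNET, "action": "lookup-only-in-table", "table": "main"}
    wg = {"src": SUBNET4WIREGUARD, "action": wg_action, "table": "useWG"}
    return [local, wg] if local_first else [wg, local]


if __name__ == "__main__":
    up, down = make_tables(True), make_tables(False)
    print("internet via tunnel:", resolve(make_rules("lookup"), up, "192.168.20.5", "8.8.8.8"))
    print("local stays local:  ", resolve(make_rules("lookup"), up, "192.168.20.5", "192.168.10.7"))
    print("wrong rule order:   ", resolve(make_rules("lookup", False), up, "192.168.20.5", "192.168.10.7"))
    print("tunnel down, lookup:", resolve(make_rules("lookup"), down, "192.168.20.5", "8.8.8.8"))
    print("tunnel down, only:  ", resolve(make_rules("lookup-only-in-table"), down, "192.168.20.5", "8.8.8.8"))
```

The last two cases are the ones to weigh before picking an action: with action=lookup a tunnel outage quietly fails open and the subnet's traffic leaves via the plain WAN, while lookup-only-in-table fails closed and that traffic goes nowhere until the tunnel is back. The wrong-order case shows why the local-subnet rule has to sit above the tunnel rule: otherwise traffic to another local subnet matches the useWG default route first.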
 
anav
Forum Guru
Posts: 19113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Having trouble setting up WireGuard

Mon Jan 15, 2024 1:30 am

As for the PROTON LINKED ARTICLE LETS REVIEW. ( it's been updated since the last time I looked at it so good they are trying to keep it current/correct )

PARA1: Correct for any third party VPN you have to download a specific file with your particular parameters.
PARA2: Nothing wrong here but on the sourcenat file there is NO REQUIREMENT to put in the source address of any subnet or list.

( sourcenat is not the place to "control" traffic flow, that is the function of firewall rules ( permission) and IP routes ( the path to get somewhere ). The function of sourcenat is to modify the source address of the outgoing packet for a particular reason. In this case, it's because the third party provider is only expecting one IP address and in wireguard, the processing will drop any IPs not on the peers allowed 'Remote' IPs............ )

PARA3: OUT TO LUNCH, not sure what the heck this is, but not seen on any configuration.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10


As I stated, one needs ONLY one route associated with the TABLE created. The route states traffic to all destinations will go out the wireguard tunnel if assigned to the special table.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG


PARA8 DNS: AVOID - I am unsure what they are doing here. Certainly would not suggest bastardizing an MT config with
/ip dns
set servers=10.10.30.4
/ip dhcp-client
set 0 use-peer-dns=no


For a single subnet or multiple subnets the advice is to put in the provided DNS server on the subnets dhcp network-server settings.
In the case of a source address list approach, its trickier.
I have not thought about it but off the top of my head I would probably try using DSTNAT rules.

/ip firewall nat
add chain=dstnat action=dst-nat src-address-list=WG-USERS dst-port=53 protocol=udp to-addresses=10.10.30.4
add chain=dstnat action=dst-nat src-address-list=WG-USERS dst-port=53 protocol=tcp to-addresses=10.10.30.4


& an accompanying IP ROUTE seeing as the MT router will not have a clue about the existence of that IP address or a path to it and we don't want it going out the WAN looking for it.
/ip route
add dst-address=10.10.30.4 gateway=wireguard1 routing-table=main


PARA9 BAD ADVICE - in general one still needs access to the main WAN for many reasons.
