jovaf32128
just joined
Topic Author
Posts: 24
Joined: Sun Apr 26, 2020 9:22 pm

WireGuard only for specific sites - how?

Mon Jun 13, 2022 8:48 pm

I need to open a couple of sites through the VPN. This is the part of my config related to wg:
/interface wireguard
add listen-port=12321 mtu=1420 name=wireguard1

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=11.22.33.44 endpoint-port=12321 interface=wireguard1 \
    persistent-keepalive=25s public-key="keykeyey"

/interface list
add name=WAN

/interface list member
add interface=ether1 list=WAN
add interface=wireguard1 list=WAN

/routing table
add disabled=no fib name=wg-my

/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg-my scope=30 \
    suppress-hw-offload=no target-scope=10
  
/ip firewall address-list
add address=site.com list=vpnlist
  
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=vpnlist new-routing-mark=wg-my

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
But the site from the list does not open (it times out). I made 3 logging mangle rules: on prerouting, input and forward. I see incoming packets only on the prerouting rule; the 2 others are empty.
But if I use just this instead of the mangle rule and address list:
/routing rule add dst-address=special.address.ip action=lookup-only-in-table table=wg-my
then I can open the needed site through the VPN, but it is not useful for me: I want to use a firewall address list of sites.

What is my problem with the mangle rule? Why do packets get lost in the first case?

PS. Fasttrack is disabled of course.
Last edited by jovaf32128 on Mon Feb 27, 2023 7:42 am, edited 2 times in total.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: WireGuard only for specific sites - how?

Mon Jun 13, 2022 9:11 pm

Your first code block is backwards: the "/ip route add" block configures the wireguard1 interface as the default. What you're asking for is the opposite: some other interface to be the default, but for the wireguard1 interface to be the proper route for certain target IPs.

Therefore, let the default gateway be set up normally (e.g. via DHCP) and then add static routes for the exceptions:

/ip route
add dst-address=192.0.2.0/24 gateway=wireguard1

Now all traffic to TEST-NET-1 will go out the WireGuard VPN, and everything else will bypass it.
 
jovaf32128
just joined
Topic Author
Posts: 24
Joined: Sun Apr 26, 2020 9:22 pm

Re: WireGuard only for specific sites - how?

Mon Jun 13, 2022 9:20 pm

Your first code block is backwards: the "/ip route add" block configures the wireguard1 interface as the default. What you're asking for is the opposite: some other interface to be the default, but for the wireguard1 interface to be the proper route for certain target IPs.
Why? I use a routing table mark, not all traffic:
/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg-my scope=30 suppress-hw-offload=no target-scope=10

Therefore, let the default gateway be set up normally (e.g. via DHCP) and then add static routes for the exceptions:
/ip route
add dst-address=192.0.2.0/24 gateway=wireguard1
Now all traffic to TEST-NET-1 will go out the WireGuard VPN, and everything else will bypass it.
Okay, it works, but I need to use address lists. I don't want to generate lots of /ip route rules manually.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: WireGuard only for specific sites - how?

Mon Jun 13, 2022 9:43 pm

I don't see a huge distinction between addresses in a list and a list of static routes, particularly given how many rules are required to set up connection marking, multiple routing tables, and such. Unless the number of addresses is huge, it may be shorter to do it my way.

However, if you insist on proceeding down that path, I think you need a second NAT rule, per this example. Without it, you get no NAT thru the WG link, thus no packet flow.
 
jovaf32128
just joined
Topic Author
Posts: 24
Joined: Sun Apr 26, 2020 9:22 pm

Re: WireGuard only for specific sites - how?

Mon Jun 13, 2022 10:01 pm

Without it, you get no NAT thru the WG link
Why?
I already have the main masquerade NAT rule that includes all WAN interfaces (and WG too). It works with route rules. Do you think it is not fit for the address-list case?
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: WireGuard only for specific sites - how?

Mon Jun 13, 2022 10:14 pm

I think you're confusing the packet flow logic by putting "wireguard1" in "out-interface-list=WAN". The WAN list should have only the raw (non-VPN) interface(s).

But rather than keep arguing, why not try it and see?

I'm not guaranteeing I'm right. What I am saying is:

1. If it works, it works.
2. If it doesn't, you have a stronger counterargument than "but whhyyyyy?"
 
jovaf32128
just joined
Topic Author
Posts: 24
Joined: Sun Apr 26, 2020 9:22 pm

Re: WireGuard only for specific sites - how?

Mon Jun 13, 2022 10:38 pm

I think you're confusing the packet flow logic by putting "wireguard1" in "out-interface-list=WAN". The WAN list should have only the raw (non-VPN) interface(s).
I did this:
/ip firewall filter
add action=accept chain=forward connection-state=established,related in-interface=wg1 out-interface=bridge-local
add action=accept chain=forward connection-state=established,related,new in-interface=bridge-local out-interface=wg1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wg1

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=vpnlist in-interface=bridge-local new-connection-mark=vpn-conn
add action=mark-routing chain=prerouting connection-mark=vpn-conn in-interface=bridge-local new-routing-mark=vpn-rt

/ip firewall address-list
add address=2ip.ru list=vpnlist

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src=0.0.0.0 routing-table=vpn-rt scope=30 suppress-hw-offload=\
    no target-scope=10
	
/routing table
add disabled=no fib name=vpn-rt
And it does not work. If I just remove "routing-table=vpn-rt" from the ip route, it starts working with the main route table and through the main WAN, not wg1 :(
 
jovaf32128
just joined
Topic Author
Posts: 24
Joined: Sun Apr 26, 2020 9:22 pm

Re: WireGuard only for specific sites - how?

Wed Jun 22, 2022 2:45 pm

Can anybody explain what is wrong with the part of the config above?
 
jovaf32128
just joined
Topic Author
Posts: 24
Joined: Sun Apr 26, 2020 9:22 pm

Re: WireGuard only for specific sites - how?  [SOLVED]

Wed Jun 29, 2022 8:44 am

/ip settings set rp-filter=loose
It was set to "strict".
Last edited by jovaf32128 on Tue Jan 31, 2023 1:31 pm, edited 1 time in total.
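The working pieces of this thread collected into one RouterOS 7 config, as an added example rather than any poster's own lines; it assumes the LAN bridge is bridge-local and the uplink is ether1, and uses placeholders for the peer endpoint, public key and site name.

```routeros
# Added example, not any poster's config: the thread's "VPN only for listed sites"
# setup consolidated for RouterOS 7. Assumed names: bridge-local = LAN bridge,
# ether1 = uplink, wireguard1 = tunnel; peer endpoint/key and site are placeholders.

/interface wireguard
add listen-port=12321 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=198.51.100.1 endpoint-port=12321 \
    interface=wireguard1 persistent-keepalive=25s public-key="<PEER-PUBLIC-KEY>"

# WAN list carries only the raw uplink; the tunnel gets its own NAT rule below
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN

# Separate table whose only route is a default via the tunnel
/routing table
add disabled=no fib name=wg-my
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=wg-my distance=1

# Sites to send through the tunnel (the router resolves DNS names in address lists)
/ip firewall address-list
add address=site.example list=vpnlist

# Mark the connection on its first packet, then mark routing for every packet
# of that connection. Fasttrack must stay off or these rules are bypassed.
/ip firewall mangle
add chain=prerouting in-interface=bridge-local dst-address-list=vpnlist \
    connection-state=new action=mark-connection new-connection-mark=vpn-conn
add chain=prerouting in-interface=bridge-local connection-mark=vpn-conn \
    action=mark-routing new-routing-mark=wg-my passthrough=no

# One masquerade per egress: no NAT on the tunnel means no return traffic
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
add chain=srcnat out-interface=wireguard1 action=masquerade

# The thread's actual fix: strict RPF drops tunnel replies because the main table
# would not route that source via wireguard1; loose only requires some route to exist
/ip settings
set rp-filter=loose
```

Check with /ip firewall mangle print stats and /ip route print where routing-table=wg-my that the mark-routing counter grows and the route is active before blaming NAT.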
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard only for specific sites - how?

Thu Jun 30, 2022 5:24 pm

The problem here is that you need to establish a WAN connection to the server, and thus not ALL traffic can go out the WG tunnel.
There are ways around this which add complexity but should only be approached if necessary.

You have a conundrum in that you have multiple addresses that need to go out the WG tunnel:
a. create one route and a gazillion route rules to match on dst-address OR
b. create a firewall address list and add mangling

In terms of allowed IP addresses you can add all of them individually to the WG list, or use 0.0.0.0/0 but then you have to be cognizant of how this affects all other traffic intended for the regular internet.

Seems like you have solved a config error, and it's working for you now?
 
jovaf32128
just joined
Topic Author
Posts: 24
Joined: Sun Apr 26, 2020 9:22 pm

Re: WireGuard only for specific sites - how?

Sun Jul 03, 2022 6:00 pm

Seems like you have solved a config error, and it's working for you now?
Yes, I think it was an early error in the config that led me to this problem. Now it works: I can add the required site to the list and it will route through my VPN.
