monoweb
just joined
Topic Author
Posts: 1
Joined: Sat Jun 18, 2022 8:54 pm

Route traffic from L2TP connection to Wireguard

Sat Jun 18, 2022 9:09 pm

I'm trying to set up a Wireguard (Cloudflare Warp) connection as a gateway to access some sites; the basic configuration is the following:
# setup wireguard
/interface wireguard add name=Cloudflare listen-port=13231 mtu=1280 private-key="***"
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address="162.159.192.1" endpoint-port=2408 interface=Cloudflare public-key="***"
/ip address add address=172.16.0.2/24 interface=Cloudflare network=172.16.0.0
# mark packets
/routing table add disabled=no fib name=via-vpn
/ip firewall address-list add address=somesite.com comment=bypass list=bypass
/ip firewall mangle add action=mark-routing chain=prerouting comment=wg_bypass dst-address-list=bypass new-routing-mark=via-vpn passthrough=yes
# routing
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=Cloudflare routing-table=via-vpn
# NAT
/ip firewall nat add action=masquerade chain=srcnat comment=wireguard out-interface=Cloudflare
Additionally, I have an L2TP + IPSec VPN server on the same Mikrotik device for my remote clients (network 192.168.10.0/24).

My setup works perfectly fine with all clients directly connected to Mikrotik via LAN or WiFi (network 192.168.1.0/24); target traffic successfully goes via Wireguard.
But any client connected via L2TP + IPSec can't ping or access the target domain; the request just times out. Even stranger, 1 of roughly 50 ping packets is received successfully.

When I change the routing rule to another gateway (my OpenVPN client connection, for example), i.e. from
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=Cloudflare routing-table=via-vpn
to
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=OVPNClient routing-table=via-vpn
then target traffic goes via OVPNClient fine for both local and L2TP clients, until I change the gateway back to Cloudflare again.

I wonder if anyone has any idea what I might be missing with the Wireguard connection?
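Added example, not part of monoweb's post: a small Python checker that parses the RouterOS command lines pasted above and verifies that the pieces a routing-mark bypass depends on agree with each other (the mangle mark names a declared routing table, that table has a route, and the route's gateway interface has a masquerade rule). It only sees the lines it is given, so a NAT rule that exists elsewhere on the router is unknown to it; the config string inside is a constructed copy of the post's policy-routing lines.

```python
import shlex
from collections import defaultdict

# Constructed copy of the policy-routing part of the config shown in the post.
POSTED_CONFIG = """
/routing table add disabled=no fib name=via-vpn
/ip firewall mangle add action=mark-routing chain=prerouting comment=wg_bypass dst-address-list=bypass new-routing-mark=via-vpn passthrough=yes
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=Cloudflare routing-table=via-vpn
/ip firewall nat add action=masquerade chain=srcnat comment=wireguard out-interface=Cloudflare
"""

def parse_ros(text):
    """Group RouterOS 'add' commands by menu path: {'/ip route': [{key: value}, ...]}."""
    rows = defaultdict(list)
    for line in text.splitlines():
        parts = shlex.split(line.strip())  # shlex also strips quotes such as private-key="***"
        if not parts or not parts[0].startswith("/") or "add" not in parts:
            continue  # skips blank lines and '# comment' lines
        i = parts.index("add")
        menu = " ".join(parts[:i])
        rows[menu].append(dict(p.split("=", 1) for p in parts[i + 1:] if "=" in p))
    return rows

def check_policy_routing(text):
    """Return a list of problems; an empty list means mark -> table -> route -> NAT line up."""
    cfg = parse_ros(text)
    problems = []
    tables = {t["name"] for t in cfg["/routing table"]}
    routes_by_table = defaultdict(list)
    for r in cfg["/ip route"]:
        routes_by_table[r.get("routing-table", "main")].append(r)
    nat_ifaces = {n.get("out-interface") for n in cfg["/ip firewall nat"]
                  if n.get("action") == "masquerade"}
    for m in cfg["/ip firewall mangle"]:
        if m.get("action") != "mark-routing":
            continue
        mark = m["new-routing-mark"]
        if mark not in tables:
            problems.append(f"mark {mark} has no /routing table entry")
        if not routes_by_table.get(mark):
            problems.append(f"table {mark} has no route")
        for r in routes_by_table.get(mark, []):
            if r.get("gateway") not in nat_ifaces:
                problems.append(f"gateway {r.get('gateway')} of table {mark} has no masquerade rule")
    return problems

if __name__ == "__main__":
    print(check_policy_routing(POSTED_CONFIG) or "posted config is consistent")
```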
