e17
just joined
Topic Author
Posts: 4
Joined: Sun May 15, 2022 11:23 am

Wireguard UDP 'ciphertext' socket in VRF

Thu Jun 23, 2022 12:55 am

I have a problem with having a Wireguard interface in a VRF. I mean, completely, with its encapsulation 'ciphertext' UDP socket as well. Looks like I can have a Wireguard interface in a VRF, but only its tunneled traffic is treated as VRF traffic.

Symptom: once the Wireguard tunnel wants to establish a connection to a peer, the encrypted session starts using the main routing table and not the one tied to the VRF.

To demo this, consider the simple setup below. The other peer is a generic Linux host speaking VLAN 20, having an Ethernet address of 192.0.2.2 and Wireguard tunnel address 192.0.3.2.
/interface vlan
add interface=ether8 name=ether8.20 vlan-id=20
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key="[notimportant]"
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=192.0.2.2 endpoint-port=8844 interface=wireguard1 public-key="[notimportant]"
/ip address
add address=192.0.2.1/24 interface=ether8.20 network=192.0.2.0
add address=192.0.3.1/30 interface=wireguard1 network=192.0.3.0
/ip vrf
add interfaces=ether8.20,wireguard1 name=test
#of course we have firewall rule for the UDP socket
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
Low-level IP connectivity works:
22:19:14.030945 ethertype IPv4 (0x0800), length 70: 192.0.2.1 > 192.0.2.2: ICMP echo request, id 57656, seq 14338, length 36
22:19:14.031008 ethertype IPv4 (0x0800), length 70: 192.0.2.2 > 192.0.2.1: ICMP echo reply, id 57656, seq 14338, length 36

In the first case, it's the Linux host that tries to establish the tunnel, and fails miserably as RouterOS reports that there's no UDP listener on port 13231.
22:19:18.366508 ethertype IPv4 (0x0800), length 190: 192.0.2.2.8844 > 192.0.2.1.13231: UDP, length 148
22:19:18.366721 ethertype IPv4 (0x0800), length 218: 192.0.2.1 > 192.0.2.2: ICMP 192.0.2.1 udp port 13231 unreachable, length 184

When I specify
/interface/wireguard/peers/set persistent-keepalive=42
telling RouterOS to actively connect to the Linux host, it tries to connect to this address using the default route (and corresponding public IP as source) from the main table. Which of course will not work.

The only way I could redirect outgoing (from RouterOS perspective) Wireguard UDP traffic to the VRF interface is this:
/ip route
add disabled=no distance=1 dst-address=192.0.2.2/32 gateway=ether8.20@test pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Which is a gross hack and it still does not work for replies:
23:12:36.852918 ethertype IPv4 (0x0800), length 190: 192.0.2.1.13231 > 192.0.2.2.8844: UDP, length 148
23:12:36.853318 ethertype IPv4 (0x0800), length 134: 192.0.2.2.8844 > 192.0.2.1.13231: UDP, length 92
23:12:36.853486 ethertype IPv4 (0x0800), length 162: 192.0.2.1 > 192.0.2.2: ICMP 192.0.2.1 udp port 13231 unreachable, length 128

If this hack worked for replies, that would not be much help, as I would still need multiple Wireguard tunnels to this very host in multiple VRFs anyway.

To sum it up: looks like RouterOS 7.2.3 does not support having Wireguard UDP sockets in VRFs.
My goal would be: having multiple tunnels via multiple uplinks (ISPs) to the same host, letting routing protocols adjust the tunneled traffic prefixes in the main table.

However, this is not impossible: between generic Linux hosts I already have this working with simple network namespaces. Wireguard UDP sockets can listen in namespaces. It feels like RouterOS VRF implementation is more like an RPDB-hack than any namespacing. And if that is the case, I fear we have no option to lift Wireguard UDP sockets off the main table/VRF/you name it.
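The captures above show the symptom well enough to check for mechanically. The script below is an added example, not part of the original post: it parses tcpdump lines in the format pasted in the thread, counts WireGuard handshake initiations (148-byte UDP payload) and responses (92 bytes) to and from the listen port, and flags any ICMP "udp port unreachable" the router generated for that port. The three captures are the ones from the post plus one constructed healthy exchange; the function and class names are assumptions of this example.

```python
"""Check a tcpdump capture for the 'WireGuard socket not reachable' symptom.

Added example (not from the original post). Input lines are tcpdump output
as pasted in the thread. A handshake datagram hitting the listen port that is
then bounced with ICMP port-unreachable means no socket is listening on the
path (interface/VRF) the peer's packets arrive on.
"""
import re
from dataclasses import dataclass

# WireGuard message sizes as UDP payload, from the protocol definition.
WG_HANDSHAKE_INIT = 148
WG_HANDSHAKE_RESP = 92

UDP_RE = re.compile(
    r"^(?P<ts>\S+) .*?length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)
ICMP_UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) .*?: (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP (?P<target>\d+\.\d+\.\d+\.\d+) udp port (?P<port>\d+) unreachable"
)


@dataclass
class Verdict:
    initiations_in: int = 0   # handshake initiations that arrived at our listen port
    initiations_out: int = 0  # initiations we sent (the persistent-keepalive case)
    responses_in: int = 0     # handshake responses that arrived at our listen port
    responses_out: int = 0    # handshake responses we sent
    unreachable: int = 0      # ICMP port-unreachable we generated for the listen port

    def socket_reachable(self) -> bool:
        """True only if handshake traffic hit the port and nothing was bounced."""
        return self.unreachable == 0 and (self.initiations_in + self.responses_in) > 0


def analyze(capture: str, listen_port: int) -> Verdict:
    """Classify each line of the capture relative to the WireGuard listen port."""
    v = Verdict()
    for line in capture.strip().splitlines():
        m = UDP_RE.match(line)
        if m:
            length = int(m["len"])
            if int(m["dport"]) == listen_port:
                if length == WG_HANDSHAKE_INIT:
                    v.initiations_in += 1
                elif length == WG_HANDSHAKE_RESP:
                    v.responses_in += 1
            elif int(m["sport"]) == listen_port:
                if length == WG_HANDSHAKE_INIT:
                    v.initiations_out += 1
                elif length == WG_HANDSHAKE_RESP:
                    v.responses_out += 1
            continue
        m = ICMP_UNREACH_RE.match(line)
        if m and int(m["port"]) == listen_port:
            v.unreachable += 1
    return v


def explain(v: Verdict) -> str:
    """One-line diagnosis for a Verdict."""
    if v.unreachable:
        return ("listen port bounced with ICMP port-unreachable: the UDP socket is not "
                "reachable on the interface/VRF the peer's packets arrive on")
    if v.socket_reachable():
        return "handshake traffic reached the listen port"
    return "no WireGuard handshake traffic seen for the listen port"


# Capture from the post: the Linux peer initiates, RouterOS bounces it.
CAPTURE_PEER_INITIATES = """
22:19:18.366508 ethertype IPv4 (0x0800), length 190: 192.0.2.2.8844 > 192.0.2.1.13231: UDP, length 148
22:19:18.366721 ethertype IPv4 (0x0800), length 218: 192.0.2.1 > 192.0.2.2: ICMP 192.0.2.1 udp port 13231 unreachable, length 184
"""

# Capture from the post: keepalive makes RouterOS initiate, the response is bounced.
CAPTURE_KEEPALIVE = """
23:12:36.852918 ethertype IPv4 (0x0800), length 190: 192.0.2.1.13231 > 192.0.2.2.8844: UDP, length 148
23:12:36.853318 ethertype IPv4 (0x0800), length 134: 192.0.2.2.8844 > 192.0.2.1.13231: UDP, length 92
23:12:36.853486 ethertype IPv4 (0x0800), length 162: 192.0.2.1 > 192.0.2.2: ICMP 192.0.2.1 udp port 13231 unreachable, length 128
"""

# Constructed healthy exchange (not from the post) for comparison.
CAPTURE_HEALTHY = """
23:20:01.000100 ethertype IPv4 (0x0800), length 190: 192.0.2.2.8844 > 192.0.2.1.13231: UDP, length 148
23:20:01.000400 ethertype IPv4 (0x0800), length 134: 192.0.2.1.13231 > 192.0.2.2.8844: UDP, length 92
"""

if __name__ == "__main__":
    for name, cap in (("peer initiates", CAPTURE_PEER_INITIATES),
                      ("keepalive", CAPTURE_KEEPALIVE),
                      ("healthy", CAPTURE_HEALTHY)):
        print(f"{name}: {explain(analyze(cap, 13231))}")
```

Feed it a capture taken on the VRF-member interface (the thread's ether8.20); a port-unreachable for the listen port on that interface, while the same port answers on a main-table interface, is exactly the "socket lives in main, not in the VRF" behaviour described above.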
 
Railander
Frequent Visitor
Posts: 85
Joined: Thu Jun 16, 2016 11:30 pm

Re: Wireguard UDP 'ciphertext' socket in VRF

Thu Sep 15, 2022 11:05 am

Exact same issue here.

I tried doing a bunch of things with mangle rules and even routing rules but nothing worked.

Ultimately I settled with L2TP, which does have support for VRFs... however it cannot run on a VRF with IPsec enabled, so I had to disable that. For my use-case I didn't really need IPsec, just a tunnel protocol that didn't require a static IP on both ends. But I guess you could always just run a 2nd tunnel inside that with encryption (such as wireguard). Not the most performant option, but it works.
 
Railander
Frequent Visitor
Posts: 85
Joined: Thu Jun 16, 2016 11:30 pm

Re: Wireguard UDP 'ciphertext' socket in VRF

Fri Feb 10, 2023 4:39 pm

Problem persists, can't run wireguard on top of VRF.
 
greek
Member Candidate
Posts: 117
Joined: Thu Nov 04, 2010 11:37 pm
Location: Russia, 78rus

Re: Wireguard UDP 'ciphertext' socket in VRF

Thu Nov 16, 2023 5:12 pm

I have the same problem :(

RBM33G with 2 LTE interfaces (one interface in a VRF) and 2 wireguard interfaces (one interface in a VRF).

But peers on both interfaces work only in the main VRF.

I can create a Route Rule: "dst-ip-of-peer lookup only in VRF table".
In conntrack I see requests + answers, but no RX packets on the peer.
