Symptom: once the Wireguard tunnel wants to establish a connection to a peer, the encrypted session starts using the main routing table and not the one tied to the VRF.
To demo this, consider the simple setup below. The other peer is a generic Linux host speaking VLAN 20, with an Ethernet address of 192.0.2.2 and a Wireguard tunnel address of 192.0.3.2.
/interface vlan
add interface=ether8 name=ether8.20 vlan-id=20
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key="[notimportant]"
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=192.0.2.2 endpoint-port=8844 interface=wireguard1 public-key="[notimportant]"
/ip address
add address=192.0.2.1/24 interface=ether8.20 network=192.0.2.0
add address=192.0.3.1/30 interface=wireguard1 network=192.0.3.0
# both the underlay VLAN and the tunnel interface are members of the VRF
/ip vrf
add interfaces=ether8.20,wireguard1 name=test
# of course we have a firewall rule for the UDP socket
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
22:19:14.030945 ethertype IPv4 (0x0800), length 70: 192.0.2.1 > 192.0.2.2: ICMP echo request, id 57656, seq 14338, length 36
22:19:14.031008 ethertype IPv4 (0x0800), length 70: 192.0.2.2 > 192.0.2.1: ICMP echo reply, id 57656, seq 14338, length 36
22:19:18.366508 ethertype IPv4 (0x0800), length 190: 192.0.2.2.8844 > 192.0.2.1.13231: UDP, length 148
22:19:18.366721 ethertype IPv4 (0x0800), length 218: 192.0.2.1 > 192.0.2.2: ICMP 192.0.2.1 udp port 13231 unreachable, length 184
# select the peer defined above; the set command needs an item to act on
/interface/wireguard/peers/set [find interface=wireguard1] persistent-keepalive=42
The only way I could redirect outgoing (from the RouterOS perspective) Wireguard UDP traffic to the VRF interface is this:
/ip route
# host route to the peer endpoint kept in the main table, but pointed at the VRF-member interface
add disabled=no distance=1 dst-address=192.0.2.2/32 gateway=ether8.20@test pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
23:12:36.852918 ethertype IPv4 (0x0800), length 190: 192.0.2.1.13231 > 192.0.2.2.8844: UDP, length 148
23:12:36.853318 ethertype IPv4 (0x0800), length 134: 192.0.2.2.8844 > 192.0.2.1.13231: UDP, length 92
23:12:36.853486 ethertype IPv4 (0x0800), length 162: 192.0.2.1 > 192.0.2.2: ICMP 192.0.2.1 udp port 13231 unreachable, length 128
To sum it up: it looks like RouterOS 7.2.3 does not support having Wireguard UDP sockets in VRFs.
My goal would be: having multiple tunnels via multiple uplinks (ISPs) to the same host, and letting routing protocols adjust the tunneled traffic prefixes in the main table.
However, this is not impossible: between generic Linux hosts I already have this working with simple network namespaces. Wireguard UDP sockets can listen in namespaces. It feels like the RouterOS VRF implementation is more of an RPDB hack than any namespacing. And if that is the case, I fear we have no option to lift Wireguard UDP sockets off the main table/VRF/you name it.
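The network-namespace arrangement the post contrasts RouterOS with, as an added example that is not part of the original post and not RouterOS code: on a generic Linux host, a WireGuard interface is created inside an "uplink" namespace (which is where its UDP socket gets bound) and then moved into a separate "VRF" namespace, so the encrypted packets follow the uplink namespace's routing table while the plaintext traffic lives in the other one. The underlay addresses (192.0.2.1/2), tunnel addresses (192.0.3.1/2) and listen ports (13231, 8844) follow the post; the namespace names, the veth underlay, the temporary key files and the 25 s keepalive are assumptions of this demo.

```shell
#!/bin/sh
# Added example, not from the forum post and not RouterOS code: a WireGuard
# tunnel on a generic Linux host whose UDP socket stays in an "uplink"
# network namespace while the wg interface is moved into a "VRF" namespace.
# Assumptions of this demo: namespace names, the veth underlay, temporary key
# files, and a 25 s keepalive. Addresses and listen ports follow the post.
# Requires root, iproute2, wg(8) and the wireguard kernel module.
set -eu

WAN_A=wan-a; WAN_B=wan-b        # uplink namespaces: own the UDP sockets
VRF_A=vrf-a; VRF_B=vrf-b        # "VRF" namespaces: own the wg interfaces
PORT_A=13231; PORT_B=8844       # listen ports as in the post
KEYDIR=

# Returns 0 only when the demo can run here: root, wg tool, netns and wireguard.
prereqs() {
    [ "$(id -u)" -eq 0 ] || return 1
    command -v wg > /dev/null 2>&1 || return 1
    ip netns add wgdemo-probe 2> /dev/null || return 1
    rc=0
    ip -n wgdemo-probe link add wgprobe type wireguard 2> /dev/null || rc=1
    ip netns del wgdemo-probe
    return $rc
}

setup() {
    umask 077
    KEYDIR=$(mktemp -d)
    wg genkey > "$KEYDIR/a.key"; wg pubkey < "$KEYDIR/a.key" > "$KEYDIR/a.pub"
    wg genkey > "$KEYDIR/b.key"; wg pubkey < "$KEYDIR/b.key" > "$KEYDIR/b.pub"

    for ns in $WAN_A $WAN_B $VRF_A $VRF_B; do
        ip netns add "$ns"
        ip -n "$ns" link set lo up
    done

    # Underlay: one veth pair between the two uplink namespaces (192.0.2.0/24).
    ip link add veth-a type veth peer name veth-b
    ip link set veth-a netns $WAN_A
    ip link set veth-b netns $WAN_B
    ip -n $WAN_A addr add 192.0.2.1/24 dev veth-a
    ip -n $WAN_B addr add 192.0.2.2/24 dev veth-b
    ip -n $WAN_A link set veth-a up
    ip -n $WAN_B link set veth-b up

    # Create each wg interface INSIDE the uplink namespace. WireGuard binds its
    # UDP socket in the namespace the interface was created in and keeps it
    # there after the interface is moved, so the encrypted packets are routed
    # by the uplink namespace's table, not by the namespace the tunnel ends up in.
    ip -n $WAN_A link add wg0 type wireguard
    ip netns exec $WAN_A wg set wg0 listen-port $PORT_A private-key "$KEYDIR/a.key" \
        peer "$(cat "$KEYDIR/b.pub")" endpoint 192.0.2.2:$PORT_B \
        allowed-ips 192.0.3.0/30 persistent-keepalive 25
    ip -n $WAN_B link add wg0 type wireguard
    ip netns exec $WAN_B wg set wg0 listen-port $PORT_B private-key "$KEYDIR/b.key" \
        peer "$(cat "$KEYDIR/a.pub")" endpoint 192.0.2.1:$PORT_A \
        allowed-ips 192.0.3.0/30 persistent-keepalive 25

    # Move the tunnel interfaces into the "VRF" namespaces; the sockets stay behind.
    ip -n $WAN_A link set wg0 netns $VRF_A
    ip -n $WAN_B link set wg0 netns $VRF_B
    ip -n $VRF_A addr add 192.0.3.1/30 dev wg0
    ip -n $VRF_B addr add 192.0.3.2/30 dev wg0
    ip -n $VRF_A link set wg0 up
    ip -n $VRF_B link set wg0 up
}

# Returns 0 when the UDP socket is visible only in the uplink namespace and the
# tunnel actually passes traffic between the two "VRF" namespaces.
verify() {
    [ -n "$(ip netns exec $WAN_A ss -Hlun "sport = :$PORT_A")" ] || return 1
    [ -z "$(ip netns exec $VRF_A ss -Hlun "sport = :$PORT_A")" ] || return 1
    ip netns exec $VRF_A ping -c 2 -W 2 192.0.3.2 > /dev/null
}

cleanup() {
    for ns in $WAN_A $WAN_B $VRF_A $VRF_B; do
        ip netns del "$ns" 2> /dev/null || true
    done
    if [ -n "$KEYDIR" ]; then rm -rf "$KEYDIR"; fi
}

case "${1:-}" in
    run)
        trap cleanup EXIT
        setup
        verify && echo "tunnel up; UDP socket lives in $WAN_A, wg0 in $VRF_A"
        ;;
esac
```

Run it as root with `sh wg-netns-demo.sh run`; `ss -lun` inside wan-a lists port 13231 while the same command inside vrf-a shows nothing, which is the separation the post is looking for and reports RouterOS 7.2.3 VRFs not providing. The same creation-then-move trick works against a real uplink interface instead of the veth pair.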