kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Connect router to VPN service, and then also allow WAN devices to connect to the router via Wireguard

Fri Aug 12, 2022 9:52 pm

I'm running RB750Gr3, fw 7.4.1

My conundrum
In short: how can I set up the router to connect to
1. an external VPN service, such as NordVPN, ExpressVPN or OVPN, to effectively give everyone on my LAN a VPN connection, in- and outbound,
and then also
2. allow devices outside my LAN (for example when I am at work, or commuting to/from work) to connect home to my router using Wireguard, get full LAN access, and then also get the same VPN connection on the WAN side as LAN devices do?

This is a private home setup.
My network infrastructure looks like this:
Fiber 1Gb/s > ISP-modem > MikroTik RB750Gr3 > Ethernet-connected WiFi access point (to which all client devices such as phones, laptops and media players connect)
The RB750Gr3 defines a LAN, runs the DHCP server, and hands out IP addresses to devices in my home.

I already have the wg setup, and I have full LAN access when I'm away from home using my phone to connect to home using
IP\Cloud\DNS name\ [xxx].sn.mynetname.net
GREAT.

Is the rest possible to achieve?
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connect router to VPN service, and then also allow WAN devices to connect to the router via Wireguard

Sat Aug 13, 2022 2:10 am

Should be.
Can you post your current MT config.
/export
just ensure there is no actual WAN IP or gateway information or keys showing etc........

The key will be on your remote device be it laptop or iphone etc......
the allowed IPs will have to expand to 0.0.0.0/0 so the remote device accepts your attempts to enter the tunnel
with more than just the subnet IPs at the router or the wireguard address at the router.

Then, at the router, you will need to ensure that traffic coming out of the tunnel from your device at the router is
a. allowed to hit the subnets (me thinks you have this working)
b. allowed to go out the VPN tunnel. Not exactly sure on this.........would be easy peasy if it was all wireguard......
c. routing to ensure your traffic returning from the VPN tunnel knows where to go; clearly from the subnets that's already working.

Seeing the export will help get an appreciation of the task at hand.
 
kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Re: Connect router to VPN service, and then also allow WAN devices to connect to the router via Wireguard

Sat Aug 13, 2022 3:42 pm

Hi Anav
Is it safe to share MAC addresses, as shown in /export?
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connect router to VPN service, and then also allow WAN devices to connect to the router via Wireguard

Sat Aug 13, 2022 4:08 pm

I personally delete them from my configs, not relevant 99% of the time.
 
kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Re: Connect router to VPN service, and then also allow WAN devices to connect to the router via Wireguard

Sun Aug 14, 2022 6:36 pm

Should be.
Can you post your current MT config.
/export
just ensure there is no actual WAN IP or gateway information or keys showing etc........
# aug/13/2022 08:57:16 by RouterOS 7.4.1
# software id = M2VH-09C3
#
# model = RB750Gr3
# serial number = [redacted]
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-port-Drosk-ISP-Modem
set [ find default-name=ether2 ] comment=LAN-Drosk-Switch
set [ find default-name=ether3 ] comment=LAN-Droskv-MR60-AP
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d \
    wed=0s-1d
/ip pool
add name=dhcp ranges=10.0.0.90-10.0.0.200
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-script=":local DHCPtag\r\
    \n:set DHCPtag \"#DHCP\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  :local ttl\r\
    \n  :local domain\r\
    \n  :local hostname\r\
    \n  :local fqdn\r\
    \n  :local leaseId\r\
    \n  :local comment\r\
    \n\r\
    \n  /ip dhcp-server\r\
    \n  :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network \r\
    \n  :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  \r\
    \n  .. lease\r\
    \n  :set leaseId [ find address=\$leaseActIP ]\r\
    \n\r\
    \n# Check for multiple active leases for the same IP address. It's weird a\
    nd it shouldn't be, but just in case.\r\
    \n\r\
    \n  :if ( [ :len \$leaseId ] != 1) do=\\\r\
    \n  {\r\
    \n   :log info \"DHCP2DNS: not registering domain name for address \$lease\
    ActIP because of multiple active leases for \$leaseActIP\"\r\
    \n   :error \"multiple active leases for \$leaseActIP\"\r\
    \n  }  \r\
    \n\r\
    \n  :set hostname [ get \$leaseId host-name ]\r\
    \n  :set comment [ get \$leaseId comment ]\r\
    \n  /\r\
    \n\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
    \n\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty lease host-name or comment\"\r\
    \n    :error \"empty lease host-name or comment\"\r\
    \n  }\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty network domain name\"\r\
    \n    :error \"empty network domain name\"\r\
    \n  }\r\
    \n\r\
    \n  :set fqdn \"\$hostname.\$domain\"\r\
    \n  \r\
    \n  /ip dns static\r\
    \n  :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
    no ] ] = 0 ) do=\\\r\
    \n  {\r\
    \n    :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
    ess \$leaseActIP with ttl \$ttl\"\r\
    \n    add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
    abled=no\r\
    \n  } else=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
    s \$leaseActIP because of existing active static DNS entry with this name \
    or address\" \r\
    \n  }\r\
    \n  /\r\
    \n} \\\r\
    \nelse=\\\r\
    \n{\r\
    \n  /ip dns static\r\
    \n  :local dnsDhcpId \r\
    \n  :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
    \n\r\
    \n  :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\r\
    \n  {\r\
    \n    :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
    easeActIP\"\r\
    \n    remove \$dnsDhcpId\r\
    \n  }\r\
    \n  /\r\
    \n}" lease-time=6m name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,\
    !write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!dude,!rest\
    -api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.0.10.10/32 comment="P30 Andreas first try" \
    endpoint-address=10.0.0.1 endpoint-port=13231 interface=wireguard1 \
    public-key="[redacted]"
add allowed-address=10.0.10.3/32 interface=wireguard1 public-key=\
    "[redacted]"
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=10.0.10.1/24 interface=wireguard1 network=10.0.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.0.0.43 address-lists=Blocked comment="[redacted] Ledlight" mac=[redacted] server=defconf
add address=10.0.0.42 address-lists=Blocked comment="[redacted] Ledlight" mac=[redacted] server=defconf
add address=10.0.0.40 address-lists=Blocked comment="[redacted] ledlight" mac=[redacted] server=defconf
add address=10.0.0.45 address-lists=Blocked comment="[redacted] nere" mac=[redacted] server=defconf
add address=10.0.0.41 address-lists=Blocked comment="[redacted] ledlight" mac=[redacted] server=defconf
add address=10.0.0.38 client-id=[redacted] comment="Eufycam [redacted]" mac=[redacted] server=defconf
add address=10.0.0.3 client-id=[redacted] comment=MR60 mac-address=\
    [redacted] server=defconf
add address=10.0.0.55 client-id=[redacted] comment="Nvidia Shield TV" \
    mac=[redacted] server=defconf
add address=10.0.0.15 client-id=[redacted] comment="surfplatta, stor\?" \
    mac=[redacted] server=defconf
add address=10.0.0.12 client-id=[redacted] comment=Ebba mac-address=\
    [redacted] server=defconf
add address=10.0.0.13 client-id=[redacted] comment=\
    "[redacted] telefon" mac=[redacted] server=defconf
add address=10.0.0.53 client-id=[redacted] comment="Sonos Vardagsrum" \
    mac=[redacted] server=defconf
add address=10.0.0.52 client-id=[redacted] comment="Sonos TV-rum" \
    mac=[redacted] server=defconf
add address=10.0.0.14 client-id=[redacted] comment="[redacted] telefon" \
    mac=[redacted] server=defconf
add address=10.0.0.51 comment="Sonos Kok" mac=[redacted] \
    server=defconf
add address=10.0.0.37 client-id=[redacted] comment=HomeBase2 \
    mac=[redacted] server=defconf
add address=10.0.0.11 client-id=[redacted] comment=Sofie mac-address=\
    [redacted] server=defconf
add address=10.0.0.10 client-id=[redacted] comment=Andreas \
    mac=[redacted] server=defconf
add address=10.0.0.16 mac=[redacted] server=defconf
add address=10.0.0.56 client-id=[redacted] mac-address=\
    [redacted] server=defconf
add address=10.0.0.17 mac=[redacted] server=defconf
add address=10.0.0.60 client-id=[redacted] comment=\
    "[redacted] laptop wifi" mac=[redacted] server=defconf
add address=10.0.0.18 client-id=[redacted] comment="[redacted] iPhone" \
    mac=[redacted] server=defconf
add address=10.0.0.61 client-id=[redacted] comment=\
    "[redacted] laptop wi-fi" mac=[redacted] server=defconf
add address=10.0.0.19 client-id=[redacted] mac-address=\
    [redacted] server=defconf
add address=10.0.0.20 client-id=[redacted] comment="[redacted] iPad3" \
    mac=[redacted] server=defconf
add address=10.0.0.21 client-id=[redacted] comment="[redacted] iPad4" \
    mac=[redacted] server=defconf
add address=10.0.0.62 client-id=[redacted] comment=\
    "[redacted]Skoldator" mac=[redacted] server=defconf
add address=10.0.0.57 client-id=[redacted] mac-address=\
    [redacted] server=defconf
add address=10.0.0.6 comment="hp wifi printer" mac=[redacted] \
    server=defconf
add address=10.0.0.35 comment=Tellstick mac=[redacted] server=\
    defconf
add address=10.0.0.4 client-id=[redacted] comment="MS60 WiFi AP" \
    mac=[redacted] server=defconf
add address=10.0.0.9 client-id=[redacted] comment=\
    "[redacted]" mac=[redacted] server=defconf
add address=10.0.0.36 client-id=[redacted] comment=\
    "[redacted]VM - Home Assistant" mac=[redacted] server=defconf
add address=10.0.0.5 comment="Tibber Pulse" mac=[redacted] \
    server=defconf
add address=10.0.0.22 client-id=[redacted] comment="iPhone Elsa" \
    mac=[redacted] server=defconf
add address=10.0.0.23 client-id=[redacted] comment="ipad Elsa" \
    mac=[redacted] server=defconf
add address=10.0.0.7 comment="Easee EV Charger Uppfart" mac-address=\
    [redacted] server=defconf
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.31 domain=drosk \
    gateway=10.0.0.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
add address=10.0.0.33 comment=#DHCP name=homeassistant.drosk ttl=6m
add address=10.0.0.4 comment=#DHCP name=MS60.drosk ttl=6m
add address=10.0.0.52 comment=#DHCP name=SonosZP.drosk ttl=6m
add address=10.0.0.53 comment=#DHCP name=SonosZP.drosk ttl=6m
add address=10.0.0.42 comment=#DHCP name=.drosk ttl=6m
add address=10.0.0.40 comment=#DHCP name=.drosk ttl=6m
add address=10.0.0.45 comment=#DHCP name=.drosk ttl=6m
add address=10.0.0.41 comment=#DHCP name=.drosk ttl=6m
add address=10.0.0.5 comment=#DHCP name=Pulse.drosk ttl=6m
add address=10.0.0.35 comment=#DHCP name= \
    ttl=6m
add address=10.0.0.3 comment=#DHCP name=MR60.drosk ttl=6m
add address=10.0.0.55 comment=#DHCP name="Nvidia Shield TV.drosk" ttl=6m
add address=10.0.0.51 comment=#DHCP name=SonosZP.drosk ttl=6m
add address=10.0.0.37 comment=#DHCP name=HomeBase2.drosk ttl=6m
add address=10.0.0.36 comment=#DHCP name=homeassistant.drosk ttl=6m
add address=10.0.0.7 comment=#DHCP name=Easee-Home.drosk ttl=6m
add address=10.0.0.11 comment=#DHCP name= ttl=6m
add address=10.0.0.10 comment=#DHCP name=asd.drosk ttl=\
    6m
add address=10.0.0.38 comment=#DHCP name="[redacted].drosk" ttl=6m
add address=10.0.0.56 comment=#DHCP name=[redacted]TV.drosk ttl=6m
add address=10.0.0.60 comment=#DHCP name=[redacted]ASUS.drosk ttl=6m
/ip firewall address-list
add address=123.123.123.123 disabled=yes list=WANs
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=WireguardDrosken dst-port=13231 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=wg dst-port=51845 in-interface-list=\
    WAN protocol=udp to-addresses=10.0.0.31 to-ports=51845
add action=dst-nat chain=dstnat comment=piholeNAT1 dst-address=!10.0.0.31 \
    dst-port=53 in-interface=bridge protocol=udp src-address=!10.0.0.31 \
    to-addresses=10.0.0.31
add action=dst-nat chain=dstnat comment=piholeNAT2 dst-address=!10.0.0.31 \
    dst-port=53 in-interface=bridge protocol=tcp src-address=!10.0.0.31 \
    to-addresses=10.0.0.31
add action=masquerade chain=srcnat comment=piholeNAT3 dst-address=10.0.0.31 \
    dst-port=53 protocol=udp src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment=piholeNAT4 dst-address=10.0.0.31 \
    dst-port=53 protocol=tcp src-address=10.0.0.0/24
add action=dst-nat chain=dstnat comment="home google" dst-port=8123 protocol=\
    tcp to-addresses=10.0.0.36 to-ports=8123
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip kid-control device
add mac=[redacted] name="RpiZEthernet;4"
add mac=[redacted] name="homeassistant;4"

/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Stockholm
/system scheduler
add disabled=yes interval=1m name=PingCheckPiDNS on-event=":local piholeDNS \"\
    10.0.0.31\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n\r\
    \n:if ([/ip firewall nat [find comment=\"piholeNAT1\"] enabled]) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n\t\t/ip firewall nat disable [find comment=\"piholeNAT1\"]\r\
    \n\t\t/ip firewall nat disable [find comment=\"piholeNAT2\"]\r\
    \n\t\t/ip firewall nat disable [find comment=\"piholeNAT3\"]\r\
    \n\t\t/ip firewall nat disable [find comment=\"piholeNAT4\"]\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n\t\t/ip firewall nat enable [find comment=\"piholeNAT1\"]\r\
    \n\t\t/ip firewall nat enable [find comment=\"piholeNAT2\"]\r\
    \n\t\t/ip firewall nat enable [find comment=\"piholeNAT3\"]\r\
    \n\t\t/ip firewall nat enable [find comment=\"piholeNAT4\"]\r\
    \n    } on-error={}\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/06/2021 start-time=18:56:53
/system script
add dont-require-permissions=no name=script1 owner=andi policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    test
add dont-require-permissions=no name=leasescript001 owner=andi policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local DHCPtag\r\
    \n:set DHCPtag \"#DHCP\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\
    \r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n  :local ttl\r\
    \n  :local domain\r\
    \n  :local hostname\r\
    \n  :local fqdn\r\
    \n  :local leaseId\r\
    \n  :local comment\r\
    \n\r\
    \n  /ip dhcp-server\r\
    \n  :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n  network \r\
    \n  :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n  \r\
    \n  .. lease\r\
    \n  :set leaseId [ find address=\$leaseActIP ]\r\
    \n\r\
    \n# Check for multiple active leases for the same IP address. It's weird a\
    nd it shouldn't be, but just in case.\r\
    \n\r\
    \n  :if ( [ :len \$leaseId ] != 1) do=\\\r\
    \n  {\r\
    \n   :log info \"DHCP2DNS: not registering domain name for address \$lease\
    ActIP because of multiple active leases for \$leaseActIP\"\r\
    \n   :error \"multiple active leases for \$leaseActIP\"\r\
    \n  }  \r\
    \n\r\
    \n  :set hostname [ get \$leaseId host-name ]\r\
    \n  :set comment [ get \$leaseId comment ]\r\
    \n  /\r\
    \n\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
    \n\r\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty lease host-name or comment\"\r\
    \n    :error \"empty lease host-name or comment\"\r\
    \n  }\r\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name for address \$lea\
    seActIP because of empty network domain name\"\r\
    \n    :error \"empty network domain name\"\r\
    \n  }\r\
    \n\r\
    \n  :set fqdn \"\$hostname.\$domain\"\r\
    \n  \r\
    \n  /ip dns static\r\
    \n  :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=\
    no ] ] = 0 ) do=\\\r\
    \n  {\r\
    \n    :log info \"DHCP2DNS: registering static domain name \$fqdn for addr\
    ess \$leaseActIP with ttl \$ttl\"\r\
    \n    add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag dis\
    abled=no\r\
    \n  } else=\\\r\
    \n  {\r\
    \n    :log error \"DHCP2DNS: not registering domain name \$fqdn for addres\
    s \$leaseActIP because of existing active static DNS entry with this name \
    or address\" \r\
    \n  }\r\
    \n  /\r\
    \n} \\\r\
    \nelse=\\\r\
    \n{\r\
    \n  /ip dns static\r\
    \n  :local dnsDhcpId \r\
    \n  :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
    \n\r\
    \n  :if ( [ :len \$dnsDhcpId ] > 0 ) do=\\\r\
    \n  {\r\
    \n    :log info \"DHCP2DNS: removing static domain name(s) for address \$l\
    easeActIP\"\r\
    \n    remove \$dnsDhcpId\r\
    \n  }\r\
    \n  /\r\
    \n}"
/system watchdog
set automatic-supout=no ping-start-after-boot=0ms ping-timeout=2m \
    send-email-from=[redacted]@gmail.com send-email-to=\
    [redacted]@gmail.com send-smtp-server=smtp.gmail.com watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connect router to VPN service, and then also allow WAN devices to connect to the router via Wireguard

Sun Aug 14, 2022 7:22 pm

Just lost a 30min entry :-(

Couple of sticking points: the endpoint address on the router makes no sense, can you please explain why it's your own bridge address?

You state you want all traffic from the bridge LAN on the router to go out OVPN for internet.
You state you want you, the admin, to access the router, to also go out OVPN for internet and also access the bridge LAN.

All relatively straightforward maybe (it's not clear what your OVPN VPN faux IP address is, or VPN subnet etc....). What was provided by this third party provider??

+++++++++++++

Problems will arise because it also appears you have local servers on the bridge LAN which people coming in on the local WAN connection will be accessing, YES/NO?
Are there local users, or you the admin, also wanting access to the server, YES/NO?
And if so how, direct LAN IP address??

The problem with routing is that it's much more challenging to attempt to send people every which way for traffic.............. If you send all LAN bridge traffic out OVPN then likely any server traffic will also go out the OVPN and not back out the local WAN, for example. Means we have to pay attention more carefully to what the real requirements are.
You may be getting to the point where it's smarter to put the servers on their own subnet, for example. Much easier to deal with then.
 
kaherdin
newbie
Topic Author
Posts: 32
Joined: Sat Nov 20, 2021 7:47 am

Re: Connect router to VPN service, and then also allow WAN devices to connect to the router via Wireguard

Sun Aug 14, 2022 11:24 pm

My setup is a modification of the default settings.
The only LAN I currently run is a 10.0.0.0/24 where all devices at home get addresses.
The wg setup is for the devices connecting from outside the home. When connected they are given a 10.0.10.0/24 address. I followed a tutorial for this setup also.

On the LAN I have one home server, smart home devices, media players, etc.
If there is a way, in a simple, step-by-step manner, to explain/guide me to scrub this setup and start over with a new one, to be able to create what I stated in the OP, I would be very grateful.
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Connect router to VPN service, and then also allow WAN devices to connect to the router via Wireguard

Tue Aug 16, 2022 4:14 pm

No need to give anyone coming in a specific address.... when entering the home LAN.
If it's a subnet coming in from another router, you have the subnet as an allowed IP in the home router for that peer, as well as the wireguard address/32 of the other device.
If it's a single user coming in on a laptop or iPhone for example, then their IP is a wireguard IP address /32, on the same wireguard subnet as the home router, as an allowed IP for that peer.

Ensure you have firewall rules that allow in-interface=wireguard dst-address=homelan subnet in the forward chain.
For routing, if it's single users, their route back will be auto-created <dac>; if it's a subnet from a remote LAN that needs
a. for you to access
b. or to return traffic to remote users,
then simply
add address=remotesubnet gwy=wireguard table=main.
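The pieces anav describes in the reply above (a /32 allowed-address per road-warrior peer, a remote subnet plus /32 for a site-to-site peer, a forward rule for in-interface=wireguard, and a static route back to the remote subnet) and in the first reply (the remote device's AllowedIPs widened to 0.0.0.0/0, traffic leaving the tunnel allowed onward to the VPN provider, and return routing), combined into one RouterOS 7 command set. This is an added example, not code from the thread or from MikroTik. It assumes the subnets from the posted export (bridge LAN 10.0.0.0/24, wireguard1 10.0.10.0/24) and constructs everything else: the peer addresses 10.0.10.10/32 and 10.0.10.20/32, the remote-site LAN 192.168.50.0/24, a second WireGuard interface named wg-provider pointed at a WireGuard-based VPN provider, the provider-assigned address 10.64.0.2/32, the endpoint vpn.example.net, and the routing table name via-vpn. The keys are placeholders. It goes further than the posts in that it also shows the policy routing that pushes both LAN and tunnel-client traffic out through the provider, which the thread names as the goal but does not spell out.

```routeros
# Added example, not from the thread or from MikroTik. RouterOS 7.x syntax.
# Assumed from the posted export: bridge LAN 10.0.0.0/24, wireguard1 10.0.10.0/24.
# Everything else (peer IPs, 192.168.50.0/24, wg-provider, 10.64.0.2/32,
# vpn.example.net, via-vpn) is constructed; *-PLACEHOLDER keys must be replaced.

# --- 1. Peers entering the home router on the existing wireguard1 ---
# Single device: allowed-address is only its tunnel IP as a /32. No endpoint is
# set on the home side; the phone/laptop initiates and the router just listens.
# On that device, AllowedIPs must be 0.0.0.0/0 so it pushes all traffic in.
/interface wireguard peers
add interface=wireguard1 comment="road-warrior phone" \
    allowed-address=10.0.10.10/32 public-key="PHONE-PUBLIC-KEY-PLACEHOLDER"
# Remote site (another router): its tunnel IP /32 plus the LAN behind it.
add interface=wireguard1 comment="remote site" \
    allowed-address=10.0.10.20/32,192.168.50.0/24 \
    public-key="SITE-PUBLIC-KEY-PLACEHOLDER"

# Route back to the remote site's LAN. Single /32 users need no route: the
# router's own 10.0.10.0/24 on wireguard1 is already a connected (DAC) route.
/ip route
add dst-address=192.168.50.0/24 gateway=wireguard1 routing-table=main

# Forward rule: tunnel clients may reach the home LAN. Placed ahead of the
# default "drop all from WAN not DSTNATed" rule so it is evaluated first.
/ip firewall filter
add chain=forward action=accept in-interface=wireguard1 dst-address=10.0.0.0/24 \
    comment="wg clients -> home LAN" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# --- 2. Outbound tunnel to the VPN provider (WireGuard-based provider) ---
/interface wireguard
add name=wg-provider private-key="PROVIDER-ISSUED-PRIVATE-KEY-PLACEHOLDER"
/interface wireguard peers
add interface=wg-provider endpoint-address=vpn.example.net endpoint-port=51820 \
    public-key="PROVIDER-PUBLIC-KEY-PLACEHOLDER" allowed-address=0.0.0.0/0 \
    persistent-keepalive=25s comment="VPN provider"
/ip address
add address=10.64.0.2/32 interface=wg-provider comment="provider-assigned (constructed)"

# --- 3. Policy routing: LAN and road-warrior sources leave via the provider ---
# A separate FIB table whose only route is the default via wg-provider.
/routing table
add name=via-vpn fib
/ip route
add dst-address=0.0.0.0/0 gateway=wg-provider routing-table=via-vpn

# Rules are evaluated top to bottom. The first two keep home-LAN <-> tunnel
# traffic on the main table, where the connected routes live; the last two
# send everything else from those sources into via-vpn and nowhere else.
/routing rule
add dst-address=10.0.0.0/24 action=lookup table=main comment="local LAN stays main"
add dst-address=10.0.10.0/24 action=lookup table=main comment="wg clients stay main"
add src-address=10.0.0.0/24 action=lookup-only-in-table table=via-vpn
add src-address=10.0.10.0/24 action=lookup-only-in-table table=via-vpn

# Hide LAN and tunnel-client sources behind the provider-assigned address.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=wg-provider comment="masq via provider"
```

Two things the ordering above relies on. Router-originated packets (the WireGuard handshakes to vpn.example.net, and the router's replies to road-warrior endpoints on the public internet) carry the WAN address as source, match none of the src-address rules, and so keep using the main table and the ISP default route; without that, the tunnel that carries the tunnel would try to route through itself. And lookup-only-in-table, rather than lookup, means that if wg-provider goes down the LAN and client traffic is dropped instead of silently falling back to the plain WAN, which is the behaviour you want when the whole point is that nothing leaves unencrypted.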
