Amplificator
just joined
Topic Author
Posts: 1
Joined: Wed Aug 17, 2022 1:57 am

Route FTP through WireGuard

Wed Aug 17, 2022 2:00 am

Hi.

I have tried setting up WireGuard (which seems to work) and I'm now trying to create a route for only FTP traffic to go through it - can this be done?

I have fiddled with mangle and routes but never got any of it to work, can someone please give me a helping hand?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route FTP through WireGuard

Wed Aug 17, 2022 3:48 am

Sure, provide a network diagram showing the devices in play.
Which device is the listening device for the connection?
Where is the FTP server located, etc.?
Provide config for the MT devices.

A basic example is provided...
FTP is like any other service so nothing overly special. Create the tunnel properly using WireGuard parameters.
Then ensure the firewall rules match needs/intention and then ensure routing exists for the traffic to move.

More detail here: viewtopic.php?t=182340
++++++++++++++++++++++++++++++++++

Ex: MT Router WANIP is x.y.w.z with LAN subnet of 192.168.5.0/24 and FTP server at 192.168.5.25/32
Ex: MT other Device with LAN subnet of 192.168.10.0/24
Ex: IOS device

Main MT router
wireguard interface name=ftpwireguard
listening port=15555
PUBLIC Key for all peers................
ip address=10.10.10.1/24 interface=ftpwireguard
+++++++++++++++++++
peer1 settings interface name=ftpwireguard (pulldown menu), Allowed IPs=10.10.10.2/32, 192.168.10.0/24 public key=FROM other MT device
peer2 settings interface name=ftpwireguard (pulldown menu), Allowed IPs=10.10.10.3/32 public key=from IOS device

OTHER MT DEVICE (peer1)
wireguard interface name=wireguard1
Public Key ------ TO GIVE TO MT ROUTER for peer settings.
ip address=10.10.10.2/24 interface=wireguard1

Peer Settings
wg name, pull down choice of wireguard1
Public Key -- From MT router.
Endpoint=x.y.w.z (or dyndns url)
Endpoint port=15555
Allowed address=10.10.10.0/24, 192.168.5.0/24
Persistent keep alive=25 secs

IOS DEVICE (peer2)
wireguard name = ioswireguard2
public key --> From MT Router
Address=10.10.10.3/32
DNS Server: 10.10.10.1

Peer Settings
Public Key TO GIVE TO MT ROUTER
Endpoint=x.y.w.z (or dyndns url)
Endpoint port=15555
Allowed address=10.10.10.0/24, 192.168.5.0/24
Persistent keep alive=25 secs
+++++++++++++++++++++++++++++++++++++++++++++++++

Firewall rules:
ensure traffic exiting the tunnel into a router locally from remote users is allowed to go where it needs to go
ensure traffic entering the tunnel originating from local users is allowed to do so

Routing rules:
ensure traffic originating on a device has a path/route to enter the tunnel
ensure remote traffic has a return path/route back through the tunnel
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route FTP through WireGuard

Wed Aug 17, 2022 6:28 am

Unfortunately, FTP is special, because unlike more modern protocols, it uses separate connections for each data transfer (download, upload, directory listing), so working with them can be tricky. It depends on what you want to do. Hosting an FTP server accessible via a WG tunnel would be mostly OK. Having a WG tunnel for outgoing connections to random FTP servers would be highly problematic. It may work with unencrypted FTP, if data connections inherit connection marks (I don't remember if they do and I can't test it right now). But with encrypted FTP, no way. You'd have to work with addresses, but if any other service used the same address, it would go via the tunnel too.
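
The separate data connections described in the post above, as an added example that is not part of the original thread: a Python sketch of what a router can learn from the FTP control channel. The server address, port numbers and session lines are constructed sample data; the 227, 229 and 234 reply formats follow RFC 959, RFC 2428 and RFC 4217.

```python
import re

# 227 reply (RFC 959): "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 reply (RFC 2428): "229 Entering Extended Passive Mode (|||port|)"
EPSV = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoint(reply, server_ip):
    """Return the (ip, port) a passive-mode reply announces, or None."""
    m = PASV.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV.match(reply)
    if m:
        # EPSV carries only a port; the address is that of the control connection.
        return (server_ip, int(m.group(1)))
    return None


def expected_data_flows(server_replies, server_ip):
    """List the data connections visible to a device watching the control channel.

    Once the server accepts AUTH TLS (reply 234), every later reply is
    ciphertext, so the ports chosen for data transfers can no longer be read.
    """
    flows = []
    for raw in server_replies:
        line = raw.decode("ascii", errors="replace").strip()
        if line.startswith("234"):
            break  # control channel is encrypted from here on
        endpoint = data_endpoint(line, server_ip)
        if endpoint:
            flows.append(endpoint)
    return flows


SERVER = "203.0.113.10"  # constructed documentation address
PLAINTEXT = [b"220 ready", b"230 logged in",
             b"227 Entering Passive Mode (203,0,113,10,195,203)",
             b"229 Entering Extended Passive Mode (|||50124|)"]
# Constructed: after 234 the router sees only TLS records, not the 227 reply inside.
ENCRYPTED = [b"220 ready", b"234 AUTH TLS ok", b"\x17\x03\x03\x00\x30" + bytes(48)]

if __name__ == "__main__":
    print("plaintext:", expected_data_flows(PLAINTEXT, SERVER))
    print("encrypted:", expected_data_flows(ENCRYPTED, SERVER))
```

A rule that matches only destination port 21 covers the control connection; the data connections go to the dynamically chosen ports listed for the plaintext session, and none can be identified for the encrypted one.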
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route FTP through WireGuard

Wed Aug 17, 2022 2:04 pm

Good points by Sob that I didn't think about. I was strictly thinking that you were hosting an FTP server on the MikroTik router and were having users from other devices access this FTP server via WireGuard...
