I've been trying to experiment with some different WireGuard VPN providers and have been having difficulty with getting things working properly.
Mullvad works exactly as expected when entering the configuration details.
Prior to SurfShark I tried to use NordLynx (hack and slash to get it working on Linux first) and whilst I could browse the web I had some weird issues with Android push notifications not working for things like Gmail and Discord (although NordLynx worked fine using exactly the same config through the WireGuard app on my phone).
More recently I have been trying to get SurfShark working with mixed results (although, again, fine with the WireGuard Android app). It wouldn't even allow me to connect until adding new-mss=clamp-to-pmtu, which wasn't required for Mullvad or NordLynx. I have changed nothing in my configuration since switching from Mullvad, with the exception of the MSS setting, the IP address of the interface, the DNS address and the endpoint IP / public key etc.
Since changing the MSS setting I am now "connected" through SurfShark and can browse the web; however, the "upload" portion appears to be broken: speed tests indicate that my upload speed is 0Mbps, and if I watch the WireGuard interface during a speedtest my Tx rate sits at 6-15Kbps.
I have noticed that the only way I can get my upload speed back to normal is by adding a routing rule for the destination address of my WG provider clients subnet to use the main routing table:
dst-address=192.168.5.0/24 action=lookup-only-in-table table=main
Surely I shouldn't need anything like this with srcnat?!
Both NordLynx and SurfShark work absolutely fine with the WireGuard Android app using identical interface / peer configs as the router, yet not with my configuration on my Mikrotik Router.
Can anybody help me with troubleshooting what exactly is going on here? I'd really appreciate it.
My current setup:
Routing rule for src-address 192.168.5.0/24 to only use the wg_provider table
Routing rule for dst-address 192.168.1.0/24 to only use the main table, so clients using the wg_provider routing table can still get back to the LAN
Firewall rule allowing the interface list containing this subnet to forward out through wg0
srcnat masq rule for WAN interface list (wg0 is in this list)
Here's my config:
# RouterOS export as posted by the author. Values shown as XXXX / xxxx are
# redactions (keys, endpoint, PPPoE credentials, provider-assigned addresses),
# not literal configuration.
/interface bridge
add admin-mac=XXXX auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
# wg0: outbound tunnel to the VPN provider (its peer below allows 0.0.0.0/0,::/0).
# wg1: inbound tunnel for the author's own remote peer; UDP 13231 is opened in
# the IPv4 input chain further down. wg0's listen-port needs no input rule because
# the router initiates that session and replies match established/related.
/interface wireguard
add listen-port=61468 mtu=1420 name=wg0
add listen-port=13231 mtu=1420 name=wg1
/interface vlan
add interface=bridge name=vlan91 vlan-id=91
add interface=bridge name=vlan92 vlan-id=92
add interface=bridge name=vlan95 vlan-id=95
add interface=bridge name=vlan100 vlan-id=100
# add-default-route=yes: the main table's default route comes from PPPoE, so
# main never points at wg0 (only the connected route from /ip address does).
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=\
XXXX service-name=internet user=\
XXXX
# Interface lists drive the whole firewall: the memberships assigned under
# /interface list member decide which input/forward/NAT rules apply.
/interface list
add name=WAN
add name=LAN
add name=WG_VPN_Provider_Clients
add name=UNTRUSTED_LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=bridge ranges=192.168.88.100-192.168.88.199
add name=vlan92 ranges=192.168.2.100-192.168.2.199
add name=vlan93 ranges=192.168.3.100-192.168.3.199
add name=vlan94 ranges=192.168.4.100-192.168.4.199
add name=vlan95 ranges=192.168.5.100-192.168.5.199
add name=vlan91 ranges=192.168.1.100-192.168.1.199
add name=rescue ranges=192.168.89.100-192.168.89.199
/ip dhcp-server
add address-pool=bridge interface=bridge name=bridge
add address-pool=vlan95 interface=vlan95 name=vlan95
add address-pool=vlan92 interface=vlan92 name=vlan92
add address-pool=vlan91 interface=vlan91 name=vlan91
add address-pool=rescue interface=ether8 name=rescue
# Separate FIB for the provider path. Its only route is the default via wg0
# (see /ip route). The routing rule that sends vlan95 here uses
# lookup-only-in-table, so a destination with no match in this table is not
# retried in main -- that is the intended kill-switch behaviour.
/routing table
add fib name=wg_provider
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=91
add bridge=bridge comment=defconf interface=ether3 pvid=91
add bridge=bridge comment=defconf interface=ether4 pvid=91
add bridge=bridge comment=defconf interface=ether5 pvid=91
add bridge=bridge comment=defconf interface=ether6 pvid=91
add bridge=bridge comment=defconf interface=ether7 pvid=95
add bridge=bridge comment=defconf interface=sfp-sfpplus1 pvid=91
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 untagged=ether7 vlan-ids=95
add bridge=bridge tagged=bridge,ether3 vlan-ids=92
add bridge=bridge tagged=bridge untagged=\
ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=91
# Membership notes (security-relevant):
#  - wg0 is in WAN: provider-side traffic is subject to the "drop all from WAN
#    not DSTNATed" rule and is masqueraded on the way out, same as PPPoE.
#  - wg1 is in LAN: remote peers on wg1 get the same input-chain access as wired
#    LAN hosts (router services incl. DNS and management). Confirm this is intended.
#  - vlan95 is only in WG_VPN_Provider_Clients, never in LAN, so its forward
#    access is limited to the wg0 rule plus the two Steam rules in the filter.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=XXXXPPPOEXXXX list=WAN
add interface=vlan95 list=WG_VPN_Provider_Clients
add interface=wg0 list=WAN
add interface=vlan91 list=LAN
add interface=vlan92 list=UNTRUSTED_LAN
add interface=wg1 list=LAN
add interface=ether8 list=LAN
# Provider peer: allowed-address 0.0.0.0/0,::/0 means WireGuard accepts any inner
# source address arriving through wg0; filtering of that traffic is entirely up to
# the firewall, which is why wg0 belongs to the WAN list.
# Home peer: pinned to a single /32, so only that inner address is accepted on wg1.
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=XXXXENDPOINTXXXX \
endpoint-port=51820 interface=wg0 public-key=\
"XXXXPUBKEYXXXX"
add allowed-address=192.168.10.2/32 interface=wg1 public-key=\
"XXXXPUBKEYXXXX"
/ip address
add address=192.168.88.1/24 comment="bridge default" interface=bridge \
network=192.168.88.0
add address=192.168.5.1/24 interface=vlan95 network=192.168.5.0
add address=192.168.2.1/24 interface=vlan92 network=192.168.2.0
add address=192.168.10.1/24 interface=wg1 network=192.168.10.0
# NOTE(review): a /16 here installs a connected route for the whole /16 via wg0 in
# the main table. Confirm the provider really assigns a /16 and not a /32.
add address=xxxx/16 interface=wg0 network=xxxx
add address=192.168.0.1/24 interface=ether1 network=192.168.0.0
add address=192.168.1.1/24 interface=vlan91 network=192.168.1.0
add address=192.168.89.1/24 comment="rescue port" interface=ether8 network=\
192.168.89.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# vlan95 clients are handed the (redacted) provider DNS servers, not the router,
# so their DNS is expected to travel inside the tunnel like the rest of their traffic.
/ip dhcp-server network
add address=192.168.1.0/24 comment=vlan91 dns-server=1.1.1.1,1.0.0.1 gateway=\
192.168.1.1 netmask=24
add address=192.168.2.0/24 comment=vlan92 dns-server=1.1.1.1,1.0.0.1 gateway=\
192.168.2.1
add address=192.168.5.0/24 comment=vlan95 dns-server=\
XXXX,XXXX gateway=192.168.5.1 netmask=24
add address=192.168.88.0/24 comment=bridge dns-server=1.1.1.1,1.0.0.1 \
gateway=192.168.88.1
add address=192.168.89.0/24 comment=rescue dns-server=1.1.1.1,1.0.0.1 \
gateway=192.168.89.1 netmask=24
# allow-remote-requests=yes makes the router answer DNS for anything that reaches
# the input chain. It is not an open resolver towards PPPoE/wg0 only because the
# IPv4 input chain ends in an unconditional drop after the LAN accept.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.10 list="Main PC"
# IPv4 filter. Input: established/related, ICMP, loopback, wg1 port, LAN, drop.
# Forward: ipsec, fasttrack, established/related, invalid, WAN-not-DSTNATed drop,
# per-list accepts, drop. Order is significant.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Handshake port for wg1 only; unauthenticated packets are cheap for WireGuard
# to discard, so exposing it on all interfaces is the usual trade-off.
add action=accept chain=input comment="allow WireGuard (Home)" dst-port=13231 \
protocol=udp
# Everything from LAN-listed interfaces (bridge, vlan91, wg1, ether8 rescue)
# reaches router services; vlan95 and vlan92 are not in LAN and fall to the drop.
add action=accept chain=input comment="Allow input chain from LAN interfaces" \
in-interface-list=LAN
add action=drop chain=input comment="Drop remaining traffic on input chain"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Because wg0 is in WAN, this also drops unsolicited inbound from the provider's
# network, which the 0.0.0.0/0 allowed-address would otherwise let through.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# "any" includes wg0 at the filter level; whether LAN hosts actually reach wg0
# is decided by the routing tables, not by this rule.
add action=accept chain=forward comment=\
"Allow LAN interfaces to forward to any interface list" \
in-interface-list=LAN out-interface-list=all
add action=accept chain=forward comment=\
"Allow internet traffic for untrusted LAN interfaces" in-interface-list=\
UNTRUSTED_LAN out-interface-list=WAN
# The only egress vlan95 gets: out-interface=wg0 specifically, not the WAN list,
# so vlan95 cannot reach PPPoE directly even if routing sent it there.
add action=accept chain=forward comment=\
"Allow specified clients out through the VPN Provider's Wireguard tunnel" \
in-interface-list=WG_VPN_Provider_Clients out-interface=wg0
add action=accept chain=forward comment=\
"Allow Steam Remote Play UDP from vlan95" dst-address-list="Main PC" \
dst-port=27031-27036 in-interface=vlan95 protocol=udp
add action=accept chain=forward comment=\
"Allow Steam Remote Play TCP from vlan95" dst-address-list="Main PC" \
dst-port=27036-27037 in-interface=vlan95 protocol=tcp
add action=drop chain=forward comment=\
"Drop remaining traffic on the forward chain"
# MSS clamp for SYNs that leave via wg0. Only the client's SYN leaves via wg0, so
# only the MSS the client advertises (the size the server may send back) is
# clamped; the server's SYN-ACK arrives on wg0 with out-interface vlan95 and is
# not matched, so the client's own outgoing segment size is left at the server's
# value. NOTE(review): that asymmetry is consistent with an upload-only problem;
# not verified here.
/ip firewall mangle
add action=change-mss chain=forward comment="SurfShark specific MSS change" \
new-mss=clamp-to-pmtu out-interface=wg0 passthrough=yes protocol=tcp \
tcp-flags=syn
# One masquerade for the whole WAN list, so vlan95 traffic leaving via wg0 is
# NATed to the wg0 address just like PPPoE traffic is NATed to the PPPoE address.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Sole entry in wg_provider; main keeps its PPPoE default route.
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=wg_provider
/ipv6 address
add address=XXXX advertise=no interface=wg0
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 is effectively LAN-only: both chains end with "drop everything not from
# LAN". vlan95 is not in LAN and has no IPv6 address or route here, so there is no
# IPv6 path around the tunnel for those clients.
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# Rules are evaluated top-down; first match wins.
#  1) dst 192.168.1.0/24 -> main: lets vlan95 reach the main LAN.
#  2) dst 192.168.5.0/24 -> main: the rule the author believes should be unnecessary.
#  3) src 192.168.5.0/24 -> wg_provider: pins vlan95 clients to the tunnel.
# NOTE(review): rule 3 matches on source address only, so it presumably also
# catches packets the router itself originates from the vlan95 gateway address
# 192.168.5.1 (ICMP fragmentation-needed for oversized uploads, unicast DHCP
# replies, ...) and confines them to wg_provider, whose only route is the default
# via wg0. Rule 2 would mask exactly that, which fits the observation that it
# restores uploads. Worth testing: match rule 3 on the ingress interface
# (interface=vlan95) instead of, or as well as, the source address, then retire
# rule 2. Not verified on this device.
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.1.0/24 table=\
main
add action=lookup-only-in-table comment="This rule shouldn't be here\?" \
dst-address=192.168.5.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.5.0/24 table=\
wg_provider
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.uk.pool.ntp.org
add address=1.uk.pool.ntp.org
add address=2.uk.pool.ntp.org
add address=3.uk.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN