Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Just wanted to share....

Thu Dec 01, 2022 4:01 pm

Most of you will find this boring old stuff, but I wanted to share:

Over the course of the past month or so, I implemented a heX at my home (replacing a Verizon FIOS router) and have Wireguard set up (connecting 4 sites in total).

I am for the first time not at any of those sites -- I'm actually sitting in a hotel room 250 miles from my main site using my Windows laptop connected to the hotel's WiFi with a Wireguard VPN active (using the Windows Wireguard client) and it's working super well!

Beautiful, fast, reliable, secure, total access to my main site.

Thank you to the great members of this forum for all the help!
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Just wanted to share....

Thu Dec 01, 2022 4:05 pm

Awesome!!
( and thus you should be able to connect to the other 3 sites as well if they are hooked up via wg to the main site )
 
Josephny
Member
Topic Author
Posts: 434
Joined: Tue Sep 20, 2022 12:11 am

Re: Just wanted to share....

Thu Dec 01, 2022 4:38 pm

I must have messed something up because I cannot ping the other 3 sites' routers.

I can ping all the sites from a Winbox session to the main site.

I thought maybe I needed a route added locally on the laptop, but that didn't fix it.


Awesome!!
( and thus you should be able to connect to the other 3 sites as well if they are hooked up via wg to the main site )
 
mbovenka
Member
Posts: 337
Joined: Mon Oct 14, 2019 10:14 am

Re: Just wanted to share....

Thu Dec 01, 2022 4:52 pm

I must have messed something up because I cannot ping the other 3 sites' routers.

I can ping all the sites from a Winbox session to the main site.

I thought maybe I needed a route added locally on the laptop, but that didn't fix it.

Probably the other sites don't know the route back to you. With your added route you know the way to them, but they need a similar route back to you.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Just wanted to share....

Thu Dec 01, 2022 6:26 pm

Step 1 - on Windows laptop settings
You probably have the wrong settings on your remote Windows client.
The peer setting should be one of two things:

AllowedIPs = 0.0.0.0/0 { which is necessary for Internet access elsewhere, and conveniently covers all the items below (allowed IPs without Internet need) }
AllowedIPs = wireguard_subnet, mainsite_subnet(s), anyother-site_subnet(s) if required { will allow you to ping all connected WireGuard sites, and connect to other sites and config other sites }

Step 2 - on main site, allowed IPs
The allowed IP for the peer "windows laptop" is simply the WireGuard address of the Windows laptop. This will allow the Windows laptop to get to the main site LAN.

Step 3 - firewall rules, main site
You need to allow the peer to enter the LAN and, if they have to re-enter the tunnel to get to another peer, to re-enter the tunnel.

The easiest method is
add chain=forward action=accept in-interface=wgMAIN out-interface=wgMAIN

This allows any wg user to reach another wg site on the same wg interface network.
You may not want all users to have this easy reach so you could make such rules and use source or destination address to provide some limits.

If the remote user needs access to MAIN SITE subnets then make another rule
add chain=forward action=accept in-interface=wgMAIN src-address=windowsPC-WG-IP dst-address=mainsite-subnet

If the remote user needs to config the MAIN SITE
add chain=input action=accept in-interface=wgMAIN src-address=windowsPC-WG-IP

Step 4 - routes at main site
In the case of single users, the WireGuard subnet creates a <DAC> route (automated), and thus for example your Windows laptop has no problem getting routed back into the tunnel.
At least for pinging purposes and for local MAIN site subnet access!
To reach another site's subnet, you will need a route to reach that subnet from the main site. Local users on the main site probably need it too, and thus you already have one; if not:
add dst-address=subnet_at_other_site gateway=wgMAIN table=main
Now when the remote user exits the tunnel at the main site with a destination address of a subnet at the other site, the router will know that the route there is through the tunnel.

On the main router, always ensure you have considered three items (routes, firewall rules and allowed IPs). What is key is that yes, you have a route to the subnet on the other site, and you need to ensure, on the MAIN SITE, that the peer settings for the allowed IPs of the OtherSite peer include the destination subnet (existing at the other site).

Step 5 - other site routes

Already done for the Windows laptop, as <DAC> provides routing here back through the tunnel etc.
IF however the incoming traffic is not a remote user but a user from a subnet coming from the MAIN router, you would need a route back to the MAIN site subnet:
add dst-address=MainSite_subnet gateway=OtherSiteWG table=main

Step 6 - other site firewall rules
Need to allow WG to access the LAN (LAN access is forwarded traffic, so this is a forward-chain rule):
add chain=forward action=accept in-interface=OtherSiteWG src-address=windowsPC-WG-IP dst-address=????
Need to allow WG to access the router for config purposes:
add chain=input action=accept in-interface=OtherSiteWG src-address=windowsPC-WG-IP
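The six steps above, written out as one complete RouterOS configuration for both routers. This is an added example, not anav's or MikroTik's own config, and every address, interface name and key in it is a constructed assumption: WireGuard overlay 10.10.10.0/24 (main router .1, other site .2, laptop .100), main site LAN 192.168.10.0/24, other site LAN 192.168.20.0/24, the interface names wgMAIN and OtherSiteWG from the post, and <...> placeholders for keys and the main site's endpoint. On the laptop, the matching Windows client setting from Step 1 is AllowedIPs = 10.10.10.0/24, 192.168.10.0/24, 192.168.20.0/24. The accept rules are inserted with place-before=0 so they land above the default drop rules in the forward and input chains; appended rules would otherwise never match.

```routeros
# Constructed addressing (assumptions, not from the thread):
#   WireGuard overlay  10.10.10.0/24  main router = .1, other site = .2, laptop = .100
#   Main site LAN      192.168.10.0/24
#   Other site LAN     192.168.20.0/24
# Keys and the main site endpoint are placeholders.

# ===================== MAIN SITE =====================
/interface wireguard
add name=wgMAIN listen-port=13231 private-key="<MAIN_PRIVATE_KEY>"
/ip address
# Attaching the /24 here creates the <DAC> route from Step 4 automatically.
add address=10.10.10.1/24 interface=wgMAIN

/interface wireguard peers
# Step 2: the laptop peer's allowed-address is only its own WireGuard /32.
add interface=wgMAIN public-key="<LAPTOP_PUBLIC_KEY>" \
    allowed-address=10.10.10.100/32 comment="windows laptop"
# The other-site peer must also carry its LAN subnet, otherwise WireGuard's
# cryptokey routing silently drops packets to/from 192.168.20.0/24.
add interface=wgMAIN public-key="<OTHERSITE_PUBLIC_KEY>" \
    allowed-address=10.10.10.2/32,192.168.20.0/24 comment="other site"

/ip route
# Step 4: the other site's LAN is reachable through the tunnel.
add dst-address=192.168.20.0/24 gateway=wgMAIN

/ip firewall filter
# Step 3: wg-to-wg transit (laptop -> main router -> other site), limited to
# the laptop's address rather than every peer, as the post suggests.
add chain=forward action=accept in-interface=wgMAIN out-interface=wgMAIN \
    src-address=10.10.10.100 place-before=0 comment="laptop transit to other wg sites"
# Laptop -> main site LAN.
add chain=forward action=accept in-interface=wgMAIN \
    src-address=10.10.10.100 dst-address=192.168.10.0/24 place-before=0 \
    comment="laptop to main LAN"
# Laptop -> the main router itself (Winbox / management).
add chain=input action=accept in-interface=wgMAIN src-address=10.10.10.100 \
    place-before=0 comment="laptop manages main router"

# ===================== OTHER SITE =====================
/interface wireguard
add name=OtherSiteWG listen-port=13231 private-key="<OTHERSITE_PRIVATE_KEY>"
/ip address
add address=10.10.10.2/24 interface=OtherSiteWG

/interface wireguard peers
# allowed-address must cover the laptop's address (via the whole overlay /24)
# and the main LAN if main-site users should reach this site.
add interface=OtherSiteWG public-key="<MAIN_PUBLIC_KEY>" \
    endpoint-address=<MAIN_SITE_PUBLIC_IP_OR_DNS> endpoint-port=13231 \
    allowed-address=10.10.10.0/24,192.168.10.0/24 persistent-keepalive=25s \
    comment="main site"

/ip route
# Step 5: only needed for main-site LAN users; the laptop's /32 is already
# covered by the connected 10.10.10.0/24 <DAC> route.
add dst-address=192.168.10.0/24 gateway=OtherSiteWG

/ip firewall filter
# Step 6: LAN access is forwarded traffic; router management is input.
add chain=forward action=accept in-interface=OtherSiteWG \
    src-address=10.10.10.100 dst-address=192.168.20.0/24 place-before=0 \
    comment="laptop to other-site LAN"
add chain=input action=accept in-interface=OtherSiteWG src-address=10.10.10.100 \
    place-before=0 comment="laptop manages other-site router"
```

A quick way to check each hop after applying this: from the laptop, ping 10.10.10.1, then 10.10.10.2, then a host in 192.168.20.0/24. If the first works and the second does not, the forward rule in-interface=wgMAIN out-interface=wgMAIN or the other site's allowed-address is the usual culprit; if the second works and the third does not, look at the other site's forward rule and the laptop's AllowedIPs.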
