Guentha
just joined
Topic Author
Posts: 20
Joined: Thu Apr 17, 2014 8:47 pm

Wireguard to windows for roadwarrior.

Sat Jan 21, 2023 10:56 pm

I have a site with a CCR1036 with a symmetric 10 Gb connection (PPPoE). This router handles an entire building (~36 companies). One of the companies is a medical lab, and they have a new requirement that when connected to one of their partners they can only use their static WAN IP. This works fine when onsite, but so many people are working from home now that it's become a problem. We quickly set up a PPTP VPN to get them going, which works but is limited to around 45 Mbps for some reason. I like the idea of WireGuard, and the forums make it sound so easy.

I didn't originally set this router up, and I am not the only admin that gets into this router, so I am a bit squeamish to play around a lot.

I have it set up and connecting. It pings the WireGuard address (172.16.50.20) but nothing else.

The client wants WireGuard to work like their PPTP VPN: everything goes over the VPN. They want an IP on the main subnet that acts like they are onsite. Most tutorials show a separate range, but maybe I am misunderstanding.

Here is the setup for this client router (RouterOS 7.7):
External IP X.X.X.249
Internal network = 172.16.50.0/24
Gateway = 172.16.50.5
WireGuard address = 172.16.50.20
WireGuard client addresses 172.16.50.21-29

Here is the Windows config (keys are truncated for security but added so you can see they are in the right places):
[Interface]
PrivateKey = +PWpCAraqBVV
Address = 172.16.50.22/24
DNS = 1.1.1.1

[Peer]
PublicKey = Lukk7tz13Z6JY
AllowedIPs = 0.0.0.0/0
Endpoint = X.X.X.249:369

Quick update: adding the WireGuard interface and assigning it an IP seems to break all routing.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard to windows for roadwarrior.

Sun Jan 22, 2023 5:53 pm

Okay, WireGuard is peer to peer, and typically all the RWs are going to get a WireGuard-specific IP.
They will exit the tunnel and be parallel to the LAN interface.
In other words they can reach any LAN subnet, user or device as dictated by the firewall rules.

It sounds, however, that that is not good enough? They need to have IP addressing that is the same as on the subnet?
Not sure why ??

Perhaps zerotier or the like is better suited to that type of approach ??

+++++++++++++++++++

In any case read something similar on another thread............ FM LARSA.

Yes, it's possible if you are able to allocate a free subnet for the remote clients within that address range, like for example 10.4.10.0/29 (6 clients) or 10.4.10.0/28 (14 clients).

You can calculate different subnet options using: https://www.calculator.net/ip-subnet-ca ... &x=68&y=21

Just bear in mind that the MikroTik WG implementation doesn't offer dynamic allocation of IP addresses (of your office address subnet), thus you have to allocate a static IP for each client.
 
Guentha
just joined
Topic Author
Posts: 20
Joined: Thu Apr 17, 2014 8:47 pm

Re: Wireguard to windows for roadwarrior.

Mon Jan 23, 2023 12:07 am

So if I give WireGuard an IP outside the client's 172.16.50.0 subnet, how do I tell it that they can see resources on this subnet? How do I stop them from seeing the subnets of the other 35 clients on this router?
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard to windows for roadwarrior.

Mon Jan 23, 2023 3:53 am

How can I tell if I don't see the config on the router you are talking about???
Firewall rules are the easy way to determine this.......

Some examples.............
Keep in mind I work on a "drop all" end rule at the end of my forward chain. This means that if I don't specify traffic it is dropped by the last rule, so typically/conceptually this is what it is:
DEFAULT RULES
USER RULES - what is allowed
DROP ALL ELSE.

(1) This may suit a simple homeowner scenario. In this scenario any traffic exiting the router will be able to access any LAN entity.
add chain=forward action=accept in-interface=wireguard1

(2) In this case the admin has a general subnet A and a private subnet B and thus only specifies the intended subnet for access.
add chain=forward action=accept in-interface=wireguard1 dst-address=subnetA

(3) In this case the admin only wants to allow a specific RW to subnet B, his own laptop on the road.....
add chain=forward action=accept in-interface=wireguard1 dst-address=subnetB src-address=admin_RW_WG_assigned_IP

(4) In this case the admin wants another RW to access only a specific device on subnet B.....
add chain=forward action=accept in-interface=wireguard1 dst-address=specific_SubnetB_IP src-address=specific_RW_WG_IP


The only example below that allows a user to access all 35 subnets was the first example. The rest do not.
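As an added example (not anav's or the thread's own config), here is the router side of the arrangement anav describes: road warriors on their own subnet, with example (2) applied to the lab's LAN so the other tenants' subnets stay unreachable. Assumed values are the road-warrior range 172.16.51.0/24, the interface name wireguard1, and the placeholder public key and WAN interface name; the listen port 369 and the lab LAN 172.16.50.0/24 come from the thread.

```routeros
# Added example, not from the thread: RouterOS 7 router side for the
# lab's road warriors. Assumed: RW range 172.16.51.0/24, interface
# name wireguard1, placeholder key and WAN interface name. From the
# thread: listen port 369, lab LAN 172.16.50.0/24.
# The tunnel interface gets an address outside 172.16.50.0/24; giving
# it 172.16.50.20/24 adds a second connected route for the LAN prefix,
# which is the usual reason "assigning it an IP breaks all routing".
/interface/wireguard
add name=wireguard1 listen-port=369

/ip/address
add address=172.16.51.1/24 interface=wireguard1

# One static peer per road warrior: RouterOS does not hand out tunnel
# addresses, so allowed-address is the /32 the client configures.
/interface/wireguard/peers
add interface=wireguard1 public-key="<CLIENT_PUBLIC_KEY>" \
    allowed-address=172.16.51.22/32 comment="lab laptop 1"

/ip/firewall/filter
# Handshake from the internet (place above any input drop-all rule)
add chain=input action=accept protocol=udp dst-port=369 \
    comment="wireguard handshake"
# Forward chain rules, placed above the end-of-chain drop-all rule.
# anav's example (2): road warriors reach the lab LAN only.
add chain=forward action=accept in-interface=wireguard1 \
    src-address=172.16.51.0/24 dst-address=172.16.50.0/24 \
    comment="RW -> lab LAN"
# Replies back into the tunnel (skip if the default rules already
# accept established,related in forward)
add chain=forward action=accept out-interface=wireguard1 \
    connection-state=established,related
# Internet-bound traffic from the tunnel (client AllowedIPs=0.0.0.0/0),
# matched by out-interface so the other tenants' subnets never match.
add chain=forward action=accept in-interface=wireguard1 \
    src-address=172.16.51.0/24 out-interface=<WAN_INTERFACE> \
    comment="RW -> internet"
# Explicit drop for anything else entering from the tunnel, i.e. the
# other 35 tenant subnets; the end-of-chain drop would catch it too,
# but a named rule shows the intent and gives a counter to watch.
add chain=forward action=drop in-interface=wireguard1 \
    comment="RW -> other tenants blocked"

# Road-warrior traffic leaves with the building's static WAN address,
# which is the lab's partner requirement.
/ip/firewall/nat
add chain=srcnat action=masquerade src-address=172.16.51.0/24 \
    out-interface=<WAN_INTERFACE>
```

On the Windows side the [Interface] Address then becomes the peer's /32 from the road-warrior range (172.16.51.22/32 here) with AllowedIPs = 0.0.0.0/0 unchanged, so all client traffic still leaves through the building's static WAN address.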
