Rox169
Member
Topic Author
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 11:45 am

Hi,

I have WireGuard working between my phone and my home (AX3). The Raspberry Pi is connected to the AX3 through the LAN. I can access the web GUI of the Raspberry Pi but I'm not able to connect to the Raspberry Pi through SSH. Do you know where the problem could be?
 
holvoetn
Forum Guru
Posts: 5323
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 12:44 pm

Check firewall for blocked ports.
Esp. port 22, see if it is allowed from wireguard towards LAN.
 
Rox169
Member
Topic Author
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 2:06 pm

Thank you for helping.

I have only one port open, the one WireGuard needs. Do I need to create another filter rule, or can I use the existing one with more allowed ports?
 
holvoetn
Forum Guru
Posts: 5323
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 2:22 pm

An additional rule is easier for troubleshooting.
And for completeness: I am referring to firewall on the device where wireguard comes in, not where it passes through.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 2:49 pm

Not clear what you are trying to do. Nor do you provide a config.
If you can reach the raspberry pi, what is the problem?
 
Rox169
Member
Topic Author
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 2:50 pm

Ok,
AX3 has 10.255.255.4 WG address
Mobile phone has 10.255.255.4 WG address
RPI has 192.168.1.3 local address

When I log into the AX3 from my phone I can see I logged in with IP 10.255.255.4.

But if I create a rule src. addr. 10.255.255.4, dst. addr. 192.168.1.3, port 22, and the opposite, I still cannot log in. Any advice please?
 
holvoetn
Forum Guru
Posts: 5323
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 2:51 pm

Ok,
AX3 has 10.255.255.4 WG address
Mobile phone has 10.255.255.4 WG address

RPI has 192.168.1.3 local address
OK, I'm going to sit on the porch with anav now...

Contradicting info there.
Please provide export of config (minus usual sensitive stuff like serial, public key, ...)
Last edited by holvoetn on Fri May 05, 2023 2:52 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 2:51 pm

/export file=anynameyouwish ( minus router serial# and any public WANIP info or keys etc. )
 
Rox169
Member
Topic Author
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 3:08 pm

/export file=anynameyouwish ( minus router serial# and any public WANIP info or keys etc. )
Log deleted
Last edited by Rox169 on Sun May 07, 2023 4:50 pm, edited 2 times in total.
 
holvoetn
Forum Guru
Posts: 5323
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 3:20 pm

(tip: please post between code quotes. MUCH easier for reading.
Those: [ ])

Personally: why do you have this?
/interface detect-internet set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
I would remove that.

Your wireguard interface is not a member of any interface list. So it's definitely not WAN nor LAN.
Either add it to a separate list (VPN might be a good option) and foresee a rule which allows forward from VPN to LAN.
Or add wireguard to LAN list.
First one has my preference.

But ... you also have this rule:
add action=accept chain=forward dst-address=10.255.255.4 dst-port=22 \
protocol=tcp src-address=192.168.1.3

Should be the reverse.

I am sure anav will be a bit more detailed with his response :lol:
Last edited by holvoetn on Fri May 05, 2023 3:23 pm, edited 1 time in total.
 
Rox169
Member
Topic Author
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 3:22 pm

Wireguard is part of LAN. The log may not show it but WG is in LAN.
 
holvoetn
Forum Guru
Posts: 5323
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 3:24 pm

Wireguard is part of LAN. The log may not show it but WG is in LAN.
Yes, I see it now as well.
But there is one other thing. Adjusted my comment.

I also see now you are using some block list for port 22.
Are you sure you don't have to add an IP address to the allowed list?
Last edited by holvoetn on Fri May 05, 2023 3:26 pm, edited 1 time in total.
 
Rox169
Member
Topic Author
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 3:25 pm

I have the reverse in the firewall. I do not know why it is not in the log.

add action=accept chain=forward dst-address=192.168.1.3 dst-port=22 \
protocol=tcp src-address=10.255.255.4
 
holvoetn
Forum Guru
Posts: 5323
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 3:36 pm

Because there is no log action?
 
Rox169
Member
Topic Author
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 4:49 pm

What do you mean?
 
holvoetn
Forum Guru
Posts: 5323
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 4:52 pm

add action=accept chain=forward dst-address=192.168.1.3 dst-port=22 \
protocol=tcp src-address=10.255.255.4
This rule does not have a log action.
So nothing will be written to log when it is used.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard SSH to Raspberry Pi4

Fri May 05, 2023 6:06 pm

(1) Set to NONE ( known to cause funky issues )
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

(2) Personal preference: set tcp syn cookies to NO.

(3) You can get rid of the default static DNS setting.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

UP TO THIS POINT THE CONFIG IS QUITE GOOD, then you fall into the trap of focusing on everything except just permitting ALLOWED traffic.
SO that usually ends up botching actual needed performance sooner or later and is also a dog's mess when trying to find issues.
Lean, efficient and simplify.

(4) Remove the DDOS crap, your router cannot prevent DDOS.

(5) My understanding is that if you have queues, you can no longer use fasttrack in the forward chain. OKAY I see it's disabled, that's good!

(6) Why do you reference a 192.168.4.X network in firewall rules when none exists on the hapax or hapac?????? I am going to assume that you simply forgot to add
192.168.4.0/24 to the allowed-addresses on the peer settings from the hapac. I should add 192.168.5.0/24 based on your routes as well.
What a mess.
/interface wireguard peers
add allowed-address=10.255.255.2/32,192.168.3.0/24,192.168.2.0/24,192.168.4.0/24,192.168.5.0/24 comment=\
"HAP AC3" interface=wireguard1 public-key=\
"yh5i1pgBdN5p8xLELfeDI="


(7) To add to that mess, why do you use firewall rules for two subnets coming through wireguard from hapac? That makes zero sense to me,
or worse, to itself............. Needs serious consideration not to be configuring a firewall if you don't know what you are doing and are simply copying and pasting crap from somewhere!!
add action=accept chain=forward dst-address=192.168.4.0/24 src-address=\
193.168.4.0/24


(8) You use forward chain rules for port forwarding (destination NAT), which is wrong; only the general allow rule for dst-nat is required in the MT forward chain, and port forward rules are refined in the NAT rule set.
However you seem to want to hit the server from both the internal address and from the wireguard address. So why not just go direct to the LANIP of the server? No need for any port forwarding when coming locally or through wireguard. Also if you plan to use the WANIP of your router for INTERNAL users, and not just external users, then your dst-nat rules will need more work.
By the way, since you didn't identify the LANIP of the server, it was left blank!!

(9) Firewall rules are disorganized. You should group chains together so it's easy to follow what has been done, as ORDER counts within a chain.
.............
/ip firewall address-list
add address=192.168.1.X list=ADMIN { admin desktop wired }
add address=192.168.1.Y list=ADMIN { admin laptop wired }
add address=192.168.1.XY list=ADMIN { admin laptop wifi }
add address=192.168.1.DC list=ADMIN { admin smartphone }
add address=10.255.255.X list=ADMIN { admin remotely connecting via wg }
add address=192.168.2.X list=ADMIN { in the off chance you or the admin at the hapac needs sometimes to config router from there over WG etc. }
/ip firewall filter
{input chain}
(default rules)
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment="allow admin access to router" in-interface-list=LAN src-address-list=ADMIN
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else" { LAST RULE to put in, ensure admin access rule prior }
{forward chain}
(default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="wg users to local LAN" in-interface=wireguard1 dst-address=192.168.1.0/24
add action=accept chain=forward comment="local LAN to wg" src-address=192.168.1.0/24 out-interface=wireguard1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=22 \
    protocol=tcp to-addresses=???????
add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=22 protocol=\
    tcp to-addresses=?????
.....................

If you are truly concerned about DDoS, then use a zerotier cloudflare trust tunnel (only available in a container, unlike WG which is part of RoS and not even in an optional package; I believe I have been asking), as this functionality prevents any exposure of your IP address!!! This is the way. Your router cannot stop DDoS; that is the upstream ISP's responsibility.
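The two points the replies keep coming back to, the rule written in the wrong direction (src 192.168.1.3 -> dst 10.255.255.4 instead of the reverse) and "ORDER counts within a chain", are easy to check mechanically. The following is an added example, not code from the thread or from MikroTik: a small first-match simulator that parses rules in RouterOS export syntax (including backslash line continuations) and walks a chain in order the way the router does. The rule set and the two packets are constructed for this example; they follow the layout suggested above and assume, as the OP states, that wireguard1 is a member of the LAN interface list. Only the handful of matchers used here are modelled (address, port list, interface, interface list, connection state, NAT state); any other matcher raises rather than being silently ignored.

```python
import ipaddress
import shlex

# Constructed rules, not the thread's export. HEAD is a forward chain laid out
# like the recommended one; the first rule uses a backslash continuation as
# real exports do.
HEAD = """\
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related,untracked" \\
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \\
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
"""
# The OP's original rule: src and dst swapped relative to how SSH is opened.
REVERSED = ('add action=accept chain=forward comment="reversed rule" '
            'dst-address=10.255.255.4 dst-port=22 protocol=tcp src-address=192.168.1.3\n')
# The direction-correct rule suggested in the thread.
WG_TO_LAN = ('add action=accept chain=forward comment="wg users to local LAN" '
             'in-interface=wireguard1 dst-address=192.168.1.0/24\n')
DROP_ALL = 'add action=drop chain=forward comment="drop all else"\n'

WRONG_RULES = HEAD + REVERSED + DROP_ALL
FIXED_RULES = HEAD + WG_TO_LAN + DROP_ALL
MISORDERED_RULES = HEAD + DROP_ALL + WG_TO_LAN   # accept placed behind the catch-all drop


def parse_export(text):
    """Parse `add key=value ...` lines of a RouterOS export into dicts.
    Backslash-newline continuations are joined first; shlex handles quoting."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # section headers such as "/ip firewall filter"
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


# Each matcher answers: does this rule's field apply to the packet?
MATCHERS = {
    "src-address": lambda r, p: _in_net(p["src"], r["src-address"]),
    "dst-address": lambda r, p: _in_net(p["dst"], r["dst-address"]),
    "protocol": lambda r, p: p.get("proto") == r["protocol"],
    "dst-port": lambda r, p: str(p.get("dport")) in r["dst-port"].split(","),  # lists only, no ranges
    "in-interface": lambda r, p: p.get("in_if") == r["in-interface"],
    "out-interface": lambda r, p: p.get("out_if") == r["out-interface"],
    "in-interface-list": lambda r, p: r["in-interface-list"] in p.get("in_lists", ()),
    "out-interface-list": lambda r, p: r["out-interface-list"] in p.get("out_lists", ()),
    "connection-state": lambda r, p: p.get("state") in r["connection-state"].split(","),
    "connection-nat-state": lambda r, p: p.get("nat_state") == r["connection-nat-state"],
}
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix", "hw-offload"}


def first_match(rules, chain, packet):
    """(index, rule) of the first enabled rule in `chain` matching `packet`,
    as RouterOS evaluates it; (None, None) if the chain falls through."""
    for idx, rule in enumerate(rules):
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        unknown = set(rule) - set(MATCHERS) - NON_MATCHERS
        if unknown:
            raise ValueError(f"unsupported matcher(s) {sorted(unknown)} in rule {idx}")
        if all(MATCHERS[k](rule, packet) for k in rule if k in MATCHERS):
            return idx, rule
    return None, None


def decide(export_text, packet, chain="forward"):
    """(action, comment) the chain applies to `packet`, or ('passthrough', '')."""
    _, rule = first_match(parse_export(export_text), chain, packet)
    if rule is None:
        return "passthrough", ""
    return rule["action"], rule.get("comment", "")


def unreachable_rules(export_text):
    """Comments of rules sitting behind an unconditional accept/drop/reject in
    the same chain: they can never match, whatever they say."""
    sealed, shadowed = set(), []
    for rule in parse_export(export_text):
        chain = rule.get("chain")
        if chain in sealed:
            shadowed.append(rule.get("comment", ""))
        elif (rule.get("action") in ("accept", "drop", "reject")
              and rule.get("disabled") != "yes" and not set(rule) & set(MATCHERS)):
            sealed.add(chain)
    return shadowed


# Constructed packets: the SSH SYN from the phone over WireGuard, and the
# Raspberry Pi's reply on the same (now established) connection.
SSH_SYN = {"src": "10.255.255.4", "dst": "192.168.1.3", "proto": "tcp", "dport": 22,
           "state": "new", "in_if": "wireguard1", "in_lists": {"LAN"},
           "out_if": "bridge", "out_lists": {"LAN"}, "nat_state": "none"}
SSH_REPLY = {"src": "192.168.1.3", "dst": "10.255.255.4", "proto": "tcp", "dport": 51234,
             "state": "established", "in_if": "bridge", "in_lists": {"LAN"},
             "out_if": "wireguard1", "out_lists": {"LAN"}, "nat_state": "none"}

if __name__ == "__main__":
    for name, text in (("reversed", WRONG_RULES), ("fixed", FIXED_RULES), ("misordered", MISORDERED_RULES)):
        print(name, "| SYN:", decide(text, SSH_SYN), "| reply:", decide(text, SSH_REPLY),
              "| unreachable:", unreachable_rules(text))
```

Two things fall out of running it. With the reversed rule, the SYN from the phone never matches anything but "drop all else", which is exactly the symptom in the thread; the reply direction needs no rule of its own because the established,related accept at the top of the chain already covers it, so the "opposite" rule the OP added does nothing. And putting the catch-all drop above an accept leaves that accept unreachable, which is what "ORDER counts within a chain" means in practice.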
 
Rox169
Member
Topic Author
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard SSH to Raspberry Pi4

Sat May 06, 2023 12:42 am

Hello Anav,

thank you very much for checking all my settings. I will read it very carefully and try to learn.

1. I control 3 different routers/places and it is good to see in the mobile app that the location has internet.
2. I will do.
3. I will do.
4. This setting is directly from MikroTik. I know it will not defend against a big attack but I like to keep it.
5. Yes, I like to use CAKE.
6. 192.168.4.0 is another place/router. I do not see 192.168.5.0/24 in my settings.
7. I will check.
8. Here I'm lost... I would like to use your advice but I do not know how to implement it. Could you please explain more what you mean?

You use forward chain rules for port forwarding (destination NAT), which is wrong; only the general allow rule for dst-nat is required in the MT forward chain, and port forward rules are refined in the NAT rule set.

What should I change, please?

However you seem to want to hit the server from both the internal address and from the wireguard address. So why not just go direct to the LANIP of the server? No need for any port forwarding when coming locally or through wireguard. Also if you plan to use the WANIP of your router for INTERNAL users, and not just external users, then your dst-nat rules will need more work.

What should I change, please?

9. I will learn from your example how to order firewall rules.

Thank you very much again
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard SSH to Raspberry Pi4

Sat May 06, 2023 3:23 pm

/ip route
add disabled=no dst-address=192.168.2.0/24 gateway=wireguard1 pref-src="" \
routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wireguard1 \
pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.4.0/24 gateway=wireguard1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=wireguard1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=10.1.168.0/24 gateway=192.168.192.34 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10 vrf-interface=zerotier1
add disabled=no distance=2 dst-address=192.168.2.0/24 gateway=192.168.192.34 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10 vrf-interface=zerotier1
add disabled=no distance=2 dst-address=192.168.3.0/24 gateway=192.168.192.34 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10 vrf-interface=zerotier1
add disabled=no distance=2 dst-address=192.168.4.0/24 gateway=192.168.192.84 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10 vrf-interface=zerotier1
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard SSH to Raspberry Pi4

Sat May 06, 2023 3:24 pm

Unfortunately you have other routers now? in the mix, and an unknown one at .5, and you prefer DDoS rules for nothing, so good luck.
I've done all I can here.
 
Rox169
Member
Topic Author
Posts: 432
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard SSH to Raspberry Pi4

Sat May 06, 2023 4:49 pm

Yes, I have 3 gateways/locations with MikroTik, and one location has two subnets because there are two houses connected through 60 GHz. So I have many routers :)

Thank you Anav for helping
