KrEdEnS
just joined
Topic Author
Posts: 4
Joined: Sun Feb 19, 2023 2:18 am

Access to Mikrotik LAN via Wireguard on VPS

Tue May 23, 2023 5:57 pm

Hi, I have a VPS with a public IP running a WireGuard server installed via https://github.com/Nyr/wireguard-install. Clients connect to this server (my phone, Mikrotik).
Wireguard network: 10.7.0.0/24; WG Phone IP: 10.7.0.3; WG Mikrotik IP: 10.7.0.2; WG server IP: 10.7.0.1
On the VPS server I have another network, 10.8.0.0/24, and the VPS server has IP 10.8.0.1
On my Mikrotik the LAN network 10.6.0.0/24 is running

I want to connect to the 10.6.0.0/24 network via my phone, which is connected to the VPN, but none of the configurations I try work. Even the most promising config, https://www.laroberto.com/remote-lan-ac ... wireguard/, doesn't work.

So now I can ping:
from my phone connected to the VPN:
- IPs from 10.7.0.0/24
- IPs from 10.8.0.0/24
(all network traffic on the phone is routed through the WG VPN; AllowedIPs: 0.0.0.0/0)

from PCs in the Mikrotik LAN network and from the Mikrotik console:
- IPs from 10.6.0.0/24
- IPs from 10.7.0.0/24
- IPs from 10.8.0.0/24

Now I have rolled back all the bugged configuration, and:
VPS WG server config /etc/wireguard/wg0.conf
[Interface]
Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
PrivateKey = XXXXXXXXX
ListenPort = 51820

# BEGIN_PEER MikroTik_hAPlite
[Peer]
PublicKey = XXXXXXXXX
PresharedKey = XXXXXXXXX
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
# END_PEER MikroTik_hAPlite
# BEGIN_PEER phone
[Peer]
PublicKey = XXXXXXXXX
PresharedKey = XXXXXXXXX
AllowedIPs = 10.7.0.3/32, fddd:2c4:2c4:2c4::3/128
# END_PEER phone
Mikrotik config, and Mikrotik routing:
[attached screenshots: Zrzut ekranu 2023-05-23 o 16.52.45.png, Zrzut ekranu 2023-05-23 o 16.53.49.png]
Can someone help me with this problem, please?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access to Mikrotik LAN via Wireguard on VPS

Tue May 23, 2023 6:24 pm

On the VPS, the peer for the MT should include 10.0.6.0/24

# BEGIN_PEER MikroTik_hAPlite
[Peer]
PublicKey = XXXXXXXXX
PresharedKey = XXXXXXXXX
AllowedIPs = 10.7.0.2/32, 10.0.6.0/24, fddd:2c4:2c4:2c4::2/128

The reason is that it's not a contiguous tunnel.
The phone connects peer to peer to the VPS and exits the tunnel.
Then it re-enters the tunnel on the VPS-to-MT segment, and thus the peer setting has to include the destination IP of 10.0.6.0/24.

The other thing you have to ensure on the VPS are the firewall rules and routing rules; since I am only conversant in MT lingo, I will put the equivalents.

VPS Firewall rule
add chain=forward action=accept in-interface=wireguard out-interface=wireguard

We are using the VPS as a relay, so traffic exiting the tunnel should be able to re-enter the tunnel, and of course we need routing to do that as well.
So we have to ensure that the phone, after exiting the tunnel at the VPS, has a path to the subnet on the MT, SAME AS LOCAL USERS at the VPS would need.

add dst-address=10.0.6.0/24 gateway=wireguard table=main
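As an added illustration of the relay point above (this is example code, not anything posted in the thread), a small Python check that parses the hub's wg0.conf and applies WireGuard's cryptokey routing rule: a packet the VPS sends out wg0 is only delivered to the peer whose AllowedIPs covers the destination, otherwise it is dropped. The sample config is the one from the first post with placeholder keys; peer names are taken from the # BEGIN_PEER markers that wireguard-install writes.

```python
import ipaddress

# Constructed sample: the thread's hub (VPS) wg0.conf with placeholder keys.
HUB_CONF_BEFORE = """[Interface]
Address = 10.7.0.1/24
# BEGIN_PEER MikroTik_hAPlite
[Peer]
PublicKey = PLACEHOLDER_MT_KEY
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
# BEGIN_PEER phone
[Peer]
PublicKey = PLACEHOLDER_PHONE_KEY
AllowedIPs = 10.7.0.3/32, fddd:2c4:2c4:2c4::3/128
"""
# Same hub after the fix: the LAN behind the MikroTik is bound to its peer.
HUB_CONF_AFTER = HUB_CONF_BEFORE.replace(
    "AllowedIPs = 10.7.0.2/32,", "AllowedIPs = 10.7.0.2/32, 10.6.0.0/24,")

def parse_peers(conf):
    """Peer name -> AllowedIPs networks, using the '# BEGIN_PEER <name>' markers."""
    peers, name = {}, None
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("# BEGIN_PEER"):
            name = line.split(None, 2)[2]
        elif line.startswith("PublicKey") and name is None:
            name = line.split("=", 1)[1].strip()  # unmarked peer: key as name
        elif line.startswith("AllowedIPs"):
            peers[name] = [ipaddress.ip_network(n.strip(), strict=False)
                           for n in line.split("=", 1)[1].split(",")]
            name = None
    return peers

def select_peer(peers, dst):
    """Cryptokey routing: the peer whose AllowedIPs covers dst (longest prefix
    wins) gets the packet; with no match the kernel silently drops it."""
    dst, best = ipaddress.ip_address(dst), None
    for name, nets in peers.items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None

def unreachable_lans(peers, lans):
    """Subnets behind a spoke that no peer entry claims; the hub cannot relay to them."""
    lans = [ipaddress.ip_network(lan) for lan in lans]
    return [str(lan) for lan in lans if not any(net.version == lan.version and lan.subnet_of(net)
                                                for nets in peers.values() for net in nets)]

for label, conf in (("before", HUB_CONF_BEFORE), ("after", HUB_CONF_AFTER)):
    print(label, "->", select_peer(parse_peers(conf), "10.6.0.5"), unreachable_lans(parse_peers(conf), ["10.6.0.0/24"]))
```

The same lookup happens on the MikroTik side, so its peer entry for the VPS must list the phone's address (or 10.7.0.0/24) in allowed-address, or the replies are dropped there.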
 
KrEdEnS
just joined
Topic Author
Posts: 4
Joined: Sun Feb 19, 2023 2:18 am

Re: Access to Mikrotik LAN via Wireguard on VPS

Tue May 23, 2023 8:03 pm

I added 10.6.0.0/24 to the wg0 conf and these rules:
iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
ip route add 10.0.6.0/24 dev wg0
the last one (the route) was added automatically by the WG config

but after this I still can't ping the 10.6.0.0/24 network [screenshot from VPS], nor from the device connected to the VPN (phone)
[attached screenshot: Zrzut ekranu 2023-05-23 o 18.56.55.png]
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access to Mikrotik LAN via Wireguard on VPS

Wed May 24, 2023 3:51 am

Sorry, can't help, not an MT issue I don't think. Why don't you add an MT virtual router vice this VPS garbage.
Don't mind me, just frustrated I cannot help further.
