anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Thu Apr 25, 2024 4:38 pm

My bad, I didn't realize that BTH was NOT possible to connect two routers that do not have publicly reachable IPs etc. It's only valid for a router without a public IP and a remote device like a phone.
 
Grumpy
just joined
Posts: 16
Joined: Mon Sep 11, 2023 9:06 am

Re: NEW FEATURE: Back to Home VPN

Mon May 20, 2024 12:01 pm

Supposedly fixed in 7.15beta6.
There is also a workaround if you modify the logging rules to numb down those messages but in my book these shouldn't even be displayed (it's debug, not info)
It's a while ago now. Can you guys confirm it will be fixed in the mentioned version, any news?
 
normis
MikroTik Support
Topic Author
Posts: 26880
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon May 20, 2024 2:59 pm

What specifically?
 
Grumpy
just joined
Posts: 16
Joined: Mon Sep 11, 2023 9:06 am

Re: NEW FEATURE: Back to Home VPN

Mon May 20, 2024 4:58 pm

I'd like just to have a confirmation about scheduled fixing because it's a while ago. Nothing special ;)
 
normis
MikroTik Support
Topic Author
Posts: 26880
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon May 20, 2024 5:00 pm

Fixing what specifically? Abundance of Wireguard logs? That was already fixed
 
DarkNate
Forum Guru
Posts: 1065
Joined: Fri Jun 26, 2020 4:37 pm

Re: NEW FEATURE: Back to Home VPN

Mon May 20, 2024 5:03 pm

FYI to the users, the WireGuard problem of trying to re-connect to a previously connected dynamic peer is not a MikroTik problem, it's part of the OG WireGuard codebase. Same issue on a plain Debian install as well.

@normis, does BTH allow me to specify which IPv6 /64 pool to use for the peers?
 
Grumpy
just joined
Posts: 16
Joined: Mon Sep 11, 2023 9:06 am

Re: NEW FEATURE: Back to Home VPN

Tue May 21, 2024 8:11 pm

> Fixing what specifically? Abundance of Wireguard logs? That was already fixed

Still occurring with BTH on iOS and 7.14.3; checked 3 days ago.

@DarkNate: thx for explanation!
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Fri May 24, 2024 11:09 pm

@Normis.

Okay so what I have learned recently.
1. BTH is not applicable to router to router connections.

2. It would appear that BTH configures certain things automatically; please confirm.
a. sourcenat rule
b. wireguard ip address
c. input chain handshake rule
d. allowed ips.
e. wg blocked to LAN but allowed to WAN
f. anything else??

My concern is WHY these settings are:
1. NOT showing up on the export (as per normal wireguard settings) *****
or
2. NOT showing up on the export in a specific config block, maybe /ip BTH VPN etc.

Very frustrating to try and help customers when I don't have an understanding or proper expectations.

**** Allowed IPs does show up on the regular export, but the rest seem not to??
Last edited by anav on Fri May 24, 2024 11:13 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Fri May 24, 2024 11:12 pm

Okay, understood. I may be looking at a BTH setup incorrectly done on an Ops MT router, and thus the missing export info?
 
dcavni
Member Candidate
Posts: 186
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Sat May 25, 2024 8:14 am

How would you block access to the LAN only based on the client config file? The client could then just change a few lines in the existing config file and gain access to your LAN.
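The point raised here applies to any WireGuard deployment, BTH included: the peer's .conf only tells the client what to route into the tunnel, so it cannot be the control. What a peer may reach is decided on the router, by the peer's allowed-address (WireGuard's cryptokey routing rejects packets from any other source address) and by the firewall. The following is an added illustration, not code from this thread or from MikroTik's BTH implementation: the manual-WireGuard equivalent of a BTH user with allow-lan=no. The interface name wireguard1, the LAN subnet 192.168.88.0/24, the peer's tunnel address 192.168.216.10, the WAN interface list and the key placeholder are all assumptions.

```routeros
# Added example (not from the thread or MikroTik). Router-side enforcement of
# "tunnel to Internet only, no LAN" for one manual WireGuard peer.
# Assumptions: interface wireguard1, LAN 192.168.88.0/24, interface list "WAN",
# peer tunnel address 192.168.216.10, and a placeholder public key.

# 1. Pin the peer to a single tunnel address. WireGuard itself drops packets that
#    arrive from this key with any other source address, no matter what the client
#    writes in its own config file.
/interface/wireguard/peers/add interface=wireguard1 comment="guest-laptop" \
    public-key="<PEER-PUBLIC-KEY-PLACEHOLDER>" allowed-address=192.168.216.10/32

# Weak state: with only the peer entry above and a permissive forward chain, the
# peer reaches the LAN as soon as it edits AllowedIPs in its .conf. Nothing on the
# router says otherwise, so the client file is the only "control".

# 2. Corrected state: decide on the router. Place these before any general accept
#    rule in the forward chain (place-before=... if the chain already has rules).
/ip/firewall/filter/add chain=forward in-interface=wireguard1 \
    src-address=192.168.216.10/32 dst-address=192.168.88.0/24 action=drop \
    comment="guest-laptop: no LAN (manual equivalent of allow-lan=no)"
/ip/firewall/filter/add chain=forward in-interface=wireguard1 \
    src-address=192.168.216.10/32 out-interface-list=WAN action=accept \
    comment="guest-laptop: Internet only"

# 3. The router itself is not a target either: nothing from the tunnel address may
#    reach router services (add a narrow accept for DNS above this if required).
/ip/firewall/filter/add chain=input in-interface=wireguard1 \
    src-address=192.168.216.10/32 action=drop \
    comment="guest-laptop: no router services"

# 4. Verify what is actually in force (the firewall, not the client file, is the record).
/interface/wireguard/peers/print detail where comment="guest-laptop"
/ip/firewall/filter/print where comment~"guest-laptop"
```

If the default RouterOS firewall is in use, the two forward rules must sit before the generic "accept in-interface-list=LAN" / established-related rules for this peer's traffic to be evaluated by them; check the order with the last print.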
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Sat May 25, 2024 6:16 pm

> Okay understand I may be looking at a BTH setup incorrectly done on an Ops MT router and thus the missing export info?

It's not in the `/wireguard/export` because it's "dynamic config" (i.e. configuration generated by another RouterOS option). And dynamic config is never in an export – think /ip/dhcp-client and /ip/address/export. So like elsewhere, "/wireguard/print detail" is what's needed to "see" BTH stuff. And /ip/firewall/.../print etc. too. Basically you'll see more "D" items from BTH in a few places.

@anav, you think "Back-to-Home" is more complex than it is. BTH is still just plain WireGuard, following all the same rules, with a few tricks (that do not change the WG protocol):

1. BTH adds "dynamic config" (e.g. items marked with a "D") to /wireguard and elsewhere.** And as such they are not in an export. Only "print", or winbox.

2. The biggest trick is the DDNS name <sn>.vpn.mynetname.net used. What that name resolves to is set by BTH internally & used in the WG config generated (instead of IPs). This allows floating between direct/proxy mode, since DDNS can change over time. So if proxied, <sn>.vpn.mynetname.net resolves to MikroTik's IP & if direct, it's your own WAN IP.

3. The BTH apps just issue RouterOS commands, using your winbox/etc login, to enable BTH & get device keys/config from those commands. But this just avoids cut-and-paste - you can use a WG client instead, all the proxy stuff works the same (see #2, the trick is that the WG config shown for BTH uses a DDNS name).

4. AFAIK, you can still add your own peer statically using winbox/etc using the BTH "dynamic" /wireguard interface. So while router-to-router is "not supported", BTH really does not care what OS the other peer is using, so that should work too (*only ONE needs to enable BTH, the other is a peer of that, not both running BTH). Basically, BTH does not change that everything is a peer. It just automates config on the router to enable WG (with encrypted WG traffic getting transparently proxied via another server if needed). Basically BTH clients are still just normal WG peers – just the WG config file uses a special DDNS name.

5. /ip/address for the WG interface, to this point, is always in the same fixed subnet: 192.168.216.0/24

** I do think what "dynamic config" is added automatically with BTH should be described more specifically in the docs. _i.e._ I get that it is a home feature, but there are folks that deploy things to customers that like to know how they work in greater detail.
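A practical way to see the dynamic objects described above before a config review or backup, since `/export` will never list them. This is an added example, not part of the post above or of the RouterOS documentation; the menu paths are standard RouterOS 7 ones, the summary format and the variable names are ours, and it assumes BTH is already enabled on the router.

```routeros
# Added example (not from the thread or MikroTik). Summarise the "D" (dynamic)
# objects that BTH creates and that /export omits. Paste into a RouterOS 7 terminal.

# WireGuard peers created by BTH: show where each may come from (allowed-address)
# and the first bytes of its key, enough to match it against a BTH user later.
:local dynPeers [/interface/wireguard/peers/find where dynamic]
:put ("dynamic WireGuard peers: " . [:len $dynPeers])
:foreach p in=$dynPeers do={
    :local pub [/interface/wireguard/peers/get $p public-key]
    :local allowed [:tostr [/interface/wireguard/peers/get $p allowed-address]]
    :put ("  peer allowed-address=" . $allowed . " key=" . [:pick $pub 0 8] . "...")
}

# Firewall and NAT rules BTH injected (the "handshake", "sourcenat" and
# "wg blocked to LAN" items asked about earlier in the thread).
:put ("dynamic filter rules: " . [:len [/ip/firewall/filter/find where dynamic]])
:foreach r in=[/ip/firewall/filter/find where dynamic] do={
    :put ("  filter chain=" . [/ip/firewall/filter/get $r chain] . \
          " action=" . [/ip/firewall/filter/get $r action] . \
          " comment=" . [/ip/firewall/filter/get $r comment])
}
:put ("dynamic nat rules: " . [:len [/ip/firewall/nat/find where dynamic]])
:foreach r in=[/ip/firewall/nat/find where dynamic] do={
    :put ("  nat chain=" . [/ip/firewall/nat/get $r chain] . \
          " action=" . [/ip/firewall/nat/get $r action])
}

# Addresses BTH put on the tunnel interface (the fixed 192.168.216.0/24 subnet
# mentioned in point 5 above).
:foreach a in=[/ip/address/find where dynamic] do={
    :put ("  address " . [/ip/address/get $a address] . \
          " on " . [/ip/address/get $a interface])
}

# The BTH side of the same picture, for cross-checking the peer list.
/ip/cloud/print
/ip/cloud/back-to-home-users/print
```

Anything the script lists but an export does not show is exactly the gap a customer hand-over document has to describe by hand; running it before and after enabling BTH shows which rules the feature added.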
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Sat May 25, 2024 11:52 pm

Agree, much better documentation will take out some of the mystery. BUT I SAY AGAIN, BTH needs to be more explicitly shown on the export.
/ip cloud full full settings etc........
 
K0NCTANT1N
Frequent Visitor
Posts: 77
Joined: Thu Jun 08, 2023 9:35 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 01, 2024 11:46 am

routerOS v7.12.1, BTH v1.3.33: "Tools/IP Scan" interface "bridge" no information

(checked because of a post in another topic)
 
DATPOLpl
just joined
Posts: 4
Joined: Sat Jun 29, 2024 5:22 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 01, 2024 12:59 pm

Hi

I have a lot of this...
Why?

ROS 15.2 - 5009 routerboard fw upgraded
 
nichky
Forum Guru
Posts: 1386
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Tue Jul 02, 2024 2:43 pm

That is because something is not happy. How does the ping look?
 
DATPOLpl
just joined
Posts: 4
Joined: Sat Jun 29, 2024 5:22 pm

Re: NEW FEATURE: Back to Home VPN

Tue Jul 02, 2024 4:53 pm

What ping?
 
nichky
Forum Guru
Posts: 1386
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Wed Jul 03, 2024 2:00 am

e.g. from the Router to peer9
 
jfim88
Frequent Visitor
Posts: 66
Joined: Tue May 07, 2024 8:57 pm

Re: NEW FEATURE: Back to Home VPN

Sat Jul 06, 2024 1:38 pm

Quick question. I have BTH enabled, created from the iOS app on my iPhone. Working perfectly. I want to add a peer for my MacBook using the WireGuard app for Mac.

Trying to use the iPhone BTH app share option, but after pressing the share button it asks for the router login; I enter login and password and it says connection refused.
 
SuperMario81
just joined
Posts: 1
Joined: Mon Jun 12, 2023 12:56 pm

Re: NEW FEATURE: Back to Home VPN

Fri Jul 26, 2024 2:09 pm

Hi,
I'm using/testing the B2H, I'm running 7.16Beta7.
I created 2 users from the Back to Home Users function, all is good, but when I go to WireGuard Peers there is no way to un-check the Responder checkbox to avoid the log being full of the message "back-to-home-vpn: [peer2] .....=: Handshake for peer did not complete after 20 attempts, giving up"
Am I doing something wrong?
Thanks
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Fri Jul 26, 2024 4:33 pm

@supermario Nothing wrong, just poorly constructed APP functionality. By the way, the company story, as always, is that it's very easy to use and implement. :-(

@jfim Ensure the mac does not have some sort of firewall blocking the traffic.
 
SuperMario81
just joined
Posts: 1
Joined: Mon Jun 12, 2023 12:56 pm

Re: NEW FEATURE: Back to Home VPN

Fri Jul 26, 2024 4:46 pm

@anav Thanks, then I guess it's better to configure WG manually to have better control; maybe one day MikroTik will make some improvements to BTH. @normis, are some improvements in the backlog?
 
faxxe
newbie
Posts: 40
Joined: Wed Dec 12, 2018 1:46 pm

Re: NEW FEATURE: Back to Home VPN

Fri Jul 26, 2024 6:37 pm

I already have several working Wireguard connections, but I also wanted to try this function.
Since then, I have a dynamic entry that can no longer be deleted. How can I remove it?
Thank you,

v 7.15.3

-faxxe
 
NatePB14
just joined
Posts: 4
Joined: Fri Aug 03, 2018 2:58 am

Re: NEW FEATURE: Back to Home VPN

Mon Jul 29, 2024 9:08 pm

> I already have several working Wireguard connections, but I also wanted to try this function.
> Since then, I have a dynamic entry that can no longer be deleted. How can I remove it?
> Thank you,
>
> v 7.15.3
>
> -faxxe
You'll find the BTH users on the IP>Cloud window, from there you could delete the users
 
faxxe
newbie
Posts: 40
Joined: Wed Dec 12, 2018 1:46 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 29, 2024 10:22 pm

Very helpful, thank you NatePB14
-faxxe
 
serambca
just joined
Posts: 3
Joined: Mon Jun 24, 2024 5:58 pm

Re: NEW FEATURE: Back to Home VPN

Wed Jul 31, 2024 3:53 pm

Good afternoon,
I would like to send all traffic across the Back to Home. is it possible?
Best regards!
 
nichky
Forum Guru
Posts: 1386
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Fri Aug 02, 2024 9:02 am

can they expire?
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Aug 07, 2024 6:56 pm

To help understand the functionality........

1. First set up the Phone BTH app, when connected to the router???
2. Then one can, using the phone and the BTH app, while at remote locations (NO need to be connected to the router), create a WG instance for another device??
3. This assumes hole punching, correct.
4. The other (third) device gets a separate wireguard IP on the wireguard network?? - but how does the router know, or the MikroTik hole-punch gateway??

+++++++++++++++++++++++++++++++++++++++++++++
HOW DO I CATEGORY
How do I create QR codes from a standard setup (hole punch not required) that I can WhatsApp to remote devices for them to ingest??
If not possible:
What is the closest one can come to the above in current or planned functionality?
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Wed Aug 07, 2024 7:45 pm

> How do I create QR codes from a standard setup ( hole punch not required ), that I can whatsapp to remote devices for them to ingest??
Create screenshot from Winbox or Webfig.
Even from terminal is possible with /interface/wireguard/peers show-client-config if terminal window is expanded enough or has very small font size :)
wg-peer-qr.png
It would be nice if the Client Config text were selectable in Winbox without the need to execute show-client-config from the Terminal, to make it easy to c/p it into a .conf file for sharing as a config file, since the desktop WG client doesn't support reading config from a QR image. Also, creating a new peer in ROS from a WG config file by reading the config properties that are supported on ROS would be a nice feature for standard WireGuard configuration.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Aug 07, 2024 8:50 pm

Sweet photo, gee I wonder why this is not in the MT Documents???
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Wed Aug 07, 2024 9:58 pm

ROS wouldn't be fun without (hidden/undocumented) gems :)
 
normis
MikroTik Support
Topic Author
Posts: 26880
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 8:19 am

The biggest benefit of Back to Home is the mobile app. It is super simple to use. If you want to configure wireguard manually, you don't really need BTH anymore. So by using the CLI, you are missing the point
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 12:28 pm

Not sure I follow "missing the point" regarding the CLI; my reply was a bit OT because it was not related to BTH WG. It was a reply to @anav's question regarding manual (standard) WG setup (also OT) - "How do I create QR codes from a standard setup..."
 
normis
MikroTik Support
Topic Author
Posts: 26880
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 12:35 pm

My answer was about why documentation is more concentrated on using the App, not CLI.
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 12:45 pm

Still, it was about manual WG setup and the possibilities of sharing peer configuration... Is it possible to share such a manual WG peer configuration from the MT mobile app (not BTH)?
From the WG documentation:
> iOS configuration
> Download the WireGuard application from the App Store. Open it up and create a new configuration from scratch.
In the documentation it is stated "...create a new configuration from scratch" :), even though it is possible to create a peer QR code as in my screenshot example; that was why @anav is wondering why such a possibility is not documented.

This is OT; maybe it is better to create a separate topic for such discussions regarding improvements for manual WG.
 
normis
MikroTik Support
Topic Author
Posts: 26880
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 12:54 pm

I agree, BTH documentation does not yet describe Share management.
This does not mean Winbox should be used at all. I still insist, if you use BTH without the app, you are missing the point of BTH.
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 1:03 pm

BTH WG setup != manual WG setup.
I'm trying to explain that my comments are not related to BTH WG and are OT :)
Forcing the use of BTH just because it exists doesn't mean that one can choose a different approach to use WG as it fits one's needs, even a custom WG setup as the BTH VPN (I also have OpenVPN, e.g., as a backup BTH VPN).
Last edited by optio on Thu Aug 08, 2024 1:07 pm, edited 1 time in total.
 
normis
MikroTik Support
Topic Author
Posts: 26880
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 1:06 pm

Check the title of the topic. Yes, manual WG setup should be discussed in another topic.
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 1:07 pm

Now you get it :)
I was just trying to help @anav...
 
normis
MikroTik Support
Topic Author
Posts: 26880
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 1:56 pm

Regarding the TOPIC
We have updated the manual with the Share function info (APP side) https://help.mikrotik.com/docs/display/ROS/Back+To+Home
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 4:21 pm

Thanks Normis for updating the docs.
My questions are mostly about the APP.
Specifically, the first questions are about the "Spread the wireguard love" ability of the phone app!

(1) How does the APP on the phone create more peer client instances (such as for a Windows laptop) when both are no longer under the router's network, aka at a remote location?
More precisely, the new device (laptop) presumably gets assigned a wireguard IP address.
How does the APP decide which IP to give out?
How does the other end (the router) know to accept traffic from that new IP?
OR
How does the hole-punch MT cloud server know to accept traffic from that new IP?
OR
Please fill in the missing gap in my knowledge.
++++++++++++++++++++++++++++++
Secondly, I am trying to find "extra utility" of the BTH app in terms of the QR code generating capability.
Does the phone (app) generate QR codes
OR
Does the router generate QR codes?

GOAL: In a manual WG setup, the ability to create QR codes for remote users to ingest (via WhatsApp, email etc.) to easily set up their device, be it by generating those QR codes on the BTH app on the phone, or via some other means on the router (IP cloud?).
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 4:44 pm

Regarding "GOAL", why mix manual WG setup with the BTH app? Better to have the ability to export/share the configuration of such peers (from a manual WG setup) in the MT mobile app (not BTH) or in Winbox, to be able to save the QR image without the need to create a screenshot, to use as a configuration import into the official WG client mobile app.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 5:23 pm

> Regarding "GOAL", why mix manual WG setup with BTH app? Better to have ability to export/share configuration of such peers (from manual WG setup) in MT mobile app (not BTH) or in Winbox to have ability to save QR image without need to create screenshot, to use as configuration import into official WG client mobile app.

What?
I am simply trying to understand the functionality available and how to use/apply it, if possible.
Any monkey would rather have functionality available in the native menus, but I'm not asking for MT to change anything, just to explain the depth of the functionality available.
It's up to Normis and Co. whether they can adapt, modify or add additional functionality to either the BTH app, the MT APP, or RouterOS.
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Thu Aug 08, 2024 5:33 pm

Yes, but the thread is for BTH, not for manual WG setup; that's why I mentioned the BTH app in the first place. Better to have a separate topic for such discussions.
 
sas2k
Frequent Visitor
Posts: 99
Joined: Tue Jan 18, 2022 8:17 am

Re: NEW FEATURE: Back to Home VPN

Sun Sep 01, 2024 12:08 am

Hello dear friends.
Is there a way to use BTH with an rb750gr3?
Maybe some handmade setup is available?
Thank you in advance.
 
nichky
Forum Guru
Posts: 1386
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Sun Sep 01, 2024 6:12 am

@sas2k

there is no way to run BTH on MMIPS.

That is only available on ARM/ARM64/TILE
 
DDDM
just joined
Posts: 10
Joined: Sun Oct 29, 2023 7:34 am

Re: NEW FEATURE: Back to Home VPN

Wed Sep 04, 2024 5:37 pm

This morning my Samsung phone was updated. Since then BTH is not working properly: I can barely connect to my IP cams and to my home server, but I'm unable to use browsers and other apps getting my home IP and network. Samsung did something which broke everything (not for the first time). Anybody with the same problem?
 
nichky
Forum Guru
Posts: 1386
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Thu Sep 12, 2024 9:28 am

How does the Share invite link work?

I can see the link, but it doesn't add on the BTH application (mob to mob).
 
normis
MikroTik Support
Topic Author
Posts: 26880
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Thu Sep 12, 2024 3:35 pm

Send the link to a friend.
The friend needs the BTH app.
The friend clicks on the link, and setup opens.
 
nichky
Forum Guru
Posts: 1386
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Fri Sep 13, 2024 2:43 am

@normis

I think that I figured it out.

I was trying with Facebook Messenger.

Teams, WhatsApp and Messages - all working.
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Fri Sep 13, 2024 3:15 am

> i was trying with facebook messenger.
>
> teams , whatsapp and messenger - all working

Well, the share link returns HTML that requires JavaScript. So if FB tries to "unfurl" (e.g. click the link to summarize content for a message stream), the BTH link is only a redirect to the App Store with no HTML body - and FB may not like a link that leaves the app or needs JavaScript to render...

Whatever app you select for use with BTH share, when the receiver clicks the link... that BTH link needs to run in a real browser, so that the query parameters are provided to the BTH home app (i.e. market:// or http://app.apple.com/... which means navigate to an APP) on the shared user's phone. So if shared by email or SMS, the URL is likely to go through without modification, and email or SMS will send http:// to a browser. So yeah, FB processing the URL and blocking stuff to keep you in their ecosystem isn't surprising ;).
<html>
  <head>
  </head>
  <body>
    <script type="text/javascript">
      var userAgent = navigator.userAgent || navigator.vendor || window.opera;
      if (/android/i.test(userAgent)) {
          window.location.replace("market://details?id=com.mikrotik.android.freevpn");
      }
      else if (/iPad|iPhone|iPod/.test(userAgent) && !window.MSStream) {
          window.location.replace("https://apps.apple.com/us/app/mikrotik/id6450679198");
      }
      else {
          window.location.replace("https://mt.lv/bth");
      }
    </script>
  </body>
</html>
 
rushlife
Member Candidate
Posts: 254
Joined: Thu Nov 05, 2015 12:30 pm

Re: NEW FEATURE: Back to Home VPN

Tue Sep 24, 2024 9:40 pm

The last update of the app led to an unusable state. The app on Android is unable to start.

Tested with a Samsung S23 with Android 14 (OneUI 6.1).
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Thu Sep 26, 2024 5:22 pm

> Regarding the TOPIC
> We have updated the manual with the Share function info (APP side) https://help.mikrotik.com/docs/display/ROS/Back+To+Home
Much thanks for these efforts!
 
nichky
Forum Guru
Posts: 1386
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Fri Sep 27, 2024 5:02 am

Does anyone play with "Disable VPN when home"?

I'm not expecting it to work properly, as this is an experimental feature, but it is so useful.
 
nichky
Forum Guru
Posts: 1386
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Fri Sep 27, 2024 9:29 am

One more thing I noticed today.

When logging in to Back to Home using the local LAN IP address and a user and password from the MT:

With that user you can create and share users, but with the shared user you can only edit, you can't share.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Sat Nov 23, 2024 8:25 pm

Trying to understand BTH some more.
It would appear that it does not function as I thought.
One cannot create QR codes for all remote users and send each of them their own QR code, which the BTH app on Android or iPhone could then simply use to set up their end.
It would appear this can only be done for ONE client.
For PCs, one uses the wireguard client app for Windows to copy the QR code or somehow a config file that may also be provided?......

However, it would appear there still may be a way of doing this.
I have to use a smartphone on my network to create my own BTH tunnel.
Then, using the BTH app functionality as the admin, I can create as many QR codes etc. to share with others and send them the QR code or config file provided for each share.

Is this correct??
Bizarre that I cannot do this FROM or AT the router ?????
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Sat Nov 23, 2024 8:42 pm

> Trying to understand BTH some more.
> Is this correct??
> Bizarre that I cannot do this FROM or AT the router ?????

Did you look in /ip/cloud/print (first BTH user), or /ip/cloud/back-to-home-users/show-client-config XX (2nd or more BTH users)?

But I just noticed, under /interface/wireguard/peer in Winbox4, I don't see the QR code or client config for the matching BTH peer for the 1st user in the UI there – that does seem wrong.... The 2nd "BTH user" does have a client config/QR, and the 1st BTH user's client config shows at the CLI. But in all cases, the BTH QR/client config appears under /ip/cloud, showing both QR/client config in the CLI and winbox4.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Sun Nov 24, 2024 1:09 am

Hi Ammo, reading the docs there is only one QR code one can generate from the router itself; the rest, if I read this right, is that you can easily create and manage additional QR codes and send them all from the admin smartphone.
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Sun Nov 24, 2024 2:36 am

> Hi Ammo reading the docs there is only one qr/code one can generate from the router itself, the rest if I read this right, is that you can easily create and manage additional Qr codes and send them all from the admin smartphone.

The docs aren't entirely clear, but the "share" ones should have QR codes in RouterOS under IP > Cloud > Back-to-Home User. And if you created a share on the phone, the WG peer config will be there. If you use "New" in /ip/cloud/back-to-home-users in winbox to create new BTH users, you'd pick a key when you do it that way, and since winbox isn't a phone it cannot forward it directly via SMS/email/etc - but the "new" in winbox does the same as the app.

Now, I might not be understanding the problem. And agree docs are entirely clear about the QR codes for 2nd/"shared" users: https://help.mikrotik.com/docs/spaces/R ... me-IPCloud

But under IP > Cloud in winbox there should be a QR code for the main user and the shared users from the app.
 
Coughy
Frequent Visitor
Posts: 86
Joined: Tue Apr 23, 2024 2:53 am
Location: Brisbane Au

Re: NEW FEATURE: Back to Home VPN

Sun Nov 24, 2024 4:30 am

You are correct, there is a QR code in the
ip/cloud section called
VPN Wireguard client config QRcode


> Hi Ammo reading the docs there is only one qr/code one can generate from the router itself, the rest if I read this right, is that you can easily create and manage additional Qr codes and send them all from the admin smartphone.
> The docs aren't entirely clear, but the "share" ones should have QR codes in RouterOS under IP > Cloud > Back-to-Home User. And if you created a share on the phone, the WG peer config will be there. If you use the "New" in the /ip/cloud/back-to-home-users in winbox to create new BTH users, while you'd pick a key when you do it that way & since winbox isn't a phone, it cannot forward it directly via SMS/email/etc - but the "new" in winbox do same as app.
>
> Now, I might not be understanding the problem. And agree docs are entirely clear about the QR codes for 2nd/"shared" users: https://help.mikrotik.com/docs/spaces/R ... me-IPCloud
>
> But under IP > Cloud in winbox should have QR code for the main user and shared users from app.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Mon Nov 25, 2024 6:18 pm

Read the docs y..........
> Connect to router
> Enable DDNS Cloud service: `/ip/cloud/set ddns-enabled=yes`
> Enable Back To Home: `/ip/cloud/set back-to-home-vpn=enabled`
> Print tunnel configuration: `/ip/cloud/print`
> Scan QR Code (`vpn-wireguard-client-config-qrcode`) or Copy config (`vpn-wireguard-client-config`) and enter in preferred WireGuard® client. Only one client at a time will be available to use this config.

In other words, the router itself can only generate one setup via BTH; the rest have to be done from the Admin's smartphone.
Just waiting for NORMIS to confirm!
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Mon Nov 25, 2024 6:46 pm

As I said, the docs are not very clear. But the end of the docs does reference the commands. The wording at the top of the docs should be changed IMO.

> In other words, the router itself can only generate one setup via BTH, the rest have to be done from the Admins smartphone.
> Just waiting for NORMIS to confirm!

But you can try in winbox, or via CLI too:
/ip/cloud/back-to-home-users/add allow-lan=no comment="2nd user - added from RouterOS" name="$[/system identity get name] 2nd user" 
:delay 2s 
/ip/cloud/back-to-home-users/show-client-config [find name~"2nd"]
which will add a new shared/2nd+ user from the CLI and show its client config.
(with a BUG: if you cut-and-paste without [:delay], it does not find the new peer)

And you can see the BTH peer and QR code under WG too (as a dynamic entry):
/interface/wireguard/peer/print
/interface/wireguard/peer show-client-config [find comment~"2nd"]
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Mon Nov 25, 2024 7:57 pm

okay hopefully NORMIS will provide his usual clarity. :-) :-)
 
normis
MikroTik Support
Topic Author
Posts: 26880
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Tue Nov 26, 2024 8:23 am

Each client has a separate configuration and a separate code. All users are configured in the /ip/cloud/back-to-home-users/ section.
Do not ever use the QR code displayed in the "ip cloud" menu to invite somebody other than yourself. That is a one-time use code for yourself.

Normally you would do all the setup from the BTH mobile app; there it is much easier to understand.

The back-to-home-users menu is a new menu; this is why some of the documentation is conflicting. We will fix that.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Tue Nov 26, 2024 4:28 pm

Hi Normis,

Understood, the One Time user available on the ROUTER itself is for the ADMIN to use. I presume this is meant to be put on the admin's phone, and from there he can easily generate additional QR codes or configs to send to as many clients as he/she, it, they, them etc. desires.

I also understand that once folks have accepted the QR code on their smartphone app, or WireGuard client app (laptops), etc., the results show up on the associated MT router's IP Cloud tab (users) and can be configured further if required (add access to subnets, delete, and probably other options).

Of special note, much thanks for providing this capability; it's not part of WireGuard core, but many other apps have implemented some form of QR code generation or another, and MT has managed to incorporate the same right into the OS BZ! This provides the ability for most users to SAFELY and remotely reach their router and subnets when one has no access to a public IP. Also, for some, it removes the need to pay a third-party provider to do the same.

Now if we can just crack the Routing BUG and wireguard with multi WANs.........
Last edited by anav on Tue Nov 26, 2024 4:32 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Tue Nov 26, 2024 4:31 pm

anav:1 ammo:0 (but who's counting) - by the way it looks like my advice after inauguration day will cost 25% more jajajaja
(ps don't worry, only applies to USA; rest of the world, same free advice, quality not guaranteed until reviewed by mkx/sob and a few others..........)

Edit................... Damn it to sHELL, Ammo is right again.
anav:0 ammo:1
Last edited by anav on Wed Nov 27, 2024 4:29 pm, edited 1 time in total.
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Tue Nov 26, 2024 6:15 pm

anav:1 ammo:0 (but who's counting)
Except I'm not wrong. All BTH are just WG peers, and have QR codes. So just like any other peer, don't use the same peer twice. The advice for the first one (/ip/cloud) applies to the shared ones too (/ip/cloud/back-to-home-user) - don't use them twice, as they have an IP address assigned in the peer's client config.

@normis is totally right: the app is an easy, consumer-friendly way of configuring it - but it is still just normal WG under the covers and equally configurable from winbox/webfig too.
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Tue Nov 26, 2024 6:24 pm

I also understand that once folks have accepted the QR code on their smartphone app, or WireGuard client app (laptops), etc., the results show up on the associated MT router's IP Cloud tab (users) and can be configured further if required (add access to subnets, delete, and probably other options).
The peer is created by the BTH app when initially shared; it has nothing to do with whether the end user "accepts" or uses it. The shared peer will appear under /ip/cloud/back-to-home-users once shared.

Now if we can just crack the Routing BUG and wireguard with multi WANs.........
Now here we agree. :)

On the docs...
The back-to-home-users menu is a new menu, this is why some of the documentation is conflicting. We will fix that.
Perhaps describing how it works "under the covers" might help with these questions in the future. AFAIK, from RouterOS and the WG client, BTH is still just a WG peer - just with a DNS name that MAY use MikroTik's custom "WG proxy" server & some dynamic firewall rules based on /ip/cloud/back-to-home-users allow-lan=.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Tue Nov 26, 2024 7:10 pm

Won't say you are wrong, I would rather use obtuse! ;-)

First though, I would agree that the associated MT router probably receives the new peer information UPON creation on the admin's smartphone.
My assumption was that the router gets populated upon the first hookup attempt. However, after reading your post it makes sense upon profile creation. The MT relay server has no storage capacity to hold information, and thus upon first contact it won't work, as the router would not know about the incoming yet!!

Except I'm not wrong. All BTH are just WG peers, and have QR codes. So just like any other peer, don't use the same peer twice. The advice for the first one (/ip/cloud) applies to the shared ones too (/ip/cloud/back-to-home-user) - don't use them twice, as they have an IP address assigned in the peer's client config.

The function of the ROUTER-generated BTH client is NOT the same as the ones created via MANAGE SHARES.
The function of the ROUTER-generated BTH client is to create ONE client, and we should call it the MASTER client peer.
This master client peer, typically on the admin's smartphone, using the BTH app, is then used to generate AS MANY further client peers as required.

No one indicated that one should only generate one user profile in Managed Shares and then send that single client setup to all users. ??????????????
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Tue Nov 26, 2024 7:28 pm

It's WG, so all are peers. The app and /ip/cloud just always create ONE peer upon enabling it. If you need more, you need the "managed shared" (or /ip/cloud/back-to-home-users). On the "shared" ones, there is the additional option allow-lan=, so that's the only difference AFAIK.

So there is actually no difference between a shared user/peer (if allow-lan=yes) and the "MASTER" one.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Tue Nov 26, 2024 8:41 pm

It's WG, so all are peers. The app and /ip/cloud just always create ONE peer upon enabling it. If you need more, you need the "managed shared" (or /ip/cloud/back-to-home-users). On the "shared" ones, there is the additional option allow-lan=, so that's the only difference AFAIK.

So there is actually no difference between a shared user/peer (if allow-lan=yes) and the "MASTER" one.
Disagree, the only thing in common is that they use the same WireGuard interface.
They both allow a user to access the internet and, if the admin dictates, also access to the LAN.

Beyond accessing the router (for internet or LAN access) there is nothing else in common.
Note: If it wasn't obvious, the (second to infinity) client peers are not for access to the router itself!

So it's crystal clear!!! Beyond normal use, client peers 2 to infinity in BTH have no purpose/function.

The ROUTER-initiated client peer (the one that should go on the admin's smartphone) can, via Managed Shares, create additional peer clients to the same router. The client peers (second created to infinity) CANNOT create additional peer clients.

They are not equal.....
There must be a hook in the BTH app that is set by the MASTER PEER config created on the router. The BTH app recognizes the additional hidden sent info and authorizes the BTH app at that device to have a CONFIG generation capability. Perhaps even only allowing that peer to show MANAGE SHARES as a tabbed option.
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Tue Nov 26, 2024 9:12 pm

The ROUTER-initiated client peer (the one that should go on the admin's smartphone) can, via Managed Shares, create additional peer clients to the same router. The client peers (second created to infinity) CANNOT create additional peer clients.

They are not equal.....
Now I get the confusion. The thing is you can use a normal WG client app with the BTH config from /ip/cloud/back-to-home-users, and it works the same as for the 2+ BTH peers.

FWIW, the BTH app is what's confusing. In the app, you still log in to the router using normal winbox/etc credentials, which internally modifies the BTH/WG config on the router. The 1st WG alone does not let you modify users either - it's the saved router password in the app that does that.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 4:41 am

Not sure what you mean. If a user (not admin) uses the BTH app to set up a BTH tunnel after receiving the QR code, or URL link, or exported config file generated on the admin's smartphone, then the user access is done through the BTH app, not the standard WireGuard app.

Now what has not been explained, at least to my knowledge and not in the docs, is what happens if I take that QR code (a user generated by Manage Shares) and try to import it into the regular plain WireGuard app. Methinks it's proprietary to the MT BTH setup and thus would not work on the ordinary WireGuard app.

Now in case the admin doesn't have a smartphone and still wants a WireGuard connection to another device, presumably a PC, then one can manually do the dirty deed by using the QR code generated in the BTH VPN WireGuard tab selection (identical to /ip/cloud/print; this entry is meant to be used when only a single user, presumably admin, is involved).

Instead of this config going on a smartphone for the BTH app, it can go on any device (usually a PC), but I imagine also a smartphone, USING the standard WireGuard app.
The downside, of course, is that it's a ONE OFF, and the admin cannot generate further user accounts from this connection.
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 5:42 am

Not sure what you mean. If a user (not admin) uses the BTH app to set up a BTH tunnel after receiving the QR code, or URL link, or exported config file generated on the admin's smartphone, then the user access is done through the BTH app, not the standard WireGuard app.
That's why the app is more confusing. Yes, BTH is also a WireGuard client too - beyond its role to configure BTH. So, yes, the shared ones don't need the router user/password. But the provisioning step can always be done with "Create New" in the app - which is where you need the router user/password. Now how the app works is not the hill I'm going to die on, so I could be slightly off; as I said, it's MORE confusing than winbox/CLI - at least to me.

Now what has not been explained, at least to my knowledge and not in the docs, is what happens if I take that QR code (a user generated by Manage Shares) and try to import it into the regular plain WireGuard app. Methinks it's proprietary to the MT BTH setup and thus would not work on the ordinary WireGuard app.
Nope. It should work, or at least that's how I use a BTH "shared user" on my Mac. And I just retested with a cut-and-paste client config from the "2nd BTH" user CLI shown.
BTH 2nd User Using MacOS WG Client.png
which was actually my 3rd user ... so it got automatically assigned 192.168.216.4 / ::4 - since the default values will automatically use the next greatest IP within the BTH subnet.


And the proxy support, if needed, will still work with the normal WG client too.

do the dirty deed by using the QR code generated in the BTH VPN WireGuard tab selection (identical to /ip/cloud/print; this entry is meant to be used when only a single user, presumably admin, is involved).
Assuming you were NOT already using the "Main"/MASTER client on your phone. Otherwise, you'd need to hit the "Back to Home User" button in IP>Cloud to get the 2nd++ "peer".

Also, I find just cut-and-pasting the "Client Config" text is easier than using a QR code if you're on a PC. The QR code should work the same, but I don't use it, so not 100%.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 6:21 am

Okay, to be clear, it seems what you are saying is that you can take a WireGuard config generated by the admin on the admin's smartphone, for another user, using the Manage Shares approach, and it can be applied to any normal WIREGUARD APP, aka on smartphone or PC etc. (stating that the BTH app is NOT required/mandatory)??

Just trying to figure out the use/advantage of the BTH app ??
Maybe an easy way to give someone WAN access without touching the normal WG config?
Maybe an easy way to give someone access to the LAN without touching the normal WG config..
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 6:33 am

Yup. The app is not mandatory, as EVERYTHING can technically be done using RouterOS winbox/CLI alone.

As @normis suggests, the app may be easier. Although just enabling BTH under /ip/cloud is not very hard either (i.e. it's a radio button, which enables BTH & gets you the 1st WG client, and then with the "Back To Home Users" button, any 2nd user will automatically generate keys/config/IP).
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 4:27 pm

Okay, so it's just a convenience APP for the users second to infinity. The only critical use of the BTH app is for the first user (admin), as that account on that phone is the only one where the APP has MANAGE shares capability. The PRIMARY config loaded! You know it's very annoying that you're right ;-)
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 4:45 pm

You know it's very annoying that you're right ;-)
Can we agree to blame Mikrotik's docs? :)

BTH is actually pretty elegant since it really just uses DDNS to determine if proxy is needed, but always still plain WG. The docs are just bad (overly complex for simple case & not enough info for someone like you who knows WG to understand how it works).
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 4:49 pm

I am working on that bit (improving docs), which is why I am being nitpicky in my understanding.
I forget, where do the firewall rules show up that allow a USER to access the WAN and possibly the LAN???
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 4:55 pm

I am working on that bit (improving docs), which is why I am being nitpicky in my understanding.
I forget, where do the firewall rules show up that allow a USER to access the WAN and possibly the LAN???
On the firewall, there is an address-list named "back-to-home-lan-restricted-peers" in /ip/firewall/address-list that gets dynamically added by the BTH code on RouterOS if allow-lan=no in /ip/cloud/back-to-home-users.
Along with DYNAMIC /ip/firewall/filter rules that enforce it:
0 D ;;; back-to-home-vpn
chain=forward action=drop
src-address-list=back-to-home-lan-restricted-peers
out-interface-list=LAN
1 D ;;; back-to-home-vpn
chain=input action=accept protocol=udp dst-port=25297
BTH also adds a NAT rule just by enabling BTH for the 1st peer:
0 D ;;; back-to-home-vpn
chain=srcnat action=masquerade src-address=192.168.216.0/24

Only the DDNS part is magic in BTH.
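An added audit check for the rules described in the post above (example code written for this thread, not RouterOS code and not Amm0's): it parses a filter listing in the same layout as the print output quoted above and confirms that the allow-lan=no enforcement (the dynamic forward drop from the restricted address list to the LAN interface list) and the WireGuard UDP input accept are both present. The sample listing is constructed to mirror the post; the third rule is an invented default-config entry to show non-BTH rules are ignored.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the /ip/firewall/filter print output
# quoted in the post above; the third rule is an invented non-BTH entry.
SAMPLE_FILTER_PRINT = """\
0 D ;;; back-to-home-vpn
chain=forward action=drop
src-address-list=back-to-home-lan-restricted-peers
out-interface-list=LAN
1 D ;;; back-to-home-vpn
chain=input action=accept protocol=udp dst-port=25297
2   ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related
"""

# "<index> <flags> ;;; <comment>" starts a rule; flags such as D (dynamic)
# or X (disabled) sit between the index and the comment marker.
RULE_HEADER = re.compile(r"^(\d+)\s+([A-Z ]*?)\s*;;;\s*(.*)$")
BTH_COMMENT = "back-to-home-vpn"
RESTRICTED_LIST = "back-to-home-lan-restricted-peers"


def parse_filter_print(text: str) -> List[Dict[str, str]]:
    """Turn the multi-line listing into one dict per rule.

    Each dict carries _index, _flags and _comment from the header line plus
    every key=value token found on the continuation lines that follow it.
    """
    rules: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = RULE_HEADER.match(line)
        if header:
            rules.append({
                "_index": header.group(1),
                "_flags": header.group(2).replace(" ", ""),
                "_comment": header.group(3),
            })
            continue
        if not rules:
            continue  # continuation text before any header: ignore
        for token in line.split():
            key, sep, value = token.partition("=")
            if sep:
                rules[-1][key] = value
    return rules


def audit_bth_firewall(rules: List[Dict[str, str]], lan_list: str = "LAN") -> Dict[str, object]:
    """Check the BTH-tagged rules for the two things the post describes:
    the forward drop that keeps allow-lan=no peers off the LAN, and the
    input accept for the WireGuard UDP port.  Also reports whether every
    BTH rule still carries the D flag, i.e. is managed by RouterOS rather
    than being a hand-made static copy."""
    lan_restriction = False
    wg_input_accept = False
    wg_port = None
    all_dynamic = True
    bth_rule_count = 0
    for rule in rules:
        if rule.get("_comment") != BTH_COMMENT:
            continue
        bth_rule_count += 1
        if "D" not in rule["_flags"]:
            all_dynamic = False
        if (rule.get("chain") == "forward" and rule.get("action") == "drop"
                and rule.get("src-address-list") == RESTRICTED_LIST
                and rule.get("out-interface-list") == lan_list):
            lan_restriction = True
        if (rule.get("chain") == "input" and rule.get("action") == "accept"
                and rule.get("protocol") == "udp" and "dst-port" in rule):
            wg_input_accept = True
            wg_port = int(rule["dst-port"])
    return {
        "lan_restriction": lan_restriction,
        "wg_input_accept": wg_input_accept,
        "wg_port": wg_port,
        "all_dynamic": all_dynamic,
        "bth_rule_count": bth_rule_count,
    }


if __name__ == "__main__":
    report = audit_bth_firewall(parse_filter_print(SAMPLE_FILTER_PRINT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Paste the router's own listing in place of the constructed sample; if `lan_restriction` comes back False while restricted (allow-lan=no) users exist, those peers can reach the LAN, which is the condition the check is meant to catch. The parser follows the line layout shown in the post, so a listing printed in a different format (e.g. one rule per line) would need the header regex adjusted.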
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 5:39 pm

Which WG peer endpoint do BTH users (non-admin, for whom the config is shared) connect to if they are able to use the WG VPN app? Always the MT cloud host? Is it then not possible to get a P2P WG connection, even if the ROS device WG peer has public access? If the DDNS host is resolved to the ROS device IP, the WG VPN app will fail to connect if there is no public access (e.g. CGNAT); if it is resolved to some MT cloud host, then it always uses that host and the connection is tunneled through it.
Maybe it is the case that some service on the MT cloud checks at some interval (or maybe per resolve, but I doubt it because of DNS caching behavior) whether there is WG public access and assigns the public IP of the ROS device to the DDNS host, and if not, assigns the IP of the cloud host.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 5:58 pm

As AMMO stated, the magic is the DDNS part of the BTH user config (allowed IPs). I am assuming this sends the user to the MT server. The server keeps track of whether the MikroTik router has a direct type of connection and then rejigs the destination/source address type information such that the BTH user's traffic then goes direct to the MT router.
So it's not dependent upon which APP is used; the key is the DDNS address being used.
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 6:04 pm

Not sure I follow, how can traffic go directly to the MT router if the WG endpoint DDNS IP address is always some MT server? Unless the IP is, as I wrote, dynamically assigned on the DDNS service depending on WG public access detection. This can be easily checked by resolving the DDNS host from the WG peer endpoint configuration and seeing which IP is resolved in both cases - when the ROS device has public access and when not (or maybe just by blocking the BTH WG peer port from WAN in the firewall on the ROS device).
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 8:06 pm

Because the destination and source addresses are kept up to date by WireGuard ROS at either end, MT ensures that if there is a direct connection the client uses the direct dst IP address instead of the DDNS one. I am assuming that in the traffic back to the client, the BTH connection sends the updated endpoint address...........
This would work whether the client config was made on the BTH app or the WireGuard app.
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 8:34 pm

Hmm, let's say that the ROS device WAN access at a certain point is changed, goes behind CGNAT or the opposite, while the BTH WG configuration is already shared; then in such a case does the shared configuration become invalid? Assuming that the shared WG peer endpoint is set in the config to a host depending on when the shared configuration is made, it doesn't seem flexible for LTE mobile routers (in some cases WAN access can be behind CGNAT or not if the MO SIM is changed...). I would love to see the plain text config for a shared WG peer from the QR to understand this; I don't have a BTH setup on my router to check...
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 10:10 pm

Well, BTH is actually useful for LTE for a router-to-router WG with a CGNAT. This is a use case @normis does not quite get with the "always use app" approach, and why I persist in explaining it, since regular WG will not use BTH's "relay" server hosted by MikroTik to deal with hole punching. (I used "proxy" above, but relay may be more accurate.)
Hmm, let's say that the ROS device WAN access at a certain point is changed, goes behind CGNAT or the opposite, while the BTH WG configuration is already shared; then in such a case does the shared configuration become invalid? Assuming that the shared WG peer endpoint is set in the config to a host depending on when the shared configuration is made, it doesn't seem flexible for LTE mobile routers (in some cases WAN access can be behind CGNAT or not if the MO SIM is changed...). I would love to see the plain text config for a shared WG peer from the QR to understand this; I don't have a BTH setup on my router to check...
/ip/cloud DDNS being enabled is required for BTH. And they use an additional DNS FQDN per router for the endpoint, <sn>.vpn.mynetname.net. And that's what's used as the "Endpoint" in the WG config. The value of the *.vpn.mynetname.net name is EITHER a public IP detected by /ip/cloud's DDNS, or, if DDNS detects a NAT, then the DNS name resolves to the MikroTik BTH relay.

I know it does switch, but not sure of the exact timing. I'd imagine it follows the value ddns-update-interval= under /ip/cloud to update whether the DNS name uses relay/proxy or direct, plus the DNS TTL - but I did not explicitly test this. I do know it will switch modes, and the WG clients don't care, other than not working while the DDNS is updated/expires from cache.

Here's a sample (with keys/etc changed) of the WG config the same CLI above generates:
# Name = bigdude 2nd user
# CloudDDNS = xxxx0a11yyyy.sn.mynetname.net

[Interface]
ListenPort = 51820
PrivateKey = AbcdAbcdiroehZ7kxlFj52qGrzAZogUk3kllvAbcd=
Address = 192.168.216.4/32, fc00:0:0:216::4/128
DNS = 192.168.216.1

[Peer]
PublicKey = Zxywo/62fHo/pe0g1JFdEkNZTHhZxywLdF+2ZxywFhz=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxxx0a11yyyy.vpn.mynetname.net:25297
PersistentKeepalive = 30

[Peer]
PublicKey = //////////////////////////////////////////8=
AllowedIPs = 0.0.0.0/32
Endpoint = xxxx0a11yyyy.sn.mynetname.net:25297
PersistentKeepalive = 15
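An added example (written for this thread; not MikroTik's code and not Amm0's) that parses a client config in the shape of the sample above and turns the two things the post explains into checks a defender can run: which peer carries the full-tunnel AllowedIPs, and whether the `<sn>.vpn.mynetname.net` endpoint currently resolves to the router's own DDNS address (direct) or somewhere else (relay). The direct/relay test is an assumption drawn from the post's description, not a documented API: it compares the vpn name against the plain `<sn>.sn.mynetname.net` name taken from the `# CloudDDNS` comment. The embedded config is constructed with placeholder keys and the post's placeholder serial; the live resolver needs network access, so a fake resolver is injected when testing offline.

```python
import ipaddress
import socket
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

# Constructed client config mirroring the sample in the post above; the
# keys are placeholders and "xxxx0a11yyyy" stands in for a router serial.
SAMPLE_CONF = """\
# Name = bigdude 2nd user
# CloudDDNS = xxxx0a11yyyy.sn.mynetname.net

[Interface]
ListenPort = 51820
PrivateKey = AbcdAbcdiroehZ7kxlFj52qGrzAZogUk3kllvAbcd=
Address = 192.168.216.4/32, fc00:0:0:216::4/128
DNS = 192.168.216.1

[Peer]
PublicKey = Zxywo/62fHo/pe0g1JFdEkNZTHhZxywLdF+2ZxywFhz=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxxx0a11yyyy.vpn.mynetname.net:25297
PersistentKeepalive = 30

[Peer]
PublicKey = //////////////////////////////////////////8=
AllowedIPs = 0.0.0.0/32
Endpoint = xxxx0a11yyyy.sn.mynetname.net:25297
PersistentKeepalive = 15
"""

Resolver = Callable[[str], Set[str]]


def parse_wg_conf(text: str) -> Dict[str, Any]:
    """Parse the INI-style WireGuard client config.

    Returns {'meta': {...}, 'interface': {...}, 'peers': [{...}, ...]}; the
    '# Key = value' comment lines RouterOS prepends are collected in 'meta'.
    Values are split on the first '=' only, so base64 key padding survives.
    """
    meta: Dict[str, str] = {}
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            body = line.lstrip("# ")
            if "=" in body:
                key, value = (s.strip() for s in body.split("=", 1))
                meta[key] = value
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "interface":
                current = interface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                current = None
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return {"meta": meta, "interface": interface, "peers": peers}


def is_full_tunnel(peer: Dict[str, str]) -> bool:
    """True when AllowedIPs contains a /0, i.e. all traffic goes via this peer."""
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in peer.get("AllowedIPs", "").split(",") if p.strip()]
    return any(net.prefixlen == 0 for net in nets)


def endpoint_host(peer: Dict[str, str]) -> Tuple[str, int]:
    """Split 'host:port'; the host may be a bracketed IPv6 literal."""
    host, _, port = peer["Endpoint"].rpartition(":")
    return host.strip("[]"), int(port)


def default_resolver(host: str) -> Set[str]:
    """Live DNS lookup (needs network); returns an empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def classify_endpoint(conf: Dict[str, Any], resolver: Resolver = default_resolver) -> str:
    """Assumption from the thread, not a documented MikroTik API: the
    <sn>.vpn.mynetname.net name resolves either to the router's own DDNS
    address (direct) or to MikroTik's relay.  Comparing it with the plain
    <sn>.sn.mynetname.net name from the CloudDDNS comment tells which path
    a client would take at the moment of the lookup."""
    vpn_peer = next((p for p in conf["peers"]
                     if "Endpoint" in p and endpoint_host(p)[0].endswith(".vpn.mynetname.net")), None)
    if vpn_peer is None:
        return "not-bth"
    ddns_name = conf["meta"].get("CloudDDNS")
    if not ddns_name:
        return "unknown"
    vpn_addrs = resolver(endpoint_host(vpn_peer)[0])
    ddns_addrs = resolver(ddns_name)
    if not vpn_addrs or not ddns_addrs:
        return "unresolved"
    return "direct" if vpn_addrs & ddns_addrs else "relay"


if __name__ == "__main__":
    conf = parse_wg_conf(SAMPLE_CONF)
    for i, peer in enumerate(conf["peers"]):
        print(f"peer {i}: endpoint={endpoint_host(peer)} full_tunnel={is_full_tunnel(peer)}")
    print("path:", classify_endpoint(conf))  # live lookup of the placeholder name
```

Feeding a real exported config to `classify_endpoint` with the default resolver gives the answer to optio's question for that router at that moment; re-running it after the DDNS update interval and TTL that Amm0 mentions shows whether the name has flipped between direct and relay. The `is_full_tunnel` flag is worth checking on any config handed to a third party, since a /0 in AllowedIPs means that user's entire internet traffic will exit through the router.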
 
optio
Forum Veteran
Posts: 907
Joined: Mon Dec 26, 2022 2:57 pm

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 10:28 pm

The value of the *.vpn.mynetname.net name is EITHER a public IP detected by /ip/cloud's DDNS, or, if DDNS detects a NAT, then the DNS name resolves to the MikroTik BTH relay.

I know it does switch, but not sure of the exact timing. I'd imagine it follows the value ddns-update-interval= under /ip/cloud to update whether the DNS name uses relay/proxy or direct, plus the DNS TTL - but I did not explicitly test this. I do know it will switch modes, and the WG clients don't care, other than not working while the DDNS is updated/expires from cache.
That is what I was assuming when I wrote previously that the DDNS host IP changes depending on public access, and it makes sense to work like that to have the WG endpoint available in any WAN access case. Thx for clarifying and for the config sample.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 10:54 pm

So in summary, it's transparent to the end user, and hence why both apps can be used.
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 11:21 pm

So in summary, it's transparent to the end user, and hence why both apps can be used.
Yup. Just WG peer, with special DNS name.
 
anav
Forum Guru
Posts: 21730
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Nov 27, 2024 11:33 pm

I want to know more about this line............ "In case of going through relay, speed could be limited."

Clearly we have limits on the client end for the ISP, and limits at the router end from its associated ISP connection, and then there are losses due to using a VPN.
So are they saying on top of that there may be additional losses due to
a. bottleneck at servers (heavy load)?
b. physical distance from the server?


Also, Manage Shares creates three methods. Need to confirm the below.......
A URL LINK (assuming this works only with the BTH app - limited to smartphones with the BTH app)
A QR code which works with both the BTH app and the WireGuard app - so good for all devices
A config file which is primarily designed for PCs and the WireGuard app.


Lastly, when one selects the URL link to share or the CONFIG file, apparently the smartphone automatically prompts, using the standard share choices, to send the LINK or config file to another person.........
BUT what about the second, QR code, method? In the DOCS it says view.
SO no automated cell phone prompts? Does one have to physically select it to get the cell phone prompts, do you have to take a screenshot............what is the process........not clear for the QR code.
 
okomor13
just joined
Posts: 7
Joined: Sun Dec 04, 2022 11:05 am

Re: NEW FEATURE: Back to Home VPN

Thu Dec 05, 2024 9:56 pm

I have a question about relaying. My Mikrotik router is behind a CGNAT connection, so the IPv4 address I receive from my provider is not directly accessible from outside. I have assigned a static IPv4 via an IPIP6 tunnel through a server and added a global route in a separate routing table. With the appropriate mangle entries, an existing Wireguard configuration works perfectly through it.

However, I would like to use the IP/Cloud features, including BTH, and to enforce the use of the static IPv4, I redirected all requests to `cloud2.mikrotik.com` via the static IP using output mangle. The `Public Address` in DDNS then directly shows the static IP. But the `VPN Relay IPv4 Status` in BTH still says `reachable via relay`.

I would like to bypass the relaying, as a direct connection or a connection through my own server is significantly faster.

Is another host than cloud2.mikrotik.com being used to determine reachability of BTH WireGuard?
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Fri Dec 06, 2024 3:12 am

(I was hoping @normis would chime in, since @anav asks good questions. But I'll try...)
I want to know more about this line............ "In case of going through relay, speed could be limited."

Clearly we have limits on the client end for the ISP, and limits at the router end from its associated ISP connection, and then there are losses due to using a VPN.
So are they saying on top of that there may be additional losses due to
a. bottleneck at servers (heavy load)?
b. physical distance from the server?
Kinda both.
a. Normal traffic via an ISP will eventually take many paths. With any proxy/relay, you're forcing a 2nd point where all traffic must flow (with the ISP to the site being the 1st and last point). So if relayed, there is still some finite bandwidth available.
b. There is a North American relay server, so latency is better than when first introduced. But distance adds latency. So for gaming/"live media", longer latency will affect the experience. How much depends on whether the remote end is on the same ISP or a closer interconnect. But if it's traffic already going across oceans/continents, proxying may not be that significant. Also, inner TCP traffic with a higher latency will generally be "slower" than one with a low latency. This is because TCP congestion control often uses latency to determine how fast to send packets.


Also, Manage Shares creates three methods. Need to confirm the below.......
A URL LINK (assuming this works only with the BTH app - limited to smartphones with the BTH app)
A QR code which works with both the BTH app and the WireGuard app - so good for all devices
A config file which is primarily designed for PCs and the WireGuard app.

Lastly, when one selects the URL link to share or the CONFIG file, apparently the smartphone automatically prompts, using the standard share choices, to send the LINK or config file to another person.........
BUT what about the second, QR code, method? In the DOCS it says view.
SO no automated cell phone prompts? Does one have to physically select it to get the cell phone prompts, do you have to take a screenshot............what is the process........not clear for the QR code.
The URL LINK from the app is different. It's some web page with tricks that redirects (which can be a URL to apps) - so that one is different. But the QR code and config file are identical - QR codes just store bytes, so it just stores the same ASCII config file in the QR code as bytes (which you can verify on Linux/Mac with zbarimg from a screen grab of the QR).

So for the official desktop WireGuard app, the config file is easier. For mobile WireGuard, the QR code will scan from the WG mobile app and work the same as the BTH app if needed.
 
Amm0
Forum Guru
Posts: 4240
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Fri Dec 06, 2024 3:19 am

I have a question about relaying. My Mikrotik router is behind a CGNAT connection, so the IPv4 address I receive from my provider is not directly accessible from outside. I have assigned a static IPv4 via an IPIP6 tunnel through a server and added a global route in a separate routing table. With the appropriate mangle entries, an existing Wireguard configuration works perfectly through it.
[...]
When I hear mangle and WireGuard ... often there are "strange" interactions. I guess my question is, does /ip/cloud say "behind a NAT"? AFAIK that's what triggers using the proxy method, in my observation - but I could be wrong.

Also, since you're trying to run another tunnel, I'm not sure the MTU calculation will be right in the default BTH config. And I'm also not sure it's possible to adjust the MTU for BTH's WG interface either...
 
okomor13
just joined
Posts: 7
Joined: Sun Dec 04, 2022 11:05 am

Re: NEW FEATURE: Back to Home VPN

Fri Dec 06, 2024 8:31 am

No, I’m not using mangle for Wireguard but rather to get DDNS detection to recognize the static IPv4 instead of the one behind my provider’s CGNAT. The static IPv4 is not forwarded via NAT but routed through the IPIP6 tunnel. This has been working flawlessly in manual configuration for years.

Yes, it says "Router is behind a NAT. Remote connection might not work". But I’m wondering why BTH doesn’t even try to reach the IP address that's used for DDNS. What’s the point of hole punching if it doesn’t even attempt to reach the known IP?
