Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Route a Static IP through Wireguard Tunnel

Post Reply
 
User avatar
ShanerWarnerX
just joined
Topic Author
Posts: 16
Joined: Mon Jun 26, 2023 5:41 pm

Route a Static IP through Wireguard Tunnel

Tue May 07, 2024 12:10 pm

Hey All,

I have configured a Wireguard Tunnel to a VPS with a Successful Handshake and Can also PING the IP.

The Internet Connection is a PPPoE Dialup with a Dynamic IP (CG-NAT).
I've been trying to create a static route for a Specific IP 192.168.1.43 to go over the WG-Cloud Interface, But it breaks the Connection.
Have even tried to route all traffic over over the WG-Cloud Interface.

Am I missing out on something?

Image
Top
 
rplant
Member
Member
Posts: 352
Joined: Fri Sep 29, 2017 11:42 am

Re: Route a Static IP through Wireguard Tunnel

Tue May 07, 2024 1:21 pm

One solution
Set up a route table to go via wireguard, and route entry to go via the wireguard interface.
Code: Select all
/route table add disabled=no fib name=ViaWG-Cloud

/ip route 
add disabled=no dst-address=0.0.0.0/0 gateway=WG-Cloud routing-table=ViaWG-Cloud
Then for setting up the routing of specified IP Addresses to go via wireguard there are at least a couple of options.
Route Marking packets (possibly more flexible) and Routing Rules (a lot easier for simple cases).
A simple Routing Rule Example
Code: Select all
/routing rule 
add action=lookup comment="min-prefix=0 all known local routes go via main" disabled=no min-prefix=0 table=main
add action=lookup src-address=192.168.1.43/32 dst-address=0.0.0.0/0 table=ViaWG-Cloud
Very likely you will likely also need to set up a NAT rule on the wireguard tunnel.
(As the other end of the tunnel is unlikely to know what to do with 192.168.1.43)
Likely best option is to add the wireguard tunnel to the WAN interface list, which sets up masquerade and also adds firewalling.
(Assuming near default config)
Code: Select all
/interface list member
add interface=WG-Cloud list=WAN
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19825
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Route a Static IP through Wireguard Tunnel

Tue May 07, 2024 4:27 pm

Best to provide config after giving it a go.
Top
 
User avatar
ShanerWarnerX
just joined
Topic Author
Posts: 16
Joined: Mon Jun 26, 2023 5:41 pm

Re: Route a Static IP through Wireguard Tunnel

Wed May 08, 2024 10:13 am

I have configured a NAT rule on the CHR (VPS) and tried the configuration last night, It worked. , And decided to go ahead with a fresh configuration once again as I am still learning and wanted to know what I'm exactly doing, But this time it didn't go as planned, I may have missed out on something again.

Could establish a successful Ping to 10.0.1.1 and a Handshake.

Below Is the configuration:

CHR Configuration
Code: Select all
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-Server-BLR
/interface list
add name=WAN
/port
set 0 name=serial0
/interface list member
add interface=ether1 list=WAN
add interface=WG-Server-BLR list=WAN
/interface wireguard peers
add allowed-address=10.0.1.2/32 interface=WG-Server-BLR name=RB5009-Home public-key="ABCDEFGHIJKLMNOPQ123456789"
/ip address
add address=10.0.1.1/24 interface=WG-Server-BLR network=10.0.1.0
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked \
    connection-type=""
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/system note
set show-at-login=no
RB5009 Configuration
Code: Select all
/interface bridge
add admin-mac=48:A9:8A:9F:B1:C0 auto-mac=no name=bridge
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no mac-address=\
    5C:96:66:50:83:FA name=SFP-ODI-WAN rx-flow-control=auto \
    sfp-shutdown-temperature=70C speed=1Gbps tx-flow-control=auto
set [ find default-name=ether1 ] mac-address=5C:96:66:50:83:FA
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-Cloud-BLR
/interface vlan
add interface=SFP-ODI-WAN name=VL10-Broadband vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=VL10-Broadband name=\
    Instanet-PPPoE-01 use-peer-dns=yes user=ISPUsername
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "15 664 676 352" type=partition
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/routing table
add disabled=no fib name=ViaWG-Cloud-BLR
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge disabled=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=Instanet-PPPoE-01 list=WAN
add interface=SFP-ODI-WAN list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=129.XXX.XX.XX2 endpoint-port=\
    13231 interface=WG-Cloud-BLR public-key=\
    "ABCDEFGHIJKLMNOPQ123456789"
/ip address
add address=192.168.1.10/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.2.10/24 interface=SFP-ODI-WAN network=192.168.2.0
add address=10.0.1.2/24 interface=WG-Cloud-BLR network=10.0.1.0
/ip arp
add address=192.168.2.1 interface=SFP-ODI-WAN
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.1.43 client-id=1:5c:96:66:50:83:fa mac-address=\
    5C:96:66:50:83:FA server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.10 gateway=\
    192.168.1.10 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.10 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=129.XXX.XXX.XX0/32 gateway=Instanet-PPPoE-01 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Instanet-PPPoE-01 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10 vrf-interface=Instanet-PPPoE-01
add disabled=no dst-address=0.0.0.0/0 gateway=WG-Cloud-BLR routing-table=\
    ViaWG-Cloud-BLR
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup comment="min-prefix=0 all known local routes go via main" \
    disabled=no min-prefix=0 table=main
add action=lookup dst-address=0.0.0.0/0 src-address=192.168.1.43/32 table=\
    ViaWG-Cloud-BLR
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Top
 
rplant
Member
Member
Posts: 352
Joined: Fri Sep 29, 2017 11:42 am

Re: Route a Static IP through Wireguard Tunnel

Wed May 08, 2024 1:27 pm

/interface list member
add interface=WG-Cloud-BLR list=WAN


Possibly also
Change the wireguard MTU on the 5009 to 1412 (because its inside pppoe)
Add a persistent keep alive on the 5009 (somewhere 25-60 seconds is likely good)
Top
Post Reply

Who is online

Users browsing this forum: ale2co, ckonsultor, gabeluci, ursaca, zahgl and 37 guests
  4. RouterOS
  5. Beginner Basics