ictoplossing
just joined
Topic Author
Posts: 14
Joined: Wed Jul 12, 2023 6:50 pm

How to route all traffic through WireGuard VPN and keep LAN access?

Thu Nov 16, 2023 12:09 pm

Hello,

I have:
  • pppoe Internet access from my provider
  • LAN with IP-range 10.0.0.0/24
  • WireGuard access 9.0.0.0/24
I can connect to the MikroTik (and get a handshake) but can't get access to the shared folder on the NAS 10.0.0.200 (also can't get to the control panel via browser).

Can anybody explain to me why this happens, please?

Thanks!
/interface bridge
add admin-mac=CC:CC:6E:CC:93:CC arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=belgium disabled=no distance=indoors frequency=2422 installation=\
    indoor mode=ap-bridge ssid="Home" wireless-protocol=802.11 wps-mode=\
    disabled
/interface wireguard
add listen-port=443 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=1000.d1@DQ
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=*1 use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=9.0.0.5/24 comment="Laptop" interface=wireguard1 \
    persistent-keepalive=10s public-key=\
    "Xv==========================EMQVg="
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=9.0.0.1/24 comment="WireGuard VPN" interface=wireguard1 network=\
    9.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.nextdns.io/XXXXXX \
    verify-doh-cert=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-nat-state="" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="wireguard handshake" dst-port=443 \
    protocol=udp
add action=accept chain=input comment="allow LAN access" in-interface-list=\
    LAN
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="home access" in-interface=wireguard1 \
    out-interface-list=WAN
add action=accept chain=forward comment="home access" in-interface=wireguard1 \
    out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall filter
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"
 
anav
Forum Guru
Posts: 23405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to route all traffic through WireGuard VPN and keep LAN access?

Thu Nov 16, 2023 3:26 pm

Since the MT router is the server for the handshake, there is no NEED for KEEP ALIVE on the peer setting for the laptop.

Looking at the config, it would appear you should be able to do both.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=pppoe-out1 list=WAN



1. The wireguard interface is a member of the LAN interface list, and thus you should have access to the input chain for config.

add action=accept chain=input comment="allow LAN access" in-interface-list=LAN

2. The wireguard interface is a member of the LAN interface list, and thus you should have access to the WAN and LAN.

add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="home access" in-interface=wireguard1 \
    out-interface-list=WAN
{ not required, see rule above }
add action=accept chain=forward comment="home access" in-interface=wireguard1 \
    out-interface-list=LAN


Assuming the allowed IPs on the laptop is 0.0.0.0/0, I have no clue where the problem is.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Perhaps try with normal DNS settings and see if that makes a difference??

Also Allowed IPs for the client peer should be /32:
/interface wireguard peers
add allowed-address=9.0.0.5/32 comment="Laptop" interface=wireguard1 \
    persistent-keepalive=10s public-key=\
    "Xv==========================EMQVg="
{ remove keep alive! }
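The rule walk-through above can be checked mechanically. The following is an added example, not code from the thread or from MikroTik: a first-match model in Python of the interface lists and the stateless input/forward rules in the posted export. The lists, rules and probe packets are constructed here to mirror the posted config; the conntrack (established/related), fasttrack and ipsec-policy matchers are deliberately left out, and the rule comments "home access (WAN)" and "home access (LAN)" are labels chosen for this model, not the original comments.

```python
"""Added example, not from the thread: a first-match model of the interface
lists and the stateless input/forward rules in the posted RouterOS config.
Lists, rules and probe packets are constructed here to mirror the export;
conntrack, fasttrack and ipsec-policy matchers are deliberately left out."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# /interface list member, as posted: wireguard1 sits in LAN, pppoe-out1 in WAN
INTERFACE_LISTS = {
    "LAN": {"bridge", "wireguard1"},
    "WAN": {"ether1", "pppoe-out1"},
}


@dataclass
class Packet:
    in_iface: str
    out_iface: Optional[str] = None  # None: destined to the router itself (input chain)
    proto: str = "tcp"
    dst_port: Optional[int] = None


@dataclass
class Rule:
    chain: str
    action: str
    comment: str
    in_iface: Optional[str] = None
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must hold (RouterOS ANDs its matchers)."""
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.in_list and p.in_iface not in INTERFACE_LISTS[self.in_list]:
            return False
        if self.out_list and p.out_iface not in INTERFACE_LISTS[self.out_list]:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


# The stateless subset of /ip firewall filter from the post, in posted order.
# Comments in parentheses are model labels, not the original rule comments.
RULES: List[Rule] = [
    Rule("input", "accept", "wireguard handshake", proto="udp", dst_port=443),
    Rule("input", "accept", "allow LAN access", in_list="LAN"),
    Rule("input", "drop", "Drop all else"),
    Rule("forward", "accept", "internet traffic", in_list="LAN", out_list="WAN"),
    Rule("forward", "accept", "home access (WAN)", in_iface="wireguard1", out_list="WAN"),
    Rule("forward", "accept", "home access (LAN)", in_iface="wireguard1", out_list="LAN"),
    Rule("forward", "drop", "Drop all else"),
]

# Constructed probe packets: VPN client to router (Winbox 8291), handshake from
# the internet, Winbox from the internet, LAN and VPN to the internet, VPN to
# the NAS on the bridge, internet to the LAN.
PROBES: List[Packet] = [
    Packet("wireguard1", None, "tcp", 8291),
    Packet("pppoe-out1", None, "udp", 443),
    Packet("pppoe-out1", None, "tcp", 8291),
    Packet("bridge", "pppoe-out1"),
    Packet("wireguard1", "pppoe-out1"),
    Packet("wireguard1", "bridge"),
    Packet("pppoe-out1", "bridge"),
]


def evaluate(chain: str, p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, comment) of the first rule in `chain` that matches p.
    A chain with no matching rule accepts, as RouterOS does."""
    for r in rules:
        if r.chain == chain and r.matches(p):
            return r.action, r.comment
    return "accept", "chain default"


def redundant_rules(rules: List[Rule] = RULES, probes: List[Packet] = PROBES) -> List[str]:
    """Comments of rules that are never the first match for any probe.
    Probe-based, so it only proves redundancy for the traffic classes listed."""
    hit = set()
    for p in probes:
        chain = "input" if p.out_iface is None else "forward"
        hit.add(evaluate(chain, p, rules)[1])
    return [r.comment for r in rules if r.comment not in hit]


if __name__ == "__main__":
    for p in PROBES:
        chain = "input" if p.out_iface is None else "forward"
        print(chain, p.in_iface, "->", p.out_iface or "router", evaluate(chain, p))
    print("never first match:", redundant_rules())
```

Running it confirms the two points made above: the VPN-to-router packet is accepted by "allow LAN access" and the VPN-to-internet packet by "internet traffic", so the wireguard1-to-WAN "home access" rule is never the first match. The VPN-to-NAS packet, on the other hand, is accepted only by the wireguard1-to-LAN rule, because "internet traffic" requires the output interface to be in WAN; that rule is the one that matters for reaching 10.0.0.200. On the real router the established/related accept and fasttrack rules sit in front of these, so only the first packet of each connection is judged this way.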
 
ictoplossing
just joined
Topic Author

Re: How to route all traffic through WireGuard VPN and keep LAN access?

Thu Nov 16, 2023 5:02 pm

Hi anav,

Yes, Allowed IPs is 0.0.0.0/0.
I have removed "Keep alive"

What do you mean here?
Perhaps try with normal DNS settings and see if that makes a difference??

The network adapter gets this IP:

   Unknown adapter wireguard2:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 9.0.0.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   

Also I can't connect to 10.0.0.1 (MikroTik via Winbox).
 
anav
Forum Guru

Re: How to route all traffic through WireGuard VPN and keep LAN access?

Thu Nov 16, 2023 6:06 pm

That's a good sign, as it looks like you are getting at least the correct IP address.
There may be an issue with your Windows WireGuard client. Did you get the client from the WireGuard website? (If so, good; if from an MS Windows site, not good.)
Ensure you have no blocking firewall or AV on the Windows side.

Remember Winbox needs the correct port identified for Winbox access.
If you are using the default 8291, then just the IP should suffice. If using a different port than the default (recommended), then you need to add the port:
9.0.0.1:xxxxxx on the Winbox IP line.

Finally, check your NAS. Typically I have seen that the NAS blocks any IP that's not in the current subnet where the NAS resides, so you have to ensure it will permit an address of 9.0.0.5.
 
ictoplossing
just joined
Topic Author

Re: How to route all traffic through WireGuard VPN and keep LAN access?

Mon Nov 20, 2023 1:49 pm

Hi anav,
Nope, I can't access network 10.0.0.0 from the WireGuard network 9.0.0.0.

Where am I wrong?
 
anav
Forum Guru

Re: How to route all traffic through WireGuard VPN and keep LAN access?

Mon Nov 20, 2023 5:37 pm

Post your latest config and I will have a look.
 
ictoplossing
just joined
Topic Author

Re: How to route all traffic through WireGuard VPN and keep LAN access?

Mon Nov 20, 2023 5:43 pm

Hi anav,

/interface bridge
add admin-mac=DC:XX:XX:XX:XX:F2 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=belgium disabled=no distance=indoors frequency=2422 installation=\
    indoor mode=ap-bridge ssid="Home" wireless-protocol=802.11 wps-mode=\
    disabled
/interface ethernet
set [ find default-name=ether5 ] advertise=\
    10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full
/interface wireguard
add listen-port=443 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan1 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=XXXXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=*1 use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=9.0.0.5/32 comment="Laptop Lenovo" interface=wireguard1 \
    public-key="Xvue0000000000000000000000EMQVg="
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
add address=9.0.0.1/24 comment="WireGuard VPN" interface=wireguard1 network=\
    9.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=10.0.0.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.nextdns.io/XXXXX \
    verify-doh-cert=yes
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-nat-state="" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="wireguard handshake" dst-port=443 \
    protocol=udp
add action=accept chain=input comment="allow LAN access" in-interface-list=\
    LAN
add action=drop chain=input comment="Drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="home access" disabled=yes \
    in-interface=wireguard1 out-interface-list=WAN
add action=accept chain=forward comment="home access" in-interface=wireguard1 \
    out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall filter
add action=drop chain=input comment="drop all"
add action=drop chain=forward comment="drop all"
/system clock
set time-zone-name=Europe/Brussels
/system note
set show-at-login=no
/system routerboard reset-button
set enabled=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
anav
Forum Guru

Re: How to route all traffic through WireGuard VPN and keep LAN access?  [SOLVED]

Mon Nov 20, 2023 6:14 pm

I see nothing wrong on the config side.
You have the right allowed peer, you have firewall settings that allow the traffic.

Can you post your WireGuard settings on the laptop?
If you want to access the 10 subnet from the laptop you would need to have allowed IPs on the laptop in its peer settings:
allowed-ips=9.0.0.0/24,10.0.0.0/24
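The fix suggested here, and the earlier advice to use a /32 allowed-address per peer on the router, are both consequences of WireGuard's cryptokey routing. The following is an added example, not code from the thread, from MikroTik or from the WireGuard project: a Python model of that routing using only the standard library. The client config text is constructed to mirror the one discussed, with the keys replaced by placeholders and an endpoint hostname (router.example.invalid) that is an assumption; the parser is a minimal reader for the wg-quick INI-like format, not WireGuard's own.

```python
"""Added example, not part of the thread: WireGuard cryptokey routing modelled
with the standard library. A peer's AllowedIPs does two jobs: on send it picks
the peer (longest prefix wins) for a destination, and on receive it is the
only source-address check a decrypted packet from that peer gets."""
import ipaddress
from typing import Dict, List, Optional

# Constructed client config mirroring the thread; keys and endpoint are placeholders.
CLIENT_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 9.0.0.5/32
DNS = 9.0.0.1

[Peer]
PublicKey = <router-public-key>
AllowedIPs = 9.0.0.0/24, 10.0.0.0/24
Endpoint = router.example.invalid:443
"""


def parse_wg_conf(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Minimal reader for the wg-quick INI-like format; repeated [Peer] sections allowed."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1], []).append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections


def allowed_networks(peer: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """AllowedIPs entries as networks; 9.0.0.5/24 normalises to 9.0.0.0/24 as WireGuard does."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]


def select_peer(dst: str, peers: List[Dict[str, str]]) -> Optional[int]:
    """Send side: index of the peer whose AllowedIPs has the longest match for dst,
    or None when no peer claims it (the packet is not tunnelled)."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for idx, peer in enumerate(peers):
        for net in allowed_networks(peer):
            if addr in net and net.prefixlen > best_len:
                best, best_len = idx, net.prefixlen
    return best


def accept_from_peer(src: str, peer: Dict[str, str]) -> bool:
    """Receive side: a decrypted packet is dropped unless its source is in that
    peer's AllowedIPs. This is why a /24 on the router lets one laptop spoof the
    whole VPN subnet, and why the router-side entry should be /32."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_networks(peer))


def tunnelled_destinations(conf_text: str, dsts: List[str]) -> Dict[str, bool]:
    """For a client config, which of the given destinations go into the tunnel."""
    peers = parse_wg_conf(conf_text).get("Peer", [])
    return {d: select_peer(d, peers) is not None for d in dsts}


if __name__ == "__main__":
    print(tunnelled_destinations(CLIENT_CONF, ["10.0.0.200", "9.0.0.1", "1.1.1.1"]))
    lan_only = CLIENT_CONF.replace("9.0.0.0/24, 10.0.0.0/24", "9.0.0.0/24")
    print("NAS reachable with only 9.0.0.0/24:", tunnelled_destinations(lan_only, ["10.0.0.200"]))
    print("/24 on router accepts 9.0.0.77 from laptop:",
          accept_from_peer("9.0.0.77", {"AllowedIPs": "9.0.0.5/24"}))
    print("/32 on router accepts 9.0.0.77 from laptop:",
          accept_from_peer("9.0.0.77", {"AllowedIPs": "9.0.0.5/32"}))
```

With AllowedIPs = 9.0.0.0/24, 10.0.0.0/24 the model tunnels 10.0.0.200 and 9.0.0.1 and sends 1.1.1.1 out the laptop's normal interface; with only 9.0.0.0/24 the NAS is never sent into the tunnel at all, which matches the failure seen in the thread. On the router side the receive check shows the difference between the original allowed-address=9.0.0.5/24 and the recommended /32: the /24 accepts any source in the block from this one peer, and a second peer could not be given an overlapping entry. The thread does not say why AllowedIPs = 0.0.0.0/0 did not work on the laptop, so the model only covers the split-tunnel config that did. One caveat the thread does not mention: 9.0.0.0/24 is not an RFC 1918 range (9.0.0.0/8 is allocated to IBM), so while the tunnel is up, real hosts in that block are unreachable from the laptop.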
 
ictoplossing
just joined
Topic Author

Re: How to route all traffic through WireGuard VPN and keep LAN access?

Tue Nov 21, 2023 12:10 pm

Hi anav,

[Interface]
PrivateKey = SMZXXXXXXXXXXXXXXXXXXXKGg=
Address = 9.0.0.5/32
DNS = 9.0.0.1

[Peer]
PublicKey = /VDhoPXXXXXXXXXXXXX/3s=
AllowedIPs = 9.0.0.0/24, 10.0.0.0/24
Endpoint = de3XXXXXXXX.sn.mynetname.net:443

Yes, it works now! But when I use Eduroam (school and university network) I don't have access.

So your answer is the solution to my problem. Thank you again.

Do you have any idea why it doesn't work via the Eduroam network?
 
anav
Forum Guru

Re: How to route all traffic through WireGuard VPN and keep LAN access?

Tue Nov 21, 2023 1:09 pm

Perhaps they block certain ports? WG can use any port you choose.