aleab
Member Candidate
Topic Author
Posts: 119
Joined: Sat Sep 22, 2018 6:13 pm

wireguard client on LTE isp

Fri Jan 05, 2024 9:23 pm

Hello, I have a MikroTik at home with an LTE connection.
Everything works OK, but now I would like to route all traffic from a specific device through WireGuard.
So I have a VPS at a cloud provider, where I installed Docker and started WireGuard (linuxserver/wireguard);
I tested it on my smartphone and it works very well...

So I tried to install WireGuard on the MikroTik (as a client) and create a rule to redirect all traffic into the tunnel.
Here is an export:
/interface wireguard
add comment="WG VM16 DOCKER" listen-port=13234 mtu=1420 name=wireguard-vm16-docker
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="WG VM16 DOCKER" endpoint-address=212.x.y.z endpoint-port=59638 \
    interface=wireguard-vm16-docker persistent-keepalive=25s preshared-key=\
    "xxxxxxx" public-key=\
    "xxxxxxx"
/ip address
add address=10.13.13.2/24 comment="WG VM16 DOCKER" interface=wireguard-vm16-docker network=10.13.13.0
/ip firewall nat
add action=masquerade chain=srcnat comment="MASQUERADE TO WG VM16 DOCKER" ipsec-policy=out,none out-interface=\
    wireguard-vm16-docker
/routing table
add comment="WG VM16 DOCKER" disabled=no fib name=_wg_vm16_docker
/routing rule
add action=lookup-only-in-table comment="MY SMARTPHONE TO WG VM16 DOCKER" disabled=yes dst-address=0.0.0.0/0 \
    src-address=10.2.1.197/32 table=_wg_vm16_docker
/ip route
add comment=route-lte disabled=no distance=10 dst-address=0.0.0.0/0 gateway=10.78.252.46 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10 vrf-interface=vlan_300_LTE
add comment="ROUTE VM16 DOCKER" disabled=no distance=20 dst-address=0.0.0.0/0 gateway=\
    wireguard-vm16-docker pref-src="" routing-table=_wg_vm16_docker scope=30 suppress-hw-offload=no \
    target-scope=10
The WireGuard server has the IP 10.13.13.1,
so I can ping it from the MikroTik and from my smartphone.

The strange thing is when I try to browse the internet from my smartphone: I can't...
Some web pages work (like Wikipedia) but are very slow... others time out...
Of course the other devices work fine.

If I traceroute from my smartphone I see the correct routing through the tunnel to the destination.
Also pings from my smartphone to 8.8.8.8, 1.1.1.1, www.google.com etc. all work...
Ping works, web browsing doesn't...

So I searched the forum and found a mangle rule:
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" disabled=no new-mss=\
    clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
but again, from the smartphone I can ping/traceroute the whole internet, but I can't browse the web...

I think my LTE ISP is blocking the WireGuard tunnel, but I can't understand how ping/traceroute work fine then...
Could someone help me?

Thank you
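The symptom described above (ping and traceroute fine, TCP stalling or crawling) is the classic signature of an MTU problem on a tunnel, which is exactly what the change-mss mangle rule addresses. The following is an added worked example, not code from the thread or from MikroTik: it computes the WireGuard encapsulation overhead, the tunnel MTU and MSS that follow from it, and models what `new-mss=clamp-to-pmtu` does to a TCP SYN. The 1500 and 1420 byte MTUs are the ones in the thread; the sample SYNs and the 198.51.100.10 address are constructed for illustration.

```python
# Added example (not from the thread): WireGuard encapsulation overhead, the
# resulting tunnel MTU/MSS, and a model of the RouterOS change-mss mangle rule.
# The 1500/1420 byte MTUs are the ones in the thread; the SYNs below are constructed.
from dataclasses import dataclass, replace

IPV4_HDR = 20      # bytes, no options
IPV6_HDR = 40
UDP_HDR = 8
WG_HDR = 32        # 4 type/reserved + 4 receiver index + 8 counter + 16 byte Poly1305 tag
TCP_HDR = 20       # bytes, no options
PING_PKT = 84      # IPv4 header + ICMP header + 56 bytes of default ping payload


def wg_overhead(outer_ipv6: bool = False) -> int:
    """Bytes WireGuard wraps around every inner packet (outer IP + UDP + WG transport header/tag)."""
    return (IPV6_HDR if outer_ipv6 else IPV4_HDR) + UDP_HDR + WG_HDR


def tunnel_mtu(link_mtu: int, outer_ipv6: bool = False) -> int:
    """Largest inner packet that still fits one outer datagram on a link with link_mtu."""
    return link_mtu - wg_overhead(outer_ipv6)


def max_mss(mtu: int, inner_ipv6: bool = False) -> int:
    """Largest TCP payload per segment that fits mtu (IP + TCP headers without options)."""
    return mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


def fits(packet_len: int, mtu: int) -> bool:
    """True when a packet of packet_len bytes crosses the tunnel without fragmentation."""
    return packet_len <= mtu


@dataclass(frozen=True)
class Syn:
    src: str
    dst: str
    mss: int   # MSS option the sender advertises in its SYN


def clamp_mss_to_pmtu(syn: Syn, pmtu: int) -> Syn:
    """Model of `action=change-mss new-mss=clamp-to-pmtu`: lowers the option, never raises it."""
    return replace(syn, mss=min(syn.mss, max_mss(pmtu)))


# Constructed SYNs from the LAN host that is policy-routed into the tunnel.
SAMPLE_SYNS = (
    Syn("10.2.1.197", "198.51.100.10", 1460),  # typical host MSS on a 1500-byte LAN
    Syn("10.2.1.197", "1.1.1.1", 1380),
    Syn("10.2.1.197", "8.8.8.8", 1200),
)


def clamped_mss_values(syns=SAMPLE_SYNS, pmtu: int = 1420):
    """MSS values the SYNs carry after the mangle rule, for a tunnel of the given MTU."""
    return [clamp_mss_to_pmtu(s, pmtu).mss for s in syns]


if __name__ == "__main__":
    print("WG overhead, IPv4 / IPv6 outer:", wg_overhead(), wg_overhead(True))
    print("tunnel MTU behind a 1500-byte link:", tunnel_mtu(1500), tunnel_mtu(1500, True))
    print("ping fits a 1420 tunnel:", fits(PING_PKT, 1420), "| full 1500-byte TCP segment fits:", fits(1500, 1420))
    print("clamped MSS values:", clamped_mss_values())
```

A default ping is 84 bytes, so it never comes near the tunnel MTU and succeeds whether or not path MTU discovery works; a host that advertises MSS 1460 will send 1500-byte segments that cannot fit into a 1420-byte tunnel. If the ICMP "fragmentation needed" messages that should tell it to shrink are dropped anywhere on the path, those segments silently disappear and pages with bodies larger than one small segment hang. Clamping the MSS on the SYN at the router removes the dependency on PMTU discovery, which is why the mangle rule is the standard fix; the example also shows that 1420 is exactly 1500 minus the IPv6-outer overhead, the reason it is WireGuard's default interface MTU.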
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard client on LTE isp

Fri Jan 05, 2024 9:52 pm

Really well done for the most part....... The dst-address needs to go, and the rule needs to be enabled!
Modify this
/routing rule
add action=lookup-only-in-table comment="MY SMARTPHONE TO WG VM16 DOCKER" disabled=yes dst-address=0.0.0.0/0 \
src-address=10.2.1.197/32 table=_wg_vm16_docker

TO
/routing rule
add action=lookup-only-in-table comment="MY SMARTPHONE TO WG VM16 DOCKER" disabled=no \
src-address=10.2.1.197/32 table=_wg_vm16_docker

Ensure your smartphone's IP address is fixed as a static lease in the router's DHCP leases. If it's an iPhone you will need to turn off the "hide my IP" option for the connection to the SSID in question.
The mangle rule is a good idea whenever an MT router, as a client, connects to a different ilk of server.


Modify your route from this (distance not required, it's a separate table)
add comment="ROUTE VM16 DOCKER" disabled=no distance=20 dst-address=0.0.0.0/0 gateway=\
wireguard-vm16-docker pref-src="" routing-table=_wg_vm16_docker scope=30 suppress-hw-offload=no \
target-scope=10


TO:
add comment="ROUTE VM16 DOCKER" dst-address=0.0.0.0/0 gateway=\
wireguard-vm16-docker pref-src="" routing-table=_wg_vm16_docker scope=30 suppress-hw-offload=no \
target-scope=10
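To make the routing-rule semantics concrete, here is an added example, not code from the thread or from MikroTik: a small Python model of RouterOS policy routing using the two tables and addresses quoted in the thread. It is a simplification (src-address matching only, longest prefix then lowest distance), and the behaviour it assumes for `lookup-only-in-table` is that a miss in the named table drops the packet instead of falling back to main. That property is what makes the rule a kill switch for the smartphone: if the tunnel route goes inactive, the phone gets no route at all rather than leaking out over the LTE gateway, which a plain `lookup` would allow. The laptop address 10.2.1.201 is the one in the poster's export.

```python
# Added example (not from the thread): a simplified model of RouterOS policy
# routing, enough to show what `action=lookup-only-in-table` does for a client
# that must only ever reach the Internet through the WireGuard tunnel.
# Real RouterOS rules have more matchers (routing-mark, interface, dst-address);
# this model keeps src-address only. Addresses are the ones quoted in the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Route:
    dst: str          # destination prefix
    gateway: str      # next hop address or interface name
    table: str
    distance: int = 1
    active: bool = True


@dataclass
class Rule:
    src: str          # source prefix the rule matches
    table: str        # routing table to consult
    action: str       # "lookup" or "lookup-only-in-table"


def best_route(routes: List[Route], table: str, dst: str) -> Optional[Route]:
    """Longest prefix wins, then lowest distance; only active routes count."""
    addr = ip_address(dst)
    cands = [r for r in routes if r.table == table and r.active and addr in ip_network(r.dst)]
    if not cands:
        return None
    return min(cands, key=lambda r: (-ip_network(r.dst).prefixlen, r.distance))


def resolve(rules: List[Rule], routes: List[Route], src: str, dst: str) -> Optional[str]:
    """Gateway a packet src->dst is sent to, or None when it is dropped."""
    for rule in rules:
        if ip_address(src) not in ip_network(rule.src):
            continue
        r = best_route(routes, rule.table, dst)
        if r is not None:
            return r.gateway
        if rule.action == "lookup-only-in-table":
            return None           # fail closed: no fallback to another table
        # "lookup": fall through to the next rule and finally to main
    r = best_route(routes, "main", dst)
    return r.gateway if r else None


# Tables as in the thread: main -> LTE gateway, _wg_vm16_docker -> WireGuard interface.
ROUTES = [
    Route("0.0.0.0/0", "10.78.252.46", "main", distance=10),
    Route("0.0.0.0/0", "wireguard-vm16-docker", "_wg_vm16_docker"),
]
PHONE, LAPTOP, TARGET = "10.2.1.197", "10.2.1.201", "8.8.8.8"


def phone_rule(action: str) -> Rule:
    """The thread's routing rule, with the chosen action."""
    return Rule(src=f"{PHONE}/32", table="_wg_vm16_docker", action=action)


def gateway_for(src: str, action: str = "lookup-only-in-table", tunnel_up: bool = True) -> Optional[str]:
    """Where traffic from src to TARGET goes, optionally with the tunnel route inactive."""
    routes = [Route(r.dst, r.gateway, r.table, r.distance, r.active) for r in ROUTES]
    routes[1].active = tunnel_up   # a WireGuard route goes inactive when the interface is down
    return resolve([phone_rule(action)], routes, src, TARGET)


if __name__ == "__main__":
    print("phone,  tunnel up:                       ", gateway_for(PHONE))
    print("laptop, tunnel up:                       ", gateway_for(LAPTOP))
    print("phone,  tunnel down, lookup-only-in-table:", gateway_for(PHONE, tunnel_up=False))
    print("phone,  tunnel down, lookup:             ", gateway_for(PHONE, "lookup", tunnel_up=False))
```

Running it shows the phone resolved to the WireGuard interface and the laptop to the LTE gateway while the tunnel is up; with the tunnel route inactive, `lookup-only-in-table` yields no route (traffic dropped) whereas `lookup` falls back to main and sends the phone's traffic out the LTE link in the clear. When choosing between the two actions for a device that must not bypass the VPN, the fail-closed one is the safer default.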
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard client on LTE isp

Fri Jan 05, 2024 9:59 pm

I think the issue is the smartphone blocking, as none of the changes above would necessarily block anything.
 
aleab
Member Candidate
Topic Author
Posts: 119
Joined: Sat Sep 22, 2018 6:13 pm

Re: wireguard client on LTE isp

Fri Jan 05, 2024 10:27 pm

Thank you for the quick reply.

Of course the routing rule was enabled...
After many tests I disabled it so I could browse with my smartphone...
And yes, I have static DHCP leases for all of my devices (also my smartphone).

But I tried changing the routing rule (of course enabled :) ) to my laptop (Win 11) and got the same behaviour...
I can ping every internet IP and traceroute correctly, but not browse...

That's why I'm asking here...
Thank you

PS. I tried changing the dst without 0.0.0.0/ and changing the distance, same result (no web browsing on the phone and none on the laptop)
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard client on LTE isp

Fri Jan 05, 2024 10:32 pm

Then please post the full config, there is something else in the config perhaps.

/export file=anynameyouwish ( minus router serial number and any public WANIP information, keys etc.)
 
aleab
Member Candidate
Topic Author
Posts: 119
Joined: Sat Sep 22, 2018 6:13 pm

Re: wireguard client on LTE isp

Fri Jan 05, 2024 10:57 pm

Here you are:
# 2024-01-05 21:34:07 by RouterOS 7.13
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac=74:4D:28:FB:CC:3E auto-mac=no comment=LAN mtu=1500 name=bridge \
    port-cost-mode=short
add comment=CONTAINER name=bridge-container port-cost-mode=short
add comment="BRIDGE GUEST" ingress-filtering=no name=bridge_guest \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="SXT LTE" l2mtu=1598 mac-address=\
    xx:xx:xx:xx:xx:xx
set [ find default-name=ether2 ] comment="MINI PC HP I5" l2mtu=1598 mac-address=\
    xx:xx:xx:xx:xx:xx
set [ find default-name=ether3 ] comment="AP WAP" l2mtu=1598 mac-address=\
    xx:xx:xx:xx:xx:xx
set [ find default-name=ether4 ] comment="TV LG" l2mtu=1598 mac-address=\
    xx:xx:xx:xx:xx:xx
set [ find default-name=ether5 ] l2mtu=1598 mac-address=74:4D:28:FB:CC:41
/interface wireguard
add comment="WG VM16 DOCKER" listen-port=13234 mtu=1420 name=\
    wireguard-vm16-docker
/interface veth
add address=192.168.19.2/24 gateway=192.168.19.1 gateway6="" name=\
    veth-adguard
/interface vlan
add comment="WAN - LTE" interface=ether1 name=vlan_300_LTE vlan-id=300
/interface ethernet switch port
set 0 default-vlan-id=auto
set 1 default-vlan-id=auto
set 2 default-vlan-id=auto
set 3 default-vlan-id=auto
set 4 default-vlan-id=auto
set 5 default-vlan-id=auto
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=Canale-2ghz width=20/40mhz
add disabled=no name=Canale-5ghz skip-dfs-channels=10min-cac width=\
    20/40/80mhz
/interface wifi configuration
add channel.frequency=2412,2437,2462 .skip-dfs-channels=disabled .width=\
    20/40mhz country=Italy datapath.bridge=bridge disabled=yes mode=ap name=\
    wifi_lan_2ghz security.authentication-types=wpa2-psk .disable-pmkid=yes \
    .group-key-update=1h .wps=disable ssid="Fritzbox 7170"
add channel.skip-dfs-channels=all .width=20/40/80mhz country=Italy disabled=\
    yes mode=ap name=wifi_lan_5ghz security.authentication-types=\
    wpa2-psk,wpa3-psk .disable-pmkid=yes .group-key-update=1h .wps=disable \
    ssid="Fritzbox 7170"
/interface wifi datapath
add disabled=no name=datapath-lan
/interface wifi security
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no ft=yes \
    ft-over-ds=yes group-key-update=1h name=sec-lan wps=disable
/interface wifi configuration
add channel=Canale-2ghz country=Italy datapath=datapath-lan disabled=no mode=\
    ap name=cfg-2ghz security=sec-lan ssid="Fritzbox 7170"
add channel=Canale-5ghz country=Italy datapath=datapath-lan disabled=no mode=\
    ap name=cfg-5ghz security=sec-lan ssid="Fritzbox 7170"
/interface wifi
set [ find default-name=wifi1 ] comment=5.0GHZ configuration=cfg-5ghz \
    configuration.manager=local .mode=ap disabled=no name=wifi1-5ghz
set [ find default-name=wifi2 ] comment=2.4GHZ configuration=cfg-2ghz \
    configuration.manager=local .mode=ap disabled=no name=wifi2-2.4ghz
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=10.2.1.160-10.2.1.230
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-script="#:local queueName \"LAN \
    \$leaseActMAC\";\r\
    \n\r\
    \n#:if (\$leaseBound = \"1\") do={\r\
    \n#    /queue simple add name=\$queueName parent=queue_LAN target=(\$lease\
    ActIP . \"/32\") max-limit=25M/70M comment=[/ip dhcp-server lease get [fin\
    d #where active-mac-address=\$leaseActMAC && active-address=\$leaseActIP] \
    host-name];\r\
    \n#} else={\r\
    \n#    /queue simple remove \$queueName\r\
    \n#}" lease-time=2h name=dhcp_LAN
/queue type
add kind=sfq name=sfq
/queue simple
add limit-at=2M/2M max-limit=25M/100M name=queue-lan queue=\
    pcq-upload-default/pcq-download-default target=10.2.1.0/24
add disabled=yes limit-at=1M/1M max-limit=100M/50M name=wan-sfq queue=sfq/sfq \
    target=vlan_300_LTE
/routing table
add comment="WG VM16 DOCKER" disabled=no fib name=_wg_vm16_docker
/system logging action
set 1 disk-file-name=flash/log
/user group
add name=homeassistant policy="reboot,read,write,policy,test,api,!local,!telne\
    t,!ssh,!ftp,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/zerotier
set zerotier-vm16 comment=\
    "ZeroTier Central controller - https://my.zerotier.com/" interfaces=\
    vlan_300_LTE name=zerotier-vm16 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zerotier-vm16 name=zerotier-vm16 network=xxxxxxxxxxxx
/container
add comment="IP 192.168.19.2" interface=veth-adguard root-dir=/adguard \
    start-on-boot=yes workdir=/opt/adguardhome/work
/container config
set registry-url=https://registry-1.docker.io tmpdir=pull
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge interface=wifi1-5ghz internal-path-cost=10 path-cost=10
add bridge=bridge interface=wifi2-2.4ghz internal-path-cost=10 path-cost=10
add bridge=bridge-container interface=veth-adguard internal-path-cost=10 \
    path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan_300_LTE list=WAN
add interface=bridge-container list=LAN
/interface wifi access-list
add action=reject allow-signal-out-of-range=10s comment=Disconnetti disabled=\
    no interface=any signal-range=-120..-80
add action=accept allow-signal-out-of-range=10s comment=Connetti disabled=no \
    interface=any signal-range=-79..120
/interface wifi cap
set caps-man-addresses=127.0.0.1
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg-2ghz \
    supported-bands=2ghz-g,2ghz-n,2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg-5ghz \
    supported-bands=5ghz-a,5ghz-n,5ghz-ac,5ghz-ax
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="WG VM16 DOCKER" endpoint-address=\
    x.x.x.x endpoint-port=59638 interface=wireguard-vm16-docker \
    persistent-keepalive=25s preshared-key=\
    "xxxxx" public-key=\
    "xxxxx"
/ip address
add address=10.2.1.254/24 comment=LAN interface=bridge network=10.2.1.0
add address=192.168.19.1/24 comment=CONTAINER interface=bridge-container \
    network=192.168.19.0
add address=10.13.13.2/24 comment="WG VM16 DOCKER" interface=\
    wireguard-vm16-docker network=10.13.13.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add add-default-route=no comment="LTE passthrough\r\
    \n" interface=vlan_300_LTE script="/ip route set [find where comment~\"rou\
    te-lte\"] gateway=\$\"gateway-address\"\r\
    \n\r\
    \n" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.2.1.201 comment="LAPTOP HP WIFI" mac-address=xx:xx:xx:xx:xx:xx \
    server=dhcp_LAN use-src-mac=yes
add address=10.2.1.203 comment="SMARTPHONE 1" mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcp_LAN
add address=10.2.1.197 comment="MY SMARTPHONE" mac-address=\
    xx:xx:xx:xx:xx:xx server=dhcp_LAN
/ip dhcp-server network
add address=10.2.1.0/24 comment=defconf dns-server=10.2.1.254 gateway=\
    10.2.1.254 netmask=24
add address=192.168.252.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.252.1
/ip dns
set allow-remote-requests=yes servers=192.168.19.2,94.140.14.14,94.140.15.15
/ip dns static
add address=10.2.1.254 comment=defconf name=router.mikrotik.lan
/ip/firewall/address-list
add address=10.2.1.0/24 comment="LAN LOCAL" list=local
add address=192.168.19.0/24 comment=CONTAINER list=local
/ip firewall filter
add action=accept chain=input comment="allow all from zerotier" in-interface=\
    zerotier-vm16
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu \
    passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=redirect chain=dstnat comment="REDIRECT OUTBOUND 53 TO LOCAL DNS" \
    dst-port=53 protocol=tcp src-address=!192.168.19.2 to-ports=53
add action=redirect chain=dstnat comment="REDIRECT OUTBOUND 53 TO LOCAL DNS" \
    dst-port=53 protocol=udp src-address=!192.168.19.2 to-ports=53
add action=masquerade chain=srcnat comment="MASQUERADE TO WG VM16 DOCKER" \
    ipsec-policy=out,none out-interface=wireguard-vm16-docker
add action=masquerade chain=srcnat comment="MASQUERADE TO ZEROTIER" \
    ipsec-policy=out,none out-interface=zerotier-vm16
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    dst-address-list=!local ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="CONTAINER MASQUERADE" \
    dst-address-list=!local ipsec-policy=out,none out-interface-list=WAN \
    src-address=192.168.19.0/24
/ip route
add comment=route-lte disabled=no distance=10 dst-address=0.0.0.0/0 gateway=\
    10.78.252.46 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10 vrf-interface=vlan_300_LTE
add comment="ROUTE VM16 DOCKER" disabled=no distance=\
    1 dst-address=0.0.0.0/0 gateway=wireguard-vm16-docker pref-src="" \
    routing-table=_wg_vm16_docker scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="ROUTE ZEROTIER" disabled=no distance=20 \
    dst-address=0.0.0.0/0 gateway=zerotier-vm16 pref-src="" routing-table=\
    _zerotier scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=CAPsMAN-18FD74BBC72D disabled=no port=10443 \
    tls-version=only-1.2
set api disabled=yes
set api-ssl certificate=CAPsMAN-18FD74BBC72D
/routing bfd configuration
add disabled=no
/routing rule
add action=lookup-only-in-table comment="MY SMARTPHONE TO WG VM16 DOCKER" \
    disabled=no src-address=10.2.1.197/32 table=_wg_vm16_docker
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=HAP-AX2
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
add address=time.cloudflare.com
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set watchdog-timer=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment="WG VM16 DOCKER" disabled=no down-script="" host=10.13.13.1 \
    http-codes="" src-address=10.13.13.2 test-script="" type=simple \
    up-script=""
Big thank you
