ultrakiller
just joined
Topic Author
Posts: 2
Joined: Mon Jul 08, 2024 10:03 pm

wireguard VPN and Synology NAS

Mon Jul 08, 2024 10:06 pm

Hello,

I'm completely lost in this. I tried OpenVPN first but went to WireGuard since that seems to be the best option nowadays.

Mikrotik HEX S, WAN interface has bridge in the ISP router.

When I connect via the WireGuard app on Android, I can access, for example, Home Assistant just fine.
I cannot access the MikroTik devices via the MikroTik app.
Most importantly, I cannot access my Synology NAS or the DS cam surveillance station.
Firewall on the NAS is off.

What am I missing here?
 
TheCat12
Long time Member
Posts: 545
Joined: Fri Dec 31, 2021 9:13 pm

Re: wireguard VPN and Synology NAS

Mon Jul 08, 2024 11:20 pm

Could you export your config and post it here?

/export file=anynameyouwish (minus sensitive information like public keys, passwords, etc.)
 
anav
Forum Guru
Posts: 23384
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard VPN and Synology NAS

Tue Jul 09, 2024 12:06 am

The Android configuration for WireGuard will also be useful to see (minus any actual WAN IP information, of course).
The likely culprits are:
a. Not giving your WireGuard address or interface access on the input chain to configure the router.
b. Typing in the wrong information in the MT app.
You need to put in (your choice):
IP address of WireGuard:winbox port
IP address of main subnet:winbox port (trusted subnet)
 
ultrakiller
just joined
Topic Author
Posts: 2
Joined: Mon Jul 08, 2024 10:03 pm

Re: wireguard VPN and Synology NAS

Tue Jul 09, 2024 9:17 pm

This is the current config:
# 2024-07-09 20:08:03 by RouterOS 7.13.4
# software id = EZ2C-6T9K
#
# model = RB760iGS
# serial number = ************
/interface bridge
add name="WAN bridge" port-cost-mode=short
add arp=proxy-arp name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=ether5 ] poe-out=forced-on
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name="wireguard"
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.190
add name=vpn ranges=192.168.80.10-192.168.80.25
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=10m name=dhcp1
add add-arp=yes address-pool=dhcp disabled=yes interface=bridge1 lease-time=\
    10m name=server1 use-radius=accounting
add address-pool=dhcp interface="WAN bridge" lease-time=10m name=dhcp2
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge="WAN bridge" ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge="WAN bridge" ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge="WAN bridge" ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge="WAN bridge" ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge="WAN bridge" ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=LAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 l2tpv3-ether-interface-list=dynamic max-sessions=4 \
    one-session-per-host=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface="WAN bridge" list=LAN
/interface ovpn-server server
set certificate=Server default-profile=default-encryption \
    require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.100.205/24 comment="cellphone" interface=\
    "wireguard " public-key=\
    "**************************************************"
/ip address
add address=192.168.1.1/24 interface="WAN bridge" network=192.168.1.0
add address=192.168.100.1/24 interface="wireguard" network=\
    192.168.100.0
/ip arp
add address=192.168.1.138 interface=bridge1 mac-address=EE:D6:91:53:73:64
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.147 client-id=1:8:d1:f9:2d:5d:c0 mac-address=\
    08:D1:F9:2D:5D:C0 server=dhcp1
add address=192.168.1.40 client-id=\
    ff:35:24:df:f8:0:1:0:1:2a:71:1a:7f:f2:23:21:ce:82:d8 mac-address=\
    C8:3A:35:24:DF:F8 server=dhcp2
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes max-concurrent-queries=10000 \
    max-concurrent-tcp-sessions=10000 query-server-timeout=4s servers=\
    8.8.8.8,1.1.1.1,8.8.4.4
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=allowed_to_router
add address=*************** list=WAN
/ip firewall filter
add action=accept chain=input in-interface="wireguard"
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp \
    src-address=192.168.100.0/24
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add chain=forward
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" dst-address=\
    192.168.1.0/24 src-address=192.168.80.0/24
add action=dst-nat chain=dstnat comment=openVPN dst-port=50001 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.1.25 to-ports=\
    4500
/ppp secret
add comment=***** name=***** profile=default-encryption service=ovpn
add name=vpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Brussels
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=185.111.204.220
WireGuard settings:
public key: same as MikroTik config
addresses: 192.168.100.205/32
DNS server: 192.168.100.1
endpoint: <WAN ip:13231>
allowed IP addresses: 0.0.0.0/0
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: wireguard VPN and Synology NAS

Tue Jul 09, 2024 9:42 pm

(1) One thing not showing in the app config is persistent keepalive = 30s etc., if you have such a setting.

Router

(3) Add the Wireguard to the LAN interface list.

(4) DO NOT UNDERSTAND the purpose of this config line???
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24


(5) For input chain rules........

/ip firewall address-list
add address=192.168.1.X list=Authorized comment="admin device1"
add address=192.168.1.Y list=Authorized comment="admin device2"
add address=192.168.100.205 list=Authorized comment="remote admin via wg"

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=13231 protocol=udp
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="lan access to services"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="lan access to services"
add action=drop chain=input comment="drop all else"
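An added checker, not from any poster in this thread, that parses a RouterOS /export in the format posted above and flags the points the replies raise: the WireGuard interface missing from the LAN interface list, the input chain not admitting the WireGuard port or interface, and the 0.0.0.0/24 dhcp-server network line. The embedded excerpt is a constructed, shortened version of the posted config; the section names and parameter keys are those RouterOS itself exports.

```python
import shlex
from collections import defaultdict

# Constructed excerpt in the same format as the /export posted above (not the full config)
SAMPLE_EXPORT = """\
/interface wireguard
add listen-port=13231 mtu=1420 name="wireguard"
/interface list member
add interface=bridge1 list=LAN
add interface="WAN bridge" list=LAN
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
/ip firewall filter
add action=accept chain=input in-interface="wireguard"
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment="default configuration" \\
    connection-state=established,related
"""

def parse_export(text):  # map each /section to a list of {param: value} dicts
    cfg, section, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            # shlex keeps quoted values such as "WAN bridge" together as one token
            cfg[section].append(dict(t.split("=", 1) for t in shlex.split(line) if "=" in t))
    return cfg

def findings(cfg):  # checks matching the points raised in the thread
    out = []
    wg = {e["name"] for e in cfg["/interface wireguard"] if "name" in e}
    ports = {e.get("listen-port") for e in cfg["/interface wireguard"]}
    lan = {e["interface"] for e in cfg["/interface list member"] if e.get("list") == "LAN"}
    for name in sorted(wg - lan):
        out.append(f"{name} is not a member of the LAN interface list")
    # RouterOS filter rules default to action=accept when none is given
    inp = [r for r in cfg["/ip firewall filter"]
           if r.get("chain") == "input" and r.get("action", "accept") == "accept"]
    if not any(r.get("protocol") == "udp" and r.get("dst-port") in ports for r in inp):
        out.append("no input rule accepts the WireGuard listen port over UDP")
    if not any(r.get("in-interface") in wg for r in inp):
        out.append("no input rule accepts traffic arriving on the WireGuard interface")
    for n in cfg["/ip dhcp-server network"]:
        if n.get("address", "").startswith("0.0.0.0"):
            out.append(f"dhcp-server network {n['address']} is not a real subnet")
    return out
```

Running `findings(parse_export(open("export.rsc").read()))` on a full export reports the same two points for the config posted above.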