NEW FEATURE: Back to Home VPN

anav · Thu Apr 25, 2024 4:38 pm

My bad, I didnt realize that BTH was NOT possible to connect two routers that do not have publicly reachable IPs etc.. Its only valid for a router without a public IP and a remote device like phone.

Grumpy · Mon May 20, 2024 12:01 pm

Supposedly fixed in 7.15beta6.
There is also a workaround if you modify the logging rules to numb down those messages but in my book these shouldn't even be displayed (it's debug, not info)

It's a while ago now. Can you guys confirm it will be fixed in the mentioned version, any news?

Mon May 20, 2024 2:59 pm

What specifically ?

Grumpy · Mon May 20, 2024 4:58 pm

I'd like just to have a confirmation about scheduled fixing because it's a while ago. Nothing special ;)

Mon May 20, 2024 5:00 pm

Fixing what specifically? Abundance of Wireguard logs? That was already fixed

DarkNate · Mon May 20, 2024 5:03 pm

FYI to the users, the WireGuard problem of trying to re-connect to a previously connected dynamic peer is not a MikroTik problem, it's part of the OG WireGuard codebase. Same issue on a plain Debian install as well.

@normis, does BTH allow me to specify which IPv6 /64 pool to use for the peers?

Grumpy · Tue May 21, 2024 8:11 pm

Fixing what specifically? Abundance of Wireguard logs? That was already fixed

still occuring BTH iOS and 7.14.3; checked 3d ago

@DarkNate: thx for explanation!

anav · Fri May 24, 2024 11:09 pm

@Normis.

Okay so what I have learned recently.
1. BTH is not applicable to router to router connections.

2. It would appear that BTH configs certain things automatically please confirm.
a. sourcenat rule
b. wireguard ip address
c. input chain handshake rule
d. allowed ips.
e. wg blocked to LAN but allowed to WAN
f. anything else??

My concern is WHY are these settings:
1 NOT showing up on the export (as per normal wireguard settings ) *****
or
2 NOT showing up on the export on a specific config block maybe /ip BTH VPN etc......

Very frustrating to try and help customers when I dont have an understanding or proper expectations.

**** Allowed Ips does show up on regular export but the rest seem not to??

anav · Fri May 24, 2024 11:12 pm

Okay understand I may be looking at a BTH setup incorrectly done on an Ops MT router and thus the missing export info?

dcavni · Sat May 25, 2024 8:14 am

How would you block acess to LAN only based on client config file? Client could then just change few lines in existing config file an gain acess to your lan.

Amm0 · Sat May 25, 2024 6:16 pm

Okay understand I may be looking at a BTH setup incorrectly done on an Ops MT router and thus the missing export info?

It's not in the `/wireguard/export` because it's "dynamic config" (i.e.configuration generated by another RouterOS option). And dynamic config is never in an export – think /ip/dhcp-client and /ip/address/export. So like elsewhere, "/wireguard/print detail" is what's needed to "see" BTH stuff. And /ip/firewall/.../print etc. too. Basically you'll see more "D" items from BTH in a few places.

@anav, you think "Back-to-Home" is more complex than it is. BTH is still just plain WireGuard, following all same rules, with fews tricks (that do not change WG protocol):

1. BTH adds "dynamic config" (e.g. items marked with a "D") to /wireguard and elsewhere.** And as such, are not in an export. Only "print", or winbox.

2. Biggest trick is the DDNS name <sn>.vpn.mynetname.net used. What that name resolves to is set by BTH internally & used in the WG config generated (instead of IPs). This allow floating between direct/proxy mode, since DDNS can change over time. So if proxied <sn>.vpn.mynetname.net resolves Mikrotik's IP & if direct, it's your own WAN IP.

3. The BTH apps just issue RouterOS commands, using your winbox/etc login, to enable BTH & get device keys/config from those commands. But this just avoid cut-and-paste - you can use WG client instead, all the proxy stuff work same (see #2, trick is WG config shown for BTH uses a DDNS name).

4. AFAIK, you can still add your own peer statically using winbox/etc using the BTH "dynamic" /wireguard interface. So while router-to-router is "not supported", BTH really does not care what OS the other peer is using, so that should work too (*only ONE needs to enable BTH, other is a peer of that, not both running BTH). Basically, BTH does not change that everything is a peer. It just automated config on router to enable WG (with encrypted WG traffic getting transparently proxied via another server if needed), Basically BTH client are still just normal WG peers – just the WG config file uses a special DDNS name.

5. /ip/address for WG interface, to this point, is always in same fixed subnet: 192.168.216.0/24

** I do think what "dynamic config" is added automatically with BTH should be described more specifically in the docs. _i.e._ get it is a home feature — but there folks that deploy things to customers that like to know how they work at greater detail.

anav · Sat May 25, 2024 11:52 pm

Agree much better documentation will take out some mystery. BUT I SAY AGAIN, BTH needs to be more explicity shown on the export.
/ip cloud full full settings etc........

K0NCTANT1N · Mon Jul 01, 2024 11:46 am

routerOS v7.12.1, BTH v1.3.33: "Tools/IP Scan" interface "bridge" no information

(checked because of a post in another topic)

DATPOLpl · Mon Jul 01, 2024 12:59 pm

HI

I hae a lof os this...
Why?

ROS 15.2 - 5009 routerboard fw upgraded

nichky · Tue Jul 02, 2024 2:43 pm

that is because something is not happy.How the ping looks like?

DATPOLpl · Tue Jul 02, 2024 4:53 pm

What ping?

nichky · Wed Jul 03, 2024 2:00 am

e.g. from the Router to peer9

jfim88 · Sat Jul 06, 2024 1:38 pm

Quick question. I have BTH enabled, created from iOS app from iPhone. Working perfect. I want to add a peer for my Macbook using Wireguard app for Mac.

Trying to use the iPhone BTH app share option, but after pressing share button, it ask for router login, I enter login and pass and says connection refused.

SuperMario81 · Fri Jul 26, 2024 2:09 pm

Hi,
I´m using /testing the B2H, I´m running 7.16Beta7
I create 2 users from the Back to Home Users function all is good, but when I go to WireGuard Peers there is no way to Un-check the Responder Checkbox to avoid the Log being full of the message "back-to-home-vpn: [peer2] .....=: Handshake for peer did not complete after 20 attempts, giving up
Am I doing something wrong?
Thanks

anav · Fri Jul 26, 2024 4:33 pm

@supermario Nothing wrong, just poorly constructed APP functionality. By the way, the company story, as always, is that its very easy to use and implement. :-(

@jfim Ensure the mac does not have some sort of firewall blocking the traffic.

SuperMario81 · Fri Jul 26, 2024 4:46 pm

@anav Thanks, then I guess better to config manually WG to have better control, maybe one day Mikrotik will do some improvements in the BTH, @normis are some improvements in the backlog?

faxxe · Fri Jul 26, 2024 6:37 pm

I already have several working Wireguard connections, but I also wanted to try this function.
Since then, I have a dynamic entry that can no longer be deleted. How can I remove it?
Thank you,

v 7.15.3

-faxxe

NatePB14 · Mon Jul 29, 2024 9:08 pm

I already have several working Wireguard connections, but I also wanted to try this function.
Since then, I have a dynamic entry that can no longer be deleted. How can I remove it?
Thank you,

v 7.15.3

-faxxe

You'll find the BTH users on the IP>Cloud window, from there you could delete the users

faxxe · Mon Jul 29, 2024 10:22 pm

Very helpful, thank you NatePB14
-faxxe

serambca · Wed Jul 31, 2024 3:53 pm

Good afternoon,
I would like to send all traffic across the Back to Home. is it possible?
Best regards!

nichky · Fri Aug 02, 2024 9:02 am

can they expire?

anav · Wed Aug 07, 2024 6:56 pm

To help understand the functionality........

1. First setup Phone BTH app, when connected to router ???
2. Then one can, using the phone and the BTH app, while at remote locations (NO Need to be connected to router) create a WG instance for another device??
3. This assumes hole punching correct.
4. The other (third device) gets a separate wireguard IP on the wireguard network?? - but how does the router know or the Mikrotik hole-punch gateway??

+++++++++++++++++++++++++++++++++++++++++++++
HOW DO I CATEGORY
How do I create QR codes from a standard setup ( hole punch not required ), that I can whatsapp to remote devices for them to ingest??
If not possible.
What is the closest one can come to the above in current or planned functionality?

optio · Wed Aug 07, 2024 7:45 pm

How do I create QR codes from a standard setup ( hole punch not required ), that I can whatsapp to remote devices for them to ingest??

Create screenshot from Winbox or Webfig.
Even from terminal is possible with /interface/wireguard/peers show-client-config if terminal window is expanded enough or has very small font size :)

wg-peer-qr.png

It would be nice that Client Config text is selectable in Winbox without need to execute show-client-config from Terminal so to make it easy c/p it into .conf file for sharing as config file since desktop wg client doesn't support reading config from QR image. Also creating new peer in ROS from wg config file by reading config properties that are supported on ROS would be a nice feature for standard Wireguard configuration.

anav · Wed Aug 07, 2024 8:50 pm

Sweet photo, gee I wonder why this is not in the MT Documents???

optio · Wed Aug 07, 2024 9:58 pm

ROS wouldn't be fun without (hidden/undocumented) gems :)

Thu Aug 08, 2024 8:19 am

The biggest benefit of Back to Home is the mobile app. It is super simple to use. If you want to configure wireguard manually, you don't really need BTH anymore. So by using the CLI, you are missing the point

optio · Thu Aug 08, 2024 12:28 pm

Not sure I follow missing the point regarding CLI, my reply was a bit OT because it was not related to BTH WG, it was reply to @anav question regarding manual (standard) WG setup (also OT) - "How do I create QR codes from a standard setup..."

Thu Aug 08, 2024 12:35 pm

My answer was about why documentation is more concentrated on using the App, not CLI.

optio · Thu Aug 08, 2024 12:45 pm

Still, it was about manual WG setup and possibilities of sharing peer configuration... Is it possible to share such manual WG peer configuration from MT mobile app (not BTH)?
From WG documentation:

iOS configuration
Download the WireGuard application from the App Store. Open it up and create a new configuration from scratch.

In documentation is stated "...create a new configuration from scratch" :), even it is possible to create peer QR code as in my screenshot example, that was why @anav is wondering why such possibility is not documented.

This is OT, maybe is better to create separate topic for such discussions regarding improvements for manual WG.

Thu Aug 08, 2024 12:54 pm

I agree, BTH documentation does not yet describe Share management.
This does not mean Winbox should be used at all. I still insist, if you use BTH without the app, you are missing the point of BTH.

optio · Thu Aug 08, 2024 1:03 pm

BTH WG setup != manual WG setup.
Trying to explain that my comments are not related to BTH WG and that are OT :)
Forcing using BTH just because exists doesn't mean that one can choose different approach to use WG as it fits to its needs even as custom WG setup as BTH VPN (I have also OpenVPN for eg. as backup BTH VPN).

Thu Aug 08, 2024 1:06 pm

Check title of topic. Yes, manual WG setup should be discussed in another topic

optio · Thu Aug 08, 2024 1:07 pm

Now you get it :)
I was just trying to help @anav...

Thu Aug 08, 2024 1:56 pm

Regarding the TOPIC
We have updated the manual with the Share function info (APP side) https://help.mikrotik.com/docs/display/ROS/Back+To+Home

anav · Thu Aug 08, 2024 4:21 pm

Thanks Normis for updating the docs.
My question are mostly about the APP.
Specifically, the first questions are about the "Spread the wireguard love" ability of the phone app!

(1) How does the APP on the phone create more peer client instances ( such as for a windows laptop )? When both are no longer under the Routers NetworK, aka at a remote location.
More precisely, the new device (laptop) presumably gets assigned a wireguard IP address.
How does the APP decide which IP to give out?
How does the other end ( the router ) know to accept traffic from that new IP.
OR
How does the punch hole MT cloud server know to accept traffic from that new IP.
OR
Please fill in the missing gap of knowledge I have.
++++++++++++++++++++++++++++++
Secondly, I am trying to find "extra utility" of the BTH app in terms of the QR code generating capability.
Does the phone(app) generate QR codes
OR
Does the router generate QR codes.

GOAL: In manual wg mode setup, the ability to create QR codes for remote users to ingest ( via whats app, email etc.) to easily setup their device, be it generating those qr codes on the bth app on the phone, or via some other means on the router ( ip cloud?)

optio · Thu Aug 08, 2024 4:44 pm

Regarding "GOAL", why mix manual WG setup with BTH app? Better to have ability to export/share configuration of such peers (from manual WG setup) in MT mobile app (not BTH) or in Winbox to have ability to save QR image without need to create screenshot, to use as configuration import into official WG client mobile app.

anav · Thu Aug 08, 2024 5:23 pm

Regarding "GOAL", why mix manual WG setup with BTH app? Better to have ability to export/share configuration of such peers (from manual WG setup) in MT mobile app (not BTH) or in Winbox to have ability to save QR image without need to create screenshot, to use as configuration import into official WG client mobile app.

What?
I am simply trying to understand the functionality available and how to use/apply it, if possible.
Any monkey would rather have functionality available in the native menus, but not asking for MT to change anything just to explain the depth of the functionality available.
Its up to Normis and Co, whether they can adapt, modify or add additional functionality to either BTH app, MT APP, or routerOs.

optio · Thu Aug 08, 2024 5:33 pm

Yes, but thread is for BTH, not manual for WG setup, that's why I mentioned BTH app in first place. Better to have separate topic for such discussions.

sas2k · Sun Sep 01, 2024 12:08 am

Hello Dear Friends.
Is there a way to use bth with rb750gr3?
May be some handmade setup available?
Thank you in advance.

nichky · Sun Sep 01, 2024 6:12 am

@sas2k

there is no way to run BTH on MMIPS.

That is only available on ARM/ARM64/TILE

DDDM · Wed Sep 04, 2024 5:37 pm

This morning my samsung phone was updated. Since then BTH is not working properly, i can barely connect to my Ip cams, to home server, but im unable to use the browsers and others apps getting my home ip and network. Samsung did smting which broke everything (not for the first time) anybody with same problem?

nichky · Thu Sep 12, 2024 9:28 am

how the Share invite link works?

i can see the link, but it doesn't add on that BTH application (mob to mob)

Thu Sep 12, 2024 3:35 pm

send the link to a friend.
friend needs BTH app.
friend clicks on link, and setup opens.

nichky · Fri Sep 13, 2024 2:43 am

@normis

I thing that I figured out.

i was trying with facebook messenger.

teams , whatsapp and messages - all working

Amm0 · Fri Sep 13, 2024 3:15 am

i was trying with facebook messenger.

teams , whatsapp and messenger - all working

Well, the share link returns HTML that requires JavaScript. So if FB tries to "unfurl" (e.g. click the link, to summarize content for a message stream), the BTH link is only a redirect to the App Store with no HTML body - and FB may not like a link that leaves the app or needs JavaScript to render...

Whatever app you select for use with BTH share, when receiver clicks the link... that BTH link needs to run in a real browser, so that query parameters are provided to the BTH home app (i.e. market:// or http://app.apple.com/... which means navigate to an APP) on the shared user's phone. So if shared by email or SMS, then the URL is likely to go through without modification, and email or SMS will send http:// to a browser. So yeah FB processing URL, and blocking stuff to keep you in their ecosystem isn't surprising ;).

<html>
  <head>
  </head>
  <body>
    <script type="text/javascript">
      var userAgent = navigator.userAgent || navigator.vendor || window.opera;
      if (/android/i.test(userAgent)) {
          window.location.replace("market://details?id=com.mikrotik.android.freevpn");
      }
      else if (/iPad|iPhone|iPod/.test(userAgent) && !window.MSStream) {
          window.location.replace("https://apps.apple.com/us/app/mikrotik/id6450679198");
      }
      else {
          window.location.replace("https://mt.lv/bth");
      }
    </script>
  </body>
</html>

rushlife · Tue Sep 24, 2024 9:40 pm

Last update on app lead to unusable state. App on Android is unable to start.

Tested with Samsung s23 with android 14 (oneui 6.1).

anav · Thu Sep 26, 2024 5:22 pm

Regarding the TOPIC
We have updated the manual with the Share function info (APP side) https://help.mikrotik.com/docs/display/ROS/Back+To+Home

Much thanks for these efforts!

nichky · Fri Sep 27, 2024 5:02 am

does anyone play with "Disable VPN when home"?

i'm not expecting to work properly as this is experimental features, but that is so useful.

nichky · Fri Sep 27, 2024 9:29 am

one more thing i noticed today.

when login to back-to-home by using the local lan ip-add , and user and pas from the MT.

With that user you can create and share-users, but with the shared user u can only edit, you cant share

anav · Sat Nov 23, 2024 8:25 pm

Trying to understand BTH some more.
It would appear that it does not function as I thought.
One cannot create QR codes for all remote users and send them each their own QR code, at which time the BTH app on android or Iphone could then simply use to setup their end.
It would appear this can only be one for ONE client.
For PCs, one uses the wireguard client app for windows to copy the qr code or somehow a config file that may also be provided?......

However, it would appear there still may be away of doing this.
I have to use a smartphone on my network to create my own BTH Tunnel.
Then using BTH app functionality as the admin, I can create as many qr codes etc to share with others and send them the qr code or config file provided for each share.

Is this correct??
Bizarre that I cannot do this FROM or AT the router ?????

Amm0 · Sat Nov 23, 2024 8:42 pm

Trying to understand BTH some more.
Is this correct??
Bizarre that I cannot do this FROM or AT the router ?????

Did you look in /ip/cloud/print (first BTH user), or /ip/cloud/back-to-home-users/show-client-config XX (2nd or more BTH users)?

But I just notice is under /interface/wireguard/peer in Winbox4, I don't see the QR code or client for the match BTH peer for the 1st user in UI there – that does seem wrong.... The 2nd "BTH user" does have a client config/QR, and the 1st BTH user client config shows at CLI. But in all cases, the BTH QR/client config appears under /ip/cloud show both QR/client in CLI and winbox4.

anav · Sun Nov 24, 2024 1:09 am

Hi Ammo reading the docs there is only one qr/code one can generate from the router itself, the rest if I read this right, is that you can easily create and manage additional Qr codes and send them all from the admin smartphone.

Amm0 · Sun Nov 24, 2024 2:36 am

Hi Ammo reading the docs there is only one qr/code one can generate from the router itself, the rest if I read this right, is that you can easily create and manage additional Qr codes and send them all from the admin smartphone.

The docs aren't entirely clear, but the "share" ones should have QR codes in RouterOS under IP > Cloud > Back-to-Home User. And if you created a share on the phone, the WG peer config will be there. If you use the "New" in the /ip/cloud/back-to-home-users in winbox to create new BTH users, while you'd pick a key when you do it that way & since winbox isn't a phone, it cannot forward it directly via SMS/email/etc - but the "new" in winbox do same as app.

Now, I might not be understanding the problem. And agree docs are entirely clear about the QR codes for 2nd/"shared" users: https://help.mikrotik.com/docs/spaces/R ... me-IPCloud

But under IP > Cloud in winbox should have QR code for the main user and shared users from app.

Coughy · Sun Nov 24, 2024 4:30 am

you are correct there is a QR code in the
ip/cloud section called
VPN Wireguard client config QRcode

Hi Ammo reading the docs there is only one qr/code one can generate from the router itself, the rest if I read this right, is that you can easily create and manage additional Qr codes and send them all from the admin smartphone.
The docs aren't entirely clear, but the "share" ones should have QR codes in RouterOS under IP > Cloud > Back-to-Home User. And if you created a share on the phone, the WG peer config will be there. If you use the "New" in the /ip/cloud/back-to-home-users in winbox to create new BTH users, while you'd pick a key when you do it that way & since winbox isn't a phone, it cannot forward it directly via SMS/email/etc - but the "new" in winbox do same as app.

Now, I might not be understanding the problem. And agree docs are entirely clear about the QR codes for 2nd/"shared" users: https://help.mikrotik.com/docs/spaces/R ... me-IPCloud

But under IP > Cloud in winbox should have QR code for the main user and shared users from app.

anav · Mon Nov 25, 2024 6:18 pm

Read the docs y..........
Connect to router
Enable DDNS Cloud service: `/ip/cloud/set ddns-enabled=yes`
Enable Back To Home: `/ip/cloud/set back-to-home-vpn=enabled`
Print tunnel configuration: `/ip/cloud/print`
Scan QR Code (`vpn-wireguard-client-config-qrcode`) or Copy config (`vpn-wireguard-client-config`) and enter in preferred WireGuard® client. Only one client at a time will be available to use this config.

In other words, the router itself can only generate one setup via BTH, the rest have to be done from the Admins smartphone.
Just waiting for NORMIS to confirm!

Amm0 · Mon Nov 25, 2024 6:46 pm

As I said, the docs are not very clear. But end of the docs does reference the commands. The wording at top of docs should be changed IMO.

In other words, the router itself can only generate one setup via BTH, the rest have to be done from the Admins smartphone.
Just waiting for NORMIS to confirm!

But you can try in winbox, or via CLI too:

/ip/cloud/back-to-home-users/add allow-lan=no comment="2nd user - added from RouterOS" name="$[/system identity get name] 2nd user" 
:delay 2s 
/ip/cloud/back-to-home-users/show-client-config [find name~"2nd"]

which will show add a new shared/2nd+ user from CLI.
(with a BUG: if you cut-and-paste without [:delay], it does not find the new peer)

And you can see the BTH peer and QR code under WG too (as a dynamic entry):

/interface/wireguard/peer/print
/interface/wireguard/peer show-client-config [find comment~"2nd"]

anav · Mon Nov 25, 2024 7:57 pm

okay hopefully NORMIS will provide his usual clarity. :-) :-)

Tue Nov 26, 2024 8:23 am

Each client has a separate configuration and a separate code. All users are configured in /ip/cloud/back-to-home-users/ section.
Do not ever use the QR code displayed in the "ip cloud" menu to invite somebody else than yourself. That is a one time use code for your self.

Normally you would do all the setup from the BTH mobile app, there it is much easier to understand.

The back-to-home-users menu is a new menu, this is why some of the documentation is conflicting. We will fix that.

anav · Tue Nov 26, 2024 4:28 pm

Hi Normis,

Understood, the One Time user available on the ROUTER itself, is for the ADMIN, to use. I presume this is meant to be put on the admins phone and from there he can easily generate additional qr codes or configs to send to as many clients as he/she,it,they,them etc desires.

I also understand that once folks have accepted the qr code on their smartphone app, or wireguard client app (laptops), etc. the results show up on the associated MT Routers IP Cloud tabs ( users ) and can be configured further if required ( add access to subnets, delete, and probably other options ).

Of special note, much thanks for providing this capability, its not part of wireguard core, but many other apps have implemented some form of qr code generation or another, and MT has managed to incorporate the same right, into the OS BZ! This provides the ability for most users to SAFELY and remotely reach their router and subnets, when one has no access to a public IP. Also for some, removes the need to pay for third party provider to do same.

Now if we can just crack the Routing BUG and wireguard with multi WANs.........

anav · Tue Nov 26, 2024 4:31 pm

anav:1 ammo:0 ( but whose counting) - by the way it looks my advice after inauguration day will cost 25% more jajajaja
( ps dont worry only applies to USA, rest of the world, same free advice, quality not guaranteed until reviewed by mkx/sob and a few others.......... )

Edit................... Damn it to sHELL, Ammo is right again.
anav:0 ammo:1

Amm0 · Tue Nov 26, 2024 6:15 pm

anav:1 ammo:0 ( but whose counting)

Except I'm not wrong. All BTH are just WG peers, and have QR codes. So just like any other peer, don't use the same peer twice. The advice to first one (/ip/cloud), applies to the shared ones too (/ip/cloud/back-to-home-user) - don't use them twice as they have an IP address assigned in peer's client config.

@normis is totally right: the app is easy consumer-friendly way of configuring it - but is still just normal WG under-the-covers and equally configurable from winbox/webfig too.

Amm0 · Tue Nov 26, 2024 6:24 pm

I also understand that once folks have accepted the qr code on their smartphone app, or wireguard client app (laptops), etc. the results show up on the associated MT Routers IP Cloud tabs ( users ) and can be configured further if required ( add access to subnets, delete, and probably other options ).

The peer is created by BTH app when initially shared, it has nothing to do if the end user "accepts" or uses it. The shared peer will appear under /ip/cloud/back-to-home-users once shared.

Now if we can just crack the Routing BUG and wireguard with multi WANs.........

Now here we agree. :)

On the docs...

The back-to-home-users menu is a new menu, this is why some of the documentation is conflicting. We will fix that.

Perhaps describing how it works "under the covers" might help these questions in the future. AFAIK, from RouterOS and WG client, BTH is still just a WG peer - just with DNS name that MAY use Mikrotik's custom "WG proxy" server & some dynamic firewall rules based on /ip/cloud/back-to-home-users allow-lan=.

anav · Tue Nov 26, 2024 7:10 pm

Wont say you are wrong, I would rather use obtuse! ;-)

First though, I would agree that the associated MT router probably receives the new peer information UPON creation on the admin's smartphone.
My assumption was that the router gets populated upon first hookup attempt. However after reading your post it makes sense upon profile creation. The MT relay server has no storage capacity to hold information and thus upon first contact wont work as the router would not know about the incoming yet!!

Except I'm not wrong. All BTH are just WG peers, and have QR codes. So just like any other peer, don't use the same peer twice. The advice to first one (/ip/cloud), applies to the shared ones too (/ip/cloud/back-to-home-user) - don't use them twice as they have an IP address assigned in peer's client config.

The function of the ROUTER generated BTH client is NOT the same as the ones created via MANAGE SHARES.
The function of the ROUTER generated BTH client is to create ONE client and we should call it the MASTER Client peer.
This Master client Peer, typically on the admins smart phone, using the BTH app, is then used to generate AS MANY further client peers as required.

No one indicated that one should only generate one user profile in Managed Shares and then send that single client setup to all users. ??????????????

Amm0 · Tue Nov 26, 2024 7:28 pm

It's WG, so all are peers. The app and /ip/cloud just always create ONE peer upon enabling it. If you need more, you need the "managed shared" (or /ip/cloud/back-to-home-users). On the "shared" ones, there is the additional option to allow-lan= so that the only difference AFAIK.

So there is actually no difference from a shared user/peer (if allow-lan=yes) and the "MASTER" one.

anav · Tue Nov 26, 2024 8:41 pm

It's WG, so all are peers. The app and /ip/cloud just always create ONE peer upon enabling it. If you need more, you need the "managed shared" (or /ip/cloud/back-to-home-users). On the "shared" ones, there is the additional option to allow-lan= so that the only difference AFAIK.

So there is actually no difference from a shared user/peer (if allow-lan=yes) and the "MASTER" one.

Disagree, the only thing in common is that they use the same wireguard interface.
They both allow a user to access the internet and if the admin dictates also access to the LAN

Beyond accessing the router ( for internet or lan access ) there is nothing else in common
Note: If it wasn't obvious the (second to infinity) client peers are not for access to the router itself!

So its crystal clear!!! Beyond normal use client peers 2 to infinity in BTH have no purpose/function

The ROUTER initiated client peer, ( the one that should go on the admins smartphone ) can, via Managed Shares, create additional peer clients to the same router. The client peers (second created to infinity) CANNOT create additional peer clients.

They are not equal.....
There must be a hook in the BTH app that is set by the MASTER PEER config, created on the Router. The BTH app recognized the additional hidden sent info, and authorizes the BTH app at that device to have a CONFIG generation capability. Perhaps even only allowing that peer to even show MANAGE SHARES as a tabbed option.

Amm0 · Tue Nov 26, 2024 9:12 pm

The ROUTER initiated client peer, ( the one that should go on the admins smartphone ) can, via Managed Shares, create additional peer clients to the same router. The client peers (second created to infinity) CANNOT create additional peer clients.

They are not equal.....

Now I get the confusion. The thing is you can use a normal WG client app with the BTH config from /ip/cloud/back-to-home-users, and it work the same as for the 2+ BTH peers.

FWIW, BTH app is what's confusing. In app, you still login to router using normal winbox/etc credentials that internally modifies BTH/WG config on router. The 1st WG alone does not let you modify users either - it's the saved router password in app that does that.

anav · Wed Nov 27, 2024 4:41 am

Not sure what you mean. If a user (not admin) uses the BTH app to setup a BTH tunnel after receiving the QR code, or URL link or export config file generated on the admins smartphone, then the user access is done through the BTH app, not the standard wireguard app.

Now what has not been explained at least to my knowledge and not in docs, is what happens if I take that QR code (a user generated by Manage Shares ) and try to import into the regular plain wireguard app. Me thinks its proprietary to the MT BTH setup and thus would not work on the ordinary wireguard app.

Now in case the admin doesnt have a smart phone and still wants a wireguard connection to another device, presumably a PC, then one can manually do the dirty deed by using the QR code generated in the BTH VPN WireGuard Tab selection ( identical to /ip/cloud/print ( this entry is meant to be used when only a single user presumably admin is involved ).

Instead of this config going on a smartphone for the BTH app, it can go on any device ( usually a PC ) but I imagine also a smartphone but USING the standard wireguard app.
The downside, of course, is that its a ONE OF, and the admin cannot generate further user accounts from this connection.

Amm0 · Wed Nov 27, 2024 5:42 am

Not sure what you mean. If a user (not admin) uses the BTH app to setup a BTH tunnel after receiving the QR code, or URL link or export config file generated on the admins smartphone, then the user access is done through the BTH app, not the standard wireguard app.

That why the app is more confusing. Yes, BTH is also a wireguard client too - beyond it role to configure BTH. So, yes, the shared ones don't need the router user/password. But the provisioning step can always be done with "Create New" in app - which is where you need router user/password to do. Now how the app works is not the hill I'm going to die on, so could be slightly off –as I said it's MORE confusing than winbox/CLI - at least to me.

Now what has not been explained at least to my knowledge and not in docs, is what happens if I take that QR code (a user generated by Manage Shares ) and try to import into the regular plain wireguard app. Me thinks its proprietary to the MT BTH setup and thus would not work on the ordinary wireguard app.

Nope. It should work, or at least that's how I use a BTH "shared user" on my Mac. And just retested with cut-and-paste client config from the "2nd BTH" user CLI shown.

BTH 2nd User Using MacOS WG Client.png

which was actually my 3rd user ... so it got automatically assigned an 192.168.216.4 / ::4 - since the default values will automatically use the next greatest IP with BTH subnet.

And the proxy support, if needed, will still work with the normal WG client too.

do the dirty deed by using the QR code generated in the BTH VPN WireGuard Tab selection ( identical to /ip/cloud/print ( this entry is meant to be used when only a single user presumably admin is involved ).

Assuming you were NOT already using the "Main"/MASTER client on your phone already. Otherwise, you'd need to hit the "Back to Home User" button in IP>Cloud to get the 2nd++ "peer".

Also, I find just cut-and-paste the "Client Config" text is easier than using a QR code if you're on a PC. QR code should work same, but I don't use it so not 100%.

anav · Wed Nov 27, 2024 6:21 am

Okay to be clear, it seems what you are saying is that you can take a wireguard config generated by the admin on the admins smartphone, for another user, using the Manage Shares approach, and it can be applied to any normal WIREGUARD APP, aka on smartphone or PC etc. ( stating that the BTH app is NOT required/mandatory )??

Just trying to figure out the use/advantage of BTH app ??
Maybe a easy way to give someone wan access without touching the normal WG config?
Maybe an easy w ay to give someone access to the LAN without touching the normal WG config..

Amm0 · Wed Nov 27, 2024 6:33 am

Yup. App is not mandatory, as EVERYTHING can technically be done using RouterOS winbox/CLI alone.

As @normis suggests, the app may be easier. Although just enabling BTH under /ip/cloud is not very hard either (i.e. it's a radio button, which enables BTH & gets you 1st WG client, and then with "Back To Home Users" button, any 2nd user will automatically generate keys/config/IP.

anav · Wed Nov 27, 2024 4:27 pm

Okay so its just a convenience APP for the users second to infinity. The only critical use of the BTH app is for the first user ( admin ) as that account on that phone is the only one where the APP has MANAGE shares capability. The PRIMARY config loaded! You know its very annoying that your right ;-)

Amm0 · Wed Nov 27, 2024 4:45 pm

You know its very annoying that your right ;-)

Can we agree to blame Mikrotik's docs? :)

BTH is actually pretty elegant since it really just uses DDNS to determine if proxy is needed, but always still plain WG. The docs are just bad (overly complex for simple case & not enough info for someone like you who knows WG to understand how it works).

anav · Wed Nov 27, 2024 4:49 pm

I am working on that bit ( improving docs ) and is why I am being nitpicky in my understanding.
I forget, where do the firewall rules show up that allow a USER to access the WAN and possibly the LAN???

Amm0 · Wed Nov 27, 2024 4:55 pm

I am working on that bit ( improving docs ) and is why I am being nitpicky in my understanding.
I forget, where do the firewall rules show up that allow a USER to access the WAN and possibly the LAN???

On firewall, there is an address-list named "back-to-home-lan-restricted-peers" in /ip/firewall/address-list that get dynamically added by BTH code on RouterOS If "allow-lan=no" in /ip/cloud/back-to-home-users.
Along with DYNAMIC /ip/firewall/filter rules that enforce it:

0 D ;;; back-to-home-vpn
chain=forward action=drop
src-address-list=back-to-home-lan-restricted-peers
out-interface-list=LAN
1 D ;;; back-to-home-vpn
chain=input action=accept protocol=udp dst-port=25297

BTH also adds a NAT rule just by enabling BTH for the 1st peer:

0 D ;;; back-to-home-vpn
chain=srcnat action=masquerade src-address=192.168.216.0/24

Only the DDNS part is magic in BTH.

optio · Wed Nov 27, 2024 5:39 pm

On which WG peer endpoint BTH users (non admin - for which is shared) are connecting if they are possible to use WG VPN app? Always to MT cloud host? It is not possible to get P2P WG connection then even if ROS device WG peer has public access? If DDNS host is resolved to ROS device IP, WG VPN app will fail to connect if there is no public access (for eg. CGNAT), if is resolved to some MT cloud host then it always uses that host and connection is tunneled through it.
Maybe it is the case that some service on MT cloud checks in some interval (or maybe per resolve but I doubt because of DNS caching behavior) if there is WG public access and assigns public IP of ROS device to DDNS host, if not then assigns IP of cloud host.

anav · Wed Nov 27, 2024 5:58 pm

As AMMO stated, the magic is the DDNS part of the BTH user config ( allowed IPs ). I am assuming this sends the user to the MT server. The server keeps track if the Mikrotik Router has a direct type of connection and then rejigs the destination/source address type information such that the BTH Users traffic then goes direct to the MT router.
So its not dependent upon which APP is uses, the key is the DDNS address being used.

optio · Wed Nov 27, 2024 6:04 pm

Not sure I follow, how traffic can go directly to MT router if WG endpoint DDNS IP address is always some MT server? Unless IP is, as I wrote, dynamically assigned on DDNS service depending on WG public access detection. This can be easily checked by resolving DDNS host from WG peer endpoint configuration and see which IP is resolved in both cases - when ROS device has public access and when not (or maybe just by blocking in firewall BTH WG peer port from WAN on ROS device).

anav · Wed Nov 27, 2024 8:06 pm

Because the destination and source addresses are kept up to date by Wireguard ROS at either end, so MT ensures that if there is a direct connection that the client uses the direct dst IP address instead of the DDNS one. I am assuming that in the traffic back to the client, the BTH connection sends the updated endpoint address...........
This would work whether the client config was made on the BTH app or Wireguard app.

optio · Wed Nov 27, 2024 8:34 pm

Hmm, let say that ROS device WAN access at certain point is changed, goes behind CGNAT or oposite while BTH WG configuration is already shared, then in such case shared configuration becomes invalid? Assuming that shared WG peer endpoint is set in config to host depending when shared configuration is made, it doesn't seem flexible for LTE mobile routers (in some cases WAN access can be behind CGNAT or not if MO SIM is changed...). I would love to see plain text config for shared WG peer from QR to understand this, don't have BTH setup on my router to check...

Amm0 · Wed Nov 27, 2024 10:10 pm

Well, BTH is actually useful for LTE for a router-to-router WG with a CGNAT. This is use case @normis does not quite get with the "always use app" approach, and why I persist in explaining it since regular WG will not use BTH's "relay" server hosted by Mikrotik to deal with hole punching. (I used "proxy" above, by relay may be more accurate)

Hmm, let say that ROS device WAN access at certain point is changed, goes behind CGNAT or oposite while BTH WG configuration is already shared, then in such case shared configuration becomes invalid? Assuming that shared WG peer endpoint is set in config to host depending when shared configuration is made, it doesn't seem flexible for LTE mobile routers (in some cases WAN access can be behind CGNAT or not if MO SIM is changed...). I would love to see plain text config for shared WG peer from QR to understand this, don't have BTH setup on my router to check...

/ip/cloud DDNS being enabled is required for BTH. And they use an additional DNS FQDN per router for the endpoint <sn>.vpn.mynetname.net. And that's what's used as the "Endpoint" in WG config. The value of the *.vpn.mynetname.net name is EITHER a public IP detected by /ip/cloud's DDNS, or if DDNS detects a NAT then DNS name resolves to Mikrotik BTH reply.

I know it does switch, but not sure the exact timing. I'd imagine it follows the value ddns-update-interval= under /ip/cloud to update if DNS name uses replay/proxy or direct, plus the DNS TTL — but I did not explicitly test this. I do know it will switch modes, and the WG clients don't care, other than not working while the DDNS is updated/expire-from-cache.

Here a sample (with keys/etc changed) of the WG the same CLI above generates:

# Name = bigdude 2nd user
# CloudDDNS = xxxx0a11yyyy.sn.mynetname.net

[Interface]
ListenPort = 51820
PrivateKey = AbcdAbcdiroehZ7kxlFj52qGrzAZogUk3kllvAbcd=
Address = 192.168.216.4/32, fc00:0:0:216::4/128
DNS = 192.168.216.1

[Peer]
PublicKey = Zxywo/62fHo/pe0g1JFdEkNZTHhZxywLdF+2ZxywFhz=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxxx0a11yyyy.vpn.mynetname.net:25297
PersistentKeepalive = 30

[Peer]
PublicKey = //////////////////////////////////////////8=
AllowedIPs = 0.0.0.0/32
Endpoint = xxxx0a11yyyy.sn.mynetname.net:25297
PersistentKeepalive = 15

optio · Wed Nov 27, 2024 10:28 pm

The value of the *.vpn.mynetname.net name is EITHER a public IP detected by /ip/cloud's DDNS, or if DDNS detects a NAT then DNS name resolves to Mikrotik BTH reply.

I know it does switch, but not sure the exact timing. I'd imagine it follows the value ddns-update-interval= under /ip/cloud to update if DNS name uses replay/proxy or direct, plus the DNS TTL — but I did not explicitly test this. I do know it will switch modes, and the WG clients don't care, other than not working while the DDNS is updated/expire-from-cache.

That I was assuming when I wrote previously that DDNS host IP is changing depending on public access and it makes sense to work like that to have WG endpoint available in any WAN access case. Thx for clarifying and config sample.

anav · Wed Nov 27, 2024 10:54 pm

So in summary, its transparent to the end user, and hence why both apps can be used.

Amm0 · Wed Nov 27, 2024 11:21 pm

So in summary, its transparent to the end user, and hence why both apps can be used.

Yup. Just WG peer, with special DNS name.

anav · Wed Nov 27, 2024 11:33 pm

I want to know more about this line............ In case of going through relay, speed could be limited.

Clearly we have limits on client end for ISP, and limits at Router end from its associated ISP connection and then there are losses due using VPN.
So are they saying on top of that there may be additional losses due to
a. bottleneck at Servers ( heavy load )?
b. depends on physical distance from server?

Also the Manage shares creates three methods. need to confirm the below.......
AN URL LINK ( assuming this works only with the BTH app - limited to smartphones with the BTH app )
A QR code which works with both BTH app and wireguard app - so good for all devices
A config file which is primarily designed for PCs and wireguard app.

Lastly, when one selects the URL link to share or the CONFIG file, apparently the smartphone automatically prompts using the standard share choices, to send the LINK or config file to another person.........
BUT what about the second QR code method. In the DOCS it says view.
SO no automated cell phone prompts? Does one have to physically select it to get the cell phone prompts, do you have to take a screen shot............what is the process........not clear for QR code.

okomor13 · Thu Dec 05, 2024 9:56 pm

I have a question about relaying. My Mikrotik router is behind a CGNAT connection, so the IPv4 address I receive from my provider is not directly accessible from outside. I have assigned a static IPv4 via an IPIP6 tunnel through a server and added a global route in a separate routing table. With the appropriate mangle entries, an existing Wireguard configuration works perfectly through it.

However, I would like to use the IP/Cloud features, including BTH, and to enforce the use of the static IPv4, I redirected all requests to `cloud2.mikrotik.com` via the static IP using output mangle. The `Public Address` in DDNS then directly shows the static IP. But the `VPN Relay IPv4 Status` in BTH still says `reachable via relay`.

I would like to bypass the relaying, as a direct connection or a connection through my own server is significantly faster.

Is another host then cloud2.mikrotik.com being used to determine reachability of BTH Wireguard?

Amm0 · Fri Dec 06, 2024 3:12 am

(I was hoping @normis would chime in, since @anav asks good questions. But I'll try...)

I want to know more about this line............ In case of going through relay, speed could be limited.

Clearly we have limits on client end for ISP, and limits at Router end from its associated ISP connection and then there are losses due using VPN.
So are they saying on top of that there may be additional losses due to
a. bottleneck at Servers ( heavy load )?
b. depends on physical distance from server?

Kinda both.
a. Normal traffic via an ISP will eventually take many paths. With any proxy/relay, you're forcing a 2nd point where all traffic must flow (with the ISP to site is 1st and last point). So if relay'ed, there is still some finite bandwidth available.
b. There is a North American relay server so latency is better than when first introduced. But distance add latency. So for gaming/"live media", longer latency will affect the experience. How much depend on if the remote end being on same ISP or closer interconnect. But if it's traffic already going across oceans/continents, proxy'ing may not that be significant. Also, inner TCP traffic with a higher latency will generally be "slower" than one with a low latency. This is because TCP congestion control often uses latency to determine how fast to send packets.

Also the Manage shares creates three methods. need to confirm the below.......
AN URL LINK ( assuming this works only with the BTH app - limited to smartphones with the BTH app )
A QR code which works with both BTH app and wireguard app - so good for all devices
A config file which is primarily designed for PCs and wireguard app.

Lastly, when one selects the URL link to share or the CONFIG file, apparently the smartphone automatically prompts using the standard share choices, to send the LINK or config file to another person.........
BUT what about the second QR code method. In the DOCS it says view.
SO no automated cell phone prompts? Does one have to physically select it to get the cell phone prompts, do you have to take a screen shot............what is the process........not clear for QR code.

The URL LINK from app is different. It's a some web page with tricks that redirects (which can be URL to apps) — so that one is different. But the QR code and config file are identical - QR codes just store bytes, so its just stores the same ASCII config file in QR code as bytes (which you can verify on Linux/Mac with zbarimg from a screen grab of QR).

So for the official desktop WireGuard app, the config file is easier. For the mobile WireGuard, the QR code will scan from WG mobile app and work same as BTH app if needed.

Amm0 · Fri Dec 06, 2024 3:19 am

I have a question about relaying. My Mikrotik router is behind a CGNAT connection, so the IPv4 address I receive from my provider is not directly accessible from outside. I have assigned a static IPv4 via an IPIP6 tunnel through a server and added a global route in a separate routing table. With the appropriate mangle entries, an existing Wireguard configuration works perfectly through it.
[...]

When I hear mangle and WireGuard ... often there are "strange" interactions. I guess my question is does /ip/cloud say "behind a NAT"? AFAIK that what's triggers using the proxy method in my observation - but could be wrong.

Also, since you're trying to run another tunnel, I'm not sure the MTU calculation be right in the default BTH config. And also I'm not sure it's possible to adjust the MTU for BTH's WG interface either...

okomor13 · Fri Dec 06, 2024 8:31 am

No, I’m not using mangle for Wireguard but rather to get DDNS detection to recognize the static IPv4 instead of the one behind my provider’s CGNAT. The static IPv4 is not forwarded via NAT but routed through the IPIP6 tunnel. This has been working flawlessly in manual configuration for years.

Yes, it says "Router is behind a NAT. Remote connection might not work". But I’m wondering why BTH doesn’t even try to reach the IP address that's used for DDNS. What’s the point of hole punching if it doesn’t even attempt to reach the known IP?

anav · Mon Dec 09, 2024 4:05 pm

@Ammo: does this sound right.
Challenge: Allow BTH users to go out internet and LAN.

a. Establish BTH network with 5 users plus admin
b. Do select NO for lan access initially --> I have a reason. :-)

Go to /ip/firewall/address-list and copy down all the user Ip addresses.

c. Unselect NO for lan access ( so users can acccess LAN)

d. Go to /ip firewall address-list and MANUALLY RECREATE the list.
Name it, BTH TO WAN
/ip firewall adddress-list
add userIP1 list=BTH-to-WAN
add userIP1 list=BTH-to-WAN
....
add userIP6 list=BTH-to-WAN

e. add firewall rule
add chain=forward action=accept comment="Bth users Internet" src-addres-list=BTH-to-WAN out-interface-list=WAN

anav · Mon Dec 09, 2024 4:05 pm

No, I’m not using mangle for Wireguard but rather to get DDNS detection to recognize the static IPv4 instead of the one behind my provider’s CGNAT. The static IPv4 is not forwarded via NAT but routed through the IPIP6 tunnel. This has been working flawlessly in manual configuration for years.

Yes, it says "Router is behind a NAT. Remote connection might not work". But I’m wondering why BTH doesn’t even try to reach the IP address that's used for DDNS. What’s the point of hole punching if it doesn’t even attempt to reach the known IP?

You dont do anything....
Just enable IP cloud and BTH and the router handles the connection.

Amm0 · Mon Dec 09, 2024 7:19 pm

@Ammo: does this sound right.
Challenge: Allow BTH users to go out internet and LAN.
a. Establish BTH network with 5 users plus admin
b. Do select NO for lan access initially --> I have a reason. :-)
Go to /ip/firewall/address-list and copy down all the user Ip addresses.
c. Unselect NO for lan access ( so users can acccess LAN)
d. Go to /ip firewall address-list and MANUALLY RECREATE the list.
Name it, BTH TO WAN
/ip firewall adddress-list
add userIP1 list=BTH-to-WAN
add userIP1 list=BTH-to-WAN
....
add userIP6 list=BTH-to-WAN
e. add firewall rule
add chain=forward action=accept comment="Bth users Internet" src-addres-list=BTH-to-WAN out-interface-list=WAN

Now you got me confused... But the BTH user IP address range is 192.168.216.2...X, so you can always use IP in a firewall rules (or address-list too) — but this match the config assigned the /ip/cloud/back-to-home-users... So you always know the client IP from the saved config. So I'm not sure the added step to determine the client IP is needed. Maybe I'm not getting the problem, too....

anav · Mon Dec 09, 2024 8:28 pm

I am not aware of the address range used, so you are saying it starts the first one given to the admin on his smartphone as 192.168.216.2 and the next .3 and so forth.

In that case yes,
Just go straight to firewall rules.
add chain=forward action=accept comment=BTH WAN" src-address-list=BTH-users out-interface-list=WAN

where;
/ip firewall adddress-list
add 192.168.216.2 list=BTH-to-WAN
add 192.168.216.3 list=BTH-to-WAN
....
add 192.168.216.XX list=BTH-to-WAN

or perhaps only a select few are allowed by OP etc........

Amm0 · Mon Dec 09, 2024 8:34 pm

I am not aware of the address range used, so you are saying it starts the first one given to the admin on his smartphone as 192.168.216.2 and the next .3 and so forth.

Yup, admin/"1st user" is 192.168.216.2, and any added BTH users/"2nd+ users" start at .3, ...

okomor13 · Mon Dec 09, 2024 8:45 pm

You dont do anything....
Just enable IP cloud and BTH and the router handles the connection.

Well, as I wrote. BTH uses the IP I have via CGNAT and not the static IP even if I force the DDNS service to detect the static one. That leads into the situation that BTH works only via relaying over IPv4 and not direct connection. But the connection over my server and the static ip is much faster then the relay service from mikrotik.

So it would be good to know how BTH detects the IP address that should be used and why it differs from DDNS

anav · Mon Dec 09, 2024 8:47 pm

So your saying that I ping your public IP it will get to you??
In that case why are you even using BTH, I mean if you have a public IP??
So I can reach a server on your LAN easily then.

okomor13 · Mon Dec 09, 2024 8:51 pm

So your saying that I ping your public IP it will get to you??
In that case why are you even using BTH, I mean if you have a public IP??
So I can reach a server on your LAN easily then.

Yes you will.

Because BTH is a bit simpler to configure (via app) and should work even if my (IPIP6) tunnel is temporarily offline.

anav · Mon Dec 09, 2024 9:33 pm

So your saying that I ping your public IP it will get to you??
In that case why are you even using BTH, I mean if you have a public IP??
So I can reach a server on your LAN easily then.
Yes you will.

Because BTH is a bit simpler to configure (via app) and should work even if my (IPIP6) tunnel is temporarily offline.

Well your mixing in IPV6 into BTH or regular wireguard and I know nothing about such freaky things, its on par with capsman, a complexity I joyfully live without. :-)

okomor13 · Mon Dec 09, 2024 10:01 pm

Nothing freaky. Just another hop over the tunnel. But no NAT, Proxy or anything else. It's a regular IPv4 assigned to a (virtual) interface :-) As I wrote: Everything works fine with a manual wireguard config since years. But I wanted to use BTH because it has a fallback through the relaying service. I just wonder why it doesn't use the IP from DDNS. I got DDNS to use the static ip from the alternate route and not from the primary internet connection but BTH just ignores it ....

anav · Wed Dec 11, 2024 3:36 am

Yes, and the rest of the IPs follow in order for additional members.

anav · Wed Dec 11, 2024 3:38 am

Great service if it was reliable, but since it relies on Mikrotik servers, and since they dont protect their servers, the BTH and IP cloud in general is not fit for business and should only used for home environments, case in point today with Issues, which also are disrupting forum posting and access. Mikrotik really needs to pay for cloudflare protection.

Wed Dec 11, 2024 9:53 am

anav, did you notice which words make up "BTH"?

anav · Wed Dec 11, 2024 3:51 pm

Yes i did and thus made the following suggestion to aid in MT communications and transparency.
viewtopic.php?t=213203#p1114262

I should add another one..... for the CLOUD page:
Summary

MikroTik offers multiple services for your RouterBOARD devices that are connected to the Internet. These services are meant to ease the inconveniences when configuring, setting up, controlling, maintaining, or monitoring your device. A more detailed list of available services that IP/Cloud can provide can be found below.
Services

Caution1: Be aware that if the router has multiple public IP addresses and/or multiple internet gateways, the exact IP used for communicating with MikroTik's Cloud server may not be as expected!
Caution2: IP/Cloud requires a paid perpetual license for Cloud Hosted Router (CHR).
Caution3: Cloud services are not supported on x86 systems.
{new} Caution4: Cloud services are convenient and free but should not be used for business purposes as server uptime cannot be guaranteed.

Wed Dec 11, 2024 4:10 pm

the name literally includes the word "home"

infabo · Wed Dec 11, 2024 4:13 pm

It is up to the individual to use it for business purposes. Some can live with outages. Like many people worldwide can live without electricity for many hours of the day quite fine.

So: "Caution 4: While cloud services offer convenience and are free, their service uptime cannot be guaranteed."

infabo · Wed Dec 11, 2024 4:17 pm

the name literally includes the word "home"

"The Dude" literally includes the word "dude". But how can a software be a dude? So please be serious: BTH is a product name. It could also be named "Phone to Home" and still be the same service. Wireguard and no real telephone. Or "Wireguard Dude" - still no dude.

anav essentially pointed out, in anav way, the importance of clearly stating that the BTH service - or IP Cloud in general - does not guarantee availability. It's better to repeat this point twice than risk any misunderstanding.

Wed Dec 11, 2024 4:19 pm

Looks like somebody has not read the manual. Please stop with the stupid trolling.

anav · Wed Dec 11, 2024 4:37 pm

Looks like somebody has not read the manual. Please stop with the stupid trolling.

Hey if that comment is for me, I am actually trying to provide constructive improvements to the guides. It would better inform new persons and also enable the correct and smart rextended's of the world, to respond with please read MT documentation where it states x,y,z , although I prefer his sarcastic take downs :-)

If that comment is not for me, I am still trying to provide constructive improvements to the guides. It would better inform new persons and also enable the correct and smart rextended's of the world, to respond with please read MT documentation where it states x,y,z , although I prefer his sarcastic take downs :-)

Inspired by.
The Pros and Cons of examining things closely.
PRO --> you might find out what it is!
CON --> you might find out what it is!

Amm0 · Wed Dec 11, 2024 4:55 pm

I'm with @anav here.
@normis you have to realize you come off as insulting to your users sometimes, including me.

the name literally includes the word "home"

There was an incident, and it's "blame the user"? And that "home" in name means unreliability?

Most vendors often write up detail blog post/etc on major outages, with the ending what efforts are being done to prevent them.

Folks have suggests a status page, better monitoring, backup site, self-hosted BTH solution for ISP/OEMs, etc., etc. No comment, or action plan to prevent in future.

Y'all sell LTE devices with 16MB of RAM that make using ZeroTier rather risky and containers out of the question. So BTH is sometimes the only "hole punching" NAT available for these LTE devices. And I think it's a well designed for it. But I guess I'm the dumb one who used BTH instead of burning money+time to netinstall units in the field – which was only necessary because of added "home features" in past releases.

WarlorZ · Sat Jan 04, 2025 10:05 am

Hello Mikrotik..

Of late recently i been noticing the BacktoHome vpn randomly activates - without me requesting the connection thereoff.
This is all while my mikrotik rb itself is turned off during non-use..
Start VPN after phone reboot - off
Disable VPN when home - off

Andriod BacktoHome 0.34

I been noticed it on my Samsung Note 20 5G (while on wifi) -
OneUI version 5.1
Andriod version 13
Baseband version : N981BXXSEHXJ1
Build Number : TP1A.220624.014.N981BXXSEHXJ1

Secondly i only seem to get it to run off my wifi connection via WAN, 3G connection cannot seem to make connection which i think may be a ISP issue.

Please request more information if needed... any advise on fixes would be greatful.

Once again thanks to mikrotik and the community for great work and support.

WeWiNet · Wed Jan 08, 2025 9:17 am

Setting up BTH works like a charme on Android.

The problem I have, despite setting to off the option "Start VPN automatically after Reboot", BTH always gets active after reboot and has to be disabled manually
This is on Android 14.

Will that get solved anywhere in the future?

anav · Sat Jan 11, 2025 6:49 pm

Fresh Questions:

Observation: One only needs the APP to create the first user ( the smartphone itself ). It automatically turns on BTH VPN, and creates the first two entries!
I had thought one needed to manually turn on BTH VPN in ip cloud first.

1. When creating the the tunnel from the phone it would appear that two peers are created, the actual smartphone itself 192.168.216.3 and..........

a. the first peer, 192.168.216.2 appears to be the MT cloud relay peer reference and it has two entries I dont understand:
peer user, (ones smartphone), the dynamic client peer setting has two entries I dont understand.

i. persistent keep alive of 5 seconds??
I can understand on the client device of having a persistent keep alive, what is the purpose of this one ???
I suppose the router needs to keep pinging the mt cloud server for some reason??

ii. allowed address of: fc00:0:0:216::2/128
what does this actually mean, or translate to.
Is this so that the router accepts any traffic from the MT cloud bTH server and why doesnt the actual IP suffice ??

c. responder box is checked?
Why, on normal wireguard this is not utilized from what I recall??
What is the purpose of this being checked? ( on both the .2 (MT cloud peer) and .3, the iphone 1st master peer)

d. dynamic nature of peer?
Why cannot we make any of the peers peer static with one button selection...............

+++++++++++++++++++++++++++++++++++++++++++++++++++

2. In terms of firewall rules, I see that the router automatically gets an input rule for wireguard, and assuming this covers the case if router does have a public IP and thus devices can talk directly to the router.

3. Although LAN was checked for bth client access, I do not see any forward firewall rule allowing this????

Amm0 · Sun Jan 12, 2025 6:40 pm

One only needs the APP to create the first user ( the smartphone itself ). It automatically turns on BTH VPN, and creates the first two entries!
I had thought one needed to manually turn on BTH VPN in ip cloud first.

It's likely best to do it phone BTH app - so you can test it first. But doing it via CLI, "/ip/cloud/set back-to-home-vpn=enabled" is identical, except your phone would not then have the first user.

1. When creating the the tunnel from the phone it would appear that two peers are created, the actual smartphone itself 192.168.216.3 and..........
a. the first peer, 192.168.216.2 appears to be the MT cloud relay peer reference and it has two entries I dont understand:
peer user, (ones smartphone), the dynamic client peer setting has two entries I dont understand.

Router running BTH gets the .1 address (i.e. the back-to-home WG interface), with the first peer getting .2 (with peer information in top-level /ip/cloud), then any "shared users" / n-th peers are number .3, .4, .5, ... (with the peer stored in /ip/cloud/back-to-home-users, or the same named button in winbox).

i. persistent keep alive of 5 seconds??
I can understand on the client device of having a persistent keep alive, what is the purpose of this one ???
I suppose the router needs to keep pinging the mt cloud server for some reason??

Dunno exactly... But the lower it is the sooner BTH can re-calculate status. And, since OTHER devices's NAT might be involved, it ensure any OTHER NAT connection mapping do not get flushed and remained tracked.

ii. allowed address of: fc00:0:0:216::2/128
what does this actually mean, or translate to.
Is this so that the router accepts any traffic from the MT cloud bTH server and why doesnt the actual IP suffice ??

It's the IPv6 version of BTH fixed private IP range, so same as 192.168.216.2. And fc00::/8 is like 10.x.x.x,... private ranges for IPv6, so Mikrotik reuses some of the private/non-routable IPv6 for BTH use. But it ensure each peer always gets a fixed BTH IP address for IPv6 too, which you might want for any IPv6 routing over WG. The ::2, ::3 should follow same numbering as IPv4.

c. responder box is checked?
Why, on normal wireguard this is not utilized from what I recall??
What is the purpose of this being checked? ( on both the .2 (MT cloud peer) and .3, the iphone 1st master peer)

To be able to accept traffic from Mikrotik BTH proxy servers when proxied. And also the more "traditional" use when your router has a public IP. So needed BOTH proxied and direct modes.

d. dynamic nature of peer?
Why cannot we make any of the peers peer static with one button selection...............

Because they don't want to have two places to manage BTH, and most dynamic entires (outside DHCP) work like this - i.e. you disable dynamic config via the other/actual config option that caused it to be enable. Since the WG peers got created by via /ip/cloud and /ip/cloud/back-to-home-users, that how they removed/changed too. Now nothing stops you from "copy" a BTH peer shown under /interface/wireguard/peer, and adding it as new one to make it static - although I haven't tested that.

2. In terms of firewall rules, I see that the router automatically gets an input rule for wireguard, and assuming this covers the case if router does have a public IP and thus devices can talk directly to the router.

Correct. And it's also dynamic, so firewall rule is removed if BTH is disabled/"revoked" in /ip/cloud

3. Although LAN was checked for bth client access, I do not see any forward firewall rule allowing this????

It's allowed since there [yet another] dynamic config item to add the back-to-home WG interface as a LAN interface-list (/interface/lists) - so the default firewall rule that allows LAN, allows BTH by default.

Blocking LAN access happens indirectly via /ip/firewall/address-list (back-to-home-lan-restricted-peers) and dynamic config in /ip/firewall/filter that drops based on the address-list. So by checking the "Allow LAN" button for a user, controls whether the BTH peer's IP address gets added to that ip address-list in firewall.

anav · Mon Jan 13, 2025 5:29 am

The dynamic firewall rules are annoying, They cannot be moved. Also the block list forward chain rule should only show if the ALLOW LAN has not been selected.
Still working my way through this functionality..........

nichky · Mon Jan 13, 2025 9:57 am

back-to-homes is perfect solution.
I found useful for the phones, however i have some issue with the DNS-Server as that is not reflecting to the clients, so for that one we have to use IKE2 , as there is a feature split-dns/system-dns

anav · Mon Jan 13, 2025 5:16 pm

1. Do I need to keep the IPV6 addresses, even though I am strictly using IPV4, in other words does MT relay server require that for all devices??

2. The dynamic firewall rules are flaky. If I, after creating the user, change the LAN allow in IP Cloud settings to NO, it is too late.
No firewall rule is made to block LAN access. Further I noticed on another user I was helping they had a block list firewall address list made up to block LAN,
and this rule was NOT removable, even after we changed the IP Cloud setting to ALLOW for LAN.

Thus these dynamic rules are setup and then left there. I could not even delete the block LAN rule......or move it.
Something is not quite right in functionality or my understanding or both. :-)

3. Assuming the allow LAN rule, which I havent actually seen yet, only block rule............
is basically non-existant as it relies on the default condition of forward chain which only blocks non dst-nattted traffic from WAN.
Thus if one constructs vlans for example one must add a forward chain rule to ensure BTH traffic reaches a specific subnet??

I dont see any allow bth to interface-list=LAN rule thats for sure.......

Amm0 · Mon Jan 13, 2025 6:31 pm

1. Do I need to keep the IPV6 addresses, even though I am strictly using IPV4, in other words does MT relay server require that for all devices??

IPv6 address are not required on the peers or router, although it will be generated in the sample/exported/shared config.

But on IPv6... keep in mind if you have IPv6 enabled/worked to internet, and say the WAN's IPv4 is CGNAT (i.e. like starlink). IPv6 WAN may allow direct connection, while using a CGNAT IPv4 may need to use Mikrotik BTH proxy servers. Almost certainly a direct connection is going to be faster. And just just because the OUTER WG tunnel is using IPv6, the inner tunnel can still be only IPv4 (i.e. 192.168.216.0/24). That is to say, the WG tunnel will carry IPv4 network, over a IPv6 WAN. And on a lot of smartphones, this will happen automatically since LTE/5G carrier often have IPv6 deployed.

But whatever you do with the IP address in peer configs (i.e. remove the fc00:0:0:216::x addresses) will NOT affect the outer tunnel's selection of IPv4 or IPv6 - as that is done by DNS when the A or AAAA is resolve from snXXX.vpn.mynetname.net & the WG client app is what controls whether IPv4 or IPv6 is used for the WG tunnel connection.

2. The dynamic firewall rules are flaky.
[...]

It be nice if the docs just wrote what is modified dynamically in configuration... Now I do NOT know the logic of when the dynamic config is "re-evaluated" - and potentially re-applied - so if you move around firewall rules IDK what happens...

3. Assuming the allow LAN rule, which I havent actually seen yet, only block rule............
is basically non-existant as it relies on the default condition of forward chain which only blocks non dst-nattted traffic from WAN.
Thus if one constructs vlans for example one must add a forward chain rule to ensure BTH traffic reaches a specific subnet??

I dont see any allow bth to interface-list=LAN rule thats for sure.......

OIn most default configs there is a non-dynamic:

/ip/firewall/filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

... so here should be two rules added dynamically by BTH:

/ip/firewall/filter/print

Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; back-to-home-vpn
chain=forward action=drop
src-address-list=back-to-home-lan-restricted-peers
out-interface-list=LAN

1 D ;;; back-to-home-vpn
chain=input action=accept protocol=udp dst-port=25297

And so it's first rule that will drop anyone in the /ip/firewall/address-list that want to reach any interface in the LAN /interface/list. And when you UN-check the "Allow LAN" box you're actually modifying /ip/firewall/address-list, not the filter rules directly.

anav · Mon Jan 13, 2025 6:57 pm

Okay got it.
On the person I was assisting the dynamic block rule exists, but we couldnt get rid of it, (not able to delete rule) very weird. I didnt look at the firewall list itself, ran out of time, but I imagine invoking allow LAN or not allow LAN should modify that list ( add or remove peers). If one cannot remove peers if the initial rule is Not allow, I suppose one could attempt to move the rule to last place and thus all accept rules will work prior to it.

Now here is the strange part on my hapax3 when I make up the BTH there is no such firewall address list or RULE ????? I was on 7.16.1 so even bumped it up to 7.16.2 but still cannot see any forward chain rule or firewall list created.......... ?????

Amm0 · Mon Jan 13, 2025 7:25 pm

To cut to chase, you're right that if you have customization in /ip/firewall/filter things get more complex. I think the underlying assuming is that you do NOT have any modifications to the default firewall.... Now why some are missing, it's possible that unless you have an BTH peers that have "Allow LAN" UNCHECKED, you may not see the 1st rule using address-list - since it would not be needed

if you have VLANs and firewall rules that block routing between them in /ip/firewall/filter....which you might if you used your own names in /interface/list, like @pcunite BASE_VLAN etc... So if that's the case... basically you need to use a in-address-list != back-to-home-restricted-peers if you didn't want BTH users to access any additional VLAN. Alternatively, you might be able to add BTH WG interface to BASE_VLAN or whatnot interface-list as an alternative. But in the end... ip/firewall/filter has to allow the "LAN" interface list in static configuration, someplace. BTH will NOT add that one dynamically - it assumed by Mikrotik to be there based on the default configuration.

anav · Mon Jan 13, 2025 7:29 pm

I just deleted and recreated from scratch the tunnel via my iphone.
Dynamically created
a. the iphone as peer .3 and with ALLOW to LAN yes.
b. dynamic sourcnat rule for the tunnel
c. dynamic input chain rule for the handshake.
d. NO forward chain rule
e. NO firewall address list
f. dynamic ip address for the router interface

++++++++++++++++++++++++++++

I suspect if I added another peer, then I might see d. and e. the thinking being is that the admins smartphone is somehow exempt from such things, when remote ????
I will have to add another peer to find out LOL.

Okay I am unable to add another peer.
I tried on the same wlan I created the initial account and also tried connecting by cellular (wifi turned off on phone).
In both cases I get connected, then ask to manage shares and it then takes me to logging in, which fails.
It does not allow me to be connected and then go to manage shares.

In other words, I am UNABLE to get to any step after hitting manage shares and thus unable to create a second peer.
This is infuriating!! Just to be sure I removed by PC connection via winbox but my connecting via the BTH app to the router is now being refused WHY --> its the same connection to the router I used to create the tunnel in the first place!!
I then went to the input chain and although there are no block rules I added an accept rule for the IP of my smartphone and still no joy???

I even tried with a WLAN that is not admin/authorized friendly as well.
For some reason the hapax3 is not letting me connect for the purpose of manage shares.........

Amm0 · Mon Jan 13, 2025 7:38 pm

IDK what's going. I've always seen the rules, but only have a couple test devices, both are running 7.17rc. Although this was all working in 7.16 too.

I'd try again, and NOT use the smartphone app - IMO that makes this MORE configuring unless you really do have "factory defaults". So disable it in /ip/cloud, then enable it using /ip/cloud. You can check what happens when you do it that way. The address-list and interface list MAY not get created until you have some user listed in /ip/cloud/back-to-home-users - I suspect that's what triggers the trifecta of dynamic config: 1. BTH WG to LAN interface-list, 2. new address-list, and 3. the 1st filter rule to drop back-to-home-restricted-peers.

The first user (i.e. the one created by smartphone app) is always allowed LAN. You do not need to create or share another anything if you want just the smartphone with app to connect & there be no users under /ip/cloud/back-to-home-users in that case. Only the 2nd, n-th users - done via CLI or the "share" in app – will have the "Allow LAN" option. And only the "Allow LAN" options need those additional rules to restrict a "shared" peer/user.

anav · Mon Jan 13, 2025 7:42 pm

I am trying to follow the MT documents. The method that MT recommends is using the smartphone to generate other remote user accounts and to then pass them the link/url/qrcode via the phone. Trying to do it manually via creating the tunnel on the MT by enabling etc...... defeats the purpose of my testing. It is ancillary testing to be done once the recommended process is found to be working and understood. Dont worry, I will eventually get to the create by enabling route. I actually started out that way and then got confused LOL as to what was happening. Next time it will be well understood.

anav · Mon Jan 13, 2025 7:44 pm

@NORMIS, what is the trick of connecting to the router itself to create shares?? I can connect via VPN but after hitting manage shares, the login I provide (triple checked) and same one used to create the tunnel in the first place on the phone) is REJECTED ????????

Amm0 · Mon Jan 13, 2025 7:59 pm

Yeah maybe @normis has a clue here.

I am trying to follow the MT documents.

While I get it... that would include doing a /system/reset-configuration no-defaults=no keep-users=yes IMO. And I bet everything would work. I doubt the docs assume anyone has custom firewall rules or VLANs in their docs... And merely disabling BTH may not fully cleanup things...

It's like QuickSet, when you start changing things, whether QuickSet works becomes more of a crapshot. I've always seen BTH work consistently when enabled from /ip/cloud - but I only used the app a handful of times. So on the APP logic, I've never done any deep-dive, so that part is more of mystery to me...

anav · Mon Jan 13, 2025 8:05 pm

I have a very basic almost nothing firewall on the HapAx3 so shouldnt be an issue, no drop rules etc..
I will entertain a reboot, but not a reset, dont want to monkey with other config settings .................

Wed Jan 15, 2025 10:17 am

@NORMIS, what is the trick of connecting to the router itself to create shares?? I can connect via VPN but after hitting manage shares, the login I provide (triple checked) and same one used to create the tunnel in the first place on the phone) is REJECTED ????????

rejected how? post screenshot. I can't repeat the issue

anav · Wed Jan 15, 2025 4:19 pm

Okay when I get home but here is the simple explanation. No BTH on hapax3. Go to IPHONE ensure I am on trusted WLAN that can access router. Open BTH, create new VPN
I have to login to do so, and successful login completed and I add name of the tunnel. I close the APP for now. I go to the router and check all changes.

AT ROUTER:
a. BTH wireguard interface exists 192.168.216.1 given to the interface and peers exist .2 assigned I think to mt cloud and .3 assigned to my iphone.
b. input chain rule exists for wireguard handshake
c. Allow lan is selected by default yet no forward chain rule (drop allow or otherwise) exists.
d. sourcenat rule created with source address of BTH subnet.
(all the above seems to be dynamically created).

Now I go back to the APP and start it up.
Option:1 If I dont hard close it, it seems to connect to the VPN tunnel right away and when I select manage shares, it of course takes me to the login page as one is going to configure the router. My credentials are still kept from before ( same username and password used to create the tunnel). I hit connect and the response on the BTH app, with red text is that the connection has been refused.

Option2: After a hard close, I open the APP and am presented with the available name of the tunnel created. Interestingly I have to press select, the name of the tunnel and the then the tunnel connect popup is displayed and I am then successfully connected and the timer starts.. Then I select the three dots, to manage shares.
I am taking to the login page and there the default entries (as when I first used the app) are presented. So I add the proper user name and password.
When I hit enter, I get the same rejected connection message as in option1.

Note1: When going back to the APP to add users I ensured I tried it in three different conditions.
i. on the same trusted WLAN
ii. on a different WLAN
iii. turned off wifi on the phone and used cellular.

Note2: There are no block rules in the hapax3 firewall.
Note3: The hapax3 is natted behind my 1009 which is not PCC strictly WAN1 priority, WAN2 as backup.

WeWiNet · Wed Jan 15, 2025 6:35 pm

Regarding LAN access of the client I also had the same issue that despite "allow LAN" being checked on the phone app there was no forward rule added.
As I have restrictive forward rules, I had to add basic forward rules before my drop all rule to make it work:

/ip firewall filter
add action=accept chain=forward comment=Back-to-home_LAN in-interface=back-to-home-vpn
add action=accept chain=forward comment=Back-to-home_LAN out-interface=back-to-home-vpn

What could be also improved on Android, BTH switches itself on after each phone reboot... should not be (or only when the option is enabled)...

WeWiNet · Thu Jan 16, 2025 12:24 pm

I wonder, one aim of the BTH feature is to be able to manage your router remotely with the TIK app on android for example.
But by default this does not work, as the Dynamic interface is not part of LAN and the firewall input accept rule that gets automatically created does open only port UDP 17.

Wouldn't it be good to have an option in the app to also enable access for the phone Mtik app? Then the user can access his router for management easily remotely via BTH.

WeWiNet · Thu Jan 16, 2025 12:32 pm

Sorry for many questions, but just getting deeper into BTH.

Why and what traffic is coming in from the dynamic BTH interface that is added? I created BTH on the phone, all works. Then I switch the phone off and would assume no more traffic is coming in/accepted on the input chain. But not the case , the counter increments steadily without a BTH client out there.
So what traffic is this, mddns? I don't like an input chain accepting traffic on position 1 without knowing what that is.

anav · Thu Jan 16, 2025 5:24 pm

Sorry for many questions, but just getting deeper into BTH.

Why and what traffic is coming in from the dynamic BTH interface that is added? I created BTH on the phone, all works. Then I switch the phone off and would assume no more traffic is coming in/accepted on the input chain. But not the case , the counter increments steadily without a BTH client out there.
So what traffic is this, mddns? I don't like an input chain accepting traffic on position 1 without knowing what that is.

Seeing as you have persistent keep alive set to the relay server, the router keeps in contact with the relay server??

Amm0 · Thu Jan 16, 2025 5:45 pm

Why and what traffic is coming in from the dynamic BTH interface that is added? [...] the counter increments steadily without a BTH client out there.
So what traffic is this, mddns?
Seeing as you have persistent keep alive set to the relay server, the router keeps in contact with the relay server??

IDK. And, could be neighbor discovery too.

You can use /tool/torch, or in winbox right click on the back-to-home WG and select "Torch" to see what traffic is flowing (and may want to increase the timeout in touch dialog) to know for sure.

WeWiNet · Thu Jan 16, 2025 7:24 pm

[/quote]
Seeing as you have persistent keep alive set to the relay server, the router keeps in contact with the relay server??
[/quote]

I have set it DDNS keep alive to 23h, should not be that one.
I can do torch but wanted to have a comment from Mikrotik what traffic gets accepted on the input chain from WAN interface without any restriction except the destination port.

anav · Thu Jan 16, 2025 8:25 pm

edit NM. answered a post from page one LOL

anav · Fri Jan 17, 2025 6:56 pm

@Normis.
note: ensured that mac-server win-mac server included Trusted interface
note: ensured Trusted interface list included back to home interface.
note: ensured input chain rule for BTH subnet allowed ( although have few rules on my hapax3 and no drop all rules)

SUPOUT SENT --> SUP-176739

....

IMG_2267.jpg

daveq · Sun Jan 19, 2025 9:54 pm

Hi,

Please how to make use of BTH in case i would like to connect to Local Services / servers?

Soon as I've setup the BTH connection on Android device and i connect (via Mobile internet), my internet connection (page loading, clients etc...) stop to work.
I can only connect to the Mikrotik router - via Mikrotik / Mikrotik Home app.

So not really sure if this is the wanted behaivor to only control Mikrotik router settings, reboots etc.
Or I should also gain access to "local services" and have internet working at the same time.

If so, do I need to configure some exceptions , rules , FW on router?
(using also other VPN WG connection from commerce provider)

thx

anav · Mon Jan 20, 2025 12:17 am

Well you need to ensure LAN is allowed on bth users ( its the default setting so should be )
You may need to add a forward chain allow rule from BTH to LAN
You may need to add a forward chain rule allow from BTH to WAN

nichky · Mon Jan 20, 2025 4:16 am

@anav how did you come across to that screenshot?

nichky · Mon Jan 20, 2025 4:26 am

@normis
about QR Code from the ip/cloud/ .
Is that limited per user, or we can have it for multiple users, as they have to be admin

anav · Mon Jan 20, 2025 5:27 am

Nichky, the QR code available at the router is ONLY for the first assignment to the admins smartphon........... When you use Manage Shares from that smartphone,, you can create more qrcodes, links BTH app can use, or standard wireguard export files........

The screenshot from my iphone you mean??

nichky · Mon Jan 20, 2025 8:47 am

1. The thing is only QR Code from the ip/cloud/ , can create users, which is admin user.
All other created can't do that.

2. The screenshot from my iphone , yes

WeWiNet · Mon Jan 20, 2025 11:03 am

Coming back to my previous quote and question. Would it be possible to make the dynamic Input firewall rule more restrictive/selective?
These are the BTH FW rules dynamically added.

Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; back-to-home-vpn
chain=forward action=drop src-address-list=back-to-home-lan-restricted-peers out-interface-list=LAN

1 D ;;; back-to-home-vpn
chain=input action=accept protocol=udp dst-port=16453

As one can see 2nd rule opens completely port 16453 from any side (LAN/WAN) and any interface/port of the router.
If you log the traffic that needs to be accepted, you will see it comes in from the physical WAN port.
Therefore I would like Mikrotik to add to the dynamic accept rule the in-interface, closing this port for all other interfaces.
And maybe there are further means to restrict this rule further (IP address of the Mtik server)... based on the principle, only allow what you have to have, and drop all the rest.

thoughts?

anav · Mon Jan 20, 2025 4:19 pm

BTH is supposed to make a dynamic input chain rule for wireguard, completely normal!
The forward chain rule you see, I have never seen when making BTH setups, so not sure why you are seeing it.
I can only guess is that you didnt select LAN availability for your peers?
In any case you can apply firewall rules as you see fit for either the BTH interface, or the subnet of wireguard, both apply

daveq · Wed Jan 22, 2025 1:28 am

Well you need to ensure LAN is allowed on bth users ( its the default setting so should be )
You may need to add a forward chain allow rule from BTH to LAN
You may need to add a forward chain rule allow from BTH to WAN

Searched for "back-" in config and it added those values

Seems like allow WAN is not there

/ip cloud set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-users add allow-lan=yes comment="Xiaomi" name="MikroTik hAP AX3" private-key="xxx=" public-key="xxx"
/interface wireguard add comment=back-to-home-vpn disabled=yes listen-port=40556 mtu=1420 name=back-to-home-vpn private-key="xxxx"

seems like those FW rules are readonly , not editable

Capture.JPG

Capture1.JPG

anav · Wed Jan 22, 2025 4:43 am

Did some more testing but still no luck.
However I have to admit the hapax3 is not setup as a router but simply an AP switch behind a CCR1009 main router, with one primary WAN.
So the management vlan is where the hapax3 gets its IP address.
When I use my iphone to start the process, I use a WLAN on the trusted subnet. From there I connect to the hapax3 by using its IP address on that subnet and of course the winboxport I have setup on the hapax3.

I have no issues creating the new BTH tunnel which can be confirmed by viewing the hapax3 via my PC and winbox.

I disconnect wifi from my iphone and attempt to reconnect via cellular.
I have no issues connecting to the tunnel via cellular, simply by selecting the tunnel name and hitting connect.
However when I go to manage shares, the same username and password are rejected in the app and thus cannot add shares.

- I tried adding the bth interface and bth ips in various combinations on the input chain of the hapax3 to allow connectivity (after adding the bth to the trusted interface )
- I tried taking the port noted in bTH and port forwarding that port on the CCR1009 to the hapax3

No joy.

My conclusion thus far is that if the MT device is not setup as a router perhaps BTH will not work???
If that is not true then I must be missing something obvious.

Wed Jan 22, 2025 10:37 am

Let me repeat it again. If you find BTH confusing, it's because you are trying to configure it from Winbox. You should not use Winbox or CLI for BTH at all.
Use the BTH app and it will be much clearer. Sure it's technically possible, but it is not made for that. If you are in Winbox, just use Wireguard.

manuschiller · Wed Jan 22, 2025 12:58 pm

my private Network uses 10.0.0.0/24 as address range. When I connect via BTH my device gets a 192.168.216.0/24 address.
This implies that requests needs routing, and I need to update some firewall rules.

Would it be possible that BTH users will just get a 10.0.0.0/24 address, as if they were "truly local"?

daveq · Wed Jan 22, 2025 2:00 pm

Let me repeat it again. If you find BTH confusing, it's because you are trying to configure it from Winbox. You should not use Winbox or CLI for BTH at all.
Use the BTH app and it will be much clearer. Sure it's technically possible, but it is not made for that. If you are in Winbox, just use Wireguard.

Well , i did try only from Android mobile app, without any additional settings and except of Mikrotik router connection, nothing is working
viewtopic.php?t=198231&start=300#p1120132

EDIT: im on 7.17

anav · Wed Jan 22, 2025 2:12 pm

Same here attempting to do it all from App.

anav · Thu Jan 23, 2025 2:05 am

Decided to try BTH on main router CCR1009 and using 7.17 firmware.
All good in terms of using the iphone app on trusted WLAN to create the tunnel.
All settings checked on router via winbox

1. Only difference from hapax3 ( acting as a switch ) is that I finally see on the CCR1009 version, the forward chain rule that blocks any entries without LAN selected for bth clients.
2. From cellular connection and any network WLAN, SAME Issue! I am not able to login again from the app to create new peers via manage shares.

BTH seems to be broken for me and cannot figure out why.
Just in case I created many allow input chain rules from BTH to input chain.

New SUPOUT added to the file for the CCR1009

Thu Jan 23, 2025 8:58 am

Send the RIF to support, thank you, there might be some cases where some default config is conflicting.

manuschiller · Thu Jan 23, 2025 11:32 am

my private Network uses 10.0.0.0/24 as address range. When I connect via BTH my device gets a 192.168.216.0/24 address.
This implies that requests needs routing, and I need to update some firewall rules.

Would it be possible that BTH users will just get a 10.0.0.0/24 address, as if they were "truly local"?

I tried looking through the generated interfaces and wireguard config in the admin UI, but I am still new to mikrotik and could not find it on my own. Can someone point me in the right direction? :)

anav · Thu Jan 23, 2025 1:56 pm

No the address range provided is fixed, the admins smartphone will get 192.168.216.3, the router 192.168.216.1 address and 192.168.213.2 is reserved for the relay peer.
You are correct the default rule allows access to the LAN, so it depends how you have defined your LAN interface list.
Further rules will probably be necessary to permit WAN access or other access as required, if you have changed your rules from default.

manuschiller · Thu Jan 23, 2025 2:20 pm

thx for the clarification! if I wanted to stream some videos from my media server via BTH while being on vacation for example, my CRS-326 would need to route all packages from 10.0.0.0/24 to 192.168.216.0/24, correct? I have no experience with hardware offloading and routing so far, but would that be a perf bottleneck?

Amm0 · Thu Jan 23, 2025 2:42 pm

You really should be able to use your media servers IP address while connected to BTH, without doing anything. Now if your media server app does discovery to find the media server, that won't work... you need to use the media server LAN IP address (or a DNS name defined in /ip/dns/static) in the media client app.

By default, all traffic is routed to Mikrotik router when connected to BTH (as long as your "first/app user" or a "shared/2nd user" with allow-lan=yes set). So it doesn't matter what IP the LAN uses... unless if you have non-default firewall, in which case the WG interface or BTH IP range might have to be allowed if you have stuff like inter-VLAN/other restrictions etc.

manuschiller · Thu Jan 23, 2025 10:27 pm

It‘s not about being able to reach the media (even DNS works fine). The question is about performance of routing between the different ip ranges for large amounts of data like 4k streams

Amm0 · Thu Jan 23, 2025 11:42 pm

It‘s not about being able to reach the media (even DNS works fine). The question is about performance of routing between the different ip ranges for large amounts of data like 4k streams

I cannot say I've run performance benchmarks*. But I'd imagine you should be able get 50Mb/s or more through the proxy connection, or I've seen in my limited test when proxied. And if it's running in "direct" mode (i.e. your router has a public IP), BTH is exactly same overhead as regular WireGuard - and limited by the internet speed/latency and router CPU.

But keep in mind, a 4K stream is still only 10-30Mb/s, so assuming WANs on both ends have 100Mbs+ internet... you should be fine be my guess. If you're doing MPEG/RTP/UDP streams, that be more sensitive to VPN's latency, but if your connection is via HLS (i.e. HTTP livestream RFC) which is pretty common, that is more friendly to VPN like BTH/WG.

*I just ran Ookla's "Video" test on my phone when connected to BTH over LTE — via the Mikrotik App — and it reported it can do 4K (2160p) over a proxied BTH connect. The router here has 1G symmetric fiber — but I forced it out a double-NAT so BTH ran in proxy mode (took 1-2 minutes to switch between them FWIW). The phone running app was using Verizon LTE only (no Wi-Fi). In some cases (fast, ookla, speedof.me), using BTH VPN was FASTER than using no VPN. Only a long test in nPerf app, was using no VPN faster & with BTH was about 50-70% of raw speed on same 60s second (using proxy mode was pretty similar speeds in nPerf app, although, latency was 50-100ms higher with proxied BTH). This is a bit surprising — perhaps Verizon looks for speed tests and throttles — since BTH should not be faster than NO VPN running. Anyway that was curious finding...

manuschiller · Fri Jan 24, 2025 12:04 am

Interesting, thanks!!

Amm0 · Fri Jan 24, 2025 12:26 am

Interesting, thanks!!

I believe, in the app, if you want JUST the LAN (which let other network traffic go out wi-fi/lte)... you can use the ⋮ next to the connect, and "Edit", the allowed addresses to remove 0.0.0.0/0 and replace it with your LAN subnet(s). By default, all traffic goes through the BTH tunnel & if your using it just to stream, you may "save" bandwidth/CPU/etc if you allow all other traffic to use "real" Wi-Fi/LTE connection.

One more trick, at least for TCP traffic, is using a MSS adjustment mangle rule. I actually added one to BTH and helped in nPerf speedtest (after I posted) when using BTH. So something like this may help — although you'd want to know you calculate your MTU MSS in rule below, so mainly for thought.

/ip firewall mangle
add action=change-mss chain=postrouting dst-address=192.168.216.0/24 log=yes new-mss=1358 protocol=tcp tcp-flags=syn tcp-mss=1359-65535

1358 is since the LTE side has lower MTU, which is additive when using WG which also has a lower MTU.... So if you're using the BTH app over LTE, the rule may be helpful

anav · Sat Jan 25, 2025 6:37 pm

Interesting as I wouldnt have thought of that but since the router is in some sense a client here as well it kinda works.
Just wondering if monkeying with the MTU for one device connection will effect all the other clients connecting............. most will probably be smartphone but could easily have windows or apple laptops/desktops in the mix.

anav · Sun Jan 26, 2025 6:39 pm

Send the RIF to support, thank you, there might be some cases where some default config is conflicting.

I did but checked today and the new supout didnt show, I must not have completed the add process properly.
Added it just now and its visible in the conversation trail.

Jarek9008 · Sat Feb 08, 2025 6:08 pm

What can cause an error is that to join a second peer I have to block it in Winbox then unlock it and the connection is just working. This operation also causes the previous peer to stop working - websites do not load, I cannot log in to the router.

Amm0 · Sat Feb 08, 2025 6:42 pm

I did but checked today and the new supout didnt show, I must not have completed the add process properly.
Added it just now and its visible in the conversation trail.

@anav, did they get back to you? Been following your saga here for a while on what should be a simple for someone as well-versed in WG.

eworm · Sat Feb 08, 2025 7:19 pm

What can cause an error is that to join a second peer I have to block it in Winbox then unlock it and the connection is just working. This operation also causes the previous peer to stop working - websites do not load, I cannot log in to the router.

Sounds like you have messed the allowed-ips setting, defining subnets too large. For single hosts you should always use "/32".

Jarek9008 · Sat Feb 08, 2025 9:11 pm

What can cause an error is that to join a second peer I have to block it in Winbox then unlock it and the connection is just working. This operation also causes the previous peer to stop working - websites do not load, I cannot log in to the router.
Sounds like you have messed the allowed-ips setting, defining subnets too large. For single hosts you should always use "/32".

You had right. It is works properly now. Thx!

anav · Sun Feb 09, 2025 2:30 pm

I did but checked today and the new supout didnt show, I must not have completed the add process properly.
Added it just now and its visible in the conversation trail.
@anav, did they get back to you? Been following your saga here for a while on what should be a simple for someone as well-versed in WG.

YES, the first response was they could not recreate, so then I decided to use my my main router for BTH 1009 and the same issue occurred, I added the new SUP but they seemed to have not looked at it so, no answer yet. I may repost a new bug report with the 1009 as the second supout seems to be ignored.