..................

.....................

........................

................................

...............................

............................

.............................

................................

.............................

I will leave all wg assistance to others then.

Good to know.
I have to think in concepts because its clear I know shit when it comes to networking.
(also not relevant for me unless i consider MT in the context)

For LOCAL OUTBOUND TRAFFIC.
In my twisted way, I think of it this way.
USER (payload) ---> Destination address ----> MT device -----> IP routes
IP Routes ---- > gwy=wireguard interface ---> STOPPEN ---> Wireguard Protocol

Wireguard Protocol ( Wireguard Mini Router = Wireguard Customs office. )
Customs officer attempts to find a match of destination address with Allowed IP in the list Peers starting at Peer1 on the list.
Match found ----> Peer Selection ----> encrypt payload (right public key) ----> add destination address and destination port for that peer --->create transport packet
Transport packet ----> MT Device
IP Routes ----> gwy= ISP gateway IP table=main ---> WWW.

++++++++++++++++++++++++++++++++++++++++++

On the INCOMING SIDE,
MT Device ------> Incoming Transport packet ------> Incoming destination address exists on device ------> IP routing
IP Routing ----> Due to destination port on transport packet ------>STOPPEN ----> Wireguard Protocol/Customs Office
WG Protocol -----> decrypt transport into payload from associated peer and then reveal Source IP address
Customs officer confirms that the source IP exists on the peer used to decrypt the payload.
Source IP exists -----> send payload to MT device
MT Device ---> Route to correct interface via destination address and firewall rules

So in my twisted way, I dont think of wireguard protocol doing traditional routing but it is doing some steering and marshaling and thus is like a customs booth at an airport.
Thus on the outgoing side, I think of the MT device routing the traffic to wireguard, wireguard 'customs processing' is executed, the resulting traffic is returned to the router for onward IP routing.
On the Incoming side, I think of the mT device routing the traffic to wireguard, wireguard 'customs processing is executed', the resulting traffic is returned to the for onward IP routing.

Notice, I completely avoided any use of IP address for wireguard interface.

Proper routing is done using public/ private key lookup.
Addresses are linked to those keys.
That's how it knows how to route what where.

More accurately destination addresses for outbound, source addresses for inbound
AND NOT anything to do with
IP addresses for interfaces.

Proper routing is done using public/ private key lookup. Addresses are linked to those keys. That's how it knows how to route what where.

Well yes (sort of), but I'm afraid you missed the point where they "admit" that the complete wg driver actually is included in ros. fun! Besides, wg peers and the mt routing engine based on the underlying netfilter/nftables are two separate entities.

Concur and that is why I try to understand the implementation as two processes working together.

One other very interesting observation

In Winbox Tools and using the Ping tool if no static route is added for 10.10.50.99 in my test scenario 10.10.50.99 is pingable but as soon as a static route is added 10.10.50.99 becomes host unreachable ….. why?

Yes in the configuration all subnets are isolated from each other.

You have missing information
IPHONE
- faux IP address = ________________________???
-allowed IPs =192.168.99.155 (NAS), 10.10.50.99 (PC)

TIK Wireguard
- allowed IP = _______________?

TIK Router
IP address=172.168.50.1/24 interface=wg-tik network=192.168.50.0

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

By the way, If I wanted to test ping like you are doing here is my solution.....

IPHONE
- faux IP address = 172.168.50.5/32
-allowed IPs =192.168.99.155 (NAS), 10.10.50.99 (PC)

TIK Wireguard
- allowed IP = 172.168.50.5/32

TIK Router
IP address=nil entry

IP Route
dst-address=172.168.50.5/32 gwy=wg-tik table=main

Firewall Rules
add chain=forward action=accept in-interface=wg-tik dst-address=192.168.99.155/32 src-address=172.168.50.5/32

Since the firewall rule already allows full access, you should be able to also ping the device.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I see Mozerd's mother has entered the thread again. ;-PP (Let it rest Znevna.......)

Excellent explanation, Sob !

Yup! Said, by you and the crickets.

This should be in the help page !

Yes, after reading that any beginner is 100% ready.

Larsa, there is no point in etching it in stone with all the errors I have found, he is waiting to be corrected before publishing! jajajajajajaja

I do have many questions/observations (not related to crypto key routing, that part is rock solid). I keep writing and rewriting a very long post,,,,,,,,,,,sigh.......

Oh yeah, and feedback from fans. I'll clear my schedule.

It can wait until after you go to Poland to help refugees, now that is important work!!!

Observations
1. Very good diagram example of a generic network, and I liked the separation using the black WG bubbles. It would have been preferential to have more LANs per router and perhaps a bit more detail for allowed IPs between them but still nice and clean.

2. You selected a coordinated IP address subnet for your peer wireguard interfaces, which reinforces your notion that an IP address for the wireguard interface is expected and a good thing.

3. The explanation, or more accurately the purpose of the paragraph starting with "Regular routing and crypto routing are two distinct complementary things... and ending with "....happily ever after." was vague and weak. At first I thought you were trying to describe crypto routing and then realized you were just attempting to highlight the different effects on traffic between IP routing and Crypto Routing. This needed a bit more detail and clarity.

4. Personally I prefer to look at Crypto Processes as its own mini router (or Customs Booth if you will), and thus VERY conceptually (for the new beginner), gets user traffic from IP routing (payload), converts that to encrypted user traffic with RIGHT peer destination information (encrypted transport packet) and then back to IP routing for onward TX, and then the reverse happens at the other end. They work hand in hand to ensure the traffic gets to where it needs to be and thus both Route in their own way, and I view Crypto Routing as Crypto Steering or Marshaling because I get easily confused when using the word Routing for different processes. But thats just me, it is crypto routing and I have no issues with how it works and what it does.

5. What the new person, beginner, should focus on is that Crypto Routing runs in the background and has to do mainly with two processes. However, for crypto routing to occur, it is the responsibility of the admin, to first accurately state the Allowed IPs for each peer (key word being peer=remote site). More specifically the admin should, at any local device, consider the Allowed IPs as they relate to the remote end for two distinct populations of addresses, a. the destination addresses at the remote end, for local users heading outbound and entering the tunnel, and b. the source addresses for users at the remote end, heading inbound and will be exiting the tunnel. Now that the Allowed IPs are correctly established by the admin, Crypto Routing can carry out its two integrated processes, and the really core bit uses the admin Allowed IPs to ensure the right peers and right keys are matched to the local traffic entering the tunnel so that the right destination information is added and subsequently at the other again compare peers and allowed IPs to ensure authorized traffic is allowed to exit the tunnel. The other process which occurs is the encryption and decryption (not as exciting). That is enough detail for the new beginner at the start of their journey. I added a bit more detail a few post before which adds the order of events involved (encryption, matching, selection, filtering etc.).

6. I liked the fact that you included the IP addresses of the other sites wireguard interfaces as part of the Allowed IPs. Did you do this to facilitate PING?
Or does this automatically ensure then that fragmentation issues are reported??? This question becomes clearer later!

7. I was disappointed you skipped an important step in your evolutionary process, namely this configuration, that you didnt put and was waiting to see. I am truly hoping I got the gateway IPs correct.
/ip route (at LANB)
add dst-address=10.0.1.0/24 gateway=172.16.0.1 table=main
add dst-address=10.0.3.0/24 gateway=172.16.0.3 table=main

8. Now you can tie in question 6, with the observation at 7. and my follow-on questions.
Q1 - If I have stated the IP routes as such, would I still need to include the IP addresses of the interfaces in the Allowed IPs, to PASSIVELY detect and report fragmentation issues???
Q2 - Are they linked? or is the Allowed IPs inclusion simply to facilitate the more ACTIVE ping test/troubleshooting.

9. I forget to mention in 6, that I liked how you used the subnet to describe the Allowed IPs for the IP wireguard addresses, such that in all cases only one entry need be made to cover all peers and thus every possible ping direction!

10. Then we get to the use of IP address for Wireguard, for the simple case, one mobile peer or perhaps 3 or 4, where they all have a faux address where we conveniently ensure their nomenclatures line up such that they can easily be described or captured within a subnet and then we provide an IP address for the Server WG interface that includes them. This shows some flexibility in your thinking on the use of IP address and that you do realize the practical effect that this causes DAC routes for those to be created on the Server device.

11. What is not clear to me yet, is how you can justify that usage but then not be consistent when the same could potentially be used for a subnet on a different peer, not an iphone - not a faux IP, but an MT device peer subnet. Somehow to you, the IP address on the phone is sufficiently different from a subnet on another MT Device such that you dont want to use an additional IP address line to also include this subnet - and yes one has to ensure there is no overlap or conflict with any other peers. I am still fuzzy on the distinction??

12. Now we get to - okay we can get away with using wg-interface, but if we do, then we lose something in the translation for Passive communications fragmentation reports etc... Here is where you propose Pref Source. I understand pref source, in that it will change the source IP of the payload to that suggested in this case you picked the LAN gateway 10.0.2.1. However this could be misleading. What if router A had 3 subnets...............?? What then?
In other words, the missing part of the equation here is that whatever pref-source you select IT HAS TO BE on the allowed IP list at the remote site. This wasnt explicitly stated and needs to be. With that wording, the reader can then go back to your example information and confirm YES, I see now that that pref- source is included in the allowed IPs at the other end, and thus will be allowed to exit the tunnel at the other end.

13. But then I get confused because it appears to me in your example the preferred source is the same as the source initiating the packets so what has been gained ?? Assuming preferred source changes the source of the payload from whatever it is to the preferred source IP. There is some nuance I am missing?? The source is A, and the preferred source is A? what is gained??
I think I am missing an important point here.

14. Another point of confusion with pref source, is this only for originating devices, traffic from local subnet heading outbound? What happens for the associated Return Traffic at the Server Side and the IP routes created there??

15. Lastly we get to the discussion of using wg-interface only with manual IP routes. It works but as you state is missing the Passive communications component and may not suffice for ACTIVE troubleshooting/pinging.

16. For ACTIVE pinging one can choose any existing Allowed IP for this purpose and if necessary identify an existing subnet at the other end and include this in local Allowed IPs, so that is easily accomplished without too much fuss.

17. For Passive communications, it seems you are saying the two ways to ensure this is done right but the over riding requirement is that:
AN IP address for the wireguard interface has to be present, as per your example, and needs to be a coordinated subnet between the peers.
Then one has two options:
a. use the correct gwy IP ADDRESS in the IP route OR
b. use wg-interface name WITH pref source!

18. In other words any time you deviate from some form of 17 (aka like 15) , the full breadth of possible communications between WG interfaces is not established.

Summary: The above represents what I got out of your post. Sorry I do not have the level of understanding of the others and thus cannot blindly accept stuff if not understanding how and why it functions.

Outstanding issues.
1. For me to understand Passive Communication (fragmentation or any other magic that happens automatically (passively) with the proper structure).
2. For you to explain why I cannot use multiple IP addresses for all my local Allowed IPs. )))) but I can for single IP devices like Iphones.
3. To explain pref source explaining the purpose, as it looks like the source and source pref are no different in the example AND ALSO in terms of return traffic vice originating traffic, as it appears you only describe originating outbound ??

For example let me propose and addendum to your example. The PLUS lines are added to show what I would normally have done, and
based on your information would do in the future.

IP addresses associated with Wireguard on the devices.
Peer1 - iphone - 192.168.35.2/32
peer2 - laptop - 192.168.35.200/32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
peer3 - MT device client - 172.168.77.2/24 ( Subnet 10.10.10.0/24 needs to access server on Local Router subnet D)
peer4 - MT device client 172.168.77.3/24 (Subnent 10.20.10.10.0/24 needs to access server on Local Router subnet E)
Server- Local Router - 172.168.77.4/24

Allowed IPs Local Router
192.168.35.0/24 (handles both incoming peer 1 and peer 2 - using local Router internet and for peer 2, To be able to config the local router - so fw rules have to lineup)
10.10.10.0/24 (handles incoming subnet from peer3)
10.20.10.0/24 (handles incoming subnet from peer4)
+++++++++++++++++++++++++++++++++++++++++++
172.168.77.0/24 (ensures any device can ping any IP wireguard interface )

IP Routes Local Router
dst-address=192.168.35.0/24 gwy=192.168.35.1 table=main
dst-address=10.10.10.0/24 gwy=172.168.77.2 table=main
dst-address=10.20.10.0/24 gwy=172.168.77.3 table=main

IP Routes other peers
[peer3] dst-address=subnetD/24 gwy=172.168.77.4 table=main
[peer4] dst=address=subnetE/24 gwy=172.168.77.4 table=main

OR
Let say I add a second, IP address to the local router wireguard interface........
and this time lets use wg-interface for the gateway,
Server- Local Router - IP1 - 172.168.77.4/24 / IP2 - 192.168.35.1/24

IP Routes
(DAC) dst-address=192.168.35.0/24 gwy=wg-local table=main
dst-address=10.10.10.0/24 gwy=wg-local table=main pref source=??
dst-address=10.20.10.0/24 gwy=wg-local table=main pref-source=??

IP Routes other peers
[peer3] dst-address=subnetD/24 gwy=wg-peer3 table=main pref-source=10.10.10.1 ??
[peer4] dst=address=subnetE/24 gwy=wg-peer4 table=main pref-source=10.20.1.1 ??


What i find strange is that pref source is already the source IP, the source packets from peer 3 are from subnet 10.10.10.0/24, the source packets from peer 4 are already from 10.20.10.0/24 ??

Read and answered in order so there may be duplication!

6) It's simply because they are there, and if they should be able to pass through tunnel, they need to be listed as allowed.
You didnt answer the questions here! Its simply because they are there....... is a frivolous answer without any meaning. Yes BUT should they be allowed to pass through the tunnel?
What uses will be made of them? Does it have to with permitting PING, or to auto report ping fragmentation??

The peer has them, you want them to be able to pass through tunnel .......... they must be allowed.
But why? What functionality are you protecting? Since you seem unable to answer this question thus far let me phrase it differently............ what will not be possible if you do not include them in allowed IPs.

11) I'm not completely sure if I understand. But I guess it could be related to the past misunderstanding about what's local and remote. Addresses 172.16.0.x/24 are in local subnet in relation to WG interface. Addresses 10.0.x.x/24 are remote subnets, because they are behind other routers.

Well I appreciate how you view the coordinated subnet created between WG interfaces as a local subnet (to all wg devices). I also understand that yes from any local device, subnets on other routers are remote subnets. However my question was not that, it was why are you content to include an IPHONE within a local WG interface IP address and despite the iphone being a remote device, but not a subnet on another remote device, an MT device. What is the difference I am missing?? As you state this has nothing to do with WG but something else I am missing!!

Is it not true that as soon as I identify something with an IP address at the local router, that something (be it an IPHONE or a subnet) is now considered local on that router.
Hence IP address= 192.168.50.1/24 interface=wg-local network=192.168.50.0 WHERE 192.168.50.0/24 describes a subnet on a peer, means now for all intensive purposes that the subnet is recognized as a local entity, in terms of routing at least?
Hence - (dac) dst-address=192.168.50.0/24 gwy=wg-local table=main IS CREATED AND PROPERLY UTILIZED BY THE ROUTER???

More work to be done here.....


12) Important thing, this has nothing to do with just WG, it will happen with other interface types too.
AHHH, this is really good stuff!! We may spend several weeks here. :-0
However I need to drill down WHERE this pref source is applied. Is it applied in the payload, or is it applied on the transport??
Perhaps that is where i was getting confused, as the payload is from the user, and it seemed to me you were picking the the same source for pref-source.
However if we are talking transport then yes, instead of the outgoing interface router IP, pref-source changes this to the local user subnet IP.

So basically the transport layer has to have some address assigned to it as source and if we use the actual WG gateway IP on the IP route, that is the obvious choice and is readily available.
If we use the gwy=wg-interface-name, then we are forcing the router to decide.
Would it not simply go get the wg interface IP address line to get that info, if one is assigned??
If so, then what we are saying is that if you have no IP address for the WG interface, pref-source is a viable alternative.

15) As described, don't do it when it doesn't give you any advantage. If you're doing site to site tunnel and you don't need another subnet at all, then it can make sense to skip addresses on WG interfaces. But if you do need some subnet, e.g. because you have several phones and each gets 172.16.0.x, then replacing address (172.16.0.1/24) on server's WG interface with route (172.16.0.0/24) doesn't help with anything, it's not better in any way, it's worse, don't do it.

Even if I do this ???
allowed IPs=172.16.0.2/32, 172.16.0.4/32
dst-address=172.16.0.2/32 gwy=wg-local pref-source=(local subnet)
dst-address=172.16.0.4/32 gwy=wg-local pref-source=(local subnet)

Better??
IP address WG 172.168.0.1/24 interface=wg-local network=172.168.0.0
(dac) dst-address=172.16.0.0./24 gwy=wg-local table=main

17) No. It's two different things, gateway and source address. You can have different combinations:

a1) WG interface with address 172.16.0.x/24, route with gateway=172.16.0.y => 172.16.0.x will be used as source
a2) WG interface with address 172.16.0.x/24, route with gateway=<WG interface> => 172.16.0.x will be used as source
b1) WG interface without address, route with gateway=172.16.0.y => won't work at all (there won't be any communication with remote subnet), because regular routing doesn't know where 172.16.0.y is
b2) WG interface without address, route with gateway=<WG interface> => will need pref-src to fix source address

Super, confirms what I did on 15. both will work. VERY CLEAR NOW. ( and yes a gateway IP without a corresponding IP address for WG interface is a no go)

All good................. so far

6. has some niggly points.
11. is where there is still some friction ( non wg friction )

Almost there.
Where we differ is that very space.

By adding the IP address of a subnet from another router (due to basing it on allowed IPs) then I am not sure I have done something evil? What I have done is actually added that subnet to my router, since it now exists on an interface on the Router.

To be consistent how is the iphone any different. Its a remote device with an address, just like the remote MT with a subnet. So I co-opt that address by ensuring its within the existing IP address of my current WG interfaces and I dont see much difference in doing something similar with the subnet address due to my ignorance more than anything else.

Lets discuss the following example .........Where I try to apply newfound wisdom!!!
There is a subnet on my local router that peer 3 users (on an MT device) will need to access which has address of 172.168.20.1/24 interface=whatever network=172.168.20.0
The peer 3 users themselves,are on subnet with address of 10.10.10.1/24 interface=whatever network=10.10.10.0

IP addresses for wg, where I try to apply all the good stuff!
peer1 192.168.50.3/32 iphone
peer2 192.168.50.200/32 laptop
peer3 192.168.50.2/24 interface=wg-peer3 network=192.168.50.0 Allowed IPs = 192.168.50.0/24, 172.168.20.0/24
Local 192.168.50.5/24 interface=wg-local network=192.168.50.0 Allowed IPs = 192.168.50.2/32, 192.168.50.200/32, 192.168.50.3/32, 10.10.10.0/24

Peer 3 Routes
dst-address=0.0.0.0/0 gwy=wanIPgateway table=main
dst-address=172.168.20.0/24 gwy=wg-peer3 table=main
dst-address=192.168.50.0/24 gwy=wg-peer3 table=main

Local Routes
dst-address=0.0.0.0/0 gwy=wanIPgateway table=main
dst-address=192.168.50.3/32 gwy=wg-local table=main
dst-address=192.168.50.200/32 gwy=wg-local table=main
dst-address=192.168.50.2/32 gwy=wg-local table=main
dst-address=10.10.10.0/24 gwy=wg-local table=main


Correct ???
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So now lets 'sweeten the pot' and add some juice!
The subnet on peer 3 device (DHCP server) assigns leases from 10.10.10.20-254

I elect to add an IP address to the local Router and smartly choose
add address=10.10.10.10/24 interface=wg-local network=10.10.10.0

In this regard there is no potential conflict with a user at the other end for that subnet.
Result:
(dac) dst-address=10.10.10.0/24 gwy=wg-local replaces the similar manual remove above.

Will this work? If not what breaks? Are you having a nervous breakdown?

I see your point Sob, I hadnt thought of the consequences of the traffic flow in the opposite direction. The traffic may reach the server but the response will never make it back.
Not to worry wont actually config like that just wanted to see why not.......... what broke etc......

Depends if I really want to look at your latest diagram or not.............

I don't think you exactly know what you're talking about. RouterOS has everything except high level tool that processes WG config file. Same way RouterOS doesn't take standard OpenVPN config files. But you don't need that, the config is just entered differently, there's nothing missing (for WG, OpenVPN in RouterOS is missing some features).

Edit: They could perhaps add an option to automatically create routes from peers' allowed-address, it wouldn't be universal thing, but it could help someone. I personally think it's not too important, but maybe...

Im putting this on a poster"

SOB SAYS "They could add an option to automatically create routes from peers' allowed-address" to MIMIC the Donenfield Creation. )))))

Let me counter Mozerd, by stating, that wanton MASS ip route creation from Allowed IPs, is not as bad as MASS MURDER, but it is a minefield of problems in the hands of the beginner. It may work on a very simple configuration (like a single smart device) but I am thinking it may get less and less useful as the number of peers and multiple addresses within a peer start adding up.

In any case, my concerns may be groundless, especially seeing its wide use in many other linux based programs, but AS LONG AS I dont have to create an IP address for the Wireguard Interface to create such Routes, both SOB and I will be like two pigs playing in the mud!!

A different thread has my interest
in terms of having multiple peers on the same interface and with a coordinated Wireguard Interface subnet.

Chap has an MT device behind CGNAT, behind the MT he has an IP camera he wants to access. He has a VPS server (unbuntu) that can run wireguard and he plans on connecting the MT to the VPS. He currently accesses the vps server via laptop or smart phone.

[ Discussion but not what I want to explore in any depth - The part I didnt get was his part about port forwarding traffic from the VPS to the MT over wireguard. I missed the fact that his plan was NOT to wireguard into the VPS from mobile devices (laptop or smartphone). Does this mean that most people access their VPS server without VPN ?? ]

Where I want to go, is a full wireguard end to end connection from mobile device to IP camera.
Is there only option A, or will option B also work and if so how?

A. (two wg interfaces at VPS) --> have the remote mobile devices come in to vps on one tunnel and then use a second tunnel between the VPS and MT
B. (one wg interface at VPS) --> have all devices on the same wireguard interface................... this seems the most efficient BUT how would this actually work.......... Could a mobile laptop connect directly to the MT or is what mozerd indicates a clue to NO WAY (wg is only peer to peer, not peer to multi-peer) ?

A. is clean to me. I can visualize what goes on with the traffic.........
Traffic from remote mobile device arrives at VPS via wg, exits the tunnel.
Firewall rules allow this traffic to reach second tunnel
IP route directs this traffic to second tunnel
I just have to make sure the return path also exists............. not to hard.

B. NOT A FRIGGEN CLUE.

++++++++++++++++++++++++++

Okay mkx, I thought that was indeed the case where one needs two distinct tunnels to RELAY traffic in this way and that having all the peers on the same WG interface IS NOT capable of relay.

Good to know!.

So why is the chap doing port forwarding from VPS to MT device? Is it because most people https into the VPS device ( then user name and password) and that is good enough for security??

One tunnel is enough:

Okay I will bite, but will try to explain it so that is understandable vice sob cryptic short form!
Also will ignore the public access dstnat bit, as the MT is behind another router and cannot forward ports ;-P
oops I see you mean the Dst NAT at the VPS............. okay I get it....... but will leave that till the end, it confuses my train of thought LOL

VPS server wg port 12122, fixed IP 24.233.45.15

Step1: create wireguard coordinated subnet
VPS linuxspeak=192.168.0.1/24 interface=wg0
MT IP address=192.168.0.10/24 interface=wg-MT { camera resides off this device Ip address local is 10.10.10.50/32 }
Laptop Address=192.168.0.20/32

Requirement: Laptop to reach camera via Wireguard.

Solution (so sob says):

Wireguard at Mobile Laptop
Allowed IPs=192.168.0.0/24 { allows one to ping both VPS server and MT remote client }, 10.10.10.50/32 { camera IP destination address (at MT device) }
[Note: if internet access was involved the only allowed IP required would be 0.0.0.0/0]

Wireguard settings at VPS
Peer MT Allowed IPs - 192.168.0.10/32 { allows pinging from MT },
Peer Laptop Allowed IPs - 192.168.0.20/32 { allows pinging and all incoming traffic from laptop }

Wireguard settings at MT (camera)
Peer Server Allowed IPs - 192.168.0.1/32 { allows pinging from Server }, 192.168.0.20/32 {allows traffic from laptop to exit tunnel at MT }

IP Routes.
MT DEVICE
(dac) dst-address=192.168.0.0/24 gwy=wg-MT table=main ( allows outbound pinging to VPS server and return pings from VPS or laptop)
dst=address=192.168.0.20 gwy=wg-MT table=main NOT REQUIRED (return traffic from camera covered by DAC rule???? ***

VPS SERVER
(dac) 192.168.0.0/24 gwy=wg-MT table=main ( allows outbound pinging to MT and returning pings from MT or laptop )
*** similarly return traffic from MT to laptop moves transparently through VPS due to the DAC rule.????

++++++++++++++++++++++++++++++++++++++++++++++

With only WG to the MT camera and only an external connection from LAPTOP to VPS, then at the VPS we would have to do some dstnat like work.
Since I dont know linux I will couch it in MT forms..
But this is really good for learning too --> HOW TO PORT FORWARD THRU a wg tunnel.

add chain=dstnat action=dst-nat in-interface=?? WAN or dst-address=fixed IP of VPS wan connection??
protocol=whatever dst-port=actual cameraport? to-addresses=actual camera local IP or IP of MT wireguard??

[quote=Sob post_id=920437 time=1647879773 user_id=33312]
If you want direct access to camera's internal address, then you need 10.10.10.50/32 also here
[quote=anav post_id=920417 time=1647875296 user_id=115581]
Wireguard settings at VPS
Peer MT Allowed IPs - 192.168.0.10/32 { allows pinging from MT }, [/quote]

WHY? ---> Because in a relay scenario, within the same interface, one MUST still view the traffic from Laptop. after arriving at VPS WG interface, as requiring a valid destination address, for the next leg, although never exiting the wireguard interface? (aka 10.10.10.50/32 is checked as a valid destination address for selection outbound at VPS just as it was for the laptop itself??).

Note that this is exactly what one would do if it were for a separate tunnel (second wireguard interface).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Because if you add another client, you won't need to touch it. And here:

(dac) dst-address=192.168.0.0/24 gwy=wg-MT table=main ( allows outbound pinging to VPS server and return pings from VPS or laptop)
dst=address=192.168.0.20 gwy=wg-MT table=main NOT REQUIRED (return traffic from camera covered by DAC rule???? ***

If you have (dynamic) route to 192.168.0.0/24, you don't need another route to 192.168.0.20, because the first one includes it. Go play a bit with subnet calculator.

This I understand, makes sense,,,,,,,,, and hence why I stated not required and future proofing yes!

And server must also have route to 10.10.10.50/32. Then it's better to have whole 192.168.0.0/24 as allowed here:

This is the one thing I didnt understand!!

Why does the VPS server need a route to 10.10.10.50/32.
IF all the traffic is remaining within wireguard and not exiting the tunnel at VPS, and we are not using a second tunnel.......................

OR ARE YOU REALLY SAYING, yes the traffic has to EXIT THE TUNNEL and then RENTER the tunnel ???
in which case this would make more sense............
It would act at a way to get traffic to the mT for traffic exiting the tunnel at VPS that came from laptop
dst-address=10.10.10.50/32 gwy=wg0

Not sure if you meant to somehow associate this with 192.168.0.0/24 above??

add chain=dstnat action=dst-nat in-interface=?? WAN or dst-address=fixed IP of VPS wan connection??
protocol=whatever dst-port=actual cameraport? to-addresses=actual camera local IP or IP of MT wireguard??

It's simple port forwarding like any other, on server you'll have dst-address=<public address of VPS> and to-addresses can be both 10.10.10.50 and 192.168.0.10. If it's the latter, then you'll need additional dstnat on camera's MT.

Why? I see the port forward from VPS into wireguard, but NOT ON the MT.
This seems right! ( assuming its still the laptop requesting the information from the camera and the op still manages to use the same Ip address .20 - not sure how )
VPS Server
add chain=dstnat action=dst-nat dst-address=publicIP-VPS to-address=192.168.0.10
MT
add chain=forward action=accept in-interface=wg-MT source-address=192.168.0.20/32 dst-address=10.10.10.50/32

Why do you give the client (mobile device lets say ipad or laptop windows etc) a Wiregurd Address of 192.68.20.20/24 and not 192.168.0.20/32

Its just a single device??
I thought that a full /24 was to be used for Devices that have the capacity for multiple subnets for example.

OR ARE YOU REALLY SAYING, yes the traffic has to EXIT THE TUNNEL and then RENTER the tunnel ???

I'm saying that traffic from client to camera (or back) will have in-interface=WG out-interface=WG on server.

More importantly are you saying that at the MT DEVICE (client) and where the server is found, that it has two peers in its Wireguard Settings

peer1 = server
peer2 =mobile client (this would be impossible unless it is okay for the exchange of public keys will make this work!! ??????????? THIS IS THE LINK I HAVE BEEN MSSING!!!
arrgg makes no sense cannot have peer to peer like this both are clients my bad..............
okay my original thoughts were correct you verbalized them differently as usual LOL

Another riddle, to help me understand firewall rule required at the VPS Serer, what if the VPS server was an MT device,
Assuming drop rules, would you need any firewall rules for the relay of mobile client traffic from laptop to MT server to MTClient (camera)

If it was two separate wg interfaces it would be clear to me how to apply firewall rules to relay........
add chain=forward action=accept in-interface=wg1 out-interface=wg2 src-address=mobile client IP.

So what you are saying is that at the VPS linux if it was an MT device would need something like this that looks almost SILLY. (as interfaces are the same)

add chain=forward action=accept in-interface=wg0 out-interface=wg0 src-address=mobile client IP ???????????

So in the end, to have a relay function is perfectly reasonable by only using ONE WG interface.
This works as long as we realize that each peer to peer connection is separate and that traffic that arrives from one end to an MT RELAY device, is considered now LOCAL and thus why

a. We need a firewall rule as bizarre as it seems at the RELAY device, to ensure traffic then re-enters the tunnel for the next leg.
add chain=forward action=accept in-interface=wg-name out-interface=wg-name src-address=mobile client.

b. We need an IP route for the destination traffic (like the allowed IP on the mobile client which matched and selected traffic outbound from the user at the mobile client) and this traffic is now local to the RELAY device, and thus has to go through the same process/configuration --> to match and select 'local' traffic we have to include the destination address in

i; allowed IPs for the Relay device (allocated to the peer where we are relaying the traffic too)
ii; create an IP route for that traffic (for destination IP to enter WG interface)

IP address 192.168.0.20/24 gives client connected route to whole 192.168.0.0/24 subnet, i.e. all 192.168.0.x addresses. So it knows where to find server (.1), camera's WG client (.10), even some future cameras (.11, .12, ...), etc. It's WG subnet and if it's /24, then all devices should (in most cases) have IP addresses with /24. It's slightly different for allowed IPs, server/VPS should have 192.168.0.x/32 for each peer, because they each have only one IP address from this subnet and have no reason to use others. But clients should have 192.168.0.0/24, because server can relay to them traffic from all other peers, so it needs to be allowed.

And yes, on server/VPS, traffic between peers will match in-interface=wg0 out-interface=wg0, there's nothing wrong with that, that's what happens, both incoming and outgoing interface is WG.

Got it, understood, where required the allowed IPs needs to be specific but the iP address need not be fixed for mobile clients that have ADDRESS assigned within the Wireguard parameters.
As for the other issue SAME interface at the Relay device in the firewall rule makes sense.
It mirrors a solution I had proposed for a similar relay but using TWO wireguard interfaces.
The key is that each connection is peer to peer so at the relay site, the traffic should be considered having exited the tunnel and now needs a route and firewall permission to rententer the next tunnel.
hence why allowed IP at originating mobile client (aka the destination IP) is then added to the end client device in its peer settings at the relay device, and why also at the relay device one needs to create a route for that destination IP with the applicable wg interface gateway.

What is really cool is the sense that the one tunnel solution is more efficient because this rule works for both directions!
in-interface=wg0 out-interface=wg0 src-address=192.168.0.20/32

whereas in my dual tunnel Relay example (iphone to relay device, out different tunnel (aka 3rd party VPN provider) I need two firewall rules at the MT RElay device.
one to allow iphone to 3rd party VPN, one to allow response from 3rd party VPN to iphone
in-interface=wg-local1 out-interface=wg-local2 src-address=IPof IPhone
in-interface=wg-local2 out-interface=wg-local2 src-address=IPof IPhone

What is really cool is the sense that the one tunnel solution is more efficient because this rule works for both directions!
in-interface=wg0 out-interface=wg0 src-address=192.168.0.20/32

Until you realize that this rule with all three conditions makes sense for only one direction, then it becomes less cool.

Dont follow you at all......

Traffic all the way along has one source address, that of the mobile client (be it iphone or laptop).
so that part of the rule is fine......... if there was another mobile client involved, then
you would create a source address list at the RELAY Device,,,,,,,,,,,,,,,,,

Return traffic to the mobile client (ipad, laptop) after hitting the camera server at the MT client end,,,,,,,,,,, hits the RELAY device at the same wireguard interface!!

Therefore the rule is valid in both directions........... it will come out the interface, it will have destination traffic for mobile client, the IP route for the mobile client on the SERVER will see that it has to go to the wg interface, the firewall rule will allow it and the return traffic will get peer matched and selected to the mobile client and be on its merry way.

Where is the issue...............

Don't overthink it. If you say "works for both directions", I'd expect that device A can initiate connections to device B, and also device B can initiate connection to device A. So .20->.10 and .10->20. And it would be true if you had only in/out-interface=wg0. But if there's also src-address=192.168.0.20/32, then it allows connections only from .20.

Your nitpickyness is annoying and sometime infuriating ( I swear you are trying to give me an ulcer - then i realized sometimes I am as vague LOL but not out of spite, or lazyness but because I dont know any better ;-PP) I didnt mean to imply it works both ways for ALL traffic, but ONLY for the finite example I was discussing, which was a mobile laptop remote client accessing a camera server hosted on a remote MT client, both with WG to the VPS server (RELAY device). Clearly this traffic retains its source IP as 192.168.0.20/32 during its phucking travels.......
Thus in-interface=wg0 out-interface=wg0 src-address=192.168.0.20/32 is VALID if the traffic pops out of the tunnel at the RELAY device from either the originating mobile client or the return traffic pops out of the tunnel at the RELAY device from the MT client.....

My comment was, simply how convenient compared to the other example where I use two separate wireguard interfaces and then one needs two separate firewall rules at the SERVER.

To make you happy, then simply dont use a source address with that rule and then any traffic coming out of the tunnel can go back in the tunnel in terms of firewall scrutiny and then it would be truly two way for all. I suppose the IP routes and allowed IPs (routing squared) would be enough to direct the traffic correctly but I prefer to use the firewall for its intended purpose (impose admin control and limit traffic to only that which is required).

In any case I have adjusted the main article text based on your input/minor almost trivial concerns and at some point will get to the examples.

My comment was, simply how convenient compared to the other example where I use two separate wireguard interfaces and then one needs two separate firewall rules at the SERVER.

Well, you don't have to have two separate firewall rules if you have two WG interfaces ... just create interface list and use that in FW rule ...

That is another option of course........... Which I believe I had already mentioned in a previous post but a reminder is always nice!
However what you say is valid for the SAME WG interface, not two distinct wg interfaces unless you go ALL in with the following LOL

Unless you mean
add chain=forward in-interface-list=WG-interfaceS out-interface-list=WG-interfaceS source-address-list=MultipleSources ( catches all )

Your nitpickyness is annoying and sometime infuriating ...

Few things about that:

- Sometimes it's fully intentional. You're all about tough love for users, so no exceptions for you. And I admit that sometimes I enjoy it a lot.
- Sometimes it's because I'm not sure if something you wrote incorrectly is honest mistake and you know what's right, or you actually meant that. So I'm just trying to make sure that we understand each other.
- Sometimes it's me misunderstanding something. That's this case, now I see what you meant. My excuse is that English is not my native language, I can't even say with absolute certainty if I can't read or you can't write.

You hit the nail on the head, tough love, or better tough instructing. The more accurate and clear I am the quieter you are! Why dont I seem to learn that lesson LOL.

All good info when I get to the examples, I keep tweaking the article so do pop in from time to time to let me know anything else that bugs you...........