Run RouterOS as Tunnel or VPN Client Behind NAT

AdminSpeedNet · Thu Aug 11, 2022 3:38 am

Dear All

RouterOS is behind NAT so it has only private IP address for WAN Interface. I want to establish a tunnel with a ubuntu server with Public IP so only one side has public IP address. In my case, which protocols can I use?

Sob · Thu Aug 11, 2022 6:28 am

With a bit of luck, any of them. PPTP can sometimes have trouble, but you shouldn't use that anyway, because it's outdated and not secure anymore. The rest should be fine, SSTP and OpenVPN use only single outgoing connection, there's no problem with that. Wireguard (hit of current season) is similar and otherwise very nice, only in current RouterOS it may need a little help if remote peer's endpoint uses hostname instead of numeric address. IPSec should detect presence of NAT and deal with that. Same goes for L2TP/IPSec. So it's anything you like.

AdminSpeedNet · Thu Aug 11, 2022 1:11 pm

I'm having problem with Wireguard as client on RouterOS. something's wrong that it nerver get connected. I remember L2TP/IPSec is used only on Windows Server. Does Linux support it?

anav · Thu Aug 11, 2022 5:15 pm

Wireguard works well across OS/s.
Post your config at least for the MT device.
/export

Cannot read linux but if you post your linux associated wireguard settings that will help too (just dont show any public WAN IP info on the linux side).

AdminSpeedNet · Fri Aug 12, 2022 3:48 am

Please take a look and thank for you time reading a long text

# aug/12/2022 07:25:40 by RouterOS 7.4.1
# software id = FNS2-DFTT
#
# model = RouterBOARD 750 r2
# serial number = 67D2065237B2
/interface pptp-server
add name=pptp-in1 user=test1
/interface bridge
add admin-mac=6C:3B:6B:4B:29:AA auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=ereee@digi
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-client
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.100
add name=VPN_pool ranges=192.168.88.101-192.168.88.120
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.88.1 name=VPN_prof remote-address=VPN_pool
set *FFFFFFFE dns-server=8.8.8.8 wins-server=8.8.4.4
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 default-profile=VPN_prof enabled=\
    yes
/interface wireguard peers
add allowed-address=192.168.11.0/24 endpoint-address=160.222.222.179 \
    endpoint-port=51820 interface=wireguard-client persistent-keepalive=25s \
    public-key="Cencered-Gzc="
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=192.168.11.104/24 interface=wireguard-client network=192.168.11.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.10 always-broadcast=yes client-id=1:5c:f9:dd:ea:35:3e \
    mac-address=5C:F9:DD:EA:35:3E server=defconf
add address=192.168.88.12 mac-address=00:90:A9:D0:54:66 server=defconf
add address=192.168.88.42 always-broadcast=yes mac-address=B0:52:16:1B:98:61 \
    server=defconf
add address=192.168.88.11 client-id=1:74:e6:e2:d8:6e:ad mac-address=\
    74:E6:E2:D8:6E:AD server=defconf
add address=192.168.88.100 always-broadcast=yes client-id=1:98:8b:a:cd:db:ab \
    mac-address=98:8B:0A:CD:DB:AB server=defconf
add address=192.168.88.8 client-id=1:18:66:da:20:33:e8 mac-address=\
    18:66:DA:20:33:E8 server=defconf
add address=192.168.88.18 always-broadcast=yes client-id=1:70:ec:e4:11:63:71 \
    mac-address=70:EC:E4:11:63:71 server=defconf
add address=192.168.88.79 client-id=\
    ff:4c:11:26:3c:0:2:0:0:ab:11:2e:48:54:7a:9:16:56:4c mac-address=\
    00:19:99:CC:DA:AC server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=\
    1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="pptp vpn" disabled=yes protocol=gre
add action=drop chain=forward comment="drop MON-THI" disabled=yes \
    dst-address=128.116.0.0/17 time=0s-1d,mon,tue,wed,thu
add action=drop chain=forward comment="DROP FRI" disabled=yes dst-address=\
    128.116.0.0/17 time=0s-13h,fri
add action=drop chain=forward comment="drop 8am - 10am" disabled=yes \
    dst-address=128.116.0.0/17 time=8h-10h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="drop 12pm - 2:00pm" disabled=yes \
    dst-address=128.116.0.0/17 time=12h-14h,sun,sat
add action=drop chain=forward comment="drop 4pm - 6pm" disabled=yes \
    dst-address=128.116.0.0/17 time=16h-18h,sun,mon,tue,wed,thu,fri,sat
add action=drop chain=forward comment="drop 9:30pm to 11:59pm" disabled=yes \
    dst-address=128.116.0.0/17 time=21h30m-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=input dst-address=0.0.0.0/0 src-address=\
    160.222.222.179
add action=accept chain=output dst-address=160.222.222.179 log=yes log-prefix=\
    wg
/ip firewall mangle
add action=accept chain=output dst-address=160.222.222.179 log=yes \
    out-interface=pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8787 protocol=tcp to-addresses=\
    192.168.88.8 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=1433 protocol=tcp \
    to-addresses=192.168.88.8 to-ports=1433
/ppp secret
add name=test1 profile=VPN_prof service=pptp
/system clock
set time-zone-name=Asia/SomeWhere
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Server Side

[Interface]
Address = 192.168.11.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp4s0 -j MASQUERADE
ListenPort = 51820
PrivateKey = Cencered-KUg=

[Peer]
PublicKey = Cencerted-hyY=
AllowedIPs = 192.168.11.104/32

anav · Fri Aug 12, 2022 4:49 am

MT
(1) Wrong interface
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0

needs to be bridge.

(2) Just to confirm, what do you want to access at the MT device (from linux users ) ?
What do you want to access from at the linux device (from MT users)?

(3) Right now, there are no remote users coming to the MT device (other than perhaps the ability to ping the MT device from the linux device).
Similarly, there appears to be no traffic intended for heading toward the linux device, except perhaps to ping the linux device from the MT device?)

(4) ROUTES - Dont see anything glaringly wrong at the moment,
Any traffic between wireguard Ip addresses will use the <dac> dst=1 dst-address=192.168.11.0/24 gateway=wireguard table=main

(5) FIREWALL RULES - Dont see anything untoward, your forward chain does not block traffic so it should occur.......
Just to be clear though I would probably add something like
add chain=forward action=accept in-interface=wireguard
add chain=forward action=accept out-interface=wireguard

AdminSpeedNet · Fri Aug 12, 2022 5:56 am

1. Wrong Interface
I don't get it. What's wrong? 192.168.88.0/24 is LAN subnet

2. I want to ping 192.168.11.104 from Linux(Wireguard Server) to MikroTik and ping 192.168.11.1 to Linux. Both were timeout

5. I don't want to forward any taffic across interfaces for now. Just want to be able to ping Mikrotik and Linux(192.168.11.1 and 192.168.11.104)

Do you know how to check Wireguard negotiated message between Client and Server? Connection timeout or Fail to authenticate?

I created firewall rule to log outgoing and incoming IP of Wireguard Server and it produce the follow log

Wireguard outgoing.png

anav · Fri Aug 12, 2022 1:37 pm

(1) You must be colour blind then

, instead of ether2, you should be using the bridge as the interface for the subnet.

I see nothing that blocks pinging at the moment.
Did you add the firewall rules noted?

Can you confirm in your IP routes you see
<dac> dst-address=192.168.11.0/24 gwy=wireguard-client ???

On your linux device do you see the initial connection or handshake on the listening port ???

AdminSpeedNet · Sun Aug 14, 2022 1:15 am

About wrong interface, it has bridge interface that link all ether1-5

After days of browsing online I found a tool called tcpdump to watch traffic in Wireguard Server

tcpdump -i eth0 'udp port 51820'

15:07:47.474818 IP ezecom.45.118.222.0.149.ezecom.com.6163 > h.wireguard_server.com.51820: UDP, length 148
15:07:51.677908 IP h.wireguard_server.com.51820 > ezecom.45.118.222.0.149.ezecom.com.18733: UDP, length 96
15:07:52.595355 IP ezecom.45.118.222.0.149.ezecom.com.6163 > h.wireguard_server.com.51820: UDP, length 148
15:07:52.958609 IP h.wireguard_server.com.51820 > ezecom.45.118.222.0.149.ezecom.com.18733: UDP, length 148
15:07:52.958657 IP h.wireguard_server.com.51820 > ezecom.45.118.222.0.149.ezecom.com.18733: UDP, length 528
15:07:58.082520 IP h.wireguard_server.com.51820 > ezecom.45.118.222.0.149.ezecom.com.18733: UDP, length 148
15:07:58.356140 IP ezecom.45.118.222.0.149.ezecom.com.6163 > h.wireguard_server.com.51820: UDP, length 148
15:08:03.458543 IP h.wireguard_server.com.51820 > ezecom.45.118.222.0.149.ezecom.com.18733: UDP, length 148
15:08:04.115468 IP ezecom.45.118.222.0.149.ezecom.com.6163 > h.wireguard_server.com.51820: UDP, length 148
15:08:07.549950 IP h.wireguard_server.com.51820 > ezecom.45.118.222.0.149.ezecom.com.18733: UDP, length 528
15:08:08.578520 IP h.wireguard_server.com.51820 > ezecom.45.118.222.0.149.ezecom.com.18733: UDP, length 148
15:08:09.875782 IP ezecom.45.118.222.0.149.ezecom.com.6163 > h.wireguard_server.com.51820: UDP, length 148
15:08:13.950383 IP h.wireguard_server.com.51820 > ezecom.45.118.222.0.149.ezecom.com.18733: UDP, length 148
15:08:14.996271 IP ezecom.45.118.222.0.149.ezecom.com.6163 > h.wireguard_server.com.51820: UDP, length 148

With this tcpdump, I noticed that RouterOS(Port 6163) send request to Wireguard Server. The server received it but did not response. This make it clear that port 51820 was not blocked by ISP or server's firewall. Next step, I looked into configuration and found out that RouterOS public key in server config did not correspond to client public key. I replace the key and it was connected. Thank you guys and I hope this discussion will help other people in the future with similar problem

Run RouterOS as Tunnel or VPN Client Behind NAT

Run RouterOS as Tunnel or VPN Client Behind NAT

Re: Run RouterOS as Tunnel or VPN Client Behind NAT

Re: Run RouterOS as Tunnel or VPN Client Behind NAT

Re: Run RouterOS as Tunnel or VPN Client Behind NAT

Re: Run RouterOS as Tunnel or VPN Client Behind NAT

Re: Run RouterOS as Tunnel or VPN Client Behind NAT

Re: Run RouterOS as Tunnel or VPN Client Behind NAT

Re: Run RouterOS as Tunnel or VPN Client Behind NAT

Re: Run RouterOS as Tunnel or VPN Client Behind NAT