Gomo
Frequent Visitor
Topic Author
Posts: 54
Joined: Sat Jul 24, 2021 6:41 pm

WireGuard VPN in non-MT network

Fri Apr 07, 2023 2:59 am

Hello all,

I need assistance with a MT wireguard setup in a non-MT network with a basic ISP modem / router (meaning very little configuration is possible on the ISP modem / router side).
I would like to add a MT router inside of a small local network and make it reachable from outside. "Outside" being a group of laptops with WireGuard software installed.

So in short, VPN access for remote workers. I've attached the diagram below.
(attachment: wireguard.png)
To be fully honest, I don't know how to make laptops (192.168.100.2,3,4,5) reachable here. What would the configuration on the MT need to look like in order for this to work?
MT has to be in the same subnet (192.168.100.0/24), and the ISP router / modem is the gateway / DHCP / DNS server.
I guess in this scenario the ISP DHCP would need to be restricted to hand out IPs in the following range: 192.168.100.1-192.168.100.240 (so that the wireguard VPN client range doesn't get used by accident). 192.168.100.240-192.168.100.250 stays reserved for the remote workers.

I've made a few tests and gotten the tunnel connection established (so I can confirm that port forwarding to the MT works), but couldn't reach devices on either end.

Thank you in advance for your time!
P.S. I would appreciate if you would only write suggestions if you're confident in your skills :)
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN in non-MT network

Fri Apr 07, 2023 6:13 am

Hello
> P.S. I would appreciate if you would only write suggestions if you're confident in your skills :)
Counts me out, I'm a cat person anyway.
 
Gomo
Frequent Visitor
Topic Author
Posts: 54
Joined: Sat Jul 24, 2021 6:41 pm

Re: WireGuard VPN in non-MT network

Fri Apr 07, 2023 3:18 pm

Hello
> P.S. I would appreciate if you would only write suggestions if you're confident in your skills :)
> Counts me out, I'm a cat person anyway.
If I were asking for whom this doesn't apply, we would see a bit more activity. But nice of you to share this useful piece of information.
 
erlinden
Forum Guru
Posts: 2756
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: WireGuard VPN in non-MT network

Fri Apr 07, 2023 3:27 pm

> P.S. I would appreciate if you would only write suggestions if you're confident in your skills :)
Confident of my skills...still a bit in doubt...going to react anyway (sorry anav):

What resources do you want to provide through this tunnel?
Or is it sufficient to make the internal machines reachable?
Would it be possible to have all clients behind the MikroTik?
Can the ISP modem be in bridge mode?
 
Gomo
Frequent Visitor
Topic Author
Posts: 54
Joined: Sat Jul 24, 2021 6:41 pm

Re: WireGuard VPN in non-MT network

Fri Apr 07, 2023 3:40 pm

Pretty much the whole ISP / destination subnet (192.168.100.0/24) should be reachable via the tunnel. "10.10.10.2" is a "remote worker" who needs to access internal resources, such as 192.168.100.2,3,4,5.

Unfortunately the ISP modem cannot be in bridge mode. I know that having everything go through the MT would make things way easier (and I would manage to set it up myself in that scenario).
Is the above described setup even doable? (network diagram pic)
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN in non-MT network

Fri Apr 07, 2023 3:52 pm

> Confident of my skills...still a bit in doubt...going to react anyway (sorry anav):
I was being facetious LOL, perfectly within the skillset but no guarantees. Have at it!
If one wants to add conditions on to post,
I simply direct this way -------------------> https://mikrotik.com/consultants
 
Gomo
Frequent Visitor
Topic Author
Posts: 54
Joined: Sat Jul 24, 2021 6:41 pm

Re: WireGuard VPN in non-MT network

Fri Apr 07, 2023 5:07 pm

> Confident of my skills...still a bit in doubt...going to react anyway (sorry anav):
> I was being facetious LOL, perfectly within the skillset but no guarantees. Have at it!
> If one wants to add conditions on to post,
> I simply direct this way -------------------> https://mikrotik.com/consultants
Somehow your post count doesn't surprise me. Now let's state the obvious: there are no conditions, nor were any set.
I was simply and kindly asking for answers from those who think / feel they can contribute to the solution. Before this post, like many others, turns into chit-chat about unrelated topics and suggestions which are completely out of scope, simply for the sake of getting the number of posts up.
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN in non-MT network

Fri Apr 07, 2023 6:22 pm

There is no value in getting post numbers up, so not sure what you are alluding to.
Clearly you are a liar though, as a condition of responding was predicated on arrogance: don't bother posting unless......................
I don't like BS and call it out when I see it. Political speak and niceties aside, truth hurts, too bad, grow a pair and next time just ask for help without constraints!!

Your situation is very common and there is nothing complex about it.
You want to set up the hex behind another router so as to be able to reach an internal network.
The one caveat is that you need to be able to port forward the mikrotik listening port from the ISP router to the HEX router ???

Assuming that's possible.
One can set up the hex as a bare bones routing device.
The one thing to be sure of is to have a source-nat rule to the WAN port on the hex, so that all wireguard requests to the subnet look like they are coming from the WANIP of the hex (also its LANIP on the subnet of the ISP modem/router). Otherwise the ISP modem/router would have no way of directing any return traffic back to the wireguard source addresses, as they are not local to the ISP modem/router, and it would get dropped.

Wireguard understanding --> viewtopic.php?t=182340

Example of Router Setup

/interface bridge
add ingress-filtering=no name=bridgeWG
/interface ethernet
set [ find default-name=ether1 ] name=TO-ISP-ROUTER
# ether2 is kept off the bridge, to be able to access and config the hex directly
set [ find default-name=ether2 ] name=emergaccess
/interface wireguard
add name=wireguard1 listen-port=51820
/interface list
add name=WAN
add name=LAN
/ip pool
add name=bridgepool ranges=192.168.20.10-192.168.20.50
/ip dhcp-server
add name=bridge-server interface=bridgeWG address-pool=bridgepool
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
/interface bridge port
add bridge=bridgeWG interface=ether3
add bridge=bridgeWG interface=ether4
add bridge=bridgeWG interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface wireguard peers
# public-key values are placeholders; fill in each client's public key
add interface=wireguard1 allowed-address=110.50.50.2/32 public-key="<peer1-public-key>" comment=peer1
add interface=wireguard1 allowed-address=110.50.50.3/32 public-key="<peer2-public-key>" comment=peer2
/interface list member
add interface=bridgeWG list=LAN
add interface=emergaccess list=LAN
# key line: wireguard1 in the LAN list, thus remote wg users will get sourcenatted out WAN
add interface=wireguard1 list=LAN
add interface=TO-ISP-ROUTER list=WAN
/ip address
# make a static DHCP entry for this address on the ISP router
add address=192.168.100.250/24 interface=TO-ISP-ROUTER network=192.168.100.0 comment="WANIP_of_HEX"
add address=192.168.20.1/24 interface=bridgeWG network=192.168.20.0 comment="hex lan"
add address=192.168.55.1/24 interface=emergaccess network=192.168.55.0 comment="ether2 access off bridge"
add address=110.50.50.1/24 interface=wireguard1 network=110.50.50.0 comment="wireguard network1"
/ip dns
set allow-remote-requests=yes servers=192.168.100.1
/ip firewall nat
# key line: everything leaving via the WAN list is sourcenatted to the hex's WANIP
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Use of off-bridge access is optional, but it avoids any hassles when configuring any MT bridge and, along with use of safe mode, makes life much easier.
(Just plug a laptop into ether2, put in 192.168.55.5 for example in the IPv4 settings, and you will be in.)

NOTE: I have not included any firewall rules and thus ALL traffic will pass.

+++++++++++++++++++++++++++++++++++++++++++

Regarding Clients.................... This is really messed up!!

(1) The address of the wireguard client is the address on the WG network thus it should be
110.50.50.2/32
If you had another client you could give it.
110.50.50.3/32

(2) The allowed IPs is missing the wireguard Ips..........

You can choose
allowed-ips= 110.50.50.0/24,192.168.100.0/24 (which allows you to ping any other wg device (useful if other client routers are in the mix) and of course the subnet in question)
OR
allowed-ips= 0.0.0.0/0 which includes all of the above, in case you wanted remote users to use the internet of the ISP router.

(3) The endpoint shown in your illustration is not correct. The endpoint is the PUBLIC IP of the ISP router.
How do you propose to provide that?
Is the WANIP of the ISP modem router a fixed/static or dynamic WANIP?
One option is to use the IP CLOUD function on the hex router for the dynamic case, if you don't already have an existing dyndns name/provider.
 
Gomo
Frequent Visitor
Topic Author
Posts: 54
Joined: Sat Jul 24, 2021 6:41 pm

Re: WireGuard VPN in non-MT network

Fri Apr 07, 2023 9:42 pm

If after all these years of being on this forum (and I assume others) you don't see what was meant and correlate that with arrogance.. oh boy.

About the config suggestion ..
I don't understand why you would put eth3,4,5 in a different subnet?
> add address=192.168.20.1/24  interface=bridge-WG  network=192.168.100.0 comment="hex lan"
About the bottom right corner of the image (wireguard CLIENT side config). Allowed IPs are IPs / ranges which will be routed into the tunnel.. so why would I add "110.50.50.0/24" there?
Also, on the client side, the "endpoint" is the destination for this wireguard tunnel, which is and should be (in my case) 110.50.50.50 (public IP of the destination ISP modem / router).

Another part that confuses me is the following:
> add address=110.50.50.1/24 interface=wireguard1 network=110.50.50.0  comment="wireguard network1"
From my understanding, the wireguard IP range here should be from a local range (192.168.100.0/24 if possible?).
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN in non-MT network

Fri Apr 07, 2023 10:17 pm

Sorry for the confusion, I understand what you are saying. I made an incorrect fix to the config.........
The result is still the same in that the config is wrong and needs to be adjusted.

In this case, it's the IP address structure of the Wireguard. It cannot be the WANIP of the ISP router......
So here are the adjustments...........

The IP address of the wireguard is now
add address=10.50.50.1/24 interface=wireguard1 network=10.50.50.0 comment="wireguard network1"
/interface bridge
add ingress-filtering=no name=bridgeWG
/interface ethernet
set [ find default-name=ether1 ] name=TO-ISP-ROUTER
# ether2 is kept off the bridge, to be able to access and config the hex directly
set [ find default-name=ether2 ] name=emergaccess
/interface wireguard
add name=wireguard1 listen-port=51820
/interface list
add name=WAN
add name=LAN
/ip pool
add name=bridgepool ranges=192.168.20.10-192.168.20.50
/ip dhcp-server
add name=bridge-server interface=bridgeWG address-pool=bridgepool
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
/interface bridge port
add bridge=bridgeWG interface=ether3
add bridge=bridgeWG interface=ether4
add bridge=bridgeWG interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface wireguard peers
# public-key values are placeholders; fill in each client's public key
add interface=wireguard1 allowed-address=10.50.50.2/32 public-key="<peer1-public-key>" comment=peer1
add interface=wireguard1 allowed-address=10.50.50.3/32 public-key="<peer2-public-key>" comment=peer2
/interface list member
add interface=bridgeWG list=LAN
add interface=emergaccess list=LAN
# key line: wireguard1 in the LAN list, thus remote wg users will get sourcenatted out WAN
add interface=wireguard1 list=LAN
add interface=TO-ISP-ROUTER list=WAN
/ip address
# make a static DHCP entry for this address on the ISP router
add address=192.168.100.250/24 interface=TO-ISP-ROUTER network=192.168.100.0 comment="WANIP_of_HEX"
add address=192.168.20.1/24 interface=bridgeWG network=192.168.20.0 comment="hex lan"
add address=192.168.55.1/24 interface=emergaccess network=192.168.55.0 comment="ether2 access off bridge"
add address=10.50.50.1/24 interface=wireguard1 network=10.50.50.0 comment="wireguard network1"
/ip dns
set allow-remote-requests=yes servers=192.168.100.1
/ip firewall nat
# key line: everything leaving via the WAN list is sourcenatted to the hex's WANIP
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
The comments regarding the wireguard clients remain.
The ADDRESS must be on the wireguard network,
so 10.50.50.2/32 (NOT 192.168.xx.xy) etc.....

The reason that most folks put on the client's peer settings
allowed-address=10.50.50.0/24,192.168.100.0/24 is so that the admin can easily ping the router to ensure connectivity. It also allows the admin to configure the router via winbox,
simply by putting 10.50.50.1:winboxport# into the WINBOX client to gain access to config the router remotely.

Another reason is that it's not unusual to have another router in the mix as a client........... and thus if that router also has 10.50.50.0/24 in its peer settings to the server MT router, the remote wireguard user is automatically able to access that router through the tunnels, to access the client router's subnets or to config it, etc...... Very flexible approach.

So unless you need internet access, 0.0.0.0/0 which covers all IPs, the norm is wg subnet,remotesubnet(s)
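To make the client-side rules above concrete, here is an added checker that is not code from the thread or from MikroTik: it parses a WireGuard client .conf and flags the three mistakes anav describes, an Address that is not a /32 on the tunnel subnet, AllowedIPs that omit the tunnel subnet or the remote LAN, and an Endpoint that is a private address rather than the ISP router's public IP. The tunnel subnet 10.50.50.0/24, the LAN 192.168.100.0/24 and port 51820 come from the post; the two sample client files are constructed, and 110.50.50.50 is the illustrative public IP Gomo uses for the ISP router.

```python
"""Check a WireGuard client configuration against the hex's address plan.

Added example, not from the forum thread. Subnet/port values follow anav's
post; the two sample client files and the endpoint address are constructed.
"""
import configparser
import ipaddress

WG_SUBNET = ipaddress.ip_network("10.50.50.0/24")        # tunnel network on the hex
REMOTE_LANS = [ipaddress.ip_network("192.168.100.0/24")]  # LAN behind the ISP router
LISTEN_PORT = 51820                                       # UDP port forwarded to the hex

# Constructed sample: what a correct remote-worker client should look like.
GOOD_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.50.50.2/32

[Peer]
PublicKey = <hex-public-key>
AllowedIPs = 10.50.50.0/24, 192.168.100.0/24
Endpoint = 110.50.50.50:51820
"""

# Constructed sample reproducing the mistakes discussed in the thread.
BAD_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 192.168.100.241/24

[Peer]
PublicKey = <hex-public-key>
AllowedIPs = 192.168.100.0/24
Endpoint = 192.168.100.250:51820
"""


def parse_client_conf(text):
    """Parse a wg-quick style [Interface]/[Peer] file into nested dicts."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case: AllowedIPs, PublicKey, ...
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def check_client(conf, wg_subnet=WG_SUBNET, remote_lans=REMOTE_LANS, listen_port=LISTEN_PORT):
    """Return a list of problems; an empty list means the client matches the server plan."""
    problems = []
    iface = conf.get("Interface", {})
    peer = conf.get("Peer", {})

    # (1) Address is the client's own tunnel address: a /32 host on the tunnel subnet.
    addr = ipaddress.ip_interface(iface.get("Address", "0.0.0.0/0"))
    if addr.ip not in wg_subnet:
        problems.append(f"Address {addr} is not on the tunnel subnet {wg_subnet}")
    elif addr.network.prefixlen != 32:
        problems.append(f"Address {addr} should be a /32 host address")

    # (2) AllowedIPs is what the client routes into the tunnel: it must cover the
    #     tunnel subnet and every remote LAN (0.0.0.0/0 covers everything).
    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
    for wanted in [wg_subnet, *remote_lans]:
        if not any(wanted.subnet_of(a) for a in allowed):
            problems.append(f"AllowedIPs does not cover {wanted}")

    # (3) Endpoint is the ISP router's public address (or a DNS name for it) plus the
    #     forwarded port; a private address can never be reached from the internet.
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host:
        problems.append("Endpoint must be host:port")
    else:
        try:
            if not ipaddress.ip_address(host).is_global:
                problems.append(f"Endpoint {host} is not a public address")
        except ValueError:
            pass  # a DNS name (e.g. an IP Cloud DDNS name) cannot be checked offline
        if not port.isdigit() or int(port) != listen_port:
            problems.append(f"Endpoint port {port!r} does not match the forwarded port {listen_port}")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_client(parse_client_conf(text)) or "OK")
```

Running it prints "OK" for the first file and three findings for the second. The endpoint check deliberately accepts a DNS name, since that is what the IP Cloud option anav mentions would produce for a dynamic WAN address.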
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN in non-MT network

Fri Apr 07, 2023 10:30 pm

The hex is acting as a wg router here and thus it was just easy to construct a bridge with a subnet; you don't need the subnet, but it functions perfectly if you need it to....
Nor did you actually state any requirements regarding the hex.
I always manage devices directly off bridge to avoid bridge configuration hiccups.
 
Gomo
Frequent Visitor
Topic Author
Posts: 54
Joined: Sat Jul 24, 2021 6:41 pm

Re: WireGuard VPN in non-MT network

Sat Apr 08, 2023 3:00 am

Thank you.

I've made some adjustments (nothing major, just the IP ranges and removed the emergency access part) and tested it at home. Here's the config export:
/interface bridge
add name=bridgeWG
/interface ethernet
set [ find default-name=ether1 ] comment=Uplink
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=10.90.91.2-10.90.91.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridgeWG lease-time=1h name=dhcp1 relay=10.90.91.1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridgeWG interface=ether3
add bridge=bridgeWG interface=ether4
add bridge=bridgeWG interface=ether5
add bridge=bridgeWG interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridgeWG list=LAN
add interface=wireguard1 list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.90.90.10/32 interface=wireguard1 public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.90.90.11/32 interface=wireguard1 public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.90.90.12/32 interface=wireguard1 public-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.100.250/24 comment=WANIP_of_HEX interface=ether1 network=192.168.100.0
add address=10.90.90.1/24 comment="wireguard network1" interface=wireguard1 network=10.90.90.0
add address=10.90.91.1/24 interface=bridgeWG network=10.90.91.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.90.91.0/24 dns-server=10.90.91.1 gateway=10.90.91.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

What I noticed is that communication back isn't working (from within the main ISP network) to the "remote worker". But I guess that's because the ISP router doesn't have a route for 10.90.90.0/24?

Also, on the MT ether2,3,4,5 LAN has no working DHCP, any idea why?
(attachment: dhcp.png)
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN in non-MT network

Sat Apr 08, 2023 3:59 am

Of course there is a route back through wireguard........... it's created by the IP address for wireguard.
Check the IP tables on the hex:
<dac> dst-address=10.90.90.0/24 gateway=wireguard1 routing-table=main

You also changed the setting for IP DNS,
recommend for now changing it back...... to 192.168.100.1

The one big boo boo you made was changing the name of ether1 but not reflecting that everywhere.................
Mainly the interface list settings................. interface=ether1 list=WAN

Get rid of this relay addition, no idea where it came from.
> /ip dhcp-server
> add address-pool=dhcp_pool0 interface=bridgeWG lease-time=1h name=dhcp1 relay=10.90.91.1

/interface bridge
add name=bridgeWG
/interface ethernet
set [ find default-name=ether1 ] comment=Uplink
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=10.90.91.2-10.90.91.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridgeWG lease-time=1h name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridgeWG interface=ether3
add bridge=bridgeWG interface=ether4
add bridge=bridgeWG interface=ether5
add bridge=bridgeWG interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridgeWG list=LAN
add interface=wireguard1 list=LAN
add interface=Uplink list=WAN
/interface wireguard peers
add allowed-address=10.90.90.10/32 interface=wireguard1 public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.90.90.11/32 interface=wireguard1 public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.90.90.12/32 interface=wireguard1 public-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=192.168.100.250/24 comment=WANIP_of_HEX interface=ether1 network=192.168.100.0
add address=10.90.90.1/24 comment="wireguard network1" interface=wireguard1 network=10.90.90.0
add address=10.90.91.1/24 interface=bridgeWG network=10.90.91.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=10.90.91.0/24 dns-server=10.90.91.1 gateway=10.90.91.1
/ip dns
set allow-remote-requests=yes servers=192.168.100.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-table=main
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

+++++++++++++++++++++++++++++++++++++++

1. Ensure port 51820 (protocol=udp) is forwarded on the ISP router to 192.168.100.250.
2. Since there are no firewall rules on the hex, the router should receive the handshake.
(Without a firewall rule we cannot establish if the rule has been executed, so that's a reason to perhaps stick in some firewall rules for troubleshooting purposes.)
3. Assuming the connection is made, since there are no firewall rules, the remote wireguard warrior should be able to reach both the router for config purposes and the users in the 192.168.100.0 subnet.

Since the MT device has an IP route to the gateway of 192.168.100.1, all traffic leaving through the gateway will get sourcenatted with the IP of 192.168.100.250.
The traffic will either go out to the internet or to another device on the local LAN, as the ISP router knows about this subnet and where to route traffic.
Return traffic will be sent to 192.168.100.250 and will go back into the MT router. The MT router will un-sourcenat the traffic back to the wireguard remote address and, due to the existing <dac> route, will send the return traffic back into the tunnel, where the router will match it with the correct peer.

Thus I don't see any impediments to it working.
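The forward-and-return path anav walks through above, as an added Python model that is not code from the thread or from MikroTik: it builds the hex's routing table from the /ip address entries and default route in the export, applies the srcnat masquerade to anything leaving via the WAN list, and shows that the reply only finds its way back into the tunnel because the hex un-NATs it and the connected (<dac>) route for 10.90.90.0/24 points at wireguard1. With masquerade off, the LAN host answers to a 10.90.90.x address via its default gateway, the ISP router, which has only a default route and sends the reply toward the internet. Interface names and addresses are the thread's; the LAN host 192.168.100.5, the ISP router's table and the flow itself are constructed.

```python
"""Model the hex's route lookup and srcnat masquerade for a remote worker's session.

Added example, not from the forum thread. Routes mirror the /ip address entries
and default route in the export above; the LAN host and ISP router table are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

LAN = ipaddress.ip_network("192.168.100.0/24")  # subnet behind the ISP router


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None  # None: directly connected (RouterOS shows these as <dac>)


@dataclass
class Router:
    name: str
    routes: list
    wan_interfaces: set = field(default_factory=set)
    masquerade: bool = False
    wan_ip: Optional[str] = None
    conntrack: dict = field(default_factory=dict)  # (peer, translated src) -> original src

    def lookup(self, dst):
        """Longest-prefix match, the selection the hex's main table performs."""
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if ip in r.dst]
        return max(candidates, key=lambda r: r.dst.prefixlen, default=None)

    def forward(self, src, dst):
        """Route a packet; rewrite its source if it leaves via a WAN-list interface."""
        route = self.lookup(dst)
        if route is None:
            return None
        if self.masquerade and route.interface in self.wan_interfaces:
            self.conntrack[(dst, self.wan_ip)] = src  # remember who really sent it
            src = self.wan_ip
        return {"src": src, "dst": dst, "out": route.interface}

    def handle_reply(self, src, dst):
        """Undo the NAT from the conntrack entry (if any) and route the reply."""
        original = self.conntrack.get((src, dst))
        if original is not None:
            dst = original
        route = self.lookup(dst)
        return {"src": src, "dst": dst, "out": route.interface if route else None}


def build_hex(masquerade=True):
    """The hex's table: three connected routes from /ip address plus the default route."""
    return Router(
        name="hex",
        routes=[
            Route(LAN, "ether1"),                                          # WANIP_of_HEX side
            Route(ipaddress.ip_network("10.90.90.0/24"), "wireguard1"),    # <dac> tunnel route
            Route(ipaddress.ip_network("10.90.91.0/24"), "bridgeWG"),      # hex LAN bridge
            Route(ipaddress.ip_network("0.0.0.0/0"), "ether1", gateway="192.168.100.1"),
        ],
        wan_interfaces={"ether1"},
        masquerade=masquerade,
        wan_ip="192.168.100.250",
    )


# Constructed: the ISP router knows its own LAN and a default route, nothing about the tunnel.
ISP_ROUTER = Router(
    name="isp-router",
    routes=[Route(LAN, "lan"), Route(ipaddress.ip_network("0.0.0.0/0"), "internet", gateway="<isp-gateway>")],
)


def trace_session(masquerade=True, remote="10.90.90.10", target="192.168.100.5"):
    """Return (outbound packet as seen on the LAN, interface the reply leaves by)."""
    hex_router = build_hex(masquerade)
    out = hex_router.forward(remote, target)
    reply_src, reply_dst = out["dst"], out["src"]
    if ipaddress.ip_address(reply_dst) in LAN:
        # The LAN host answers a local address directly; the hex un-NATs and routes it.
        reply_out = hex_router.handle_reply(reply_src, reply_dst)["out"]
    else:
        # The LAN host hands a non-local destination to its gateway, the ISP router.
        reply_out = ISP_ROUTER.lookup(reply_dst).interface
    return out, reply_out


if __name__ == "__main__":
    print("with masquerade:   ", trace_session(masquerade=True))
    print("without masquerade:", trace_session(masquerade=False))
```

The second line of output is the failure anav warns about: the reply to 10.90.90.10 leaves the ISP router by its default route instead of ever reaching the hex, because nothing on the ISP side has a route for the tunnel subnet.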
 
Gomo
Frequent Visitor
Topic Author
Posts: 54
Joined: Sat Jul 24, 2021 6:41 pm

Re: WireGuard VPN in non-MT network

Sat Apr 08, 2023 3:55 pm

- The DNS was changed due to testing related to the dyndns.
- About the interface name change "ether1", I think you must've missed something (the "Uplink" thing you saw was just a comment), because the name change was done via WinBox and it is reflected everywhere.
- About the DHCP relay thing, thanks, not sure how it slipped in. Now DHCP works (on the MT ether2,3,4,5).
When I posted my last comment, everything worked except for the DHCP on the MT LAN. Port forwarding was already configured on the ISP router and working.

Bi-directional communication (between two networks / two MT routers) would only work with a Site-to-Site MT wireguard configuration, correct? (as long as you configure the necessary routes & FW on both ends)

Thank you for taking the time and assisting, I do appreciate it.
 
anav
Forum Guru
Posts: 22312
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN in non-MT network

Sat Apr 08, 2023 4:46 pm

Yup, you got me, it was only a comment, my bad!
Either getting old or doing stuff too late in the evening! :-)

Glad it's all working!
Yes, the receiving end is usually the good place to be specific about where traffic goes, using firewall rules.
Besides IP routes, the allowed-IPs are also critical.