 
schanjan
just joined
Topic Author
Posts: 5
Joined: Thu Dec 30, 2021 11:14 am

Route all traffic via WireGuard

Wed Aug 21, 2024 10:11 pm

Hi all,

I am trying to route all traffic from a Wifi (SSID=MikroTik) via the interface wg1.
The Mikrotik is behind a "standard home-grade internet router".

Notes:
- did not create a DHCP server, I am using the one from my home router, also for the Wifi (=> ap bridge)
- devices can connect to the wifi and have internet access - everything good so far.
- wireguard config is also fine, ping via wireguard looks good.

Now I followed https://www.reddit.com/r/mikrotik/comme ... _with_vpn/
(starting from #5)
- add routing table
- add route
- add nat masq
- add routing rule for a network as described in Scenario A

I can't wrap my head around what is wrong (probably a lot... :) )

Config: (tried to keep it as basic as possible)
# 2024-08-21 21:09:13 by RouterOS 7.15.3
# software id = NX3X-69MB
#
# model = RBmAPL-2nD
# serial number = XXX
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik
/interface wireguard
add listen-port=28436 mtu=1420 name=wg1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing table
add disabled=no fib name=wg
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=mydns.com endpoint-port=51820 \
    interface=wg1 name=peer1 public-key=\
    "xxx="
/ip address
add address=192.168.2.2 interface=wg1 network=192.168.2.2
/ip dhcp-client
add interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wg1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wg1 routing-table=wg \
    suppress-hw-offload=no
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.1.0/24 table=wg
 
TheCat12
Member
Posts: 470
Joined: Fri Dec 31, 2021 9:13 pm

Re: Route all traffic via WireGuard

Wed Aug 21, 2024 11:11 pm

Since your Mikrotik is currently acting as a switch, you won't be able to perform routing with it. You'll have to configure a DHCP server and deal with double NAT, or find another Mikrotik (e.g. hAP ac²) and put it in place of your home router, if possible and your budget allows it, because you'll have many more options with which you can customize your home network to your will.
 
anav
Forum Guru
Posts: 22199
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route all traffic via WireGuard

Wed Aug 21, 2024 11:43 pm

Might work, let me review the config.
What you FAIL to mention is what you are connecting to?
Another mikrotik router at a friend's, your CHR in the cloud, a third party VPN provider?

The Mikrotik device should be on the same LAN as your main router and in that case better to use a fixed lanIP.
Let's say your main router subnet is 192.168.10.0/24
Let's say your Mikrotik device is given a static DHCP lease IP of 192.168.10.10

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# serial number = XXX
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik
/interface wireguard
add listen-port=28436 mtu=1420 name=wg1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing table
add disabled=no fib name=use-WG
/interface bridge port
add bridge=bridge1 interface=ether1 comment="connection to main router"
add bridge=bridge1 interface=wlan1 comment="connected MT SSID users"
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=mydns.com endpoint-port=51820 \
    interface=wg1 name=peer1 persistent-keepalive=30s public-key=\
    "xxx="
/ip address
add address=192.168.10.10/24 interface=bridge1 network=192.168.10.0
add address=192.168.2.2 interface=wg1 network=192.168.2.0

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wg1 comment="required for third party provider"
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-table=main
add disabled=no dst-address=0.0.0.0/0 gateway=wg1 routing-table=use-WG
/routing rule
add action=lookup-only-in-table src-address=192.168.10.0/24 table=use-WG

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

To be clear, I am not sure this will work but it's what I would attempt to do.........
 
schanjan
just joined
Topic Author
Posts: 5
Joined: Thu Dec 30, 2021 11:14 am

Re: Route all traffic via WireGuard

Fri Aug 23, 2024 3:24 pm

Thank you for giving it a try...

- The IP address is already added because of the DHCP Client, but as "D - Dynamic". So I think that config step is redundant.
- What would the new IP route change?

Also, I am missing the config which basically says "all wifi1 users are using the routing table use-WG". How does wifi1 know which routing table to use?

To answer your open question: The WG server is on a CHR and is working totally fine with the WG App on my phone.

I am now giving it a try by double-NATing. Although I was hoping that it is possible without. (basically "borrowing" the main DHCP Server but doing the routing myself).
 
TheCat12
Member
Posts: 470
Joined: Fri Dec 31, 2021 9:13 pm

Re: Route all traffic via WireGuard

Fri Aug 23, 2024 7:45 pm

Also, I am missing the config which basically says "all wifi1 users are using the routing table use-WG". How does wifi1 know which routing table to use?
The following line from @anav's configuration should answer your question:

/routing rule
add action=lookup-only-in-table src-address=192.168.10.0/24 table=use-WG

This means that all packets (including those of wifi clients) with source address 192.168.10.0/24 should use use-WG table which contains a default route to the Wireguard interface.
 
anav
Forum Guru
Posts: 22199
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route all traffic via WireGuard

Sat Aug 24, 2024 10:33 pm

Correct, the easiest thing to do is turn the device into a router and do it that way. It's how most of us would approach it, given that the intent is only for the wifi users on the device to go out the tunnel.
 
schanjan
just joined
Topic Author
Posts: 5
Joined: Thu Dec 30, 2021 11:14 am

Re: Route all traffic via WireGuard

Thu Aug 29, 2024 7:21 pm

Update... I have now turned it into a router. It gets a WAN IP, nat masq, a DHCP server on the wlan1 interface (via bridge).

WAN access works just fine so far.

I then added the wireguard config as per reddit post. And nothing is working any more... (client device displays "no internet")
ping via interface "wg1" works.
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge ssid=MikroTik
/interface wireguard
add listen-port=45586 mtu=1420 name=wg1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/routing table
add disabled=no fib name=wg
/interface bridge port
add bridge=bridge1 interface=wlan1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=mydomain.com endpoint-port=51820 interface=wg1 name=peer1 public-key=\
    "xxx=" persistent-keepalive=25s
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=192.168.2.2 interface=wg1 network=192.168.2.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wg1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wg1 routing-table=wg suppress-hw-offload=no
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=wg
Now I believe I am really "out of the box" with this setup. What am I missing?
 
anav
Forum Guru
Posts: 22199
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route all traffic via WireGuard

Thu Aug 29, 2024 7:57 pm

1. Did you forward port 45586 on the upstream router to the LANIP of the mikrotik router?

Easy to do if you go the path I suggested
/ip address
add address=192.168.xx.yy interface=ether1 network=192.168.xx.0


Vice this........
/ip dhcp-client
add interface=ether1


++++++++++++++++++++++++++++++++++++++++++++++++++++++++

You are missing so many rules for a router
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wg1


/ip route
add dst-address=0.0.0.0/0 gateway=192.168.xx.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=wg


/routing rule
add min-prefix=0 action=lookup-only-in-table table=main
add action=lookup src-address=192.168.88.0/24 table=wg


Note: If the wireguard connection goes down, your router will not know, so the action lookup is, in effect, the same as lookup-only-in-table.
One has to monitor the wireguard connection.......... More on that later.........


I would certainly add firewall rules but assume you want to keep it lean,
for tracking testing would at least put in the following
/ip firewall filter
add chain=input action=accept dst-port=45586 protocol=udp log=yes log-prefix="wireguard handshake"


/interface list
add name=WAN
add name=LAN
/interface list members
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
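The reply above lists the pieces a router-mode config needs on top of the WireGuard parts. As an added example (not from the thread or from MikroTik), here is a small Python checker that parses a RouterOS export, joining the backslash continuation lines exports use, and flags the WAN-side masquerade and the main-table default route when they are absent; the export string is constructed in the shape of the "turned it into a router" config, and the interface name ether1 is assumed as WAN.

```python
import re
import shlex

# Constructed export in the shape of the "turned it into a router" config above:
# DHCP client on ether1, a wg default route and LAN rule, but only the wg1 masquerade.
SAMPLE_EXPORT = """\
/ip dhcp-client
add interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wg1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wg1 routing-table=wg \\
    suppress-hw-offload=no
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=wg
"""

def parse_export(text):
    """(section, {param: value}) per add/set line; bare words such as 'fib' become True."""
    entries, section = [], None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():   # join continuation lines
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()
            continue
        params = {}
        for tok in shlex.split(line)[1:]:                      # skip the add/set verb
            key, eq, val = tok.partition("=")
            params[key] = val if eq else True
        if section == "/ip route":
            params.setdefault("routing-table", "main")         # implicit in an export
        entries.append((section, params))
    return entries

def find_gaps(text, wan_if="ether1"):
    entries = parse_export(text)
    def has(section, want):
        return any(s == section and all(p.get(k) == v for k, v in want.items())
                   for s, p in entries)
    gaps = []
    if not has("/ip firewall nat", {"chain": "srcnat", "action": "masquerade",
                                    "out-interface": wan_if}):
        gaps.append(f"no srcnat masquerade out {wan_if}")
    # A DHCP client adds a dynamic default route an export never shows, so a
    # static main-table default is required only when the WAN address is static.
    if not has("/ip dhcp-client", {"interface": wan_if}) and \
       not has("/ip route", {"dst-address": "0.0.0.0/0", "routing-table": "main"}):
        gaps.append("no default route in table main")
    return gaps
```

Run `find_gaps` on a real `/export` to see which of the two items the reply named is still missing.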
 
anav
Forum Guru
Posts: 22199
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route all traffic via WireGuard

Thu Aug 29, 2024 9:35 pm

Regarding use of the routing table action..........
a. lookup --> basically means use the preferred table, but if it is not available the router can look at the main table for an alternative active route --> out the local WAN for example.
b. lookup-only-in-table ---> means if the preferred table is not available the router cannot look for an alternative active route.

Clearly if your choice had been b., we don't really care if wireguard is down, as the users are simply not allowed local internet, and since the router is not able to know if wireguard is down it will keep sending traffic out a dead end. However, if that really is the requirement, best to put in option b in the rule.

However, the Router has to be aware if routes are available or not and wireguard is an interface not a route.
Thus to use the option a, then the router needs to know to switch to MAIN ...............

So in the example above we add so it looks like:

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.xx.1 routing-table=main check-gateway=ping
++++++++++++++++++++++++++++++++++++++++++++++++++++
add distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12 check-gateway=ping
add distance=2 dst-address=1.1.1.1/32 gateway=wg1 routing-table=main scope=10 target-scope=11

+++++++++++++++++++++++++++++++++++++++++++++++++
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=wg


The middle two rules recursively let the router know whether the wireguard interface, in its gateway form, is routable or not. The small caveat is that perhaps the dns site cloudflare is not up............
One could make the decision dependent upon two remote sites.

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.xx.1 routing-table=main check-gateway=ping
++++++++++++++++++++++++++++++++++++++++++++++++++++
add distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12 check-gateway=ping
add distance=2 dst-address=1.1.1.1/32 gateway=wg1 routing-table=main scope=10 target-scope=11
add distance=3 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12 check-gateway=ping
add distance=3 dst-address=9.9.9.9/32 gateway=wg1 routing-table=main scope=10 target-scope=11
+++++++++++++++++++++++++++++++++++++++++++++++++
add dst-address=0.0.0.0/0 gateway=wg1 routing-table=wg
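The two posts above turn on three RouterOS behaviours: a routing rule's lookup falls back to main while lookup-only-in-table does not, an interface gateway such as wg1 stays active even when the peer is dead, and a route with an IP gateway is resolved recursively through main-table routes whose scope is at most the route's target-scope, with check-gateway=ping able to deactivate it. This added Python model (mine, not anav's literal config or anything from RouterOS) works through those rules on a constructed route set: 192.168.10.1 stands in for 192.168.xx.1, and the table-wg default is written with 1.1.1.1 as its gateway so that the ping check can take it down and let the lookup rule fall back to the local WAN.

```python
from ipaddress import ip_address, ip_network

# Constructed routes, not anav's literal lines. The table-wg default uses the pinged
# address 1.1.1.1 as gateway so check-gateway can deactivate it; 1.1.1.1/32 itself goes
# out wg1 through a scope-10 route in main, like the post's "middle two" lines.
ROUTES = [
    dict(table="main", dst="192.168.10.0/24", gw="ether1", dist=0, scope=10, tscope=10, ping=False),
    dict(table="main", dst="0.0.0.0/0", gw="192.168.10.1", dist=1, scope=30, tscope=10, ping=True),
    dict(table="main", dst="1.1.1.1/32", gw="wg1", dist=1, scope=10, tscope=11, ping=False),
    dict(table="wg", dst="0.0.0.0/0", gw="1.1.1.1", dist=1, scope=30, tscope=12, ping=True),
]

def resolve(route, alive):
    """Interface the route finally exits on, or None when it is inactive.
    An interface gateway (wg1, ether1) always counts as up: RouterOS cannot see a
    dead WireGuard peer, which is the thread's point. An IP gateway must answer
    ping when check-gateway=ping is set ('alive' is the constructed set of
    responding addresses) and must resolve through a main-table route whose
    scope <= this route's target-scope."""
    try:
        gw = ip_address(route["gw"])
    except ValueError:
        return route["gw"]
    if route["ping"] and str(gw) not in alive:
        return None
    for r in ROUTES:
        if (r["table"] == "main" and r is not route and r["scope"] <= route["tscope"]
                and gw in ip_network(r["dst"])):
            via = resolve(r, alive)
            if via:
                return via
    return None

def lookup(dst, table, alive):
    """Longest prefix, then lowest distance, among the table's active routes."""
    cands = sorted((r for r in ROUTES if r["table"] == table and ip_address(dst) in ip_network(r["dst"])),
                   key=lambda r: (-ip_network(r["dst"]).prefixlen, r["dist"]))
    return next((via for via in map(lambda r: resolve(r, alive), cands) if via), None)

def egress(src, dst, action, alive):
    """Apply a /routing rule for 192.168.88.0/24 with the given action (lookup or
    lookup-only-in-table) and return the exit interface, or None if dropped."""
    if ip_address(src) in ip_network("192.168.88.0/24"):
        via = lookup(dst, "wg", alive)
        if via or action == "lookup-only-in-table":
            return via
    return lookup(dst, "main", alive)
```

With 1.1.1.1 removed from the alive set, egress with lookup goes out ether1 while lookup-only-in-table returns None, which is the difference between options a and b above.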
 
yhfung
Member Candidate
Posts: 162
Joined: Tue Nov 20, 2012 6:58 pm

Re: Route all traffic via WireGuard

Thu Jan 09, 2025 9:09 am

For a similar network, but with all LAN and Wi-Fi routed to the remote site via WireGuard, you could have a look at the following thread.

viewtopic.php?t=213013

In the above, the HK-Gateway works very well.