korg (Member Candidate, Topic Author; Posts: 151; Joined: Tue Apr 26, 2016 4:10 pm)

Connectivity to customers mikrotiks via Wireguard. Good idea?

Sun Mar 31, 2024 12:58 am

Hello to all,

I am looking for an easy and user-friendly support resp. connectivity to my customers' MikroTiks.

To set up a 'WG site to site' connectivity from mine to all customers' MikroTiks would be an idea (the connection would not always be active, only in case of a support issue).

How are you supporting all your MTs? L2TP?

Tx

Korg
 
anav (Forum Guru; Posts: 19672; Joined: Sun Feb 18, 2018 11:28 pm; Location: Nova Scotia, Canada)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Sun Mar 31, 2024 1:20 am

Of course the WG tunnels would always be active.
Your work or home router would serve as the server for the handshake, and all the client devices would have persistent keepalive set.
You don't even need a separate WireGuard interface for all your devices either.
You can separate them by IP address..........

add address=172.168.0.1/24 interface=WireguardControl network=172.168.0.0
add address=172.168.1.1/24 interface=WireguardControl network=172.168.1.0
add address=172.168.2.1/24 interface=WireguardControl network=172.168.2.0
...
...
add address=172.168.n.1/24 interface=WireguardControl network=172.168.n.0


Much easier IMHO as you only need to produce one Public KEY to put on all the devices!
Easy for firewall rules too.
- single input chain rule for all handshakes !! for port 14678 for example......
- one forward chain rule for you as admin to enter the tunnel
add chain=forward action=accept in-interface-list=TRUSTED src-address-list=Authorized out-interface=WireguardControl
Last edited by anav on Tue Apr 02, 2024 2:43 pm, edited 1 time in total.
 
korg (Member Candidate, Topic Author; Posts: 151; Joined: Tue Apr 26, 2016 4:10 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 2:05 pm

This is my test setup. It is just a simple setup with two goals:

- get the WG connectivity running between spine and leaf1, and between spine and leaf2, but not between leaf1 and leaf2.
- get the correct IP addresses on the VPCs on leaf1 and leaf2.
[attached image: 2024-04-02_12h56_03.png]
IP addresses:

spine 10.10.100.0/24
leaf1 10.20.100.0/24
leaf2 10.30.100.0/24

WG connectivity is working as it is supposed to.. but.. what I am experiencing is that the VPCs on leaf1 and leaf2, when doing DHCP, do NOT GET the IP address of the leaf itself (10.20.100.x and 10.30.100.x respectively) but the IP address of the spine! Again, no 'nuclear physics' MikroTik setup .. pretty simple. Where am I doing/making/'enabling' an error?

Here is the spine code
# apr/02/2024 10:53:30 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.100.1-10.10.100.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1  interface=ether2
add bridge=bridge1  interface=ether3
add bridge=bridge1  interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.135 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "sdfdsfsdfsd"
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.138 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "sdfdsfsdfsd="
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.136 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "sdfdsfsdfsd="
/ip address
add address=10.10.100.254/24 interface=bridge1 network=10.10.100.0
add address=172.16.0.100/24 interface=wireguard1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 gateway=10.10.100.254
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=13299 protocol=udp \
    src-port=""
/ip route
add comment="Connection to xy" disabled=no distance=1 dst-address=\
    10.20.100.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="connection to zy" disabled=no distance=1 dst-address=\
    10.30.100.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.40.100.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/system identity
set name="MT SPINE WG"
/system note
set show-at-login=no
Here is the leaf1 code
# apr/02/2024 10:53:44 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.20.100.1-10.20.100.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.137 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "papapapaapa"
/ip address
add address=10.20.100.254/24 interface=bridge1 network=10.20.100.0
add address=172.16.0.200/24 interface=wireguard1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.20.100.0/24 gateway=10.20.100.254
/ip firewall filter
add action=accept chain=input dst-port=13299 protocol=tcp
/ip route
add disabled=no distance=1 dst-address=10.10.100.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system identity
set name="MT Leaf1 WG"
/system note
set show-at-login=no
and the leaf2 code
# apr/02/2024 10:53:56 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.30.100.1-10.30.100.253
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1 
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=10.10.100.254 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "bkakakakakaa"
/ip address
add address=10.30.100.254/24 interface=bridge1 network=10.30.100.0
add address=172.16.0.110/24 interface=wireguard1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.100.0/24 gateway=10.30.100.254
/ip firewall filter
add action=accept chain=input dst-port=13299 protocol=udp
/ip route
add disabled=no dst-address=10.10.100.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/system identity
set name="MT Leaf2 WG"
/system note
set show-at-login=no
 
anav (Forum Guru; Posts: 19672; Joined: Sun Feb 18, 2018 11:28 pm; Location: Nova Scotia, Canada)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 2:42 pm

??????????? There is no DHCP in WireGuard; it's not a regular type of subnet, it's really an IP address and an interface.

(1) Allowed IPs on spine are incorrect:
a. you need to put the actual IP assigned to the leaf peer (and any remote subnets local users are visiting, or any remote subnets visiting your local subnets)
b. you don't put endpoint address or port

(2) Allowed IPs on leaf1 & 2.......... missing persistent keepalive setting

(3) Allowed IPs on leaf2, incorrect: the endpoint address you put is not based on the spine public IP address ?????????????
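A lint pass over RouterOS export text for the points anav lists above (hub peers carrying 0.0.0.0/0 or an endpoint, leaf peers without persistent-keepalive), extended with two checks the thread's later posts rely on: an allowed address claimed by two hub peers (WireGuard maps each allowed address to exactly one peer) and the hub's input rule being UDP and enabled. This is an added Python example, not RouterOS code or anything from the thread; the export parser is a simplified key=value reader, and the sample exports are constructed cut-downs of korg's with placeholder keys.

```python
"""Lint a RouterOS export for the hub-and-spoke WireGuard mistakes discussed
in this thread (added example, not RouterOS or thread code)."""
import re

def parse_export(text):
    """Return {section: [attr-dict, ...]} from '/export' text. Backslash-continued
    lines are joined; the export keeps a space before '\\' between tokens."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    sections, current = {}, None
    for line in joined:
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.split(" ", 1)[0] in ("add", "set"):
            current.append({m.group(1): m.group(2).strip('"') for m in
                            re.finditer(r'([\w-]+)=("[^"]*"|\S*)', line)})
    return sections

def lint_hub(sections, iface):
    """Hub peers: own tunnel /32 plus LAN subnet, no endpoint (leaves dial in),
    and no address under two peers (cryptokey routing maps each to one peer)."""
    findings, owner = [], {}
    peers = [p for p in sections.get("/interface wireguard peers", []) if p.get("interface") == iface]
    for n, p in enumerate(peers, 1):
        allowed = [a for a in p.get("allowed-address", "").split(",") if a]
        if "0.0.0.0/0" in allowed:
            findings.append(f"peer {n}: allowed-address=0.0.0.0/0 on the hub; "
                            "use the leaf tunnel /32 and its LAN subnet")
        if "endpoint-address" in p or "endpoint-port" in p:
            findings.append(f"peer {n}: endpoint set on a hub peer; remove it")
        for a in allowed:
            if a in owner:
                findings.append(f"peer {n}: {a} already allowed for peer {owner[a]}")
            owner.setdefault(a, n)
    return findings

def lint_leaf(sections, iface):
    """Leaf peers: keep the NAT mapping alive so the hub can reach them."""
    findings = []
    peers = [p for p in sections.get("/interface wireguard peers", []) if p.get("interface") == iface]
    for n, p in enumerate(peers, 1):
        if "endpoint-address" not in p:
            findings.append(f"peer {n}: no endpoint-address for the hub")
        if "persistent-keepalive" not in p:
            findings.append(f"peer {n}: persistent-keepalive missing")
    return findings

def lint_handshake_rule(sections, port="13299"):
    """Input chain must accept UDP to the listen port; WireGuard never uses TCP."""
    for r in sections.get("/ip firewall filter", []):
        if (r.get("chain"), r.get("action"), r.get("dst-port")) == ("input", "accept", port):
            if r.get("disabled") == "yes":
                return "handshake accept rule exists but is disabled"
            if r.get("protocol") != "udp":
                return f"handshake rule matches protocol={r.get('protocol')}, must be udp"
            return None
    return f"no input accept rule for udp dst-port={port}"

def report(text, role, iface="wireguard1"):
    """All findings for one router export; role is 'hub' or 'leaf'."""
    s = parse_export(text)
    findings = lint_hub(s, iface) if role == "hub" else lint_leaf(s, iface)
    rule = lint_handshake_rule(s)
    return findings + ([rule] if rule else [])

# Constructed, cut-down versions of the spine and leaf1 exports posted above.
SPINE_BEFORE = r"""/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.135 endpoint-port=\
    13299 interface=wireguard1 public-key="LEAF1-PUBKEY-PLACEHOLDER="
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.138 endpoint-port=\
    13299 interface=wireguard1 public-key="LEAF2-PUBKEY-PLACEHOLDER="
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=13299 protocol=udp src-port=""
"""
LEAF1_BEFORE = r"""/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.137 endpoint-port=\
    13299 interface=wireguard1 public-key="SPINE-PUBKEY-PLACEHOLDER="
/ip firewall filter
add action=accept chain=input dst-port=13299 protocol=tcp
"""
# Hub side laid out as anav recommends: tunnel /32 plus LAN subnet, no endpoint.
SPINE_AFTER = r"""/interface wireguard peers
add allowed-address=172.16.0.200/32,10.20.100.0/24 comment=leaf1 interface=wireguard1 public-key="LEAF1-PUBKEY-PLACEHOLDER="
add allowed-address=172.16.0.110/32,10.30.100.0/24 comment=leaf2 interface=wireguard1 public-key="LEAF2-PUBKEY-PLACEHOLDER="
/ip firewall filter
add action=accept chain=input dst-port=13299 protocol=udp
"""
```

Running `report(SPINE_BEFORE, "hub")` lists five peer findings plus the disabled handshake rule, `report(LEAF1_BEFORE, "leaf")` flags the missing keepalive and the tcp rule, and `report(SPINE_AFTER, "hub")` is empty.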
 
loloski (Member; Posts: 354; Joined: Mon Mar 15, 2021 9:10 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?  [SOLVED]

Tue Apr 02, 2024 3:18 pm

just use zerotier + romon, it is much simpler, and use routing if you need to reach the LAN subnet; just my 0.2$
Last edited by loloski on Tue Apr 02, 2024 5:59 pm, edited 1 time in total.
 
korg (Member Candidate, Topic Author; Posts: 151; Joined: Tue Apr 26, 2016 4:10 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 3:26 pm

1. So I should take ether2 out of the DHCP server? And I should put the IP of leaf1 (and 2 and 3) in the WG setup.. something like this?

/interface wireguard peers
add allowed-address=10.20.100.0/24 endpoint-address=192.168.216.135 (or if the public ip address is dynamic, i put here cloud dns address?) endpoint-port=13299 interface=wireguard1
add allowed-address=10.30.100.0/24 endpoint-address=192.168.216.137 (or if the public ip address is dynamic, i put here cloud dns address?) endpoint-port=13299 interface=wireguard1
add allowed-address=10.40.100.0/24 endpoint-address=192.168.216.138 (or if the public ip address is dynamic, i put here cloud dns address?) endpoint-port=13299 interface=wireguard1

/interface bridge port
add bridge=bridge1 disabled=yes interface=ether2
add bridge=bridge1 disabled=yes interface=ether3
add bridge=bridge1 disabled=yes interface=ether4

2. /interface wireguard peers
add allowed-address=10.10.100.0/24 endpoint-address=192.168.216.137 endpoint-port=13299 interface=wireguard1

3. Then, which value/IP address should be used instead of the public IP address? The IP of the spine (10.10.100.254)?
 
korg (Member Candidate, Topic Author; Posts: 151; Joined: Tue Apr 26, 2016 4:10 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 3:27 pm

> just use zerotier + romon is much simpler and use routing if you need no reach LAN subnet, just my 0.2$
you mean... you have a 'ready to go' solution?
 
Amm0 (Forum Guru; Posts: 3610; Joined: Sun May 01, 2016 7:12 pm; Location: California)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 3:40 pm

ZeroTier is easier to set up, but even when idle ZeroTier uses more bandwidth than WG. Plus, as more routers are connected to the same ZT network, even more bandwidth is used to maintain the bridge/paths. And the ZeroTier built into MikroTik does not support ZeroTier "low bandwidth mode". If it's a fiber line, it wouldn't be an issue. But on DSL or similar slower upstreams, ZT's overhead can be noticeable.

While with WG... if there is no traffic flowing between the peers (e.g. you're not connected to the customer router), traffic should be pretty minimal since it's just WG heartbeat messages between the peers.
 
korg (Member Candidate, Topic Author; Posts: 151; Joined: Tue Apr 26, 2016 4:10 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 3:45 pm

Tx Amm0.. I am using 4G connectivity, as fiber for me resp. for the town where I'm living is like a future far away!

So, ZeroTier is no option for me :(

tx anyway
 
mozerd (Forum Veteran; Posts: 897; Joined: Thu Oct 05, 2017 3:39 pm; Location: Canada)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 3:51 pm

> ZeroTier is easier to set up, but even when idle ZeroTier uses more bandwidth than WG.
In my opinion, WireGuard is far easier to set up and far more efficient to run when KISS is applied .... but if you are a Rocket Scientist then ZeroTier is your cup of Tea. :)
 
korg (Member Candidate, Topic Author; Posts: 151; Joined: Tue Apr 26, 2016 4:10 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 3:59 pm

KISS?
 
Larsa (Forum Guru; Posts: 1106; Joined: Sat Aug 29, 2015 7:40 pm; Location: The North Pole, Santa's Workshop)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 4:43 pm

We initially started using WireGuard but as we scaled up it became unmanageable (a real pain in the neck to be honest) to administer so we've completely transitioned to ZeroTier for OOB administration. Also, the overhead for path search traffic is negligible, even in 4G. ZeroTier is extremely easy to get started with and manage, as are most other similar SD-WAN solutions.

Once you've experienced the benefits of SD-WAN, you'll never want to go back to the hassle of manually managing static VPN links. This is especially true as your network grows and becomes more complex.

EDIT:
KISS = acronym “keep it simple” = ZeroTier ;- )
 
mozerd (Forum Veteran; Posts: 897; Joined: Thu Oct 05, 2017 3:39 pm; Location: Canada)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 5:34 pm

> KISS = acronym “keep it simple” = ZeroTier ;- )
:D
I guess that you have not tried the PRO WIREGUARD MANAGEMENT solution from someone that you respect highly ???
KISS = acronym “keep it simple” = for PRO's only :D
only when scaling becomes an issue with WireGuard
 
Amm0 (Forum Guru; Posts: 3610; Joined: Sun May 01, 2016 7:12 pm; Location: California)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 6:10 pm

> ZeroTier is easier to set up, but even when idle ZeroTier uses more bandwidth than WG.
> In my opinion, WireGuard is far easier to set up and far more efficient to run when KISS is applied .... but if you are a Rocket Scientist then ZeroTier is your cup of Tea. :)
It's kind of a "pick your poison" situation if you ask me. All involve some complexity. ;) Plus you need ARM-based routers for ZT, which can be a big blocker to using ZeroTier...

Pure WG on MikroTik would be fine if you have some fixed IP at the logical "hub" (yes, they're all peers but...). More just a fair amount of manual config between the subnets/routing/firewall/etc. If you're pretty familiar with RouterOS's firewall, it's totally manageable. But when you multiply by the number of routers, it gets complex to maintain routes/rules everywhere manually, and more config means more potential troubles. Certainly stuff like Tailscale, headscale, ProCustodibus, etc. can help fill in those gaps. Just none are integrated into RouterOS.

While I do think ZT uses slightly more bandwidth than WG, it's likely not significant on a decent 4G link for half a dozen sites. One note here with 4G LTE is that it's often CGNAT. And ZT does deal with NAT hole punching (and prefers IPv6 automatically to tunnel Layer 2 ZT traffic). So if Site1 needs to talk to Site2, both on 4G with CGNAT, ZT would allow that, while WG won't. Or if the 4G connection has IPv6, it uses that to tunnel, while your traffic/network can still be IPv4-only if you want.

ZT can also distribute routes from the controller that get dynamically added to RouterOS. This can be useful since the routes could be whatever, including WG paths if you wanted. Now using both WG and ZT kinda violates KISS. ;)
 
llamajaja (Member Candidate; Posts: 198; Joined: Sat Sep 30, 2023 3:11 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 8:12 pm

You all be missing the point.....................
ZeroTier, besides the limitation to ARM devices, is forcing the OP to be dependent upon a THIRD PARTY.
WireGuard is direct and thus more secure and independent --> and ZT may conflict with Company Policy.....

I mean it's unlikely that Cloudflare is going to read your traffic, but then again Google had Incognito browsing LOL....
 
llamajaja (Member Candidate; Posts: 198; Joined: Sat Sep 30, 2023 3:11 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 8:14 pm

Mozerd, how easy is it to integrate PRO WG MGMT with MT devices?? Does it run on a Windows PC?
 
Larsa (Forum Guru; Posts: 1106; Joined: Sat Aug 29, 2015 7:40 pm; Location: The North Pole, Santa's Workshop)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 8:32 pm

By "THIRD PARTY," I presume you mean third-party "cloud services." Most SD-WAN solutions offer both cloud-based services and on-premises support. If you prefer, Mikrotik ZeroTier includes an on-premises controller that makes you independent of third-party cloud services.

However, bear in mind that the major strength of SD-WAN is simplified operations. This becomes especially important when your network grows and becomes more complex. WireGuard is simply a tunneling protocol, nothing else.
Last edited by Larsa on Tue Apr 02, 2024 8:34 pm, edited 1 time in total.
 
mozerd (Forum Veteran; Posts: 897; Joined: Thu Oct 05, 2017 3:39 pm; Location: Canada)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 8:33 pm

> how easy is it to integrate PRO WG MGMT with MT devices??
how many aliases do you have anav? :D

The Pro Custodibus agent won't run on MikroTik's RouterOS .... it would be very nice if it did 8) .... so if a MikroTik router is used as a WireGuard hub, Pro Custodibus isn't a good fit.
Pro Custodibus would be a better fit if one had vanilla Linux servers inside (or outside) the MikroTik network that one used as hubs for WireGuard access -- like if you had a fileshare or custom application that a bunch of users connected to directly from their devices through WireGuard, then that would work.

Your security point is a very good one ...
 
Amm0 (Forum Guru; Posts: 3610; Joined: Sun May 01, 2016 7:12 pm; Location: California)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 9:16 pm

All these points are fair.

But the diagram here shows 4 routers. In total, it's ~5-10 lines of config per router for "pure" WG... That seems manageable & I'd listen to @anav on config.

It's when these change a lot or you have dozens of routers, then something outside of Mikrotik is often needed.
 
korg (Member Candidate, Topic Author; Posts: 151; Joined: Tue Apr 26, 2016 4:10 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 9:58 pm

Ok...

So according to @anav, the spine should be

/interface wireguard peers
add allowed-address=10.20.100.0/24,10.30.100.0/24,'whatever remote ip of the peer the spine should connect to' endpoint-address=public ip address resp. dyndns(cloud) address of the leaf(s) endpoint-port=13299 interface=wireguard1

and on the leaf side(s)

/interface wireguard peers
add allowed-address='ip address of the wireguard interface of the spine' endpoint-address=dyndns address of the spine endpoint-port=13299 interface=wireguard1 persistent-keepalive=25s

Are these settings now correct?
 
anav (Forum Guru; Posts: 19672; Joined: Sun Feb 18, 2018 11:28 pm; Location: Nova Scotia, Canada)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Tue Apr 02, 2024 10:53 pm

SPINE:
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard-S
/ip address
add address=172.16.0.100/24 interface=wireguard-S network=172.16.0.0
/interface wireguard peers
# allowed-address = the leaf's tunnel /32 plus its LAN subnet; no endpoint, the leaves dial in
add allowed-address=172.16.0.200/32,10.20.100.0/24 interface=wireguard-S public-key=\
"sxxxxxdfsd" comment=leaf1
add allowed-address=172.16.0.110/32,10.30.100.0/24 interface=wireguard-S public-key=\
"sttttttttsd=" comment=leaf2
/ip route
add dst-address=10.20.100.0/24 gateway=wireguard-S routing-table=main
add dst-address=10.30.100.0/24 gateway=wireguard-S routing-table=main

LEAF1:
/interface wireguard
add listen-port=11299 mtu=1420 name=wireguard-LF1
/ip address
add address=172.16.0.200/24 interface=wireguard-LF1 network=172.16.0.0
/interface wireguard peers
# public-key here is the SPINE's public key
add allowed-address=0.0.0.0/0 interface=wireguard-LF1 endpoint-address=DYNDNS-SPINE \
endpoint-port=13299 public-key="<spine public key>" persistent-keepalive=45s comment="connect to spine"
/ip route
add dst-address=10.10.100.0/24 gateway=wireguard-LF1 routing-table=main
add dst-address=10.30.100.0/24 gateway=wireguard-LF1 routing-table=main comment="only if users on lf1 should reach lf2"


LEAF2:
/interface wireguard
add listen-port=10299 mtu=1420 name=wireguard-LF2
/ip address
add address=172.16.0.110/24 interface=wireguard-LF2 network=172.16.0.0
/interface wireguard peers
# public-key here is the SPINE's public key
add allowed-address=0.0.0.0/0 interface=wireguard-LF2 endpoint-address=DYNDNS-SPINE \
endpoint-port=13299 public-key="<spine public key>" persistent-keepalive=35s comment="connect to spine"
/ip route
add dst-address=10.10.100.0/24 gateway=wireguard-LF2 routing-table=main
add dst-address=10.20.100.0/24 gateway=wireguard-LF2 routing-table=main comment="only if users on lf2 should reach lf1"


- Only SPINE needs an input chain rule for the handshake: protocol=udp dst-port=13299.
- Forward chain rules are required to allow users to enter or exit the tunnel.
  Recommended generic easy entry: in-interface-list=LAN out-interface=wireguardX
  Picky exit onto the LANs: in-interface=wireguardX src-address=a.b.c.d dst-address=subnet of choice.

If the Spine is to relay lf1 users to lf2 users, then use a relay forward rule:
add chain=forward action=accept in-interface=wireguard-S out-interface=wireguard-S
 
korg (Member Candidate, Topic Author; Posts: 151; Joined: Tue Apr 26, 2016 4:10 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Wed Apr 03, 2024 6:43 pm

@anav: great help! Tx again!!!

The only thing, which I hopefully have understood, is that I've added on the spine the fw rule:

add action=accept chain=forward in-interface-list=LAN out-interface=wireguard-S

but I do not see any traffic on that rule. The LAN list is ether2-4.

Here are the scripts of the spine, leaf1 and leaf2... somebody might need them...

SPINE
# apr/03/2024 15:35:50 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard-S
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.100.1-10.10.100.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
/interface list member
add interface=ether6 list=LAN
add interface=ether5 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
/interface wireguard peers
add allowed-address=172.16.0.200/32,10.20.100.0/24 comment=Leaf1 \
    endpoint-address=192.168.216.135 endpoint-port=13299 interface=\
    wireguard-S public-key="lalalalalala"
add allowed-address=172.16.0.110/32,10.30.100.0/24 comment=leaf2 \
    endpoint-address=192.168.216.136 endpoint-port=13299 interface=\
    wireguard-S public-key="lalalalalala="
add allowed-address=172.16.0.150/32,10.40.100.0/24 comment=leaf3 \
    endpoint-address=192.168.216.138 endpoint-port=13299 interface=\
    wireguard-S public-key="lalalalalala="
/ip address
add address=10.10.100.254/24 interface=bridge1 network=10.10.100.0
add address=172.16.0.100/24 interface=wireguard-S network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 gateway=10.10.100.254
/ip firewall filter
add action=accept chain=input dst-port=13299 protocol=udp src-port=""
add action=accept chain=forward in-interface-list=LAN out-interface=\
    wireguard-S
/ip route
add comment="Connection to leaf1" disabled=no distance=1 dst-address=\
    10.20.100.0/24 gateway=wireguard-S pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment="connection to leaf2" disabled=no distance=1 dst-address=\
    10.30.100.0/24 gateway=wireguard-S pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add comment=leaf3 disabled=no distance=1 dst-address=10.40.100.0/24 gateway=\
    wireguard-S pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
add comment="connection to leaf2" disabled=no distance=1 dst-address=\
    10.40.100.0/24 gateway=wireguard-S pref-src="" routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
/system identity
set name="MT SPINE WG"
/system note
set show-at-login=no
LEAF1
# apr/03/2024 15:35:27 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard-leaf1
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.20.100.1-10.20.100.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface list member
add interface=ether4 list=LAN
add interface=ether3 list=LAN
add interface=ether2 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="connect to Spine" endpoint-address=\
    192.168.216.137 endpoint-port=13299 interface=wireguard-leaf1 \
    persistent-keepalive=45s public-key="lalalalalalala="
/ip address
add address=10.20.100.254/24 interface=bridge1 network=10.20.100.0
add address=172.16.0.200/24 interface=wireguard-leaf1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.20.100.0/24 gateway=10.20.100.254
/ip route
add disabled=no distance=1 dst-address=10.10.100.0/24 gateway=wireguard-leaf1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system identity
set name="MT Leaf1 WG"
/system note
set show-at-login=no
LEAF2
# apr/03/2024 15:34:46 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard-leaf2
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.30.100.1-10.30.100.253
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.137 endpoint-port=\
    13299 interface=wireguard-leaf2 persistent-keepalive=45s public-key="lalalalala="
/ip address
add address=10.30.100.254/24 interface=bridge1 network=10.30.100.0
add address=172.16.0.110/24 interface=wireguard-leaf2 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.100.0/24 dns-server=10.30.100.254 gateway=10.30.100.254
/ip route
add disabled=no dst-address=10.10.100.0/24 gateway=wireguard-leaf2 \
    routing-table=main suppress-hw-offload=no
/system identity
set name="MT Leaf2 WG"
/system note
set show-at-login=no
Of course, if someone has a better, more complete idea or script, I would be glad if you would share it with us.

tx

korg
 
llamajaja (Member Candidate; Posts: 198; Joined: Sat Sep 30, 2023 3:11 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Wed Apr 03, 2024 7:53 pm

Attention to detail my friend!

SPINE
1. You need to add ether 2,3,4 to the bridge ports! ( assuming they are part of your LAN as you have no other ports or addresses delineated )

2. If the Spine is behind another router fine, if not, pull the ethernet cable from the modem, as you have no firewall rules and it's not secure.
With no firewall rules entered, the default is allow everything.

Leaf1
3. Suggest add ether2 to bridge maybe?? ( as I don't know the purpose of ether2)

Leaf2
4. Suggest add ether2 to bridge maybe?? ( as I don't know the purpose of ether2)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In terms of WIREGUARD SETUP, some disturbing entries that I didn't suggest/include, so not sure what you are doing??

SPINE:
Allowed IPs does NOT contain endpoint address or port for client peers............. remove them
/interface wireguard peers
add allowed-address=172.16.0.200/32,10.20.100.0/24 comment=Leaf1 \
endpoint-address=192.168.216.135 endpoint-port=13299 interface=\
wireguard-S public-key="lalalalalala"
add allowed-address=172.16.0.110/32,10.30.100.0/24 comment=leaf2 \
endpoint-address=192.168.216.136 endpoint-port=13299 interface=\
wireguard-S public-key="lalalalalala="
add allowed-address=172.16.0.150/32,10.40.100.0/24 comment=leaf3 \
endpoint-address=192.168.216.138 endpoint-port=13299 interface=\
wireguard-S public-key="lalalalalala="


should be
/interface wireguard peers
add allowed-address=172.16.0.200/32,10.20.100.0/24 comment=Leaf1 \
interface=wireguard-S public-key="lalalalalal="
add allowed-address=172.16.0.110/32,10.30.100.0/24 comment=leaf2 \
interface=wireguard-S public-key="ckckckckc="
add allowed-address=172.16.0.150/32,10.40.100.0/24 comment=leaf3 \
interface=wireguard-S public-key="pqpqpqpqp="


LEAF1 and LEAF2
Your endpoint address is wrong. It needs to point to the publicly reachable address of the Spine router.
a. if it's static it should be X.X.X.X
b. if it's dynamic, then a dyndns address like the IP cloud name for example

/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="connect to Spine" endpoint-address=\
192.168.216.137 endpoint-port=13299 interface=wireguard-leaf1 \
persistent-keepalive=45s public-key="lalalalalalala="

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.137 endpoint-port=\
13299 interface=wireguard-leaf2 persistent-keepalive=45s public-key="lalalalala="
 
korg (Member Candidate, Topic Author; Posts: 151; Joined: Tue Apr 26, 2016 4:10 pm)

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Thu Apr 04, 2024 10:40 am

Attention to detail my friend!

SPINE
1. You need to add ether 2,3,4 to the bridge ports! ( assuming they are part of your LAN as you have no other ports or addressess delineated )

2. If the Spine is behind another router fine, if not, pull the ethernet cable from the modem, as you have no firewall rules and its not secure.
With no firewall rules entered, the default is allow everything .

Leaf1
3. Suggest add ether2 to bridge maybe?? ( as I dont know the purpose of ether2)

Leaf2
4. Suggest add ether2 to bridge maybe?? ( as I dont know the purpose of ether2)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In terms of WIREGUARD SETUP, some disturbing entries that I didnt suggest/include so not sure what you are doing??

SPINE:
Allowed IPs does NOT contain endpoint address or port for client peers............. remove them
/interface wireguard peers
add allowed-address=172.16.0.200/32,10.20.100.0/24 comment=Leaf1 \
endpoint-address=192.168.216.135 endpoint-port=13299 interface=\
wireguard-S public-key="lalalalalala"
add allowed-address=172.16.0.110/32,10.30.100.0/24 comment=leaf2 \
endpoint-address=192.168.216.136 endpoint-port=13299 interface=\
wireguard-S public-key="lalalalalala="
add allowed-address=172.16.0.150/32,10.40.100.0/24 comment=leaf3 \
endpoint-address=192.168.216.138 endpoint-port=13299 interface=\
wireguard-S public-key="lalalalalala="


should be
/interface wireguard peers
add allowed-address=172.16.0.200/32,10.20.100.0/24 comment=Leaf1 \
interface=wireguard-S public-key="lalalalalal="
add allowed-address=172.16.0.110/32,10.30.100.0/24 comment=leaf2 \
interface=wireguard-S public-key="ckckckckc="
add allowed-address=172.16.0.150/32,10.40.100.0/24 comment=leaf3 \
interface=wireguard-S public-key="pqpqpqpqp="


LEAF1 and LEAF2
Your endpoint address is wrong. It needs to point to the publicly reachable address of the Spine router.
a. if it's static, it should be X.X.X.X
b. if it's dynamic, then a dyndns address like the IP cloud name, for example

/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="connect to Spine" endpoint-address=\
192.168.216.137 endpoint-port=13299 interface=wireguard-leaf1 \
persistent-keepalive=45s public-key="lalalalalalala="

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.137 endpoint-port=\
13299 interface=wireguard-leaf2 persistent-keepalive=45s public-key="lalalalala="

1. I was guided by the logic that if the interface is under WireGuard, then it should not be in the bridge. Is this assumption wrong?

2. I know... this config is just a 'test environment' to test the WG connectivity, if and how it works. It's not a production config, just a small 'how to' for me. Surely, there are lots of fw rules which need to be implemented. And, many thanks for that observation :)
3. and 4.: see 1.

Regarding endpoint addresses, as this is my EVE-NG setup/lab, the only way I can connect to other MT routers is through those addresses. I know that a dyndns address should be entered as 'endpoint address', but in my (test/lab) case I had to enter the 'dhcp-client1' address, which is then 192.168.216.138 for example, to be able to test the setup.

Production environment will have other, 'real ip/dyndns' addresses.

Tx
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19672
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Thu Apr 04, 2024 1:08 pm

No, WireGuard is not a regular subnet and has no ether ports associated with it.
 
korg
Member Candidate
Member Candidate
Topic Author
Posts: 151
Joined: Tue Apr 26, 2016 4:10 pm
Contact:

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Thu Apr 04, 2024 2:17 pm

So, @anav... in other words... even ethernet ports which have WG connectivity from one router to another (example: router1 ether2 - router2 ether1) need to be within the bridge. Example, in my case spine:

spine

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6

even if the WG traffic is going through ether2-4?

correct?

and in the leafs (leaf1 and leaf2) respectively

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
 
llamajaja
Member Candidate
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Thu Apr 04, 2024 4:53 pm

What I will say is, that you do not state requirements in terms of ports etc...
Describe requirements in terms of
a. identify users/devices, groups of users/devices and
b. identify what traffic they need to accomplish.

So ports are NOT users or devices!!
You should explain the need for WireGuard in terms of users and devices.
Which subnets, for example, require access to the remote site, for either internet access or remote subnet access?
Which remote subnets require access to the local site, for internet or access to local subnets?
etc.

So when you come clean on clear requirements I will be able to answer your questions.
Asking about ports means nothing to me.
 
llamajaja
Member Candidate
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Thu Apr 04, 2024 4:57 pm

Since you have one bridge and subnet assigned to bridge on all devices, each device has a flat subnet associated.
In other words, all users are on the same LAN and same subnet and yes all ports are part of bridge.

You need to decide WHICH users require access to wireguard.
a. by firewall address list is one choice (and you will need to mangle)
b. by subnet (and this means you will need to
-- either create a vlan which is assigned to the bridge and config appropriately
or
-- take a port OFF the bridge, assign it its own subnet and use that port for wireguard users etc.)

On the wifi side of things it's a bit easier:
make an additional SSID for wireguard traffic only and assign it a vlan, for example.
 
korg
Member Candidate
Member Candidate
Topic Author
Posts: 151
Joined: Tue Apr 26, 2016 4:10 pm
Contact:

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Thu Apr 04, 2024 5:47 pm

Ok... This 'lab' was just 'a basic how can I connect to the customers' MTs' in order to support them. Meaning, if I have a customer which has 7 VLANs, then I will need to connect to all VLANs, which means 'allowed-address=ALL VLAN SUBNETS'.

Usually I have customers which have either 4g/5g connectivity (behind NAT) or VDSL (dynamic public IP; for fibre as well, at least in my country). So I was thinking about setting up the WG connectivity to each, or... I should better say to the 'MT which does all the logic', in order to support all MT devices.

So, my goal is to enable support for clients with their mikrotiks, i.e. the network, so that my mikrotik would connect to their mikrotiks via wireguard and enable remote maintenance. That's why I have opened this thread and put the test/lab schematic in it.
 
llamajaja
Member Candidate
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Thu Apr 04, 2024 6:05 pm

Not a problem and makes sense.
I would also set up an IP-IP backup tunnel based on an IPsec secret as a backup to WireGuard.

This has nothing to do with your attempt to assign wireguard to ports vice users/devices etc...
What you are talking now is simply to access remote routers for config purposes.
If you also need to access subnets at remote devices that will require a bit more work but not that much.
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 897
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Thu Apr 04, 2024 6:34 pm

This has nothing to do with your attempt to assign wireguard to ports vice users/devices etc...
What you are talking now is simply to access remote routers for config purposes.
If you also need to access subnets at remote devices that will require a bit more work but not that much.

JUST a reminder that with WireGuard -- KISS - Simple & Easy-to-use
There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.
Cryptokey Routing
Because all packets sent on the WireGuard interface are encrypted and authenticated, and because there is such a tight coupling between the identity of a peer and the allowed IP address of a peer, system administrators do not need complicated firewall extensions, such as in the case of IPsec, but rather they can simply match on "is it from this IP? on this interface?", and be assured that it is a secure and authentic packet. This greatly simplifies network management and access control, and provides a great deal more assurance that your iptables rules are actually doing what you intended for them to do.
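The "cryptokey routing" quoted above is what makes the spine's allowed-address lists earlier in the thread serve as both a routing table and an inbound source filter. The following is an added example, not code from the thread or from MikroTik: it models the spine peers quoted earlier (Leaf1/leaf2/leaf3 with their allowed addresses, endpoints deliberately left out) and a leaf with allowed-address=0.0.0.0/0, and shows which peer an outbound packet is encrypted for and which inner source addresses are accepted from each peer.

```python
import ipaddress

# Constructed from the spine-side peers quoted earlier in the thread:
# each peer's allowed-address list, with the endpoint left out on purpose.
SPINE_PEERS = {
    "Leaf1": ["172.16.0.200/32", "10.20.100.0/24"],
    "leaf2": ["172.16.0.110/32", "10.30.100.0/24"],
    "leaf3": ["172.16.0.150/32", "10.40.100.0/24"],
}
# A leaf has a single peer (the spine) and sends it everything.
LEAF_PEERS = {"Spine": ["0.0.0.0/0"]}


def build_table(peers):
    """Flatten allowed-address lists into (network, peer) entries.
    WireGuard lets an allowed address belong to exactly one peer, so a
    config that assigns the same prefix twice is rejected here."""
    table = []
    for peer, nets in peers.items():
        for n in nets:
            net = ipaddress.ip_network(n, strict=True)
            if any(net == other for other, _ in table):
                raise ValueError(f"{net} assigned to more than one peer")
            table.append((net, peer))
    return table


def outbound_peer(table, dst):
    """Transmit side: match the destination against every peer's allowed
    addresses, longest prefix wins. Returns the peer to encrypt for, or
    None, in which case WireGuard drops the packet."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, peer) for net, peer in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def inbound_ok(table, peer, src):
    """Receive side: the packet already authenticated as coming from `peer`;
    it is delivered only if its inner source lies in that peer's allowed
    addresses. This is why 'src-address X on in-interface wireguard-S'
    is enough for a firewall rule to trust the packet's origin."""
    src = ipaddress.ip_address(src)
    return any(src in net for net, p in table if p == peer)


SPINE_TABLE = build_table(SPINE_PEERS)
LEAF_TABLE = build_table(LEAF_PEERS)
```

A packet from Leaf1 carrying leaf2's inner source 10.30.100.5 is dropped by the spine before any firewall rule sees it, which is the assurance the quoted text refers to.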
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19672
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Thu Apr 04, 2024 11:54 pm

Amen brother! :-)
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 3011
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Thu Apr 04, 2024 11:57 pm

another example of the eternal crusade of the evangelists of Zerotier, acting like there is no other VPN type in the world

the hype for something new in a race to deprecate anything previously existent
 
User avatar
Larsa
Forum Guru
Forum Guru
Posts: 1106
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Fri Apr 05, 2024 12:29 am

SD-WAN has been around for over a decade and is now more or less a de facto standard so calling it 'hype' feels somewhat exaggerated. A general guideline is to consider implementing SD-WAN when your network exceeds 10 links.

Anyhow, regarding this particular case it's important to consider future needs for "inter-leaf" communication with a possible mesh setup using for example OSPF/iBGP. In these scenarios, an SD-WAN solution might significantly simplify deployment and management.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 3610
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Connectivity to customers mikrotiks via Wireguard. Good idea?

Fri Apr 05, 2024 3:17 am

another example of the eternal crusade of the evangelists of Zerotier, acting like there is no other VPN type in the world

the hype for something new in a race to deprecate anything previously existent

That's a bit unfair. But these "protocol wars" are silly. e.g.

JUST a reminder that with WireGuard -- KISS - Simple & Easy-to-use

"If the only tool you have is a hammer, you tend to see every problem as a nail."

Topology decisions should be based on use cases/needs and budget, while admin "ease-of-use" is a reasonable consideration.... I'm not sure there is a meaningful difference in complexity between any VPN Mikrotik supports – they all have nuances that require understanding & different capabilities. For example, Mikrotik's IPSec supports NAT traversal and RADIUS out-of-the-box – so if those were your use cases, WireGuard won't help – so these "protocol pitches" get tiresome.

Here there are 4 remote sites, don't know models, but since all support WG & the needs are management.... Manual config of WG sounds like a reasonable solution here. But if the admin need was winbox discovery working, there'd be a different VPN answer. Or if existing routers were already using a lot of CPU, but had IPSec offload, maybe that might be preferable to WG, dunno. And at 40 or 400 or 4000 routers, likely different answers still.
