enricosm60
just joined
Topic Author
Posts: 6
Joined: Tue Nov 14, 2023 11:22 pm

configure two wireguard tunnels

Sat Apr 13, 2024 4:15 am

Hello,
I'm trying to set up two WireGuard tunnels on my MK router: one for administration with access to all the LAN machines connected to the router, and another tunnel for general users to access only a server on the LAN called DS02 with IP 192.168.88.2, connected to the router's Eth3. Also, both WG tunnels should only access the local network and not use the WG VPN to surf the internet.
The router has a public static IP to access the internet, and I have successfully set up the first tunnel (administration) so I can access all the machines, but not the second tunnel to access only the server DS02.
Can anyone please help me set up the second tunnel as well?
This is the diagram of how I want to set up
two wireguaed interfaces.jpeg
This is my router configuration:
MK_casa55config240412A.rsc
I would much appreciate it if anyone could help me solve this; I'm a beginner still learning RouterOS.

Enrico
anav
Forum Guru
Posts: 19656
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: configure two wireguard tunnels

Sat Apr 13, 2024 5:06 am

Good news, you only need one wireguard interface to accomplish all your tasks.
The key is in the firewall rules for what you allow or do not allow. You can put all admin users in one firewall address list and all the general users in another firewall address list.
Another option is to use two different addresses for the same interface, all legal.
Setting ether3 as an interface list item is not useful, as ether3 belongs to the bridge... but it's not needed, so no loss by removing it.

By NOT adding the WireGuard interface to the LAN interface list, you can avoid the internet access quite successfully.
However, the right way to do this is directly in the remote users' setup. In the remote users' setup they need something like

Admin users:
allowedIPs=192.168.100.0/24,192.168.88.0/24 endpoint-address=............. endpoint-port=13231 interface=WG_ALL
public-key="mdmdmdmdm" persistent-keep-alive=40s

General users:
allowedIPs=192.168.101.0/24,192.168.88.2/32 endpoint-address=............. endpoint-port=13231 interface=WG_ALL
public-key="mdmdmdmdm" persistent-keep-alive=35s

( Just in case they change their settings, we still ensure they cannot access WAN by not adding them to the LAN )

Make sure you don't use the real keys in any configs you put on the forum........
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So, I will keep to one interface but use a separate IP address to keep the users distinct for firewall rules.
Removed all the port forwarding rules... not required. If users access the router via WireGuard, they only need firewall access.
So disabled the port forwarding rule.
Cleaned up and simplified the firewall rules; they were a mess.

Major changes shown...........
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_ALL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=local list=LAN
add comment=defconf interface="ether1[WAN]" list=WAN
/interface wireguard peers
add allowed-address=192.168.100.3/32 comment="Administracion - Dynabook ESM" \
interface=WG_ALL public-key="Y="
add allowed-address=192.168.100.4/32 comment="Administracion - iPad Pro 11 ESM" \
interface=WG_ALL public-key="1FDtjRED4="
add allowed-address=192.168.100.5/32 comment="Administracion - Macbook Pro ESM" \
interface=WG_ALL public-key="+K1jTw="
add allowed-address=192.168.100.6/32 comment="Administracion - iPhone ESM" \
interface=WG_ALL public-key="CWQ="
add allowed-address=192.168.101.2/32 comment="General user 1" \
interface=WG_ALL public-key="CWQnGupqf6rQQ="
add allowed-address=192.168.101.3/32 comment="MacBookESM" \
interface=WG_ALL public-key="CWQnGupq="

/ip address
add address=192.168.88.1/24 comment=defconf interface=local network=\
192.168.88.0
add address=192.168.100.1/24 comment="Wireguard full lan access" interface=\
WG_ALL network=192.168.100.0
add address=192.168.101.1/24 comment="Wireguard Users Group" interface=\
WG_ALL network=192.168.101.0

add address=190.999.999.999/30 comment="WAN static IP" interface="ether1[WAN]" \
network=190.141.32.176
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" disabled=yes \
connection-nat-state=dstnat
add action=accept chain=forward comment=\
"WG Administracion - trusted users to ALL connections" in-interface=\
WG_ALL src-address=192.168.100.0/24 out-interface-list=LAN

add action=accept chain=forward comment="WG-users1 - general users group1" \
in-interface=WG_ALL src-address=192.168.101.0/24 dst-address=192.168.88.2
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
Last edited by anav on Sun Apr 14, 2024 3:10 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19656
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: configure two wireguard tunnels

Sat Apr 13, 2024 5:15 am

What I didn't understand is your IP routes...... ??? What is the purpose of this config??? Specifically the routes in orange?? Don't think they are needed. Okay, I see that they are disabled.
Should remove clutter from a config; far less confusing.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=190.999.999.999 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=190.999.999.999 \
pref-src="" routing-table=*400 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=190.219.92.1 \
pref-src="" routing-table=*401 scope=30 suppress-hw-offload=no \
target-scope=10
 
enricosm60
just joined
Topic Author
Posts: 6
Joined: Tue Nov 14, 2023 11:22 pm

Re: configure two wireguard tunnels

Sun Apr 14, 2024 4:42 am

Hello ANAV,
Your config worked well and I'm cleaning all the unnecessary router rules.
Still processing all the new info you put in the post and amazed at how powerful MikroTik's OS is.
Many thanks for your excellent support.
This post can be labeled as SOLVED

Enrico
 
anav
Forum Guru
Posts: 19656
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: configure two wireguard tunnels

Sun Apr 14, 2024 3:14 pm

Glad you got it working!!
Last point, if you decide to add more servers, then change the rules accordingly.

/ip firewall address-list
add address=192.168.88.2/32 list=SERVERS comment="server A"
add address=192.168.88.XX/32 list=SERVERS comment="server B"


add action=accept chain=forward comment="WG - general users group1" \
in-interface=WG_ALL src-address=192.168.101.0/24 dst-address-list=SERVERS
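A way to sanity-check the forward-chain policy from anav's first reply together with the address-list variant above, as an added example (not code from the thread or from MikroTik): it models the rules as first-match-wins, the way RouterOS walks a chain, and lets you ask which WG source can reach which destination. It assumes the bridge is named "local" as in the posted config, models only new connections (the established/related accept is skipped), and uses a constructed 192.168.88.10 as "server B".

```python
import ipaddress

# Constructed sample data: interface lists and the SERVERS address list.
IFACE_LISTS = {"LAN": {"local"}, "WAN": {"ether1[WAN]"}}
ADDRESS_LISTS = {"SERVERS": ["192.168.88.2/32", "192.168.88.10/32"]}  # 88.10 is constructed

# The forward chain as posted, using dst-address-list for the general users.
FORWARD_RULES = [
    {"action": "accept", "in_list": "LAN", "out_list": "WAN", "comment": "allow internet traffic"},
    {"action": "accept", "in_iface": "WG_ALL", "src": "192.168.100.0/24", "out_list": "LAN",
     "comment": "WG Administracion - trusted users to ALL connections"},
    {"action": "accept", "in_iface": "WG_ALL", "src": "192.168.101.0/24", "dst_list": "SERVERS",
     "comment": "WG - general users group1"},
    {"action": "drop", "comment": "drop all else"},
]

def _in_address_list(ip, name):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ADDRESS_LISTS[name])

def matches(rule, pkt):
    """True only if every matcher present on the rule agrees with the packet."""
    if "in_iface" in rule and pkt["in"] != rule["in_iface"]:
        return False
    if "in_list" in rule and pkt["in"] not in IFACE_LISTS[rule["in_list"]]:
        return False
    if "out_list" in rule and pkt["out"] not in IFACE_LISTS[rule["out_list"]]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst_list" in rule and not _in_address_list(pkt["dst"], rule["dst_list"]):
        return False
    return True

def forward_verdict(src, dst, in_iface, out_iface):
    """Walk the forward chain top-down and return the first matching rule's action."""
    pkt = {"src": src, "dst": dst, "in": in_iface, "out": out_iface}
    for rule in FORWARD_RULES:
        if matches(rule, pkt):
            return rule["action"]
    # RouterOS accepts when nothing matches; the final "drop all else" keeps us from getting here.
    return "accept"

if __name__ == "__main__":
    print(forward_verdict("192.168.100.3", "192.168.88.50", "WG_ALL", "local"))  # admin -> any LAN host
    print(forward_verdict("192.168.101.2", "192.168.88.50", "WG_ALL", "local"))  # general -> non-server
    print(forward_verdict("192.168.101.2", "8.8.8.8", "WG_ALL", "ether1[WAN]"))  # general -> internet
```

Remove the final drop rule from FORWARD_RULES and rerun to see why anav insists on it: the general users' non-server traffic then falls through to accept.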
