Pilo2710
just joined
Topic Author
Posts: 4
Joined: Thu Apr 18, 2024 12:00 am

Route specific sites and one IP Address through PIA VPN

Fri Apr 26, 2024 10:35 pm

I've been trying to set up the following for days now, with the help of several posts on this forum, but I just can't get things working and I am coming to a point where I am lost. I'm trying to achieve the following:

I have set up a WireGuard-based PIA VPN following this tutorial: viewtopic.php?t=205188. Based on several posts I noticed that the instructed routing mark isn't working in RouterOS 7 as shown in the tutorial, so I pointed the routing mark to the routing table and created a separate routing rule. I did the other steps and created the appropriate mangle rules. I created a 0.0.0.0/0 IP route pointing to the VPN and tested it. I'm able to open internet sites as usual, but when I open the test site I've set up (www.wtfismyip.com), traffic stalls. When I look at the interfaces I created, I notice some traffic, and on the VPN side I can see the IP addresses (source/destination) coming by as I expect. But periodically I only see this, with only Tx traffic and no Rx. I tried several things, but I am a bit lost here. So hopefully you guys can point me in the right direction.

Here is my config:
# 2024-04-26 21:29:36 by RouterOS 7.14.2
# software id = 3D2G-X07G
#
# model = RB5009UG+S+
# serial number = 
/interface bridge
add admin-mac=78:9A:18:BB:D7:8B auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface ovpn-client
add auth=sha256 cipher=aes256-cbc connect-to=us-california.privacy.network \
    disabled=yes mac-address=FE:3E:A1:EE:B8:68 name=PIA_US_CAL port=501 \
    route-nopull=yes user=p5112900 verify-server-certificate=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=MikroTik-Wireguard
add listen-port=57611 mtu=1420 name=wg-pia-il
/interface vlan
add interface=bridge name=LAB vlan-id=3
add interface=bridge name="LAN Network" vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.20.20-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.20-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface="LAN Network" name=dhcp1
add address-pool=dhcp_pool2 interface=LAB name=dhcp2
/routing table
add disabled=no fib name=PIA
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=20
add bridge=bridge comment=defconf interface=ether3 pvid=20
add bridge=bridge comment=defconf interface=ether4 pvid=20
add bridge=bridge comment=defconf interface=ether5 pvid=20
add bridge=bridge comment=defconf interface=ether6 pvid=20
add bridge=bridge comment=defconf interface=ether7 pvid=20
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment="LAN Network" tagged=bridge,ether8 untagged=\
    ether3,ether4,ether5,ether6,ether2,ether7 vlan-ids=20
add bridge=bridge comment=IPTV tagged=\
    ether8,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=4
add bridge=bridge comment=LAB tagged=ether8,bridge vlan-ids=30
/interface list member
add interface="LAN Network" list=LAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.100.10/32 comment="Macbook" interface=\
    MikroTik-Wireguard public-key=\
    "TT"
add allowed-address=192.168.100.11/32 comment="iPhone" interface=\
    MikroTik-Wireguard public-key=\
    "Pj"
add allowed-address=192.168.100.12/32 comment="iPhone" interface=\
    MikroTik-Wireguard public-key=\
    "dt"
add allowed-address=192.168.100.0/32,192.168.3.0/24 comment=\
    "Tunnel naar ouders" endpoint-address=xxx endpoint-port=13231 \
    interface=MikroTik-Wireguard public-key=\
    "Nb"
add allowed-address=0.0.0.0/0 endpoint-address=191.96.227.154 endpoint-port=\
    1337 interface=wg-pia-il persistent-keepalive=25s public-key=\
    "np"
/ip address
add address=192.168.30.1/24 interface=LAB network=192.168.30.0
add address=192.168.100.1/24 interface=MikroTik-Wireguard network=\
    192.168.100.0
add address=192.168.20.1/24 interface="LAN Network" network=192.168.20.0
add address=192.168.2.20/24 interface=ether1 network=192.168.2.0
add address=10.25.161.123/17 interface=wg-pia-il network=10.25.128.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.20.215 client-id=1:ac:e2:d3:14:86:e3 mac-address=\
    AC:E2:D3:14:86:E3 server=dhcp1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes servers=192.168.2.254
/ip dns static
add address=192.168.2.254 comment=Router name=kpn.lan
add address=192.168.20.1 comment=Router name=router.lan
add address=192.168.20.2 comment=Woonkamer name=sw01.lan
add address=192.168.20.10 comment=Zolder name=nas.lan
add address=192.168.20.10 name=administratie.nas.lan
add address=192.168.20.215 name=batocera.lan
add address=192.168.3.254 name=routeraad.lan
add address=10.25.128.1 name=gw-wg-pia-il
/ip firewall address-list
add address=wtfismyip.com list=vpn-list
/ip firewall filter
add action=accept chain=input comment="Allow WireGuard traffic" src-address=\
    192.168.100.0/24
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="Block LAB traffic to the Internet" \
    in-interface=LAB
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=\
    PIA-Connection packet-mark=no-mark passthrough=yes src-address=\
    192.168.20.31
add action=mark-packet chain=prerouting connection-mark=no-mark \
    dst-address-list=vpn-list new-packet-mark=PIA-Connection passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=PIA packet-mark=\
    PIA-Connection passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=FTP dst-port=20 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.20.10 to-ports=20
add action=dst-nat chain=dstnat comment=FTP dst-port=21 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.20.10 to-ports=21
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.20.10 to-ports=443
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=\
    32400
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.20.10 to-ports=80
add action=dst-nat chain=dstnat comment="Synology WEBDAV" dst-port=5006 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=\
    5006
add action=dst-nat chain=dstnat comment="Synology Hyperbackup" dst-port=6281 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=\
    6281
add action=dst-nat chain=dstnat comment="Synology Management" dst-port=5001 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=\
    5001
add action=dst-nat chain=dstnat comment="Home Assistant" dst-port=8124 \
    in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.20.10 \
    to-ports=8124
add action=dst-nat chain=dstnat comment="Active Backup" dst-port=5510 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.20.10 to-ports=\
    5510
add action=dst-nat chain=dstnat comment=OpenVPN dst-port=1194 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.20.10 to-ports=\
    1194
/ip firewall service-port
set tftp disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add comment="Route naar ouders via WireGuard" disabled=no distance=1 \
    dst-address=192.168.3.0/24 gateway=MikroTik-Wireguard pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.254 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=none disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wg-pia-il pref-src="" routing-table=PIA scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.20.0/24
set ssh address=192.168.20.0/24 port=2202
set winbox address=192.168.20.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=no routing-mark=PIA table=main
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=ROUTER
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19651
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route specific sites and one IP Address through PIA VPN

Sun Apr 28, 2024 4:33 pm

(1) This client peer's allowed IPs setting makes little sense. As with the other remote users, there is no need for endpoint anything!! Assuming this is another router, as you have the WireGuard address and a subnet identified. Also, the WireGuard address in the allowed IPs for the remote router is wrong!!!
add allowed-address=192.168.100.0/32,192.168.3.0/24 comment=\
    "Tunnel naar ouders" endpoint-address=xxx endpoint-port=13231 \
    interface=MikroTik-Wireguard public-key=\
    "Nb"


(2) MISSING persistent-keepalive=XXs, for example 35s, in the peer setting for the PIA server.

(3) Change your PIA IP address (it bothers me, but there is probably nothing wrong with the network not matching up... not a networking guru).
add address=10.25.161.123/24 interface=wg-pia-il network=10.25.128.0 { force all traffic from src to PIA }

(4) Why is this rule in the input chain??
add action=drop chain=input comment="Block LAB traffic to the Internet" \
in-interface=LAB


(5) Why are you mangling?

(6) Why use an insecure protocol method?
set www address=192.168.20.0/24 ??? should be removed.

(7) Instead of mangling, try routing rules.

Same table, same route; remove mangling and add:

/routing rule
add action=lookup-only-in-table min-prefix=0 table=main comment="ensure local traffic is permitted"
add action=lookup-only-in-table src-address=192.168.20.31/32 table=PIA
 
Pilo2710
just joined
Topic Author
Posts: 4
Joined: Thu Apr 18, 2024 12:00 am

Re: Route specific sites and one IP Address through PIA VPN

Sun Apr 28, 2024 6:16 pm

Thanks for your extensive explanation. Much appreciated. I will correct my configuration based on your comments and see if I am able to get things working.
 
Pilo2710
just joined
Topic Author
Posts: 4
Joined: Thu Apr 18, 2024 12:00 am

Re: Route specific sites and one IP Address through PIA VPN

Tue Apr 30, 2024 7:20 pm

Hi,

I've updated the configuration and removed the mangle rules and added routing rules. Furthermore, I updated the VPN and it creates a dynamic subnet of 10.30.128.0/17 and an address in that range of 10.13.158.159/17, which makes sense when you look at the defined subnet. Again, I can see traffic on the Wireguard interface, but only Tx, no Rx:

I can only assume that something with the VPN is not configured correctly. The 8.8.8.8 is a ping that I did on the client. The other traffic is me trying to open a website on the box as well.

I've changed the config to use the OpenVPN configuration I also have for PIA and it's the same issue :S

Below is the Torch result with the WireGuard config
 
Pilo2710
just joined
Topic Author
Posts: 4
Joined: Thu Apr 18, 2024 12:00 am

Re: Route specific sites and one IP Address through PIA VPN

Tue Apr 30, 2024 8:47 pm

Solved it!
Adding a NAT masquerade rule did the trick:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=wg-pia-il log=no log-prefix=""
 
anav
Forum Guru
Posts: 19651
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route specific sites and one IP Address through PIA VPN

Tue Apr 30, 2024 10:22 pm

Yes, that is required for third-party VPN providers, as they only expect to see at their end the IP address they gave you.
By using source NAT, all your users will have their IP converted to the WireGuard IP when sent through the tunnel.
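Pulling the pieces of this thread together, below is a complete RouterOS 7 policy-routing set, added here as an example; it is not a configuration posted in the thread, in the linked tutorial, or by MikroTik. It covers both requirements in the topic title: one LAN host (192.168.20.31, taken from the original export) sent entirely through PIA by a routing rule, and destinations in the vpn-list address list sent through PIA by mangle marks, because routing rules can match a source or destination prefix but not an address list. The interface name wg-pia-il, the table name PIA and the list name vpn-list are the thread's own; the WireGuard interface and peer themselves are assumed to already exist as in the original config. Two points the thread does not spell out are included: marked packets are looked up directly in table PIA, so no routing rule keyed on routing-mark is needed in RouterOS 7, and fasttracked packets bypass mangle entirely, so a connection that gets fasttracked after its first packet would lose its routing mark and fall back to the main table unless it is excluded from fasttrack.

```routeros
# Added example (not from the thread): policy routing of one host and one
# address list through the PIA WireGuard tunnel on RouterOS 7.
# Names wg-pia-il, PIA, vpn-list and host 192.168.20.31 come from the thread.

/routing table
add name=PIA fib

/ip route
# Default route inside table PIA points into the tunnel; main keeps the ISP default.
add dst-address=0.0.0.0/0 gateway=wg-pia-il routing-table=PIA

/ip firewall address-list
# A hostname entry is resolved by the router and adds all of its A records.
add list=vpn-list address=wtfismyip.com comment="sites to send via PIA"

/routing rule
# Connected/local prefixes stay on main: min-prefix=0 ignores main's default
# route, so only LAN and tunnel subnets match here and everything else falls
# through to the next rule.
add action=lookup-only-in-table table=main min-prefix=0 \
    comment="keep local traffic local"
# One whole host via PIA, whatever the destination.
add action=lookup-only-in-table src-address=192.168.20.31/32 table=PIA \
    comment="this host always via PIA"

/ip firewall mangle
# Address-list destinations can only be matched in mangle. Mark the connection
# once on its first packet, then derive the per-packet routing mark from the
# connection mark so every packet of the flow uses table PIA.
add chain=prerouting src-address=192.168.20.0/24 dst-address-list=vpn-list \
    connection-mark=no-mark action=mark-connection new-connection-mark=PIA-conn \
    passthrough=yes comment="mark connections to vpn-list sites"
add chain=prerouting connection-mark=PIA-conn action=mark-routing \
    new-routing-mark=PIA passthrough=no comment="route marked connections via PIA"

/ip firewall filter
# Replaces the defconf fasttrack rule: fasttracked packets skip mangle, so
# PIA-bound connections must not be fasttracked or they silently return to main.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=!PIA-conn comment="fasttrack all but PIA-bound connections"

/ip firewall nat
# PIA only returns traffic to the tunnel address it assigned, so LAN sources
# must be rewritten to it; without this rule Torch shows Tx but no Rx.
add chain=srcnat action=masquerade out-interface=wg-pia-il \
    comment="masquerade into PIA tunnel"
```

The fasttrack rule above is meant to take the place of the existing "defconf: fasttrack" rule rather than sit next to it, since the defconf rule has no connection-mark condition and would still fasttrack the marked connections. With the masquerade rule in place the routing-rule path and the mangle path both return traffic correctly, which matches the thread's outcome.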
 
chiem
newbie
Posts: 42
Joined: Fri Oct 24, 2014 4:48 pm

Re: Route specific sites and one IP Address through PIA VPN

Fri May 03, 2024 1:47 am

Solved it!
Adding a NAT masquerade rule did the trick
Sorry about the NAT oversight. Updated my guide.
