LAN To LAN Wireguard tunnel over the internet

Hi all,
Can someone help me a little with my struggle?
So the situation is as follows
I have a home MikroTik router with a WG server running, and another OpenWrt router at my father's house, which is 250 km away. I just set up some cameras at my father's house and want to access them through the internet. I also want to connect the two routers via WG, but not push all the traffic through the tunnel: I just want to reach my father's router and everything on its local LAN from devices in my home LAN, without having to connect via WG from my phone or laptop. I managed to set up a connection between the two routers, but something is wrong and it doesn't work as expected.

###########
The home lan is as follows
mikrotik switch 192.168.88.1 (connected to internet)
mikrotik wifi router 192.168.88.2
local lan subnet 192.168.88.0/24
wg interface addr 10.0.0.1/32
home server with pi hole and unbound 192.168.88.49

###########
Father's router Openwrt connected to internet but with dynamic ip, managed to set up ddns via no-ip.com
Local lan 192.168.1.1/24
NVR 192.168.1.5
Cameras 192.168.200-202
Wg interface addr 192.168.9.1

From my phone over the mobile network I can connect to the OpenWrt router via WG and it works as expected; while connected I can see the cameras and have access to the local LAN.
The same is with my home router, wg is working as expected.

I was thinking: do I have to create separate WG interfaces on both devices, or create VLANs and then bridge them somehow? I just cannot figure it out. I am not an engineer but a doctor :slight_smile:, though I have some knowledge about computers :slight_smile: Any help is highly appreciated!
Thanks in advance!

Please copy the output of the following commands from both routers and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/network

# /etc/config/network as posted by the OP (OpenWrt, father's house).
# Keys, credentials and MAC addresses are redacted in the paste.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde5:fe4e:f4fe::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

# LAN 192.168.1.0/24 — the NVR (.5) and the cameras (.200-.202, as listed in
# the firewall rules) live here, so this is the prefix the remote site must route.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'b8:ee:0e:'

config interface 'wan'
        option proto 'pppoe'
        option username ''
        option password ''
        option ifname 'eth0.2'
        option macaddr ''
        option ipv6 '0'
        option delegate '0'
        option mtu '1500'
        option metric '1'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr ''

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

# WireGuard "server" interface: 192.168.9.1/24, listening on UDP 51820
# (the matching firewall rule is Allow-WireGuard in /etc/config/firewall).
config interface 'vpn'
        option proto 'wireguard'
        option private_key ''
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:e8a1:8d3f:9::1/64'

# Only peer at this stage. allowed_ips covers just the remote tunnel address,
# so packets sourced from the home LAN (192.168.88.0/24) arriving through the
# tunnel fail WireGuard's cryptokey routing — the remote LAN prefix has to be
# listed here for LAN-to-LAN traffic. The missing closing quote on the
# allowed_ips line is most likely a paste artifact — confirm against the live file.
config wireguard_vpn
        option public_key ''
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.2




cat /etc/config/firewall


# /etc/config/firewall as posted (OpenWrt, father's house). The redacted
# src_ip values and the two unbalanced quotes appear to be paste artifacts.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# The 'vpn' network is a member of the lan zone, so every tunnel peer gets the
# same unrestricted input/forward as a local LAN host.
config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# Router management from the WAN: every port and protocol is accepted, but only
# from the single (redacted) home public address. No dest_port restriction.
config rule
        option src 'wan'
        option name 'Allow Remote Mngmt'
        option target 'ACCEPT'
        list src_ip 'my home public IP'

# NOTE(review): a MASQUERADE nat rule with src '*' is not limited to the wan
# zone. If fw3 honours the wildcard, LAN-to-tunnel traffic is also rewritten
# to the router's own address, which hides real client IPs from the NVR and
# cameras. The wan zone's 'masq 1' above already covers internet traffic —
# confirm this stanza is intended.
config nat
        option name 'NVR and CAMS'
        option target 'MASQUERADE'
        option src '*'

# Inbound WireGuard handshake/transport for the 'vpn' interface.
config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

# Forwarding from the (redacted) home public IP to the NVR and the three
# cameras on any port (dest '*'). The unbalanced quote on src_ip is a paste artifact.
config rule
        option src 'wan'
        option name 'Allow Full Access from Sofia'
        option target 'ACCEPT'
        list src_ip y home public IP'
        list dest_ip '192.168.1.5'
        list dest_ip '192.168.1.200'
        list dest_ip '192.168.1.201'
        list dest_ip '192.168.1.202'
        option dest '*'

Perhaps this scripted setup guide would help? https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site

First, the two ends of the Wireguard tunnel need to be in the same network.
Father's house: 192.168.9.1/24
Your house: 192.168.9.2/24

At your end set the allowed_ips to what you need to receive from the other end. This would be the camera network 192.168.200.0/24 and the LAN with the NVR 192.168.1.0/24, and (mostly for test purposes), the server end of the tunnel 192.168.9.1.

At his end the allowed_ips is your LAN 192.168.88.0/24, and again you may want to send a ping or a ssh session from 192.168.9.2 so include that as well. Set route_allowed_ips to 1 on both ends. You should see these routes in the routing table of each router.

Your router:

  • 192.168.9.0/24 interface wg0
  • 192.168.1.0/24 gateway 192.168.9.1 interface wg0
  • 192.168.200.0/24 gateway 192.168.9.1 interface wg0

Father's router:

  • 192.168.9.0/24 interface wg0
  • 192.168.88.0/24 gateway 192.168.9.2 interface wg0

It is simplest to place the Wireguard tunnel in the lan firewall zone as long as everything at both ends is considered trusted.

Assuming the Wireguard endpoint is also the main router of each network, this should be all that you need. This is all layer 3 routing; there is no need for bridges or VLANs etc. The important thing is that the device hosting the end of the tunnel also holds the interfaces and routes to all networks of interest, because it is the main router for the house.

A "road warrior" client like a phone would have an IP in the tunnel that isn't the same as the two existing ends, such as 192.168.9.3. At the VPN server (father's house) the allowed_ips of this client would just be 192.168.9.3/32 since that is the only IP address the phone has. Typically road warriors are set up to default route 0.0.0.0 through the VPN gateway of 192.168.9.1. That would include the cameras and the NVR as well as the Internet.

First, the two ends of the Wireguard tunnel need to be in the same network.
Father's house: 192.168.9.1/24
Your house: 192.168.9.2/24

So I have to set the interface address for WG on my router to the same subnet, like 192.168.9.2?
Because right now the WG interface address on my home router is set to 10.0.0.1/32 — is that correct?

Perhaps this scripted setup guide would help? https://openwrt.org/docs/guide-user/services/vpn/wireguard/site-to-site

I am afraid to use automated scripts from a distance, because if anything goes wrong I can't go there and reset the configuration, and there is no one over there who understands this stuff. But I will have a look at it and see if I can understand the basics. Thanks a lot :slight_smile:

That is not correct since it doesn't match the wg interface at the other end. Inside the wireguard tunnel is similar to another LAN-- all the machines need to have different IPs but in the same subnet, and the netmask needs to be large enough to cover all of them.

Ok, I understand. I will create a new interface on my MikroTik router at home with the new address 192.168.9.2 and will try to connect it to the OpenWrt at my father's house with WG 192.168.9.1, and will report back whether it is working. Thanks a lot for your time and help!

Not a new interface, you only need to change the IP of your end of the wireguard tunnel to 192.168.9.2 with a netmask that includes 192.168.9.1. Conventionally, just take the whole .9.0/24 block(*). There is no need for the 10.0 IP at all, delete it.

  • as something for the future, this could be used to allow your road warrior phone VPN access to your LAN via a double hop through your father's wireguard server.

That's not entirely true. The WireGuard interface on the router doesn't technically need its own separate IP address at all. You can do site-to-site without assigning an IP to the WireGuard interfaces on either end and just route the appropriate IPs/subnets from either end (either manually or by setting route_allowed_ips to 1).

Any 'road warrior' peers will need an IP address assigned to their local WireGuard interface, but there doesn't need to be a 'tunnel subnet'.

So this is the latest config. I can ping the WG interfaces from both sides, but that's it — nothing else.
here is the Openwrt side (father's house)

# Latest OpenWrt-side (father's house) WireGuard config posted by the OP.
config interface 'vpn'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

# Road-warrior phone: a single host address, as it should be.
config wireguard_vpn
	option public_key ''
        option description 'Phone'
	option route_allowed_ips '1'
	list allowed_ips '192.168.9.20'

# Site-to-site peer (home MikroTik). 192.168.9.0/24 already covers 192.168.9.2;
# 192.168.88.0/24 is the entry that lets home-LAN sources pass cryptokey routing.
# endpoint_host/endpoint_port make this side initiate as well as accept.
config wireguard_vpn
	option public_key ''
	option description 'mikrotik'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_port '13231'
	option endpoint_host 'home public IP'
	list allowed_ips '192.168.9.2'
	list allowed_ips '192.168.88.0/24'
	list allowed_ips '192.168.9.0/24'

# NOTE(review): '192.168.9.21/24' is the prefix 192.168.9.0/24 as far as
# WireGuard is concerned, which duplicates the MikroTik peer's entry above.
# An allowed IP belongs to exactly one peer — the most recently configured —
# so this stanza very likely takes the whole tunnel subnet away from the
# site-to-site peer. A single client should get a /32: '192.168.9.21/32'.
config wireguard_vpn
	option route_allowed_ips '1'
	option public_key ''
	option description 'Macbook'
	list allowed_ips '192.168.9.21/24'

# NOTE(review): this static route looks malformed — 'target' is a host address
# with a prefix length, 'gateway' is a network, and 'netmask' is a CIDR string.
# With route_allowed_ips '1' on every peer the routes for the allowed prefixes
# are installed automatically, so this stanza can probably be removed.
config route
	option target '192.168.9.1/24'
	option gateway '192.168.1.0/24'
	option netmask '192.168.9.0/24'
	option interface 'vpn'

and here is my mikrotik config (home router)

# jan/02/2022 14:43:04 by RouterOS 7.1.5
# software id = 2Y0D-P7Z5
#
# model = RB750Gr3
# serial number = 
# Home router export as posted by the OP; keys, MACs, some ports and the WAN
# address are redacted.
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=XXXXXXXXX
# Local WireGuard interface, UDP 13231 (accepted in the input chain below).
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.30-192.168.88.80
add name=vpn-pool ranges=192.168.8.10-192.168.8.12
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
add dns-server=192.168.8.250 local-address=192.168.8.250 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
/routing table
add fib name=""
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap1,mschap2
# Only the bridge is in LAN and only ether1 in WAN; wireguard1 is in neither
# list, which matters for the interface-list based firewall rules below.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
    default-profile=vpn-profile require-client-certificate=yes
# Peers: two road-warrior /32s and the OpenWrt site. 192.168.1.0/24 admits the
# father's LAN; if the cameras sit in another prefix it must be added here too.
# RouterOS does not install routes from allowed-address — see /ip route below.
/interface wireguard peers
add allowed-address=192.168.9.4/32 comment=Phone interface=wireguard1 \
    public-key=""
add allowed-address=192.168.9.5/32 comment=MacBookAir interface=wireguard1 \
    public-key=""
add allowed-address=192.168.9.0/24,192.168.1.0/24 comment="Openwrt VPN" \
    endpoint-address=no-ip.com endpoint-port=51820 interface=wireguard1 \
    persistent-keepalive=25s public-key=\
    ""
# 192.168.9.2/24 on wireguard1 matches the remote side's 192.168.9.1/24 and
# yields the connected route for the tunnel subnet.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
add address=/24 interface=ether1 network=0
add address=192.168.9.2/24 interface=wireguard1 network=192.168.9.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.48 comment="NUC wifi" mac-address= \
    server=defconf
add address=192.168.88.49 comment="NUC cable" mac-address= \
    server=defconf
add address=192.168.88.43 comment="Raspberry pi 4" mac-address=\
     server=defconf
add address=192.168.88.52 client-id=1: mac-address=\
     server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.49 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.49
/ip dns static
add address=192.168.88.1 disabled=yes name=router.lan
add address=192.168.88.49 name="Home DNS"
# Input chain: the last input rule drops everything not from the LAN list, so
# tunnel peers reach the router itself only through the ICMP and
# established/related rules. The forward chain has no such catch-all for
# non-WAN sources, so tunnel-to-LAN forwarding is unfiltered.
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" dst-port= protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Wireguard VPN" dst-port=13231 \
    in-interface-list=WAN protocol=udp
# NOTE(review): ESP, UDP 1701/500/4500 (L2TP/IPsec) and the redacted OpenVPN
# port are accepted on every interface, WAN included. If those VPN services
# are no longer in use, these rules only widen the exposed surface.
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="OpenVPN Server NUC" disabled=yes \
    in-interface=ether1 log=yes log-prefix=VPN protocol=udp to-addresses=\
    192.168.88.49 to-ports=1122
add action=dst-nat chain=dstnat comment=Wireguard dst-port=52994 \
    in-interface=ether1 protocol=udp to-addresses=192.168.88.49 to-ports=\
    52994
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
    src-port="" to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
    to-ports=53
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# NOTE(review): there is no route to 192.168.1.0/24 via wireguard1. The
# 192.168.1.0/24 entry is disabled and points at the bridge, and the
# 192.168.9.0/32 entry is a bogus route (network address as a /32, gateway=bridge).
# RouterOS needs an explicit static route, e.g.
#   dst-address=192.168.1.0/24 gateway=wireguard1
# The connected 192.168.9.0/24 route already comes from the interface address.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=bridge \
    pref-src=192.168.1.1 routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=192.168.9.0/32 \
    gateway=bridge pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=
/ppp secret
add name=sevim profile=vpn-profile
/system clock
set time-zone-name=Europe/
/system identity
set name=MikroTikRouter
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.88.49
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Yikes RouterOS! I'm no help but this IS after-all a OpenWRT support forum.

I truly hope we have some dyed-in-the-wool Mikrotik RouterOS fans here as well.
I'd like to see how this pans out. :+1:
Sincerely
Biill

Yikes RouterOS! I'm no help but this IS after-all a OpenWRT support forum.
I truly hope we got some Dye-in-the-Wool Mikrotik RouterOS fan here as well.
I'd like to see how this pans out. :+1:
Sincerely
Biill

I know that's why I am asking for help here, I hope nobody is offended :slight_smile:

I'm Not!!
Have you checked the ToH to see if you can do an initramfs test drive of OpenWrt on this Mikky?

I have no intention to use it with openwrt, routeros is hard but once set up reliable enough for me. :slight_smile:


RESPECT!
You'll be my go to when I need a new MikroTik!!
Enjoy the Journey

With the OP's permission, here is his MikroTik's system output, formatted for easier viewing:

# Re-post of the MikroTik export above, re-indented for readability. Note that
# every '/' has become '\' (date, CIDR prefix lengths, menu paths), so this copy
# is not loadable as-is — copy from the original listing, not from this one.
# jan\02\2022 14:43:04 by RouterOS 7.1.5
# software id = 2Y0D-P7Z5
#
# model = RB750Gr3
# serial number = 
		SYSTEM--interface bridge
               add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridge
		SYSTEM--interface ethernet
               set [ find default-name=ether1 ] mac-address=XXXXXXXXX
		SYSTEM--interface wireguard
               add listen-port=13231 mtu=1420 name=wireguard1
		SYSTEM--interface list
               add comment=defconf name=WAN
               add comment=defconf name=LAN
		SYSTEM--interface lte apn
               set [ find default=yes ] ip-type=ipv4 use-network-apn=no
		SYSTEM--interface wireless security-profiles
               set [ find default=yes ] supplicant-identity=MikroTik
		SYSTEM--ip ipsec proposal
               set [ find default=yes ] disabled=yes enc-algorithms=3des
		SYSTEM--ip pool
               add name=dhcp ranges=192.168.88.30-192.168.88.80
               add name=vpn-pool ranges=192.168.8.10-192.168.8.12
		SYSTEM--ip dhcp-server
               add address-pool=dhcp interface=bridge name=defconf
		SYSTEM--port
               set 0 name=serial0
		SYSTEM--ppp profile
               add dns-server=192.168.8.250 local-address=192.168.8.250 name=vpn-profile \
               remote-address=vpn-pool use-encryption=yes
		SYSTEM--routing table
               add fib name=""
		SYSTEM--user group
               set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
               sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
		SYSTEM--interface bridge port
               add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
               add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
               add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
               add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
		SYSTEM--ip neighbor discovery-settings
               set discover-interface-list=all
		SYSTEM--ipv6 settings
               set disable-ipv6=yes max-neighbor-entries=8192
		SYSTEM--interface detect-internet
               set detect-interface-list=all
		SYSTEM--interface l2tp-server server
               set authentication=mschap1,mschap2
		SYSTEM--interface list member
               add comment=defconf interface=bridge list=LAN
               add comment=defconf interface=ether1 list=WAN
		SYSTEM--interface ovpn-server server
               set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
               default-profile=vpn-profile require-client-certificate=yes
		SYSTEM--interface wireguard peers
               add allowed-address=192.168.9.4\32 comment=Phone interface=wireguard1 \
               public-key=""
               add allowed-address=192.168.9.5\32 comment=MacBookAir interface=wireguard1 \
               public-key=""
               add allowed-address=192.168.9.0\24,192.168.1.0\24 comment="Openwrt VPN" \
               endpoint-address=ustra.hopto.org endpoint-port=51820 interface=wireguard1 \
               persistent-keepalive=25s public-key=\
               ""
		SYSTEM--ip address
               add address=192.168.88.1\24 comment=defconf interface=ether2 network=\
               192.168.88.0
               add address=\24 interface=ether1 network=0
               add address=192.168.9.2\24 interface=wireguard1 network=192.168.9.0
		SYSTEM--ip cloud
               set update-time=no
		SYSTEM--ip dhcp-client
               add comment=defconf disabled=yes interface=ether1
		SYSTEM--ip dhcp-server lease
               add address=192.168.88.48 comment="NUC wifi" mac-address= \
               server=defconf
               add address=192.168.88.49 comment="NUC cable" mac-address= \
               server=defconf
               add address=192.168.88.43 comment="Raspberry pi 4" mac-address=\
               server=defconf
               add address=192.168.88.52 client-id=1: mac-address=\
               server=defconf
		SYSTEM--ip dhcp-server network
               add address=192.168.88.0\24 comment=defconf dns-server=192.168.88.49 gateway=\
               192.168.88.1
		SYSTEM--ip dns
               set allow-remote-requests=yes servers=192.168.88.49
		SYSTEM--ip dns static
               add address=192.168.88.1 disabled=yes name=router.lan
               add address=192.168.88.49 name="Home DNS"
		SYSTEM--ip firewall filter
               add action=accept chain=input comment="Allow OpenVPN" dst-port= protocol=\
               tcp
               add action=accept chain=input comment=\
               "defconf: accept established,related,untracked" connection-state=\
               established,related,untracked
               add action=accept chain=input comment="Wireguard VPN" dst-port=13231 \
               in-interface-list=WAN protocol=udp
               add action=accept chain=input protocol=ipsec-esp
               add action=accept chain=input port=1701,500,4500 protocol=udp
               add action=drop chain=input comment="defconf: drop invalid" connection-state=\
               invalid
               add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
               add action=accept chain=forward comment="defconf: accept in ipsec policy" \
               ipsec-policy=in,ipsec
               add action=accept chain=forward comment="defconf: accept out ipsec policy" \
               ipsec-policy=out,ipsec
               add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
               connection-state=established,related hw-offload=yes
               add action=accept chain=forward comment=\
               "defconf: accept established,related, untracked" connection-state=\
               established,related,untracked
               add action=drop chain=forward comment="defconf: drop invalid" \
               connection-state=invalid
               add action=drop chain=forward comment=\
               "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
               connection-state=new in-interface-list=WAN
               add action=drop chain=input comment="defconf: drop all not coming from LAN" \
               in-interface-list=!LAN
		SYSTEM--ip firewall nat
               add action=masquerade chain=srcnat comment="defconf: masquerade" \
               ipsec-policy=out,none out-interface-list=WAN
               add action=dst-nat chain=dstnat comment="OpenVPN Server NUC" disabled=yes \
               in-interface=ether1 log=yes log-prefix=VPN protocol=udp to-addresses=\
               192.168.88.49 to-ports=1122
               add action=dst-nat chain=dstnat comment=Wireguard dst-port=52994 \in-interface=ether1 protocol=udp to-addresses=192.168.88.49 to-ports=\52994
               add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
			   src-port="" to-ports=53
               add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
               to-ports=53
		SYSTEM--ip firewall service-port
               set ftp disabled=yes
               set tftp disabled=yes
               set irc disabled=yes
               set h323 disabled=yes
               set sip disabled=yes
               set pptp disabled=yes
               set udplite disabled=yes
               set dccp disabled=yes
               set sctp disabled=yes
		SYSTEM--ip ipsec policy
               set 0 disabled=yes dst-address=0.0.0.0\0 src-address=0.0.0.0\0
		SYSTEM--ip route
               add disabled=no dst-address=0.0.0.0\0 gateway=
               add disabled=yes distance=1 dst-address=192.168.1.0\24 gateway=bridge \
               pref-src=192.168.1.1 routing-table=main scope=10 suppress-hw-offload=no \
               target-scope=10
               add check-gateway=ping disabled=no distance=1 dst-address=192.168.9.0\32 \
               gateway=bridge pref-src="" routing-table=main scope=30 \
               suppress-hw-offload=no target-scope=10
		SYSTEM--ip service
               set telnet disabled=yes
               set ftp disabled=yes
               set ssh port=
		SYSTEM--ppp secret
               add name=sevim profile=vpn-profile
		SYSTEM--system clock
               set time-zone-name=Europe\
		SYSTEM--system identity
               set name=MikroTikRouter
		SYSTEM--system ntp client
               set enabled=yes
		SYSTEM--system ntp client servers
               add address=192.168.88.49
		SYSTEM--tool graphing interface
               add
		SYSTEM--tool graphing queue
               add
		SYSTEM--tool graphing resource
               add
		SYSTEM--tool mac-server
               set allowed-interface-list=LAN
		SYSTEM--tool mac-server mac-winbox
               set allowed-interface-list=LAN

:rofl: thanks mate

I know nothing about RouterOS, so I can only speak in generalities with that side of the equation.

It appears that you have the OpenWrt side set up more or less in a 'server' type configuration. I'd recommend that you have the RouterOS peer initiate the connection to the OpenWrt peer (just like you do for the phone > OpenWrt via WG).

That would mean that you'd setup the peer configuration for the 'tik (on the OpenWrt side) like this

# Proposed MikroTik peer stanza for the OpenWrt side: no endpoint, so the
# MikroTik initiates and keepalives hold the path open.
# NOTE(review): with allowed_ips limited to 192.168.9.2, packets sourced from
# home-LAN hosts (192.168.88.x) are dropped by cryptokey routing on this side;
# add `list allowed_ips '192.168.88.0/24'` unless the MikroTik source-NATs
# LAN traffic onto 192.168.9.2 before it enters the tunnel.
config wireguard_vpn
	option public_key ''
	option description 'mikrotik'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.9.2'

Then, on the Mikrotik, you'll set up the WG config with an interface address of 192.168.9.2. The OpenWrt peer config on the 'tik will be configured much like what you see in the peer config on your phone. Set the allowed IPs on that side to 192.168.1.0/24. That should do it. But I cannot give you any specific guidance on how to actually set those configurations in RouterOS.


Thanks all. I have made a big mistake and am now waiting for a friend of mine to go there and, with some instructions from me, clear up the mess. It was late last night and I was messing around with NAT rules, and by mistake I forwarded all the traffic from WAN to the DVR :frowning: so now I cannot access the router — everything goes to the NVR, and it is exposed to the internet. Fortunately I had updated its firmware, because recently there was a vulnerability that could lead to RCE...
Until my friend goes to my father's house and disables the NAT rule there is nothing I can test. So my question is: is there a foolproof setting I can apply so that, whatever happens, I won't lose access to the router again :slight_smile: ? Probably not, but it's worth asking :slight_smile: