LAN To LAN Wireguard tunnel over the internet

Installing and Using OpenWrt Network and Wireless Configuration
21

I use screensharing to deal with things that need local access. Provided you can establish a screensharing connection in general, this works for pretty much anything other than failsafe mode or a complete reset that might disable the network/internet connectivity.

I use the screen sharing built into the Mac OS Messages application, and I did this just yesterday with my father-in-law because their ISP replaced the router (I have an OpenWrt VPN endpoint behind the ISP router). I used the browser on his computer (via screenshare) to adjust his local network devices so that I can get the VPN up and running again. There are many screen sharing technologies that should work in this scenario, including Chrome Remote Desktop among many other things. Even if you can't control the remote side, as long as you can give your remote user instructions of what to do (while you watch), you can usually resolve most issues.

EDIT: It also raises another question -- how were you previously gaining access to the OpenWrt router from your home?

1 Like
22

I managed to gain access back, it was hard, took me more than an hour just to explain to my cousin how to log in, go to firewall and delete that NAT rule :smiley:
I thought about screen sharing but couldn't find android to android one, maybe there is but i couldn't. I have access again to the router via wg, ssh and web interface, the access is only permitted via my static public IP at home, so will try later again to establish a connection between two routers, i have opened a thread at mikrotik forum as well so i can get advice from the "other side" as well :slight_smile: will keep you posted! Thanks again to everyone!

23

UPDATE:

Everyone thanks a lot for your advices and efforts. Finally I have managed to achieve my goal. Everything is working as intended, I have access to my LANs from both sides I think ( at least from one side I have it :slight_smile: )
Please see below the configuration of both routers. OpenWrt and Mikrotik.

OpenWrt:


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde5:fe4e:f4fe::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ip6assign '60'
	option ifname 'eth0 eth0.1 vpn'
	list ipaddr '192.168.1.1/24'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'b8:ee:0e:f1:88:38'

config interface 'wan'
	option proto 'pppoe'
	option username 'user'
	option password 'pass'
	option ifname 'eth0.2'
	option macaddr ''
	option ipv6 '0'
	option delegate '0'
	option mtu '1500'
	option metric '1'

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr 'b8:ee:0e:f1:88:39'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 6t'

config interface 'vpn'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn
	option public_key ''
	option description 'phone'
	option route_allowed_ips '1'
	list allowed_ips '192.168.1.0/32'
	list allowed_ips '192.168.9.5'

config wireguard_vpn
	option public_key ''
	option description 'mikrotik'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.9.2'
	list allowed_ips '192.168.88.0/24'

config wireguard_vpn
	option route_allowed_ips '1'
	option public_key ''
	option description 'Macbook'
	list allowed_ips '192.168.9.4'

Mikrotik

# apr/05/2022 08:23:54 by RouterOS 7.1.5
# software id = 2Y0D-P7Z5
#
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.30-192.168.88.80
add name=vpn-pool ranges=192.168.8.10-192.168.8.12
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
add dns-server=192.168.8.250 local-address=192.168.8.250 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
/routing table
add fib name=""
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap1,mschap2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
    default-profile=vpn-profile require-client-certificate=yes
/interface wireguard peers
add allowed-address=192.168.9.4/32 comment=Phone interface=wireguard1 \
    public-key=""
add allowed-address=192.168.9.5/32 comment=MacBookAir interface=wireguard1 \
    public-key="="
add allowed-address=192.168.9.2/32,192.168.9.1/32,192.168.1.0/24 comment=\
    "Openwrt VPN" endpoint-port=51820 interface=wireguard1 \
    persistent-keepalive=25s public-key=\
    ""
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=public IP/24 interface=ether1 network=.0
add address=192.168.9.2/24 interface=wireguard1 network=192.168.9.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.48 comment="NUC wifi" mac-address=:D6 \
    server=defconf
add address=192.168.88.49 comment="NUC cable" mac-address=:7F \
    server=defconf
add address=192.168.88.43 comment="Raspberry pi 4" mac-address=\
    DC:A6:32:8B:BC:94 server=defconf
add address=192.168.88.52 client-id=:f6 mac-address=\
    B:F6 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.49 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.49
/ip dns static
add address=192.168.88.1 disabled=yes name=router.lan
add address=192.168.88.49 name="Home DNS"
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Wireguard VPN" dst-port=13231 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=forward comment="OpenWRT Wireguard" dst-address=\
    192.168.1.0/24 src-address=192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.1.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="OpenVPN Server NUC" disabled=yes \
    in-interface=ether1 log=yes log-prefix=VPN protocol=udp to-addresses=\
    192.168.88.49 to-ports=1122
add action=dst-nat chain=dstnat comment=Wireguard dst-port=52994 \
    in-interface=ether1 protocol=udp to-addresses=192.168.88.49 to-ports=\
    52994
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
    src-port="" to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
    to-ports=53
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XX.XX.XX.1
add disabled=no dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2
/ppp secret
add name=sevim profile=vpn-profile
/system clock
set time-zone-name=Europe/
/system identity
set name=MikroTikRouter
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.88.49
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=wireguard1
24

Diff on MikroTik Good job friends!

Diff
Diff1286×723 150 KB

Diff on OpenWRT

Dads
Dads1921×2834 361 KB

25

Hi all again there is Update to the situation

So the situation is as follows:
When i connect with my phone or laptop to my MikroTik's WG I:

  1. can ping 192.168.88.0 subnet
  2. can access 192.168.88.49 port 80 nextcloud
  3. can not access any other ports on the same IP (strange) i have a pi-hole running on port 8888, but no luck!
  4. can not access 192.168.88.1 via winbox or mikrotik android app, but can access the other wifi router on 192.168.88.2!?
  5. Can not ping any IP on 192.168.1.0 subnet
    ##############################
    When i connect with my phone to the other side to the Openwrt router's WG:
  6. can not ping anything from 192.168.88.0 subnet
  7. have access to the router and the 192.168.1.0 subnet
  8. one strange thing as i am at work if i try to connect via wifi to the Wg i get can not resolve dns error, if i try with cellular it works, maybe the IT guys over here are doing something fancy don't know.

I was thinking of client isolation? maybe this is the problem, what do you think?

26

Shall I buy two?

Get one for me and the other for you and you can ....

FLASH IT

Learn the OpenWRT configs back to Dads house and then mimic them to the Mikrotik.

Good job @sevo

27

Well, just managed to sort out the problem with accessing my home server and all the services running on it. To be honest I was thinking that something is wrong with the routers routing or firewall rules, so i was testing a lot of things these days, most of them without realizing what they do, fortunately rid not break anything but finally got a solution. So the problem was not in my MT or Openwrt routers but in my Home servers firewall ....
i just had to allow everything from Wireguard subnet and it started working like a charm. Well thanks again to everyone and for your patience as well :slight_smile:
All the best and live long and prosperous!

please find down below the latest config files for both sides:

OpenWRT:

cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde5:fe4e:f4fe::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ip6assign '60'
	option ifname 'eth0 eth0.1 vpn'
	list ipaddr '192.168.1.1/24'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr ''

config interface 'wan'
	option proto 'pppoe'
	option username ''
	option password ''
	option ifname 'eth0.2'
	option macaddr ''
	option ipv6 '0'
	option delegate '0'
	option mtu '1500'
	option metric '1'

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr ''

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 6t'

config interface 'vpn'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn
	option public_key ''
	option description 'phone'
	option route_allowed_ips '1'
	list allowed_ips '192.168.9.20'

config wireguard_vpn
	option public_key ''
	option description 'mikrotik'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.9.2'
	list allowed_ips '192.168.88.0/24'
	list allowed_ips '192.168.9.0/24'

config wireguard_vpn
	option route_allowed_ips '1'
	option public_key ''
	option description 'Macbook'
	list allowed_ips '192.168.9.21'

config route
	option target '192.168.88.0/24'
	option interface 'vpn'
	option gateway '192.168.9.1'
	option netmask '255.255.255.0'

Mikrotik Side:

# 04/10/2022 08:59:44 by RouterOS 7.1.5
# software id = 2Y0D-P7Z5
#
# model = RB750Gr3
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.88.30-192.168.88.80
add name=vpn-pool ranges=192.168.8.10-192.168.8.12
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
add dns-server=192.168.8.250 local-address=192.168.8.250 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
/routing table
add fib name=""
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set authentication=mschap1,mschap2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
    default-profile=vpn-profile require-client-certificate=yes
/interface wireguard peers
add allowed-address=192.168.9.4/32 comment=Phone interface=wireguard1 \
    public-key=""
add allowed-address=192.168.9.5/32 comment=MacBookAir interface=wireguard1 \
    public-key=""
add allowed-address=\
    192.168.9.2/32,192.168.88.0/24,192.168.1.0/24,192.168.9.0/24 comment=\
    "Openwrt VPN" endpoint-address=OPENWRT DDNS IP endpoint-port=51820 \
    interface=wireguard1 persistent-keepalive=25s public-key=\
    ""
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=public IP/24 interface=ether1 network=public IP mask
add address=192.168.9.2/24 interface=wireguard1 network=192.168.9.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.48 comment="NUC wifi" mac-address= \
    server=defconf
add address=192.168.88.49 comment="NUC cable" mac-address= \
    server=defconf
add address=192.168.88.43 comment="Raspberry pi 4" mac-address=\
     server=defconf
add address=192.168.88.52 client-id= mac-address=\
     server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.49 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.88.49
/ip dns static
add address=192.168.88.1 disabled=yes name=router.lan
add address=192.168.88.49 name="Home DNS"
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN" disabled=yes dst-port=\
    1194 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Wireguard VPN NUC" dst-port=13231 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Wireguard VPN" dst-address=\
    192.168.88.0/24 src-address=192.168.9.0/24
add action=accept chain=input comment="Wireguard VPN" disabled=yes \
    dst-address=192.168.9.0/24 in-interface=wireguard1 src-address=\
    192.168.1.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=Wireguard dst-port=52994 \
    in-interface=ether1 protocol=udp to-addresses=192.168.88.49 to-ports=\
    52994
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
    src-port="" to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
    to-ports=53
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.88.0/24 gateway=wireguard1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=
/ppp secret
add name= profile=vpn-profile
/system clock
set time-zone-name=Europe/
/system identity
set name=MikroTikRouter
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.88.49
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=wireguard1

So these configs solve all problems

Thanks again to everyone!

28

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.