OpenVPN server and Wireguard server on same router (2024)

Hello,

I am using a Hap AX2 with the latest OS version and I am unable to figure out how to configure OpenVPN clients and WireGuard clients to see each other.

192.168.200.0/25 - LAN subnet - Router IP is 192.168.200.1/25
10.168.200.0/25 - Wireguard subnet - Router IP is 10.168.200.1/32
10.168.200.128/25 - OpenVPN subnet - Router IP is 10.168.200.254/25
10.167.200.0/24 - OpenVPN site to site subnet for remote branches.
192.168.200.128/25 - OpenVPN site to site subnet for remote branch.

All interfaces belong to the LAN interface list, so no additional firewall forward rules are necessary (although I tried adding those rules, it's the same).

When I connect to the WireGuard server, I can only ping the LAN subnet (and vice versa) and other WireGuard peers, but neither the OpenVPN subnet nor the OpenVPN s2s subnet.

When I connect to OpenVPN server, I can ping LAN subnet and other OpenVPN clients and remote branches, but I can't ping Wireguard clients.

Something I am obviously missing about routing...

Windows OpenVPN client's route table

    Active Routes:
    Network Destination        Netmask          Gateway          Interface        Metric
    0.0.0.0                    0.0.0.0          192.168.0.129    192.168.0.150        25
    0.0.0.0                    0.0.0.0          10.168.200.254   10.168.200.248      537
    10.167.200.0               255.255.255.0    10.168.200.254   10.168.200.248      537
    10.168.200.0               255.255.255.0    10.168.200.254   10.168.200.248      537
    10.168.200.128             255.255.255.128  On-link          10.168.200.248      281
    10.168.200.248             255.255.255.255  On-link          10.168.200.248      281
    10.168.200.255             255.255.255.255  On-link          10.168.200.248      281
    127.0.0.0                  255.0.0.0        On-link          127.0.0.1           331
    127.0.0.1                  255.255.255.255  On-link          127.0.0.1           331
    127.255.255.255            255.255.255.255  On-link          127.0.0.1           331
    192.168.0.128              255.255.255.128  On-link          192.168.0.150       281
    192.168.0.150              255.255.255.255  On-link          192.168.0.150       281
    192.168.0.255              255.255.255.255  On-link          192.168.0.150       281
    192.168.200.0              255.255.255.0    10.168.200.254   10.168.200.248      537
    224.0.0.0                  240.0.0.0        On-link          127.0.0.1           331
    224.0.0.0                  240.0.0.0        On-link          10.168.200.248      281
    224.0.0.0                  240.0.0.0        On-link          192.168.0.150       281
    255.255.255.255            255.255.255.255  On-link          127.0.0.1           331
    255.255.255.255            255.255.255.255  On-link          10.168.200.248      281
    255.255.255.255            255.255.255.255  On-link          192.168.0.150       281

Windows WireGuard client's route table

    Network Destination        Netmask          Gateway          Interface        Metric
    0.0.0.0                    0.0.0.0          192.168.255.254  192.168.255.1         2
    10.167.200.0               255.255.255.0    On-link          10.168.200.2          5
    10.167.200.255             255.255.255.255  On-link          10.168.200.2        261
    10.168.200.0               255.255.255.0    On-link          10.168.200.2          5
    10.168.200.2               255.255.255.255  On-link          10.168.200.2        261
    10.168.200.255             255.255.255.255  On-link          10.168.200.2        261
    127.0.0.0                  255.0.0.0        On-link          127.0.0.1           331
    127.0.0.1                  255.255.255.255  On-link          127.0.0.1           331
    127.255.255.255            255.255.255.255  On-link          127.0.0.1           331
    192.168.200.0              255.255.255.0    On-link          10.168.200.2          5
    192.168.200.255            255.255.255.255  On-link          10.168.200.2        261
    192.168.255.0              255.255.255.0    On-link          192.168.255.1       257
    192.168.255.1              255.255.255.255  On-link          192.168.255.1       257
    192.168.255.255            255.255.255.255  On-link          192.168.255.1       257
    224.0.0.0                  240.0.0.0        On-link          127.0.0.1           331
    224.0.0.0                  240.0.0.0        On-link          192.168.255.1       257
    255.255.255.255            255.255.255.255  On-link          127.0.0.1           331
    255.255.255.255            255.255.255.255  On-link          192.168.255.1       257

Mikrotik routes

    Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP
    Columns: DST-ADDRESS, GATEWAY, DISTANCE
    #      DST-ADDRESS          GATEWAY                           DISTANCE
       DAd 0.0.0.0/0            10.168.1.1                               1
    0   As 10.167.200.32/27     <ovpn-pr2-kapija.domain.loc>             1
    1   As 10.167.200.64/27     <ovpn-magacin-kapija.domain.loc>         1
    2   As 10.167.200.128/27    <ovpn-pr5-kapija.domain.loc>             1
    3   As 10.167.200.160/27    <ovpn-pr6-kapija.domain.loc>             1
       DAc 10.168.1.0/24        ether1                                   0
    4   As 10.168.200.0/25      WG                                       1
       DAc 10.168.200.1/32      WG                                       0
       DAc 10.168.200.248/32    <ovpn-w.domain.loc>                      0
       DAc 10.168.200.249/32    <ovpn-pr6-kapija.domain.loc>             0
       DAc 10.168.200.250/32    <ovpn-pr1pr4-kapija.domain.loc>          0
       DAc 10.168.200.251/32    <ovpn-pr2-kapija.domain.loc>             0
       DAc 10.168.200.252/32    <ovpn-pr5-kapija.domain.loc>             0
       DAc 10.168.200.253/32    <ovpn-magacin-kapija.domain.loc>         0
       DAc 192.168.200.0/25     vlan1                                    0
    5   As 192.168.200.128/25   <ovpn-pr1pr4-kapija.domain.loc>          1

WireGuard config

    [Interface]
    PrivateKey = ****************
    ListenPort = 65534
    Address = 10.168.200.3/32
    DNS = 192.168.200.100
    MTU = 1412

    [Peer]
    PublicKey = ****************
    PresharedKey = ****************
    AllowedIPs = 192.168.200.0/24, 10.167.200.0/24, 10.168.200.0/24
    Endpoint = ****************:65534
    PersistentKeepalive = 25

OpenVPN (relevant to routing) part of the config

    register-dns
    route-delay 4
    route-method exe
    route-metric 512
    route 192.168.200.0 255.255.255.0
    route 10.168.200.0 255.255.255.0
    route 10.167.200.0 255.255.255.0
    route 0.0.0.0 0.0.0.0

Traceroute from WireGuard client to OpenVPN client

    Tracing route to 10.168.200.248 over a maximum of 30 hops

      1     9 ms    11 ms    10 ms  10.168.200.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.

Traceroute from OpenVPN client to WireGuard client

    Tracing route to 10.168.200.2 over a maximum of 30 hops

      1     4 ms     3 ms     3 ms  10.168.200.254
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.

Mikrotik config:

    # 2024-01-22 16:30:30 by RouterOS 7.13.2
    #
    # model = C52iG-5HaxD2HaxD
    /interface bridge
    add admin-mac=48:A9:8A:62:7A:17 auto-mac=no comment=defconf name=bridge \
        port-cost-mode=short protocol-mode=none vlan-filtering=yes
    /interface ethernet
    set [ find default-name=ether1 ] comment=Internet poe-out=off
    /interface ovpn-server
    add name=<ovpn-magacin-kapija.domain.loc> user=magacin-kapija.domain.loc
    add name=<ovpn-pr1pr4-kapija.domain.loc> user=pr1pr4-kapija.domain.loc
    add name=<ovpn-pr2-kapija.domain.loc> user=pr2-kapija.domain.loc
    add name=<ovpn-pr5-kapija.domain.loc> user=pr5-kapija.domain.loc
    add name=<ovpn-pr6-kapija.domain.loc> user=pr6-kapija.domain.loc
    /interface wireguard
    add comment="Wireguard VPN" listen-port=65534 mtu=1412 name=WG
    /interface vlan
    add comment="LAN mreza" interface=bridge name=vlan1 vlan-id=1
    add comment="Buduca mreza za goste" interface=bridge name=vlan2 vlan-id=2
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    add comment="vlan20 - wifi gosti" name=WIFI
    /interface wifi channel
    add band=2ghz-ax disabled=no frequency=2412 name=1 width=20mhz
    add band=2ghz-ax disabled=no frequency=2437 name=6 width=20mhz
    add band=2ghz-ax disabled=no frequency=2462 name=11 width=20mhz
    add band=5ghz-ax disabled=no frequency=5180-5250 name=42 width=20/40/80mhz
    /interface wifi
    set [ find default-name=wifi1 ] channel=42 configuration.country=\
        "United States" .mode=ap .ssid=**** datapath.bridge=bridge .vlan-id=1 \
        disabled=no security.authentication-types=wpa2-psk .ft=yes \
        .ft-mobility-domain=0x10 .wps=disable
    set [ find default-name=wifi2 ] channel=1 configuration.country=\
        "United States" .mode=ap .ssid=**** datapath.bridge=bridge .vlan-id=1 \
        disabled=no security.authentication-types=wpa2-psk .ft=yes \
        .ft-mobility-domain=0x10 .wps=disable
    /ip pool
    add name=dhcp_vlan10 ranges=192.168.200.10-192.168.200.99
    add name=openvpn ranges=10.168.200.130-10.168.200.253
    /ip dhcp-server
    add address-pool=dhcp_vlan10 interface=vlan1 lease-time=2w1d name=dhcp1
    /port
    set 0 name=serial0
    /ppp profile
    add change-tcp-mss=yes dns-server=192.168.200.100 interface-list=LAN \
        local-address=10.168.200.254 name=openvpn only-one=yes remote-address=\
        openvpn use-compression=no use-encryption=required use-ipv6=no use-mpls=\
        no use-upnp=no
    /interface bridge port
    add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
        path-cost=10
    add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
        path-cost=10
    add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
        path-cost=10
    add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
        path-cost=10
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /ipv6 settings
    set disable-ipv6=yes max-neighbor-entries=15360
    /interface bridge vlan
    add bridge=bridge tagged=bridge untagged=\
        ether2,ether3,ether4,wifi1,wifi2,ether5 vlan-ids=1
    add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,wifi1,wifi2 \
        vlan-ids=2
    /interface list member
    add comment=defconf interface=vlan1 list=LAN
    add comment=defconf interface=ether1 list=WAN
    add interface=WG list=LAN
    /interface ovpn-server server
    set auth=sha1 certificate=kapija.domain.loc cipher=aes128-cbc \
        default-profile=openvpn enabled=yes netmask=25 port=587 \
        require-client-certificate=yes
    /interface wireguard peers
    add allowed-address=10.168.200.2/32 interface=WG preshared-key=\
        "********************************" public-key=\
        "********************************"
    add allowed-address=10.168.200.3/32 interface=WG preshared-key=\
        "********************************" public-key=\
        "********************************"
    /ip address
    add address=192.168.200.1/25 interface=vlan1 network=192.168.200.0
    add address=10.168.200.1 interface=WG network=10.168.200.1
    /ip dhcp-client
    add comment=defconf interface=ether1
    /ip dhcp-server lease
    ******************************
    /ip dhcp-server network
    add address=192.168.200.0/25 dns-server=192.168.200.100 domain=domain.loc \
        gateway=192.168.200.1
    /ip dns
    set servers=192.168.200.100
    /ip firewall filter
    add action=accept chain=input comment=\
        "defconf: accept established,related,untracked" connection-state=\
        established,related,untracked
    add action=accept chain=input disabled=yes src-address=************
    add action=drop chain=input comment="defconf: drop invalid" connection-state=\
        invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=accept chain=input comment=\
        "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
    add action=accept chain=input comment=Wireguard dst-port=65534 \
        in-interface-list=WAN protocol=udp
    add action=accept chain=input comment=OpenVPN dst-port=587 in-interface-list=\
        WAN protocol=tcp
    add action=drop chain=input comment="defconf: drop all not coming from LAN" \
        in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" \
        ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" \
        ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
        connection-state=established,related hw-offload=yes
    add action=accept chain=forward comment=\
        "defconf: accept established,related, untracked" connection-state=\
        established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" \
        connection-state=invalid
    add action=drop chain=forward comment=\
        "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
        connection-state=new in-interface-list=WAN
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" \
        ipsec-policy=out,none out-interface-list=WAN
    add action=dst-nat chain=dstnat dst-port=37777-37778 in-interface-list=WAN \
        protocol=tcp src-address=!192.168.200.0/25 to-addresses=192.168.200.25 \
        to-ports=37777-37778
    add action=dst-nat chain=dstnat dst-port=10000 in-interface-list=WAN \
        protocol=tcp src-address=!192.168.200.0/25 to-addresses=192.168.200.1 \
        to-ports=587
    /ip route
    add distance=1 dst-address=10.167.200.32/27 gateway=\
        <ovpn-pr2-kapija.domain.loc>
    add distance=1 dst-address=10.167.200.64/27 gateway=\
        <ovpn-magacin-kapija.domain.loc>
    add distance=1 dst-address=10.167.200.128/27 gateway=\
        <ovpn-pr5-kapija.domain.loc>
    add distance=1 dst-address=10.167.200.160/27 gateway=\
        <ovpn-pr6-kapija.domain.loc>
    add distance=1 dst-address=192.168.200.128/25 gateway=\
        <ovpn-pr1pr4-kapija.domain.loc>
    add disabled=no dst-address=10.168.200.0/25 gateway=WG routing-table=main \
        suppress-hw-offload=no
    /ipv6 firewall address-list
    add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
    add address=::1/128 comment="defconf: lo" list=bad_ipv6
    add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
    add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
    add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
    add address=100::/64 comment="defconf: discard only " list=bad_ipv6
    add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
    add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
    add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
    /ipv6 firewall filter
    add action=accept chain=input comment=\
        "defconf: accept established,related,untracked" connection-state=\
        established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=\
        invalid
    add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
        icmpv6
    add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
        33434-33534 protocol=udp
    add action=accept chain=input comment=\
        "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
        udp src-address=fe80::/10
    add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
        protocol=udp
    add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
        ipsec-ah
    add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
        ipsec-esp
    add action=accept chain=input comment=\
        "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
    add action=drop chain=input comment=\
        "defconf: drop everything else not coming from LAN" in-interface-list=\
        !LAN
    add action=accept chain=forward comment=\
        "defconf: accept established,related,untracked" connection-state=\
        established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" \
        connection-state=invalid
    add action=drop chain=forward comment=\
        "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
    add action=drop chain=forward comment=\
        "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
    add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
        hop-limit=equal:1 protocol=icmpv6
    add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
        icmpv6
    add action=accept chain=forward comment="defconf: accept HIP" protocol=139
    add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
        500,4500 protocol=udp
    add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
        ipsec-ah
    add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
        ipsec-esp
    add action=accept chain=forward comment=\
        "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
    add action=drop chain=forward comment=\
        "defconf: drop everything else not coming from LAN" in-interface-list=\
        !LAN
    /ppp secret
    add name=w.domain.loc profile=openvpn service=ovpn
    *******************
    /system clock
    set time-zone-name=Europe/Belgrade
    /system identity
    set name=kapija.domain.loc
    /system note
    set show-at-login=no
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN

Edit:

Wireguard peer config on Mikrotik

Capture.JPG (screenshot attached to the original post; not available here)
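To check what the three route tables above actually decide for the two failing pings, here is a longest-prefix-match lookup over them. This is an added example, not code from the post, from Windows or from RouterOS. The route entries are transcribed from the poster's tables and reduced to the ones that can match a 10.x destination; the Windows adapter names "eth", "tun" and "wg" and the ROUTER interface labels without the domain suffix are assumptions made for the example, as is the rule that a client route pointing at the tunnel adapter hands the packet to the router at the far end.

```python
"""Longest-prefix-match lookup over the route tables from the post (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, gateway or "on-link", interface, metric). Windows picks the longest
# prefix and then the lowest metric; RouterOS picks the longest prefix and then
# the lowest distance, so the same comparison works for both tables.
Route = Tuple[str, str, str, int]

# Transcribed from the post; adapter names "eth"/"tun"/"wg" are assumptions.
OVPN_CLIENT: List[Route] = [  # Windows OpenVPN client, 10.168.200.248
    ("0.0.0.0/0", "192.168.0.129", "eth", 25),
    ("0.0.0.0/0", "10.168.200.254", "tun", 537),
    ("10.167.200.0/24", "10.168.200.254", "tun", 537),
    ("10.168.200.0/24", "10.168.200.254", "tun", 537),
    ("10.168.200.128/25", "on-link", "tun", 281),
    ("192.168.0.128/25", "on-link", "eth", 281),
    ("192.168.200.0/24", "10.168.200.254", "tun", 537),
]
WG_CLIENT: List[Route] = [  # Windows WireGuard client, 10.168.200.2
    ("0.0.0.0/0", "192.168.255.254", "eth", 2),
    ("10.167.200.0/24", "on-link", "wg", 5),
    ("10.168.200.0/24", "on-link", "wg", 5),
    ("192.168.200.0/24", "on-link", "wg", 5),
    ("192.168.255.0/24", "on-link", "eth", 257),
]
ROUTER: List[Route] = [  # RouterOS main table; last field is the distance
    ("0.0.0.0/0", "10.168.1.1", "ether1", 1),
    ("10.167.200.32/27", "on-link", "ovpn-pr2-kapija", 1),
    ("10.167.200.64/27", "on-link", "ovpn-magacin-kapija", 1),
    ("10.167.200.128/27", "on-link", "ovpn-pr5-kapija", 1),
    ("10.167.200.160/27", "on-link", "ovpn-pr6-kapija", 1),
    ("10.168.1.0/24", "on-link", "ether1", 0),
    ("10.168.200.0/25", "on-link", "WG", 1),
    ("10.168.200.1/32", "on-link", "WG", 0),
    ("10.168.200.248/32", "on-link", "ovpn-w", 0),
    ("10.168.200.249/32", "on-link", "ovpn-pr6-kapija", 0),
    ("10.168.200.250/32", "on-link", "ovpn-pr1pr4-kapija", 0),
    ("10.168.200.251/32", "on-link", "ovpn-pr2-kapija", 0),
    ("10.168.200.252/32", "on-link", "ovpn-pr5-kapija", 0),
    ("10.168.200.253/32", "on-link", "ovpn-magacin-kapija", 0),
    ("192.168.200.0/25", "on-link", "vlan1", 0),
    ("192.168.200.128/25", "on-link", "ovpn-pr1pr4-kapija", 1),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Best route for dst: longest prefix wins, then lowest metric/distance."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_key: Optional[Tuple[int, int]] = None
    for route in table:
        net = ipaddress.ip_network(route[0])
        if addr not in net:
            continue
        key = (net.prefixlen, -route[3])  # longer prefix, then lower metric
        if best_key is None or key > best_key:
            best, best_key = route, key
    return best


def path(client: List[Route], tunnel_if: str, dst: str) -> List[str]:
    """Decision at each hop for a client-originated packet to dst.

    Assumption: a client route that uses the tunnel adapter delivers the packet
    to the router at the far end, which then runs its own lookup."""
    hops: List[str] = []
    r = lookup(client, dst)
    if r is None:
        return ["client: no route"]
    hops.append(f"client: {r[0]} via {r[1]} dev {r[2]}")
    if r[2] != tunnel_if:
        hops.append("client: leaves outside the tunnel, router never sees it")
        return hops
    rr = lookup(ROUTER, dst)
    hops.append(f"router: {rr[0]} via {rr[1]} dev {rr[2]}")
    return hops


if __name__ == "__main__":
    for label, hops in {
        "wg client -> ovpn client": path(WG_CLIENT, "wg", "10.168.200.248"),
        "ovpn client -> wg client": path(OVPN_CLIENT, "tun", "10.168.200.2"),
        "ovpn client -> unused pool addr": path(OVPN_CLIENT, "tun", "10.168.200.200"),
    }.items():
        print(label)
        for h in hops:
            print("   ", h)
```

With the tables as posted, both VPN-to-VPN lookups land on the expected tunnel at every decision point: on the WireGuard client 10.168.200.248 falls under the on-link 10.168.200.0/24, and on the router it hits the connected /32 of the OpenVPN session; in reverse, 10.168.200.2 is outside the OpenVPN adapter's on-link 10.168.200.128/25, so the /24 via 10.168.200.254 is used and the router's static 10.168.200.0/25 via WG takes it from there. Since the router is one hop from either client, hop 2 of both traceroutes should have been the destination host itself, so whatever is dropping the reply sits past the routing decision (the destination host's own firewall, which on Windows commonly scopes inbound ICMP to the local subnet, or a filter on the router), and a packet capture on the router's WG and ovpn interfaces is the way to tell which. One side effect also falls out of the table: the router has no route for 10.168.200.128/25 as a whole, only per-session /32s, so a packet to a pool address with no connected client falls through to the default route and leaves via ether1, masqueraded.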

Insights, advice, suggestions, feedback and comments from experts

Based on the information you provided, it seems like you are trying to configure OpenVPN and Wireguard clients to communicate with each other on your Hap AX2 router. You have different subnets for each type of client, and you are experiencing issues with routing between them. Let's dive into the concepts related to your configuration and troubleshoot the problem.

OpenVPN and Wireguard

OpenVPN and Wireguard are both popular VPN (Virtual Private Network) protocols used to create secure connections over the internet. They provide encryption and authentication mechanisms to protect your data while transmitting it between different networks or devices.

OpenVPN is an open-source VPN protocol that uses SSL/TLS (Secure Sockets Layer/Transport Layer Security) for encryption. It is widely supported and can be used on various operating systems and devices.

Wireguard, on the other hand, is a relatively new VPN protocol known for its simplicity and efficiency. It aims to provide a faster and more secure VPN solution compared to traditional protocols like OpenVPN.

Subnets and IP Addresses

In networking, a subnet is a portion of a larger IP network. It allows you to divide a network into smaller, more manageable segments. Each subnet has its own range of IP addresses and can be used to isolate different groups of devices or networks.

In your case, you have multiple subnets defined:

  • LAN subnet: 192.168.200.0/25 with a router IP of 192.168.200.1/25.
  • Wireguard subnet: 10.168.200.0/25 with a router IP of 10.168.200.1/32.
  • OpenVPN subnet: 10.168.200.128/25 with a router IP of 10.168.200.254/25.
  • OpenVPN site-to-site subnet for remote branches: 10.167.200.0/24.
  • OpenVPN site-to-site subnet for remote branch: 192.168.200.128/25.

These subnets allow you to logically separate your network and assign different IP addresses to devices within each subnet.

Routing and Firewall Rules

Routing is the process of determining the path that network traffic should take from one network to another. In your case, you need to configure routing between the different subnets to enable communication between the OpenVPN and Wireguard clients.

Firewall rules, on the other hand, control the flow of network traffic based on predefined criteria. They can be used to allow or block specific types of traffic between different networks or devices.

Based on your description, all interfaces belong to the LAN interface list, so no additional firewall forward rules should be necessary. However, you mentioned that you tried adding firewall rules without success.

Troubleshooting Steps

To troubleshoot the issue with routing between your OpenVPN and Wireguard clients, you can follow these steps:

  1. Verify that the OpenVPN and Wireguard server configurations on your router are correct. Ensure that the subnets and IP addresses are properly configured.

  2. Check the routing tables on both the OpenVPN and Wireguard clients. The routing tables determine how network traffic is directed. Make sure that the routes for the respective subnets are correctly configured.

  3. Verify that the firewall rules on your router are not blocking the traffic between the OpenVPN and Wireguard clients. Double-check the firewall rules related to OpenVPN and Wireguard to ensure they allow the necessary traffic.

  4. Use the traceroute command from both the Wireguard and OpenVPN clients to see the path the network traffic takes and identify any potential issues. The traceroute command will show you the hops between the source and destination IP addresses.

  5. If the issue persists, you may need to consult the documentation or seek support from the manufacturer of your Hap AX2 router. They can provide specific guidance on configuring OpenVPN and Wireguard clients to communicate with each other on their hardware.

I hope these steps help you troubleshoot the routing issue between your OpenVPN and Wireguard clients. Remember to double-check your configurations and consult the documentation or support resources for your specific router model if needed.
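Step 3 above, and the poster's remark that adding forward rules changed nothing, come down to how a first-match chain with an implicit accept at the end treats the posted rules. The walk below is an added example, not code from the post or from RouterOS. The forward chain is transcribed from the poster's /ip firewall filter, the interface-list membership is taken from the posted config (ppp profile interface-list=LAN, WG added to LAN, ether1 in WAN), the two ipsec-policy rules are left out because nothing here is IPsec, and fasttrack-connection is modelled as non-terminating, which is the reason the default configuration pairs it with an accept rule.

```python
"""First-match walk of the posted IPv4 forward chain (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Membership from the posted config. OpenVPN session interfaces get LAN from
# the ppp profile (interface-list=LAN); the session names are constructed.
INTERFACE_LISTS: Dict[str, Set[str]] = {
    "WAN": {"ether1"},
    "LAN": {"vlan1", "WG", "ovpn-w", "ovpn-pr2-kapija", "ovpn-pr1pr4-kapija"},
}


@dataclass
class Packet:
    in_iface: str
    out_iface: str
    conn_state: str          # new | established | related | untracked | invalid
    nat_state: str = "none"  # dstnat | srcnat | none


@dataclass
class Rule:
    action: str
    comment: str
    conn_state: Optional[Set[str]] = None
    in_list: Optional[str] = None     # "WAN" or "!WAN"
    nat_state: Optional[str] = None   # "dstnat" or "!dstnat"

    def matches(self, p: Packet) -> bool:
        if self.conn_state is not None and p.conn_state not in self.conn_state:
            return False
        if self.in_list is not None:
            negated = self.in_list.startswith("!")
            member = p.in_iface in INTERFACE_LISTS.get(self.in_list.lstrip("!"), set())
            if member == negated:
                return False
        if self.nat_state is not None:
            negated = self.nat_state.startswith("!")
            if (p.nat_state == self.nat_state.lstrip("!")) == negated:
                return False
        return True


# The poster's forward chain, in order, minus the two ipsec-policy rules.
FORWARD_CHAIN: List[Rule] = [
    Rule("fasttrack", "defconf: fasttrack", conn_state={"established", "related"}),
    Rule("accept", "defconf: accept established,related, untracked",
         conn_state={"established", "related", "untracked"}),
    Rule("drop", "defconf: drop invalid", conn_state={"invalid"}),
    Rule("drop", "defconf: drop all from WAN not DSTNATed",
         conn_state={"new"}, in_list="WAN", nat_state="!dstnat"),
]


def verdict(p: Packet, chain: List[Rule] = FORWARD_CHAIN) -> str:
    """Action of the first terminating rule that matches p, or the implicit
    accept a RouterOS chain applies when no rule terminates the packet."""
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.action == "fasttrack":
            continue  # marks the connection for fast path; packet continues
        return f"{rule.action} ({rule.comment})"
    return "accept (end of chain, implicit accept)"


if __name__ == "__main__":
    for p in (
        Packet("WG", "ovpn-w", "new"),
        Packet("ovpn-w", "WG", "new"),
        Packet("WG", "ovpn-w", "established"),
        Packet("ether1", "vlan1", "new"),
        Packet("ether1", "vlan1", "new", "dstnat"),
    ):
        print(f"{p.in_iface:>8} -> {p.out_iface:<8} {p.conn_state:<12} {verdict(p)}")
```

A new flow between WG and an OpenVPN session interface matches nothing in the chain and is passed by the implicit accept, so explicit accept rules for it are redundant, which is consistent with what the poster saw. The flip side for anyone hardening this box: every non-WAN interface, both VPN populations and the branch tunnels included, can open connections to every other, so if the road-warrior WireGuard peers and the site-to-site branches are meant to be separate trust zones, that separation has to be written as explicit drop rules placed before the end of the chain.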
