Root.cz Forum
Main topics => Networks => Topic started by: Jigdo 01. 06. 2022, 01:23:57
-
Following the guide from the article
https://www.root.cz/clanky/navod-vpn-wireguard-na-routerech-mikrotik-a-telefonech-s-androidem/
everything works as it should.
/interface/wireguard/print
/interface/wireguard/add name=wireguard1 mtu=1420 listen-port=13231
/interface/wireguard/print
NOTE: public-key="Mikrotik-Public-key="
/interface/wireguard/peers/print
/interface/wireguard/peers/add interface=wireguard1 allowed-address=10.200.0.2/32 persistent-keepalive=30s comment="Samsung SM-N986B/DS" public-key="Android-Interface-Publick-key-generated"
/ip/address/print
/ip/address/add interface=wireguard1 address=10.200.0.1/24
On Android:
Interface:
- Name: MikrotikVPN
- Private key: GENERATE with arrows
- Public key: (generated in previous step)
- Addresses: 10.200.0.2/32
- DNS servers: 192.168.1.1
Peer:
- Public key: Mikrotik-Public-key=
- Allowed IPs: 0.0.0.0/0
- Persistent keepalive: every 30 seconds
- Endpoint: Mikrotik IP/domain name (xxxxxx.sn.mynetname.net) : 13231
But I can't reach the local PCs that are connected to that MikroTik on the 192.168.1.1/24 address range.
As Mr. Krcmar writes in the article/comments, the VPN is set up, and now it's about configuring the router correctly.
Can anyone advise how to configure Android/MikroTik so that the Android device has access to the MikroTik's local network + the Internet?
And one more thing: on that Android (on all my devices) I use DoT from Mullvad, "adblock.doh.mullvad.net", which works perfectly for blocking ads, but after connecting to the WG VPN with the MikroTik it drops out, so how do I set it up so that DoT keeps working even when connected to the WG on the MikroTik?
-
Maybe a shot in the dark, but try adding 192.168.1.0/24 to allowed-address as well.
WireGuard itself should handle the routing (but I don't know how it is on MK).
-
Because you end up in the firewall: which interface list is the wireguard1 interface in?
Either allow forward for it, or add it to the LAN list. If you add it to the LAN list, it will be able to do exactly what the other devices in the LAN do, including connecting to the Internet and using Mullvad DNS.
-
What's odd is that with the factory configuration (see the article), streaming in VLC on the phone works for me, but only for audio/video that I had already watched on the phone from the miniDLNA server on that network.
So in VLC 3.4.4, [... More] - [History ->], where the whole history is, when I pick some audio/video it works......
But when I pick [Browse], the PC with miniDLNA simply isn't visible in Local Network :(
-
> Maybe a shot in the dark, but try adding 192.168.1.0/24 to allowed-address as well.
> WireGuard itself should handle the routing (but I don't know how it is on MK).
/interface/wireguard/peers/add interface=wireguard1 allowed-address=10.200.0.2/32,192.168.1.0/24 persistent-keepalive=30s comment="Samsung SM-N986B/DS" public-key="Android-Interface-Publick-key-generated"
And nothing, it doesn't work :(
-
> What's odd is that with the factory configuration (see the article), streaming in VLC on the phone works for me, but only for audio/video that I had already watched on the phone from the miniDLNA server on that network.
> So in VLC 3.4.4, [... More] - [History ->], where the whole history is, when I pick some audio/video it works......
> But when I pick [Browse], the PC with miniDLNA simply isn't visible in Local Network :(
And it won't be... DLNA discovery runs over broadcast, the LAN is in a different subnet from the wireguard interface, so you won't see it. And yes, the playback itself goes over unicast, so that works.
> /interface/wireguard/peers/add interface=wireguard1 allowed-address=10.200.0.2/32,192.168.1.0/24 persistent-keepalive=30s comment="Samsung SM-N986B/DS" public-key="Android-Interface-Publick-key-generated"
> And nothing, it doesn't work :(
I'd be surprised if it did; read what I wrote above.
The local LAN address doesn't belong in the allowed list!
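Added example (not the posters' or MikroTik's code) modelling the WireGuard cryptokey-routing rule this answer relies on: a peer's allowed-address is both the destination match for traffic sent into the tunnel and the source filter for traffic received from that peer. The peer names and the LAN host 192.168.1.50 are constructed for the demonstration; the other addresses follow the thread.

```python
import ipaddress


class WireGuardInterface:
    """Minimal model of WireGuard cryptokey routing (added example, not RouterOS code).

    A peer's allowed prefixes are used twice:
      * outbound: a packet handed to the interface is encrypted for the peer whose
        allowed prefix is the longest match for the destination address;
      * inbound: a decrypted packet is accepted only if its source address lies in
        one of the sending peer's allowed prefixes, otherwise it is dropped.
    """

    def __init__(self):
        self.peers = {}  # peer name -> list of allowed networks

    def add_peer(self, name, allowed_address):
        self.peers[name] = [ipaddress.ip_network(a) for a in allowed_address.split(",")]

    def select_peer(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for name, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None  # None: no peer, the packet is not sent

    def accept_inbound(self, peer, src):
        src = ipaddress.ip_address(src)
        return any(src in net for net in self.peers[peer])


def build_phone():
    """Android side from the thread: one peer (the router) with Allowed IPs 0.0.0.0/0."""
    phone = WireGuardInterface()
    phone.add_peer("router", "0.0.0.0/0")
    return phone


def build_router(widen_phone=False):
    """Router side from the thread. widen_phone adds the LAN prefix to the phone's
    entry, which is the change tried above and rejected in this answer."""
    router = WireGuardInterface()
    router.add_peer("phone", "10.200.0.2/32" + (",192.168.1.0/24" if widen_phone else ""))
    router.add_peer("ipad", "10.200.0.3/32")
    return router
```

On the phone, 0.0.0.0/0 already covers the LAN, which is where the LAN prefix belongs; on the router, widening the phone's entry makes a packet from the phone carrying a LAN source address acceptable instead of dropped.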
-
> Because you end up in the firewall: which interface list is the wireguard1 interface in?
> Either allow forward for it, or add it to the LAN list. If you add it to the LAN list, it will be able to do exactly what the other devices in the LAN do, including connecting to the Internet and using Mullvad DNS.
At the moment I don't have WinBox/WWW access to this MikroTik, only SSH, so configuring it over SSH is basically trial and error for me :(
Can you advise a CLI command?
-
> At the moment I don't have WinBox/WWW access to this MikroTik, only SSH, so configuring it over SSH is basically trial and error for me :(
> Can you advise a CLI command?
Sure, no problem:
/interface list member
add interface=wireguard1 list=LAN
The alternative is to allow, in /ip/firewall/filter for the forward chain, exactly the ranges of IP addresses between which data may flow from the wireguard1 interface to the other interfaces. Adding it to the LAN list allows everything.
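Added example (not the thread's or RouterOS's code) that walks the default-config filter rules printed later in the thread through a new connection arriving on wireguard1, with and without wireguard1 in the LAN list. The fasttrack and IPsec-policy rules are omitted because they cannot match a new, non-IPsec connection; the router's own addresses 192.168.1.1 and 10.200.0.1 come from the thread, and the LAN host 192.168.1.50 is constructed.

```python
# Interface lists as printed in the thread; only wireguard1's membership is varied.
def interface_lists(wg_in_lan):
    lan = {"bridge", "wireguard1"} if wg_in_lan else {"bridge"}
    return {"LAN": lan, "WAN": {"ether1", "pppoe-out1"}}

# The defconf filter rules that can match a new, non-IPsec connection, in order.
# Each entry: (chain, match conditions, action).
RULES = [
    ("input",   {"conn_state": {"established", "related", "untracked"}}, "accept"),
    ("input",   {"conn_state": {"invalid"}}, "drop"),
    ("input",   {"protocol": "icmp"}, "accept"),
    ("input",   {"protocol": "udp", "dst_port": 13231}, "accept"),  # the WireGuard port
    ("input",   {"dst": "127.0.0.1"}, "accept"),
    ("input",   {"in_list_not": "LAN"}, "drop"),  # "drop all not coming from LAN"
    ("forward", {"conn_state": {"established", "related", "untracked"}}, "accept"),
    ("forward", {"conn_state": {"invalid"}}, "drop"),
    ("forward", {"conn_state": {"new"}, "nat_state_not": "dstnat", "in_list": "WAN"}, "drop"),
]

ROUTER_ADDRESSES = {"192.168.1.1", "10.200.0.1"}  # the router's own addresses (from the thread)

def matches(cond, pkt, lists):
    """True when every condition of a rule holds for the packet."""
    checks = {
        "conn_state":    lambda v: pkt["conn_state"] in v,
        "protocol":      lambda v: pkt["protocol"] == v,
        "dst_port":      lambda v: pkt.get("dst_port") == v,
        "dst":           lambda v: pkt["dst"] == v,
        "in_list":       lambda v: pkt["in_iface"] in lists[v],
        "in_list_not":   lambda v: pkt["in_iface"] not in lists[v],
        "nat_state_not": lambda v: pkt.get("nat_state") != v,
    }
    return all(checks[key](value) for key, value in cond.items())

def verdict(pkt, wg_in_lan):
    """Filter action for a packet; an unmatched packet is accepted (RouterOS default)."""
    chain = "input" if pkt["dst"] in ROUTER_ADDRESSES else "forward"
    lists = interface_lists(wg_in_lan)
    for rule_chain, cond, action in RULES:
        if rule_chain == chain and matches(cond, pkt, lists):
            return action
    return "accept"

# Constructed packets: a DNS query to the router itself, and SMB to a LAN host.
DNS_TO_ROUTER = {"in_iface": "wireguard1", "protocol": "udp", "dst": "192.168.1.1",
                 "dst_port": 53, "conn_state": "new"}
SMB_TO_PC = {"in_iface": "wireguard1", "protocol": "tcp", "dst": "192.168.1.50",
             "dst_port": 445, "conn_state": "new"}
```

With this rule set, a new connection from wireguard1 to the router itself (the DNS case) is dropped by "drop all not coming from LAN" until wireguard1 is in the LAN list, while the forward chain only drops new connections arriving from the WAN list.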
-
> Because you end up in the firewall: which interface list is the wireguard1 interface in?
> Either allow forward for it, or add it to the LAN list. If you add it to the LAN list, it will be able to do exactly what the other devices in the LAN do, including connecting to the Internet and using Mullvad DNS.
/interface list member print
Columns: LIST, INTERFACE
# LIST INTERFACE
;;; defconf
0 LAN bridge
;;; defconf
1 WAN ether1
2 WAN pppoe-out1
-
You should get this added there:
3 LAN wireguard1
-
> You should get this added there:
> 3 LAN wireguard1
Yes, it's there:
[aaisp@MikroTik] > /interface list member print
Columns: LIST, INTERFACE
# LIST INTERFACE
;;; defconf
0 LAN bridge
;;; defconf
1 WAN ether1
2 WAN pppoe-out1
3 LAN wireguard1
[aaisp@MikroTik] > /interface wireguard peers print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-PORT, ALLOWED-ADDRESS, PERSISTENT-KEEPALIVE
# INTERFACE PUBLIC-KEY ENDPOINT-PORT ALLOWED-ADDRESS PERSISTENT-KEEPALIVE
;;; iPad A2124
0 wireguard1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= 0 10.200.0.3/32 30s
;;; Samsung SM-N986B/DS
1 wireguard1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= 0 10.200.0.2/32 30s
[aaisp@MikroTik] > /interface/wireguard/print
Flags: X - disabled; R - running
0 R name="wireguard1" mtu=1420 listen-port=13231 private-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=" public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
[aaisp@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
7 ;;; defconf: accept ICMP
chain=input action=accept protocol=udp dst-port=13231 log=yes log-prefix=""
8 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
9 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
10 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
11 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
12 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
13 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
14 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
15 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
The DoT error message no longer shows (thanks), but VLC still doesn't find the local PC 192.168.1.xxx running miniDLNA, and TvhClient on the iPad also doesn't see the TVH server, which also runs on that network at 192.168.1.xx .....
But if I enter a direct address for the program/playlist into VLC, that already works (thanks).
-
UPnP discovery won't work, because it's broadcast, as I wrote above. A direct link (=unicast) will work.
(I had a longer explanation written, but in the meantime root logged me out and I lost the post I had written. I won't write it a second time, sorry.)
Btw, WinBox and logging in via the web browser to the router's internal interface should work for you now.
-
> UPnP discovery won't work, because it's broadcast, as I wrote above. A direct link (=unicast) will work.
> (I had a longer explanation written, but in the meantime root logged me out and I lost the post I had written. I won't write it a second time, sorry.)
> Btw, WinBox and logging in via the web browser to the router's internal interface should work for you now.
That constant logout is annoying, but before I hit "Preview/Post" I always copy the whole thing with Ctrl+C.
Can you think of any way to play multimedia (audio/video) stored on the PC with miniDLNA 192.168.1.xxx remotely like this?
I'm away from home at the moment (and today the hurricane season starts in the Atlantic)... so access only via SSH/CLI :(
-
> That constant logout is annoying, but before I hit "Preview/Post" I always copy the whole thing with Ctrl+C.
> Can you think of any way to play multimedia (audio/video) stored on the PC with miniDLNA 192.168.1.xxx remotely like this?
> I'm away from home at the moment (and today the hurricane season starts in the Atlantic)... so access only via SSH/CLI :(
I'd leave DLNA out entirely; I'd share the media folders on the PC over SMB and play the videos from the SMB share in VLC.
-
> Can you think of any way to play multimedia (audio/video) stored on the PC with miniDLNA 192.168.1.xxx remotely like this?
I've solved it myself with a GRE tunnel between the devices (DLNA server in a datacenter + gateway at home), which I carry over the WireGuard connection.
As a result the DLNA server has a static address on the home internal network and it works just as if it were physically at home. :-)