Working IKEv2 with ProtonVPN, how can I do the same using Wireguard?

Hi,

I have a fully working IKEv2 VPN setup using address-list and connection-marking that works really well. I followed guides on various sites and got it working. As a next step, I would like to do the same using Wireguard under ProtonVPN, as it is a more modern VPN protocol.

Can you please guide me on how to do that? Any help would be appreciated.

Start of my Wireguard config

/interface wireguard
add listen-port=13231 mtu=1420 name=WG-PROTON-CZ private-key="XXX"

/ip address
add address=10.2.0.2/30 interface=WG-PROTON-CZ network=10.2.0.0 

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=XXX endpoint-port=51820 interface=WG-PROTON-CZ persistent-keepalive

I tried using the same logic with masquerade together with conn marking as below, but it just doesn’t work.

IKEv2 config

In git repo as well as below:
https://github.com/Ownercz/MikroTik-ProtonVPN/tree/main

Certificate download and import

/tool fetch url="https://protonvpn.com/download/ProtonVPN_ike_root.der"  
/certificate import file-name=ProtonVPN_ike_root.der

IPsec config

/ip ipsec policy group add name="ProtonVPN"
/ip ipsec profile add dh-group=modp4096,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="ProtonVPN"
/ip ipsec proposal add name="ProtonVPN" auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 
/ip ipsec policy add dst-address=0.0.0.0/0 group="ProtonVPN" proposal="ProtonVPN" src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config add connection-mark=nat-to-protonvpn-cz name=ProtonVPN-CZ responder=no use-responder-dns=no
/ip ipsec peer add address="PROTON_SERVER_ADDRESS_FROM_USER_PROFILE_OVPN_CONFIG" exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN send-initial-contact=yes  
/ip ipsec identity add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN peer=ProtonVPN policy-template-group=ProtonVPN username=USER password=PASS 

Routing via address-list, conn mark and mangle

/ip firewall address-list add address=192.168.20.100 list=protonvpn-only-cz
/ip firewall address-list
add address=192.168.0.0/16 list=no-vpn
/ip firewall mangle
add action=mark-connection chain=forward dst-address-list=!no-vpn \
    new-connection-mark=nat-to-protonvpn-cz passthrough=yes src-address-list=\
    protonvpn-only-cz
add action=change-mss chain=forward connection-mark=nat-to-protonvpn-cz new-mss=\
    1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360

Did you add the routing, after creating the wireguard bit?

Also do you get a handshake on the peer?

https://protonvpn.com/support/wireguard-mikrotik-routers

maybe this will help you get on track?

While it doesn’t help your problem, I’d like to point out the funny irony that someone who can get IPsec IKEv2 working can’t get WireGuard working.

Yes, WG connection and ping directly to the opposite side works.
I did not touch any other routing (as guide suggested), as I do have two gateways that are netwatch switched (if primary goes down, then LTE backup kicks in).

I followed these and for some reason it does not work. Oh well, I will just use the client on my laptop

Haha, well I am an infrastructure engineer and I definitely see my IKEv2 solution in MikroTik as a really straightforward way to route packets.

I work with WG in Linux and I use it to NAT a lot of services around as well as for site2site tunneling, but this piece (WG as a VPN route) is just not so straightforward to me.

What does your route table look like?

I create a VPN route table with a default route over the wg-vpn, then a second default route with a high distance that’s just a black hole, to stop leaking.

Then in the mangle rules, for whatever clients need VPN, I change the routing mark to the VPN table.
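The approach described in this answer (a dedicated routing table, a blackhole fallback and a routing mark set in mangle), combined with the address lists from the IKEv2 config earlier in the thread, as an added RouterOS v7 example that is not any poster's config nor ProtonVPN's guide. It assumes the interface name WG-PROTON-CZ, the 10.2.0.2/30 tunnel address and the address-list names protonvpn-only-cz and no-vpn from the thread; the table name to-protonvpn-cz and the MSS value are my own choices.

```routeros
# Added example: policy-route only the hosts in "protonvpn-only-cz" through the
# WireGuard interface WG-PROTON-CZ, with a kill switch so nothing leaks via the
# ISP when the tunnel is down. Table name and MSS value are assumptions.

# 1. A separate routing table. "fib" makes it usable for forwarding.
/routing table
add name=to-protonvpn-cz fib

# 2. Default route in that table over the tunnel. Distance 1 wins while the
#    interface is up; if it goes down, the blackhole (distance 10) takes over,
#    so marked traffic is dropped instead of falling back to the main table.
/ip route
add dst-address=0.0.0.0/0 gateway=WG-PROTON-CZ routing-table=to-protonvpn-cz \
    distance=1 comment="ProtonVPN CZ via WireGuard"
add dst-address=0.0.0.0/0 blackhole routing-table=to-protonvpn-cz \
    distance=10 comment="kill switch: no tunnel, no traffic"

# 3. Set the routing mark in prerouting for the VPN-only hosts, except traffic
#    to the LAN itself (no-vpn). prerouting only sees packets arriving on an
#    interface, so the router's own WireGuard UDP to the ProtonVPN endpoint is
#    never marked and still leaves via the main table; marking it would break
#    the tunnel's own transport (the issue mentioned later in this thread).
/ip firewall mangle
add chain=prerouting src-address-list=protonvpn-only-cz \
    dst-address-list=!no-vpn action=mark-routing \
    new-routing-mark=to-protonvpn-cz passthrough=yes
# Clamp TCP MSS to fit the 1420-byte tunnel MTU (1420 - 40 byte IP/TCP headers).
add chain=forward out-interface=WG-PROTON-CZ protocol=tcp tcp-flags=syn \
    tcp-mss=!0-1380 action=change-mss new-mss=1380 passthrough=yes

# 4. Source NAT: the far end only accepts the tunnel address 10.2.0.2 as source.
/ip firewall nat
add chain=srcnat out-interface=WG-PROTON-CZ action=masquerade

# 5. Belt and braces: VPN-only hosts may never be forwarded out of anything
#    except the tunnel, whatever the routing decision was.
/ip firewall filter
add chain=forward src-address-list=protonvpn-only-cz dst-address-list=!no-vpn \
    out-interface=!WG-PROTON-CZ action=drop comment="no ISP path for VPN-only hosts"
```

To check the result, `/ip/route print where routing-table=to-protonvpn-cz` should show the WireGuard route active and the blackhole inactive, and `/interface/wireguard/peers print` should show a recent last-handshake before any client traffic is expected to flow.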

Same here, the guide is written weirdly.

I’m at home now and reading your post.

I do remember WireGuard having issues if you wanted to run firewall stuff on packets for the tunnel itself; it had something to do with how it runs on the Linux kernel. From looking at the firewall rules, this seems to be what you’re trying to do.

Unless this is a mistake and you’re just trying to NAT traffic inside the VPN, not the VPN itself.

Here’s the thread from over 1 year ago where me and someone else commented on the issue: Wireguard UDP 'ciphertext' socket in VRF - MikroTik

Routing table main looks just like this (LAN routing omitted). The idea with a VPN routing table seems promising, I will take a look into that.

[admin@MikroTik-RB5009] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS        GATEWAY           DISTANCE
  D d 0.0.0.0/0          lte.gat.ewa.yip           10
  DAv 0.0.0.0/0          primary-isp           4
  DAc 10.2.0.0/30        WG-PROTON-CZ             0
  DAc ipv4_isp_address/32  primary-isp           0

Ideally, I would like to use packet/connection marking to force packets through the vpn.

Thanks for the link, I will check it out.