What I would do is create a Wireguard tunnel between the VPS and the mikrotik router.
The server and files would be hosted on the Mikrotik Router.
On the CHR I would port forward inquiries coming in externally from users (or in this case just the admin) to the VPS public IP or domain name/URL etc.
They would be port forwarded into the tunnel.
DONE.
Assuming server is 192.168.0.25 and port 10101 on the MT router.
VPS
/interface wireguard
add name=wireguard-vps listen-port=15444
/ip address
add address=10.10.10.1/24 interface=wireguard-vps network=10.10.10.0
/interface wireguard peers
add allowed-address=10.10.10.2/32,192.168.0.0/24 interface=wireguard-vps public-key="" comment="PEER MT ROUTER (add additional subnets on the MT as required)"
add allowed-address=10.10.10.3/32 interface=wireguard-vps public-key="" comment="PEER ADMIN LAPTOP"
add allowed-address=10.10.10.4/32 interface=wireguard-vps public-key="" comment="PEER ADMIN IPHONE"
/ip route
add dst-address=192.168.0.0/24 gateway=wireguard-vps routing-table=main
/ip firewall filter ( complete set of default rules except replace the forward chain rule associated with port forwarding with the following )
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding"
add action=accept chain=forward in-interface=wireguard-vps out-interface=wireguard-vps comment="relay for remote users to MT Router"
add action=accept chain=forward in-interface=wireguard-vps out-interface-list=WAN comment="allows remote users or users on MT to use VPS internet if required"
add action=drop chain=forward comment="Drop all else"
Probably want to also add an input chain rule
add chain=input action=accept in-interface=wireguard-vps comment="remote or MT Router admin config access to VPS"
/ip firewall nat
add chain=srcnat action=src-nat out-interface-list=WAN to-addresses=<static VPS public IP>
add chain=dstnat action=dst-nat dst-address=<VPS public IP> dst-port=10101 protocol=tcp to-addresses=192.168.0.25
+++++++++++++++++++++++++++++++++++++++++++++++++++++
MT Router
/interface wireguard
add name=WG listen-port=10222
/ip address
add address=10.10.10.2/24 interface=WG network=10.10.10.0
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=WG public-key="" endpoint-address=DOMAINNAME endpoint-port=15444 persistent-keepalive=30s comment="PEER VPS"
/ip firewall filter
add chain=input action=accept in-interface=WG comment="allow remote admin IPs to config router"
add chain=forward action=accept in-interface=WG out-interface-list=LAN comment="Remote access to local LANs/Server"
add chain=forward action=accept src-address-list=ADMIN out-interface=WG comment="allow local admin IPs to tunnel"
Posted by anav — Fri Jan 05, 2024 5:56 pm
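The allowed-address lists in the post are doing the access-control work: WireGuard only encrypts a packet to the peer whose allowed-address covers the destination, and drops a decrypted packet whose source is not inside that peer's allowed-address. The following is an added Python model of that cryptokey routing (not from anav's post or from RouterOS), using the post's peer addresses; the peer names are constructed labels.

```python
import ipaddress

# Constructed from the VPS-side peer list in the post: peer label -> allowed-address.
VPS_PEERS = {
    "mt-router": ["10.10.10.2/32", "192.168.0.0/24"],
    "admin-laptop": ["10.10.10.3/32"],
    "admin-iphone": ["10.10.10.4/32"],
}
# The MT router side of the same tunnel: everything goes to the VPS peer.
MT_PEERS = {"vps": ["0.0.0.0/0"]}


def build_cryptokey_table(peers):
    """Flatten peers into (network, peer) rows, longest prefix first."""
    rows = [(ipaddress.ip_network(net), peer)
            for peer, nets in peers.items() for net in nets]
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def outbound_peer(table, dst):
    """Peer an outgoing packet to dst is encrypted to; None means not tunnelled."""
    addr = ipaddress.ip_address(dst)
    for net, peer in table:
        if addr in net:
            return peer
    return None


def inbound_accepted(table, peer, src):
    """A decrypted packet is kept only if src lies in *that* peer's allowed-address.
    This is what stops an admin peer from injecting packets with a LAN source."""
    addr = ipaddress.ip_address(src)
    return any(addr in net and p == peer for net, p in table)


def overlapping_allowed(table):
    """Peer pairs whose allowed-address ranges overlap. WireGuard hands an
    overlapping prefix to the peer configured last, silently redirecting traffic,
    so a clean design has none."""
    clashes = []
    for i, (n1, p1) in enumerate(table):
        for n2, p2 in table[i + 1:]:
            if p1 != p2 and n1.overlaps(n2):
                clashes.append((p1, p2))
    return clashes
```

Run against the post's addresses: the dst-nat target 192.168.0.25 resolves to the MT router peer (which is why 192.168.0.0/24 must be in its allowed-address), an admin peer cannot source traffic from the LAN range, and the two peer lists contain no overlaps.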