Closed hats0id closed 3 weeks ago
Hey,
Currently the application only knows about IP addresses that are used from creating peers through the app. However I think I can change this to also know about addresses already existing, I'll have a look into this.
For the second thing, are you talking about what the user logs into MikroGuard with, wanting this to be just a username instead of an email address?
I have added functionality to skip IPs already used in the router. Could you test this image: ghcr.io/xterm-inator/mikroguard:pr-41 with your setup and let me know if it works?
Hello there. Thank you very much for the fast response. I have tried and got an error:
[2024-06-19 19:34:31] production.ERROR: Invalid IP address format {"userId":1,"exception":"[object] (IPTools\Exception\IpException(code: 0): Invalid IP address format at /opt/app/vendor/s1lentium/iptools/src/IP.php:35)
I have checked one more time and it works. I have had a few peers with an IP range, for example 192.168.1.1-192.168.1.30, and two peers with IPs 192.168.1.253 and 192.168.1.254. After removing these, all works. Maybe you should add more checks. And regarding username and password: since there is no username and password when someone creates a peer for WireGuard, I do not really understand the purpose of these when I create peers. Can you clarify this?
Hey, Thanks for testing.
I'll have a look into getting it working with ip ranges using 192.168.1.1-192.168.1.30 style, it should currently work for ranges with a CIDR notation e.g. 192.168.1.2/30.
I'm not sure why it wouldn't with 192.168.1.253 and 192.168.1.254, could you try these ones again?
The app is built around the concept of each user manages their own connection, e.g. a company with many users and each user can login to get their connection details. However, I am currently working on an update that will allow each user to have multiple peers so that might solve your problem.
In my setup I have 32 peers, for example 192.168.1.2-192.168.1.30, and two peers with IPs 192.168.1.253 and 192.168.1.254. I guess the problem is in your algorithm for checking used/unused IPs. And maybe it just checked that the last IP (192.168.1.254) for the 192.168.1.0/24 subnet was used and there are no free IPs for a new peer. After deleting (changing IPs) so that all peers have IPs sequentially in the range 192.168.1.2-192.168.1.34, it works.
Ah OK, I get what you mean, so you have multiple peers between 192.168.1.2 and 192.168.1.30, not a single peer with a range. pr-41 should work with that and with your high range IPs, so I'm not sure why it didn't, but I'll do some more tests later in the week to try and find the issue.
So, I tested with 4 peers using 10.255.254.2/32, 10.255.254.3/32, 10.255.254.120/32, 10.255.254.4/32, all created in WinBox. Then set up a new MikroGuard instance and created a new peer and it gave me an IP of 10.255.254.5/32, which is expected. So I'm not sure why your instance had an error.
I have added some logging to the parse code so we can try and find the IP that is causing the problem. So if you could pull ghcr.io/xterm-inator/mikroguard:pr-41 again and see if you get any logs when adding a new connection.
I have made a test and got this error:
[2024-07-06 21:41:39] production.DEBUG: Invalid IP - 193.168.1.253/32,0.0.0.0/0, Invalid IP address format.
This peer is a site-to-site connection. And this allowed address is needed to route some traffic via this peer. If I remove 0.0.0.0/0, all is OK.
Awesome, so 2 issues got caught with this. First I had completely forgotten multiple allowed IPs could be added to a single peer and that the parse code doesn't like any existing peers with 0.0.0.0 address. I have updated the code for both these cases so if you could pull ghcr.io/xterm-inator/mikroguard:pr-41 again and test that would be greatly appreciated. Thanks for your help with this.
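The two cases found above (several allowed addresses on one peer, and a 0.0.0.0/0 route on a site-to-site peer) can be handled as in this added Python sketch. It is not MikroGuard's own code; the function names, the treatment of pool-covering entries as routes, and the reserved router address are assumptions made for the example.

```python
import ipaddress

def used_addresses(allowed_fields, pool):
    """Return (used, rejected) for the peers' allowed-address fields."""
    used, rejected = set(), []
    for field in allowed_fields:
        for entry in field.split(","):       # one peer can list several networks
            entry = entry.strip()
            if not entry:
                continue
            try:
                # strict=False accepts host bits, e.g. 192.168.1.2/30
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                rejected.append(entry)       # log it, keep scanning other peers
                continue
            if net.version != pool.version:
                continue
            # Assumption: an entry that covers the whole pool (0.0.0.0/0 on a
            # site-to-site peer) is a route, not an address claim.
            if net != pool and net.subnet_of(pool):
                used.update(net)             # every address in the entry
    return used, rejected

def next_free(allowed_fields, pool_cidr, reserved=()):
    """First host in pool_cidr not claimed by a peer or listed in reserved."""
    pool = ipaddress.ip_network(pool_cidr)
    used, rejected = used_addresses(allowed_fields, pool)
    used.update(ipaddress.ip_address(a) for a in reserved)
    for host in pool.hosts():
        if host not in used:
            return host, rejected
    return None, rejected                    # pool exhausted

# Constructed sample modelled on the setup described in the thread.
PEERS = [f"192.168.1.{n}/32" for n in range(2, 31)]
PEERS += ["192.168.1.254/32", "192.168.1.253/32,0.0.0.0/0"]

if __name__ == "__main__":
    addr, bad = next_free(PEERS, "192.168.1.0/24", reserved=["192.168.1.1"])
    print(addr, bad)
```

Entries that fail to parse, such as a dash-style range, come back in the second return value so they can be logged without aborting peer creation.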
I have made another check and all is OK. Thank you. Another thing which I have mentioned from the start: user (peer) creation. Is it possible to create users without email, just a username? Or email or username? Or maybe username and email (optional)? And it would be great in future if it would be possible to parse the existing peer configuration on RouterOS and add existing peers to the list in order to manage them. In the latest ROS updates in WireGuard they added a peer name (peer1, peer2, etc.). It will be possible to use the username as the peer name, or at least as a comment. Thank you again.
Hey,
I have released a new version with this change in it v1.2.0.
I should be able to change email to username so both can be used. The only reason why it's currently email is because the login was originally for Google SSO only. I should be able to look into changing this within the next couple of weeks.
I did notice the latest update of ROS included peer names and I am going to look into using this.
As for importing existing peers, I do like the idea however it would require the current private key of the peers and I'm not sure if the MikroTik API would give that. I'll have a look into this.
Yes sure - the private key of any peer must be stored in the private-key field if it was created manually, not using MikroGuard. Then it could be retrieved via API.
I just tested it and, as I thought, the API returns an empty string for the private keys that are already on the router, so unfortunately it won't be possible to import existing peers.
Hey,
v1.3.0 now has usernames instead of emails. Also with this update new peers will have their username/email added to the router as a peer name or a comment depending on the router version.
Hello dear - thank you for this great software. When I try to add a new user, it ignores all existing peers and tries to create a new peer with a duplicate IP. It would be great if it automatically added all existing peers. And second thing: is it possible to use as a peer name not just an email, but any name? Thank you.