Mikrotik RouterOS WireGuard dynamic DNS endpoint refresh

MikroTik RouterOS doesn’t yet support DNS names for peer entpoints (v7.1.1). As a workaround, you can set the endpoint address using the CLI, but RouterOS will not re-resolve the DNS name. If the IP addresses behind the DNS name change at some point, for example if you use DDNS, the WireGuard tunnel will eventually stop working. As a solution, you can use a script that checks if the peer endpoint address still matches the dns name and if not, updates to the latest ip address of the DNS name.

Script:

Add under System > Scheduler a new script and choose a useful interval.

:local wgPeerComment
:local wgPeerDns

:set wgPeerComment "Peer #1 Comment"
:set wgPeerDns "dns.example.com"

:if ([interface wireguard peers get number=[find comment="$wgPeerComment"] value-name=endpoint-address] != [resolve $wgPeerDns]) do={
  interface wireguard peers set number=[find comment="$wgPeerComment"] endpoint-address=[/resolve $wgPeerDns]
}
Example:

Configure local Systemd-resolved DNS Resolver for Company Domains behind VPN

To send queries for the company internal (sub)-domains to the company DNS resolvers behind the VPN, the resolver can be configured with the following commands:

# Configure internal corporate domain name resolvers:
resolvectl dns tun0 192.0.2.53 192.0.2.54

# Only use the internal corporate resolvers for domain names under these:
resolvectl domain tun0 "~example.com"

# Not super nice, but might be needed:
resolvectl dnssec tun0 off

How to easily clone a (encrypted hard) disk over network (with dd and netcat)

The task was simple: two computers (notebooks). One – we call it A – with a working operating system (Xubuntu) and a new one – we call it B – without operating system. This is how I proceeded:

  1. Create bootable flash drive with in my case Arch-Linux
  2. In the Arch-Linux boot loader, press [TAB] and add “copytoram” to the boot command to load the squashfs image into ram. I needed this because in this case I only had a flash drive at hand. If you have two, you don’t need this.
  3. List network devices:
    ip address
  4. Assign a IP adress to computer A with:
    ip address add <machine A ip adress> dev <ethernet device>

  5. To identify source disk, list all block devices with:
    lslbk

  6. Prepare the copy operation (do not execute yet!) with
    dd if=/dev/<source block device> bs=32M status=progress | nc <machine B ip adress> <random port number>

  7. Boot machine B from the same or different flash drive
  8. Assign different IP adress
  9. Identify target device
  10. Prepare the receiving copy operation with
    nc -l -p <same port number as A> | dd of=/dev/<destination block device> bs=32M status=progress

  11. Execute the command on Machine B
  12. Then execute the command on Machine A
  13. Wait until the copying process is completed.
  14. Use at least the Sync command to synchronize corresponding file data in volatile storage and permanent storage
  15. Restart the machine, you are done

How it works/remarks
dd reads the source drive bit by bit into the normal output stream. The output stream is piped to netcat, which sends it over the network to a receiving netcat process (server with -l). Therefore the server must be started first. The server receives the bits and piped them back to dd, which writes them to the target on machine B.

Maybe this is not the best and/or most efficient way, but transfer speed in my case of 75MB/s (poor performance on screenshots is from a setup with two vm’s) is in IHMO very good for this simple setup.

Thanks to pmenke for his support.

IPsec VPN between Sophos UTM and AVM Fritz!Box (LTE) with a dynamic IP-Adresss

Use the following settings to configure a Fritz!Box – also a LTE version – to connect to a Sophos UTM (v9.7)

  • Sophos UTM Settings
  • Fritz!Box VPN VPN-Configfile
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "Sophos IPsec";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = AAA.BBB.CCC.DDD; // Change to Sophos External IP
                remote_virtualip = 0.0.0.0;
                localid {
                        fqdn = "my.fqdn.net"; // No change needed. Is ignored from the UTN
                }
                remoteid {
                        ipaddr = "AAA.BBB.CCC.DDD"; // Change
                }
                mode = phase1_mode_idp; // Main Mode
                phase1ss = "dh14/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "MySecr3tPassw0rd!"; // has to be changed
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.0.1; // change to local network
                                mask = 255.255.255.0;   // change to local subnet
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 172.16.0.0; // change to remote network
                                mask = 255.255.255.0; // change to remote subnet
                        }
                }
                phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
                accesslist = "permit ip any 172.16.0.0 255.255.255.0"; // to remote network
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}