I have an Opsense with a Wireguard server on it and a Mikrotik with a Wireguard client. Unfortunately I always get a timeout with the Wirguard Client.
However, if I take the QR code and connect my cell phone to it on the same network, I am online. So the configuration actually has to be correct. What could be wrong here?
I changed the keys, they are not the real ones.
WIREGUARD: wireguard-client: XXXXXXXX=: Handshake for peer did not complete after 5 seconds, retrying (try 16)
Code: Select all
# 2023-12-12 21:04:41 by RouterOS 7.12.1
# software id = MVD7-Y3UP
#
# model = RB962UiGS-5HacT2HnT
/interface bridge
add fast-forward=no name=BRIDGE
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
/interface wireguard
add listen-port=13233 mtu=1420 name=wireguard-client
/interface list
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=WlanCompany \
supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge security-profile=\
WlanCompany ssid=WLAN_Company
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge security-profile=\
WlanCompany ssid=WLAN_Company
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=COMPANY ranges=10.248.1.50-10.248.1.150
/ip dhcp-server
add address-pool=COMPANY interface=BRIDGE lease-time=10m name=COMPANY
/system logging action
add disk-file-count=1 disk-file-name=auth.log disk-lines-per-file=5000 name=\
auth target=disk
/user group
add name=dude
/interface bridge port
add bridge=BRIDGE ingress-filtering=no interface=ether2
add bridge=BRIDGE ingress-filtering=no interface=ether3
add bridge=BRIDGE ingress-filtering=no interface=ether4
add bridge=BRIDGE ingress-filtering=no interface=ether5
add bridge=BRIDGE interface=wlan1
add bridge=BRIDGE interface=wlan2
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=WAN1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.10.150.0/24 client-address=10.10.140.63/32 \
client-endpoint=191.6.209.212 interface=wireguard-client \
persistent-keepalive=25s private-key=\
"kOoHLfgEJ1gRqQlxVONRF3eQ1eFRflXOkHpLkFuNx0M=" public-key=\
"1cp2GkWEw2bZtsizc0p1/m29AWTrVTMGW6oLQIPTxSg="
/ip address
add address=10.248.1.254/24 interface=BRIDGE network=10.248.1.0
add address=10.10.140.63/24 interface=wireguard-client network=10.10.140.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface=WAN1
/ip dhcp-server network
add address=10.248.1.0/24 dns-server=10.248.1.254 gateway=10.248.1.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=10.248.1.0/24 list=local
add address=192.168.181.0/24 list=local
add address=192.168.152.0/24 list=local
add address=8.8.8.8 list=DNS
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
"Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
"Black List (Port Scanner LAN)"
add address=192.168.254.0/24 list=local
add address=10.16.0.0/16 list=local
add address=10.1.0.0/24 list=local
add address=192.168.155.0/24 list=local
add address=192.168.249.0/24 list=local
add address=10.10.140.0/24 list=local
add address=10.10.150.0/24 list=local
add address=10.10.141.0/24 list=local
/ip firewall filter
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=input comment="Drop Netbios" connection-state="" \
dst-port=137,138 protocol=udp
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address-list=DNS
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=detect-ddos
add action=drop chain=forward comment="Drop DDOS" connection-state=new \
dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=input comment=\
"Drop anyone in the Port Scanner (WAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
"Black List (Port Scanner WAN)"
add action=drop chain=forward comment=\
"Drop anyone in the Port Scanner (WAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner WAN)" src-address-list=\
"Black List (Port Scanner WAN)"
add action=add-src-to-address-list address-list=\
"Black List (Port Scanner WAN)" address-list-timeout=4w2d chain=input \
comment="Add TCP port scanner to Port Scanner (WAN) list." \
in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Port Scanner WAN)" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=\
"Drop anyone in the Port Scanner (LAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
"Black List (Port Scanner LAN)"
add action=drop chain=forward comment=\
"Drop anyone in the Port Scanner (LAN) list." in-interface-list=WAN log=\
yes log-prefix="BL_Black List (Port Scanner LAN)" src-address-list=\
"Black List (Port Scanner LAN)"
add action=add-src-to-address-list address-list=\
"Black List (Port Scanner LAN)" address-list-timeout=4w2d chain=forward \
comment="Add TCP port scanner to Port Scanner (LAN) list." \
in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Port Scanner LAN)" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop anyone in Black List (Winbox)." \
in-interface-list=WAN log=yes log-prefix="BL_Black List (Winbox)" \
src-address-list="Black List (Winbox)"
add action=jump chain=input comment="Jump to Black List (Winbox) chain." \
dst-port=8291 in-interface-list=WAN jump-target=\
"Black List (Winbox) Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Winbox)" \
address-list-timeout=4w2d chain="Black List (Winbox) Chain" comment="Trans\
fer repeated attempts from Black List (Winbox) Stage 6 to Black List (Winb\
ox)." connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox)" src-address-list="Black List (Winbox) Stage 6"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 6" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 6." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S6" src-address-list=\
"Black List (Winbox) Stage 5"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 5" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 5." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S5" src-address-list=\
"Black List (Winbox) Stage 4"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 4" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 4." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S4" src-address-list=\
"Black List (Winbox) Stage 3"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 3" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 3." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S3" src-address-list=\
"Black List (Winbox) Stage 2"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 2" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add succesive attempts to Black List (Winbox) Stage 2." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (Winbox) S2" src-address-list=\
"Black List (Winbox) Stage 1"
add action=add-src-to-address-list address-list="Black List (Winbox) Stage 1" \
address-list-timeout=1m chain="Black List (Winbox) Chain" comment=\
"Add initial attempt to Black List (Winbox) Stage 1." connection-state=\
new in-interface-list=WAN log=yes log-prefix="Add_Black List (Winbox) S1"
add action=return chain="Black List (Winbox) Chain" comment=\
"Return From Black List (Winbox) chain."
add action=drop chain=input comment="Drop anyone in Black List (SSH)." \
in-interface-list=WAN log=yes log-prefix="BL_Black List (SSH)" \
src-address-list="Black List (SSH)"
add action=jump chain=input comment="Jump to Black List (SSH) chain." \
dst-port=45735 in-interface-list=WAN jump-target="Black List (SSH) Chain" \
protocol=tcp
add action=add-src-to-address-list address-list="Black List (SSH)" \
address-list-timeout=4w2d chain="Black List (SSH) Chain" comment="Transfer\
_repeated attempts from Black List (SSH) Stage 3 to Black List (SSH)." \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"Add_Black List (SSH)" src-address-list="Black List (SSH) Stage 3"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 3" \
address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add successive attempts to Black List (SSH) Stage 3." connection-state=\
new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S3" \
src-address-list="Black List (SSH) Stage 2"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 2" \
address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add successive attempts to Black List (SSH) Stage 2." connection-state=\
new in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S2" \
src-address-list="Black List (SSH) Stage 1"
add action=add-src-to-address-list address-list="Black List (SSH) Stage 1" \
address-list-timeout=1m chain="Black List (SSH) Chain" comment=\
"Add initial attempt to Black List (SSH) Stage 1." connection-state=new \
in-interface-list=WAN log=yes log-prefix="Add_Black List (SSH) S1"
add action=return chain="Black List (SSH) Chain" comment=\
"Return From Black List (SSH) chain."
add action=accept chain=input comment="Accept established connections" \
connection-state=established
add action=accept chain=input comment="Accept related connections" \
connection-state=related
add action=accept chain=input comment="Accept SSH for secure shell" dst-port=\
45735 log=yes log-prefix=SSH_LOGIN protocol=tcp
add action=accept chain=input comment="Accept SSH for secure shell" dst-port=\
13234 log=yes log-prefix=SSH_LOGIN protocol=tcp
add action=accept chain=input comment="Accept SSH for secure shell" dst-port=\
13233 in-interface=WAN1 protocol=udp
add action=accept chain=input comment="Accept SSH for secure shell" dst-port=\
51820 in-interface=WAN1 protocol=udp
add action=accept chain=input comment="Allow limited pings" limit=\
50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
add action=accept chain=input comment="Accept VPN" protocol=ipsec-esp
add action=accept chain=input comment="Accept Winbox access" dst-port=8291 \
protocol=tcp src-address-list=local
add action=accept chain=input comment="Accept VPN" dst-port=500,4500,1701 \
protocol=udp
add action=accept chain=input comment="Accept Winbox MAC" dst-port=20561 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept NDP" dst-port=5678 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept DNS Querry" dst-port=53 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept NTP Querry" dst-port=123 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept DHCP Querry" dst-port=67 \
in-interface-list=!WAN protocol=udp src-address-list=local src-port=68
add action=accept chain=input comment="Accept SNMP" dst-port=161 \
in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="Accept Winbox http" dst-port=1455 \
in-interface-list=!WAN protocol=tcp src-address-list=local
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
src-address-type=local
add action=drop chain=input comment="Drop everything else" log-prefix=\
"IN DROP REST -> "
add action=accept chain=forward comment="PF Mailserver" dst-port=443 \
protocol=tcp
add action=accept chain=forward comment="PF Mailserver" dst-port=80 protocol=\
tcp
add action=accept chain=forward comment="Accept established connections" \
connection-state=established
add action=accept chain=forward comment="Accept related connections" \
connection-state=related
add action=accept chain=forward comment="Accept VPN" in-interface=\
wireguard-client
add action=accept chain=forward comment="Accept VPN" out-interface=\
wireguard-client
add action=accept chain=forward comment="Accept VPN" in-interface=\
wireguard-client out-interface=BRIDGE
add action=accept chain=forward comment="Accept VPN" in-interface=BRIDGE \
out-interface=wireguard-client
# l2tp-DM not ready
add action=accept chain=forward comment="Accept VPN" in-interface=*C
# l2tp-DM not ready
add action=accept chain=forward comment="Accept VPN" out-interface=*C
add action=accept chain=forward comment="Allow Forward to WAN1" \
out-interface=WAN1
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add action=log chain=forward comment="Log everything else" log-prefix=\
"DROP FORWARD"
add action=drop chain=forward comment="Drop everything else"
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface=WAN1 \
log=yes protocol=tcp to-addresses=192.168.0.10 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=WAN1 \
log=yes protocol=tcp to-addresses=192.168.0.10 to-ports=80
add action=masquerade chain=srcnat out-interface=WAN1
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
# Peer does not exist
add peer=*2 remote-id=ignore
/ip route
add disabled=yes distance=1 dst-address=192.168.254.0/24 gateway=*C pref-src=\
10.16.248.4 routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.249.0/24 gateway=*C pref-src=\
10.16.248.4 routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.155.0/24 gateway=*C pref-src=\
10.16.248.4 routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=10.10.150.0/24 gateway=\
wireguard-client pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=195.4.209.213/32 gateway=\
wireguard-client pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=45735
set api disabled=yes
/ip ssh
set strong-crypto=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=WBH10ROU03
/system leds settings
set all-leds-off=after-1min
/system logging
add action=auth disabled=yes topics=account
add prefix=WIREGUARD topics=wireguard
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
