lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

I'm not finding the wireguard interface

Sun Aug 25, 2024 3:14 am

I'm trying to enable the wireguard interface but I'm not finding it.
Do you have any idea what I am missing?
[user@mik] > interface wireguard print
bad command name wireguard (line 1 column 11)
[user@mik] > interface

.. -- go up to root
blink --
bonding -- Interface bonding
bridge -- Bridge interfaces
comment -- Set comment for items
detect-internet --
disable -- Disable interface
dot1x --
edit --
enable -- Enable interface
eoip -- Ethernet over IP tunnel interface
ethernet -- Ethernet interfaces
find --
get -- Gets value of item's property
gre --
ipip -- IP over IP tunnel interfaces
l2tp-client -- Layer Two Tunneling Protocol's client
l2tp-server -- Layer Two Tunneling Protocol's server
list --
lte --
mesh --
monitor-traffic -- Monitor traffic
ovpn-client --
ovpn-server --
ppp-client -- PPP client
ppp-server -- PPP server
pppoe-client -- PPPoE client interfaces
pppoe-server -- PPPoE server
pptp-client -- PPTP client
pptp-server -- PPTP server
print -- Print interface summary
reset-counters --
set -- Change item properties
sstp-client --
sstp-server --
traffic-eng --
vlan -- Virtual LAN interfaces
vpls --
vrrp --
wireless -- Wireless interface
export -- Print or save an export script that can be used to restore configuration
[user@mik] > /system routerboard print
       routerboard: yes
        board-name: hEX S
             model: RB760iGS
     serial-number: AE370BB31B22
     firmware-type: mt7621L
  factory-firmware: 6.44
  current-firmware: 6.44.5
  upgrade-firmware: 6.49.17
[user@mik] > system package print
Flags: X - disabled
 #   NAME                                 VERSION                                 SCHEDULED
 0   routeros-mmips                       6.49.17
 1   system                               6.49.17
 2 X ipv6                                 6.49.17
 3   wireless                             6.49.17
 4   hotspot                              6.49.17
 5   mpls                                 6.49.17
 6   routing                              6.49.17
 7   ppp                                  6.49.17
 8   dhcp                                 6.49.17
 9   security                             6.49.17
10   advanced-tools                       6.49.17
 
CGGXANNX
Member Candidate
Posts: 269
Joined: Thu Dec 21, 2023 6:45 pm

Re: I'm not finding the wireguard interface

Sun Aug 25, 2024 4:03 am

It's only available with RouterOS 7. You are still running version 6.
 
lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

Re: I'm not finding the wireguard interface

Sun Aug 25, 2024 4:35 am

I found out and upgraded to RouterOS 7, then spent the last half hour finding out why my internet doesn't work :lol:
Current status: RouterOS 7.15.3 is installed, the router is connected to the internet but NAT does not work, none of my computers can get out to the internet, they can still ping the router. Wireguard interface was not added, nothing was done but the RouterOS upgrade.

This is my routing table (I did replace my actual IP with 11.222.22.1)
[user@mik] > ip route/print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS        GATEWAY       DISTANCE
0  Xs 0.0.0.0/0          opvn                 1
1  Xs 0.0.0.0/0          disabled_vpn
  DAd 0.0.0.0/0          11.222.22.1          1
  DAv 0.0.0.0/1          10.8.0.9             0
  DAv 10.8.0.1/32        10.8.0.9             1
  DAc 10.8.0.9/32        opvn                 0
  DAc 10.83.14.0/24      bridge-LAN           0
  DAv 79.172.212.172/32  11.222.22.1          0
  DAc 98.117.53.0/24     eth1-GW              0
  DAv 128.0.0.0/1        10.8.0.9             0
  DAc 172.16.20.0/24     bridge-IOT           0
 [user@mik] > ping google.com
  SEQ HOST                                     SIZE TTL TIME       STATUS
    0 142.250.31.102                             56  61 306ms664us
    1 142.250.31.102                             56  61 260ms497us
    2 142.250.31.102                             56  61 233ms24us
    3 142.250.31.102                             56  61 256ms579us                                            
    4 142.250.31.102                             56  61 255ms730us
    5 142.250.31.102                             56  61 269ms874us
    6 142.250.31.102                             56  61 391ms888us
    7 142.250.31.102                             56  61 302ms842us
    8 142.250.31.102                             56  61 333ms993us
    9 142.250.31.102                             56  61 293ms257us
   10 142.250.31.102                             56  61 284ms959us
   11 142.250.31.102                             56  61 333ms146us
   12 142.250.31.102                             56  61 365ms740us
    sent=13 received=13 packet-loss=0% min-rtt=233ms24us avg-rtt=299ms91us max-rtt=391ms888us
If I try to get out from any device on the network I'm getting:
❯ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C
--- 1.1.1.1 ping statistics ---

% ping google.com
PING google.com (142.250.31.100): 56 data bytes
^C
--- google.com ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
What went wrong?
 
sindy
Forum Guru
Posts: 11275
Joined: Mon Dec 04, 2017 9:19 pm

Re: I'm not finding the wireguard interface

Sun Aug 25, 2024 4:53 am

> What went wrong?
No way to find out unless you post the export of your actual configuration.
 
anav
Forum Guru
Posts: 22185
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: I'm not finding the wireguard interface

Sun Aug 25, 2024 2:28 pm

What went wrong is MT not providing you with a first post path and process that ensures you get your issues answered in a sane manner.

/export file=anynameyouwish ( minus router serial#, any public WANIP information, keys etc.)
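
The redaction step requested above (serial number, public WAN addresses, keys), as an added example that is not part of the original post and not MikroTik tooling. `redact_export`, the `SECRET_KEYS` list and the `KEEP_NETS` ranges are assumptions chosen for this sketch, and the sample export is constructed; it handles IPv4 only and unwraps `\` line continuations so that a wrapped secret value is still caught.

```python
import ipaddress
import re

# Ranges left readable because they identify nothing outside the LAN.
KEEP_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

# Assumption: property names treated as secrets; extend for your own config.
SECRET_KEYS = ("password", "secret", "ipsec-secret", "private-key",
               "preshared-key", "passphrase", "authentication-password",
               "encryption-password")

WRAP_RE = re.compile(r"\\\r?\n[ \t]*")  # export line continuation
HEADER_RE = re.compile(r"^(# (?:serial number|software id) = ).*$", re.M)
SECRET_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, SECRET_KEYS)) +
    r')=("(?:\\.|[^"\\])*"|\S+)')
MAC_RE = re.compile(
    r"\b((?:[0-9A-Fa-f]{2}:){3})(?:[0-9A-Fa-f]{2}:){2}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact_export(text):
    """Return (redacted_text, ip_map) for a RouterOS /export dump."""
    ip_map = {}

    def swap_ip(m):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            return m.group(0)
        if any(ip in net for net in KEEP_NETS):
            return m.group(0)
        # Same address always gets the same token, so routes and firewall
        # rules that refer to one host stay comparable after redaction.
        return ip_map.setdefault(m.group(0), f"<public-ip-{len(ip_map) + 1}>")

    text = WRAP_RE.sub("", text)                   # join wrapped lines first
    text = HEADER_RE.sub(r"\1***", text)           # serial number, software id
    text = SECRET_RE.sub(lambda m: m.group(1) + "=***", text)
    text = MAC_RE.sub(r"\1XX:XX:XX", text)         # keep vendor prefix only
    text = IPV4_RE.sub(swap_ip, text)
    return text, ip_map


# Constructed sample in the export format; none of these values are real.
SAMPLE = r'''# 2024-01-01 00:00:00 by RouterOS 7.15.3
# software id = ABCD-1234
# serial number = HXX00000000
/interface bridge
add admin-mac=02:00:5E:10:20:30 auto-mac=no name=bridge-LAN
/interface l2tp-client
add connect-to=203.0.113.7 ipsec-secret="s3cr et\"x" name=l2tp password=\
    hunter2 user=mik
/ip firewall filter
add action=accept chain=input src-address=203.0.113.7
add action=accept chain=input src-address=198.51.100.9 dst-address=10.0.1.1
'''

if __name__ == "__main__":
    redacted, mapping = redact_export(SAMPLE)
    print(redacted)
    print(mapping)
```

Keep the returned mapping private; it is only there so you can translate a helper's answer back to your real addresses.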
 
CGGXANNX
Member Candidate
Posts: 269
Joined: Thu Dec 21, 2023 6:45 pm

Re: I'm not finding the wireguard interface

Sun Aug 25, 2024 2:44 pm

It's probably quicker to just reset your hEX S to the default configuration (System -> Reset Configuration) and use Quick Set ONCE to set up your internet connection.
 
lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

Re: I'm not finding the wireguard interface

Sun Aug 25, 2024 6:32 pm

Update: I have an openvpn client configured on the MikroTik, if I disable it the clients behind the NAT can connect to the internet. The openvpn connection though works, so I see no relation between the two.
Also, only traffic marked as "vpn_traffic" should go through this, which are the following IPs: 10.0.1.200-10.0.1.210.

I did the export and redacted a few lines, still, it is quite long so I don't blame you if you don't want to go through the whole thing:
[user@mik] > /export
# 2024-08-25 13:56:19 by RouterOS 7.15.3
# software id = 75ZJ-SINV
#
# model = RB760iGS
# serial number = ***
/interface bridge
add name=bridge-IOT port-cost-mode=short
add add-dhcp-option82=yes admin-mac=C4:AD:34:XX:YY:ZZ arp=proxy-arp auto-mac=no dhcp-snooping=yes name=bridge-LAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=ISP name=eth1
set [ find default-name=ether2 ] name=eth2-master
set [ find default-name=ether3 ] name=eth3
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5-IOT poe-out=off
/interface l2tp-client
add connect-to=l2tp.***.*** name=l2tp use-ipsec=yes use-peer-dns=yes user=mik
/interface vlan
add interface=eth2-master name=vlan1003 vlan-id=1003
/disk
set sd1 media-interface=none media-sharing=no
add media-interface=none media-sharing=no parent=sd1 partition-number=1 partition-offset=512 partition-size="3 980 393 984" type=partition
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add disabled=yes name=L2TP-peer passive=yes
/ip pool
add name=dhcp-10.0.1.0 ranges=10.0.1.20-10.0.1.80
add name=dhcp-IOT-192.168.66.0 ranges=192.168.1.10-192.168.1.50
add name=dhcp-VPN-172.16.12.0 ranges=172.16.12.2-172.16.12.20
add name=dhcp-RIPE-172.16.20.0 ranges=172.16.20.5-172.16.20.100
/ip dhcp-server
add address-pool=dhcp-10.0.1.0 interface=bridge-LAN lease-time=8h name=LAN
add address-pool=dhcp-RIPE-172.16.20.0 interface=bridge-IOT lease-time=12h name=IOT
add address-pool=dhcp-IOT-192.168.66.0 interface=vlan1003 lease-time=1h name=vlan1003
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add bridge=bridge-LAN change-tcp-mss=yes comment="for L2TP server" dns-server=10.0.1.1 local-address=10.0.1.1 name=VPN-encryption \
    only-one=no remote-address=dhcp-10.0.1.0
add change-tcp-mss=yes name=OVPN-client only-one=yes use-compression=no use-encryption=required use-mpls=no
set *FFFFFFFE bridge=bridge-LAN
/interface ovpn-client
add certificate=hap.***.***.crt_0 cipher=aes256-cbc connect-to=openvpn.***.*** disabled=yes mac-address=FE:E1:13:A2:50:59 name=opvn \
    profile=OVPN-client user=notused
/queue simple
add disabled=yes max-limit=12M/1M name="speed limit" target=10.0.1.19/32 total-queue=ethernet-default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=vpn_traffic
add fib name=l2tp_traffic
/snmp community
set [ find default=yes ] addresses=10.0.1.19/32 disabled=yes
add addresses=*.*.*.*/32 encryption-protocol=AES name=pi_*.*.*.* security=private
add addresses=10.0.1.53/32 encryption-protocol=AES name=pi security=private
/system logging action
set 0 memory-lines=200
set 1 disk-file-count=100
add email-start-tls=yes email-to=user@redacted.com name=email target=email
/interface bridge port
add bridge=bridge-LAN ingress-filtering=no interface=eth2-master internal-path-cost=10 path-cost=10
add bridge=bridge-LAN ingress-filtering=no interface=eth3 internal-path-cost=10 path-cost=10
add bridge=bridge-LAN comment=defconf ingress-filtering=no interface=eth4 internal-path-cost=10 path-cost=10
add bridge=bridge-IOT ingress-filtering=no interface=eth5-IOT internal-path-cost=10 path-cost=10
add bridge=bridge-LAN ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 caller-id-type=number enabled=yes keepalive-timeout=300 max-mru=1460 max-mtu=1460 \
    max-sessions=10 use-ipsec=required
/interface list member
add interface=bridge-LAN list=LAN
add interface=eth1 list=WAN
/interface ovpn-server server
set auth=sha1,md5 certificate=cacert.pem_1 cipher=blowfish128,aes128-cbc,aes192-cbc,aes256-cbc default-profile=*3 require-client-certificate=\
    yes
/ip address
add address=10.0.1.1/24 comment=LAN interface=eth2-master network=10.0.1.0
add address=172.16.20.1/24 comment=RIPE interface=bridge-IOT network=172.16.20.0
add address=192.168.1.1/24 comment=vlan1003 interface=vlan1003 network=192.168.66.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=eth1 use-peer-dns=no
/ip dhcp-server lease
add address=10.0.1.5 client-id=1:88:87:37:6e:15:1d mac-address=88:87:37:6E:15:1D server=LAN
add address=10.0.1.25 client-id=1:fa:64:3b:4c:c1:8d mac-address=FA:64:3B:4C:C1:8D server=LAN
add address=10.0.1.252 mac-address=2C:AA:8E:42:F1:E4 server=LAN
add address=10.0.1.253 mac-address=2C:AA:8E:43:A2:E2 server=LAN
/ip dhcp-server network
add address=10.0.1.0/24 comment=LAN dns-server=10.0.1.1 domain=redacted.com gateway=10.0.1.1 netmask=24 ntp-server=\
    129.6.15.28,129.6.15.29,132.163.97.1
add address=172.16.20.0/24 comment=IOT-RIPE dns-server=208.67.220.220,208.67.222.222 gateway=172.16.20.1 netmask=24
add address=192.168.66.0/24 comment="VLAN 1003 Airport Guest" dns-server=208.67.220.220,208.67.222.222 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=200 max-concurrent-tcp-sessions=40 servers=\
    208.67.222.222,208.67.220.220 use-doh-server=https://doh.opendns.com/dns-query
/ip dns static
add address=146.112.41.2 name=doh.opendns.com
/ip firewall address-list
add address=10.0.0.0/8 list=local_traffic
add address=172.16.0.0/12 list=local_traffic
add address=192.168.0.0/16 list=local_traffic
/ip firewall filter
add action=drop chain=input comment=Blacklist log-prefix=BLACKLIST src-address-list=Blacklist
add action=drop chain=input dst-address=10.0.1.0/24 src-address=192.168.66.0/24
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=14w2d chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1 src-address=!79.172.212.172
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=\
    tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment=L2TP connection-state="" dst-port=1701,500,4500 in-interface=eth1 limit=20,5:packet log=yes \
    log-prefix=L2TP protocol=udp
add action=accept chain=input comment=L2TP connection-state="" in-interface=eth1 log=yes log-prefix=L2TP protocol=ipsec-esp
add action=accept chain=input comment=OpenVPN disabled=yes dst-port=1194 log=yes log-prefix=openvpn protocol=tcp
add action=accept chain=input comment="ping reply" protocol=icmp
add action=drop chain=input comment="default configuration" in-interface=eth1
add action=accept chain=forward comment=IOT out-interface=eth1 src-address=192.168.66.0/24
add action=drop chain=forward comment="IOT - drop other traffic from IOT network" disabled=yes dst-address=0.0.0.0/0 src-address=\
    192.168.66.0/24
add action=accept chain=forward comment=RIPE out-interface=eth1 src-address=172.16.20.0/24
add action=drop chain=forward comment="RIPE - drop other traffic for RIPE network" disabled=yes dst-address=0.0.0.0/0 src-address=\
    172.16.20.0/24
add action=accept chain=forward comment="default configuration - NAT" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=jump chain=forward comment="SYN Flood protect" connection-state=new jump-target=SYN-Protect log=yes log-prefix=SYN-Protect \
    protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=eth1
add action=drop chain=forward in-interface=eth1 src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8 in-interface=eth1
add action=drop chain=forward in-interface=eth1 src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8 in-interface=eth1
add action=drop chain=forward in-interface=eth1 src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3 in-interface=eth1
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid protocol=tcp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=5h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=5722 log=yes log-prefix=ssh_brute_force protocol=tcp src-address-list=\
    ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=14w3d23m chain=input connection-state=new dst-port=5722 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=5722 protocol=\
    tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=5722 protocol=\
    tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=5722 protocol=\
    tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=28w4d chain=input connection-limit=100,32 log=yes \
    protocol=tcp
add action=accept chain=SYN-Protect connection-state=new limit=100,5:packet log=yes log-prefix=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=input disabled=yes dst-port=161 protocol=udp src-address=*.*.*.*
add action=accept chain=forward comment="bulb" disabled=yes out-interface=eth1 src-address=10.0.1.101
add action=accept chain=forward comment="bulb" disabled=yes out-interface=eth1 src-address=10.0.1.102
add action=drop chain=forward comment="bulb" disabled=yes dst-address=0.0.0.0/0 src-address=10.0.1.101
add action=drop chain=forward comment="bulb" disabled=yes dst-address=0.0.0.0/0 src-address=10.0.1.102
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!local_traffic new-routing-mark=vpn_traffic passthrough=yes src-address=\
    10.0.1.200-10.0.1.210
add action=mark-routing chain=prerouting disabled=yes dst-address-list=!local_traffic new-routing-mark=l2tp_traffic passthrough=yes \
    src-address=10.0.1.190-10.0.1.199
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=udp to-addresses=10.0.1.8 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=tcp to-addresses=10.0.1.8 to-ports=53
# opvn not ready
add action=masquerade chain=srcnat out-interface=opvn src-address=10.0.1.200-10.0.1.210
add action=masquerade chain=srcnat disabled=yes out-interface=bridge-LAN src-address=10.0.1.190-10.0.1.199
/ip ipsec identity
add disabled=yes generate-policy=port-override peer=L2TP-peer remote-id=ignore
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=opvn pref-src="" routing-table=vpn_traffic scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes dst-address=0.0.0.0/0 gateway=l2tp routing-table=l2tp_traffic
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.1.0/24 disabled=yes
set ssh address=10.0.1.0/25,172.16.12.0/24
set www-ssl address=10.0.1.0/25,172.16.12.20/32 certificate=server disabled=no
set api disabled=yes
set winbox address=\
    10.0.1.18/32,10.0.1.11/32,10.0.1.42/32
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ppp secret
add name=tel profile=VPN-encryption service=l2tp
add name=laptop profile=VPN-encryption service=l2tp
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/snmp
set contact=pi@redacted.com enabled=yes trap-community=pi trap-interfaces=bridge-LAN trap-version=3
/system clock
set time-zone-name=UTC
/system identity
set name=mik
/system logging
set 0 action=disk disabled=yes
set 2 disabled=yes
add disabled=yes prefix=ovpn topics=ovpn
add prefix=l2tp topics=l2tp
add action=disk disabled=yes prefix=ppp topics=ppp,error
add action=disk disabled=yes prefix=route topics=route
add disabled=yes prefix=dhcp-server topics=dhcp
/system ntp client
set enabled=yes
/system ntp client servers
add address=184.105.182.16
add address=69.164.213.136
add address=time.cloudflare.com
/system scheduler
add name="on reboot" on-event=":delay 10;\r\
    \n\
    \n/system script run reboot_script" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add disabled=yes interval=1d name="send IP every day" on-event=send_ip policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2019-12-14 start-time=07:00:00
add interval=5m name=IPSEC_failed on-event=IPSEC_failed policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=\
    2020-10-10 start-time=16:29:19
add disabled=yes interval=1d name=adblock on-event=adblock policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add disabled=yes name=adblock_startup on-event=":delay 30;\r\
    \n/system script run adblock" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script
add comment="disabled because email doesn't work anymore - google smtp security update" dont-require-permissions=no name=\
    reboot_script_DISABLED owner=user policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="delay 10s\
    \n:global ipadd;\
    \n:global extinterface \"eth1\"\
    \n:local thisip [/ip address get [/ip address find interface=\$extinterface ] address];\
    \n:local date [/system clock get date] \
    \n:local time [/system clock get time] \
    \n\
    \n/tool e-mail send to=\"user@redacted.com\" subject=\"reboot - \$time\" body=\"Router was rebooted at: \$date - \$time\\nIP \$thisip\";\
    \n    set ipadd \$thisip;"
/system watchdog
set auto-send-supout=yes ping-start-after-boot=12h ping-timeout=10m send-email-from=mik@redacted.com send-email-to=user@redacted.com \
    send-smtp-server=smtp.redacted.com watch-address=208.67.222.222
/tool e-mail
set from=mik port=587 server=smtp.redacted.com tls=starttls user=mik@redacted.com
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
sindy
Forum Guru
Posts: 11275
Joined: Mon Dec 04, 2017 9:19 pm

Re: I'm not finding the wireguard interface

Sun Aug 25, 2024 8:58 pm

Leaving aside that I forgot to press Ctrl-C once so instead of pasting just the single ovpn-client line to my test CHR (to check what is the default value of add-default-route), I pasted your complete configuration there, there is indeed no reason why enabling and disabling the ovpn client should impact the router behavior the way you describe. So the only explanation I can think of is some issue with the configuration conversion.

So I would make an /export show-sensitive file=complete, download the file to the management laptop, reset the router to factory default and copy-paste the configuration from the file. If you have any certificates there, you have to export them separately, one by one, using /certificate export-certificate ...; when exporting own certificates of the router, you must specify a passphrase, otherwise the private key is not exported and the certificate becomes useless.
 
lacibsd
Frequent Visitor
Topic Author
Posts: 60
Joined: Thu Mar 10, 2016 9:48 pm

Re: I'm not finding the wireguard interface

Tue Aug 27, 2024 12:57 am

Thank you sindy for doing all this, I'm sorry for your trouble with ctrl+c.
I'm going to do more debugging and try what you suggested.

PS: I've been very busy in the past few weeks, it might take some time. Once I have a result I'll update this post.