Artemisfo
just joined
Topic Author
Posts: 2
Joined: Thu Oct 03, 2024 5:46 pm
Location: Poland

WireGuard stopped cooperating after the 7.16 upgrade

Thu Oct 03, 2024 6:02 pm

Hello everyone,

I tried searching for an answer to my problem but to no avail, hence I am starting this topic. If I failed to find the resolution already posted on these forums, please direct me to the right thread and feel free to close this one up forever.

Back in the day I set up my WireGuard interface as demonstrated in many official and unofficial tutorials, both written and in video form. Everything worked just flawlessly: my remote clients (peers) were able to connect, access the web and browse through the contents of my LAN network. I use three Android devices running the latest Android version with the latest version of the WireGuard app, as well as one Windows machine. I do have the adequate firewall / NAT rules applied (like I said, they worked just fine before) and no configuration whatsoever has been changed. I am on an RB5009 running the latest stable release of RouterOS. When I come to think of it, one or actually two things could have changed since the last time WG worked just fine: I installed two additional packages, Container support and ZeroTier, both of which remain untouched and unconfigured ever since.

The problem is that all of the devices are able to perform the handshake; the WG interface recognizes the connections just fine and shows the endpoint IP addresses just fine, but that is pretty much it. The peers can not access websites nor the LAN. The WG interface reports some kind of movement, but only bits per second; the listen ports of the particular peers are different from the one provided within the config file - this is the only thing I am able to observe.
What is most interesting is that when I reissue the private/public keys for one of the peers in question, re-upload the config to the peer and switch WG on, I am able to use it in a normal way for about 15 minutes. After the time is up everything goes back to point zero, no connection to anything. That is both when I am using WLAN or 5G remote connections with WG (at least on the Android devices). Strangely enough, WG on my Windows machine continues to work just fine with no config changes, no new keys being exchanged etc.

I have really run out of ideas as to what could be wrong and still needs fixing; would any of you have an idea? Let me know what would be necessary to provide to try to troubleshoot this. Thanks in advance!

Here's the config, purged of all the sensitive details (I hope).
# 2024-10-03 17:06:07 by RouterOS 7.16
# software id = 
#
# model = RB5009UG+S+
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=LAN name=Bridge_Local \
    port-cost-mode=short
/interface wireguard
add listen-port=13232 mtu=1420 name=WG-External
add listen-port=13231 mtu=1420 name=WG-Internal
/interface vlan
add interface=Bridge_Local name=IoT vlan-id=30
add interface=ether1 name=LAN_ vlan-id=20
add interface=Bridge_Local name=Management vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=\
    "2.4Ghz AX upstairs" width=20/40mhz
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240,5745 name=\
    "5Ghz AX downstairs" width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=\
    "2.4Ghz AX downstairs" width=20/40mhz
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240,5745 name=\
    "5Ghz AX upstairs" width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2432,2457 name=IoT_band width=20mhz
/interface wifi datapath
add bridge=Bridge_Local disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes disabled=no \
    encryption="" ft=yes ft-over-ds=yes name=Main wps=disable
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no ft=yes \
    ft-over-ds=yes name=IoT wps=disable
/interface wifi configuration
add comment="TBA with future supported APs" country=Poland datapath=datapath1 \
    disabled=no manager=capsman mode=ap name="Main 6Ghz" security=Main ssid=\
    "Swiat Dysku"
/interface wifi steering
add disabled=no name=Main_Steer neighbor-group="dynamic-Swiat Dysku-5740aa3f" \
    rrm=yes wnm=yes
add disabled=no name=IoT_Steer neighbor-group=dynamic-Calypso-a8f8c3f3 rrm=\
    yes wnm=yes
/interface wifi configuration
add channel="5Ghz AX downstairs" comment="Main home wireless network" \
    country=Poland datapath=datapath1 disabled=no mode=ap name="Main 5Ghz" \
    security=Main ssid="Swiat Dysku" steering=Main_Steer
add channel="2.4Ghz AX downstairs" comment="Main home wireless network" \
    country=Poland datapath=datapath1 disabled=no mode=ap name="Main 2.4Ghz" \
    security=Main ssid="Swiat Dysku" steering=Main_Steer
add channel=IoT_band comment="Dedicated wireless network for IoT devices" \
    country=Poland datapath=datapath1 disabled=no mode=ap name=IoT security=\
    IoT ssid=Calypso steering=IoT_Steer
/interface wifi
add configuration="Main 2.4Ghz" disabled=no name=cap-wifi1 radio-mac=\
    
add channel.frequency=2432,2457 configuration=IoT configuration.mode=ap \
    disabled=no mac-address= master-interface=cap-wifi1 \
    name=cap-wifi2
add configuration="Main 2.4Ghz" disabled=no name=cap-wifi3 radio-mac=\
    
add channel.frequency=2432,2457 configuration=IoT configuration.mode=ap \
    disabled=no mac-address= master-interface=cap-wifi3 \
    name=cap-wifi4
add configuration="Main 5Ghz" disabled=no name=cap-wifi5 radio-mac=\
    
add configuration="Main 5Ghz" disabled=no name=cap-wifi6 radio-mac=\
    
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=lan_pool ranges=10.10.20.2-10.10.20.254
add name=management_pool ranges=10.10.10.2-10.10.10.254
add name=iot_pool ranges=10.10.30.2-10.10.30.254
add name=resque_pool ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=yes interface=Bridge_Local lease-time=10m \
    name=defconf
add address-pool=dhcp interface=Bridge_Local name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=Bridge_Local interface=ether2 internal-path-cost=10 path-cost=10
add bridge=Bridge_Local interface=ether3 internal-path-cost=10 path-cost=10
add bridge=Bridge_Local interface=ether4 internal-path-cost=10 path-cost=10
add bridge=Bridge_Local interface=ether5 internal-path-cost=10 path-cost=10
add bridge=Bridge_Local interface=ether6 internal-path-cost=10 path-cost=10
add bridge=Bridge_Local interface=ether8 internal-path-cost=10 path-cost=10
add bridge=Bridge_Local disabled=yes interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=Bridge_Local interface=sfp-sfpplus1 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all lan-interface-list=LAN
/interface list member
add interface=Bridge_Local list=LAN
add interface=ether1 list=WAN
/interface wifi cap
set discovery-interfaces=Bridge_Local slaves-datapath=datapath1
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=Bridge_Local \
    package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration="Main 5Ghz" \
    supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration="Main 2.4Ghz" \
    slave-configurations=IoT supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=192.168.100.2/32 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=test.sn.mynetname.net interface=\
    WG-Internal is-responder=yes name="Wojtek - Smartfon" private-key=\
    "" public-key=\
    ""
add allowed-address=0.0.0.0/0 client-address=192.168.100.3/32 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=test.sn.mynetname.net interface=\
    WG-Internal is-responder=yes name="Wojtek - Laptop Prywatny" private-key=\
    "" public-key=\
    ""
add allowed-address=0.0.0.0/0 client-address=192.168.100.4/32 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=test.sn.mynetname.net interface=\
    WG-Internal is-responder=yes name="Wojtek - Laptop Sluzbowy" private-key=\
    "" public-key=\
    ""
add allowed-address=0.0.0.0/0 client-address=192.168.100.5/32 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=test.sn.mynetname.net interface=\
    WG-Internal is-responder=yes name="Tablet - Tab S9" private-key=\
    "" public-key=\
    ""
add allowed-address=0.0.0.0/0 client-address=192.168.100.6/32 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=test.sn.mynetname.net interface=\
    WG-Internal is-responder=yes name="Ania - Smartfon" private-key=\
    "" public-key=\
    ""
add allowed-address=0.0.0.0/0 client-address=192.168.100.7/32 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=test.sn.mynetname.net interface=\
    WG-Internal is-responder=yes name="Ania - Laptop Sluzbowy" private-key=\
    "" public-key=\
    ""
add allowed-address=0.0.0.0/0 client-address=192.168.100.8/32 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=test.sn.mynetname.net interface=\
    WG-Internal is-responder=yes name="Ania - Laptop Prywatny" private-key=\
    "" public-key=\
    ""
/ip address
add address=192.168.1.1/24 interface=Bridge_Local network=192.168.1.0
add address=192.168.100.1/24 interface=WG-Internal network=192.168.100.0
add address=192.168.200.1/24 interface=WG-External network=192.168.200.0
add address=10.10.10.1/24 interface=Management network=10.10.10.0
add address=10.10.20.1/24 interface=LAN_ network=10.10.20.0
add address=10.10.30.1/24 interface=IoT network=10.10.30.0
add address=192.168.88.1/24 interface=ether7 network=192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add disabled=yes interface=Bridge_Local
# Interface not active
add interface=sfp-sfpplus1
add interface=ether1
/ip dhcp-server
add address-pool=management_pool interface=Management name=management_dhcp \
    parent-queue=*FFFFFFFF
add address-pool=lan_pool interface=LAN_ name=lan_dhcp parent-queue=*FFFFFFFF
add address-pool=iot_pool interface=IoT name=iot_dhcp parent-queue=*FFFFFFFF
add address-pool=resque_pool interface=ether7 name=rescue_dhcp parent-queue=\
    *FFFFFFFF
/ip dhcp-server lease
add address=192.168.1.18 client-id=1: mac-address=\
     server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf dns-server=0.0.0.0 gateway=0.0.0.0 \
    netmask=24
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="Accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="WireGuard passthrough" dst-port=\
    13231,13232,51820 in-interface=ether1 protocol=udp
add action=accept chain=input comment="WG Internal allowance" disabled=yes \
    src-address=192.168.100.0/24
add action=accept chain=input comment="WG External allowance" disabled=yes \
    src-address=192.168.200.0/24
add action=accept chain=input comment="CAPsMAN connectivity" dst-port=\
    5246,5247 protocol=udp
add action=drop chain=input comment="Drop invalid traffic" connection-state=\
    invalid
add action=accept chain=input comment="Allow PING" protocol=icmp
add action=accept chain=input comment=\
    "Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="[WinBox]Allow IP connection from LAN" \
    dst-port=8291 protocol=tcp src-address=192.168.1.0/24 src-port=""
add action=drop chain=input comment="Drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop invalid traffic" \
    connection-state=invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Basic NAT" ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment=Hairpin dst-address=!192.168.1.1 \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="WG Internal - Hairpin" \
    dst-address=!192.168.100.0/24 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="WG External - Hairpin" \
    dst-address=!192.168.200.0/24 src-address=192.168.200.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ssh port=1308
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Templar
/system note
set show-at-login=no
/tool e-mail
set from=Templar port=587 server=smtp.gmail.com tls=yes user=
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 23318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard stopped cooperating after the 7.16 upgrade  [SOLVED]

Thu Oct 03, 2024 6:50 pm

Perhaps if you were more honest about the config it would be helpful.
You didn't mention why you have two wireguard interfaces, for example?????

There are many parts of the config that I don't like, but in terms of wireguard, you clearly do not understand how wireguard works.
Your allowed IPs for being the wireguard server for handshake is incorrectly formatted, and also get rid of the useless information and keep it simple.

Allowed IPs on the server for handshake router are to identify
a. for single client peer devices, the assigned wireguard IP
b. for client peer routers, the assigned wireguard IP, plus any remote subnets involved (either coming into the 5009 or local users need to reach).

Thus each client peer on the 5009 should look like:
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=WG-Internal public-key="--key:" comment="pavlovs android"

At the android device itself two options.
a. ONLY SUBNETS on 5009
add allowed-address=192.168.100.0/24,subnetA,subnetB interface=WG-android2 endpoint-address=wanipof5009 endpoint-port=13231 \
    public-key="key***" persistent-keepalive=25s

b. Internet or internet and subnets
add allowed-address=0.0.0.0/0 interface=WG-android2 endpoint-address=wanipof5009 endpoint-port=13231 \
    public-key="key***" persistent-keepalive=25s


To understand why, one has to understand that at the 5009, wireguard routing is two ways.
For incoming traffic, the wireguard acts very much like a filter, and only allows incoming source addresses that are on the allowed IPs.........
More importantly in your case, for outgoing traffic the wireguard FIRST matches the destination address, to existing allowed IP entries and goes in the order of which they are listed on the router config.
Then the traffic is routed out the proper peer ( matching and filtering process ).

It should be clear that when a local user puts in any address ( any of the client peers), it will always match on the first peer. Now realistically no one on the subnets will be wanting to access android devices, but this would be true if all the client peers were routers or for some reason, it was a laptop that an admin wanted to access to make some changes.
What is more important is that all return traffic will also be captured by this fact.

When the android device accesses the internet or subnet on the 5009, what happens to the return traffic???
The router says Okay, traffic source was from 192.168.100.6 and I know based on the wireguard subnet that the return traffic has to go back out the wireguard tunnel.
The wireguard protocol then does the matching and filtering.......... ( assuming firewall rules allow return traffic to enter wireguard tunnel )
and it says okay let me look for the source address (in this case the destination address of return traffic) of 192.168.100.3.
It checks peers in the order they are entered so the first peer the wireguard protocol hits is
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=192.168.100.2/32 client-dns=\
1.1.1.1,8.8.8.8 client-endpoint=test.sn.mynetname.net interface=\
WG-Internal is-responder=yes name="Wojtek - Smartfon" private-key=\
"" public-key=\


Since 0.0.0.0/0 captures ALL IPs, the router says, perfect, it matches the first peer and sends the response to 192.168.100.2 instead, and guess what, the android device at the other end rejects the traffic as it's not valid (never requested by that device).

Remember wireguard is peer to peer traffic. The Server for handshake has to be able to distinguish each peer client.
If you need for some reason to have a 0.0.0.0/0 connection to perhaps another router, then one has to use a separate wireguard interface.
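As an added example (not code from this thread, from anav, or from MikroTik), the following Python script models the allowed-address matching described in the reply above, covering both the per-peer /32 recommendation near the top and the return-traffic walkthrough below it. It parses the `/interface wireguard peers` section of a RouterOS export, flags peers on the same interface whose allowed-address ranges overlap, and resolves which peer a packet for a given destination would be handed to. Assumptions: the lookup is modelled as longest-prefix match with ties broken by export order; the two export snippets and the key values are constructed placeholders, not real keys.

```python
"""Model of WireGuard allowed-address ("cryptokey routing") lookup on a
RouterOS interface. Added example, not code from the thread or from MikroTik.

Assumption: the destination lookup is longest-prefix match with ties broken
by the order peers appear in the export. Sample exports are constructed and
key values are placeholders.
"""
import ipaddress
import re
import shlex

# Constructed sample: the shape of the original post's peers, trimmed to three.
BROKEN_EXPORT = r"""
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=192.168.100.2/32 client-dns=\
    1.1.1.1,8.8.8.8 interface=WG-Internal is-responder=yes \
    name="Wojtek - Smartfon" public-key="PUBLIC_KEY_PLACEHOLDER_2"
add allowed-address=0.0.0.0/0 client-address=192.168.100.3/32 client-dns=\
    1.1.1.1,8.8.8.8 interface=WG-Internal is-responder=yes \
    name="Wojtek - Laptop Prywatny" public-key="PUBLIC_KEY_PLACEHOLDER_3"
add allowed-address=0.0.0.0/0 client-address=192.168.100.6/32 client-dns=\
    1.1.1.1,8.8.8.8 interface=WG-Internal is-responder=yes \
    name="Ania - Smartfon" public-key="PUBLIC_KEY_PLACEHOLDER_6"
"""

# Constructed sample: the same peers with one /32 each, as the reply recommends.
FIXED_EXPORT = r"""
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=WG-Internal is-responder=yes \
    name="Wojtek - Smartfon" public-key="PUBLIC_KEY_PLACEHOLDER_2"
add allowed-address=192.168.100.3/32 interface=WG-Internal is-responder=yes \
    name="Wojtek - Laptop Prywatny" public-key="PUBLIC_KEY_PLACEHOLDER_3"
add allowed-address=192.168.100.6/32 interface=WG-Internal is-responder=yes \
    name="Ania - Smartfon" public-key="PUBLIC_KEY_PLACEHOLDER_6"
"""


def parse_peers(export_text):
    """Return one dict per `add ...` line under /interface wireguard peers.
    RouterOS wraps long export lines with a trailing backslash; join them first."""
    joined = re.sub(r"\\\n\s*", "", export_text)
    peers = []
    in_section = False
    for raw in joined.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            in_section = (line == "/interface wireguard peers")
            continue
        if not in_section or not line.startswith("add "):
            continue
        fields = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            fields[key] = value
        fields["allowed"] = [
            ipaddress.ip_network(a, strict=False)
            for a in fields.get("allowed-address", "").split(",") if a
        ]
        peers.append(fields)
    return peers


def overlapping_peers(peers):
    """List (name_a, name_b, net_a, net_b) for peer pairs on the same interface
    whose allowed-address ranges overlap: the interface cannot tell them apart."""
    issues = []
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            if a.get("interface") != b.get("interface"):
                continue
            for na in a["allowed"]:
                for nb in b["allowed"]:
                    if na.overlaps(nb):
                        issues.append((a.get("name"), b.get("name"), str(na), str(nb)))
    return issues


def select_peer(peers, interface, dst):
    """Name of the peer a packet for `dst` leaving `interface` is sent to, or
    None. Longest-prefix match, ties resolved by export order (assumption)."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for p in peers:
        if p.get("interface") != interface:
            continue
        for net in p["allowed"]:
            if dst_ip in net and net.prefixlen > best_len:
                best, best_len = p.get("name"), net.prefixlen
    return best


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        peers = parse_peers(export)
        print(f"[{label}] overlaps: {overlapping_peers(peers)}")
        # Return traffic for the laptop at 192.168.100.3, as in the walkthrough.
        print(f"[{label}] 192.168.100.3 -> {select_peer(peers, 'WG-Internal', '192.168.100.3')}")
```

With the broken export every pair overlaps and a reply for 192.168.100.3 lands on the first peer listed; with one /32 per peer there are no overlaps, each address resolves to its own peer, and an address outside the tunnel subnet matches no peer at all.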
 
gfunkdave
Frequent Visitor
Posts: 96
Joined: Tue Jan 09, 2018 12:05 am

Re: WireGuard stopped cooperating after the 7.16 upgrade

Thu Oct 03, 2024 6:58 pm

Yeah, that Wireguard configuration makes no sense. I would delete it all and start from scratch.

Reread the documentation on what Allowed IPs are and how they work. anav's guidance is solid.
 
Artemisfo
just joined
Topic Author
Posts: 2
Joined: Thu Oct 03, 2024 5:46 pm
Location: Poland

Re: WireGuard stopped cooperating after the 7.16 upgrade

Thu Oct 03, 2024 10:21 pm

Alright, thanks anav for the very elaborate reply guiding me in the right direction. I do think though that we could sum it up nicely in a couple of sentences as opposed to the whole paper complimenting my config file :) I do sincerely appreciate your help! Everyone gotta start somehow and somewhere once, right?

So I changed the allowed addresses as per your guidance and everything is back to normal operation.
Perhaps if you were more honest about the config it would be helpful.
You didn't mention why you have two wireguard interfaces, for example?????
Yikes, this sounds a little too strong, but I was kinda expecting that after reading through a couple of other posts of yours. I consider it anav's staple!
P.S. The second wireguard interface is not relevant at all and I really did not count it as part of the equation. There's no being dishonest or hiding things from anyone here.
 
anav
Forum Guru
Posts: 23318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard stopped cooperating after the 7.16 upgrade

Fri Oct 04, 2024 3:18 am

Concur; not in this case, but it's often true that the more that is described up front about the requirements that led you to two wireguard interfaces, the more holistic the solution will be, ensuring all use cases are thought of/included.