Fasterski
just joined
Topic Author
Posts: 17
Joined: Sun Dec 23, 2018 8:07 pm

WireGuard - multiple instances

Sat Dec 14, 2024 7:42 pm

Hi there,
I came across weird behaviour (or perhaps it is my lack of understanding of how MK implemented WG) when I added a site-to-site WG configuration. In a nutshell, I have had my mobile and laptops connect to my WG home router for some time now and it worked flawlessly.
I decided to replace a PPP S2S connection with WireGuard, which was proving a challenge until I started looking at the logs. What I found was that the S2S tunnels were trying to connect to the phone/laptop WG instance, resulting in failure due to mismatched public keys; once I temporarily disabled that WG site, the S2S remote location connected no problem.

I do have the sites and the remote site configured on different ports so they would not conflict, yet the remote site for some reason seems to be getting the phone/laptop site to respond.


What am I missing? Or is this a bug?

Thanks in advance.
 
hapoo
Frequent Visitor
Posts: 60
Joined: Wed Apr 24, 2019 1:35 am

Re: WireGuard - multiple instances

Sat Dec 14, 2024 7:50 pm

Likely a configuration mistake. Please post your config for both the router and remote locations. (Hide keys)
 
holvoetn
Forum Guru
Posts: 6825
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard - multiple instances

Sat Dec 14, 2024 8:06 pm

Pay attention to which public key you place where and make sure each peer has a unique address.

If that doesn't help, indeed post config for review.
All peers.
 
Fasterski
just joined
Topic Author
Posts: 17
Joined: Sun Dec 23, 2018 8:07 pm

Re: WireGuard - multiple instances

Sun Dec 15, 2024 4:09 am

Here is the config for WireGuard on both ends.

Main Site
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=WG-HQ
add listen-port=13232 mtu=1420 name=WG-S2S
/interface wireguard peers
add allowed-address=10.10.100.2/32,192.168.220.0/24 interface=WG-S2S name=WG-Kubara public-key="-+PK MK interface+-"
add allowed-address=10.10.0.3/32 comment=iPhone16Pro interface=WG-HQ name=iphone16pro public-key="-+phone PK+-"

/ip address
add address=10.10.100.1/24 comment="WG 2412" interface=WG-S2S network=10.10.100.0

Remote Site
/interface wireguard
add listen-port=13232 mtu=1420 name=WG-Kubara
/interface wireguard peers
add allowed-address=10.10.100.1/32,192.168.26.0 endpoint-address=myhomeendpoint endpoint-port=13232 interface=WG-Kubara name="WG-S2S Kubara" persistent-keepalive=10m public-key="-+PK MK interface+-"

/ip address
add address=10.10.100.2/24 interface=WG-Kubara network=10.10.100.0

The one for the iPhone Pro worked for ages. Now, to get the remote site to work, I need to disable the WG-S2S site on the main router. Only then does the remote site connect, but obviously my iPhone does not, as the interface for it is disabled.

Hope this illustrates the problem I have.
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - multiple instances

Sun Dec 15, 2024 5:06 am

Well, from the limited information provided, you have the WG main site disabled.
Other than that,
change your Remote SITE settings for allowed IPs to 10.100.100.0/24,192.168.26.0

This will give you the opportunity to wireguard into the S2S site from the iphone.
On the wireguard main forward chain ensure you include a rule.
add chain=forward action=accept comment="wg relay" in-interface=WG-HQ out-interface=WG-HQ

Note on the main site you will need a route
/ip route
add dst-address=192.168.220.0/24 gateway=WG-HQ table=main


Similarly on the S2S site
/ip route
add dst-address=192.168.26.0/24 gateway=WG-Kubara table=main


Without both configs, no more help is possible.
/export file=anynameyouwish (minus router serial number, any public WANIP information, vpn keys etc, )
 
Fasterski
just joined
Topic Author
Posts: 17
Joined: Sun Dec 23, 2018 8:07 pm

Re: WireGuard - multiple instances

Sun Dec 15, 2024 6:33 pm

Thanks anav,

The reason the first site is disabled is so that my remote site works.

I do want to keep them separate (one for iPhones/laptops/tablets, the road-warrior scenario, and a second for the S2S).

The problem is that for some reason the S2S (Kubara) somehow wants to connect to the WG-HQ site even though the ports are different for both. Only if I disable the WG-HQ site (interface) does it skip over to the WG-S2S. Should it do that?

Just to reiterate, the S2S configuration is working and routing if WG-HQ is disabled. What I do not get is why the remote site is trying to connect on port 13231 even though it is configured for 13232.

To answer other questions I don't need to have the phones to connect to the remote site.

I do have the routes set as you have stated. The configuration is huge so I thought I would only post the one related to WG.

So here it is again, updated with routes.


Main Site
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=WG-HQ
add listen-port=13232 mtu=1420 name=WG-S2S
/interface wireguard peers
add allowed-address=10.10.100.2/32,192.168.220.0/24 interface=WG-S2S name=WG-Kubara public-key="-+PK MK interface+-"
add allowed-address=10.10.0.3/32 comment=iPhone16Pro interface=WG-HQ name=iphone16pro public-key="-+phone PK+-"

/ip address
add address=10.10.100.1/24 comment="WG 2412" interface=WG-S2S network=10.10.100.0


/ip route
add comment=WireGuard-Kubara disabled=no distance=1 dst-address=192.168.220.0/24 gateway=WG-S2S routing-table=main scope=30 suppress-hw-offload=no target-scope=10

this route is added once the interface is started
DAc 10.10.100.0/24 WG-S2S 0

Remote Site
/interface wireguard
add listen-port=13232 mtu=1420 name=WG-Kubara
/interface wireguard peers
add allowed-address=10.10.100.1/32,192.168.26.0 endpoint-address=myhomeendpoint endpoint-port=13232 interface=WG-Kubara name="WG-S2S Kubara" persistent-keepalive=10m public-key="-+PK MK interface+-"

/ip address
add address=10.10.100.2/24 interface=WG-Kubara network=10.10.100.0

/ip route
add comment="WireGuard - 6.x Backups" disabled=no distance=1 dst-address=192.168.26.0/24 gateway=WG-Kubara pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

this route is added once the interface is started
DAc 10.10.100.0/24 WG-Kubara 0

Is there any other configuration related to WG I need to share to help me solve this issue?
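Added example, not from this thread and not MikroTik code: a small Python checker for the two exports posted above. It reads the configs (copied here as constructed sample input, with the placeholder keys exactly as posted; the "/ip address" section header is an assumption, since the posts show only the add lines) and reports mechanically what holvoetn and anav asked to verify by eye: a disabled interface, an allowed-address entry without a prefix length (WireGuard's cryptokey routing takes a bare address as a single /32 host), whether the port the remote dials lands on a main-site interface that actually carries a peer allowing the remote tunnel address, and whether both tunnel addresses share a subnet. It goes slightly beyond the thread by also flagging reused peer keys and overlapping allowed-address ranges on one interface.

```python
"""Consistency checks for a two-site RouterOS WireGuard export (added example)."""
import ipaddress
import shlex

# Constructed sample input: the two configs posted in this thread, keys are the
# placeholders as posted. The "/ip address" header is assumed; the posts omit it.
MAIN_SITE = """
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=WG-HQ
add listen-port=13232 mtu=1420 name=WG-S2S
/interface wireguard peers
add allowed-address=10.10.100.2/32,192.168.220.0/24 interface=WG-S2S name=WG-Kubara public-key="-+PK MK interface+-"
add allowed-address=10.10.0.3/32 comment=iPhone16Pro interface=WG-HQ name=iphone16pro public-key="-+phone PK+-"
/ip address
add address=10.10.100.1/24 comment="WG 2412" interface=WG-S2S network=10.10.100.0
"""

REMOTE_SITE = """
/interface wireguard
add listen-port=13232 mtu=1420 name=WG-Kubara
/interface wireguard peers
add allowed-address=10.10.100.1/32,192.168.26.0 endpoint-address=myhomeendpoint endpoint-port=13232 interface=WG-Kubara name="WG-S2S Kubara" persistent-keepalive=10m public-key="-+PK MK interface+-"
/ip address
add address=10.10.100.2/24 interface=WG-Kubara network=10.10.100.0
"""


def parse_export(text):
    """Turn '/section' headers and 'add k=v ...' lines into {section: [dict, ...]}."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
            cfg.setdefault(section, [])
        elif line.startswith("add ") and section:
            entry = {}
            for tok in shlex.split(line[4:]):      # shlex keeps quoted values whole
                key, _, val = tok.partition("=")   # real base64 keys may end in '='
                entry[key] = val
            cfg[section].append(entry)
    return cfg


def _allowed(peer):
    return [a.strip() for a in peer.get("allowed-address", "").split(",") if a.strip()]


def _net(addr):
    # WireGuard cryptokey routing: a bare address means a single host (/32).
    return ipaddress.ip_network(addr, strict=False)


def check_site(site, cfg):
    """Per-router findings: disabled interfaces, bare allowed-addresses,
    reused peer keys, overlapping allowed-addresses on one interface."""
    out = []
    ifaces = {i["name"]: i for i in cfg.get("/interface wireguard", [])}
    for i in ifaces.values():
        if i.get("disabled") == "yes":
            out.append(f"{site}: interface {i['name']} is disabled; its peers cannot connect")
    seen_keys, seen_nets = {}, {}
    for p in cfg.get("/interface wireguard peers", []):
        name, key, iface = p.get("name", "?"), p.get("public-key"), p.get("interface")
        if key in seen_keys:
            out.append(f"{site}: peer {name} reuses the public key of {seen_keys[key]}")
        seen_keys[key] = name
        if iface not in ifaces:
            out.append(f"{site}: peer {name} references unknown interface {iface}")
        for a in _allowed(p):
            if "/" not in a:
                out.append(f"{site}: peer {name} allowed-address {a} has no prefix length; "
                           f"WireGuard treats it as the single host {a}/32")
            net = _net(a)
            for (i2, n2), other in seen_nets.items():
                if i2 == iface and other != name and net.overlaps(n2):
                    out.append(f"{site}: allowed-address {a} on {name} overlaps {n2} on {other} ({iface})")
            seen_nets[(iface, net)] = name
    return out


def check_pairing(main_cfg, remote_cfg):
    """Cross-site findings: the port a remote peer dials must belong to an enabled
    main-site interface carrying a peer that allows the remote tunnel address,
    and both tunnel addresses must sit in the same subnet."""
    out = []
    by_port = {i.get("listen-port"): i for i in main_cfg.get("/interface wireguard", [])}
    main_peers = main_cfg.get("/interface wireguard peers", [])
    main_addrs = {a["interface"]: ipaddress.ip_interface(a["address"]) for a in main_cfg.get("/ip address", [])}
    remote_addrs = {a["interface"]: ipaddress.ip_interface(a["address"]) for a in remote_cfg.get("/ip address", [])}
    for rp in remote_cfg.get("/interface wireguard peers", []):
        port = rp.get("endpoint-port")
        if not port:
            continue  # passive peer, nothing to dial
        iface = by_port.get(port)
        if iface is None:
            out.append(f"remote: peer {rp['name']} dials port {port} but main listens on {sorted(p for p in by_port if p)}")
            continue
        if iface.get("disabled") == "yes":
            out.append(f"remote: peer {rp['name']} dials main port {port} ({iface['name']}), which is disabled")
        tunnel = remote_addrs.get(rp.get("interface"))
        if tunnel is None:
            out.append(f"remote: interface {rp.get('interface')} has no /ip address")
            continue
        if not any(mp.get("interface") == iface["name"] and any(tunnel.ip in _net(a) for a in _allowed(mp))
                   for mp in main_peers):
            out.append(f"main: no peer on {iface['name']} lists {tunnel.ip} in allowed-address; "
                       f"traffic from the remote tunnel address would be dropped")
        main_ip = main_addrs.get(iface["name"])
        if main_ip and main_ip.network != tunnel.network:
            out.append(f"tunnel subnets differ: main {main_ip} vs remote {tunnel}")
    return out


def audit(main_text=MAIN_SITE, remote_text=REMOTE_SITE):
    main, remote = parse_export(main_text), parse_export(remote_text)
    return check_site("main", main) + check_site("remote", remote) + check_pairing(main, remote)


if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
```

Run as a script it prints one line per finding. On the exports as posted it reports exactly two things: WG-HQ is disabled, and the remote peer's 192.168.26.0 entry has no prefix length; the 13232 pairing, the peer on WG-S2S allowing 10.10.100.2, and the shared 10.10.100.0/24 tunnel subnet all pass. Export from the routers with "/export" and paste the real output in place of the sample strings; keys never need to leave the router for these checks, since only their reuse is examined.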
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - multiple instances

Fri Dec 27, 2024 3:40 pm

Cannot help further without some context.
Draw a diagram showing the devices at both ends of the tunnel.
Also the full config of the MT and the second device if MT and if not at least the wireguard settings minus any actual public WANIP information or keys.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
 
mozerd
Forum Veteran
Posts: 936
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: WireGuard - multiple instances

Fri Dec 27, 2024 6:55 pm

Here is the config for WireGuard on both ends.

Main Site
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=WG-HQ
add listen-port=13232 mtu=1420 name=WG-S2S
To the MAIN Site
You've assigned one WireGuard interface called "wireguard" 2 listening ports ... IMO this is wrong -- you can achieve your objective if you assign the Main Site 2 WireGuard Interfaces - each with its own listening ports etc. and in that way you have effective separation for your remote objectives ...

It's not that you cannot have multiple listening ports on the same interface -- you can -- but that introduces another level of complexity, like dst-nat rules for redirection ...
Another advantage to the method I suggest is you will have a performance improvement for your remote users -- that has been my experience ...
 
anav
Forum Guru
Posts: 22089
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard - multiple instances

Fri Dec 27, 2024 10:06 pm

Mozerd, I think you're saying one WireGuard interface, and simply use two IP addresses, one for each purpose, with the same interface name.
