Wireguard config help

cneg1485 · Thu Jan 09, 2025 7:24 pm

I currently have an ubuntu vps acting as a wireguard server. I can connect different devices to the server successfully from inside my home network and with celular data. I currently have tmobile home internet. I connected an rb952 to the tmobile router and configured the wireguard interface and peer. The mikrotik would be acting as a client. ROuter has No default configuration. I can access the internet with devices connected to the mikrotik wifi thats acting as a bridge but wireguard is not doing the handshaking with the server. Any ideas?

# 2025-01-09 17:22:09 by RouterOS 7.16.2
# software id = U13N-3S1V
#
# model = RB952Ui-5ac2nD
# serial number =
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireguard
add listen-port=51820 mtu=1420 name=wg1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=all
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=10.8.0.7/24 client-dns=1.1.1.1 \
client-endpoint=XX>XX.XX.XX client-listen-port=51820 endpoint-address=\
XX.XX.XX.XX endpoint-port=51820 interface=wg1 name=peer1 preshared-key=\
"NiBmzxcmYgVf7KoPcweqhnGvfjMlYUbsxr7ITh9p4NA=" private-key=\
"8H/xgcG5EOys0I/BNIO8O8yFWJXzJVQyVFb7t96bOmk=" public-key=\
"6B4Rg1yE4arG10Mf1phPwbYE7AZ4HHSkloi7s2Va420="
/ip address
add address=10.8.0.7/24 interface=wg1 network=10.8.0.0
/ip dhcp-client
add interface=bridge1
/system note
set show-at-login=no

anav · Thu Jan 09, 2025 11:10 pm

I suspect you may need the MT to act as a router vice switch/bridge?

cneg1485 · Fri Jan 10, 2025 12:53 am

I suspect you may need the MT to act as a router vice switch/bridge?

the MT has a bridge configured and all the ports are inside that bridge, the bridge is receiving ip from the Tmobile router, if thats what you mean. But if you mean putting the Tmobile router in bridge mode, not able to do that, tmobile router is restricted

jaclaz · Fri Jan 10, 2025 1:39 am

I presume that the XX.XX.XX.XX is not on the same network 10.8.0.0/24, right?
Can you ping successfully the XX.XX.XX.XX endpoint address from the router?
If not, which error do you get?

cneg1485 · Fri Jan 10, 2025 1:50 am

I presume that the XX.XX.XX.XX is not on the same network 10.8.0.0/24, right?
Can you ping successfully the XX.XX.XX.XX endpoint address from the router?
If not, which error do you get?

the endpoint address is 74.208.xx.xx
from the MT router i can ping google but no the endpoint, timeout
on my windows machine i also cant ping the endpoint but that does not prevent me from connecting other devices to the wireguard tunnel

flintham12 · Fri Jan 10, 2025 1:50 am

It sounds like the Mikrotik router may not have the correct routes or NAT configuration for WireGuard traffic.
Debug with `/log print` or `torch` to see if packets are leaving and returning correctly.

cneg1485 · Fri Jan 10, 2025 3:12 am

It sounds like the Mikrotik router may not have the correct routes or NAT configuration for WireGuard traffic.
Debug with `/log print` or `torch` to see if packets are leaving and returning correctly.

jaclaz · Fri Jan 10, 2025 2:54 pm

UNfortunately the "timeout" in the ping could be due to anything along the connection, including the remote 74.208.xx.xx prevented from replying to ICMP requests (newish windows as an example have a firewall rule that prevents replying from pings coming from outside the local lan), but it could as well be something in the local router settings.

I am still not convinced that the router can reach the endpoint.

/tool traceroute?

And tracert on windows?

cneg1485 · Fri Jan 10, 2025 4:01 pm

UNfortunately the "timeout" in the ping could be due to anything along the connection, including the remote 74.208.xx.xx prevented from replying to ICMP requests (newish windows as an example have a firewall rule that prevents replying from pings coming from outside the local lan), but it could as well be something in the local router settings.

I am still not convinced that the router can reach the endpoint.

/tool traceroute?

And tracert on windows?

[admin@MikroTik] > /tool traceroute
address: 66.179.191.147
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV
1 172.20.10.1 0% 1 4.8ms 4.8 4.8 4.8 0
2 100% 1 timeout
3 100% 1 timeout
4 100% 1 timeout
5 100% 1 timeout
6 100% 1 timeout
7 100% 1 timeout
8 100% 1 timeout
9 0% 1 0ms

I suspect I am missing something in the configuration in the mikrotik cause if it take the wireguard config and put it in my iPhone or my computer, i can connect to the wireguard server no matter the network i am connected to( home wifi, office wifi, or celullar data), but the mikrotik doesnt, i may be missing some configuration but cant figure it out

jaclaz · Fri Jan 10, 2025 8:18 pm

Well it gets to 172.20.10.1 (and stops there) .
What is that address?
Your network gateway?
I don't really understand how it even gets there without a route (I was suspecting a ping error of "no route to host".).
Anyway, post the output of:

/ip address print

and of

/ip route print

so that we can check what is created dynamically.

cneg1485 · Fri Jan 10, 2025 10:35 pm

Well it gets to 172.20.10.1 (and stops there) .
What is that address?
Your network gateway?
I don't really understand how it even gets there without a route (I was suspecting a ping error of "no route to host".).
Anyway, post the output of:
Code: Select all
/ip address print
and of
Code: Select all
/ip route print
so that we can check what is created dynamically.

wrong output on top

[admin@MikroTik] > /tool traceroute
address: 74.208.197.52
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
# ADDRESS LOSS SENT LAST AVG BEST WORST STD-DEV
1 192.168.12.1 0% 1 0.6ms 0.6 0.6 0.6 0
2 192.0.0.1 0% 1 7.8ms 7.8 7.8 7.8 0
3 100% 1 timeout
4 100% 1 timeout
5 100% 1 timeout
6 100% 1 timeout
7 100% 1 timeout
8 100% 1 timeout
9 100% 1 timeout
10 100% 1 timeout
11 100% 1 timeout
12 100% 1 timeout
13 100% 1 timeout
14 100% 1 timeout
15 100% 1 timeout
16 0% 1 0ms

[admin@MikroTik] > /ip address print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 D 192.168.12.164/24 192.168.12.0 ether1
1 10.8.0.2/24 10.8.0.0 wg1

[admin@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 192.168.12.1 1
DAc 10.8.0.0/24 wg1 0
DAc 192.168.12.0/24 ether1 0

The 192.168.12.0/24 is my home network, 10.8.0.0 is wireguard network

anav · Fri Jan 10, 2025 10:41 pm

# model = RB952Ui-5ac2nD
# serial number =
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=wg1 list=WAN
add interface=bridge1 list=LAN
/ip pool
add name=bridge-pool ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=bridge-pool interface=bridge1 name=bridge-server
/interface wireguard
add listen-port=62220 mtu=1420 name=wg1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
etc.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=XX.XX.XX.XX endpoint-port=51820 \
interface=wg1 name=peer1 preshared-key="=" private-key="-=" public-key="="
/ip address
add address=10.8.0.7/24 interface=wg1 network=10.8.0.0
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dhcp-client
add interface=ether1 default route=yes peer-dns=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

cneg1485 · Sat Jan 11, 2025 1:34 am

# model = RB952Ui-5ac2nD
# serial number =
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=wg1 list=WAN
add interface=bridge1 list=LAN
/ip pool
add name=bridge-pool ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=bridge-pool interface=bridge1 name=bridge-server
/interface wireguard
add listen-port=62220 mtu=1420 name=wg1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
etc.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=XX.XX.XX.XX endpoint-port=51820 \
interface=wg1 name=peer1 preshared-key="=" private-key="-=" public-key="="
/ip address
add address=10.8.0.7/24 interface=wg1 network=10.8.0.0
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dhcp-client
add interface=ether1 default route=yes peer-dns=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

I did the config but still the mikrotik is not doing the handshaking. I can use the same wireguard configuration in other devices connected to the same network where the mikrotik gets the ip from and i can connect to the wireguard server successfully. here is the config:

# 2025-01-10 18:52:59 by RouterOS 7.16.2
# software id = U13N-3S1V
#
# model = RB952Ui-5ac2nD
# serial number =
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge ssid=MikroTik
/interface wireguard
add listen-port=51820 mtu=1420 name=wg1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=bridge-pool ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=bridge-pool interface=bridge1 name=bridge-server
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=wg1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=66.179.XX.XX endpoint-port=\
51820 interface=wg1 name="VPN 66" persistent-keepalive=25s preshared-key=\
"+FRlZLci8s37J6Hv2kS3IfeTpAp6AJVX6o//287zc8w=" private-key=\
"aPulCKJTSxqdIZltXWROU9xQjPj7uErfbuqKhyTZHXc=" public-key=\
"iA1OmT/fKNfLeQyh5OrK04/qyfQBtW0wLpcRvJLi22w="
/ip address
add address=10.8.0.2/24 interface=wg1 network=10.8.0.0
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock
set time-zone-name=
/system note
set show-at-login=no

cneg1485 · Sat Jan 11, 2025 1:40 am

The server info is not showing on the circled part as it should when the handshaking is successful but is still not showing anything

Wireguard config help

Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help

Re: Wireguard config help