klaproos
just joined
Topic Author
Posts: 5
Joined: Mon Nov 26, 2018 10:34 pm
Location: Netherlands

Wireguard multiple road warriors

Wed Dec 22, 2021 10:16 pm

Hi, installed v7.1 last week, and activated Wireguard on my Android phone, works like a charm!

After adding a 2nd peer for my Android tablet, both phone and tablet fail to get a connection via Wireguard.
When disabling the 2nd peer, the phone (1st peer) is still not able to connect.
Only after a reboot, Wireguard on the phone (1st peer) is working again.

Seems a bug, does anyone have the same experience, and/or possibly a solution?
Current version used: 7.1.1
 
swisstico
just joined
Posts: 19
Joined: Sat Dec 12, 2015 6:10 am
Contact:

Re: Wireguard multiple road warriors

Wed Dec 22, 2021 10:34 pm

Hi,

We got this issue when "peers" are in the same network; try to change the /interface wireguard peers > allowed-address=xxx.xxx.xxx.xxx/32 on the router.
You can keep your /ip address of the router with a /24 (for example) so devices can communicate together.

A working configuration:
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-server

/interface wireguard peers
add allowed-address=192.168.89.2/32 comment="Device 1" interface=wireguard-server public-key="[YourPublicKey]="
add allowed-address=192.168.89.3/32 comment="Device 2" interface=wireguard-server public-key="[YourPublicKey]="
add allowed-address=192.168.89.4/32 comment="Device 3" interface=wireguard-server public-key="[YourPublicKey]="
add allowed-address=192.168.89.5/32 comment="Device 4" interface=wireguard-server public-key="[YourPublicKey]="

/ip address
add address=192.168.89.1/24 comment="WIREGUARD VPN" interface=wireguard-server

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
We did the test on top of the default config, so the internal network is 192.168.88.0/24 and we added the VPN network on 192.168.89.0/24. For the tests, we disabled all default firewall rules and added those, but DON'T DO IT FOR PRODUCTION!

If you want the VPN clients to be able to talk to the internal network (192.168.88.0/24) but not between clients, add this line in the firewall:
/ip firewall filter add action=drop chain=forward disabled=yes dst-address=192.168.89.0/24 src-address=192.168.89.0/24
It's a lab and only tests for now, but maybe it can help you.

Best Regards,
 
klaproos
just joined
Topic Author
Posts: 5
Joined: Mon Nov 26, 2018 10:34 pm
Location: Netherlands

Re: Wireguard multiple road warriors

Wed Dec 22, 2021 10:43 pm

Hi Swisstico, thanks for your tip,
Just changed allowed-address to the IP address of the device with /32 and now it's working fine!
 
gittubaba
newbie
Posts: 30
Joined: Thu May 31, 2018 5:55 pm

Re: Wireguard multiple road warriors

Sat Dec 25, 2021 3:24 am

Hijacking this thread to say that I have the same problem. My "client" devices are from an ISP without any static IP, and they are behind NAT, so I can't set their address in the server. Any idea how to solve this? If I have more than one peer with their public keys, no client can handshake/connect. Seems like Mikrotik needs another criteria to "distinguish" the peers? Is there any solution to this? Or I may have to fall back to using l2tp. Public key in wireguard will be used similar to how username/password is used in l2tp.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard multiple road warriors

Sat Dec 25, 2021 4:24 am

I don't see what the problem is. Peers are identified by their public keys, one peer, one key. You can have as many as you want even behind same NAT, and it works just fine.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Wireguard multiple road warriors

Sat Dec 25, 2021 4:28 am

I think gittubaba misunderstands the configuration, they think that the address must be the address that the client is actually connecting from (like the public IP) rather than the IP that you have assigned them in the private wireguard subnet that has been created.
 
gittubaba
newbie
Posts: 30
Joined: Thu May 31, 2018 5:55 pm

Re: Wireguard multiple road warriors

Sat Dec 25, 2021 4:35 am

Yes, I think I misunderstood the allowed-address setting. I had originally set allowed-address 0.0.0.0/0 for all peers. I got some more info from other wireguard thread. I'll try again tomorrow with that.

Edit: setting allowed-address=10.x.x.2/32, allowed-address=10.x.x.3/32 for each peer solved the problem.
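An added example (not from this thread or from MikroTik) that catches the misconfiguration behind both swisstico's /32 fix and gittubaba's 0.0.0.0/0 mistake: it parses `/interface wireguard peers` export lines and reports peers on the same interface whose allowed-address prefixes overlap, which is what stops a second road warrior from being routed to. The peer comments, key placeholders and addresses in the two samples are constructed for the example.

```python
import ipaddress
import shlex

# Constructed sample in the shape of the export posted above, with the allowed-address values that break multiple road warriors.
BROKEN_PEERS = """\
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="phone" interface=wireguard-server public-key="[KeyA]="
add allowed-address=0.0.0.0/0 comment="tablet" interface=wireguard-server public-key="[KeyB]="
add allowed-address=192.168.89.0/24 comment="laptop" interface=wireguard-server public-key="[KeyC]="
"""

# Constructed sample of the corrected form: one /32 (or /128) per peer.
FIXED_PEERS = """\
/interface wireguard peers
add allowed-address=192.168.89.2/32 comment="phone" interface=wireguard-server public-key="[KeyA]="
add allowed-address=192.168.89.3/32 comment="tablet" interface=wireguard-server public-key="[KeyB]="
add allowed-address=192.168.89.4/32,fd00::4/128 comment="laptop" interface=wireguard-server public-key="[KeyC]="
"""

def parse_peers(export_text):
    """Return one dict per 'add ...' line, keyed by RouterOS property name."""
    peers = []
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line.startswith("add "):
            continue  # skip the menu path line and blanks
        peer = {}
        for token in shlex.split(line)[1:]:  # shlex honours the quotes around values
            key, _, value = token.partition("=")
            peer[key] = value
        # allowed-address may hold a comma-separated list of IPv4/IPv6 prefixes
        peer["_networks"] = [ipaddress.ip_network(c, strict=False)
                             for c in peer.get("allowed-address", "").split(",") if c]
        peers.append(peer)
    return peers

def find_overlaps(peers):
    """Return (commentA, prefixA, commentB, prefixB) for each overlapping pair on one interface."""
    # WireGuard maps destination address -> peer, so overlapping prefixes on one interface cannot both be reached.
    findings = []
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            if a.get("interface") != b.get("interface"):
                continue
            for na in a["_networks"]:
                for nb in b["_networks"]:
                    if na.version == nb.version and na.overlaps(nb):
                        findings.append((a.get("comment"), str(na), b.get("comment"), str(nb)))
    return findings
```

Run `find_overlaps(parse_peers(text))` on the output of `/interface wireguard peers export`; an empty list means every peer owns a distinct slice of the tunnel subnet.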
