Multiple WG clients(peers) per WG service

Posted: Sat Mar 27, 2021 5:23 pm
by ykleet
Multiple WireGuard clients (peers) connect to one WireGuard service.

My purpose is to allow WireGuard clients to communicate with each other. If I create one WG service and connect 1 peer to it, everything works well.
If I create two WG services, allow one peer to connect to each service, and create a routing rule to allow communication between the WireGuard peers, then everything works as expected too.
But if only one service is created and 2 peers are allowed to connect, the service seems to crash every time the second peer tries to connect.

I am not sure whether multiple peers per WireGuard service are allowed and, if yes, how to configure it. Please advise, and thanks in advance.

Re: Multiple WG clients(peers) per WG service

Posted: Fri May 28, 2021 10:35 am
by lucidnx
Hello! I am facing this issue too, on the latest ROS 7.1beta6.
1 peer - working perfectly
2 or more peers - after the first one connects, the others are unable to receive data from ROS. In rare situations, it can even drop the connection for the first peer (the one that is successfully connected)

What may help in this situation is to restart the service, but the only thing that works for me now is to change the peer's config (anything, just to re-save the whole peer config). Only this peer can be connected afterwards without issue.

Re: Multiple WG clients(peers) per WG service

Posted: Fri May 28, 2021 6:01 pm
by haagen6000
Hi,

I'm having exactly the same issue, I've stumbled upon this yesterday, behavior is exactly as described by guys before me. It really is disappointing.

Version: ROS 7.1beta6

Re: Multiple WG clients(peers) per WG service

Posted: Sun May 30, 2021 10:00 pm
by anav
Interesting. All I can say is that, using Beta5, I can connect an external PC and my iPhone.
I am using two different WG interfaces, however, for the two peers (not two peers to one interface).

In my case I have an RBG router acting as a server behind an MT CCR primary router.
At the client end I have an RB4011 router acting as a client behind a Consumer Router.
The iPhone uses my cellular data, for example.

With the iPhone I can access the RB4011 with my MT application and configure/manage the RB4011 (as well as both MT routers on the server side).
This tells me I can go from one tunnel to the other.
Since I have a destination route on the router SERVER for internet return packets (to the client PC at the other end), all I had to do was to use the IP on the MT APP for the client router.
On the client router, of course, on the input chain I had to include the IP address of the cell phone to allow access to the router.
The RBG, looking at the traffic coming out of the iPhone WireGuard tunnel and seeing the destination address was for the other end of the WG tunnel on the other WG interface, just ported it out the appropriate other WireGuard interface.

Therefore suggesting that if you need to access something from one client or another, the routing may already be in place for each client subnet and thus accessible. Client A reaching Client B PC or vice versa. Here it would be a case at the client end to ensure forward filter rules allow access... I think, but not sure what is being asked.
However if you are talking about both clients accessing a specific subnet on the server router that is a different matter.
Ensuring the requirements are crystal clear will point the right path.

Re: Multiple WG clients(peers) per WG service

Posted: Mon Jun 07, 2021 12:20 pm
by lucidnx
Maybe we all have WG server on separate ROS in LAN, not on Primary gateway? I have DST-NAT 13231 >> ROS in local network.

Re: Multiple WG clients(peers) per WG service

Posted: Sat Sep 25, 2021 9:21 pm
by BillyVan
Hi.
I have the same problem.
I want to connect 5 MikroTik routers as peers to an RB450gx4.
Only one of the 5 is working.
Sometimes if I close the peer from the 450, another one connects.
Did you find any solution?

All routers v7.1rc4

Thanks

Re: Multiple WG clients(peers) per WG service

Posted: Sat Sep 25, 2021 10:04 pm
by parham
On each peer use /32 for the assigned IP and then check.

Re: Multiple WG clients(peers) per WG service

Posted: Sat Sep 25, 2021 11:25 pm
by anav
Try 5 separate WG interfaces each with its own single peer.

Re: Multiple WG clients(peers) per WG service

Posted: Sat Sep 25, 2021 11:46 pm
by BillyVan
anav wrote:
> Try 5 separate WG interfaces each with its own single peer.

Yes, it's my second option.

But WireGuard 2, 3, 4, 5 are not running on the same port.
I will see, maybe tomorrow, because I again need four ports open on the firewall, port forwarding, etc...

/32 on the peer IP didn't help.

Thanks

Re: Multiple WG clients(peers) per WG service

Posted: Sun Sep 26, 2021 10:34 am
by npeca75
working fine

7.1 rc4 CHR

one WG interface, 8 peer
all at once

router to peer OK
peer to peer OK

Re: Multiple WG clients(peers) per WG service

Posted: Sun Sep 26, 2021 3:49 pm
by anav
Nice, maybe hardware specific then...

Re: Multiple WG clients(peers) per WG service

Posted: Sun Sep 26, 2021 4:12 pm
by holvoetn
4 different peers connected on the same WG interface.
It just works.
subnet 10.255.255.0/24 reserved for WG interface.
10.255.255.1 - Hex (home: 192.168.2.0/24)
10.255.255.2 - mAP (with subnet 192.168.90.0/24)
10.255.255.3 - laptop (no subnet)
10.255.255.4 - SXT LTE 930km further South in France (with subnet 192.168.88.0/24, also cAP and cAP AC on that network)
10.255.255.5 - mAP Lite (with subnet 192.168.91.0/24)

Be careful though:
- on "server" side (peer) set allowed address to ip/32 address of the endpoint (or it will not know where to go to), you can add subnet if needed
- on "client" side the easiest is to set 10.255.255.0/24 as allowed address and the subnets you want to be able to contact. E.g. I did not bother to go beyond home network for mAPLite. I did set all on mAP for educational purposes :D
For laptop I set 0.0.0.0/0 so everything goes home when WG is fired up.
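
The "server"-side rule in the post above can be checked mechanically. The following is an added example, not part of the post or of RouterOS: a small Python model of how a WireGuard interface picks the peer for an outgoing packet from the peers' allowed addresses. The peer labels and the `BAD` table are constructed for illustration; the addresses in `GOOD` are the ones listed in the post.

```python
import ipaddress
from itertools import combinations

# "Server"-side allowed addresses for one WG interface, using the addresses
# from the post above (peer names are labels for this example only).
GOOD = {
    "mAP":     ["10.255.255.2/32", "192.168.90.0/24"],
    "laptop":  ["10.255.255.3/32"],
    "SXT":     ["10.255.255.4/32", "192.168.88.0/24"],
    "mAPLite": ["10.255.255.5/32", "192.168.91.0/24"],
}
# Constructed misconfiguration: two peers are given the whole tunnel subnet.
BAD = {
    "mAP":    ["10.255.255.0/24"],
    "laptop": ["10.255.255.0/24"],
    "SXT":    ["10.255.255.4/32"],
}

def _entries(peers):
    return [(name, ipaddress.ip_network(net))
            for name, nets in peers.items() for net in nets]

def overlaps(peers):
    """Pairs of allowed-address entries on different peers that overlap."""
    return [(pa, str(na), pb, str(nb))
            for (pa, na), (pb, nb) in combinations(_entries(peers), 2)
            if pa != pb and na.overlaps(nb)]

def owners(peers, dst):
    """Peers tied for the most specific allowed address containing dst.

    One name  -> the packet has a single unambiguous destination peer.
    Two or more -> only one of them can actually receive that traffic.
    Empty     -> no peer accepts this destination; the packet is not sent.
    """
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, name) for name, net in _entries(peers) if addr in net]
    if not hits:
        return []
    best = max(plen for plen, _ in hits)
    return sorted(name for plen, name in hits if plen == best)

if __name__ == "__main__":
    for label, table in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, "overlaps:", overlaps(table))
        print(label, "10.255.255.3 ->", owners(table, "10.255.255.3"))
```

Running the overlap check before adding a peer shows whether the new allowed address collides with one already assigned on the same interface.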

Re: Multiple WG clients(peers) per WG service

Posted: Sun Sep 26, 2021 5:59 pm
by BillyVan
I spent 2 hours resetting and configuring all of them.

OK, all working as described.

Thank you

Re: Multiple WG clients(peers) per WG service

Posted: Fri Oct 22, 2021 6:30 pm
by drekinov
We have a Hex S with v7rc4.
We specifically updated to v7 because of WireGuard.
From day one, multiple peers are not working.
I think it is understandable that resetting the whole router just to test IF it works is not acceptable considering time and downtime.

I am even blocked right now because I tried to add a second peer and the WireGuard interface now accepts the connection but there is no internet.
Probably I have to go to the office to reboot the whole router and hope it returns to normal.

All peers can be anywhere, even at the same place at the same time.

Right now the workaround is for each peer to be its own WireGuard interface and have its own /30 network.
===
I just deployed (today) an AWS EC2 instance with Ubuntu and WireGuard using the popular wireguard-install.sh, and it just adds peers to the same WireGuard interface. So from the WireGuard point of view it is a supported case.


EDIT: I just restarted the router two times.
My WireGuard interface is not working. So that second peer I tried to add, just to confirm whether the comments here are correct and the issue disappeared... ruined the whole setup.
I will confirm with other colleagues if theirs are working at least :)

Re: Multiple WG clients(peers) per WG service

Posted: Thu Dec 09, 2021 1:34 am
by corp9592
holvoetn wrote:
> 4 different peers connected on the same WG interface.
> It just works.
> subnet 10.255.255.0/24 reserved for WG interface.
> 10.255.255.1 - Hex (home: 192.168.2.0/24)
> 10.255.255.2 - mAP (with subnet 192.168.90.0/24)
> 10.255.255.3 - laptop (no subnet)
> 10.255.255.4 - SXT LTE 930km further South in France (with subnet 192.168.88.0/24, also cAP and cAP AC on that network)
> 10.255.255.5 - mAP Lite (with subnet 192.168.91.0/24)
>
> Be careful though:
> - on "server" side (peer) set allowed address to ip/32 address of the endpoint (or it will not know where to go to), you can add subnet if needed
> - on "client" side the easiest is to set 10.255.255.0/24 as allowed address and the subnets you want to be able to contact. E.g. I did not bother to go beyond home network for mAPLite. I did set all on mAP for educational purposes :D
> For laptop I set 0.0.0.0/0 so everything goes home when WG is fired up.

Sorry to bring back this topic, but I just wanted to thank this user for the info on the "allowed address to ip/32" on the server side. This totally helped me get multiple wg peers for just one interface.

Re: Multiple WG clients(peers) per WG service

Posted: Sun Apr 03, 2022 4:17 am
by uberwebguru
I am having similar issues
wireguard1 is showing as running, but wireguard2 is not showing as running
why is this?

Re: Multiple WG clients(peers) per WG service

Posted: Sun Apr 03, 2022 7:28 am
by holvoetn
uberwebguru wrote:
> I am having similar issues
> wireguard1 is showing as running, but wireguard2 is not showing as running
> why is this?

Because you used the exact same listen port as the other entry.
Change that port and it will start.

Re: Multiple WG clients(peers) per WG service

Posted: Sun Apr 03, 2022 8:01 am
by uberwebguru
holvoetn wrote:
> uberwebguru wrote:
> > I am having similar issues
> > wireguard1 is showing as running, but wireguard2 is not showing as running
> > why is this?
>
> Because you used the exact same listen port as the other entry.
> Change that port and it will start.

Wow you are right
So the add feature does not auto increment the port
Yup changed the port and now it shows running
Thanks

Re: Multiple WG clients(peers) per WG service

Posted: Sun Apr 03, 2022 8:07 am
by holvoetn
uberwebguru wrote:
> So the add feature does not auto increment the port

No, why should it?
It's the responsibility of the admin to make sure the port to be used is available and filled in correctly when setting up a new WG-interface.
There is no way ROS can know which port you plan to use, so it simply fills in a default (which in itself should be an indication that you need to change it to something else).