pwac092
newbie
Topic Author
Posts: 32
Joined: Tue Oct 04, 2022 9:44 pm

Wireguard peer irregularly stops working

Tue Oct 25, 2022 4:18 am

Hiya!

I am having some issues with the wireguard interface. There are a few posts describing similar issues, but since the most relevant one is not exactly the same (viewtopic.php?t=184678) I decided to make a new one.

I have a simple wireguard setup on an hac3, running RouterOS v7.6. The WAN interface (ether1) receives the fixed IP address from the ISP.

* Public and fixed IP assigned to the WAN (ether1) interface.
* 1 wireguard interface with address assigned (192.168.89.1/24) on the default port (13231)
* 3 peers 89.2, 89.3, 89.4, all on /24 subnets.
* Allowed addresses are 89.0/24 for all peers.
* On the input chain, I allow UDP for the default port (13231). Also on the input chain, I allow anything with source address 192.168.89.0/24. These accept rules are before any drop rules.
* I have also allowed traffic sourced from 89.0/24 to 88.0/24 and vice versa. This is just to make things easier on my end. I could do with a bridge, but alas, here we are.

This setup allows peers to connect and the tunnel is established. The tunnel just does not last very long. In particular, I connect my mobile (iPhone, current iOS) with the official WireGuard app. Things work fine, but at some point (I have tried both 4G and remote WiFi) it just stops working. The logs are not useful, as they report the handshake being completed and the connection being alive. Just no traffic is flowing.

Keepalive does not change this situation. I have tried it on the "incoming" peer only, on the MikroTik peer only, and on both. Nothing changes. I have also tried connecting the peer from a virtual interface within the same router. That is, from one on the 192.168.100.0/24 WiFi to the WireGuard interface on the same router.

As I said, the interface technically works, but it just stops working.

I am posting this after trying for about a week to no avail, and I am hesitant to write a script and just disable and enable the interface to get it running. I would appreciate any help on this matter.

Cheers!
# oct/24/2022 22:10:48 by RouterOS 7.6
# software id = DS1W-MS2G
#
# model = RBD53iG-5HacD2HnD
# serial number = F34E0FBBFD49
/interface bridge
add admin-mac=DC:2C:6E:14:DE:91 auto-mac=no comment=defconf name=bridge
add name=bridge_casa
add name=bridge_domotica
/interface wireguard
add listen-port=13231 mtu=1420 name=wg_oveta
/interface vlan
add interface=ether2 name=vlan50_ether4 vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=perfil_casa supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=perfil_domotica supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile=perfil_casa ssid=oficina wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=paraguay disabled=no distance=\
    indoors frequency=auto mode=ap-bridge security-profile=perfil_casa ssid=\
    oficina wireless-protocol=802.11
add disabled=no mac-address=DE:2C:6E:14:DE:97 master-interface=wlan2 name=\
    wlan_casa_5 security-profile=perfil_casa ssid=CASA2 wds-default-bridge=\
    bridge wps-mode=disabled
add disabled=no mac-address=DE:2C:6E:14:DE:96 master-interface=wlan1 name=\
    wlan_casa_24 security-profile=perfil_casa ssid=CASA2 wds-default-bridge=\
    bridge wps-mode=disabled
add disabled=no mac-address=DE:2C:6E:14:DE:95 master-interface=wlan1 name=\
    wlan_domotica security-profile=perfil_domotica ssid=domotica \
    wds-default-bridge=bridge wps-mode=disabled
/interface vlan
add interface=wlan_domotica name=vlan10_domotica vlan-id=10
add interface=wlan2 name=vlan50_casa_5 vlan-id=50
add interface=wlan1 name=vlan50_casa_24 vlan-id=50
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=dhcp_pool_domotica ranges=10.0.0.2-10.0.0.254
add name=dhcp_pool_casa ranges=192.168.1.2-192.168.1.254
add comment="Range of ips for backup vpns" name=vpn-pool ranges=\
    192.168.89.100-192.168.89.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool_domotica interface=bridge_domotica name=\
    dhcp_domotica
add address-pool=dhcp_pool_casa interface=bridge_casa name=dhcp_casa
/interface bridge port
add bridge=bridge_casa comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge_domotica ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=wlan2
add bridge=bridge_domotica ingress-filtering=no interface=vlan10_domotica
add bridge=bridge_domotica ingress-filtering=no interface=wlan_domotica
add bridge=bridge_casa ingress-filtering=no interface=vlan50_casa_5
add bridge=bridge_casa ingress-filtering=no interface=vlan50_casa_24
add bridge=bridge_casa ingress-filtering=no interface=wlan_casa_24
add bridge=bridge_casa ingress-filtering=no interface=wlan_casa_5
add bridge=bridge_domotica ingress-filtering=no interface=vlan50_ether4
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wg_oveta list=LAN
/interface ovpn-server server
set auth=sha1,sha256,sha512 certificate=SERVER cipher=\
    blowfish128,aes128,aes192,aes256 default-profile=default-encryption \
    require-client-certificate=yes
/interface wireguard peers
add allowed-address=192.168.89.0/24 comment=iphone endpoint-address=\
    192.168.89.2 interface=wg_oveta public-key=\
    "tezEg/4ckt9iVo="
add allowed-address=192.168.89.0/24 comment=anguja endpoint-address=\
    192.168.89.3 interface=wg_oveta public-key=\
    "Zke6G1S954Roh8="
add allowed-address=192.168.89.0/24 comment=ykua endpoint-address=\
    192.168.89.4 interface=wg_oveta public-key=\
    "URD54882YkmoUI="
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=181.94.246.38/24 interface=ether1 network=181.94.246.0
add address=10.0.0.1/24 interface=bridge_domotica network=10.0.0.0
add address=192.168.1.1/24 interface=bridge_casa network=192.168.1.0
add address=192.168.89.1/24 interface=wg_oveta network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.138.1.0/24 gateway=192.138.1.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=oveta.lan
add address=192.168.88.5 name=mrroboto.lan
add address=192.168.88.6 name=mandua.lan
add address=10.0.0.5 name=test.domotica.lan
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=test
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward in-interface=bridge_casa out-interface=bridge
add action=drop chain=forward in-interface=bridge out-interface=\
    bridge_domotica
add action=drop chain=forward in-interface=bridge_domotica out-interface=\
    bridge_casa
add action=drop chain=forward in-interface=bridge out-interface=bridge_casa
add action=drop chain=forward in-interface=bridge_domotica out-interface=\
    bridge
add action=drop chain=forward in-interface=bridge_casa out-interface=\
    bridge_domotica
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "Allow traffic between .89 and .88 nets for Wireguard\
    \n" dst-address=192.168.89.0/24 src-address=192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.89.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=Dvr dst-address=181.94.246.38 \
    dst-port=8000 protocol=tcp to-addresses=10.0.0.5 to-ports=8000
add action=dst-nat chain=dstnat comment=Dvr dst-address=181.94.246.38 \
    dst-port=554 protocol=tcp to-addresses=10.0.0.5 to-ports=554
add action=masquerade chain=srcnat comment="OpenVPN  NAT" out-interface=\
    ether1
/ip firewall service-port
set rtsp disabled=no
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=181.94.246.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,192.168.89.0/24
set ssh address=192.168.88.1/32
set www-ssl disabled=no
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.89.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp profile
set *FFFFFFFE bridge=*21 dns-server=8.8.8.8,1.1.1.1 interface-list=LAN \
    local-address=192.168.89.1 remote-address=vpn-pool
/system clock
set time-zone-name=America/Asuncion
/system identity
set name=oveta
/system leds
set 0 disabled=yes interface=wlan2 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
set 2 interface=wg_oveta leds=led1
set 3 interface=wg_oveta leds=led2 type=interface-receive
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool traffic-monitor
add interface=bridge name=tmon1 threshold=0
Last edited by pwac092 on Tue Oct 25, 2022 9:17 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 4:31 am

* Allowed addresses are 89.0/24 for all peers.
And that's your mistake, it should be just their address/32.

Edit: And on (slightly) closer look, endpoint-address is nonsense, for dynamic peers it should not be set at all.
 
retom
just joined
Posts: 5
Joined: Mon Oct 17, 2022 6:04 am

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 6:31 am

 
pwac092
newbie
Topic Author
Posts: 32
Joined: Tue Oct 04, 2022 9:44 pm

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 12:43 pm

Good morning Sob!

Thank you for your help, once again.
* Allowed addresses are 89.0/24 for all peers.
I have indeed tried this before. To verify, I have done it again and changing that (and only that on the entire network) results in the tunnel not being established.

In and of itself, this is not quite intuitive. /32 is surely address and not addresses. I am not convinced this should make a difference... am I looking at this the wrong way?

The settings on my connecting peer are reasonable. The endpoint is PUBLIC_IP:13231, addresses are 89.2/32, allowed addresses are .89.0/24 and .88.0/24, and keepalive is 25 secs. The log on this device shows "Tunnel status is connected" but really, no traffic flows. The MikroTik side of the peer shows no traffic.

You know what's weird? The intermittency of the problem. That is, why should the netmask make the problem intermittent?
 
holvoetn
Forum Guru
Posts: 6920
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 2:59 pm

Is the intermittence related to more than 2 peers being active?
If so, you better check those netmasks because it will most likely be the problem.
If, like most, you have a hub and spoke setup (one peer acting as server, the rest are clients) then all peer-definitions on clients should use netmask /24.
On the hub settings for peer, you need to use netmask /32.

If because of faulty netmasks multiple peers can be the target when going in the interface, the protocol will not know what to send where.
And then it fails.

With only 2 peers (a client and a server, if you want), there is no confusion.
Add a 3rd one and the problems begin.
 
pwac092
newbie
Topic Author
Posts: 32
Joined: Tue Oct 04, 2022 9:44 pm

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 3:56 pm

Good morning holvoetn,

Thank you very much for your reply. I do, indeed, have this hub-and-spoke, star topology thing going.

I do apologise but I am rather slow, so what you are saying is:

1. The WireGuard interface on the hub (i.e. MikroTik) would get a /32 netmask address (89.1/32)
2. Each client, on the hub side (i.e. MikroTik) would be: 89.2/32, 89.3/32, ..., 89.255/32
3. Each client, on the spoke (i.e. iOS, Linux...) would set their address as: 89.2/24, ..., 89.255/24

Is this correct?

I have to say, I rather like this forum. Kinda like old-style internet. Lots of knowledge, cool people helping, great stuff.
 
anav
Forum Guru
Posts: 22293
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 4:21 pm

Showing just the Server setup is not good enough.
Please post the client setups as well.
Also, what are the clients?
a. laptop?
b. smartphone?
c. MT router?

As stated, this is problematic... endpoint address is not required... the allowed addresses should be .89.2/32, .89.3/32, .89.4/32 etc...
/interface wireguard peers
add allowed-address=192.168.89.0/24 comment=iphone endpoint-address=\
192.168.89.2 interface=wg_oveta public-key=\
"tezEg/4ckt9iVo="
add allowed-address=192.168.89.0/24 comment=anguja endpoint-address=\
192.168.89.3 interface=wg_oveta public-key=\
"Zke6G1S954Roh8="
add allowed-address=192.168.89.0/24 comment=ykua endpoint-address=\
192.168.89.4 interface=wg_oveta public-key=\
"URD54882YkmoUI="


Your input chain rule is not required as you allow all traffic not on the LAN interface list already as the last rule in the input chain.
No need to stick rules before the default rules?
Last edited by anav on Tue Oct 25, 2022 4:28 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 6920
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard peer irregularly stops working  [SOLVED]

Tue Oct 25, 2022 4:28 pm

Small addition to your post for clarification
1. The WireGuard interface on the hub (i.e. MikroTik) would get a /32 netmask address (89.1/32) -> addresses get /32
2. Each client, on the hub side (i.e. MikroTik) would be: 89.2/32, 89.3/32, ..., 89.255/32 -> allowed addresses
3. Each client, on the spoke (i.e. iOS, Linux...) would set their address as: 89.2/24, ..., 89.255/24 -> allowed addresses, and /24 translates to 89.0/24 for all.
If it still doesn't work, as anav suggests, please post the config of the clients as well and specify what they are.
 
anav
Forum Guru
Posts: 22293
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 4:39 pm

Not sure what you are talking about holvoe.

(1) If the MT is the hub, ALL clients in allowed IPs are described by x/32; then you may add additional subnets if required (as destination addresses for local users, or for any remote incoming subnets).
The MT has an IP address typically of .1/24

(2) If the clients are singular entities, then these clients will have an allowed IP of .0/24
The clients themselves will get an interface address of .x/32

(3) If the clients are other routers (with subnets), then on these devices the client settings would have allowed IPs of .0/24 and additional subnets (as destination addresses for local users, or for any remote incoming subnets).
These particular clients will get an interface address of .x/24

ON ROUTERS...
(4) What determines what is allowed in and out of routers, be they hub or not, is firewall rules!
(5) What enables subnets to access tunnels is IP routes...


NOTE: If clients are coming into a router for internet, then one uses 0.0.0.0/0 for allowed IPs (no other entries are required, as WG IPs and subnets are included in that range) and the firewall rules determine which traffic is allowed to go where...
Last edited by anav on Tue Oct 25, 2022 9:01 pm, edited 1 time in total.
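The allowed-address rule Sob, holvoetn and anav describe above is WireGuard's cryptokey routing: the hub matches each outbound packet against every peer's allowed addresses and encrypts it to the one peer that owns the destination. The Python below is an added illustration, not RouterOS or any poster's code; it replays the hub peer table from the first post (three overlapping /24 entries) beside the recommended one /32 per spoke, plus a spoke-side table, and shows why only the /32 table resolves each spoke address to exactly one peer.

```python
"""Simulate WireGuard cryptokey routing over a peer table.
A peer's allowed-address list is the set of destination IPs WireGuard will
encrypt to that peer (and accept from it after decryption).
Constructed example; peer names and addresses follow the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    allowed: list  # ipaddress.IPv4Network entries


def parse_peers(config):
    """config maps a peer name to its allowed-address CIDR strings."""
    return [Peer(name, [ipaddress.ip_network(c) for c in cidrs])
            for name, cidrs in config.items()]


def matching_peers(peers, dst):
    """(prefixlen, peer name) for every peer whose allowed list covers dst,
    most specific match first."""
    addr = ipaddress.ip_address(dst)
    hits = []
    for peer in peers:
        best = max((n.prefixlen for n in peer.allowed if addr in n), default=None)
        if best is not None:
            hits.append((best, peer.name))
    hits.sort(reverse=True)
    return hits


def resolve(peers, dst):
    """Peer that owns dst, or None when nobody or several peers claim it at
    the same prefix length. A real implementation keeps one owner per range
    (normally the peer configured last), so the other spokes silently lose
    their return traffic; None models that ambiguity."""
    hits = matching_peers(peers, dst)
    if not hits:
        return None
    winners = [name for plen, name in hits if plen == hits[0][0]]
    return winners[0] if len(winners) == 1 else None


def overlaps(peers):
    """Peer pairs whose allowed-address entries overlap: a misconfiguration
    on a hub, harmless on a spoke that has only one peer."""
    pairs = []
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            if any(x.overlaps(y) for x in a.allowed for y in b.allowed):
                pairs.append((a.name, b.name))
    return pairs


# Hub peers as exported in the first post: every spoke allowed the whole /24.
BROKEN_HUB = {"iphone": ["192.168.89.0/24"], "anguja": ["192.168.89.0/24"], "ykua": ["192.168.89.0/24"]}
# Hub peers as recommended in the replies: one /32 per spoke.
FIXED_HUB = {"iphone": ["192.168.89.2/32"], "anguja": ["192.168.89.3/32"], "ykua": ["192.168.89.4/32"]}
# A spoke has a single peer (the hub), so wide ranges are fine there.
SPOKE = {"hub": ["192.168.89.0/24", "192.168.88.0/24"]}

if __name__ == "__main__":
    for label, cfg in (("broken hub", BROKEN_HUB), ("fixed hub", FIXED_HUB), ("spoke", SPOKE)):
        peers = parse_peers(cfg)
        print(f"{label}: overlapping peers = {overlaps(peers)}")
        for dst in ("192.168.89.2", "192.168.89.3", "192.168.88.10"):
            print(f"  {dst} -> {resolve(peers, dst)}")
```

The broken table reports three overlapping pairs and resolves every spoke address to None, while the fixed table maps 192.168.89.2, .3 and .4 to iphone, anguja and ykua respectively; the spoke table still reaches the 192.168.88.0/24 LAN through its single hub peer.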
 
pwac092
newbie
Topic Author
Posts: 32
Joined: Tue Oct 04, 2022 9:44 pm

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 5:00 pm

Cheers anav, holvoetn,

I will try again with the /24 addresses and report back.

Regarding the spoke peers.

The first peer is on macOS.
[Interface]
PrivateKey = yHzFtr.....8KP2JxSxyFg=
Address = 192.168.89.3/32


[Peer]
PublicKey = UxqwXpmJS....SKI5H6P3AdLotkM=
AllowedIPs = 192.168.89.0/24, 192.168.88.0/24
Endpoint = PUBLIC_IP:13231
PersistentKeepalive = 25
The second peer is an iOS device, so I created the peer manually. These are the data:

Interface section:
PublicKey = tezEgxDhAx....
Addresses = 192.168.89.2/32

Peer section:
Public key:
PublicKey = UxqwXpmJS....SKI5H6P3AdLotkM=
Endpoint = PUBLIC_IP:13231
AllowedIPs = 192.168.89.0/24, 192.168.88.0/24
Persistent keepalive every 25 seconds

The third peer is a MikroTik device.
[Interface]
PrivateKey = yASDFASDFASDFA-000asdfasdfxyFg=
Address = 192.168.89.4/32

[Peer]
PublicKey = UxqwXpmJS....SKI5H6P3AdLotkM=
AllowedIPs = 192.168.89.0/24, 192.168.88.0/24
Endpoint = PUBLIC_IP:13231
PersistentKeepalive = 25
Considering the input chain rules:
Your input chain rule is not required as you allow all traffic not on the LAN interface list already as the last rule in the input chain.
No need to stick rules before the default rules?
I agree. It's just the irrational testing. I call this percussive digital maintenance; it is a bad habit.

That said, once I get it working, I will remove it. Firewall needs work in general, but that is another story.
 
anav
Forum Guru
Posts: 22293
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 9:12 pm

Remove WANIP info from destination nat and IP route on your first config post, if those are real numbers!!

The third device, the MT, is incorrect.
IP addresses are NOT assigned in the interface setting. They are assigned under the IP Address setting...

Should be (don't know the name so made it up):
/interface wireguard
add listen-port=13231 mtu=1420 name=wg_mt_client
/ip address
add address=192.168.89.4/24 interface=wg_mt_client network=192.168.89.0
/interface wireguard peers
add allowed-address=192.168.89.0/24,192.168.88.0/24 endpoint-address=FIXEDWANIP \
    endpoint-port=13231 interface=wg_mt_client public-key=\
 
holvoetn
Forum Guru
Forum Guru
Posts: 6920
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 9:23 pm

Not sure what you are talking about holvoe.
The same as you but with verbose=no :lol:
 
anav
Forum Guru
Posts: 22293
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard peer irregularly stops working

Tue Oct 25, 2022 10:10 pm

Yes, but my brain is not soaking in Belgian chocolate and is thus clearer and not dulled by such deliciousness!!
 
pwac092
newbie
Topic Author
Posts: 32
Joined: Tue Oct 04, 2022 9:44 pm

Re: Wireguard peer irregularly stops working

Fri Oct 28, 2022 2:08 am

Thank you very much lads!

That got the ball rolling and things are looking up!

I have written in my notes what I understand from the labels in winbox.

On to the next step for me now!

Have a nice day!
 
dave864
Frequent Visitor
Posts: 75
Joined: Fri Mar 11, 2016 2:37 pm

Re: Wireguard peer irregularly stops working

Sun Oct 30, 2022 1:50 am

Everyone in here. Thanks, I finally got mine working properly instead of the Frankenstein mess I had before!

Windows:
Addresses set to a unique /32 address 192.168.30.2/32.
Allowed IP = 0.0.0.0/0
End point = my Router IP/port
Peer = Router unique public key
Interface = client1 unique public key

Android
Addresses set to a unique /32 address 192.168.30.3/32.
Allowed IP = 0.0.0.0/0
End point = my Router IP/port
Peer = Router unique public key
Interface = client2 unique public key

Router
Wireguard tab = setup a single interface + Router unique public key
Peers tab = put in both Windows and Android as two separate items
Windows allowed address 192.168.30.2/32 + client1 unique public key
Android allowed address 192.168.30.3/32 + client2 unique public key
Make sure an address is set in IP/Address = 192.168.30.1 and 192.168.30.0/24
I also opened firewall ports for Wireguard, but not sure that is necessary?

Sorted, thanks everyone.