jjoelc
just joined
Topic Author
Posts: 12
Joined: Mon Oct 05, 2015 9:14 pm

Only one Wireguard peer working at a time

Thu Jun 29, 2023 8:30 pm

I have searched and read through several different posts in this forum about the same issue, but none of them seem to apply in my case?

Background: Lightning took out my router, which I had a working wireguard config on, but (silly me!) I didn't have a recent backup of my config which included the wireguard config. So I have had to rebuild it from scratch. In other words, I'm reasonably confident this is something *I* have done wrong, and would love some help spotting it!

Currently, either peer will work, but whichever peer connects first is the ONLY peer that will ever work, until I disable/reenable one of the peers or otherwise make some config change. At that point, again, whichever peer connects first will work, any additional peers will show a successful handshake, but no additional traffic will pass.

At this point, I have stripped it down to two peers, a phone and a laptop. Full config can be posted if needed, but for now will stick to relevant pieces.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard
then
/ip address
add address=172.16.10.1/24 interface=wireguard network=172.16.10.0
Now peers (Full disclosure, there is a preshared key also. I have verified it is correct on all peers and in the mikrotik):
/interface wireguard peers
add allowed-address=172.16.10.101/24 comment="Joel Laptop" interface=wireguard public-key="JLlbaJuKwJpCZrkjSyz6TU9AHHiQolE5MhNettC0ISI="
add allowed-address=172.16.10.100/24 comment="Joel iPhone" interface=wireguard public-key="QzMlYHGmpiHlS4ol44rPkhxYsm5uO8WWwTOIsTylKyE="
And a print detail for the peers (redacted sensitive info):
[jjoelc@JJC-Router] > interface/wireguard/peers/print detail
Flags: X - disabled 
 0   ;;; Joel Laptop
     interface=wireguard public-key="JLlbaJuKwJpCZrkjSyz6TU9AHHiQolE5MhNettC0ISI=" endpoint-address="" endpoint-port=0 current-endpoint-address=166.137.106.252 
     current-endpoint-port=1551 allowed-address=172.16.10.101/24 preshared-key="<snip>" rx=296 tx=824 last-handshake=1h57m3s 

 1   ;;; Joel's iPhone
     interface=wireguard public-key="QzMlYHGmpiHlS4ol44rPkhxYsm5uO8WWwTOIsTylKyE=" endpoint-address="" endpoint-port=0 current-endpoint-address="" current-endpoint-port=0 
     allowed-address=172.16.10.100/24 preshared-key="<snip>" rx=0 tx=34.0KiB 
and Firewall:
/ip firewall filter
add action=accept chain=input comment="Allow Wireguard" dst-address=76.255.235.9 dst-port=13231 protocol=udp
add action=accept chain=forward dst-address-list=local in-interface=wireguard
add action=accept chain=forward out-interface=wireguard src-address-list=local
Route is in place:
[jjoelc@JJC-Router] > ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c, s, y - BGP-MPLS-VPN; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#      DST-ADDRESS       GATEWAY         DISTANCE
0  As  0.0.0.0/0         76.255.235.14          1
<snip>
  DAc  172.16.10.0/24    wireguard              0
<snip>
Based on other posts, I have seen the issues with endpoint-address="" listings in the config. As seen above the listing does not appear in an export, but does show when you do a print. If one of the peers is connected when you do the print, the peer's public IP is listed in that field. Once the peer is disconnected the print shows the empty field again, so I kind of have to assume this is the expected behavior.

As stated, if both peers are disconnected, I can just disable/reenable either of the peers, or make any other config change to either peer. And whichever peer connects first works, the other does not. I really need more than one peer at a time connected though!

Thanks in advance for any and all advice!
 
holvoetn
Forum Guru
Posts: 6869
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Only one Wireguard peer working at a time  [SOLVED]

Thu Jun 29, 2023 9:10 pm

On "server", the allowed addresses on client peers should not be /24 for the wireguard addresses.

On the server when the second client makes connection, server will not know which peer to choose.

/32 for wireguard addresses, /24 ( or whatever) for other allowed subnets.
 
jjoelc
just joined
Topic Author
Posts: 12
Joined: Mon Oct 05, 2015 9:14 pm

Re: Only one Wireguard peer working at a time

Thu Jun 29, 2023 9:32 pm

That was exactly it! (And it makes sense, also!)
THANK YOU!
 
holvoetn
Forum Guru
Posts: 6869
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Only one Wireguard peer working at a time

Thu Jun 29, 2023 10:08 pm

No problem.
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Only one Wireguard peer working at a time

Thu Jun 29, 2023 10:32 pm

Peer settings look wrong.
At the MT, being the server, the peers are simply /32 not /24

Oopsie already answered, opened it and then left for what I thought was a few minutes and then became hours LOL.
 
leikoilja
just joined
Posts: 12
Joined: Sat May 08, 2021 10:53 am

Re: Only one Wireguard peer working at a time

Wed Jun 12, 2024 10:19 am

thank you, gents, that was exactly my problem as well and got resolved by changing /32 on the server :)
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Only one Wireguard peer working at a time

Wed Jun 12, 2024 5:43 pm

There is logic behind what has been suggested. It's just not a case of memorizing, it's a case of understanding.

The Server client ( for handshake ) may have 2 or more peers connecting to it.
That is multiple peer to peer tunnels.

The way any local traffic heading outbound gets sent is by several factors.
a. first the router checks the destination address.
b. does the dst address match any allowed IPs in the wireguard allowed IP list, and it SEQUENTIALLY from top to bottom reads the list.

- thus if you have entered a /24 address for wireguard of a peer, ANY destination for other peers .3, .4, .5 will get trapped and get sent out the wrong peer subtunnel so to speak.
- thus if you have entered 0.0.0.0/0 address for a wireguard peer, ANY destination (be it wireguard address, or subnet) will get trapped and get sent out this peer.

So the moral of the story, is understanding that the outbound heading traffic undergoes a MATCHING and filtering process.

c. Do firewall rules permit the flow of traffic from source to destination is another router process
d. Is there a route for the destination traffic, ( aka a remote subnet for example !! )
 
Dude
just joined
Posts: 9
Joined: Wed Nov 19, 2014 2:25 pm

Re: Only one Wireguard peer working at a time

Fri Nov 15, 2024 3:46 pm

... /32 for wireguard addresses ...
For routed links work:
# 2024-11-15 16:42:06 by RouterOS 7.12.1
#
/interface wireguard peers
add allowed-address=10.254.10.34/32,0.0.0.0/0 ...
add allowed-address=10.254.10.35/32,0.0.0.0/0 ...
#
 
anav
Forum Guru
Posts: 22202
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Only one Wireguard peer working at a time

Sat Nov 16, 2024 4:49 am

... /32 for wireguard addresses ...
For routed links work:
# 2024-11-15 16:42:06 by RouterOS 7.12.1
#
/interface wireguard peers
add allowed-address=10.254.10.34/32,0.0.0.0/0 ...
add allowed-address=10.254.10.35/32,0.0.0.0/0 ...
#
There is no point in putting 0.0.0.0/0 and any other address as 0.0.0.0/0 = all possible addresses,
So it's mildly amusing but wrong and if this is on a server router for handshake, a recipe for disaster
as traffic will NEVER make it to the second client on the list.
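The thread's two failure modes (overlapping /24 allowed-addresses in the original question and holvoetn's /32 answer, and the duplicated 0.0.0.0/0 in the last two posts) both come down to WireGuard's cryptokey routing: every allowed-IP prefix belongs to exactly one peer, outbound packets pick the peer by longest-prefix match on the destination, and a decrypted inbound packet is dropped unless its source address routes back to the peer it came from. The handshake is keyed only by public key, which is why a displaced peer still shows a successful handshake but passes no traffic. The following Python model is an added example written for this page, not RouterOS code or anything from the forum posters; the peer tables are constructed from the addresses in the thread, and the choice to keep the first owner of a conflicting prefix is an assumption made only so the conflict is visible (real implementations differ in which peer wins):

```python
import ipaddress

# Constructed peer tables modelled on the thread (assumption: these mirror the
# posted configs; the names are labels only).
PEERS_BROKEN = [            # original question: host address with /24 mask
    ("Joel Laptop", ["172.16.10.101/24"]),
    ("Joel iPhone", ["172.16.10.100/24"]),
]
PEERS_FIXED = [             # holvoetn's answer: /32 per client on the "server"
    ("Joel Laptop", ["172.16.10.101/32"]),
    ("Joel iPhone", ["172.16.10.100/32"]),
]
PEERS_DEFAULT_ROUTE = [     # last two posts: 0.0.0.0/0 on two peers at once
    ("site-a", ["10.254.10.34/32", "0.0.0.0/0"]),
    ("site-b", ["10.254.10.35/32", "0.0.0.0/0"]),
]


def build_table(peers):
    """Return (prefix -> owning peer, list of conflicts).

    A host address with a wider mask normalises to the whole network, so
    172.16.10.101/24 and 172.16.10.100/24 are both the single prefix
    172.16.10.0/24. Only one peer can own a prefix; the second claim is a
    conflict (assumption: first claimant keeps it, later ones are recorded).
    """
    table, conflicts = {}, []
    for name, prefixes in peers:
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=False)
            if net in table and table[net] != name:
                conflicts.append((str(net), table[net], name))
                continue
            table[net] = name
    return table, conflicts


def select_peer(table, dst):
    """Outbound: longest-prefix match of the destination against all
    allowed-IP prefixes; None means no peer claims the address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, name in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def accept_inbound(table, peer, src):
    """Inbound cryptokey check: a packet decrypted from `peer` is accepted only
    if its source address routes back to that same peer."""
    return select_peer(table, src) == peer


if __name__ == "__main__":
    for label, peers in (("broken /24", PEERS_BROKEN), ("fixed /32", PEERS_FIXED),
                         ("double 0.0.0.0/0", PEERS_DEFAULT_ROUTE)):
        table, conflicts = build_table(peers)
        print(label, "conflicts:", conflicts)
        for name, prefixes in peers:
            host = prefixes[0].split("/")[0]
            print("  ", name, "->", select_peer(table, host),
                  "inbound ok:", accept_inbound(table, name, host))
```

Run as a script it prints, for the /24 table, that 172.16.10.0/24 is claimed twice and that the displaced peer's own address no longer routes to it, so its inbound packets fail the check; with /32 entries each host maps to its own peer; in the routed-link table the two /32 entries are fine but the second 0.0.0.0/0 is a conflict, which is the point anav makes about the second client never receiving traffic.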