
Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 12:49 pm
by Unti
Hey everyone,

I'm new to Mikrotik Routers and RouterOS7, but everything went well so far.
With my old router, which didn't support Wireguard natively, I used a ubuntu VM for wireguard.
There everything worked 100%, but my goal was to set up Wireguard on the new Mikrotik RB5009.
So I set it up and everything is working with Android (immediate connection to peer, no problems).

But with Windows (Client Version 0.5.3 - official from the Wireguard website) I got an error in the Log with "Handshake to peer 1 Failed ...."
The IP is reachable and I tested several MTUs, changed Keepalive from 25 to 10 or other values - no success, reconfigured the complete config several times, no success.
Windows Firewall is off, reinstalled, no success.
Tested it with a fresh Windows 10 Install (Main System is Windows 11) - same Error in Log.
Exported from Android, where everything works, same Error in Log.

May there be a Bug? Or did I miss something?

Hope the Thread is placed in the right Forum.

Greetings
Marcus

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 1:07 pm
by Njumaen
I use lots of wg clients under W10/11 and have no issues of that kind at all. Check for correct public key on both sides and correct allowed IPs.

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 2:21 pm
by Unti
I checked the public key on both configs (Mikrotik + Client) multiple times, copy&pasted it, wrote the lines manually, no connection whatsoever....
I'm 100% sure the config is correct, and like I said - I exported the working config from my Android device and imported it to windows, still - no handshake possible.

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 2:23 pm
by anav
Yup key mismatch is a good place to start.
Also any windows firewalls in the way?
If android works fine, that rules out the MT as the issue!!

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 2:29 pm
by Unti
Yup key mismatch is a good place to start.
Also any windows firewalls in the way?
If android works fine, that rules out the MT as the issue!!
I exported the working android config and imported it to 2 different windows installations, same issue, still no successful handshake.
Windows firewalls are off - and before with the ubuntu wireguard server it worked fine, not with the MT.

I don't think it's a MT issue; if it were a problem with the MT itself, no other client would work.
So it has to be some sort of bug or another tiny thing in the config itself maybe?

Other ideas what I can try?
I'm really lost right now, because it makes no sense :/

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 2:44 pm
by anav
Since you don't provide the windows config entries and you don't provide the wireguard config, not much more we can do.

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 2:50 pm
by Miguelin
Same problem here, in this case with W11.

It is working in Android perfectly. The common thing with you guy is that we have Mikrotik and RB5009 specifically. I do not know if this could be related...strange but..

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 4:21 pm
by anav
Hmm, is there an MTU setting on the windows client??

If not try changing MTU on wireguard to 1500 from 1420 and if no joy go in the opposite direction 1400, 1380 etc.....

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 4:38 pm
by Unti
Below the config of the MT
---------------------------------------
[admin@MikroTik] /interface/wireguard> print
Flags: X - disabled; R - running
0 R name="WireguardMain" mtu=1420 listen-port=13231 private-key="oMqbUKfIdzFWEmPFpnzeKn+UG9ZC0cM+CcJDZt5NWEU=" public-key="JLNDQMvNmh6fkmSyZfNhIuhdbjzKxFHlA+2fVcAckBY="
[admin@MikroTik] /interface/wireguard/peers> print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-PORT, ALLOWED-ADDRESS, PERSISTENT-KEEPALIVE
# INTERFACE PUBLIC-KEY ENDPOINT-PORT ALLOWED-ADDRESS PERSISTENT-KEEPALIVE
;;; Smartphone
0 WireguardMain Me3l9bnlEdjP/MTqmAWjk2fU/0dwxvru3mkYKWB6Nks= 0 10.111.20.40/32 25s
;;; Smartphone-Backup
1 WireguardMain 0Ll0zS96Esim5eAzbwEluSpyGpp9PFLt4yDvDE4Q1zc= 0 10.111.20.42/32 25s
;;; Tablet
2 WireguardMain l1RVGBtvXo25HvHRrrxL/t7ro7x/nKAIUgoaacjVmQ8= 0 10.111.20.41/32 25s
;;; Desktop
3 WireguardMain tUluRiFoys7Uev+HYr+AKk4BYH+eyWGhSPpmaPL8OU0= 0 10.111.20.60/32 25s
---------------------------------------

Below now the Windows Config:
Note - the public Key of the "Desktop" Entry is: tUluRiFoys7Uev+HYr+AKk4BYH+eyWGhSPpmaPL8OU0= (and i double checked this - multiple times!)
---------------------------------------
[Interface]
Address = 10.111.20.60/32
DNS = 10.111.2.1/32
PrivateKey = uCbvO9OkVIfIoowhinf/c2T7Bc1QP7tq236HBdqwzXU=

[Peer]
AllowedIPs = 10.111.20.0/24, 10.111.2.0/24, 192.168.70.0/24, 192.168.71.0/24, 192.168.72.0/24, 192.168.73.0/24, 10.111.3.0/24, 10.111.4.0/24, 10.111.5.0/24
Endpoint = example.xyz:13231
PersistentKeepalive = 25
PublicKey = JLNDQMvNmh6fkmSyZfNhIuhdbjzKxFHlA+2fVcAckBY=

In my opinion everything is configured correct.

The error which is appearing in the windows log is still:
2023-11-07 15:32:04.522260: [TUN] [VPN] Handshake for peer 1 (37.85.XX.XX:13231) did not complete after 5 seconds, retrying (try 7)
2023-11-07 15:32:04.522260: [TUN] [VPN] Sending handshake initiation to peer 1 (37.85.XX.XX:13231)
2023-11-07 15:32:09.626017: [TUN] [VPN] Handshake for peer 1 (37.85.XX.XX:13231) did not complete after 5 seconds, retrying (try 8)
2023-11-07 15:32:09.626017: [TUN] [VPN] Sending handshake initiation to peer 1 (37.85.XX.XX:13231)

Ideas?

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 4:39 pm
by Unti
Hmm, is there an MTU setting on the windows client??

If not try changing MTU on wireguard to 1500 from 1420 and if no joy go in the opposite direction 1400, 1380 etc.....
Yesterday I tried 1500, 1420, 1420 etc. no luck with that :/

Some error in log...

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 5:12 pm
by anav
1. Remove persistent keep alive settings on the Mikrotik Router settings for client peers. These are useless.

2. Allowed IPs on windows,
a. are you sure there are spaces between each entry??

What I was expecting only was 10.111.20.0/24
10.111.2.0/24 / 10.111.3.0/24 / 10.111.4.0/24 / 10.111.5.0/24 doesn't seem to make sense??? How many wg interfaces do you have running on the MT.

assuming all the rest 192.168.... are local subnets on the MT.

3. Did you try different DNS setting on windows, like 1.1.1.1 just for giggles.

4. would need to see the full MT config .........
/export file=anynameyouwish (minus router serial number, public WANIP information etc.)

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 7:39 pm
by Unti
1. Remove persistent keep alive settings on the Mikrotik Router settings for client peers. These are useless.
Tried, but had no positive effect, still same issue, but thanks for the advice, will remove it out of each peer.
2. Allowed IPs on windows,
a. are you sure there are spaces between each entry??

What I was expecting only was 10.111.20.0/24
10.111.2.0/24 / 10.111.3.0/24 / 10.111.4.0/24 / 10.111.5.0/24 doesn't seem to make sense??? How many wg interfaces do you have running on the MT.

assuming all the rest 192.168.... are local subnets on the MT.
Yeah the spaces are no problem, same config on each android device and there it straight works.
10.111.20.0/24 is the wireguard interface
10.111.2.0/24 is my main subnet/intranet
10.111.3-5.0/24 are my other networks (separated in vlans - for guest/vpn etc.)
192.168.70.0/24 - First WAN Conn - Telekom 4G+
192.168.71.0/24 - Second WAN Conn - Telekom 5G
192.168.72.0/24 - Third WAN Conn - Vodafone 5G
192.168.73.0/24 - Gli.Net Router (Old Router) which connects to a VPN via Surfshark and serves as an external VPN Gateway, which connects to a defined WAN connection to one of the above gateways (had a Lancom Router before the Mikrotik and next steps are to terminate the surfshark vpn directly on the MT, but this is a project for another day)

But I tried it only with 10.111.20.0/24 as allowed subnets and it still doesn't work.
3. Did you try different DNS setting on windows, like 1.1.1.1 just for giggles.
yes, normally in this config dns is 1.1.1.1 because I only need Split Tunneling with my wireguard vpn and my dns at home is still not configured 100% correct.
But this didn't work either.
4. would need to see the full MT config .........
/export file=anynameyouwish (minus router serial number, public WANIP information etc.)
Do you need the full .rsc file?
Because it's a bit confusing and the config is long as heck because I have dozens of routing tables for a stable function (see multiple wans and usecases for several clients...).
Yeah, would be much easier with fiber and 1 gig.... but here we go, Germany ftw ^^

Thanks!

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 8:56 pm
by Backspace3092
Have you checked if the public ip is correct?

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 9:07 pm
by chechito

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 9:10 pm
by tangent
name="WireguardMain" mtu=1420 listen-port=13231 private-key="oMqbUKfIdzFWEmPFpnzeKn+UG9ZC0cM+CcJDZt5NWEU=" public-key="JLNDQMvNmh6fkmSyZfNhIuhdbjzKxFHlA+2fVcAckBY="

🤦‍♂️

Better change your keys. You’ve just reduced the key strength to ~32 bits, a search through the public IP space to find the WG endpoint that responds to that key pair.

Be careful what you copy-paste into a public post!

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 9:53 pm
by anav
I assumed he made changes such that the keys were not the exact ones, but if not concur!!

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 10:26 pm
by Unti
Have you checked if the public ip is correct?
Of course, like I said, on android it's working fine. In the wireguard log on windows it resolves to the correct wan public ip, so yes, 100% sure.
My IP address should be one with location in Germany (I'm German) - and my previously posted IP address is a cellular network IP address from "Deutsche Telekom".
Yes it's cellular, but with this special APN prov. by Deutsche Telekom there is no carrier grade NAT, so this IP is fully accessible from the outside, no problems ;)
be aware of this
I live in Germany, so it's not related to my problem?!
Better change your keys. You’ve just reduced the key strength to ~32 bits, a search through the public IP space to find the WG endpoint that responds to that key pair.

Be careful what you copy-paste into a public post!
Of course, changed both keys, but thanks for your concerns! Really kind :)
My IP changes 1-3x randomly a day (because of cellular...)
I assumed he made changes such that the keys were not the exact ones, but if not concur!!
Yeah sure ;)
At this time I stopped fixing it, I'm not at home this week and needed a working tunnel :/
At this point I reactivated my ubuntu machine, which is working, but the goal still is to bring this wireguard thing on the MT fully working!

Which config do you need? Full config file?
As I said, I'm lost; in my opinion there should not be an issue in this config.
Hopefully I'm wrong and it's not a bug....

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Tue Nov 07, 2023 10:32 pm
by anav
MT config mikrotik LOL

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Wed Nov 08, 2023 2:18 am
by Unti
yeah... shame on me, it was all my fault :( :lol:

I tried dodging the bullet and not move to PCC instead of using ECMP+....
And this was the only fault.... corrected the routes and it worked like instant....
Will move to PCC at the weekend.

In addition I will set my routers before the mikrotik in ip-passthrough mode, so I can avoid "recursive" routing.... actually all routers on the wan ports of the MT are "nated", so double-nat is never a good idea...

But does somebody of you know what happens in this situation:

wan1 (4g cellular)
-> ip-passthrough
-> interface assign IP via DHCP from the cellular apn
-> connection drops on the "passthrough" router, so gateway will not be reachable
-> is the uplink (or route) offline in this case? like I "unplugged" the eth cable? or will the interface still have the IP assigned to it and all packets will be dropped because of "interface seems online / route active"?

Thanks for your answers and help!

Re: Wireguard (Windows 11/10) Handshake problem

Posted: Wed Nov 08, 2023 2:45 am
by anav
Shame you didn't share your config or some truth on your setup..... maybe next time.