MikroTik

Hi, there is a difference in Wireguard behavior between my laptop and an Android phone that I don't completely understand, therefore looking for explanation.

The setup:
I have a MT router running Wireguard in my home network. The wireguard1 interface IP is 192.168.255.1.

Then I have 2 devices in road warrior mode: a Linux laptop and an Android phone.
The laptop's Wireguard IP is 192.168.255.4.
The phone's Wireguard IP is 192.168.255.3.
Both devices have 192.168.2.0/24 (my home network) and 192.168.255.1/32 in Allowed IPs.

On the router, in the Peers settings, I have:
- the laptop Peer has 192.168.255.4 in Allowed Address
- the phone Peer has 192.168.255.3 in Allowed Address

With these settings:
The laptop is able to handshake and access my network without any problem.
The phone is able only to handshake. It cannot access any IP inside my network.

I found a way to fix this though: on the router, in the phone Peer settings, I can add 0.0.0.0/0 (or the actual IP that the phone has at that moment) into its Allowed Address - then I am able to access my network from the phone as well.

The question: why is this additional Allowed IP needed for the phone? The laptop works without it just fine.

What is even more interesting: when I "fix" the problem this way and establish the tunnel from the phone, I can then safely remove the additional Allowed IP on the router in the phone Peer settings and keep only 192.168.255.3 there. After this change, the phone will still be able to establish the tunnel AND access my network. All will be working fine until I reboot the router. After the reboot, things will return to the original state: handshake from the phone works, but access to the network fails.

Thanks for shedding light on this!

The allowed IPs are not correct for your client devices.
Both should be:
allowed-ips=192.168.255.0/24,192.168.2.0/24

There may be issues with other parts of the config, but clearly unable to comment.

The allowed IPs are not correct for your client devices.
Both should be:
allowed-ips=192.168.255.0/24,192.168.2.0/24

What's wrong with 192.168.255.1/32? It's the only IP that the clients need to access, so .1/32 should be fine.

Not sure whether the rest of my config has other issues (I hope not), but the setup is working, with the only exception being the need for the additional Allowed IP for the phone as I described in the first post - that's the thing I'd like to understand.

Good you have surmized there is no problem with your config, thus no help required.

Hi, i had a similar problem. I think the reason is, that allowed addresses ar not only for firewalling, but also for routing.

My solution was to configure it this way on the mikrotik server:

Allowed IP Adresses:
192.168.2.0/24, 192.168.255.3/32 for Laptop and
192.168.2.0/24, 192.168.255.4/32 for the phone.

If i'am not doing it this way, its kind of random if it worked or not. I believe the reason is, that otherwise both ips are found on the the other peer too and routing will not work, for some reason. Looks like Mirkotik does not know which peer has which ip and routes it sometimes to this peer and somtimes to the other, because if i traces the packets i can clear see that the answer is not coming back and lost before ist reaches the target Firewall logs.

1. Allowed IPs on the mikrotik side have nothing to do with routing.
2. Allowed IPs are a matching flltering function for leaving traffic and a filtering function for arriving traffic.
3. An automatic route is created for wireguard IPs by the wireguard router due to ccreating the interface IP address.
4. Any remote subnet related traffic ( coming into the router or users going to remote subnets) will require manual routes.
5. A good crosscheck always is remote subnets identified in allowed IPs will need manual routes in IP routes

If your comment was for laptop or non mt device............ good to know......

Good you have surmized there is no problem with your config, thus no help required.

I wrote:
with the only exception being the need for the additional Allowed IP for the phone as I described in the first post - that's the thing I'd like to understand.

Still looking for a kind and knowledgeable person to help me understand that, rather than someone posting useless ironic comments. No offense.

I can't help much since I don't use Mikrotik's wireguard functionality, but between an iPhone and a Linux machine, I don't need the 0.0.0.0/0 hack.

On the Linux side, the only allowed IP is the a /32 (the wireguard IP of the phone). On the phone side, the allowed IPs are the actual netblocks I need to access.

Something seems strange in your case, but I don't know what, and whether it's Mikrotik's issue, or the phone. Might help to see the exported config?

No silver spoons here, read!
https://www.wireguard.com/xplatform/
https://www.wireguard.com/papers/wireguard.pdf