Wireguard road warrior setup does not work under WiFi
Posted: Sun Apr 28, 2024 10:56 pm
by alphalt
Hi all,
I have set up Wireguard road warrior VPN tunnel exactly as it is stated here:
https://help.mikrotik.com/docs/display/ ... uardtunnel
All looks perfect and works without problem when my iPhone is on 5G. But as soon as it connects to WiFi, my VPN tunnel stops working. I have tried this at two different friends' WiFi networks and have the same. iPhone connects to the tunnel, but nothing works: no internet, no access to my router, nothing. It is extremely difficult to troubleshoot as I have my phone with me and I can't be in two places at the same time.
Anyone has good ideas of what to test and what could be wrong?
Regards,
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sun Apr 28, 2024 11:18 pm
by anav
Well if it works on 5G then you know your router and phone are setup correctly.
Wondering if one has to do something different on the phone when connecting via WiFi, don't think so?
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sun Apr 28, 2024 11:30 pm
by alphalt
I just made an interesting test. I have created a hotspot on another iPhone connected to 5G. Then my iPhone connected to that hotspot on WiFi and still Wireguard was not working. It looks like it connects, I can see some data being sent over the tunnel (shows in Wireguard status), but it does not seem to be working: I can't access the internet, I can't access my Mikrotik router. As soon as I disconnect from the hotspot, all starts working. Same issue with the other two WiFi networks.
Now, I'm wondering if it is an iPhone problem, or a Wireguard app problem, or is it still something to be configured in Mikrotik, even though that does not sound realistic. It should not make any difference for Mikrotik whether I connect from 5G or WiFi.
Edit: Wireguard log states "handshake did not complete after 5 seconds". That is very strange, especially in the case with the other iPhone as hotspot. Also, when I tested with WiFi, on one of them I have access and could make sure that outgoing packets to the Wireguard VPN tunnel were passing through the router. So, it is really interesting now where the problem is.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sun Apr 28, 2024 11:53 pm
by anav
Did you try a laptop with a Wireguard client as well, using the same WiFi? That would really narrow it down to the phone.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sun Apr 28, 2024 11:56 pm
by alphalt
Not yet, was too focused on the phone. But yes, I will try that and will post the result here.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Wed May 01, 2024 5:10 pm
by LdB
Reduce the MTU of the VPN tunnel; it's too large for the WiFi network when you add in all the VPN packet overheads.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Wed May 01, 2024 11:26 pm
by alphalt
So, I have made tests with the iPhone and a laptop running Debian Linux on 3 different WiFi networks. Behavior is all the same:
* iPhone on 5G - works no problem
* iPhone on WiFi - does not work, handshake did not complete in 5 seconds
* laptop on WiFi - does not work, same issue
* laptop on WiFi that is actually a hotspot connection to the iPhone while it's on 5G - works no problem
As mentioned before, same behavior on 3 different WiFi networks.
Then I have tried changing the MTU size as LdB suggested. I have tried 576 (smallest allowed), then 1500, then some different sizes around 1000 - same issue, it just does not work on WiFi.
Honestly speaking, I do not know what more to check and where to search for the issue. My configuration is 100% the same as in the Mikrotik documentation of the road warrior setup. Any ideas? I have started to lean towards switching to OpenVPN.
Regards,
Re: Wireguard road warrior setup does not work under WiFi
Posted: Wed May 01, 2024 11:59 pm
by pajapatak
What does the router log say when you try to connect while on WiFi? Does the initial packet even reach the router?
Re: Wireguard road warrior setup does not work under WiFi
Posted: Thu May 02, 2024 4:14 pm
by jollyrogr
If you're trying to use WG on your home wifi, you need to configure a hairpin NAT on your router. The 5G connection works because it's hitting your router from the WAN.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Thu May 02, 2024 5:01 pm
by CGGXANNX
> If you're trying to use WG on your home wifi, you need to configure a hairpin NAT on your router. The 5G connection works because it's hitting your router from the WAN.
No, hairpin NAT is not needed because WireGuard is running on the router, not on some other device on the LAN network. There is no dst-nat involved.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Thu May 02, 2024 5:19 pm
by anav
The test should not be a laptop on the LAN going out over WiFi to the same router.
The test should be like cellular: from a separate WAN source, like a friend's house etc., to the router in his house.
The problem is that he can connect to his router via WG from his iPhone from any cellular connection, but never when at a friend's house on WiFi or anywhere else on WiFi.
Makes no sense to me..........
Re: Wireguard road warrior setup does not work under WiFi
Posted: Fri May 03, 2024 2:32 pm
by alphalt
Thank you everyone for ideas and suggestions.
What I tried now is that I connect the iPhone to the same WiFi that does not work for iPhone and laptop. Then I have made a hotspot on the mobile phone and connected the laptop to this hotspot. And all is working! I know that the iPhone is sharing WiFi just because of the external IP address I can see on the WG server router. Packets are reaching and being accepted. If I connect directly to WiFi with my laptop (same external IP), then the WG server router shows "handshake did not complete in 5 sec".
I have tried changing the MTU in the iPhone WG client config as well as on the WG server. Nothing seems to be helping.
Then, I have tried to check the WG git source and saw that at least the iPhone client had not been updated for the past 15 months. I'm not sure about WG clients for other platforms, but that in any way does not seem to be very promising.
Regards,
Edit: I have messed up a bit. My 5G and home router IP addresses are extremely similar, so I got confused a bit. When I was sharing internet via hotspot, it had a 5G connection, so that is why all was working. What I stated above is still true for when I connect the laptop to WiFi: the WG server router gets faults "handshake did not complete in 5 sec". So, back to square one.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Fri May 03, 2024 4:47 pm
by jollyrogr
It is true that the app does not get updated often, but I've been using it for a few years now with no issue. The difference for me being that my WG server is a VM within my LAN, not on my router.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Fri May 03, 2024 5:35 pm
by anav
Then I cannot help you.
I thought we were discussing using the wireguard on the MT router.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sat May 04, 2024 1:32 am
by alphalt
Yes, in my case WG server runs on MT router.
I have actually found the issue, and apparently it is my own fault. The problem is that the MT router running the WG server has a 'white list' of IP addresses that can connect to VPN services. My 5G IP address on the iPhone and the external IP address of the WiFi network differ only by the last digits, and I was simply confused, thinking that the WiFi external address was also added to the 'white list'. I could only see the problem when I set up the OpenVPN service on the MT router, which was also working only on 5G. Then I immediately realized that I needed to check the white list one more time, and I was surprised how similar those IP addresses are.
So, my own fault. Thank you all for your ideas and support.
Regards,
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sat May 04, 2024 2:48 am
by anav
Wrong.
There is no whitelist created by the wireguard interface??????
By creating a wireguard interface and a wireguard IP address, one sets up the possibility of a working wireguard structure.
You still need the input chain rule to allow the handshake of clients to reach the router.
You still need an input chain rule to allow yourself as admin coming in on wireguard to access the config (could be combined with other existing rules).
You still need a forward chain rule to allow incoming wireguard traffic to local subnets
Most importantly the Allowed IPs setting on the MT router for each peer client is critical in
a. allowing that client to exit the tunnel and enter the router, (by wireguard IP address, and if from another client router, subnets on that router )
All to say, I have no idea what this whitelist is that you are talking about??
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sat May 04, 2024 6:46 am
by CGGXANNX
Probably OP has an address list in his firewall configuration and access to the UDP port of WireGuard is only allowed for addresses in that list. And he forgot to extend the list with ranges outside of the mobile operator's.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sat May 04, 2024 12:51 pm
by alphalt
'White list' is just what I called it. Normally it is an entry in an address list, and only that address is allowed to reach the WG port from outside. Basically speaking, only allowed IP addresses can reach the WG port. All that is done via the firewall and has nothing to do with the WG setup.
@CGGXANNX yes, that is exactly what has happened to me
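Added example (not from this thread and not MikroTik's own documentation): a RouterOS configuration that puts together the input/forward rules anav lists above with the address-list gate alphalt calls a 'white list', and makes the gate's failure mode visible. Everything named here is an assumption: interface list names WAN/LAN, WireGuard interface wireguard1 and listen port 13231 (the port MikroTik's help page uses), the list name wg-allowed, the tunnel subnet, and the public addresses, which are constructed samples from the RFC 5737 documentation ranges. The drop rule for non-listed sources logs the source address, so the "almost the same" WAN IP that the thread was tripped up by shows up in the log instead of failing silently as "handshake did not complete".

```routeros
# --- Added example, not the thread's or MikroTik's configuration. All names are assumptions. ---

/interface wireguard
add name=wireguard1 listen-port=13231 comment="road-warrior server (assumed name/port)"

/ip address
add address=10.10.10.1/24 interface=wireguard1 comment="tunnel address of the router (assumed subnet)"

/interface wireguard peers
# allowed-address is what lets this peer's packets exit the tunnel into the router (anav's point).
# The public key is a placeholder; paste the client's real key here.
add interface=wireguard1 public-key="<CLIENT-PUBLIC-KEY-PLACEHOLDER>" allowed-address=10.10.10.2/32 comment="phone"

/ip firewall address-list
# The gate: only these WAN sources may even reach the WireGuard port.
# Constructed samples. Note how easy it is to list the 5G address and forget the
# WiFi uplink that differs only in the last octet (198.51.100.73 is NOT listed).
add list=wg-allowed address=198.51.100.10 comment="phone on 5G (constructed sample)"
add list=wg-allowed address=203.0.113.0/24 comment="friend's WiFi uplink (constructed sample)"

/ip firewall filter
# These rules must sit ABOVE the default "drop all not coming from LAN" input rule;
# a plain 'add' appends to the end of the chain, so use place-before=<rule-number>
# or '/ip firewall filter move' after checking '/ip firewall filter print'.

# 1. Handshake/keepalive from a listed WAN source reaches the WireGuard socket.
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN src-address-list=wg-allowed comment="WG from allowed WAN sources"

# 2. Any other WAN source aimed at the WG port is dropped, but logged first, so the
#    refused source address is visible. Without log=yes this failure is invisible on
#    the router and the client only ever sees "handshake did not complete".
add chain=input action=drop protocol=udp dst-port=13231 in-interface-list=WAN log=yes log-prefix="WG-REJECT" comment="log + drop WG from unlisted sources"

# 3. Admin access over the tunnel (WinBox/SSH); narrow to the ports you actually use.
add chain=input action=accept in-interface=wireguard1 protocol=tcp dst-port=8291,22 comment="admin via tunnel"

# 4. Road-warrior clients reach the LAN subnets behind the router.
add chain=forward action=accept in-interface=wireguard1 out-interface-list=LAN comment="tunnel -> LAN"

# Checks when a client reports a failed handshake:
#   /log print where message~"WG-REJECT"        -> shows the WAN IP that was refused
#   /interface wireguard peers print             -> last-handshake empty = never accepted
#   /ip firewall filter print stats              -> which of rules 1/2 is counting packets
```

The log rule is the answer to pajapatak's question ("does the initial packet even reach the router?"): if the client's handshake is being refused by the gate, it is counted and logged by rule 2 with the real source address; if nothing at all appears, the packet never made it to the router and the problem is upstream (NAT, MTU, or the WiFi network itself). An address-list gate of this kind is a coarse filter in front of the cryptographic one, not a replacement for it, and it has to be kept in step with every network you plan to roam from.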
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sat May 04, 2024 3:58 pm
by anav
A whitelist to allow external WANIPs to connect to your wireguard port is not required. That is the purpose of the VPN connection. Only those with proper encrypted credentials will be able to connect and thus there is no need for a whitelist.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sun May 05, 2024 9:14 pm
by alphalt
Well, yes and no.
When you have an address list with allowed IPs, then you will not reveal open ports to random IP addresses. That is mainly why I do it. If you get scanned for common open VPN ports, it will not respond in case you have white-listed addresses. For the rest, yes, nobody will be able to connect without the required credentials.
Re: Wireguard road warrior setup does not work under WiFi
Posted: Sun May 05, 2024 11:13 pm
by optio
What is the purpose of a "road warrior" VPN if you are unable to connect to it from any WAN IP?
Allowing all IP address ranges of all ISPs available at the locations from where you assume you will be connecting is a bit silly, unless this is not a VPN for travelling purposes (but then it is not a "road warrior" VPN).
If you are concerned about security, set up wg on some uncommon port (also different from the ones in examples/forums/documentation) and use blocklists. Fetch IP addresses/ranges from sources that provide such IPs (see https://iplists.firehol.org/), import them into a ROS address list and block them; there are script examples on this forum for this.
Additionally, for advanced protection it is possible to set up port knocking (see https://help.mikrotik.com/docs/display/ ... t+knocking) with bruteforce protection on the wg port (https://help.mikrotik.com/docs/display/ ... prevention), or if you have an LTE modem on the router, use an SMS command to execute a script which toggles the wg port firewall filter.
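Added example (not from this thread, not MikroTik's own help-page text): the port-knocking variant optio suggests, which replaces a static list of allowed WAN addresses with a dynamic one that the client earns by knocking, so it works from any network the traveller happens to be on. The knock ports (TCP 1111 then 2222), the list names, the timeouts, the WireGuard port 13231 and the interface list name WAN are all assumptions. RouterOS's add-src-to-address-list action is non-terminating, so the knock packets themselves fall through to the normal drop rules and are never answered.

```routeros
# --- Added example; every port, list name and timeout below is an assumption. ---
# Order matters: these rules must be above the default "drop all not coming from LAN"
# input rule (use place-before= or '/ip firewall filter move').

/ip firewall filter

# Knock 1 of 2: a TCP SYN to 1111 from WAN remembers the source for 15 seconds.
# The packet is not accepted; the action only records the address and passes on.
add chain=input action=add-src-to-address-list address-list=knock-stage1 address-list-timeout=15s protocol=tcp dst-port=1111 in-interface-list=WAN comment="knock 1 of 2"

# Knock 2 of 2: only a source already in knock-stage1 gets promoted. The WG port is then
# open to that source for 1 hour. Because the knocking source is whatever public address
# the client's network NATs to, this works equally from 5G or from a friend's WiFi.
add chain=input action=add-src-to-address-list address-list=wg-knocked address-list-timeout=1h protocol=tcp dst-port=2222 in-interface-list=WAN src-address-list=knock-stage1 comment="knock 2 of 2"

# WireGuard handshakes are only accepted from sources that completed the sequence.
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN src-address-list=wg-knocked comment="WG after successful knock"

# Everything else sent to the WG port: record the prober for a day, then drop silently
# (WireGuard never replies to an unauthenticated packet anyway, so the port looks closed).
# This rule sits BELOW the knock rules, so a recorded source can still knock its way in.
add chain=input action=add-src-to-address-list address-list=wg-probes address-list-timeout=1d protocol=udp dst-port=13231 in-interface-list=WAN comment="record unsolicited WG probes"
add chain=input action=drop protocol=udp dst-port=13231 in-interface-list=WAN comment="drop WG from unknocked sources"

# Checks:
#   /ip firewall address-list print where list=wg-knocked   -> who currently has the port open, and for how long
#   /ip firewall address-list print where list=wg-probes    -> sources that hit the port without knocking
#   /interface wireguard peers print                        -> last-handshake confirms the tunnel came up
```

Two practical notes. The default "accept established,related" rule at the top of the input chain is what keeps an already-running tunnel alive after the 1h entry expires, since WireGuard's keepalives keep the UDP connection-tracking entry fresh; a new handshake from a cold client after expiry needs a fresh knock. And the knock sequence is not a secret in any cryptographic sense: it only hides the port from casual scanning, which is exactly the property alphalt wanted from the static list, while the WireGuard keys remain the actual authentication.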
Re: Wireguard road warrior setup does not work under WiFi
Posted: Mon May 06, 2024 9:33 pm
by alphalt
Yes, my purpose is for travelling, and yes, I have port knocking set up.