WireGuard peers stability issue

Hi

I have a problem with WireGuard. Most of the time, when peers try to establish a connection to the server, they receive this error:
“Receiving keepalive packet from peer 1”
until I disable the related interface and then enable it again in the Peers window.

You can see the log file:


2022-04-06 08:29:20.967534: [MGR] Starting at boot WireGuard/0.5.3 (Windows 10.0.19044; amd64)
2022-04-06 08:29:21.772478: [MGR] Starting UI process for user ‘Mx@MEHRDADHP’ for session 1
2022-04-06 14:01:49.153321: [TUN] [MxServer] Starting WireGuard/0.5.3 (Windows 10.0.19044; amd64)
2022-04-06 14:01:49.153321: [TUN] [MxServer] Watching network interfaces
2022-04-06 14:01:49.157002: [TUN] [MxServer] Resolving DNS names
2022-04-06 14:01:49.157002: [TUN] [MxServer] Creating network adapter
2022-04-06 14:01:49.806482: [TUN] [MxServer] Using existing driver 0.10
2022-04-06 14:01:49.819450: [TUN] [MxServer] Creating adapter
2022-04-06 14:01:51.596104: [TUN] [MxServer] Using WireGuardNT/0.10
2022-04-06 14:01:51.695205: [TUN] [MxServer] Enabling firewall rules
2022-04-06 14:01:50.757179: [TUN] [MxServer] Interface created
2022-04-06 14:01:51.705490: [TUN] [MxServer] Dropping privileges
2022-04-06 14:01:51.706002: [TUN] [MxServer] Setting interface configuration
2022-04-06 14:01:51.706513: [TUN] [MxServer] Peer 1 created
2022-04-06 14:01:51.711243: [TUN] [MxServer] Monitoring MTU of default v4 routes
2022-04-06 14:01:51.711243: [TUN] [MxServer] Interface up
2022-04-06 14:01:51.716022: [TUN] [MxServer] Setting device v4 addresses
2022-04-06 14:01:51.882560: [TUN] [MxServer] Monitoring MTU of default v6 routes
2022-04-06 14:01:51.882560: [TUN] [MxServer] Setting device v6 addresses
2022-04-06 14:01:51.882560: [TUN] [MxServer] Sending handshake initiation to peer 1 (217.182.230.10:1994)
2022-04-06 14:01:51.995401: [TUN] [MxServer] Receiving handshake response from peer 1 (217.182.230.10:1994)
2022-04-06 14:01:51.995401: [TUN] [MxServer] Keypair 1 created for peer 1
2022-04-06 14:01:52.071084: [TUN] [MxServer] Startup complete
2022-04-06 14:02:02.403846: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:02:12.645862: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:02:23.527350: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:02:33.764654: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:02:44.639689: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:02:54.873890: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:03:05.118515: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:03:16.007498: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:03:26.880474: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:03:37.763780: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:03:48.648032: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:03:52.375007: [TUN] [MxServer] Sending handshake initiation to peer 1 (217.182.230.10:1994) [HERE I disable/enable the INTERFACE]
2022-04-06 14:03:52.470375: [TUN] [MxServer] Receiving handshake response from peer 1 (217.182.230.10:1994)
2022-04-06 14:03:52.470375: [TUN] [MxServer] Keypair 2 created for peer 1
2022-04-06 14:03:52.470375: [TUN] [MxServer] Sending keepalive packet to peer 1 (217.182.230.10:1994)
2022-04-06 14:04:03.366682: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:04:18.640586: [TUN] [MxServer] Retrying handshake with peer 1 (217.182.230.10:1994) because we stopped hearing back after 15 seconds
2022-04-06 14:04:18.640586: [TUN] [MxServer] Sending handshake initiation to peer 1 (217.182.230.10:1994)
2022-04-06 14:04:18.745233: [TUN] [MxServer] Receiving handshake response from peer 1 (217.182.230.10:1994)
2022-04-06 14:04:18.745233: [TUN] [MxServer] Keypair 1 destroyed for peer 1
2022-04-06 14:04:18.745233: [TUN] [MxServer] Keypair 3 created for peer 1
2022-04-06 14:04:18.745233: [TUN] [MxServer] Sending keepalive packet to peer 1 (217.182.230.10:1994)
2022-04-06 14:04:18.852471: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:06:15.775617: [TUN] [MxServer] Shutting down
2022-04-06 14:06:15.890089: [MGR] [MxServer] Tunnel service tracker finished
2022-04-06 14:07:33.348723: [TUN] [MxServer] Starting WireGuard/0.5.3 (Windows 10.0.19044; amd64)
2022-04-06 14:07:33.348723: [TUN] [MxServer] Watching network interfaces
2022-04-06 14:07:33.350802: [TUN] [MxServer] Resolving DNS names
2022-04-06 14:07:33.352465: [TUN] [MxServer] Creating network adapter
2022-04-06 14:07:33.818171: [TUN] [MxServer] Using existing driver 0.10
2022-04-06 14:07:33.837318: [TUN] [MxServer] Creating adapter
2022-04-06 14:07:35.724298: [TUN] [MxServer] Using WireGuardNT/0.10
2022-04-06 14:07:35.817100: [TUN] [MxServer] Enabling firewall rules
2022-04-06 14:07:34.845536: [TUN] [MxServer] Interface created
2022-04-06 14:07:35.833448: [TUN] [MxServer] Dropping privileges
2022-04-06 14:07:35.833935: [TUN] [MxServer] Setting interface configuration
2022-04-06 14:07:35.834940: [TUN] [MxServer] Peer 1 created
2022-04-06 14:07:35.836529: [TUN] [MxServer] Monitoring MTU of default v4 routes
2022-04-06 14:07:35.837529: [TUN] [MxServer] Setting device v4 addresses
2022-04-06 14:07:35.836529: [TUN] [MxServer] Interface up
2022-04-06 14:07:35.973189: [TUN] [MxServer] Sending handshake initiation to peer 1 (217.182.230.10:1994)
2022-04-06 14:07:36.054099: [TUN] [MxServer] Monitoring MTU of default v6 routes
2022-04-06 14:07:36.054099: [TUN] [MxServer] Setting device v6 addresses
2022-04-06 14:07:36.072090: [TUN] [MxServer] Receiving handshake response from peer 1 (217.182.230.10:1994)
2022-04-06 14:07:36.072090: [TUN] [MxServer] Keypair 1 created for peer 1
2022-04-06 14:07:36.143749: [TUN] [MxServer] Startup complete
2022-04-06 14:07:36.185496: [TUN] [MxServer] Receiving keepalive packet from peer 1 (217.182.230.10:1994)
2022-04-06 14:08:06.442426: [TUN] [MxServer] Shutting down
2022-04-06 14:08:06.556427: [MGR] [MxServer] Tunnel service tracker finished
2022-04-06 14:09:00.761208: [TUN] [MxServer] Starting WireGuard/0.5.3 (Windows 10.0.19044; amd64)
2022-04-06 14:09:00.761208: [TUN] [MxServer] Watching network interfaces
2022-04-06 14:09:00.765170: [TUN] [MxServer] Resolving DNS names
2022-04-06 14:09:00.765170: [TUN] [MxServer] Creating network adapter
2022-04-06 14:09:01.312059: [TUN] [MxServer] Using existing driver 0.10
2022-04-06 14:09:01.336526: [TUN] [MxServer] Creating adapter
2022-04-06 14:09:02.834761: [TUN] [MxServer] Using WireGuardNT/0.10
2022-04-06 14:09:02.935219: [TUN] [MxServer] Enabling firewall rules
2022-04-06 14:09:01.939680: [TUN] [MxServer] Interface created
2022-04-06 14:09:02.953402: [TUN] [MxServer] Dropping privileges
2022-04-06 14:09:02.953917: [TUN] [MxServer] Setting interface configuration
2022-04-06 14:09:02.954431: [TUN] [MxServer] Peer 1 created
2022-04-06 14:09:02.956517: [TUN] [MxServer] Monitoring MTU of default v4 routes
2022-04-06 14:09:02.956517: [TUN] [MxServer] Interface up
2022-04-06 14:09:02.977717: [TUN] [MxServer] Setting device v4 addresses
2022-04-06 14:09:03.008413: [TUN] [MxServer] Sending handshake initiation to peer 1 (217.182.230.10:1994)
2022-04-06 14:09:03.152842: [TUN] [MxServer] Receiving handshake response from peer 1 (217.182.230.10:1994)
2022-04-06 14:09:03.152842: [TUN] [MxServer] Keypair 1 created for peer 1
2022-04-06 14:09:03.269794: [TUN] [MxServer] Monitoring MTU of default v6 routes
2022-04-06 14:09:03.269794: [TUN] [MxServer] Setting device v6 addresses
2022-04-06 14:09:03.487860: [TUN] [MxServer] Startup complete
2022-04-06 14:09:25.451728: [TUN] [MxServer] Shutting down
2022-04-06 14:09:25.537838: [MGR] [MxServer] Tunnel service tracker finished


Can you help me?

Could be a mismatch in allowed addresses on one of the peers. They may not overlap!

Please post the config of the Mikrotik device (if that’s the one serving WireGuard to your Win client) so we can review.
Terminal
/export file=
Review the file for any left-overs of sensitive info and post it between [__Code] quotes.

But I am guessing here.
So you may also need to provide a bit more info on what is running where and how.

  1. Network diagram
  2. Mikrotik config /export file=anynameyouwish
  3. Detail the WireGuard requirements:
     a. which is the server and which are the peers
     b. WireGuard settings for the peers…
     c. detail which users need access to which services…

https://forum.mikrotik.com/viewtopic.php?t=182340

touchy slip of the tongue … they’re all peers, dear Watson.
:laughing:

My server is in France and I am using this server as a VPN server.

The WireGuard port is 1994, the firewall rules are correct, and in fact my config is simple.

It's my server config:

# apr/06/2022 13:29:26 by RouterOS 7.1.3
# software id = TI09-7WK3
#

/interface wireguard
add listen-port=1994 mtu=1420 name=wireguard
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/ip pool
add name=VPN-Pool ranges=71.12.26.1,71.12.26.20
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=xxx.xx2.230.10 name=VPN remote-address=VPN-Pool
set *FFFFFFFE change-tcp-mss=default local-address=xxx.xx2.230.10 \
    remote-address=VPN-Pool
/interface l2tp-server server
set default-profile=VPN enabled=yes use-ipsec=yes
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=VPN enabled=\
    yes max-mtu=1450 port=1993 protocol=udp
/interface pptp-server server
set enabled=yes
/interface wireguard peers
add allowed-address=192.168.200.2/24 comment="My Mobile" endpoint-port=1994 \
    interface=wireguard persistent-keepalive=25m public-key=\
    "rQBcd3oa0fGFOGT/7opcVpikKdDSIyzbmUkO+OtjQT0="
add allowed-address=192.168.200.3/24 comment="My Laptop" endpoint-port=1994 \
    interface=wireguard persistent-keepalive=25m public-key=\
    "scX1P6qmPkULqxMPD8uraI8DUaI0nu0PDAt6M7Yv2Ew="
add allowed-address=192.168.200.4/24 comment="My PC" endpoint-port=1994 \
    interface=wireguard persistent-keepalive=25m public-key=\
    "Pv/ydw7HUac64j51rX36LNnzBdRPGcwblrj8F0u8pz0="
add allowed-address=192.168.200.5/24 comment=Saeed endpoint-port=1994 \
    interface=wireguard persistent-keepalive=25m public-key=\
    "NYBAmxnoDJ2Fxz1hUGCnvZXozFUBNTRx52r6dgb/61I="
/ip address
add address=xxx.xx2.230.10 interface=ether1 network=x.xx.65.254
add address=192.168.200.1/24 interface=wireguard network=192.168.200.0
/ip cloud
set update-time=no
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment=Winbpx dst-port=1993 protocol=tcp
add action=accept chain=input comment=VPN dst-port=\
    1993,1945,1994,500,4500,1701 protocol=udp
add action=accept chain=input dst-port=1993,1945,1994,1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input connection-state=established
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=Ping disabled=yes protocol=icmp
add action=drop chain=input comment=Protection
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=x.xx.65.254
/ip service
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=1993
set api-ssl disabled=yes
/ip socks
set auth-method=password max-connections=10 port=1945 version=5
/ip socks users
add name=MxServer
add name=test
/ppp secret
add name=mehrdadvpn profile=VPN
add name=freshte.d profile=VPN
add name=mahtabvpn profile=VPN
add name=mom profile=VPN
add name=miss.faryadi profile=VPN
add name=hamidvpn profile=VPN
/system hardware
set allow-x86-64=yes
/system identity
set name=MxServer
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.windows.com
/system package update
set channel=development

And this is for one of the peers:

[Interface]
PrivateKey = CJNilywtZyH+1Dh/7kmexrce4wrH6ntvbKYkdL9LlFM=
ListenPort = 1994
Address = 192.168.200.4/24
DNS = 1.1.1.1

[Peer]
PublicKey = OWGLQysG/AfyjQJksOuzqlGWGrswyyAefzeLOYjsegQ=
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.xxx.xxx.xx:1994

As suspected.
Your allowed addresses overlap on the peers-definition of your Mikrotik device.

192.168.200.2/24 is the same as 192.168.200.3/24 as far as network address is concerned.

Should be like this:

/interface wireguard peers
add allowed-address=192.168.200.2/32 comment="My Mobile" endpoint-port=1994 \
    interface=wireguard persistent-keepalive=25m public-key=\
    "key1"
add allowed-address=192.168.200.3/32 comment="My Laptop" endpoint-port=1994 \
    interface=wireguard persistent-keepalive=25m public-key=\
    "key2"
add allowed-address=192.168.200.4/32 comment="My PC" endpoint-port=1994 \
    interface=wireguard persistent-keepalive=25m public-key=\
    "key3"
add allowed-address=192.168.200.5/32 comment=Saeed endpoint-port=1994 \
    interface=wireguard persistent-keepalive=25m public-key=\
    "key4"

I would also suggest to set keep-alive to 25.
That’s seconds, not MINUTES.
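Why the overlapping /24 entries matter can be seen by modelling what WireGuard does with allowed addresses. They are not a filter but a routing table: each prefix is owned by exactly one peer, an outbound packet is encrypted to the peer with the longest matching prefix, and a decrypted inbound packet is accepted only if its source address lies in the sending peer's prefixes. The handshakes and keepalives in the log above succeed because they are keyed per peer; it is the data packets that the overlap breaks. The script below is an added example, not code from the thread or from MikroTik: it uses the four peer entries from the posted config, once as posted (/24) and once as the reply recommends (/32). The "a prefix re-added to another peer moves to that peer" rule is the behaviour of the reference wg tool; that RouterOS arbitrates the same way is an assumption, since the thread does not document it.

```python
"""Toy model of WireGuard cryptokey routing (added example, not from the thread).

Every allowed-address prefix belongs to exactly one peer.  Outbound packets go
to the peer whose prefix is the longest match for the destination; an inbound
decrypted packet is accepted only if its source lies in the sending peer's
prefixes.  Re-adding a prefix another peer already owns moves it to the new
peer (wg's behaviour; ASSUMED here to hold on RouterOS as well).
"""
import ipaddress


class CryptokeyRouter:
    def __init__(self):
        # network -> name of the single peer that owns it
        self.table = {}

    def add_peer(self, name, allowed_addresses):
        for entry in allowed_addresses:
            # strict=False mirrors what the reply points out: "192.168.200.2/24"
            # is stored as the network 192.168.200.0/24, same as "192.168.200.3/24".
            net = ipaddress.ip_network(entry, strict=False)
            self.table[net] = name  # last writer wins

    def route_outbound(self, dst):
        """Peer that a packet to dst is encrypted for (longest-prefix match)."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, peer) for net, peer in self.table.items() if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def accept_inbound(self, from_peer, src):
        """Would a decrypted packet from from_peer with source src be accepted?"""
        addr = ipaddress.ip_address(src)
        return any(addr in net and peer == from_peer
                   for net, peer in self.table.items())


# The four peers from the posted RouterOS config, first as posted (/24),
# then as the reply recommends (/32).
PEERS_24 = [("My Mobile", "192.168.200.2/24"), ("My Laptop", "192.168.200.3/24"),
            ("My PC", "192.168.200.4/24"), ("Saeed", "192.168.200.5/24")]
PEERS_32 = [(name, entry.replace("/24", "/32")) for name, entry in PEERS_24]


def simulate(entries):
    """For each peer: (peer its own address is routed to,
    whether inbound packets from that address are accepted)."""
    router = CryptokeyRouter()
    for name, entry in entries:
        router.add_peer(name, [entry])
    results = {}
    for name, entry in entries:
        host = entry.split("/")[0]
        results[name] = (router.route_outbound(host), router.accept_inbound(name, host))
    return results


if __name__ == "__main__":
    for label, entries in (("/24 as posted", PEERS_24), ("/32 as recommended", PEERS_32)):
        print(label)
        for name, (routed_to, accepted) in simulate(entries).items():
            print(f"  {name:10s} -> routed to {routed_to!s:10s} inbound accepted: {accepted}")
```

With the /24 entries the table collapses to a single 192.168.200.0/24 owned by the last peer added, so traffic for "My PC" is encrypted to "Saeed" and every data packet "My PC" sends is dropped on the server as outside its allowed set, even though its handshake and keepalives look healthy. With /32 each peer owns its own host and both directions line up.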

I ask for clarity for this very reason. The above text is gibberish and confuses the terms.
What WIREGUARD DEVICE is the SERVER for the initial CONNECTION?

I am going to assume the France device is the WireGuard server.
And of course I must be wrong, because on the first peer I see this…

add allowed-address=192.168.200.2/24 comment="My Mobile" endpoint-port=1994 \
    interface=wireguard *persistent-keepalive=25m public-key=* \
    "rQBcd3oa0fGFOGT/7opcVpikKdDSIyzbmUkO+OtjQT0="

The SERVER does not keep alive the peer; it's the other way around, so this must not be the WireGuard server…
Hence confused again, and too tired to deal with such inconsistencies at the moment.

Agree: if indeed this is the WG server, all the PEER allowed IPs should reflect the address as /32 and not /24.

No, the keepalives are not required on the WG settings!!!

This is rather bizarre for input chain rules…
/ip firewall filter
add action=accept chain=input comment=Winbpx dst-port=1993 protocol=tcp
add action=accept chain=input comment=VPN dst-port=\
    1993,1945,1994,500,4500,1701 protocol=udp
add action=accept chain=input dst-port=1993,1945,1994,1723 protocol=tcp

There are no forward chain rules??
Also not clear where the incoming WireGuard traffic is going…
Edit: okay, it's internet-bound traffic.

The WireGuard address of the mobile peers themselves, at the mobile device, should normally be set to /32 as well, NOT /24.

They are for peers behind NAT (and especially CGNAT).

I set all prefixes to /32; until now everything is good.

My server is the MikroTik cloud version on OVH datacenters; incoming traffic is going to the gateway (internet).

Now I have another question: I want to exclude some network addresses from going through the WireGuard tunnel. Can you help me?

Thank you so much, all of you.

You're right, the OpenVPN port is 1993 and Winbox is 1993 too; I must change one of them.

Don’t add those addresses to the allowed addresses, then.
Or narrow down the allowed range: split it up into one or more parts so the addresses you want to exclude are not allowed … thus excluded.
Or use FW rules. Maybe easier.

More than one way to skin that cat.

Maybe best you clarify in detail what should not be allowed to pass where.
A simple drawing perhaps ?

Exactly! They are settings for and ON PEER devices, NOT peer settings on the MT server ;-PP

Not necessarily. The goal is to keep the connection through NAT or firewall open, and whether it’s done by packets from one side or the other doesn’t matter.

I want all traffic to go through the tunnel except these networks: 192.168.80.0/24, 172.17.17.0/24
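The "narrow down the allowed range, split it up" option from the reply above can be worked out mechanically: on the client, AllowedIPs is what gets routed into the tunnel, so the list that sends everything except the two LANs is 0.0.0.0/0 with 192.168.80.0/24 and 172.17.17.0/24 carved out. The script below is an added example, not code from the thread, and only uses the Python standard library; the two excluded networks are the ones named in the post, everything else is constructed. One caveat a practitioner should know: WireGuard for Windows offers its "Block untunneled traffic (kill-switch)" option only when AllowedIPs is exactly 0.0.0.0/0 (and/or ::/0), so a split list like this gives up that option.

```python
"""Split-tunnel AllowedIPs: 0.0.0.0/0 minus some LANs (added example, not from
the thread).  A prefix absent from AllowedIPs is never routed into the tunnel,
which is the 'narrow down the allowed range' approach.  Nothing here touches a
real interface; it only computes the config line.
"""
import ipaddress


def allowed_ips_excluding(excluded, base="0.0.0.0/0"):
    """Return the minimal sorted list of prefixes covering base minus excluded."""
    remaining = [ipaddress.ip_network(base)]
    for entry in excluded:
        ex = ipaddress.ip_network(entry, strict=False)
        kept = []
        for net in remaining:
            if net.subnet_of(ex):
                continue                              # entirely inside the excluded LAN
            if ex.subnet_of(net):
                kept.extend(net.address_exclude(ex))  # carve the LAN out of this prefix
            else:
                kept.append(net)                      # disjoint, keep as is
        remaining = kept
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]


def covers(allowed, ip):
    """True if ip would be sent into the tunnel under this AllowedIPs list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a) for a in allowed)


def address_count(allowed):
    """Number of addresses the list covers (sanity check against 2**32 - excluded)."""
    return sum(ipaddress.ip_network(a).num_addresses for a in allowed)


def wg_allowed_ips_line(excluded):
    """The [Peer] line for a wg-quick / WireGuard for Windows config file."""
    return "AllowedIPs = " + ", ".join(allowed_ips_excluding(excluded))


# The two networks the poster wants kept out of the tunnel.
EXCLUDE = ["192.168.80.0/24", "172.17.17.0/24"]

if __name__ == "__main__":
    print(wg_allowed_ips_line(EXCLUDE))
    allowed = allowed_ips_excluding(EXCLUDE)
    for probe in ("8.8.8.8", "192.168.80.7", "172.17.17.250", "192.168.81.1"):
        print(f"{probe:15s} tunnelled: {covers(allowed, probe)}")
```

Paste the printed AllowedIPs line into the [Peer] section of the client config in place of 0.0.0.0/0; the excluded LANs then keep their normal routes while everything else still goes to the server.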

I agree that it's possible, but if the peer is behind NAT or CGNAT or something else, will it still work?? Or trying to reach back to a laptop at a coffee shop?
The OP may turn the laptop on or off or the tunnel off and on etc… and it's really the laptop that should keep the tunnel alive.

Wait a second here… We described an MT server in France that you had several mobile devices attached to, which would use the internet of the MT through the WireGuard tunnels.
Where do these NEW subnets 192.168.80.0/24 and 172.17.17.0/24 come from?? Where are they located??

@anav: When the connection is open and needs just some packets flowing to keep it open, the direction of the packets doesn’t matter. But I think you’re right: if it’s a mobile device, keepalives from the server are not ideal, because if the device connects from one place, the server will be sending keepalives there “forever” (I don’t know if there’s some timeout and it gives up after a long enough silence from the other side; possibly there could be, but I don’t remember seeing it mentioned anywhere) until the device connects again from somewhere else.

That was my concern, and the unknown behaviour of the MT side when no connection etc…