jfad
just joined
Topic Author
Posts: 4
Joined: Sun Feb 04, 2024 6:37 pm

Wireguard handshake but no traffic

Sat Feb 10, 2024 7:22 pm

Hello to all!

First post in this community, hope you guys can help out.
I've been trying to make a dynamic WG connection between 2 sites, both of them using a ddns address.
Site A has an EdgeRouter and is the current WG server (public IP under ddns.net)
Site B has a MikroTik and is the one to connect to WG as a client (public IP under duckdns.org)

So far I was able to get a handshake, but unfortunately I'm not able to get any traffic from the MikroTik via the WG tunnel.

Can you guys help to identify the issue?

EdgeRouter config (server)
Public IP under xxx.ddns.net
Wireguard interface: 10.6.69.1
Listening port: 51280
Peer: mikrotik
Allowed IP: 10.6.69.6/32
endpoint: xxx.duckdns.org:13231

MikroTik config (client)
Public IP under xxx.duckdns.org
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-CasaPollo
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add interface=WG-CasaPollo list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=10.6.69.6/24 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=xxx.duckdns.org client-listen-port=\
    13231 endpoint-address=xxx.ddns.net endpoint-port=51280 interface=\
    WG-CasaPollo persistent-keepalive=25s public-key=\
    "xxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.6.69.6/24 interface=WG-CasaPollo network=10.6.69.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=10.0.0.2 gateway=\
    192.168.88.1
/ip firewall filter
add action=fasttrack-connection chain=forward comment="from the network berg" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="from the network berg" \
    connection-state=established,related
add action=accept chain=input comment="WG-casapollo (Mikrotik guides)" \
    dst-port=13231 protocol=udp src-port=""
add action=drop chain=forward comment="from the network berg" \
    connection-state=invalid
add action=drop chain=forward comment="from the network berg" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard handshake but no traffic

Sat Feb 10, 2024 9:26 pm

The peer entry on the MikroTik router should be
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=10.6.69.0/24
endpoint-address=xxx.ddns.net endpoint-port=51280 interface=\
WG-CasaPollo persistent-keepalive=25s public-key=\
"xxx"


A client address is not required on the EdgeRouter; it is acting as the server for the handshake.

An input chain rule for WireGuard is not required on the MT; it is NOT the server for the handshake, so remove......
add action=accept chain=input comment="WG-casapollo (Mikrotik guides)" \
dst-port=13231 protocol=udp src-port=""


+++++++++++++++++++++++++++++++++++++++++

If you didn't want to masquerade all the MT traffic out the WireGuard interface to its IP address .6, and simply wanted to allow the local subnets to enter the tunnel,
one would only need to include those subnets in the EdgeRouter's allowed IPs.

For example: Allowed IP: 10.6.69.6/32,192.168.88.0/24
 
TheCat12
Member Candidate
Posts: 178
Joined: Fri Dec 31, 2021 9:13 pm

Re: Wireguard handshake but no traffic

Sat Feb 10, 2024 9:40 pm

Also, the WireGuard interface should be part of the LAN interface list, not WAN, at least in my opinion.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard handshake but no traffic

Sat Feb 10, 2024 10:13 pm

It's not as if belonging to a particular interface list is some rule.
It can be assigned to a particular interface list for various reasons.....
In fact, for third-party WireGuard connections, making the WG interface part of the WAN interface list makes sense.
Then one need not create a separate source-nat rule for WireGuard.

If the router is the server for the handshake, and you have users coming in that need access to the WAN for example, ensuring they are part of the LAN interface list will
a. allow them access to DNS services and any forward-chain LAN-to-WAN allow rules.

Bottom line, look at your firewall rules and traffic needs and apply what makes sense.
 
jfad
just joined
Topic Author
Posts: 4
Joined: Sun Feb 04, 2024 6:37 pm

Re: Wireguard handshake but no traffic

Sun Feb 11, 2024 12:12 pm

Thanks for the suggestion!!

I've modified my config as you've proposed, but I still can't ping 10.6.69.1 from the MikroTik or get any traffic out from the WG interface.
On the EdgeRouter I've added 10.6.69.6/32 and 192.168.88.0/24 as allowed IPs, but as soon as I remove the endpoint xxx.duckdns.org:13231 I no longer get a handshake.

Any ideas why it doesn't work?
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-CasaPollo
/interface list member
add interface=WG-CasaPollo list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=10.6.69.0/24 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=xxx.duckdns.org client-listen-port=\
    13231 endpoint-address=xxx.ddns.net endpoint-port=51280 interface=\
    WG-CasaPollo persistent-keepalive=25s public-key=\
    "xxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.6.69.6/24 interface=WG-CasaPollo network=10.6.69.0
/ip firewall filter
add action=fasttrack-connection chain=forward comment="from the network berg" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="from the network berg" \
    connection-state=established,related
add action=drop chain=forward comment="from the network berg" \
    connection-state=invalid
add action=drop chain=forward comment="from the network berg" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
 
gigabyte091
Forum Guru
Posts: 1204
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wireguard handshake but no traffic

Sun Feb 11, 2024 1:00 pm

That's normal; how will the router know where to send the handshake and establish the connection if you remove the endpoint?

If you look at the post from @Mesquite he didn't remove endpoint...
 
jfad
just joined
Topic Author
Posts: 4
Joined: Sun Feb 04, 2024 6:37 pm

Re: Wireguard handshake but no traffic

Sun Feb 11, 2024 2:41 pm

Thanks, I had misread the message from @Mesquite.

In any case, now that I have the endpoint on the EdgeRouter correct, the handshake works, but I am not able to ping the EdgeRouter from the MikroTik.

Any suggestions of what to do?

thanks again for the support!
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard handshake but no traffic  [SOLVED]

Sun Feb 11, 2024 3:43 pm

jfad, YOU HAD TWO endpoints in your MikroTik config.
There is no such thing as a client endpoint in your scenario.
The EdgeRouter acts as the server for the initial handshake (after it is established, it's a peer-to-peer connection).

So two things need to happen:
- get rid of the client duck stuff in the MikroTik Allowed IPs setting. You only need the endpoint identifying the EdgeRouter.
- get rid of the duck settings on the EdgeRouter; they are meaningless.
All that should be on the EdgeRouter for the address in the allowed IPs is 10.6.69.6/32.

To recap:
MT
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.ddns.net endpoint-port=51280 interface=\
WG-CasaPollo persistent-keepalive=25s public-key="xxx"

EDGE:
Allowed IP: 10.6.69.6/32 publickey=xxxxx etc..
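The recap above, and Mesquite's earlier point about listing the LAN subnet instead of masquerading, both come down to WireGuard's cryptokey routing: a peer's allowed IPs filter the inner source of packets it sends and select the peer for packets going out. The following is an added Python model of that rule, not code from the thread or from RouterOS; the peer names and the LAN host address 192.168.88.10 are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    allowed: list  # list of ipaddress.IPv4Network: the peer's allowed IPs


def parse_peer(name, allowed_csv):
    """Build a peer from a RouterOS-style comma-separated allowed-address list."""
    return Peer(name, [ipaddress.ip_network(n, strict=False)
                       for n in allowed_csv.split(",")])


def inbound_ok(peer, src):
    """A decrypted packet from `peer` is kept only if its inner source address
    lies in that peer's allowed IPs; otherwise WireGuard drops it silently."""
    s = ipaddress.ip_address(src)
    return any(s in n for n in peer.allowed)


def outbound_peer(peers, dst):
    """Longest-prefix match of the destination over all peers' allowed IPs
    decides which peer (if any) a packet is encrypted to."""
    d = ipaddress.ip_address(dst)
    best = None
    for p in peers:
        for n in p.allowed:
            if d in n and (best is None or n.prefixlen > best[1].prefixlen):
                best = (p, n)
    return best[0].name if best else None


def check_scenarios():
    """EdgeRouter's view of its MikroTik peer in both variants from the thread,
    plus the MikroTik's view of the EdgeRouter peer (allowed-address=0.0.0.0/0)."""
    strict = parse_peer("mikrotik", "10.6.69.6/32")                  # final recap
    wide = parse_peer("mikrotik", "10.6.69.6/32,192.168.88.0/24")    # no-masquerade variant
    edge = parse_peer("edge", "0.0.0.0/0")                           # constructed name
    return {
        "mt_self_strict": inbound_ok(strict, "10.6.69.6"),        # tunnel address itself
        "lan_strict_no_nat": inbound_ok(strict, "192.168.88.10"), # LAN host, not masqueraded
        "lan_strict_masq": inbound_ok(strict, "10.6.69.6"),       # same host after srcnat to .6
        "lan_wide_no_nat": inbound_ok(wide, "192.168.88.10"),     # LAN subnet listed
        "reply_wide": outbound_peer([wide], "192.168.88.10"),     # reply finds the peer
        "reply_strict": outbound_peer([strict], "192.168.88.10"), # reply has no peer
        "mt_to_edge": outbound_peer([edge], "10.6.69.1"),         # any dst -> edge peer
    }
```

Note that RouterOS does not derive routes from allowed-address the way wg-quick does; in this thread the connected /24 on WG-CasaPollo is what routes 10.6.69.1 into the tunnel, while the masquerade rule (WG interface in the WAN list) is what makes LAN traffic arrive at the EdgeRouter as 10.6.69.6 and pass its /32 allowed IP.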
 
jfad
just joined
Topic Author
Posts: 4
Joined: Sun Feb 04, 2024 6:37 pm

Re: Wireguard handshake but no traffic

Sun Feb 11, 2024 5:51 pm

Thanks Mesquite!

Works like a charm now!
