jacobbailey
just joined
Topic Author
Posts: 8
Joined: Tue Mar 19, 2024 1:10 am

Wireguard Setup

Tue Mar 19, 2024 1:28 am

Hi Everyone,

Apologies, but I am still very new to MikroTiks.
I have two MikroTiks that are blank config save for the bare minimum to get a connection to the internet:
ether2 set up with LAN IPs, DHCP server and the rest
ether1 set up as a DHCP client WAN
Masquerade set up in the NAT

Both MikroTiks are set up the same, both are using the LTE and getting public IPs, and both can route LAN to the internet with no problems; currently zero firewall rules and no other config to write home about.

However, when I set up WireGuard and the peers on both, I get no handshake. I know I am missing something but I have no idea what.

R1 set up peer:
Name: Wireguard-1
Endpoint: (blank)
Endpoint Port: (blank)
Allowed IPs: 0.0.0.0/0
Keep Alive 25s

IP Address added
10.0.0.1/30 --> Wireguard-1

R2 set up peer:
Name: Wireguard-1
Endpoint: *R1 Public IP*
Endpoint Port: 13231
Allowed IPs: 0.0.0.0/0
Keep Alive 25s

IP Address added
10.0.0.2/30 --> Wireguard-1

Can anyone help me with what I am missing? Thank you in advance!
 
anav
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Setup

Tue Mar 19, 2024 1:36 pm

Which router gets a public IP?
 
jacobbailey
Topic Author

Re: Wireguard Setup

Tue Mar 19, 2024 2:55 pm

So both routers have a public IP.

I have tried it where I add the endpoint on both routers with each other's public IP,
& I have tried it with R1 having a blank endpoint and R2 having the public IP of R1.

Neither of these things work.

10.0.0.1 just won't speak to 10.0.0.2.

I have gotten the handshake on the current config to work once; however, that time both were connected via ether1 - WAN, both routers' WANs were DHCP and they had IPs on the same network (10.10.1.5 & 10.10.1.4). Handshake was fine.

But on the LTE, which routes traffic to the internet fine, both have public IPs and the handshake will not happen.

I also attached one of them to my leased line and it had a static public IP on the WAN, and the handshake still failed.
 
anav
Forum Guru

Re: Wireguard Setup

Tue Mar 19, 2024 7:15 pm

Post both configs.
Will assume R1 is the one you want to be the server for handshake.

/export file=anynameyouwish (minus router serial number, public WANIP info, keys, long dhcp lease lists etc.)
 
jacobbailey
Topic Author

Re: Wireguard Setup

Tue Mar 19, 2024 8:18 pm

In this case R2 is the server.

R1
-------------------
# mar/18/2024 23:52:08 by RouterOS 7.8
# software id =
#
# model = L41G-2axD&FG621-EA
# serial number =
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=10.1.1.50-10.1.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 lease-time=1d name="LAN - DHCP"
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=R2 PUBLIC IP endpoint-port=\
13231 interface=wireguard1 persistent-keepalive=25s public-key=\
"R2 Public KEY"
/ip address
add address=10.1.1.254/24 interface=ether2 network=10.1.1.0
add address=10.0.0.2/30 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface="ether1 - WAN"
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.254, 8.8.8.8 gateway=10.1.1.254
/ip dns
set allow-remote-requests=yes servers=10.1.1.254
/ip dns static
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi.local
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi.localdomain
/ip firewall filter
add action=accept chain=input port=13231 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=\
"Forward UniFi Inform to Cloud Server" dst-port=8080 in-interface=ether2 \
protocol=tcp to-addresses=UNIFI SERVER PUBLIC IP to-ports=8080
add action=dst-nat chain=dstnat comment=\
"Forward UniFi Inform to Cloud Server" dst-port=8080 in-interface=ether2 \
protocol=tcp to-addresses=UNIFI SERVER PUBLIC IP to-ports=8080
add action=accept chain=srcnat dst-address=10.10.59.69 src-address=\
10.1.1.0/24
/system identity
set name=
-------------------

R2
-------------------
# mar/18/2024 23:10:07 by RouterOS 7.8
# software id =
#
# model = L41G-2axD&FG621-EA
# serial number =
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wifiwave2
add
/interface ethernet
set [ find default-name=ether1 ] mac-address=MAC name=\
"ether1 - WAN"
set [ find default-name=ether2 ] mac-address=MAC
set [ find default-name=ether3 ] mac-address=MAC
set [ find default-name=ether4 ] mac-address=MAC
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=10.1.1.50-10.1.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 lease-time=1d name="LAN - DHCP"
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard1 public-key=\
"R1 PUBLIC KEY"
/ip address
add address=10.1.1.254/24 interface=ether2 network=10.1.1.0
add address=10.0.0.1/30 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface="ether1 - WAN"
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.254,8.8.8.8 gateway=10.1.1.254
/ip dns
set allow-remote-requests=yes servers=10.1.1.254
/ip dns static
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi.local
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi.localdomain
/ip firewall filter
add action=accept chain=input port=13231 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=\
"Forward UniFi Inform to Cloud Server" dst-port=8080 in-interface=ether2 \
protocol=tcp to-addresses=UNIFI SERVER PUBLIC IP to-ports=8080
add action=dst-nat chain=dstnat comment=\
"Forward UniFi Inform to Cloud Server" dst-port=8080 in-interface=ether2 \
protocol=tcp to-addresses=UNIFI SERVER PUBLIC IP to-ports=8080
add action=accept chain=srcnat dst-address=10.10.59.69 src-address=\
10.1.1.0/24
/system identity
set name=
 
anav
Forum Guru

Re: Wireguard Setup

Tue Mar 19, 2024 8:23 pm

Very confusing setup.
You need to select which one is the server for handshake...........
Also, why are your LAN subnets the same behind each router? Make them different.
 
jacobbailey
Topic Author

Re: Wireguard Setup

Tue Mar 19, 2024 9:43 pm

Yes, the LAN IPs are the same just because it's a lab, and I can't get the tunnel up & handshaking in the first place.
These would be different in reality.

In this, R2 is the server as far as I know.
As far as I know R1 needs a peer set to R2
and R2 a peer to R1.

Only R1's peer has an endpoint public IP set to R2, as R2 is the server, correct?

If the WANs are private IPs on the same network and I set up WireGuard like this, the handshake is fine.
Once they are both on LTE with public IPs, the handshake never happens.

Any help would be amazing; when you say select one for the server, is there a step I missed?
 
anav
Forum Guru

Re: Wireguard Setup

Tue Mar 19, 2024 10:04 pm

# mar/18/2024 23:52:08 by RouterOS 7.8
# software id =
#
# model = L41G-2axD&FG621-EA
# serial number =
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=10.2.1.50-10.2.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 lease-time=1d name="LAN - DHCP"
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=R2 PUBLIC IP endpoint-port=\
13231 interface=wireguard1 persistent-keepalive=25s public-key=\
"R2 Public KEY"
/ip address
add address=10.2.1.254/24 interface=ether2 network=10.2.1.0
add address=10.0.0.2/30 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface="ether1 - WAN"
/ip dhcp-server network
add address=10.2.1.0/24 dns-server=10.2.1.254, 8.8.8.8 gateway=10.2.1.254
/ip dns
set allow-remote-requests=yes servers=10.1.1.254
/ip dns static
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi.local
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi.localdomain
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN


R2
-------------------
# mar/18/2024 23:10:07 by RouterOS 7.8
# software id =
#
# model = L41G-2axD&FG621-EA
# serial number =
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wifiwave2
add
/interface ethernet
set [ find default-name=ether1 ] mac-address=MAC name=\
"ether1 - WAN"
set [ find default-name=ether2 ] mac-address=MAC
set [ find default-name=ether3 ] mac-address=MAC
set [ find default-name=ether4 ] mac-address=MAC
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard2
/ip pool
add name=dhcp_pool0 ranges=10.1.1.50-10.1.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 lease-time=1d name="LAN - DHCP"
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=10.0.0.2/32,10.2.1.0/24 interface=wireguard2 public-key=\
"R1 PUBLIC KEY"
/ip address
add address=10.1.1.254/24 interface=ether2 network=10.1.1.0
add address=10.0.0.1/30 interface=wireguard2 network=10.0.0.0
/ip dhcp-client
add interface="ether1 - WAN"
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.254,8.8.8.8 gateway=10.1.1.254
/ip dns
set allow-remote-requests=yes servers=10.1.1.254
/ip firewall filter
add action=accept chain=input port=13231 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
....
Recommend updating to the latest stable, or more specifically to 7.14.2 when it comes out.
I don't have a clue what you are doing with port forwarding, as that is intended from external to internal (or internal to internal sometimes).....

Also it's not clear who on R2 will be going to R1 and vice versa...... and for what purpose.
 
jacobbailey
Topic Author

Re: Wireguard Setup

Wed Mar 20, 2024 12:49 am

Update noted! Thanks.

What the end game here is:

R2 is the WG server, R1 the client.

Everything on ether2 on R1 is sent via WG to ether2 on R2, and vice versa.

That part is neither here nor there at this point, as the handshake just doesn't happen on 10.0.0.1 & 10.0.0.2. No idea why; I keep trying to figure out what would be stopping it and I'm lost. Firewall rule missing? Maybe 🤔
 
anav
Forum Guru

Re: Wireguard Setup

Wed Mar 20, 2024 1:55 am

Well, you have no firewall rules, so all should be permitted.........
On R2 try adding
add chain=input action=accept comment="wg handshake" dst-port=13231 protocol=udp


FACEPALM, - we forgot routes

ON R1 Add
add dst-address=10.1.1.0/24 gateway=wireguard1 routing-table=main comment="route to remote subnet"

ON R2 add
add dst-address=10.2.1.0/24 gateway=wireguard2 routing-table=main comment="route to remote subnet"
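Pulling together the peer layout from the opening post, the distinct LAN subnets, the routes just given and a masquerade rule limited to the uplink, here is a complete site-to-site pair written as an added example; it is not either poster's export. Addressing follows the later posts in this thread: R1 is 10.0.0.1 with LAN 10.2.1.0/24 and dials out, R2 is 10.0.0.2 with LAN 10.1.1.0/24 and listens. Assumptions: lte1 is the uplink on both routers, R2's lte1 address really is reachable from the Internet, the WAN interface list is created here because the exports above do not define one, and each key placeholder is replaced with the other router's interface public key.

```routeros
# ---- R2: responder. Its peer has no endpoint; R1 finds it, not the reverse ----
/interface list
add name=WAN
/interface list member
add list=WAN interface=lte1
/interface wireguard
add name=wireguard1 listen-port=13231 mtu=1420
/interface wireguard peers
# allowed-address = remote tunnel address + remote LAN (cryptokey filter, see note)
add interface=wireguard1 public-key="<R1 interface public key>" \
    allowed-address=10.0.0.1/32,10.2.1.0/24 comment="R1 site"
/ip address
add address=10.0.0.2/30 interface=wireguard1
/ip route
# allowed-address does not install routes on RouterOS; this does
add dst-address=10.2.1.0/24 gateway=wireguard1 comment="route to R1 LAN"
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="wg handshake"
/ip firewall nat
# NAT only towards the Internet, never into the tunnel
add chain=srcnat action=masquerade out-interface-list=WAN

# ---- R1: initiator. Keepalive keeps the LTE NAT mapping open for replies ----
/interface list
add name=WAN
/interface list member
add list=WAN interface=lte1
/interface wireguard
add name=wireguard1 listen-port=13231 mtu=1420
/interface wireguard peers
add interface=wireguard1 public-key="<R2 interface public key>" \
    endpoint-address=<R2 public IP> endpoint-port=13231 \
    allowed-address=10.0.0.2/32,10.1.1.0/24 persistent-keepalive=25s \
    comment="R2 site"
/ip address
add address=10.0.0.1/30 interface=wireguard1
/ip route
add dst-address=10.1.1.0/24 gateway=wireguard1 comment="route to R2 LAN"
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
```

Two things in this pair are easy to get wrong. First, allowed-address is WireGuard's cryptokey filter, not a route: a packet from 10.2.1.x arriving at R2 over a peer whose list is only 10.0.0.1/32 is dropped silently, and a packet for 10.1.1.x on R1 is only encrypted towards a peer whose list covers that destination, which is why each side lists the far tunnel address and the far LAN while the /ip route entries are still required. Second, a bare chain=srcnat masquerade (as in the exports above) also rewrites traffic entering the tunnel, so the far LAN sees every flow as coming from the tunnel address; restricting it to out-interface-list=WAN avoids that. Neither point influences the handshake itself: with matching keys, the handshake only needs R1's UDP packet to reach port 13231 on R2.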
 
jacobbailey
Topic Author

Re: Wireguard Setup

Wed Mar 20, 2024 11:53 am

Followed the above request; config below: no handshake.
R1
-------------------
# mar/20/2024 09:44:58 by RouterOS 7.8
# software id =
#
# model = L41G-2axD&FG621-EA
# serial number =
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wifiwave2
add
/interface ethernet
set [ find default-name=ether1 ] mac-address=MAC ADDRESS name=\
"ether1 - WAN"
set [ find default-name=ether2 ] mac-address=MAC ADDRESS
set [ find default-name=ether3 ] mac-address=MAC ADDRESS
set [ find default-name=ether4 ] mac-address=MAC ADDRESS
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=10.2.1.50-10.2.1.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 lease-time=1d name="LAN - DHCP"
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=R2 PUBLIC IP endpoint-port=\
13231 interface=wireguard1 persistent-keepalive=20s public-key=\
"R2 PUBLIC KEY"
/ip address
add address=10.2.1.254/24 interface=ether2 network=10.2.1.0
add address=10.0.0.1/30 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface="ether1 - WAN"
/ip dhcp-server network
add address=10.2.1.0/24 dns-server=8.8.8.8 gateway=10.2.1.254
/ip dns
set allow-remote-requests=yes servers=10.1.1.254
/ip dns static
add address=UNIFI SERVER match-subdomain=yes name=unifi
add address=UNIFI SERVER match-subdomain=yes name=unifi.local
add address=UNIFI SERVER match-subdomain=yes name=unifi.localdomain
/ip firewall filter
add action=accept chain=input port=13231 protocol=udp
add action=accept chain=input comment="wg handshake" dst-port=13231 protocol=\
udp
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=\
"Forward UniFi Inform to Cloud Server" dst-port=8080 in-interface=ether2 \
protocol=tcp to-addresses=UNIFI SERVER to-ports=8080
add action=dst-nat chain=dstnat comment=\
"Forward UniFi Inform to Cloud Server" dst-port=8080 in-interface=ether2 \
protocol=tcp to-addresses=UNIFI SERVER to-ports=8080
add action=accept chain=srcnat dst-address=10.10.59.69 src-address=\
10.2.1.0/24
/ip route
add comment="route to remote subnet" disabled=no dst-address=10.1.1.0/24 \
gateway=wireguard1 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/London
/system identity
set name=
-------------------

R2
-------------------
# mar/20/2024 09:38:41 by RouterOS 7.8
# software id =
#
# model = L41G-2axD&FG621-EA
# serial number =
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=10.1.1.50-10.1.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 lease-time=1d name="LAN - DHCP"
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard1 persistent-keepalive=25s \
public-key="R1 PUBLIC KEY"
/ip address
add address=10.1.1.254/24 interface=ether2 network=10.1.1.0
add address=10.0.0.2/30 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface="ether1 - WAN"
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.254,127.4.0.144 gateway=10.1.1.254
/ip dns
set allow-remote-requests=yes servers=10.1.1.254
/ip dns static
add address=UNIFI SERVER match-subdomain=yes name=unifi
add address=UNIFI SERVER match-subdomain=yes name=unifi.local
add address=UNIFI SERVER match-subdomain=yes name=unifi.localdomain
/ip firewall filter
add action=accept chain=input port=13231 protocol=udp
add action=accept chain=input comment="wg handshake" dst-port=13231 protocol=\
udp
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment=\
"Forward UniFi Inform to Cloud Server" dst-port=8080 in-interface=ether2 \
protocol=tcp to-addresses=UNIFI SERVER to-ports=8080
add action=dst-nat chain=dstnat comment=\
"Forward UniFi Inform to Cloud Server" dst-port=8080 in-interface=ether2 \
protocol=tcp to-addresses=UNIFI SERVER to-ports=8080
add action=accept chain=srcnat dst-address=10.10.59.69 src-address=\
10.1.1.0/24
/ip route
add comment="route to remote subnet" disabled=no dst-address=10.2.1.0/24 \
gateway=wireguard1 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/London
/system identity
set name=
-------------------
 
jacobbailey
Topic Author

Re: Wireguard Setup

Wed Mar 20, 2024 12:02 pm

From R1

My IP
IPv4 Address. . . . . . . . . . . : 10.2.1.253
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.2.1.254

tracert 10.1.1.254

Tracing route to 10.1.1.254 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 10.2.1.254

First Hop hits ether2 DG?
 
anav
Forum Guru

Re: Wireguard Setup

Wed Mar 20, 2024 1:21 pm

Hmm, you didn't change allowed IPs on router 2............ and there is no need for persistent keepalive on the unit that is the server for handshake.

Should be (R2):
/interface wireguard peers
add allowed-address=10.0.0.1/32,10.2.1.0/24 interface=wireguard1 \
public-key="R1 PUBLIC KEY"

I noted I had assumed the server for handshake was 10.0.0.1 for the WG IP, but it's actually the reverse, so my rule in a previous post was incorrect; this fixes that as well.

If you still have problems after that then I suspect one of three things.
a. the keys don't match up properly
b. the WAN IP on R2 is actually not public/reachable
c. your non-standard DNS setup is screwing things up.
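The three suspects listed above can each be tested from the RouterOS console. The commands below are added here as a worked check, not quoted from the thread; lte1 as the uplink, the rule comment and the log prefix are assumptions, and the temporary rule is removed at the end.

```routeros
# (a) Keys. The interface's own public-key printed here is exactly what the
#     OTHER router must carry in its peer entry; compare character for character.
/interface wireguard print detail
/interface wireguard peers print detail
# A working peer shows a recent last-handshake and rx/tx that grow with the
# keepalives. An empty last-handshake means R2 never answered R1's first packet.

# (b) Reachability. Count handshake packets as they reach R2's input chain.
#     Placed first so no earlier rule can swallow the packet before it is counted.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 in-interface=lte1 \
    log=yes log-prefix="wg-in:" place-before=0 \
    comment="TEMP wg handshake counter"
/ip firewall filter print stats where comment="TEMP wg handshake counter"
/log print where message~"wg-in:"
# Counter and log stay at zero while R1 keeps sending keepalives?  The packet is
# not arriving. The usual LTE cause is carrier-grade NAT: the carrier hands the
# modem an address from 100.64.0.0/10 (sometimes plain RFC 1918 space) that the
# LTE status shows as if it were public. Compare what lte1 holds with what the
# Internet sees (public-address needs /ip cloud set ddns-enabled=yes first):
/ip address print where interface=lte1
/ip cloud print
# If public-address differs from the lte1 address, R2 sits behind CGNAT and
# cannot be the responder: make the router that really owns a public address
# the side with no endpoint, or terminate the tunnel somewhere reachable.

# Same question answered on the wire instead of by a counter:
/tool sniffer quick interface=lte1 port=13231

# (c) DNS only matters when endpoint-address is a hostname. With a literal IP,
#     as in the exports above, R1 needs no resolver to start the handshake.
/ip dns print

# Clean up the temporary rule.
/ip firewall filter remove [find comment="TEMP wg handshake counter"]
```

The order matters: check (b) before spending time on (a), because a key mismatch and an unreachable port look identical from R1 (no handshake, tx grows, rx stays zero), and only the counter on R2 tells the two apart.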
 
jacobbailey
Topic Author

Re: Wireguard Setup

Wed Mar 20, 2024 2:56 pm

R2 has 0.0.0.0/0 on the peer for WireGuard; should that not just let everything through?
 
anav
Forum Guru

Re: Wireguard Setup

Wed Mar 20, 2024 8:34 pm

I have never tried it because it's outside of the design as I understand it. I could be wrong though.
