Anyone ever have issues with Wireguard to mikrotik?

If you guys think this doesn't belong here then I can remove it, as I know it may not be related to MikroTik itself.

I have a WireGuard VPN set up to my MikroTik. We use it for people working from home, and we also have a separate site with about 4 people; they all use a WireGuard client to connect to the NAS in our main office.

It currently does not work on two laptops. One belongs to a person who works from home and the other is a remote laptop we have at a customer location. (It works for all the people on the remote site, possibly because they have a strong fibre internet connection?)

I am able to ping the NAS from both laptops, but when I type \\192.168.88.194 into the address bar, the Windows credentials box pops up ('Enter username and password'). This is normally what you would expect. However, when I type in the user and password (which I know for a fact are 100% correct) it takes ages to load, and eventually pops up an error:

"\\192.168.88.194 is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

The remote call procedure failed."

I have tried reinstalling WireGuard and using a different WireGuard peer, but it doesn't work. The same WireGuard peer works on different laptops anyway. Also, the person who works from home tried to use a 4G hotspot to connect and it didn't work. Yet from a different location it DOES work with the 4G hotspot, from the same phone, laptop, and all the same config settings.

If anyone has seen this error before let me know, but I can't find any results online for it.

EDIT: I am also seeing that if I try to connect to one of our IP phones via Google Chrome (on a laptop remotely accessing the network), it manages to ask for user and pass, but once you enter the correct details it just loads indefinitely.

Without seeing the config of the router and the config of WireGuard on the laptop, it's unknown. Also, Windows has firewalls and AV programs that can interfere.
Perhaps there are some MTU issues…

Best is to make a packet capture and look for issues… this indeed smells like MTU or alike.
If you already get the authentication box etc., then I doubt the "settings" of WireGuard are at play here.
Firewall rules also seem OK at this point then, but that can be checked in the logs (if you enable logging on each "drop" rule at least).

Anav and Jvan, thank you for your replies. I will look into MTU

Earlier today I also couldn't connect from my own home PC, but now, a few hours later, I suddenly am able to. Not sure why. Here is my config anyway.

Still can't connect on a certain remote laptop we have on a customer site. When I type the IP of the NAS into a web browser, it loads some of the text on the page but not the images. When I do it on my (now working) home PC, it loads everything. I attached images of both. On the one where the images/colour aren't loaded you can see the loading bar in the top left (it is still loading after 10 minutes).

Seems like it can load all the text but not images? Could that be some clue?

# aug/26/2023 18:06:34 by RouterOS 7.4
# software id = JCY8-AFLA
#
# model = RB2011iL
# serial number = E7DD0F73B4C5
/interface bridge
add admin-mac=DC:2C:6E:4C:59:6F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether7 ] name=ether7-access
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out2 use-peer-dns=yes \
    user=eir@eir.ie
/interface wireguard
add listen-port=369 mtu=1420 name=Mikrotik-Wireguard
add disabled=yes listen-port=369 mtu=1420 name=wireguard_attempt2
/interface vlan
add interface=ether3 name=guest vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.0.10.100-10.0.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=guest lease-time=1h name=guest
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7-access
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out2 list=WAN
/interface wireguard peers
add allowed-address=192.168.32.13/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.14/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.20/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.25/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.26/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.24/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.23/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.29/32 comment=redacted interface=Mikrotik-Wireguard \
    public-key="redacted"
add allowed-address=192.168.32.31/32 comment=redacted interface=Mikrotik-Wireguard \
    public-key="redacted"
add allowed-address=192.168.32.21/32 comment="redacted K" interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.19/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.22/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.27/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
add allowed-address=192.168.32.35/32 comment=redacted interface=\
    Mikrotik-Wireguard public-key=\
    "redacted"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.32.1/24 interface=Mikrotik-Wireguard network=192.168.32.0
add address=10.0.10.1/24 interface=guest network=10.0.10.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.88.216 client-id=1:0:1f:c1:1c:c4:20 mac-address=\
    00:1F:C1:1C:C4:20 server=defconf
add address=192.168.88.215 client-id=1:0:1f:c1:1c:c4:1b mac-address=\
    00:1F:C1:1C:C4:1B server=defconf
add address=192.168.88.200 client-id=1:0:1f:c1:1c:c4:8c mac-address=\
    00:1F:C1:1C:C4:8C server=defconf
add address=192.168.88.165 client-id=1:0:1f:c1:1c:c4:8e mac-address=\
    00:1F:C1:1C:C4:8E server=defconf
add address=192.168.88.202 client-id=1:0:1f:c1:1c:c4:1e mac-address=\
    00:1F:C1:1C:C4:1E server=defconf
add address=192.168.88.204 client-id=1:0:1f:c1:1c:c4:92 mac-address=\
    00:1F:C1:1C:C4:92 server=defconf
add address=192.168.88.214 client-id=1:0:1f:c1:1c:c4:1c mac-address=\
    00:1F:C1:1C:C4:1C server=defconf
add address=192.168.88.212 client-id=1:0:1f:c1:1c:c4:91 mac-address=\
    00:1F:C1:1C:C4:91 server=defconf
add address=192.168.88.203 client-id=1:0:1f:c1:1c:c4:89 mac-address=\
    00:1F:C1:1C:C4:89 server=defconf
add address=192.168.88.206 client-id=1:0:1f:c1:1c:c4:8d mac-address=\
    00:1F:C1:1C:C4:8D server=defconf
add address=192.168.88.205 client-id=1:0:1f:c1:1c:c4:8f mac-address=\
    00:1F:C1:1C:C4:8F server=defconf
add address=192.168.88.207 client-id=1:0:1f:c1:1c:c4:90 mac-address=\
    00:1F:C1:1C:C4:90 server=defconf
add address=192.168.88.198 client-id=1:0:1f:c1:1c:c4:23 mac-address=\
    00:1F:C1:1C:C4:23 server=defconf
add address=192.168.88.218 client-id=1:0:1f:c1:1c:c9:80 mac-address=\
    00:1F:C1:1C:C9:80 server=defconf
add address=192.168.88.213 client-id=1:0:1f:c1:1c:c4:8b mac-address=\
    00:1F:C1:1C:C4:8B server=defconf
add address=192.168.88.154 client-id=1:0:1f:c1:1c:c4:8a mac-address=\
    00:1F:C1:1C:C4:8A server=defconf
add address=192.168.88.199 client-id=1:0:1f:c1:1c:c4:1f mac-address=\
    00:1F:C1:1C:C4:1F server=defconf
add address=192.168.88.163 client-id=1:34:f6:2d:89:e4:82 mac-address=\
    34:F6:2D:89:E4:82 server=defconf
add address=192.168.88.211 client-id=1:0:1f:c1:1c:c9:7b mac-address=\
    00:1F:C1:1C:C9:7B server=defconf
add address=192.168.88.38 client-id=1:0:11:32:b8:2c:31 mac-address=\
    00:11:32:B8:2C:31 server=defconf
add address=192.168.88.196 client-id=1:90:9:d0:0:9:11 mac-address=\
    90:09:D0:00:09:11 server=defconf
add address=192.168.88.27 mac-address=6C:2B:59:E6:FB:01 server=defconf
add address=192.168.88.194 client-id=1:0:11:32:ae:a2:7f mac-address=\
    00:11:32:AE:A2:7F server=defconf
add address=192.168.88.30 client-id=1:0:12:41:b4:7c:7 mac-address=\
    00:12:41:B4:7C:07 server=defconf
add address=192.168.88.117 client-id=1:90:9:d0:16:f2:1f mac-address=\
    90:09:D0:16:F2:1F server=defconf
add address=192.168.88.58 client-id=1:0:0:d:15:1b:51 comment="IP Camera" \
    mac-address=00:00:0D:15:1B:51 server=defconf
add address=192.168.88.18 client-id=1:b8:ec:a3:fd:1d:1f mac-address=\
    B8:EC:A3:FD:1D:1F server=defconf
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=369 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow LAN traffic" in-interface-list=\
    LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.88.194 in-interface=\
    Mikrotik-Wireguard
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward dst-address=192.168.88.0/24 src-address=\
    10.0.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\
    192.168.88.0/24
add action=dst-nat chain=dstnat comment="FreePBX Media UDP" dst-address=\
    my.public.ip.address dst-port=2000-65001 protocol=udp to-addresses=192.168.88.27 \
    to-ports=2000-65001
add action=dst-nat chain=dstnat comment="FreePBX LetsEncrypt" dst-address=\
    my.public.ip.address dst-port=80 protocol=tcp to-addresses=192.168.88.194 \
    to-ports=80
add action=dst-nat chain=dstnat comment="FreePBX Tunnel TCP" dst-address=\
    my.public.ip.address dst-port=5090 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5090
add action=dst-nat chain=dstnat comment="FreePBX SIP TCP" dst-address=\
    my.public.ip.address dst-port=5060 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="FreePBX SIP TLS" dst-address=\
    my.public.ip.address dst-port=5061 protocol=tcp to-addresses=192.168.88.27 \
    to-ports=5061
add action=dst-nat chain=dstnat comment="NAS access" dst-address=\
    my.public.ip.address dst-port=5500-5501 protocol=tcp to-addresses=192.168.88.194 \
    to-ports=5500-5501
add action=dst-nat chain=dstnat comment=Camera dst-address=my.public.ip.address \
    dst-port=8008 protocol=tcp to-addresses=192.168.88.30 to-ports=8008
/ip firewall service-port
set sip disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Dublin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I removed all the public key info from the screenshot and the router config, as I am not sure whether this could be used to log into my network or not.

Okay, so changing the MTU to 1300 in WireGuard → WireGuard → (double click interface) → MTU appears to have fixed the problem. I don't really know what MTU does, but that definitely seems to have been the problem, given this remote laptop which hasn't worked for months is now suddenly working. Thanks for the help guys!

Internet MTU (Maximum Transmission Unit) is 1500 bytes. Packets <= MTU avoid Layer 3 fragmentation or Layer 2 packet drops. See MTU in RouterOS for more.
All encapsulating protocols such as tunneling, VPN, WireGuard, etc. add a header which increases packet size.
The consequence is that the downstream interface MTU must be lowered to avoid exceeding the upstream MTU size.
Encapsulation header sizes are defined, so choosing an exact MTU size becomes possible.
I use a 6to4 tunnel with a 20 byte header and then set the MTU to 1480.
I suggest a Google search: WireGuard header size
Reddit r/WireGuard: MTU issue/questions

default MTU on wireguard is 1420…
I actually increased it to 1500 for one scenario and it worked out.

If your MT is at the client end, try this…
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

OR
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535

Don’t know why or how they work but people have had success with the above, especially with third party vpn providers.
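The arithmetic behind the two posts above (the header-overhead explanation and the MSS-clamp rules), as an added Python example that is not code from this thread or from MikroTik. The header sizes are the protocol constants (IPv4 20, IPv6 40, UDP 8, TCP 20, WireGuard transport-data framing 32); everything else is assumed for illustration: the hop MTUs in the sample path are constructed so that one hop is narrower than the default tunnel, the interface name `Mikrotik-Wireguard` is taken from the config posted earlier, and the `probe` passed to the search is simulated rather than a real DF-set ping.

```python
"""MTU/MSS arithmetic for a WireGuard tunnel carried over a PPPoE uplink.

Added example for this thread, not code from the original posts. The header
sizes are protocol constants; the hop MTUs in the sample path at the bottom
are constructed to reproduce the "small packets pass, big ones hang" symptom.
"""

IPV4_HDR = 20   # IPv4 header, no options
IPV6_HDR = 40   # IPv6 fixed header
UDP_HDR = 8
TCP_HDR = 20    # TCP header, no options (MSS is defined against this)
PPPOE_HDR = 8   # PPPoE (6) + PPP protocol id (2): why a PPPoE uplink carries 1492
# WireGuard transport-data message: type+reserved 4, receiver index 4,
# nonce counter 8, Poly1305 tag 16 -> 32 bytes around the encrypted packet
WG_HDR = 32
WG_PAD = 16     # plaintext is padded to a multiple of 16, never past the tunnel MTU


def wireguard_overhead(outer_ipv6=False):
    """Bytes added to one inner packet on the outer link: 60 over IPv4, 80 over IPv6."""
    return (IPV6_HDR if outer_ipv6 else IPV4_HDR) + UDP_HDR + WG_HDR


def inner_mtu_for(outer_link_mtu, outer_ipv6=False):
    """Largest tunnel MTU whose full-size packets still fit the outer link."""
    return outer_link_mtu - wireguard_overhead(outer_ipv6)


def mss_for_mtu(mtu, inner_ipv6=False):
    """TCP MSS matching an interface MTU (what an MSS-clamp rule should set)."""
    return mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


def padded_len(inner_len, tunnel_mtu):
    """WireGuard pads the plaintext up to a multiple of 16 but caps at the tunnel MTU."""
    rounded = -(-inner_len // WG_PAD) * WG_PAD
    return min(rounded, tunnel_mtu)


def encapsulated_size(inner_len, tunnel_mtu, outer_ipv6=False):
    """Size of the UDP datagram the outer link actually has to carry."""
    return padded_len(inner_len, tunnel_mtu) + wireguard_overhead(outer_ipv6)


def passes_path(inner_len, tunnel_mtu, path_mtus, outer_ipv6=False):
    """Does a DF-set inner packet clear every hop of the encrypted path?

    A hop smaller than the encapsulated size drops the datagram and should
    answer with ICMP 'fragmentation needed'. If that ICMP is filtered, the
    sender never learns and only the large packets vanish: text loads,
    images hang, SMB logons time out.
    """
    size = encapsulated_size(inner_len, tunnel_mtu, outer_ipv6)
    return all(size <= hop for hop in path_mtus)


def best_tunnel_mtu(path_mtus, outer_ipv6=False):
    """Tunnel MTU that fits the narrowest hop (what PMTUD would converge to)."""
    return min(path_mtus) - wireguard_overhead(outer_ipv6)


def probe_tunnel_mtu(probe, lo=1280, hi=1500):
    """Binary-search the largest tunnel MTU for which probe(mtu) is True.

    probe(n) must answer whether a full-size packet gets through with the
    tunnel MTU set to n. Here it is simulated; on a real client it would be
    a DF-set ping through the tunnel. 1280 (IPv6 minimum) is a safe floor.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mss_clamp_rule(out_interface, tunnel_mtu):
    """RouterOS mangle rule in the form quoted in this thread, sized for a tunnel MTU."""
    mss = mss_for_mtu(tunnel_mtu)
    return ("/ip firewall mangle add action=change-mss chain=forward "
            f"new-mss={mss} out-interface={out_interface} protocol=tcp "
            f"tcp-flags=syn tcp-mss={mss + 1}-65535")


if __name__ == "__main__":
    print("overhead IPv4/IPv6:", wireguard_overhead(), wireguard_overhead(True))  # 60 80
    print("1500 outer, IPv6 worst case:", inner_mtu_for(1500, True))             # 1420, WireGuard's default
    print("PPPoE 1492 outer, IPv4:", inner_mtu_for(1492))                         # 1432, so 1420 still fits
    print("MSS for 1420:", mss_for_mtu(1420))                                     # 1380, the clamp value above
    # Constructed path: one hop at the customer site only carries 1400 bytes (assumption).
    bad_path = [1500, 1492, 1400, 1500]
    print("small packet:", passes_path(200, 1420, bad_path))                      # True
    print("full 1420 packet:", passes_path(1420, 1420, bad_path))                 # False
    print("full 1300 packet:", passes_path(1300, 1300, bad_path))                 # True
    print("best MTU:", best_tunnel_mtu(bad_path))                                 # 1340
    print("probed MTU:", probe_tunnel_mtu(lambda n: passes_path(n, n, bad_path)))  # 1340
    print(mss_clamp_rule("Mikrotik-Wireguard", 1340))
```

The numbers explain both fixes in the thread: 1420 is what is left of 1500 after the worst-case (IPv6 outer) 80 bytes, 1380 is 1420 minus the 40 bytes of IPv4 and TCP headers, and a tunnel set to 1300 survives a hop that a 1420 tunnel cannot cross. The `probe` argument is the place to plug in a real DF-set ping if you want the search to run against a live path instead of the constructed one.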

What do you mean by MT at the client end? I have an MT router in the work premises, then a remote laptop with WireGuard on it at a completely separate location.

While the connection is better now that I changed the MTU in WireGuard in WinBox to 1300, it still seems to be slightly slow at moving files onto the server and moving through the folders on the NAS. So maybe something is still wrong. But at least it's letting me log onto the server, unlike before.

When copying files onto the NAS it goes up to about 1 MB/s, then suddenly down to 0 bytes/s, then it says 'a network error occurred'.

I meant if your MT is a client device for the handshake; in this case it appears not to be.

Just ensure the MTU is the same at both ends of the tunnel and try different numbers, seeing as no one else has any other ideas…
1420 and up (1440, 1460, 1480, 1500, 1520)
1420 and down (1400, 1380, 1360, 1340)

The author of this forum topic (Path MTU discovery) ended with a potentially useful RouterOS script: http://forum.mikrotik.com/t/path-mtu-discovery/112257/1