Both OpenVPN and WireGuard fail

Hello,

Sorry for any mistakes, I'm a very new user of RouterOS.
Please help me:
I'm using a new L009UiGS-2HaxD router on which I can't make an OpenVPN connection to a local server or a public one. Similarly, I can't make any WireGuard connection to a local or public peer. I mention that the only configurations in RouterOS are those of OpenVPN and WireGuard, nothing else. The firewall settings are the default ones.
I control both the WireGuard peer and the OpenVPN servers, and there is nothing wrong on that side.

In the RouterOS log I have:

ovpn-import1716634168: terminating… - TLS error: handshake timed out (6)
wireguard1: ******************: Handshake for peer did not complete after 5 seconds, retrying (try 2)

My Configuration:

# 2024-05-25 14:08:10 by RouterOS 7.14.3
# software id = ******
#
# model = L009UiGS-2HaxD
# serial number *****
/interface bridge
add admin-mac=D******* auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=Romania .mode=ap .ssid=\
    MkrTk disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface ovpn-client
add add-default-route=yes auth=sha256 certificate=cert_ovpn-import1716634168 \
    cipher=aes256-gcm connect-to=****.asuscomm.com mac-address=\
    F*****name=ovpn-import1716634168 port=53147 profile=\
    default-encryption protocol=udp user=mkrtk verify-server-certificate=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.1.0/24 endpoint-address=\
    *****.asuscomm.com endpoint-port=51820 interface=wireguard1 \
    persistent-keepalive=25s preshared-key=\
    "0l0PvGnu61ntlqdm3MNRYHeeerrd6leFPHIwSmPgD5sE=" public-key=\
    "UMBznxAPzQ3657+1GswijiXZ2jwHaWk2dmHWTFTb3kjCXw="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.0.1/30 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Don't care about OpenVPN etc., but will help with WireGuard.

Does your MT router have a public IP address, or is it connected to an ISP router with a public IP on which you can forward a port to the MT router?

Okay, I will assume the answer is no, and you seem to be connecting to a WireGuard server elsewhere, and that site has the subnet 192.168.1.0/24.
Everything looks okay for the most part…

Personal preference.

/interface detect-internet
set detect-interface-list=none

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0

I would modify the forward chain firewall rules by replacing this rule with clearer rules:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard access" in-interface-list=LAN out-interface=wireguard1
add action=accept chain=forward comment="incoming wireguard traffic" in-interface=wireguard1 src-address=192.168.1.0/24 out-interface-list=LAN
add action=drop chain=forward comment="drop all else"

Missing config maybe??

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1

This ensures any traffic leaving the MT router over wireguard1 will have the WireGuard address 10.0.0.1/32 instead of 192.168.88.XY.
The above rule is required if the other side is ONLY expecting the WireGuard IP; if it fully expects and can deal with the .88 subnet, then there is no need to add this rule.

This does bring up a point: why doesn't the server have 10.0.0.1 and this MT device something like 10.0.0.2/24???

++++++++++++++++++++++++++++++++++++++++

PROBLEMS.

You have no route to tell the router to use wireguard to reach/or return traffic to 192.168.1.0/24 ???

You have not stated which LAN users need to visit 192.168.1.0/24 ???

You have not stated the purpose of the WireGuard connection…??

The router is connected to an ISP router (Asus) with a public IP.
All LAN users should reach the peer's LAN.
The purpose of the WireGuard connection is to bridge 2 different locations over the internet. It would be ideal if the MT could be bridged directly to the other router (Asus), so that it takes a LAN IP from the Asus, all MT clients take LAN IPs from the Asus, and the MT's DHCP stops. I mention here that both routers will in the end be connected to the internet using PPPoE, but for now the MT is, for testing purposes, connected to the Asus's LAN.
I'm confused by your advice and I don't understand the 198.168.88.xx subnet's role in the MT topology.
Overall I think it is a handshake issue, since 0 RX packets are detected and the destination server displays: wireguard: wg0: Invalid handshake initiation from 188.26.137.***:13231
Thank you

Hello again,

I made all the settings related to IP, firewall and routes. The router accepts incoming WG connections but fails to connect as a "client" to another WG peer. No RX packets, no handshake. Log: Handshake for peer did not complete after 5 seconds, retrying (try 2). I tried to tune the MTU but the issue is the same. The peer which should accept the connection reports: wireguard: wg0: Invalid MAC of handshake, dropping packet from 86.120.*.:13231

Could it be a bug?
Please, any suggestion?
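The two server-side log lines quoted in this thread point at different steps of the WireGuard handshake, and that is worth seeing in code. The first thing a responder does with a handshake initiation is recompute mac1, which is keyed with the responder's own static public key; a mismatch is dropped before any decryption and logged as "Invalid MAC of handshake", which is what happens when the client was configured with a public key that is not the server's. "Invalid handshake initiation" comes later, after mac1 passed, when the initiator's static key decrypted from the message is not one of the server's configured peers (or the timestamp is a replay). The following is an added example, not MikroTik's or WireGuard's code; it implements only the mac1 step as the protocol specifies it (mac1 = MAC(HASH("mac1----" || responder_public), msg[0:116]), HASH = BLAKE2s-256, MAC = keyed BLAKE2s-128), performs no Noise key exchange, and fills the message body with constructed bytes. The key values in it are constructed stand-ins, not anyone's real keys.

```python
"""Why a WireGuard responder logs "Invalid MAC of handshake".

Added example: implements only the mac1 check of the handshake initiation.
The 116-byte body (type, reserved, sender index, ephemeral, encrypted static,
encrypted timestamp) is constructed filler; no Noise_IK exchange is done.
"""
import hashlib
import hmac
import os

LABEL_MAC1 = b"mac1----"   # protocol constant
BODY_LEN = 116             # 1 + 3 + 4 + 32 + 48 + 28 bytes before mac1
MAC_LEN = 16


def wg_hash(data: bytes) -> bytes:
    """HASH(): BLAKE2s with a 32-byte output."""
    return hashlib.blake2s(data).digest()


def wg_mac(key: bytes, data: bytes) -> bytes:
    """MAC(): keyed BLAKE2s truncated to 16 bytes."""
    return hashlib.blake2s(data, digest_size=MAC_LEN, key=key).digest()


def mac1_key(responder_public: bytes) -> bytes:
    """The mac1 key depends only on the responder's static public key."""
    return wg_hash(LABEL_MAC1 + responder_public)


def build_initiation(body: bytes, peer_public_as_configured: bytes) -> bytes:
    """Initiator side: append mac1 computed with the public key it was told
    its peer has, then an all-zero mac2 (mac2 only matters under load)."""
    if len(body) != BODY_LEN:
        raise ValueError("body must be the 116 bytes preceding mac1")
    mac1 = wg_mac(mac1_key(peer_public_as_configured), body)
    return body + mac1 + bytes(MAC_LEN)


def responder_accepts_mac1(msg: bytes, my_public: bytes) -> bool:
    """Responder side: recompute mac1 with its own public key and compare in
    constant time. A mismatch is dropped before decryption and logged as
    'Invalid MAC of handshake'."""
    if len(msg) != BODY_LEN + 2 * MAC_LEN:
        return False
    body = msg[:BODY_LEN]
    mac1 = msg[BODY_LEN:BODY_LEN + MAC_LEN]
    return hmac.compare_digest(wg_mac(mac1_key(my_public), body), mac1)


def simulate(configured_peer_public: bytes, server_public: bytes) -> bool:
    """Does a client configured with `configured_peer_public` for its peer get
    past the server's mac1 check? Body: type=1, reserved, then random filler."""
    body = bytes([1, 0, 0, 0]) + os.urandom(BODY_LEN - 4)
    msg = build_initiation(body, configured_peer_public)
    return responder_accepts_mac1(msg, server_public)


if __name__ == "__main__":
    server_public = os.urandom(32)  # constructed stand-in for the server's static public key
    stale_public = os.urandom(32)   # constructed: a key copied from another server / old config
    print("client has the server's real public key ->", simulate(server_public, server_public))
    print("client has some other public key        ->", simulate(stale_public, server_public))
```

The practical check this implies for the thread: the `public-key` under `/interface wireguard peers` on the MikroTik must be the responder's own public key (on a Linux peer, the `public key:` line of `wg show`), and the MikroTik's own public key (shown on `/interface wireguard`) must be configured as a peer on the server; only the second of those is tested after mac1 passes.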

Post your latest config and I will relook.

# 2024-06-02 17:22:40 by RouterOS 7.15
# software id = W
# model = C53UiG+5HPaxD2HPaxD
# serial number =

/interface bridge
add admin-mac=D8:01:C8:84:79:B9 auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=
10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-8479B8
disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes
.ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=
10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-8479B8
disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes
.ft-over-ds=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=..2**.** endpoint-port=41194 interface=wireguard1 name=peer1 persistent-keepalive=25s preshared-key="*****=" public-key="****"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.100.0.0 interface=wireguard1 network=10.100.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/ip ssh
set host-key-size=4096
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source="\r
\n :foreach iface in=[/interface/wifi find where (configuration.mode="a
p" && disabled=no)] do={\r
\n /interface/wifi wps-push-button $iface;}\r
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I mention that I tried many tutorials and had the same issue. Example: https://protonvpn.com/support/wireguard-mikrotik-routers/. I tested with 3 different peers, the same issue.

(1) Remove the peer name… and the pre-shared key (do not use this attribute):
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=..2**.** endpoint-port=41194 interface=wireguard1 name=peer1 persistent-keepalive=25s preshared-key="*****=" public-key=

(2) By all means you can add a comment…
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=..2**.** endpoint-port=41194 interface=wireguard1 persistent-keepalive=25s public-key="------------------------" comment="Server Peer"

(3) What was the IP address assigned by the third-party VPN provider? 10.100.0.0 makes no sense to me??

(4) Did Proton assign a DNS address for you to use??

(5) I would be more explicit in the firewall rules, so at least do this.
Remove this rule:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

REPLACE WITH:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="internet traffic"
add action=accept chain=forward in-interface-list=LAN out-interface=wireguard1 comment="LAN to Wireguard"
add action=drop chain=forward comment="drop all else"

(6) Add a source NAT rule to ensure all LAN traffic is seen as your single assigned WireGuard IP address!!!
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1

(7) The next part is how do LAN users get routed to the tunnel??? You have no routing that I can see.
I will assume you have default route=yes selected at IP DHCP Client???

In any case, you need an additional table, a corresponding route and two routing rules.
/routing table
add fib name=to-WG

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG

/routing rule
add min-prefix=0 action=lookup-only-in-table table=main comment="allows local traffic"
add src-address=192.168.88.0/24 action=lookup table=to-WG comment="forces all external traffic to wireguard"

Note: If you never want the LAN to use the local WAN when WireGuard is not working, change the action to action=lookup-only-in-table.

(8) Also recommended for MT when it is a client to a third-party VPN: add a mangle rule (does not affect fasttrack)
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

Done!


I followed all your instructions but the situation is the same: no handshake, no RX packets. Moreover, now LAN clients can't reach the internet.


My new conf:

# 2024-06-02 20:34:52 by RouterOS 7.15
# software id =
# model = C53UiG+5HPaxD2HPaxD
# serial number =

/interface bridge
add admin-mac=D4::B4 auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac
configuration.country=Romania .mode=ap .ssid=MiT disabled=no
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac
configuration.country=Romania .mode=ap .ssid=MiT disabled=no
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
add configuration.ssid=HII disabled=no mac-address=D6****************:B8
master-interface=wifi1 name=wifi3
add configuration.ssid=HII disabled=no mac-address=D******:B9 master-interface=wifi2 name=wifi4
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add fib name=to-WG
add fib name=to-WG
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi access-list
add action=accept disabled=no mac-address=4A7
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Server Peer" endpoint-address=..2. endpoint-port=41194 interface=wireguard1 name=peer2 persistent-keepalive=25s public-key="o*******="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.7.0.10 interface=wireguard1 network=10.7.0.0
/ip dhcp-client
add comment=defconf interface=ether1
add interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment=
"Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu
out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=forward comment="internet traffic" in-interface-list=
LAN out-interface-list=WAN
add action=accept chain=forward comment="LAN to Wireguard" in-interface-list=
LAN out-interface=wireguard1
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG
/ip ssh
set host-key-size=4096
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/routing rule
add action=lookup-only-in-table comment="allows local traffic" min-prefix=0
table=main
add action=lookup comment="forces all external traffic to wireguard"
src-address=192.168.88.0/24 table=to-WG
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard wps-button
set on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source="\r
\n :foreach iface in=[/interface/wifi find where (configuration.mode="a
p" && disabled=no)] do={\r
\n /interface/wifi wps-push-button $iface;}\r
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) Duplicate table, remove one of them.
/routing table
add fib name=to-WG
add fib name=to-WG

(2) Nowhere did I recommend bridge filters??
REMOVE or disable until WireGuard is working!!
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4

Also tell me the use case. What are you trying to accomplish with those rules? There may be another way!

(3) MODIFY wireguard address slightly!!
add address=10.7.0.10/24 interface=wireguard1 network=10.7.0.0

(4) You can remove this static DNS setting.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(5) Why not add some remote servers to DNS…
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

(6) You FAILED to make the forward chain rules I requested.
This rule is still there!!!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

I SEE THE PROBLEM: you stuck them IN THE WRONG PLACE.
You put them in the SOURCENAT rules by mistake.

(7) Duplicate routes.
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG
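Every slip listed in the review above (the duplicated routing table and routes, forward-chain rules pasted under /ip firewall nat, a WireGuard address exported without a prefix length) is mechanically visible in a `/export` file, so it is worth having a script that reads one before posting it. The following is an added example written for this thread, not MikroTik code: it joins RouterOS `\` continuation lines, parses each section into `key=value` dictionaries, and reports those four classes of problem. The export embedded in it is a constructed sample that reproduces the mistakes, not the poster's configuration, and the check list is only what this thread discussed, not a general RouterOS linter.

```python
"""Lint a RouterOS /export for the slips pointed out in this thread.

Added example, not MikroTik code. Understands the export format RouterOS
itself emits: section lines starting with '/', 'add'/'set' lines, '#'
comments and backslash line continuation.
"""
import shlex
from collections import Counter, defaultdict

# Constructed sample export (not the poster's real config) that reproduces
# the reviewer's findings: duplicate table, duplicate routes, forward rules
# in the NAT table, WireGuard address without a prefix length.
SAMPLE_EXPORT = r"""
# constructed sample, RouterOS 7.15 export format
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/routing table
add fib name=to-WG
add fib name=to-WG
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.7.0.10 interface=wireguard1 network=10.7.0.0
/ip firewall filter
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG
"""


def join_continuations(text):
    """Merge lines ending in '\\' with the (left-stripped) line that follows."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = line.lstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return {section: [entry, ...]}; each entry maps key -> value, with the
    command ('add'/'set') under '_cmd' and bare flags (e.g. 'fib') -> True."""
    sections = defaultdict(list)
    section = None
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # honours the double-quoted comment values
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            entry[key] = val if sep else True
        sections[section].append(entry)
    return dict(sections)


def lint(sections):
    """Return a list of (section, message) findings."""
    findings = []
    # 1. identical entries repeated inside one section (tables, routes, ...)
    for section, entries in sections.items():
        for key, n in Counter(tuple(sorted(e.items())) for e in entries).items():
            if n > 1:
                findings.append((section, f"duplicate entry (x{n}): {dict(key)}"))
    # 2. filter-chain rules that ended up in the NAT table
    for e in sections.get("/ip firewall nat", []):
        if e.get("chain") not in ("srcnat", "dstnat"):
            findings.append(("/ip firewall nat",
                             f"chain={e.get('chain')} rule belongs in /ip firewall filter: {e}"))
    # 3. WireGuard interface address without a prefix length
    wg_ifaces = {e["name"] for e in sections.get("/interface wireguard", []) if "name" in e}
    for e in sections.get("/ip address", []):
        if e.get("interface") in wg_ifaces and "/" not in e.get("address", ""):
            findings.append(("/ip address",
                             f"{e['address']} on {e['interface']} has no prefix length (e.g. /24)"))
    return findings


def lint_text(text):
    return lint(parse_export(text))


if __name__ == "__main__":
    for section, msg in lint_text(SAMPLE_EXPORT):
        print(f"{section}: {msg}")
```

Run it against a real export with `lint_text(open("export.rsc").read())`; an empty list means none of the four problems from this thread is present, nothing more.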

+++++++++++++++++++++

My new conf:

# 2024-06-03 19:37:50 by RouterOS 7.15
# software id =
# model = C53UiG+5HPaxD2HPaxD
# serial number =

/interface bridge
add admin-mac=D4:::::::B4 auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac
configuration.country=Romania .mode=ap .ssid=MiT disabled=no
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac
configuration.country=Romania .mode=ap .ssid=MiT disabled=no
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
add fib name=to-WG
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*B
# no interface
add action=drop chain=forward out-interface=*B
# no interface
add action=drop chain=forward in-interface=*C
# no interface
add action=drop chain=forward out-interface=*C
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=*B
add bridge=bridge interface=*C
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi access-list
add action=accept disabled=no mac-address=42::::::A7
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Server Peer" endpoint-address=*.*.*.2
endpoint-port=41194 interface=wireguard1 name=peer2
persistent-keepalive=25s public-key="o***************="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.7.0.10/24 interface=wireguard1 network=10.7.0.0
/ip dhcp-client
add comment=defconf interface=ether1
add interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
/ip firewall mangle
add action=change-mss chain=forward comment=
"Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu
out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=forward comment="internet traffic" in-interface-list=
LAN out-interface-list=WAN
add action=accept chain=forward comment="LAN to Wireguard" in-interface-list=
LAN out-interface=wireguard1
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=*400
/ip ssh
set host-key-size=4096
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/routing rule
add action=lookup-only-in-table comment="allows local traffic" min-prefix=0
table=main
add action=lookup comment="forces all external traffic to wireguard"
src-address=192.168.88.0/24 table=to-WG
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard wps-button
set on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source="\r
\n :foreach iface in=[/interface/wifi find where (configuration.mode="a
p" && disabled=no)] do={\r
\n /interface/wifi wps-push-button $iface;}\r
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


Thank you!

Please, could someone tell me what is wrong with my above config? I still have no handshake between the WireGuard peers (router and remote server). No matter what configuration I use, I have never succeeded in seeing incoming packets from the remote peer. What is wrong? I think that before a routing or firewall issue there is a connection issue, but the same peer configuration I use works for many other WireGuard connections.


Thanks!

(1) There is a problem with some rules you have, or interfaces, or both, hence this:

# no interface
add action=drop chain=forward in-interface=*B
# no interface
add action=drop chain=forward out-interface=*B
# no interface
add action=drop chain=forward in-interface=*C
# no interface
add action=drop chain=forward out-interface=*C

add bridge=bridge interface=*B
add bridge=bridge interface=*C

Are you trying to force users out to the internet at a third-party provider, or simply to reach a subnet at a different router (the server peer for the handshake)? If so, which subnet?
Also, is some subnet from that distant router trying to reach your subnet, and if so, which subnet?

FIX THAT!!

(2) MISSING FORWARD CHAIN FIREWALL RULES. You put them in the ip firewall nat rules for some strange reason!!!
Remove those forward chain rules from the wrong spot and add them after the invalid rule.
TO:
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=
LAN out-interface-list=WAN
add action=accept chain=forward comment="LAN to Wireguard" in-interface-list=
LAN out-interface=wireguard1

(3) Why is the simple routing table giving you an error??
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=*400

should be table=to-WG. It's an available choice; not sure what you entered????
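The reply above names several things RouterOS accepts without complaint but that silently do nothing: a chain=forward rule under /ip firewall nat (the NAT table only evaluates srcnat and dstnat, so "forward" there is a user-defined chain that nothing jumps to), references printed as *B or *400 (objects that no longer exist), exact duplicate entries, and a route pointing at a routing table that was never created. The Python lint below is an added example, not code from this thread or from MikroTik; it parses an export the way the CLI prints it (backslash continuations, # comments) and reports those four classes. The two export fragments embedded in it are constructed: SAMPLE_EXPORT mirrors the posted mistakes, CORRECTED_EXPORT is the same intent with the forward rules moved into the filter table, one masquerade per egress and a single default route in to-WG. The per-table chain sets are RouterOS's built-in chains; a custom chain that some rule jumps to is treated as evaluated.

```python
"""Lint a RouterOS 7 '/export' for the configuration mistakes discussed above.

Added example, not code from the thread or from MikroTik. SAMPLE_EXPORT and
CORRECTED_EXPORT are constructed fragments, trimmed to the relevant sections.
"""
import re
from collections import Counter

# Constructed: the shape of the posted export, with the mistakes left in.
SAMPLE_EXPORT = r"""
/routing table
add fib name=to-WG
add fib name=to-WG
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*B
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=forward comment="internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=*400
"""

# Constructed: the same intent with every finding fixed.
CORRECTED_EXPORT = r"""
/routing table
add fib name=to-WG
/ip firewall filter
add action=accept chain=forward comment="internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="LAN to Wireguard" \
    in-interface-list=LAN out-interface=wireguard1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG
"""

# Chains each table actually evaluates; any other chain name under that
# section is user-defined and inert unless some rule jumps to it.
BUILTIN_CHAINS = {
    "/ip firewall filter": {"input", "forward", "output"},
    "/ip firewall nat": {"srcnat", "dstnat"},
    "/ip firewall mangle": {"prerouting", "input", "forward", "output", "postrouting"},
}
# Keys whose value references another object. RouterOS prints a reference
# to a deleted or unknown object as *<id> (e.g. *B, *400).
REF_KEYS = {"interface", "in-interface", "out-interface", "gateway", "routing-table", "table"}
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return [(section, command, {key: value}), ...] for each add/set line.

    Joins backslash-continued lines and skips '#' comments and blank lines.
    """
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()) if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        cmd, _, rest = line.partition(" ")
        entries.append((section, cmd, {k: v.strip('"') for k, v in KV_RE.findall(rest)}))
    return entries


def lint(text):
    """Return sorted findings for the four mistake classes from the thread."""
    entries = parse_export(text)
    findings = []
    # Custom chains that are actually jumped to count as evaluated.
    jumped = {(s, kv["jump-target"]) for s, _, kv in entries if "jump-target" in kv}
    for section, _, kv in entries:
        builtin = BUILTIN_CHAINS.get(section)
        chain = kv.get("chain")
        if builtin and chain and chain not in builtin and (section, chain) not in jumped:
            findings.append(f"{section}: chain={chain} is never evaluated in this table "
                            f"(rule '{kv.get('comment', '')}' is inert)")
        for key in REF_KEYS.intersection(kv):
            if kv[key].startswith("*"):
                findings.append(f"{section}: {key}={kv[key]} points at an object that no longer exists")
    counts = Counter((s, c, tuple(sorted(kv.items()))) for s, c, kv in entries)
    for (s, c, kv), n in counts.items():
        if n > 1:
            findings.append(f"{s}: identical entry appears {n} times: {c} {dict(kv)}")
    defined = {kv["name"] for s, _, kv in entries if s == "/routing table" and "name" in kv}
    for s, _, kv in entries:
        table = kv.get("routing-table") or kv.get("table")
        if table and table != "main" and not table.startswith("*") and table not in defined:
            findings.append(f"{s}: routing table '{table}' is used but not defined under /routing table")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Run against SAMPLE_EXPORT it reports five findings (the inert NAT forward rule, the two dangling *B / *400 references, and the duplicated fib and masquerade entries); against CORRECTED_EXPORT it reports none. The inert-chain check matters beyond this thread: here it only explains why LAN-to-WireGuard traffic was never accepted, but a drop rule placed in a chain the table never evaluates leaves you believing traffic is blocked when it is not.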

Hello!

To be more clear, I attach my network diagram and I will explain my goal:
I want MT to be able to connect to that WG server hosted by a VPS, and all MT clients (phone, PC, laptop) to reach the internet via the WG server.
For "redundancy", MT uses LTE and WAN for the internet connection and should be able to do the mission described using either connection.
Also, MT has BTH (Back To Home) VPN enabled and it should stay enabled.
Firewall, routes and other settings are the default ones.
All MT clients should be able to communicate with each other.
Any recommendation on how I can manage the settings for routes, firewall, etc. on MT in order to meet all the previous requests?

Thanks!
config.rsc (7.87 KB)
Untitled Diagram (1).jpg

Jesus, all those comments for nothing.

On a fresh, default ROS installation all you need is described here: http://forum.mikrotik.com/t/mikrotik-wireguard-server-with-road-warrior-clients/148392/1

ROS basically follows the concept described in the WG quickstart CLI section. No Latvian magic involved. https://www.wireguard.com/quickstart/

Where is the main internet (WAN1) on your diagram? I only see LTE??
What is the role of that Asus router??

Why do you have two WireGuards defined on the L1009?
I can see the requirement for a NORMAL WireGuard connection to the VPS, as you state all subnets get internet through the VPS.
But what happens if the WireGuard connection is not working? What do you intend for local MT internet traffic: go out the local WAN, or not at all???

Also, what do you mean by BTH?
Are you saying that as the admin you normally access the L1009 through the VPS, but in case the VPS is not working you want to use BTH to reach the L1009 from a remote location???