Cannot get WireGuard to route traffic

Hello everyone,

Since a few days I’m struggling to get my WireGuard setup working.
I have a successful handshake on the client, but cannot access any internal nor any internet resources anymore as soon as the WireGuard connection is established.
I tried to log the dropped connections in the firewall, but I cannot see any meaningful data in the log.

Maybe somebody here has an idea or can point me to the right direction?

I have also attached my full config, exported with `export hide-sensitive`. (Note: hide-sensitive strips passwords and private keys, but the export below still contains the device serial number, the software id and the peers' public keys.)

Thanks a lot and have a great day!

# 2024-04-17 22:29:13 by RouterOS 7.12.1
# software id = K1NV-BNTF
#
# model = RB4011iGS+
# serial number = D4480DA24C5E
/interface bridge
add admin-mac=08:55:31:3B:D9:F5 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=";;; ok PC"
set [ find default-name=ether2 ] comment=";;; DATADUMP"
set [ find default-name=ether3 ] comment=";;; access point"
set [ find default-name=sfp-sfpplus1 ] comment=";;; glas"
/interface wireguard
# Single WireGuard interface. UDP/13231 has to be reachable from the WAN for
# the handshake; the "allow wireguard" input rule further down opens it.
# 1420 is the commonly used MTU for WireGuard over an IPv4 uplink.
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
# WAN/LAN lists drive the defconf firewall; membership is assigned further
# down under /interface list member, where wireguard1 is added to LAN.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=vpn-dhcp
/ip ipsec profile
# IKE phase 1: AES only. Export omits default values, so the hash and DH
# group settings not shown here are the RouterOS defaults.
set [ find default=yes ] enc-algorithm=aes-256,aes-128
/ip ipsec proposal
# Phase 2: CBC modes only; no AES-GCM is offered.
set [ find default=yes ] enc-algorithms=aes-192-cbc,aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.50-192.168.88.240
# L2TP clients get addresses out of the LAN subnet (they are bridged via
# vpn-ppp-profile below) and fall back to the main DHCP pool when this
# range is exhausted.
add name=dhcp-vpnpool next-pool=default-dhcp ranges=\
    192.168.88.241-192.168.88.250
add name=ovpn-pool ranges=192.168.77.2-192.168.77.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# bridge=bridge puts L2TP users directly on the LAN segment. Their traffic to
# LAN hosts is bridged rather than routed, so the IP forward chain does not
# see it (unless bridge use-ip-firewall is enabled).
add bridge=bridge local-address=192.168.88.1 name=vpn-ppp-profile \
    remote-address=dhcp-vpnpool
add local-address=192.168.77.1 name=ovpn remote-address=ovpn-pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
# ether1 is a bridge port (slave) as well, so the DHCP client configured on
# it further down cannot work; the WAN uplink is sfp-sfpplus1.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
# L2TP is only accepted inside IPsec (use-ipsec=yes); the IPsec secret is not
# shown because of hide-sensitive. Clients land on the bridge via
# vpn-ppp-profile.
set allow-fast-path=yes authentication=mschap2 default-profile=\
    vpn-ppp-profile enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp-sfpplus1 list=WAN
# wireguard1 is a LAN member: every rule keyed on in-interface-list=LAN
# (including the "drop all not coming from LAN" input rule) treats WireGuard
# peers as fully trusted LAN hosts.
add interface=wireguard1 list=LAN
/interface ovpn-server server
# md5 is still offered as an HMAC option; remove it (and preferably sha1) so a
# client cannot negotiate it. enabled= is not shown, so the server is
# presumably still at its default (disabled) - confirm.
set auth=sha1,md5 certificate=ovpn-server
/interface wireguard peers
# One /32 allowed-address per peer: a peer may only source its own tunnel IP
# and the router only sends that IP down the tunnel. No endpoint-address is
# configured, so the router never initiates; peers must connect in. Public
# keys are not secret, but they do identify the devices in a public post.
add allowed-address=192.168.100.2/32 comment=ok-phone interface=wireguard1 \
    public-key="fltFWFh4u9An5cclF/eeu7LzNv1uZtgSeJvMo69PLQE="
add allowed-address=192.168.100.3/32 comment=sour-laptop interface=wireguard1 \
    public-key="cKipB78OurOKCH22JV/09EOxABFYNrR/NIFDFTMgyE4="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# This address creates the connected route for 192.168.100.0/24 on
# wireguard1; no static route is needed for the tunnel subnet itself.
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
# Publishes the WAN address to MikroTik's DDNS service.
set ddns-enabled=yes
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
# ether1 is a bridge port, so this first entry never obtains a lease; only
# the sfp-sfpplus1 (WAN) client is meaningful.
add comment=defconf interface=ether1
add interface=sfp-sfpplus1
/ip dhcp-server lease
add address=192.168.88.17 mac-address=00:11:32:76:37:22 
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# The router resolves DNS for anyone who can reach UDP/TCP 53 on it; who can
# is governed solely by the input chain below.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.17 comment=nas name=data.asdf
/ip firewall filter
# NOTE: the input chain has no final drop. wireguard1 is in the LAN list, so
# the "drop all not coming from LAN" rule never matches tunnel traffic and
# every WireGuard peer reaches every router service regardless of the
# explicit accept rules. Also, none of these rules set log=yes; in RouterOS
# log-prefix only takes effect together with log=yes, which is why nothing
# shows up in the log.
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
    log-prefix=allow-wireguard protocol=udp
# Matches on source address only, with no in-interface: a packet arriving on
# the WAN with a spoofed 192.168.100.x source is accepted here, before the
# "drop all not coming from LAN" rule could reject it. Match on
# in-interface=wireguard1 instead - which makes it a duplicate of the next
# rule.
add action=accept chain=input comment="allow wireguard traffic" log-prefix=\
    allow-wireguard-traffic protocol=udp src-address=192.168.100.0/24
add action=accept chain=input comment="wireguard general" in-interface=\
    wireguard1
# Accepts anything from the tunnel in the forward chain, including
# peer -> internet via WAN (NATed by the defconf masquerade rule).
add action=accept chain=forward comment="wireguard fwd" in-interface=\
    wireguard1
add action=accept chain=forward comment="router to wireguard" dst-address=\
    192.168.100.0/24 log-prefix=router-to-wireguard src-address=\
    192.168.88.0/24
# Despite the name this is LAN-host <-> tunnel traffic (forward chain), not
# traffic to the router itself; it is already covered by "wireguard fwd".
add action=accept chain=forward comment="wireguard to router" dst-address=\
    192.168.88.0/24 log-prefix=wireguard-to-router src-address=\
    192.168.100.0/24
# Convention is to put established/related and drop-invalid first, so the
# new-connection accepts above are only evaluated for new flows.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=drop-invalid
# IKE, L2TP and NAT-T from anywhere. 1701 is accepted without
# ipsec-policy=in,ipsec; only use-ipsec=yes on the L2TP server keeps plain
# L2TP out. Clients that are not behind NAT would use ESP (protocol 50),
# which nothing here accepts.
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Last input rule: drops only non-LAN (i.e. WAN) traffic. Everything from the
# bridge or from wireguard1 falls through to the implicit accept.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=drop-not-from-lan
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttracked connections skip the remaining filter/mangle rules for the
# life of the connection.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Forward chain also has no final drop: LAN/tunnel -> WAN is accepted
# implicitly; only unsolicited WAN traffic is dropped here.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log-prefix=drop-not-STNATed
/ip firewall nat
# Source NAT for everything leaving the WAN, including 192.168.100.0/24
# (WireGuard peers) - so peer -> internet works once the forward chain and
# the client's AllowedIPs allow it.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Hairpin (NAT-reflection) masquerade for LAN -> LAN traffic routed by the
# router. Not needed for the tunnel, and it hides the real client address
# from LAN servers.
add action=masquerade chain=srcnat out-interface=bridge src-address=\
    192.168.88.0/24
/ip route
# Static route for the LAN's own subnet via an OVPN client interface that is
# not defined anywhere in this export. The connected route on the bridge
# should win (lower distance), but this looks like a leftover - review it.
add dst-address=192.168.88.0/24 gateway=ovpn-client1
/ip service
# Export lists only non-default entries: www (80), api, ssh and winbox are
# not shown, so they are presumably still at their defaults. Consider
# restricting them with address= to the LAN and tunnel subnets.
set telnet disabled=yes
set www-ssl certificate=www-ssl disabled=no
/ppp secret
# Passwords are stripped by hide-sensitive.
add name=ok profile=vpn-ppp-profile
add name=cat profile=vpn-ppp-profile
add name=okvpn profile=ovpn
add name=catvpn profile=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Zurich
/system note
set note="Welcome!!!" show-at-login=no
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
# MAC-telnet/MAC-winbox limited to the LAN list. These are layer-2 services,
# so the wireguard1 membership in LAN has no effect here.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


(1) It would seem you have a problem with your WAN / DHCP-client setup:

/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
# ether1 is a bridge port (see /interface bridge port), so the first entry
# can never get a lease; sfp-sfpplus1 is the real WAN uplink.
add comment=defconf interface=ether1
add interface=sfp-sfpplus1

(2) wg settings seem fine…

(3) For access to the router itself (for configuration) from WireGuard you have a duplicate: both rules below do the same thing, so only one is required. Keep the one matching on in-interface: a match on source address alone can be satisfied by a spoofed packet arriving on the WAN, because it is evaluated before the "drop all not coming from LAN" rule.

# Both rules accept input from the tunnel. The first matches on source
# address only (spoofable from the WAN, and limited to UDP); the second
# matches on the interface, which is the reliable criterion.
add action=accept chain=input comment=“allow wireguard traffic” log-prefix=
allow-wireguard-traffic protocol=udp src-address=192.168.100.0/24
add action=accept chain=input comment=“wireguard general” in-interface=
wireguard1

What I would do for now is keep only one rule:

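# Accept everything arriving on the tunnel interface. No protocol= match:
# the original carried protocol=udp over from the old rule, which would
# limit WireGuard peers to UDP services (DNS) and block Winbox/SSH/HTTPS
# (TCP) as soon as an explicit final drop is added to the input chain.
add action=accept chain=input comment="allow wireguard traffic" \
    log-prefix=allow-wireguard-traffic in-interface=wireguard1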

If at some point some future remote WireGuard users only need access to the LAN (to reach servers securely, for example), then restrict access to the router itself to the admin's addresses with a source address list.

(4) The forward chain rules are a bit confusing. You only need one rule: access from remote users to the local LAN. If you later connect another router with subnets that need to be reached, more rules can be added; for now you just need:

# Tunnel -> LAN only. Tunnel -> internet is not covered by this rule; in the
# posted config it is accepted implicitly because the forward chain has no
# final drop, and NATed by the defconf masquerade rule
# (out-interface-list=WAN). Add an explicit accept for it if you ever add a
# final drop to the forward chain.
add action=accept chain=forward comment=“wireguard fwd” in-interface=
wireguard1 dst-address=192.168.88.0/24

If at some future time you need to limit remote users to a specific LAN IP, or to a different subnet, add rules accordingly.

(5) In general, clean up the rules: keep all input chain rules together and all forward chain rules together. The order within each chain is also wrong — the established/related accept and the drop-invalid rule should come first, before any rule that accepts new connections.

(6) Remove this rule, it is not required (it is a hairpin-NAT rule for LAN-to-LAN traffic and hides the real source address from your LAN hosts):
# Hairpin (NAT-reflection) masquerade for LAN -> LAN traffic that is routed
# by the router. Not needed for the tunnel; it also hides the real client
# address from LAN servers.
add action=masquerade chain=srcnat out-interface=bridge src-address=
192.168.88.0/24

To answer the title: by assigning an IP address to the WireGuard interface it becomes a local (connected) interface, and the router creates the connected route for that subnet by itself, so you should not have to configure any routing. One reason to create a route is when you have to reach remote subnets via WireGuard, but that is not the case here (those remote subnets would also have to be listed in the peer's allowed-address).

Hello again

Thanks a lot for your input!
So I made some progress. I am now able to connect from my laptop and access resources. Somehow it does not work from my Android phone yet, but that is probably an unrelated issue.

But I’d still like to maybe clarify some of your points?

To answer the title, by creating an IP address for wireguard, it becomes a local interface and thus the router creates a route for that traffic. So you should not have to do any routing..

As I understood, I did this already with:

/ip address
# Assigning this address creates the connected route for 192.168.100.0/24 on
# wireguard1; no manual route is needed for the tunnel subnet itself.
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0

Or do I miss something here?

I don't necessarily mean setting up routes manually, but that I can access resources on the internet and in the local network while connected to my WireGuard tunnel.

Secondly, regarding the other points:

 /ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
# ether1 is a member of the bridge, i.e. a slave port, so a DHCP client on it
# can never obtain a lease; the WAN uplink is sfp-sfpplus1.
add comment=defconf interface=ether1
add interface=sfp-sfpplus1

(1) Can you elaborate what you mean with "DHCP client can not run on slave or passthrough interface!"? Should I remove the ether1 entry here?

(3+4) I cleaned up the rules as far as I understood them; I hope they are fine now!

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow wireguard" dst-port=13231 log-prefix=allow-wireguard protocol=udp
# protocol=udp limits this accept to UDP. It does not matter yet, because
# wireguard1 is in the LAN list and the chain has no final drop (tunnel
# traffic falls through to the implicit accept), but it will block
# Winbox/SSH/HTTPS from the tunnel as soon as a final drop is added. Drop the
# protocol match. Note also that log-prefix only logs together with log=yes.
add action=accept chain=input comment="wireguard traffic" in-interface=wireguard1 log-prefix=allow-wireguard-traffic protocol=udp
add action=accept chain=forward comment="router to wireguard" dst-address=192.168.100.0/24 log-prefix=router-to-wireguard src-address=192.168.88.0/24
# Despite the name this is LAN-host <-> tunnel traffic in the forward chain,
# not traffic to the router itself.
add action=accept chain=forward comment="wireguard to router" dst-address=192.168.88.0/24 log-prefix=wireguard-to-router src-address=192.168.100.0/24
# Convention is to have drop-invalid directly after established/related,
# before any new-connection accept.
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid
# IKE/L2TP/NAT-T from anywhere; plain L2TP is refused by use-ipsec=yes on the
# server. Clients that are not behind NAT would use ESP (protocol 50), which
# nothing here accepts.
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Last input rule: only non-LAN (WAN) traffic is dropped; everything from the
# bridge or from wireguard1 reaches every router service.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix=drop-not-from-lan
add action=accept chain=forward comment="defconf: accept in ipsec policy"  ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# The forward chain has no final drop: LAN and tunnel traffic towards the WAN
# is accepted implicitly, which (together with the masquerade below) is what
# gives WireGuard peers internet access.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log-prefix=drop-not-STNATed
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Thanks a lot again!
Your help is highly appreciated!

(1) Yes, the local (connected) route is created automatically. Extra routing is only required when there are subnets at the other end of the tunnel and you need to tell the router to reach them through the tunnel.

(2) It means there is an error in your config. Remove ether1 from the DHCP client list: it is a bridge port and has nothing to do with the WAN.

(3) The firewall rules are not the way I would write them, but if everything works for you, don't change them.

Hello!
Cool, thanks :slight_smile:

Regarding

(3) FW rules are not the way I like them but if all is working for you then dont change…

I’m very eager to learn and understand it better, what would you improve in that setup?

Thanks already!!

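/ip firewall address-list
add address=192.168.88.XX list=Authorized comment="admin desktop"
add address=192.168.100.2 list=Authorized comment="admin remote phone"
# The laptop peer's allowed-address is 192.168.100.3/32; the original listed
# .2 twice, which would have left the laptop without admin access.
add address=192.168.100.3 list=Authorized comment="admin remote laptop"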

The question I have is whether the other VPN (L2TP/IPsec) is only for internal users, or whether you expect external VPN users coming in on the WAN. If so, is it only you as admin? If applicable, add that VPN's address(es) to the Authorized list as well: `add address=<other-VPN address> list=Authorized`.

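/ip firewall filter
# --- default rules to keep ---
add action=accept chain=input comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# The original post had action=accept here, which would accept invalid
# packets; the defconf rule (and the intent) is drop.
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# Accepts ICMP from anywhere, including the WAN. Fine for a home router; add
# in-interface-list=LAN if the router should not answer pings from the
# internet.
add action=accept chain=input comment="accept ping" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

# --- admin rules ---
add action=accept chain=input comment="wireguard handshake" dst-port=13231 log-prefix=allow-wireguard protocol=udp
# IKE/NAT-T/L2TP from anywhere. Plain L2TP is refused by use-ipsec=yes on the
# server; to enforce that in the firewall as well, move 1701 into its own
# rule with ipsec-policy=in,ipsec. Clients that are not behind NAT use ESP
# (protocol 50), which nothing here accepts - add a protocol=ipsec-esp
# accept if you have such clients.
add action=accept chain=input comment="other VPN handshake" dst-port=500,1701,4500 protocol=udp
# No protocol= match here: the original had protocol=udp, which would have
# blocked Winbox/SSH/HTTPS (TCP) for the admin addresses once the final drop
# is in place. wireguard1 is in the LAN list, so Authorized tunnel peers
# match this rule too.
add action=accept chain=input comment="allow admin access" in-interface-list=LAN src-address-list=Authorized log-prefix=Admin-Access
# Every LAN/tunnel host may use the router's DNS. Hosts not in Authorized get
# nothing else - add rules for any other router service you rely on.
add action=accept chain=input comment="users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="users to services" dst-port=53 protocol=tcp in-interface-list=LAN
# Must stay the very last input rule. Apply it from Safe Mode (or with a
# scheduled rollback) so a mistake above cannot lock you out.
add action=drop chain=input comment="drop all else"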

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
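# --- default rules to keep ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

# --- admin rules ---
# wireguard1 is a LAN member, so this also lets tunnel peers out to the
# internet (NATed by the defconf masquerade rule), provided the client's
# AllowedIPs sends 0.0.0.0/0 into the tunnel.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg to LAN" in-interface=wireguard1 dst-address=192.168.88.0/24
# Enable if you add dst-nat port forwards; otherwise remove.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
# Takes the place of the defconf "drop all from WAN not DSTNATed": everything
# not accepted above is dropped, including LAN -> tunnel. If LAN hosts must
# initiate connections to tunnel peers, add a matching accept above this.
add action=drop chain=forward comment="drop all else"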