Can't get WireGuard to work (the way I want)

So, I have a WireGuard (responder?) on my VPS server that I want to use as a VPN. I want to set up my Mikrotik to wrap all traffic from/to connected devices with WireGuard.

I have created a config file on my VPS server:

[Interface]
PrivateKey = XXX
Address = 10.66.66.6/32,fd42:42:42::6/128
DNS = 8.8.8.8,8.8.4.4

[Peer]
PublicKey = XXX
PresharedKey = XXX
Endpoint = <VPS Server IP>:62785
AllowedIPs = 0.0.0.0/0,::/0

It works just fine on official WireGuard clients.

Here is my Mikrotik config:

# 2024-06-05 16:48:39 by RouterOS 7.15
# software id = P7DF-AID8
#
# model = RB952Ui-5ac2nD
# serial number = CC460E042B5D
/interface bridge
add admin-mac=2C:C8:1B:1D:E7:03 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireguard
add listen-port=61712 mtu=1420 name=wireguard-interface
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wlan2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard-interface list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=<VPS Server IP> endpoint-port=62785 interface=wireguard-interface name=peer1 preshared-key=XXX public-key=XXX
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.66.66.6 comment="WireGuard Network" interface=wireguard-interface network=10.66.66.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4 use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=passthrough chain=input disabled=yes log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=wireguard-interface pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=wireguard-interface pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=<VPS Server IP>/32 gateway=ether1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

This MikroTik device is behind another MikroTik which is hooked up directly to my ISP (static, non-NAT IP).
I can provide its config too if necessary, but there’s a lot of private info to edit out, so, by request.

This time WireGuard config was imported via “WG Import” function, so I expect it to be 100% correct.

I see this in log:

wireguard-interface: [peer1] : Handshake for peer did not complete after 5 seconds, retrying (try 2)

And also a lot of these (from firewall’s logged input chain):

input: in:bridge out:(unknown 0), connection-state:new src-mac 64:70:02:c6:f6:04, proto UDP, 192.168.88.254:51903->192.168.88.255:20561, len 50

I can't even see any packets within the firewall's log.

What am I missing here?

So, to be clear, the VPS is a cloud server running WireGuard.
The biggest problem is assigning the same IP nomenclature to both devices… 10.66.66.6

VPS settings:

Change IP to 10.66.66.1

PEER
- Do not use a preshared key.
- For peer ensure you put the public key issued by the MikroTik router.
- For Allowed IPs, as this device is a server, EACH PEER gets its OWN AllowedIPs config line.

  • the one for the mikrotik should include
    a. the wireguard IP address of the MT,
    b. any subnets coming from the MT that need access.

AllowedIPs = 10.66.66.2/32,192.168.88.0/24


0.0.0.0/0 is nonsensical, as no other clients will work: ALL traffic will be captured by this peer.

MT SETTINGS:

PEER
- remove preshared key
- public key should be the one issued by the VPS device.
- IP address should be in the format: add address=10.66.66.2/24 comment="WireGuard Network" interface=wireguard-interface network=10.66.66.0


/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard endpoint-address=XXXX endpoint-port=YYYYY persistent-keepalive=35s public-key="^^^^^^^^^^^^^^^^^^"
++++++++++++++++++++++++++++++++
A bit confused: if all your subnet traffic is going out WireGuard, why have a DoH server? Unless the DoH server is going out the WireGuard tunnel as well for DNS??

- REMOVE this static default DNS setting.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

- THIS route is NOT required; it is created automatically by the router… REMOVE
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=wireguard-interface pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

- Similarly, the 128 route is not required.
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=wireguard-interface pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Similarly, this route is NOT required.
add disabled=no distance=1 dst-address=/32 gateway=ether1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

First you need to establish the tunnel, which means the router must be able to go out to the local internet.
Since it's not clear you have default-route=yes selected in IP DHCP Client, you may need to add a manual route.
First add a table:
/routing table
add fib name=via-WG

Then the necessary routes:
/ip route
add dst-address=0.0.0.0/0 gateway=ether1-gateway-IP routing-table=main comment="Lan Gateway IP providing WAN IP to your router"
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=via-WG comment="special route for subnet"

Now you need two routing rules.
/routing rule
add min-prefix=0 action=lookup-only-in-table table=main comment=“allow local traffic”
add src-address=192.168.88.0/24 action=lookup table=via-WG

+++++++++++++++++++++++++++++++++++++++++++++++++++++

You have no firewall rules to speak of, so technically all is allowed???

Now give that a shot and see how much progress has been made. This may take a few iterations.

What if you change "routing-table=wg"?

add:
/routing table
add disabled=no fib name=wg

modify:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=wireguard-interface pref-src=0.0.0.0 routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=wireguard-interface pref-src=0.0.0.0 routing-table=wg scope=30 suppress-hw-offload=no target-scope=10

add
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-address=!192.168.88.0/24 new-routing-mark=wg passthrough=yes src-address=192.168.88.0/24


ps - my "add address" line looks like:
add address=10.66.66.6/24 comment="WireGuard Network" interface=wireguard-interface network=10.66.66.0

Thanks for your reply!
So, the first thing I want to point to is that I deployed WireGuard on VPS using this tool: https://github.com/angristan/wireguard-install
I don’t really have an idea how it works internally.


> Change IP to 10.66.66.1

So I would need some time to figure out how to do that.
It gives different IPs for each client config, starting with 10.66.66.1, so this MikroTik is the 6th device that I try to connect. Previous 5 are using official WireGuard clients and work just fine. This exact WG config works fine there too!


> PEER
> - Do not use a preshared key.
> - For peer ensure you put the public key issued by the MikroTik router.
> - For Allowed IPs, as this device is a server, EACH PEER gets its OWN AllowedIPs config line.
>
>   • the one for the mikrotik should include
>     a. the wireguard IP address of the MT,
>     b. any subnets coming from the MT that need access.
>
> AllowedIPs = 10.66.66.2/32,192.168.88.0/24
>
> 0.0.0.0/0 is nonsensical, as no other clients will work: ALL traffic will be captured by this peer.
>
> MT SETTINGS:
>
> PEER
> - remove preshared key
> - public key should be the one issued by the VPS device.
> - IP address should be in the format: add address=10.66.66.2/24 comment="WireGuard Network" interface=wireguard-interface network=10.66.66.0

I will try that tomorrow, when I'm near that MikroTik again!


> A bit confused: if all your subnet traffic is going out WireGuard, why have a DoH server? Unless the DoH server is going out the WireGuard tunnel as well for DNS??

No idea. Seen it in some guide and tried. And tried A LOT of guides during the last three days. And that didn’t help with anything, obviously.


> - REMOVE this static default DNS setting.
> /ip dns static
> add address=192.168.88.1 comment=defconf name=router.lan

Have no idea how it got into the config, honestly.


> - THIS route is NOT required; it is created automatically by the router… REMOVE
> add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=wireguard-interface pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
>
> - Similarly, the 128 route is not required.
> add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=wireguard-interface pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
>
> Similarly, this route is NOT required.
> add disabled=no distance=1 dst-address=/32 gateway=ether1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

> First you need to establish the tunnel, which means the router must be able to go out to the local internet.
> Since it's not clear you have default-route=yes selected in IP DHCP Client, you may need to add a manual route.
> First add a table:
> /routing table
> add fib name=via-WG
>
> Then the necessary routes:
> /ip route
> add dst-address=0.0.0.0/0 gateway=ether1-gateway-IP routing-table=main comment="Lan Gateway IP providing WAN IP to your router"
> add dst-address=0.0.0.0/0 gateway=wireguard routing-table=via-WG comment="special route for subnet"
>
> Now you need two routing rules.
> /routing rule
> add min-prefix=0 action=lookup-only-in-table table=main comment="allow local traffic"
> add src-address=192.168.88.0/24 action=lookup table=via-WG

With the current routing I can just disable WireGuard interface and the “default” internet access immediately starts to work again. Will it still be so when I apply these changes?


> You have no firewall rules to speak of, so technically all is allowed???

The MikroTik "in front" of this one has its firewall set properly and has been running fine for more than a year, so I just deleted all the rules from this MT to not give them a chance to interfere with my attempts in any way.

KK,

So the VPS server is doing its thing correctly.
Each client peer gets its own IP.

Since it's assigned .6 to the MT,
then on the MT
/ip address
add address=10.66.66.6/24 interface=wireguard network=10.66.66.0

The WG address of the VPS cannot be the same, and it should probably be 10.66.66.1

&

I'm dumb. I mindlessly copied the /32 mask from the config and forgot that it equals just one address!
Will try tomorrow, thank you a lot, guys!

So… I tried everything mentioned here, but no luck.
I tried to ping the VPS server IP from WG Mikrotik, but all the packets are lost. What can be the reason?
But I can ping it from the second Mikrotik (my network gateway) just fine.
Completely disabling all firewall rules on the second Mikrotik didn’t help at all.
Nevermind, fixed it. Let me check things one more time now.

UPD: Nope, still doesn’t work. Total Rx on WG peer and interface is 0, no matter what I try.

Current config:

# 2024-06-07 13:43:32 by RouterOS 7.15
# software id = P7DF-AID8
#
# model = RB952Ui-5ac2nD
# serial number = CC460E042B5D
/interface bridge
add admin-mac=2C:C8:1B:1D:E7:03 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireguard
add listen-port=61712 mtu=1420 name=wireguard-interface
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wlan1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wlan2 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard-interface list=WAN
/interface wireguard peers
add allowed-address=10.66.66.6/32,192.168.88.0/24 endpoint-address=\
    <VPS Server IP> endpoint-port=62785 interface=wireguard-interface name=peer1 \
    public-key=XXX
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.66.66.6/24 comment="WireGuard Network" interface=\
    wireguard-interface network=10.66.66.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN

Let’s get one thing straight, because maybe I have the whole WireGuard idea wrong:
Is it possible to use WireGuard as a VPN for all devices connected to my Mikrotik, without them having WireGuard clients?
So the WireGuard tunnel will be completely transparent to them and they won’t know that my Mikrotik and my VPS are actually different devices.
That's why I specified that WireGuard doesn't work the way I want in the title.

Yes, it is possible.
The main scenario.
You make WireGuard with a static route or mangle at the MikroTik and all the wired/wireless clients use it transparently with no special additional software.
Just DHCP.

So the problem is there is no clear and understandable guide or how-to on how to make a WireGuard client in 2 steps.

And even more.
After you manage to set up the WireGuard VPN client, you can enable Back To Home (which is WireGuard too) and when you connect remotely over LTE you will be able to use that WireGuard VPN client transparently.
I use it in this way.
Very convenient.

Mikrotik means pain and frustration. And bugs.
But my first post and anav’s post will help you.

Life would be boring without struggle with mikrotik setup.
Get mikrotik set up or die trying )

The main focus is finally being recognized, articulation of clear requirements.

a. You wish to send the entire LAN out the VPS for internet?
b. You wish to send the entire LAN to the VPS to reach a subnet at the VPS, but with no internet through the VPS?

What happens if the VPN tunnel for whatever reason is NOT working?
c. If VPS internet is the goal, should the user then be sent out the local WAN for internet, or get NO internet???

Without clarity progress cannot be made.
Mangling is only required in certain scenarios.

+++++++++++++++++++++++++++++++++++++++++++
Any requirement that requires internet at the VPS site means,
MT
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<VPS Server IP> endpoint-port=62785 interface=wireguard-interface name=peer1 public-key=XXX persistent-keepalive=35s

/routing table
add fib name=VPS-ONLY

/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-interface routing-table=VPS-ONLY

/routing rule
add src-address=192.168.88.0/24 action=lookup-only-in-table table=VPS-ONLY

Note: If you want users to be able to access local WAN if VPS connection is not working change action to action=lookup
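The VPS-ONLY table and the lookup / lookup-only-in-table choice above can be checked against a small model. The following Python is an added example for this thread, not anav's or the original poster's configuration and not RouterOS code: it implements longest-prefix match over named tables and applies routing rules in order, then shows (1) that with action=lookup-only-in-table LAN clients get nothing when the tunnel route is inactive while action=lookup sends them out the local WAN, and (2) that the router's own handshake packets to the VPS, which the LAN src-address rule never matches, need a /32 host route via the physical uplink; without it the 0.0.0.0/1 and 128.0.0.0/1 routes from the first configuration in this thread send them into the tunnel they are trying to establish. The VPS address 203.0.113.10, the interface names and the table layout are assumptions.

```python
"""Model of RouterOS 7 route selection for the VPS-ONLY / failover discussion.

Added example for this forum thread, not RouterOS code. Routes are
(prefix, gateway) pairs where the gateway is an interface name. `inactive`
names gateways whose route is currently inactive. Addresses are assumptions:
203.0.113.10 stands in for the VPS public IP.
"""
import ipaddress
from typing import Dict, FrozenSet, List, Optional, Tuple

Route = Tuple[str, str]   # (dst-address prefix, gateway interface)
Rule = Dict[str, str]     # {"src": prefix, "table": name, "action": ...}

VPS_IP = "203.0.113.10"   # assumption: documentation address for the VPS
LAN = "192.168.88.0/24"


def lookup(table: List[Route], dst: str,
           inactive: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Longest-prefix match over one routing table, skipping inactive routes."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, gateway in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if gateway in inactive or addr not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, gateway)
    return best[1] if best else None


def egress(tables: Dict[str, List[Route]], rules: List[Rule], src: str,
           dst: str, inactive: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Apply /routing rule entries in order, then fall back to main.

    action=lookup: no route in the named table -> continue to main.
    action=lookup-only-in-table: no route in the named table -> drop.
    """
    src_addr = ipaddress.ip_address(src)
    for rule in rules:
        if src_addr not in ipaddress.ip_network(rule["src"]):
            continue
        gateway = lookup(tables[rule["table"]], dst, inactive)
        if gateway is not None:
            return gateway
        if rule["action"] == "lookup-only-in-table":
            return None   # dropped: nothing leaks out the local WAN
        # action=lookup falls through to the main table
    return lookup(tables["main"], dst, inactive)


# The two /1 routes from the thread's first config plus the DHCP default
# route on ether1, with the /32 host route to the VPS left out.
LOOPING_MAIN: List[Route] = [
    ("0.0.0.0/1", "wireguard-interface"),
    ("128.0.0.0/1", "wireguard-interface"),
    ("0.0.0.0/0", "ether1"),
]
# Same table with the host route to the VPS endpoint via the physical uplink.
FIXED_MAIN: List[Route] = LOOPING_MAIN + [(f"{VPS_IP}/32", "ether1")]


def handshake_egress(main: List[Route]) -> Optional[str]:
    """Where the router's own encrypted UDP to the VPS leaves.

    Router-originated traffic has the WAN address as source, so the LAN
    src-address rule does not match it and main decides. If main says the
    tunnel interface, the handshake is wrapped into the tunnel it is trying
    to build and never reaches the VPS.
    """
    return lookup(main, VPS_IP)


# anav's VPS-ONLY layout: LAN sources are looked up in a dedicated table.
TABLES: Dict[str, List[Route]] = {
    "main": [("0.0.0.0/0", "ether1"), (f"{VPS_IP}/32", "ether1")],
    "VPS-ONLY": [("0.0.0.0/0", "wireguard-interface")],
}
STRICT: List[Rule] = [{"src": LAN, "table": "VPS-ONLY", "action": "lookup-only-in-table"}]
FAILOVER: List[Rule] = [{"src": LAN, "table": "VPS-ONLY", "action": "lookup"}]


def lan_egress(rules: List[Rule], tunnel_up: bool) -> Optional[str]:
    """Egress interface for a LAN client (192.168.88.50) reaching 1.1.1.1."""
    inactive = frozenset() if tunnel_up else frozenset({"wireguard-interface"})
    return egress(TABLES, rules, "192.168.88.50", "1.1.1.1", inactive)


if __name__ == "__main__":
    print("handshake without /32 route:", handshake_egress(LOOPING_MAIN))
    print("handshake with /32 route:   ", handshake_egress(FIXED_MAIN))
    for name, rules in (("lookup-only-in-table", STRICT), ("lookup", FAILOVER)):
        print(f"{name}: up -> {lan_egress(rules, True)}, down -> {lan_egress(rules, False)}")
```

One caveat for the failover variant: a route whose gateway is the WireGuard interface stays active whether or not a handshake has completed, because the interface is always "running". For action=lookup to actually fall through, the tunnel route has to go inactive, for example a next-hop gateway of 10.66.66.1 with check-gateway=ping; the model represents that state by listing the gateway in `inactive`.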

So here is what the main problem was.
The WireGuard server installation script I mentioned earlier turned out to be buggy. It assigned its first generated client configuration the same IP (10.66.66.1) that was already assigned to the WireGuard server.

And here is the config that finally worked for me:

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=<VPS Server IP> endpoint-port=\
    62785 interface=wireguard1 name=peer1 preshared-key="" public-key=""
/ip address
add address=10.66.66.2/24 interface=wireguard1 network=10.66.66.0
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.66.66.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=<VPS Server IP>/32 gateway=10.0.1.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Routing my VPS server IP over my gateway turned out to be absolutely necessary, it won’t work otherwise.
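The working configuration above can be derived mechanically from the wg-quick file the VPS script hands out. The following Python is an added example for this thread, not the original poster's configuration and not the install script's output: it parses a client file and emits the equivalent RouterOS 7 commands, refusing to continue if the client address collides with the server's tunnel address (the bug found above) or lies outside the tunnel subnet. The server tunnel address, the WAN gateway, the /24 tunnel mask, the interface name, the 25 s keepalive and the DHCP default-route distance are assumptions passed in or hard-coded; the sample file is constructed with redacted keys and a documentation address for the VPS.

```python
"""Convert a wg-quick client file into RouterOS 7 commands, with sanity checks.

Added example for this forum thread; not the original poster's config and not
the angristan script. Assumptions: the server's tunnel address (10.66.66.1)
and the router's WAN gateway (10.0.1.1) come from the caller; the tunnel is a
/24; keys in the sample are redacted placeholders; 203.0.113.10 stands in for
the VPS public IP.
"""
import ipaddress
from typing import Dict, List

# Constructed sample in the shape of the thread's client file (keys redacted).
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <redacted>
Address = 10.66.66.6/32,fd42:42:42::6/128
DNS = 8.8.8.8,8.8.4.4

[Peer]
PublicKey = <redacted>
PresharedKey = <redacted>
Endpoint = 203.0.113.10:62785
AllowedIPs = 0.0.0.0/0,::/0
"""


def parse_wg_quick(text: str) -> List[Dict[str, str]]:
    """Return one dict per [Section]; repeated [Peer] sections stay separate."""
    sections: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # base64 keys never contain '#'
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_section": line[1:-1]}
            sections.append(current)
        elif "=" in line and current:
            key, value = line.split("=", 1)    # keys may end in '=' padding
            current[key.strip()] = value.strip()
    return sections


def _ipv4_only(csv: str) -> List[ipaddress.IPv4Interface]:
    """Keep the IPv4 entries of a comma-separated address list (IPv6 is disabled on the router)."""
    parsed = [ipaddress.ip_interface(a.strip()) for a in csv.split(",") if a.strip()]
    return [a for a in parsed if a.version == 4]


def to_routeros(text: str, server_tunnel_ip: str, wan_gateway: str,
                tunnel_prefix: int = 24, iface: str = "wireguard1") -> List[str]:
    """Emit RouterOS 7 commands for a single-peer client file."""
    sections = parse_wg_quick(text)
    interface = next(s for s in sections if s["_section"] == "Interface")
    peers = [s for s in sections if s["_section"] == "Peer"]
    if len(peers) != 1:
        raise ValueError("a client file is expected to carry exactly one [Peer]")
    peer = peers[0]

    client_ip = _ipv4_only(interface["Address"])[0].ip
    server_ip = ipaddress.ip_address(server_tunnel_ip)
    tunnel_net = ipaddress.ip_network(f"{client_ip}/{tunnel_prefix}", strict=False)
    # The failure this thread ran into: the generator handed out the server's own address.
    if client_ip == server_ip:
        raise ValueError(f"client tunnel address {client_ip} is the server's address")
    if server_ip not in tunnel_net:
        raise ValueError(f"server {server_ip} is outside {tunnel_net}; a default route via it cannot resolve")

    host, port = peer["Endpoint"].rsplit(":", 1)
    endpoint = ipaddress.ip_address(host)          # hostnames are out of scope here
    allowed = ",".join(str(a.network) for a in _ipv4_only(peer["AllowedIPs"]))

    peer_cmd = (f"/interface wireguard peers add interface={iface} name=peer1 "
                f"public-key=\"{peer['PublicKey']}\" endpoint-address={endpoint} "
                f"endpoint-port={port} allowed-address={allowed} persistent-keepalive=25s")
    if peer.get("PresharedKey"):                    # must match the server side exactly
        peer_cmd += f" preshared-key=\"{peer['PresharedKey']}\""

    cmds = [
        f"/interface wireguard add name={iface} mtu=1420 private-key=\"{interface['PrivateKey']}\"",
        peer_cmd,
        f"/ip address add address={client_ip}/{tunnel_prefix} interface={iface} network={tunnel_net.network_address}",
        # Host route for the encrypted UDP to the VPS, via the physical uplink;
        # without it the tunnel default route swallows the handshake itself.
        f"/ip route add dst-address={endpoint}/32 gateway={wan_gateway} comment=\"VPS endpoint via WAN\"",
        f"/ip route add dst-address=0.0.0.0/0 gateway={server_ip} distance=1",
        # Assumption: keep the DHCP default route as a backup at a worse distance.
        "/ip dhcp-client set [find interface=ether1] default-route-distance=10",
        f"/ip firewall nat add chain=srcnat out-interface={iface} action=masquerade",
    ]
    if interface.get("DNS"):
        cmds.append(f"/ip dns set servers={interface['DNS']} allow-remote-requests=yes")
    return cmds


if __name__ == "__main__":
    for cmd in to_routeros(SAMPLE_CONFIG, "10.66.66.1", "10.0.1.1"):
        print(cmd)
```

The DHCP client on ether1 installs its own default route at distance 1, so the example demotes it to distance 10 instead of deleting it; management access to the router keeps working if the tunnel dies, while LAN traffic prefers the tunnel whenever its route is active. The preshared key is carried over only when the file has one: both ends must agree, so it is either configured on both or on neither.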


> a. You wish to send the entire LAN out the VPS for internet?
> b. You wish to send the entire LAN to the VPS to reach a subnet at the VPS, but with no internet through the VPS?
>
> What happens if the VPN tunnel for whatever reason is NOT working?
> c. If VPS internet is the goal, should the user then be sent out the local WAN for internet, or get NO internet???

a. yep
c. right now I think of the VPS-only option, but it can change later


> /routing table
> add fib name=VPS-ONLY
>
> /ip route
> add dst-address=0.0.0.0/0 gateway=wireguard-interface routing-table=VPS-ONLY
>
> /routing rule
> add src-address=192.168.88.0/24 action=lookup-only-in-table table=VPS-ONLY
>
> Note: If you want users to be able to access local WAN if VPS connection is not working change action to action=lookup

Thanks! I will modify my config in this way to be able to fast switch between "VPS only" and "WAN backup" options.

Yeah, I can really feel that now :smiley:

Hi there!
Did you manage to get it working at the end?
Trying to do the same setup :confused: