EDIT: I’m an idiot and typo’d an IP address. I’ve updated the code to be a copy of a working Wireguard config if anyone finds it useful.
I have WireGuard set up on a CHR. I can establish a connection, and the logs show a successful handshake and keepalive packets, but I can’t get any traffic through the tunnel in either direction. What am I doing wrong?
Mikrotik Config
# 2024-12-17 14:06:30 by RouterOS 7.16.2
# software id =
#
# Purpose: CHR acting as the WireGuard responder for one road-warrior peer
# (10.200.0.2) that should reach the LAN 10.10.11.0/24 behind ether1.
# Key material and the public endpoint are redacted as <PRIVKEY>, <PUBKEY>, <FQDN>.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireguard
# Tunnel interface: listens on UDP 25618 (the client's Endpoint port must match).
# MTU 1420 leaves room for the WireGuard/UDP/IP overhead on a 1500-byte path.
add listen-port=25618 mtu=1420 name=WG private-key="<PRIVKEY>"
/port
set 0 name=serial0
set 1 name=serial1
/interface wireguard peers
# allowed-address=10.200.0.2/32 is WireGuard cryptokey routing: only packets
# sourced from 10.200.0.2 are accepted from this peer, and only packets destined
# to 10.200.0.2 are sent to it. The LAN subnet does not belong here; what the
# client pushes into the tunnel is decided by the client's own AllowedIPs.
# The client-* fields appear to be used only for RouterOS's client-config export,
# and is-responder=yes means the CHR does not initiate the handshake — the
# client must dial in (presumably why a keepalive is also set on the client).
add allowed-address=10.200.0.2/32 client-address=10.200.0.2/32 client-endpoint=<FQDN> client-keepalive=20s client-listen-port=25618 interface=WG is-responder=yes name=\
"TEST" persistent-keepalive=20s public-key="<PUBKEY>"
/ip address
# LAN side: static 10.10.11.29/24 on ether1. A dhcp-client is also enabled on
# ether1 below, so ether1 may carry a second, leased address as well.
add address=10.10.11.29/24 comment=LAN interface=ether1 network=10.10.11.0
# Tunnel side: the CHR is 10.200.0.1 inside the /24. A client can only talk to
# this address if its AllowedIPs covers 10.200.0.1.
add address=10.200.0.1/24 comment=WG interface=WG network=10.200.0.0
/ip dhcp-client
add interface=ether1
/ip dns
# Upstream resolver for the router itself only; allow-remote-requests is not set,
# so the CHR does not act as a resolver for tunnel clients.
set servers=8.8.8.8
/ip firewall filter
# Rule order matters: the first matching rule wins.
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
# Handshake/keepalive entry point. Matches only the static ether1 address; a
# DHCP-leased address on ether1 would not match this rule.
add action=accept chain=input comment="allow WireGuard traffic" dst-address=10.10.11.29 dst-port=25618 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" in-interface=WG
# Forward: tunnel -> LAN is accepted here. There is no accept for the LAN ->
# tunnel return direction (connection-state=established,related); replies are
# only forwarded today because the catch-all forward drop below is disabled.
add action=accept chain=forward comment="allow WireGuard traffic" in-interface=WG
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Management ports are accepted from any source on any interface. If the CHR is
# reachable from the internet, restrict this with in-interface= or src-address=.
add action=accept chain=input comment=mgmt dst-port=22,80,443 protocol=tcp
# Both default-deny rules are disabled, so everything not dropped as invalid is
# accepted: the filter is effectively allow-all right now. Before enabling them,
# add a forward accept for connection-state=established,related so tunnel
# replies coming back from the LAN are not dropped.
add action=drop chain=forward comment="drop everything not explicitly allowed" disabled=yes
add action=drop chain=input comment="drop everything not explicitly allowed" disabled=yes
/ip route
# The CHR's own default gateway is another device (10.10.11.1), so the CHR is
# not the LAN's router. NOTE(review): LAN hosts replying to 10.200.0.2 will
# presumably send the reply to their own gateway, which has no route to
# 10.200.0.0/24 unless one is added there (10.200.0.0/24 via 10.10.11.29) or
# the CHR src-nats tunnel traffic leaving ether1. This export has no
# /ip firewall nat section. Confirm with /tool sniffer on ether1 whether the
# replies ever come back.
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=10.10.11.1 pref-src=10.10.11.29 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=America/Denver
/system logging
# Source of the handshake/keepalive messages seen in the log.
add topics=wireguard
/system note
set show-at-login=no
/system ntp client
# A correct clock matters: WireGuard handshake initiations carry a timestamp
# and a badly skewed peer can have its initiations rejected.
set enabled=yes
/system ntp client servers
add address=utcnist.colorado.edu
Client config (Windows):
# Windows WireGuard client profile for the peer "TEST" on the CHR.
# Placeholders: <PRIVKEY>, <PUBKEY>, FQDN.
[Interface]
PrivateKey = <PRIVKEY>
# Fixed source port; mirrors client-listen-port on the router's peer entry.
# Behind NAT the router still only sees the translated port.
ListenPort = 25618
# Must equal allowed-address on the router's peer entry (10.200.0.2/32);
# the router discards packets from this peer with any other source.
Address = 10.200.0.2/32
# 8.8.8.8 is not inside AllowedIPs below, so DNS queries leave over the
# client's normal interface, not through the tunnel.
DNS = 8.8.8.8
[Peer]
PublicKey = <PUBKEY>
# Split tunnel: only the LAN subnet is routed into the tunnel. The router's
# tunnel address 10.200.0.1 is NOT covered, so a ping to 10.200.0.1 from the
# client never enters the tunnel, and packets the router sends from
# 10.200.0.1 (e.g. a ping from the CHR) are dropped by the client because
# their source is outside AllowedIPs. Add 10.200.0.0/24 (or at least
# 10.200.0.1/32) if the router itself should be reachable through the tunnel.
AllowedIPs = 10.10.11.0/24
# Public name and port of the CHR; must reach the address the router's input
# rule accepts on (dst-address=10.10.11.29 udp/25618), directly or via NAT.
Endpoint = FQDN:25618
# Keeps the NAT mapping alive and lets the client initiate; the router side
# is configured as responder with persistent-keepalive=20s as well.
PersistentKeepalive = 20