Help needed for setting up Wireguard for android device

slaz · January 18, 2022, 5:33pm

Hello,

I would appreciate if I could please get some help on setting up the RB5009UG as a Wireguard server to connect with android phone.
Here is my server config:

Here is my android phone config:
Interface:
name:home
private key:IPrxxxxx
Public Key: D0Pkxxxx
Addresses: 192.168.201.2/24
DNS servers: 192.168.200.1

Peer:
Public key: uQe9xxxx
Endpoint: xxxx:51820
Allowed IP’s: 0.0.0.0/1, 128.0.0.0/1

Thank you lots in advance and much appreciated

own3r1138 · January 18, 2022, 6:32pm

Check this topic.
https://forum.mikrotik.com/viewtopic.php?t=182340

slaz · January 18, 2022, 6:41pm

I read the topic but it’s not clear for me how to make it work

Sob · January 18, 2022, 6:49pm

What about other config on RB? Addresses, routes, … what you posted is not enough to make it work. Does wireguard1 interface have any IP address? Something like 192.168.201.1/24 perhaps? Also what you posted is wrong, there should be no endpoint for peer on RB.

slaz · January 18, 2022, 6:51pm

[sami@Mikrotik_router] > ip address/ print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE

ADDRESS NETWORK INTERFACE

0 192.168.200.1/24 192.168.200.0 eth2-lan
1 50.0.0.1/24 50.0.0.0 bridge-guest
2 D xxxx/32 10.0.0.1 digi
3 192.168.201.1/24 192.168.201.0 Wireguard_Android

[sami@Mikrotik_router] > ip route/ print
Flags: D - DYNAMIC; X, I, A - ACTIVE; c, s, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE

DST-ADDRESS GATEWAY DISTANCE

0 Xs eth1-wan 1
;;; Mullvad
1 Xs 0.0.0.0/0 wireguard1 1
DAv 0.0.0.0/0 digi 1
DAc 10.0.0.1/32 digi 0
DAc 50.0.0.0/24 bridge-guest 0
DAc 192.168.200.0/24 bridge-lan 0
DAc 192.168.201.0/24 Wireguard_Android 0
;;; Wireguard range
2 s 192.168.201.0/24 bridge-lan 1

[sami@Mikrotik_router] > interface/wireguard/print
Flags: X - disabled; R - running
0 R name="Wireguard_Android" mtu=1420 listen-port=51820 private-key="mDi4OWxxx" public-key="/dfg9AjYxxx"

/interface wireguard peers
add allowed-address=192.168.201.3/32 interface=Wireguard_Android public-key="WmgyUSxxxx"

Sob · January 18, 2022, 6:54pm

I also added a bit to message, but you were too fast. Get rid of peer’s endpoint on RB.

slaz · January 18, 2022, 6:56pm

I did. posted updated config above

Sob · January 18, 2022, 7:04pm

Your Android config has address 192.168.201.2/24, but peer on RB has allowed-address=192.168.201.3/32, that won’t work.

slaz · January 18, 2022, 7:07pm

changed the android to 192.168.201.3/32 but no joy yet

anav · January 18, 2022, 7:07pm

Change android settings
Use DNS 1.1.1.1, 9.9.9.9
and
Allowed IPs Try 0.0.0.0/0 if your intent is to go out the internet of the MT router ???
If your intent is to access a subnet on the MT router put that there instead…

The entries of 0.0.0.0/1 and 128.0.0.1, I have no idea will do but nothing I have seen before.

Sob · January 18, 2022, 7:07pm

And you don’t want this route:

;;; Wireguard range
2 s 192.168.201.0/24 bridge-lan 1

Sob · January 18, 2022, 7:09pm

@anav: 0.0.0.0/1 plus 128.0.0.0/1 is the same as 0.0.0.0/0, only doing it this way with two parts probably helps with overriding device’s existing default route.

slaz · January 18, 2022, 7:12pm

disabled the route
[sami@Mikrotik_router] > ip route/ print
Flags: D - DYNAMIC; X, I, A - ACTIVE; c, s, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE

DST-ADDRESS GATEWAY DISTANCE

0 Xs eth1-wan 1
;;; Wireguard range
1 Xs 192.168.201.0/24 bridge-lan 1
;;; Mullvad
2 Xs 0.0.0.0/0 wireguard1 1
DAv 0.0.0.0/0 digi 1
DAc 10.0.0.1/32 digi 0
DAc 50.0.0.0/24 bridge-guest 0
DAc 192.168.200.0/24 bridge-lan 0
DAc 192.168.201.0/24 Wireguard_Android 0

but not yet there

Sob · January 18, 2022, 7:16pm

Does Android client have any status? Can it try to ping 192.168.201.2? And when you do that, is there any change in peer’s Rx and Tx on RB? If not, do you see at least some incoming packets on WG port 51820? You can use Tools->Torch on WAN interface (digi). And of course your router does have public IP address, right?

slaz · January 18, 2022, 7:24pm

Android looks connected and tx changes all the time ( increasing ) but the rx remains at 0 all the time. I ping from android to router but I don’t receive anything. On the peer I can see this

The router has a public ip yes. It’s PPoE and I connect to it using DDNS ( no-ip ).
WIth torch on the wan interface on port 51820 I can see packets running

anav · January 18, 2022, 7:27pm

did you try android via cellular or are you using house wifi??

Have you posted your router config yet??
/export hide-sensitive file=anynameyouwish

slaz · January 18, 2022, 7:29pm

android is via 4G cause I want to make sure it works and wifi does not interfere

slaz · January 18, 2022, 7:35pm

Config is here
export_config_18_Jan.rsc (32.5 KB)

slaz · January 18, 2022, 7:43pm

In case it’s wanted I can always setup a discord share screen session or a team viewer to help easier

anav · January 18, 2022, 7:53pm

Input chain rule..
add action=accept chain=input comment=“Allow Wireguard” dst-port=51820
in-interface=eth1-wan protocol=udp

Should be
add action=accept chain=input comment=“Allow Wireguard” dst-port=51820
in-interface=digi protocol=udp

alternatively this would have worked as well.
add action=accept chain=input comment=“Allow Wireguard” dst-port=51820
in-interface-list=WAN protocol=udp

although I do see something potentially off on the interface list members
/interface list member
add interface=eth1-wan list=LAN ???
add interface=eth2-lan list=LAN
add interface=eth3-lan list=LAN
add interface=eth4-lan list=LAN
add interface=eth5-lan list=LAN
add interface=eth6-lan list=LAN
add interface=eth7-lan list=LAN
add interface=eth8-lan list=LAN
add interface=digi list=WAN
add interface=eth1-wan list=WAN
add interface=bridge-lan list=LAN