HELP - Unable to connect WireGuard when WAN is Public IP

Dear all,

I’m having difficulties with WireGuard. I have a setup that works when the WAN IP is a private IP routed through a modem/ONT.
If the WAN is a static public IP, my WireGuard setup is unable to connect: the handshake fails. The TX counter is rising, but the RX counter on WireGuard stays at 0.

Can someone please help me? Here is my setup.

# model = RB5009UG+S+
# --- Bridge and physical interfaces ---
# One LAN bridge with a fixed MAC (auto-mac=no); ports are added to it in
# /interface bridge port below.
/interface bridge
add admin-mac=DC:2C:6E:31:28:E1 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether8 is the WAN port. Its display name is referenced by the address,
# dhcp-client, interface-list and dst-nat rules further down, so renaming it
# requires updating all of those.
set [ find default-name=ether8 ] name="ether8 - CBN 250MB"
# Explicit advertise list for the SFP+ port, which is bridged as a LAN port.
set [ find default-name=sfp-sfpplus1 ] advertise="10M-half,10M-full,100M-half,\
    100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full"

/interface l2tp-client
# Outbound L2TP client to a remote host. No password is present here; it is
# presumably stripped by the export (/export show-sensitive would include it).
# No use-ipsec= parameter is shown, so this client appears to run L2TP without
# IPsec -- confirm, since plain L2TP/PPP carries traffic unencrypted unless
# MPPE is negotiated.
add connect-to=tsno.access.ly disabled=no name="Amazon EC2" user=KPM-HQ

/interface wireguard
# WireGuard interface used as a client towards Surfshark. The private key is
# likewise absent from this export. mtu=1280 keeps the tunnel packets small
# enough for most outer paths; listen-port only matters for inbound
# initiations, outbound handshakes use the endpoint in /interface wireguard
# peers below.
add listen-port=13231 mtu=1280 name=WG-SurfShark

/interface list
# The WAN and LAN lists are what neighbor discovery, MAC-server and MAC-WinBox
# are bound to further down, so membership of LAN decides which interfaces
# expose those management services.
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
# Default wireless security profile; only the supplicant identity is changed.
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
# DHCP pool for the LAN bridge. The router (.250) and .201-.254 are outside the
# pool; the address lists below split the /24 along the same lines.
add name=default-dhcp ranges=192.168.38.1-192.168.38.200

/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=3d name=defconf

/ppp profile
# Profile for inbound L2TP users (the server is enabled below with
# use-ipsec=required, so confidentiality comes from IPsec rather than MPPE,
# hence use-encryption=no). local-address is the router side of the PPP
# link; no remote-address or pool is shown in this export, so where dial-in
# clients get their 192.168.201.x addresses from is not visible here.
add change-tcp-mss=yes local-address=192.168.201.250 name="L2TP Dial In" \
    only-one=yes use-encryption=no

/queue type
# Per-host PCQ shaping types. Only "PCQ - Download 50M" and "PCQ - Upload - 30M"
# are referenced by the queue tree below; the 100M and 80M types are unused
# in this export.
add kind=pcq name="PCQ - Download - 100M" pcq-classifier=dst-address \
    pcq-rate=100M
add kind=pcq name="PCQ - Download 50M" pcq-classifier=dst-address pcq-rate=\
    50M
add kind=pcq name="PCQ - Upload - 80M" pcq-classifier=src-address pcq-rate=\
    80M
add kind=pcq name="PCQ - Upload - 30M" pcq-classifier=src-address pcq-rate=\
    30M

/queue tree
# 250M global ceilings with one child each for LAN traffic, selected by the
# "Upload - LAN" / "Download - LAN" packet marks set in /ip firewall mangle.
add max-limit=250M name="Global Download - 250M" parent=global queue=\
    pcq-download-default
add max-limit=250M name="Upload Global - 250M" parent=global queue=\
    pcq-upload-default
add max-limit=200M name="Download - Internal" packet-mark="Download - LAN" \
    parent="Global Download - 250M" priority=6 queue="PCQ - Download 50M"
add max-limit=200M name="Upload - Internal" packet-mark="Upload - LAN" \
    parent="Upload Global - 250M" priority=6 queue="PCQ - Upload - 30M"

/routing table
# Separate routing table for packets carrying the WG1-SurfShark routing mark;
# its only route is the WireGuard default route added in /ip route below.
add disabled=no fib name=WG1-SurfShark

/interface bridge port
# ether2-ether7 and sfp-sfpplus1 form the LAN. ether1 is not bridged and is
# not a member of any interface list in this export -- presumably unused,
# worth confirming.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1

/ip neighbor discovery-settings
# Discovery (MNDP/CDP/LLDP) answers only on LAN-listed interfaces -- note that
# WG-SurfShark is put into LAN below.
set discover-interface-list=LAN

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set max-neighbor-entries=8192

/interface l2tp-server server
# Dial-in L2TP with IPsec mandatory. The IPsec pre-shared secret is not in
# this export (presumably stripped, as with the other secrets).
set enabled=yes use-ipsec=required

/interface list member
# WG-SurfShark is placed in LAN, not WAN. Because neighbor discovery,
# /tool mac-server and mac-winbox are all bound to LAN, the tunnel side is
# treated as trusted management-side, and the peer below has
# allowed-address=0.0.0.0/0, so any source reaching the router through the
# tunnel is accepted as "LAN". Moving it to WAN removes that exposure and also
# makes an out-interface-list=WAN srcnat rule cover it.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether8 - CBN 250MB" list=WAN
add interface=WG-SurfShark list=LAN

/interface ovpn-server server
# No enabled=yes is present, so this server is probably disabled. If it is
# ever enabled, md5 should be dropped from the auth list; sha1 alone is the
# stronger of the two offered here.
set auth=sha1,md5

/interface wireguard peers
# Surfshark server peer. allowed-address=0.0.0.0/0 means this peer is the
# cryptokey-routing target for every destination and any source address is
# accepted from it. public-key is the server's key, not a secret. The
# endpoint is resolved from the hostname; handshake initiations are sent
# regardless of whether a reply arrives, so TX rising while RX stays 0 is
# consistent with replies never arriving or being silently rejected (wrong
# key pair, clock skew, or return path problems) -- to be confirmed.
add allowed-address=0.0.0.0/0 endpoint-address=id-jak.prod.surfshark.com \
    endpoint-port=51280 interface=WG-SurfShark persistent-keepalive=25s \
    public-key="qyghLDfpfyparp0M52OVcmhKckayOvbRO2DDLkgJqyk="

/ip address
# LAN gateway address on the bridge.
add address=192.168.38.250/24 comment=defconf interface=bridge network=\
    192.168.38.0
# Static public /30 on the WAN port. A dhcp-client is also configured on the
# same interface in /ip dhcp-client below; the two should not coexist on one
# port -- keep whichever the ISP actually provides.
add address=103.113.xx.xx/30 interface="ether8 - CBN 250MB" network=\
    103.113.xx.xx
# Tunnel-side address assigned by the VPN provider.
add address=10.14.0.2/16 interface=WG-SurfShark network=10.14.0.0

/ip dhcp-client
# DHCP client on the same port that already carries the static public /30
# above. If the ISP answers DHCP the router may receive a second address and
# (with the client's default settings) a second default route on ether8,
# which would compete with the static default route below -- one of the two
# configurations should be removed.
add interface="ether8 - CBN 250MB"

/ip dhcp-server network
add address=192.168.38.0/24 comment=defconf dns-server=192.168.38.250 \
    gateway=192.168.38.250

/ip firewall address-list
# "All IP" is used as "internal address space": it is the srcnat source match
# and, negated, the "Internet" destination match in mangle. It contains the
# LAN /24, 192.168.201.0/24 (the L2TP dial-in range, per the ppp profile),
# 192.168.87.0/24 and 192.168.199.0/24 (reached via static routes below),
# plus 10.0.0.0/24 and 192.168.99.0/24, which appear nowhere else in this
# export -- their origin should be documented or the entries removed.
# "All Client IP" is the LAN /24 minus the router's own .250.
# "Internet VPN" is defined but not referenced by any rule in this export.
add address=192.168.38.0/24 list="All IP"
add address=10.0.0.0/24 list="All IP"
add address=192.168.38.1-192.168.38.249 list="All Client IP"
add address=192.168.38.251-192.168.38.254 list="All Client IP"
add address=192.168.201.99 list="Internet VPN"
add address=192.168.201.1 list="Internet VPN"
add address=192.168.201.0/24 list="All IP"
add address=192.168.87.0/24 list="All IP"
add address=192.168.199.0/24 list="All IP"
add address=192.168.99.0/24 list="All IP"

/ip firewall mangle
# Clamp the MSS of TCP SYNs leaving through the tunnel to 1200, below the
# 1280-byte tunnel MTU. new-mss=clamp-to-pmtu would derive this from the
# interface MTU instead of a fixed number.
add action=change-mss chain=forward new-mss=1200 out-interface=WG-SurfShark \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1201-65535
# Policy routing: send traffic from 192.168.38.1 (the NAS, per the dst-nat
# rules) to non-internal destinations via the WG1-SurfShark table. Currently
# disabled, so nothing is routed through the tunnel at present.
add action=mark-routing chain=prerouting disabled=yes dst-address-list=\
    "!All IP" in-interface=bridge new-routing-mark=WG1-SurfShark passthrough=\
    yes src-address=192.168.38.1
# Packet marks for the queue tree: LAN client -> Internet (upload) and
# Internet -> LAN client (download), ICMP excluded. Both match on the bridge
# only, so L2TP dial-in traffic is not shaped by these.
add action=mark-packet chain=forward dst-address-list="!All IP" in-interface=\
    bridge new-packet-mark="Upload - LAN" passthrough=yes protocol=!icmp \
    src-address-list="All Client IP"
add action=mark-packet chain=forward dst-address-list="All Client IP" \
    new-packet-mark="Download - LAN" out-interface=bridge passthrough=yes \
    protocol=!icmp src-address-list="!All IP"

/ip firewall nat
# Masquerade everything sourced from internal space, on whatever interface the
# packet leaves -- this also covers the WireGuard and L2TP tunnels, which is
# what a single-address VPN peer requires. Restricting the rule with
# out-interface-list=WAN (with the tunnel in the WAN list) states that intent
# explicitly.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    src-address-list="All IP"
# Hairpin: LAN clients addressing the public IP are redirected to the NAS.
add action=dst-nat chain=dstnat comment="NAS Redirect" dst-address=\
    103.113.xx.xx src-address-list="All Client IP" to-addresses=192.168.38.1
# Port forwards from the WAN port to the NAS. No /ip firewall filter section
# appears in this export, so unless filter rules were omitted from the paste
# nothing restricts who on the Internet can reach these. 443/8080/9000 are
# web-style ports; 139 and 445 TCP, 445 UDP and 548 expose SMB and AFP file
# sharing directly to the Internet, and 8081 is mapped to 139 (SMB on a
# non-standard port). These file-sharing ports are better reached over the
# L2TP/IPsec dial-in already configured than forwarded from the public IP;
# failing that, limit them with a src-address-list of known clients.
add action=dst-nat chain=dstnat comment=NAS dst-port=443 in-interface=\
    "ether8 - CBN 250MB" protocol=tcp to-addresses=192.168.38.1 to-ports=443
add action=dst-nat chain=dstnat comment=NAS dst-port=8080 in-interface=\
    "ether8 - CBN 250MB" protocol=tcp to-addresses=192.168.38.1 to-ports=8080
add action=dst-nat chain=dstnat comment=NAS dst-port=9000 in-interface=\
    "ether8 - CBN 250MB" protocol=tcp to-addresses=192.168.38.1 to-ports=9000
# 8081 -> 139: same SMB service as the 139 rule below, on an alternate port.
add action=dst-nat chain=dstnat comment=NAS dst-port=8081 in-interface=\
    "ether8 - CBN 250MB" protocol=tcp to-addresses=192.168.38.1 to-ports=139
add action=dst-nat chain=dstnat comment=NAS dst-port=548 in-interface=\
    "ether8 - CBN 250MB" protocol=tcp to-addresses=192.168.38.1 to-ports=548
add action=dst-nat chain=dstnat comment=NAS dst-port=139 in-interface=\
    "ether8 - CBN 250MB" protocol=tcp to-addresses=192.168.38.1 to-ports=139
add action=dst-nat chain=dstnat comment=NAS dst-port=445 in-interface=\
    "ether8 - CBN 250MB" protocol=tcp to-addresses=192.168.38.1 to-ports=445
# NetBIOS UDP forwards are disabled; 445/udp is still active.
add action=dst-nat chain=dstnat comment=NAS disabled=yes dst-port=137 \
    in-interface="ether8 - CBN 250MB" protocol=udp to-addresses=192.168.38.1 \
    to-ports=137
add action=dst-nat chain=dstnat comment=NAS disabled=yes dst-port=138 \
    in-interface="ether8 - CBN 250MB" protocol=udp to-addresses=192.168.38.1 \
    to-ports=138
add action=dst-nat chain=dstnat comment=NAS disabled=yes dst-port=139 \
    in-interface="ether8 - CBN 250MB" protocol=udp to-addresses=192.168.38.1 \
    to-ports=139
add action=dst-nat chain=dstnat comment=NAS dst-port=445 in-interface=\
    "ether8 - CBN 250MB" protocol=udp to-addresses=192.168.38.1 to-ports=445

/ip firewall service-port
# Connection-tracking helpers (ALGs) switched off.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip proxy
# Proxy port changed; whether the proxy is enabled is not shown here. If it is
# enabled, with no filter rules in this export it would be reachable from the
# public IP as an open proxy -- confirm it is disabled or restricted.
set port=8083

/ip route
# Static default route via the ISP gateway, at distance 3. A default route
# installed by the dhcp-client on the same port would (with its default
# distance) take precedence over this one -- see the dhcp-client note above.
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=103.113.xx.xx \
    routing-table=main suppress-hw-offload=no
# Host route via 192.168.199.250; that gateway is not on any locally
# configured subnet in this export, so it is presumably reached through one
# of the tunnels -- verify.
add check-gateway=ping disabled=no distance=1 dst-address=192.168.199.1/32 \
    gateway=192.168.199.250 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
# Remote site behind an L2TP dial-in peer (192.168.201.2 falls in the dial-in
# range of the ppp profile).
add check-gateway=ping disabled=no dst-address=192.168.87.0/24 gateway=\
    192.168.201.2 routing-table=main suppress-hw-offload=no
# Default route inside the WG1-SurfShark table; only packets carrying that
# routing mark (mangle rule, currently disabled) use it. The WireGuard
# endpoint itself is looked up in main, so there is no routing loop.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    WG-SurfShark pref-src="" routing-table=WG1-SurfShark scope=30 \
    suppress-hw-offload=no target-scope=10

/ip service
# telnet, ftp, ssh, api and api-ssl are off. www (plain HTTP) and winbox are
# enabled on non-default ports with no address= restriction shown, and this
# export has no /ip firewall filter section, so both are reachable on the
# public IP unless filter rules were left out of the paste. A changed port is
# not access control: add address= (management subnets only) and/or an input
# chain that drops unsolicited WAN traffic.
set telnet disabled=yes
set ftp disabled=yes
set www port=8383
set ssh disabled=yes
set api disabled=yes
set winbox port=833
set api-ssl disabled=yes


/system clock
# No /system ntp client appears in this export. A clock that runs backwards
# after a reboot can make a WireGuard responder silently drop handshake
# initiations (the initiation carries a timestamp that must increase), which
# would show up as TX rising with RX at 0 -- worth checking on the affected
# units.
set time-zone-name=Asia/Jakarta

/system routerboard settings
set cpu-frequency=1400MHz

/tool mac-server
# MAC-telnet and MAC-WinBox listen on LAN-listed interfaces, which currently
# includes the WG-SurfShark tunnel (see /interface list member).
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

I know I have not routed any traffic from client IPs to the WireGuard tunnel yet.
I tested the WireGuard interface with the Ping tool (ping 1.1.1.1, interface WG-SurfShark) and it TIMED OUT. RX stays at 0 while TX keeps going up.
I will set up the routing over WireGuard after I can ping 1.1.1.1 from the Ping tool.

Confusing post.
Do you have two mikrotik routers you are trying to connect, one with a public IP and one without?
OR
Do you have two WAN connections and neither one works for setting up WireGuard?

Please also confirm you are using your MT as a WireGuard server for the initial handshake and that all the clients are remote users…

Sorry i forgot to detail it.

I have several (more than 10) MTs running as WireGuard clients, connecting to the Surfshark WireGuard VPN server.
Each MT has its own private key, and all the keys are registered with Surfshark.
All the MTs are configured to connect to Surfshark WireGuard, and they route some of the international traffic through Surfshark. My ISP here blocks some sites; the WireGuard tunnel is used to bypass those blocked sites, not to connect the MTs to each other.

Some MTs can connect to Surfshark WireGuard if the WAN is a private IP (MT behind a modem with NAT).

Some of the MTs have a public IP set directly as the WAN address (only one WAN), and I cannot get these MTs to connect to Surfshark WireGuard.

All MTs are MikroTik RB5009s running ROS 7.8, and all of them can ping the Surfshark WireGuard server.


Thank you.

  1. Add the Surfshark interface to the WAN list, not the LAN list. There is no incoming traffic from it to your LAN, so LAN is not appropriate. However, all the users going out to Surfshark from your LAN need to be source-NATed to the single Surfshark IP address you have been given (per connection, i.e. a separate private key and a separate IP address).

  2. The other issue is your mangle rules. What the heck are you trying to do there??? The only one that makes sense to me so far is the first one…
    add action=change-mss chain=forward new-mss=1200 out-interface=WG-SurfShark
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1201-65535

I would use ( personal preference):
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
3. What is this address for its not detailed anywhere??
add address=10.0.0.0/24 list="All IP" ??? EDIT: Is this the L2TP clients coming in???

  1. what is the purpose of these two address lists identifying the whole subnet except 192.168.38.250 ???
    add address=192.168.38.1-192.168.38.249 list="All Client IP"
    add address=192.168.38.251-192.168.38.254 list="All Client IP"

  2. What address is this used for ??? EDIT: Okay its a static public IP for your wan.
    add address=103.113.xx.xx/30 interface="ether8 - CBN 250MB" network=
    103.113.xx.xx

  3. You have a problem: looking at point 5 above, you have entered a static address for your WAN, BUT you also have this…
    /ip dhcp-client
    add interface="ether8 - CBN 250MB"

WRONG: you cannot have both; it is one or the other, so which is it???

  1. More private IP addresses in your firewall address list that make NO SENSE!! ( they do not exist locally )
    Where are they coming from???

add address=192.168.201.99 list=“Internet VPN”
add address=192.168.201.1 list=“Internet VPN”
add address=192.168.201.0/24 list=“All IP”
add address=192.168.87.0/24 list=“All IP”
add address=192.168.199.0/24 list=“All IP”
add address=192.168.99.0/24 list=“All IP”

  1. Your srcnat rule does not define an out-interface, and it is not clear to me why you are restricting it to particular source addresses???
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade"
    src-address-list="All IP"

Why not:
add action=masquerade chain=srcnat out-interface-list=WAN

Assuming:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether8 - CBN 250MB" list=WAN
add interface=WG-SurfShark list=WAN