Is Mikrotik RB2011UiAS too old for Wireguard?

rama · February 13, 2024, 9:57am

RB2011UiAS

Firmware Type ar9344
Factory Firmware 3.33
Current Firmware 6.49.12
Upgrade Firmware 7.13.3

Could someone please confirm if RB2011UiAS can support Wireguard.
I have spent the last three days without success trying to connect RB2011UiAS Wireguard with a remote Wireguard (server not Mikrotik). This setup works with MT sxt. I was wondering if RB2011UiAS is too old for Wireguard.

It is only for very low traffic single peer connection. I could not even establish the tunnel connction.

Many thanks

andkar · February 13, 2024, 11:07am

RB2011 runs wireguard just fine. It must be some issue with your config.
Btw current firmware should be upgraded.

rama · February 13, 2024, 11:38am

Great I shall persevere

Cheers

spippan · February 13, 2024, 11:59am

have two online with a S2S wireguard VPN to my RB1100AHx4
no problems regarding support for WG

(keep in mind to not expect big performance numbers there )

rama · February 13, 2024, 12:24pm

Thanks for the feed-back. Struggling a bit at the moment.

RB211------192.168.1.0/24---BThub2--( 192.168.1.254 NAT)----Internet-----WG-server.

Problem:
No tunnel, No ping response from WG server. I suspect its a routing problem.

WG peer on 2011:
Allowed Address: 0.0.0.0/0
Tried srcnat: out-intf:wireguard-intf

Route:

DST-ADDRESS GATEWAY DISTANCE

0 As 0.0.0.0/0 192.168.1.254 1 Default GW to LAN
1 IsH 10.101.206.176/32 remote end :ip 1
DAc 10.101.206.176/32 wg-mt 0 Local wireguard intf
2 As remote end:ip 192.168.1.254 1
DAc 192.168.1.0/24 bridge-ofc 0 Local LAN

Any hint would be appreciated.

tangent · February 13, 2024, 12:34pm

WireGuard behind NAT is a little tricky. Try my config. It’s terminated on a CRS328, and it saturates my 5 Mbit/s uplink without struggling. It might have more CPU than an RB2011, but not a whole lot more.

rama · February 13, 2024, 3:06pm

Thanks for the config. Tired NAT

chain=srcnat action=src-nat to-addresses=192.168.1.254 src-address=10.101.206.176

Still stuck at initiating a tunnel connection. The MT is sending out handshake but not getting any response back. The strange thing is that SXT-SA is working with WG on the same LAN through the 192.168.1.254 gw.

Appreciate your encouragment.

Mesquite · February 13, 2024, 3:46pm

I can “see” its a config error from the rsc file and topology diagram presented.

rama · February 21, 2024, 8:54am

Confirmation:
Wireguard on RB2011UiAS works
Thanks