Issue with Wireguard connection

Hello there,

My setup is as follows


FritzBox <—-ISP—-> wireguard Tunnel <—ISP—> Mikrotik

The wireguard service on Mikrotik is setup to listen on port 9999, with the required firewall rules defined to accept input packets only for that port.
On the other end, the Fritz connects on that port and exposes port Y for wireguard connection.

The connection works; however, at random times, it drops and the Mikrotik's logs mention that the handshake cannot be completed.

The only way to reset it is to go on the Mikrotik and change the listening port from 9999 to (for example) 9998.

By doing so the connection re-establishes, and I can see on the Fritz side that, despite being configured to connect on port 9999, it has established the connection through 9998.

If after the 'recovery' I switch back again to 9999, it'll work again, until the next 'hang' condition.

Considering that I don't have input rules accepting connections on port 9998, this is extremely odd.

Anyone with similar experience?

Firstly, no advice can be given without the full config of the MT and at least the wireguard settings on the fritzbox:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)

Secondly, your statement is problematic.
The wireguard service on Mikrotik is setup to listen on port 9999, with the required firewall rules defined to accept input packets only for that port.
On the other end, the Fritz connects on that port and exposes port Y for wireguard connection.

ONE device should be set as the wireguard peer SERVER for the handshake and the other should be set up as the wireguard peer CLIENT for the handshake, so one of the above is false.

a. either the MT listens on the port and the fritz doesn't need to have any ports open (as the fritz is the client peer),
OR
b. the fritz needs a port forwarded to it, and listens on that port, and the MT doesn't (being the client peer).
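For concreteness, here is what case (a) above looks like as a RouterOS 7 configuration: the MikroTik is the listening (server) peer on UDP 9999 and the FritzBox is the client peer that initiates the handshake. This is an added example, not the configuration from either poster in this thread; the interface name wg-fritz, the 10.99.0.0/24 tunnel subnet, the 192.168.178.0/24 and 192.168.88.0/24 LAN ranges, the WAN interface list name and the key placeholders are all assumptions.

```routeros
# Added example (not from the thread): MikroTik as the WireGuard server peer, case (a).
# All names, addresses and keys are placeholders / assumptions.

/interface/wireguard
# The MT side needs a fixed listen-port; this is the only UDP port the WAN must accept.
add name=wg-fritz listen-port=9999 private-key="<MT-PRIVATE-KEY>"

/interface/wireguard/peers
# No endpoint-address / endpoint-port on this side: the Fritz is the client peer and
# initiates, so the MT learns the Fritz's public address from the first valid handshake.
# allowed-address lists the Fritz's tunnel IP and the LAN behind it (assumed 192.168.178.0/24).
add interface=wg-fritz public-key="<FRITZ-PUBLIC-KEY>" \
    allowed-address=10.99.0.2/32,192.168.178.0/24 comment="FritzBox (client peer)"

/ip/address
add address=10.99.0.1/24 interface=wg-fritz

/ip/firewall/filter
# Order matters: let established/related traffic through first, then accept only the
# WireGuard listen port from the WAN, then drop everything else arriving from the WAN.
add chain=input action=accept connection-state=established,related,untracked \
    comment="allow return traffic"
add chain=input action=accept protocol=udp dst-port=9999 in-interface-list=WAN \
    comment="WireGuard handshake/data from the Fritz"
add chain=input action=drop in-interface-list=WAN comment="drop all other WAN input"
```

On the Fritz side the peer entry then carries the MT's public key, the MT's WAN address with port 9999 as the endpoint, and AllowedIPs covering 10.99.0.0/24 plus the LAN behind the MT (assumed 192.168.88.0/24); it has no listen port of its own and needs no inbound port forward, because the Fritz sends from an ephemeral source port and the MT replies to whatever address:port the handshake came from. Before posting the export asked for above, check it for keys: depending on the RouterOS version, keys are either stripped by default (and only shown with show-sensitive) or stripped with /export hide-sensitive.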