Issues with Mikrotik acting as WG client

Hi All,

I’m having some issues connecting my hAPac2 to a WG server hosted in my house on a Unifi DM.

I can connect with my PC and mobile without issues, but I can’t with the Mikrotik.

Here is my configuration (hopefully I didn’t miss any important info).

# 2023-10-31 11:33:12 by RouterOS 7.11.2
# software id = ZWBX-KG0E
#

/interface bridge
add name=br-local
/interface wireless
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1420 name=WG1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool1 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=br-local name=dhcp1

/interface bridge port
add bridge=br-local interface=ether2
add bridge=br-local interface=ether3
add bridge=br-local interface=ether4
add bridge=br-local interface=ether5
add bridge=br-local interface=wlan1
add bridge=br-local interface=wlan2

/interface wireguard peers
add allowed-address=192.168.50.1/32,192.168.50.5/32,0.0.0.0/0 comment=UDM \
    endpoint-address=XX.XXX.XX.XX endpoint-port=62930 interface=WG1 \
    public-key="UDM_WG_Server_Public_Key"

/ip address
add address=10.0.0.1/24 interface=br-local network=10.0.0.0
add address=192.168.50.5 interface=WG1 network=192.168.50.5

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.0.1

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=WG1 \
    passthrough=yes protocol=tcp tcp-flags=syn

/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=WG1

/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WG1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no

I can surf Internet.
If I ping the 10.0.0.1 address it works, and it also works if I ping 192.168.50.5.

https://ibb.co/dKczdZY

If I activate the following Route, I can’t surf anymore.

https://imgbb.com/gDSWFM2

Any help on what I’m missing/doing wrong?

Thanks

EDIT: I forgot to mention that I aim to route all the traffic via the WG, so the IP shown will be from my house.
Thanks

Where is the WG located?
We are assuming it’s not at your house, so where is it??

This is incorrect.
/interface wireguard peers
add allowed-address=192.168.50.1/32,192.168.50.5/32,0.0.0.0/0 comment=UDM
endpoint-address=XX.XXX.XX.XX endpoint-port=62930 interface=WG1
public-key="UDM_WG_Server_Public_Key"

What is the purpose of the entry of allowed peers!! Clearly you are just writing numbers down without any knowledge.
https://forum.mikrotik.com/viewtopic.php?t=182340

Also on the HAPAC peer line for the UDM server, you must have persistent-keep-alive set to say 35s.

Hi anav,
thanks for your reply.

The UDM is located at my house, while at the moment I’m abroad.

I will have a look at the thread you quote, but I thought that, in MikroTik, the peer section is also used to connect to the WireGuard server.
But maybe I’ll find the answer in the thread.

On UDM I don’t see a persistent-keep-alive value to set

I tried again (and again) following your post.

In the end, there was always the same issue. Whenever I try to add the route

/ip route
dst-address=0.0.0.0/0 gwy=wg-interface-name table=use-WG

I cannot surf anymore.

I reset the configuration. From scratch I

  • Setup DHCP Client on ether1
  • Create the bridge interface
  • Setup IP to bridge interface
  • Setup the DHCP Server on the bridge interface
  • Input the masquerade rule

I can surf, but when I try to ping the public IP of the WG_Server, from both the Mikrotik and the Macbook terminal, I get a timeout response.

The strange thing is that if I connect the Macbook to the WG_Server using the WG app, it connects, and then I can ping the public IP of the server (only from the Macbook).

This is the actual setup:

CLIENT
ISP Router —> Mikrotik hAPac2 —> Macbook

SERVER (ISP Fiber cable connects directly to the UDM Pro)
UDM Pro hosting the WG server

Not sure the reason why I can’t ping the server

I understand you have a UDM router at home and this device has wireguard Server instance.

You also have a hapac2 but where is it located??
Assuming you have some sort of connection to the internet wherever you use it, whether from a wifi at a hotel or plugged in, matters little.
As stated you have a wireguard client setup on the router to phone UDM home.

I will repeat myself,
For the allowed Peers on the MT client device this is wrong!!
/interface wireguard peers
add allowed-address=192.168.50.1/32,192.168.50.5/32,0.0.0.0/0 comment=UDM
endpoint-address=XX.XXX.XX.XX endpoint-port=62930 interface=WG1
public-key="UDM_WG_Server_Public_Key"

Tell me what you hope to accomplish with the allowed peers you have chosen!! Explain it in words!!
Yes it needs persistent-keep-alive setting on the hapac2, and specifically on the peer settings above for the UDM.

For sourcenat you need
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=WG1

FOR IP route you need

/ip route
add dst-address=0.0.0.0/0 gateway=ether1-gatewayIP routing-table=main
add dst-address=0.0.0.0/0 gateway=WG1 routing-table=useWG

NOW set a fixed static lease on your macbook or PC to an IP of 10.0.0.5/32 (wired for example) and a different one for wifi so you could access local WAN for ex.

Add A table and a Routing Rule
/routing table add fib name=useWG
/routing rule add src-address=10.0.0.5/32 action=lookup table=useWG

The idea being you need to connect to the regular internet and IP route, to create the tunnel and then you want one use to go through the tunnel.
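As an added example (not code from either poster in this thread, and not a MikroTik tool), the checker below parses a RouterOS export and flags the four pitfalls discussed above: 0.0.0.0/0 listed next to redundant /32 entries in allowed-address, a peer without persistent-keepalive, an enabled default route via the WireGuard interface in the main table with no host route for the peer endpoint via the real gateway (the tunnel's own UDP packets would then be routed into the tunnel it is trying to build), an unscoped masquerade rule, and a routing table that no routing rule ever looks up. Both sample exports are constructed: the first reproduces the client config from the opening post with the WG1 default route enabled, the second follows the layout suggested in this reply. The WAN gateway 192.0.2.1 is a placeholder for the real ether1 gateway IP.

```python
import ipaddress
import re

# Constructed sample 1: the hAPac2 export from the first post, default route via WG1 enabled.
CLIENT_EXPORT = """\
/interface wireguard
add listen-port=13231 mtu=1420 name=WG1
/interface wireguard peers
add allowed-address=192.168.50.1/32,192.168.50.5/32,0.0.0.0/0 comment=UDM \\
    endpoint-address=XX.XXX.XX.XX endpoint-port=62930 interface=WG1 \\
    public-key="UDM_WG_Server_Public_Key"
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface=WG1
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=WG1 pref-src="" \\
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
"""

# Constructed sample 2: the policy-routing layout suggested in the reply above.
# 192.0.2.1 is a placeholder for the ether1 gateway IP.
FIXED_EXPORT = """\
/interface wireguard
add listen-port=13231 mtu=1420 name=WG1
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=UDM endpoint-address=XX.XXX.XX.XX \\
    endpoint-port=62930 interface=WG1 persistent-keepalive=35s \\
    public-key="UDM_WG_Server_Public_Key"
/routing table add fib name=useWG
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=WG1
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=WG1 routing-table=useWG
/routing rule add src-address=10.0.0.5/32 action=lookup table=useWG
"""


def parse_export(text):
    """Parse a RouterOS export into (section, verb, {param: value}) tuples.

    Handles backslash line continuations, '#' comments, '[ find ... ]' selectors,
    quoted values and one-line forms such as '/routing table add fib name=useWG'."""
    entries = []
    section = None
    joined = re.sub(r"\\\n\s*", " ", text)  # glue continuation lines back together
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            m = re.match(r"(/[\w-]+(?: [\w-]+)*?)(?:\s+(add|set)\b(.*))?$", line)
            if not m:
                section = line
                continue
            section = m.group(1)
            if not m.group(2):
                continue
            verb, rest = m.group(2), m.group(3)
        else:
            m = re.match(r"(add|set)\b(.*)", line)
            if not m:
                continue
            verb, rest = m.group(1), m.group(2)
        rest = re.sub(r"\[.*?\]", "", rest)  # drop 'set [ find ... ]' selectors
        params = {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S*)', rest)}
        entries.append((section, verb, params))
    return entries


def _rows(entries, section):
    return [p for s, _, p in entries if s == section]


def audit(entries):
    """Return (code, message) findings for the WireGuard-client pitfalls in this thread."""
    findings = []
    wg_ifaces = {p.get("name") for p in _rows(entries, "/interface wireguard")}
    peers = _rows(entries, "/interface wireguard peers")
    routes = [r for r in _rows(entries, "/ip route") if r.get("disabled") != "yes"]
    rules = _rows(entries, "/routing rule")
    endpoints = {p["endpoint-address"] for p in peers if p.get("endpoint-address")}

    for p in peers:
        who = p.get("comment") or p.get("interface", "?")
        nets = [ipaddress.ip_network(a, strict=False)
                for a in p.get("allowed-address", "").split(",") if a]
        if len(nets) > 1 and any(n.prefixlen == 0 for n in nets):
            findings.append(("ALLOWED_REDUNDANT",
                             f"peer {who}: 0.0.0.0/0 already covers every other allowed-address entry"))
        if "persistent-keepalive" not in p:
            findings.append(("NO_KEEPALIVE",
                             f"peer {who}: no persistent-keepalive; a client behind NAT needs it"))

    for r in routes:
        table = r.get("routing-table", "main")
        if r.get("dst-address") == "0.0.0.0/0" and r.get("gateway") in wg_ifaces and table == "main":
            # A host route for the endpoint via a non-WG gateway would keep the tunnel reachable.
            covered = any(rt.get("dst-address") == f"{ep}/32" and rt.get("gateway") not in wg_ifaces
                          for ep in endpoints for rt in routes)
            if not covered:
                findings.append(("DEFAULT_VIA_WG_MAIN",
                                 "default route in main via the WG interface with no host route for the "
                                 "endpoint: the tunnel's own packets are routed into the tunnel"))
        if table != "main" and not any(ru.get("table") == table for ru in rules):
            findings.append(("TABLE_UNUSED", f"routing table {table} is never selected by a routing rule"))

    for n in _rows(entries, "/ip firewall nat"):
        if n.get("action") == "masquerade" and "out-interface" not in n:
            findings.append(("NAT_UNSCOPED",
                             "masquerade without out-interface applies to every outgoing interface"))
    return findings


if __name__ == "__main__":
    for label, export in (("client as posted", CLIENT_EXPORT), ("suggested layout", FIXED_EXPORT)):
        print(f"== {label}")
        for code, msg in audit(parse_export(export)) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Paste the real `/export` output into `CLIENT_EXPORT` to run it against a live config; the checker only reads the export, it never talks to the router.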

I connect the MT to whatever network I found while traveling.
In this case, it’s wired connected to a Movistar (Spanish ISP) modem/router.

I will repeat myself,
For the allowed Peers on the MT client device this is wrong!!
/interface wireguard peers
add allowed-address=192.168.50.1/32,192.168.50.5/32,0.0.0.0/0 comment=UDM
endpoint-address=XX.XXX.XX.XX endpoint-port=62930 interface=WG1
public-key="UDM_WG_Server_Public_Key"

Tell me what you hope to accomplish with the allowed peers you have chosen!! Explain it in words!!

My only aim is to drive all the traffic via the WireGuard interface. I changed it to 0.0.0.0/0

Yes it needs persistent-keep-alive setting on the hapac2, and specifically on the peer settings above for the UDM.

For sourcenat you need
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=WG1

FOR IP route you need

/ip route
add dst-address=0.0.0.0/0 gateway=ether1-gatewayIP routing-table=main
add dst-address=0.0.0.0/0 gateway=WG1 routing-table=useWG

NOW set a fixed static lease on your macbook or PC to an IP of 10.0.0.5/32 (wired for example) and a different one for wifi so you could access local WAN for ex.

Add A table and a Routing Rule
/routing table add fib name=useWG
/routing rule add src-address=10.0.0.5/32 action=lookup table=useWG

I tried with the IP I set for the bridge interface, but when I add this

add dst-address=0.0.0.0/0 gateway=WG1 routing-table=useWG

I can’t surf anymore

I now can see the WG is connecting (the last handshake value starts counting), but it goes back to zero every 5 seconds.

But I don’t understand why if I ping my UDM I can’t get an answer, while if I’m connecting using the Wireguard app via that Macbook it connects w/o problem.

Also, is it normal for the last handshake timer to reset every 5/6 seconds? (video below)

https://jumpshare.com/s/Pg4GpbPjBmNlKxFYucJw