I did a simple RoadWarrior-style configuration where a mobile client connects to the Internet via MikroTik and WireGuard.
Initially this configuration worked, but after a while it started to throw errors:
22:33:32 wireguard,debug wireguard1: bQe944f7N4kCSXROQcDf1kheES0gTHzSsvGiUtZWUWQ=: Handshake for peer did not complete after 5 seconds, retrying (try 10)
I understood the handshake should be at 25 sec.
At least that is the general recommendation for devices behind a firewall.
Already tried that on both sides?
You can't have the same allowed-address=192.168.99.0/24 for multiple peers on the same interface; it should be allowed-address=192.168.99.X/32 (where X is what that peer has).
Concur, my iPhone setting is ONE address,
thus your peer setting for allowed addresses
on MT PEER SETTINGS
Android
/interface wireguard peers
add allowed-address=192.168.99.X/32 comment="OnePlus 7" interface=wireguard1 \
    persistent-keepalive=1m public-key=
add allowed-address=192.168.99.Y/32 comment="iPhone 11" interface=wireguard1 \
    persistent-keepalive=1m public-key=
For example on my iPhone I use 10.2.0.2/32
Nothing wrong with having the endpoint address on the iPhone or Android peer settings be 0.0.0.0/0, as one wants Internet through the MT WG server location.
The other issue could be routes… WHERE ARE THEY??
At a minimum you need dst-address=192.168.99.0/24 gateway=wireguard1 table=main
This also looks suspect:
add action=masquerade chain=srcnat comment="WireGuard → Internet" \
    out-interface=ether1-wan src-address=192.168.99.0/24
There is no need to masquerade traffic coming from your iPhone out to the Internet??
I suppose it cannot hurt, but not sure what you accomplish with it???
UNLESS your MT is behind another router, like an ISP router, where you cannot create a static route??
Assuming that is true, then at least you can forward ports; otherwise the MT couldn't be an MT WG server.
note1: This is not best security practice; it is not recommended to use plain-text services
/ip service
set telnet address=192.168.88.0/24
set ftp address=192.168.88.0/24
set www port=81
note2: This does not look like a legitimate rule. If it was for the establishment of an encrypted connection (VPN) it would be in the input chain;
if it was for port forwarding to a server it would be in the dst-nat chain.
add action=accept chain=forward dst-port=443 in-interface=ether1-wan \
    log-prefix="fw-log → " protocol=tcp
It seems that changing from network to host alone worked, but I am confused why.
Documentation is not very descriptive on WireGuard, and using networks seems to be a more flexible configuration for many clients when I do not care about specific IPs.
Running joke/discussion around here between anav and Sob.
anav seems to be amongst the very few (if not the only one) insisting on NOT using internal IP addresses on WG endpoints (which BTW DOES work without on MikroTik-to-MikroTik connections, no discussion there, but it's mighty confusing for most people).
But for the connection from his iPhone he has to, or it will not work.
Yes, I forgot about the IP address w.r.t. not needing the IP route.
I prefer to use routes rather than IP addresses. IP addresses confuse me LOL
For the record, Holvoeten, I don't espouse anything on non-MT devices. My iPhone has an IP address assigned to it, so that on my MT I can know which IP is coming through the tunnel.
Not necessarily the case for MT devices, where I care about the IP addresses of individual devices coming through, not one, and not necessarily just one subnet; I could care less what the IP address of the WG interface is.
In this case the issue was PEER overlap, probably caused by over-reliance on IP addresses and WG interfaces.
The catch is that when you have multiple peers connected to the same interface, the router must use something to determine what it should send to which client. If you have allowed-address=192.168.99.0/24 for both and there's a packet to 192.168.99.x, should it go to the first one or the second one? It's impossible to choose. If there's only one peer (e.g. on the client side), then the whole subnet is fine, as all will be sent to the server and it can do routing between clients.
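To make that point concrete, here is a small Python model of WireGuard's cryptokey routing table. It is example code added for this page, not code from the thread or from RouterOS. It applies the three rules the design is built on: every allowed-address prefix has exactly one owning peer, an outbound packet goes to the peer owning the longest prefix that contains its destination, and a decrypted inbound packet is accepted only if its inner source address lies within the sending peer's allowed addresses. The peer names and the .2/.3 host addresses are constructed sample values, and the rule that a later peer claiming an already-owned prefix takes it over from the earlier one is an assumption modelled on the Linux kernel implementation; the point survives either way, because a prefix can never point at two peers.

```python
import ipaddress

# Added example (not from the thread or from RouterOS): a model of WireGuard's
# cryptokey routing, the structure that replaces "routing" between peers on
# one interface.


class CryptokeyRoutingTable:
    def __init__(self):
        # prefix -> owning peer; a prefix can never belong to two peers
        self._owner = {}

    def add_peer(self, name, allowed_addresses):
        for text in allowed_addresses:
            prefix = ipaddress.ip_network(text, strict=False)
            # Assumption: a second peer claiming an already-owned prefix takes
            # it over (this mirrors the Linux kernel's conflict resolution).
            self._owner[prefix] = name

    def peer_for_destination(self, dst):
        """Longest-prefix match: which peer receives a packet for dst?"""
        ip = ipaddress.ip_address(dst)
        best_prefix, best_peer = None, None
        for prefix, peer in self._owner.items():
            if ip in prefix and (best_prefix is None
                                 or prefix.prefixlen > best_prefix.prefixlen):
                best_prefix, best_peer = prefix, peer
        return best_peer

    def accepts_inbound(self, peer, src):
        """Is a decrypted packet from `peer` with inner source `src` allowed?"""
        ip = ipaddress.ip_address(src)
        return any(ip in prefix
                   for prefix, owner in self._owner.items() if owner == peer)


def server_overlapping():
    """The original setup: both road-warrior peers claim the whole /24."""
    table = CryptokeyRoutingTable()
    table.add_peer("OnePlus 7", ["192.168.99.0/24"])
    table.add_peer("iPhone 11", ["192.168.99.0/24"])
    return table


def server_host_routes():
    """The fix: one /32 per peer (.2 and .3 are constructed sample values)."""
    table = CryptokeyRoutingTable()
    table.add_peer("OnePlus 7", ["192.168.99.2/32"])
    table.add_peer("iPhone 11", ["192.168.99.3/32"])
    return table


def client_single_peer():
    """Client side: a single peer may carry 0.0.0.0/0; nothing is ambiguous."""
    table = CryptokeyRoutingTable()
    table.add_peer("MT server", ["0.0.0.0/0"])
    return table


def explain(table, peers_and_addresses):
    """For each (peer, its tunnel address): where the router would send
    traffic for that address, and whether packets from that peer are let in."""
    result = {}
    for peer, addr in peers_and_addresses:
        result[peer] = {
            "outbound_to": table.peer_for_destination(addr),
            "inbound_accepted": table.accepts_inbound(peer, addr),
        }
    return result


if __name__ == "__main__":
    phones = [("OnePlus 7", "192.168.99.2"), ("iPhone 11", "192.168.99.3")]
    print("overlapping /24:", explain(server_overlapping(), phones))
    print("per-peer /32:   ", explain(server_host_routes(), phones))
    print("client 0/0:     ", explain(client_single_peer(),
                                       [("MT server", "8.8.8.8")]))
```

With the overlapping /24 the second peer ends up owning the prefix, so the router sends the OnePlus's traffic to the iPhone and drops packets arriving from the OnePlus because their source is no longer in its allowed addresses; that is the state in which a handshake keeps retrying. With one /32 per peer every address has exactly one owner, and on the client side 0.0.0.0/0 is fine because there is only one peer to choose from.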