# jul/11/2022 12:12:36 by RouterOS 7.4rc2
# software id = AP1J-KID8
#
# model = RBmAPL-2nD
# serial number = FACA0F65D6AA
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface wireguard peers
add endpoint-address=<mywgpeer> endpoint-port=<myport> interface=wireguard1 \
public-key="<mykey>"
/ip address
add address=10.23.1.59/24 interface=ether1 network=10.23.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat
/system clock
set time-zone-name=America/Los_Angeles
This was after doing another reset config with no defaults. I then re-configured a wireguard setup - again, nothing happens. As in - this mAP lite appears to never reach out to the wireguard peer and attempt to connect. I see no log lines indicating anything.
Just for fun I tried configuring a IPSec link - that worked fine.
Can you also specify (drawing might be easier) how this map lite is going out to internet ?
Connected via Wifi or Ethernet ?
Is the device (from terminal) able to get outside (ping using IP and name) ?
How are you planning to use this device with wireguard ?
To connect what to where ?
As it is now, it is really just a Proof of Concept and nothing more
Please provide drawing with the big picture and the building blocks. Much easier then a wall of text.
Things I’m already missing:
no bridge ?
your wireguard interface does have a private key, I assume ? It’s not shown (not even redacted).
peer definition: what allowed IP addresses are to be used ?
peer definition: public key has been defined ? It’s not shown.
The ML will act as a wireless adapter/bridge for a IoT appliance that has an ethernet port. There’s existing wifi in the building.
By bridge - are you referring to the “standard” bridge for a Mikrotik device? There used to be one - after the new config with no defaults there isn’t one. Since there’s only one port on this device, and I’m not going to be bridging the wifi/ethernet/wireguard, I ASSuMEd that no bridge would be immediately required. I’m happy to do another reset to defaults and enable the standard config.
Peer - this device will be 10.23.1.59. It should talk on my 10.23.1.0/24 wireguard network - that’s how all my other devices work.
Public/private - should be there…
when I do a “export show-sensitive” I see the public-key without mention of the private. When I do a “print detail” I see a private key. I just use whatever keys get auto-generated when I create the wireguard interface.
Correct. That will be the final config. But first I need wireguard working regardless - it shouldn’t matter whether the internet connection is wired or wireless.
First, your Interface wireguard1 needs an IP address. But I can’t see how your wireless, Ethernet and wireguard could communicate when there is nothing like a bridge configured.
If I was having problems fowarding/communicating between interfaces then I’d agree. But my problem is the wireguard interface never initiates communication to the peer. I’ve never seen that before.
Is internet access working normally on that device ?
No internet access. No wireguard.
Unless your complete wireguard setup is running on private equipment ?
You need a WAN port ( wifi) connected to an existing AP.
Test if ping works using ip and name.
Only if that works, you can look at wireguard.
Once wg works, bridge wg and eth together.
When wg itf starts and dns is not working, it will not, I repeat NOT, retry until peer status is toggled.
Only then it tries again.
That’s the current way Mikrotik made it.
But that also is consequence of a non functional network… no DNS from the start.
Internet access for ML is fine. It has working DNS, resolves hostnames, and can ping without issue. I have toggled peers and wireguard interface repeatedly - no change.
My problem is the wireguard interface never even attempts to begin handshaking. This isn’t a routing/address/firewall/bridge problem - at least to my ignorant eyes. The wireguard service simply appears to never actually start.
This is not my first wireguard setup, nor my first Mikrotik wireguard setup. It is my first run with a mAP Lite - which shouldn’t have anything to do with this but it’s all I can point to. It’s also my first run with 7.4rc2 - maybe I should drop back to 7.3.1.
I sincerely appreciate any and all help. But I fail to see the relevance of most of these questions. Once I get a wireguard even attempting to handshake - then these questions become far more pertinent. But since the ML has a network connection, it has an internet connection, it has DNS, it can ping the intended wireguard peer, it can resolve the hostname of the wireguard peer, and there are no firewall lines that would block wireguard since there are no firewall lines at all - something’s broken. It might be me.
Unlike other VPN types, Wireguard is by default silent. If there’s no traffic trying to use its interface, it does not try to contact peers (unless you set keepalive for them).
