MikroTik WireGuard to Raspberry Pi

Hello friends, I'm struggling to make this work for 2 days now without success. I have WireGuard on a Raspberry Pi 3, and Windows and Android clients connect successfully. I cannot connect with a MikroTik rb2011uias-2hnd-in as a client. I tried all the guides for WireGuard config but nothing, no connection. I don't have a static IP on either side and I use DDNS. Any help is appreciated.

Hi,

Export your wireguard config, and make sure its endpoint-port is correct.
If OK, try making the endpoint-address an IP address (rather than a DNS name); apparently this can cause issues if DNS is not available when wireguard is started.
(Might need a script to stop and then restart wireguard later on startup if this is the problem)

```
/interface wireguard export

/interface wireguard peers
add allowed-address=192.168.98.2/32 endpoint-address=192.168.94.2 endpoint-port=2344 interface=wireguard1 public-key="SomePublicKeyStuff"
```

I have wireguard running on Hex as server, on mAP, mAP Lite and SXT LTE as client.
On mAP and mAP Lite I consequently need to toggle the peer (disable, wait some seconds and then enable again) before the interface kicks into gear for the first time.
On mAP I used a small script with the push button to help with this. I am sure some more advanced scripting can make this work automatically.
Although I do think this is a bug with the current implementation (minor one, I fully realize this is development channel). This interface should start on its own.
Could this be what you are experiencing?

Once it is running, it handles disconnects quite smoothly. Only initial startup needs some special care and love :)

I also tried with an IP address, with the same result.

This is my export

```
[admin@MikroTik] > /interface wireguard export
# jan/02/1970 02:10:25 by RouterOS 7.1rc4
# software id = 6AV9-JQVR
# model = 2011UiAS-2HnD
# serial number =
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=85.178.50.8 endpoint-port=51820 interface=wireguard1 persistent-keepalive=30s public-key="key="
```

Does the MikroTik connect to the ISP modem (aka direct to the ISP and not a router behind the ISP router)?

It is behind the ISP router.

Hi, it sort of seems reasonable.

Some thoughts,

Do you have a static routing entry or rule to route things to the wireguard interface?
Disable that for a while.

In winbox, wireguard / peers, open the peer.

When you enable wireguard, do you get both TX and RX?
If not, stop and fix this (it’s pretty much destination IP address, port and public/private keys, perhaps some route thing).

Do you have an IP address on your wireguard interface? (And also at the Raspberry Pi end.)
Strictly you probably don’t need one, but it likely makes fault finding a bit easier.

e.g.

```
/ip address
add address=192.168.98.10/24 interface=wireguard1 network=192.168.98.0
```

Then in your peer setting change it to: allowed-address=192.168.98.0/24,0.0.0.0/0

(Presumably the raspberry pi might have allowed-address=192.168.98.10,someOtherRange for this peer)

Then ping the raspberry pi (wireguard ip address) from the Router.

If you get that working, the rest is probably ordinary routing issues.

If you have a static routing entry (above), try turning it on again:
do you still get TX/RX, and can you still ping the Raspberry Pi address from the router?
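
Added example, not from any poster in the thread: a Python script that cross-checks a RouterOS export against the Pi's wg-quick file for the mismatches the last reply lists (port, and allowed addresses on both sides). The Pi tunnel address 192.168.98.1/24, the wg-quick file layout and the key placeholders are assumptions, and both sample inputs are constructed.

```python
import ipaddress
import re
import shlex

# Constructed samples (keys are placeholders; Pi address 192.168.98.1/24 is assumed).
ROUTEROS_EXPORT = """\
/interface wireguard peers
add allowed-address=192.168.98.0/24,0.0.0.0/0 endpoint-address=85.178.50.8 endpoint-port=51820 interface=wireguard1 public-key="PI_PUBLIC_KEY_PLACEHOLDER="
/ip address
add address=192.168.98.10/24 interface=wireguard1 network=192.168.98.0
"""
PI_WG_CONF = """\
[Interface]
Address = 192.168.98.1/24
ListenPort = 51820
[Peer]
PublicKey = MIKROTIK_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.98.2/32
"""

def parse_routeros(export):
    # Map each menu path (e.g. '/ip address') to the key=value dicts of its add lines.
    section, out = None, {}
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            pairs = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
            out.setdefault(section, []).append(pairs)
    return out

def wg_values(conf, key):
    # Every value of `key` in a wg-quick file, so repeated [Peer] blocks are all seen.
    return re.findall(rf"^[ \t]*{key}[ \t]*=[ \t]*(\S.*?)[ \t]*$", conf, re.M | re.I)

def covered(addr, allowed_csv):
    # True if addr (prefix length ignored) lies inside any network in the list.
    ip = ipaddress.ip_interface(addr).ip
    nets = [ipaddress.ip_network(n.strip(), strict=False) for n in allowed_csv.split(",") if n.strip()]
    return any(ip in net for net in nets)

def check(export, wg_conf, ifname="wireguard1"):
    ros = parse_routeros(export)
    peer = next(p for p in ros["/interface wireguard peers"] if p["interface"] == ifname)
    tunnel = next(a["address"] for a in ros["/ip address"] if a["interface"] == ifname)
    checks = [(wg_values(wg_conf, "ListenPort") == [peer["endpoint-port"]], "endpoint-port differs from the Pi ListenPort"),
              (covered(wg_values(wg_conf, "Address")[0], peer["allowed-address"]), "Pi tunnel address is outside the MikroTik allowed-address"),
              (covered(tunnel, ",".join(wg_values(wg_conf, "AllowedIPs"))), f"no Pi [Peer] AllowedIPs covers {tunnel}")]
    return [msg for ok, msg in checks if not ok]
```

On the sample inputs `check(ROUTEROS_EXPORT, PI_WG_CONF)` reports only the third mismatch. WireGuard drops decrypted packets whose source address is not in the sending peer's AllowedIPs, so that mismatch shows up as a completed handshake with failing pings.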