mikrotik hex as wireguard client not working

I have the following config file prepared and tested on my WireGuard server. My WG server has an Asus router,
a Linux server, iOS iPhones, Windows PCs and MacBook notebooks connected.

here is my config prepared for Mikrotik hex:

[Interface]
PrivateKey = [given private key]
Address = [hex ipv4addr]/32,[hex ipv6addr]/128

[Peer]
PublicKey = [given public key]
PresharedKey = [given preshared key]
Endpoint = [my wg server]:51820
AllowedIPs = [wg ipv4 range]/24,[wg ipv6 range]/112

now I did:

/interface wireguard
add name=wg0 listen-port=51820 private-key="[given private key]"

/ip address
add address=[hex ipv4addr]/32 interface=wg0

/ipv6 address
add address=[hex ipv6addr]/128 interface=wg0

/interface wireguard peers
add interface=wg0 public-key="[given public key]" preshared-key="[given preshared key]" endpoint-address=[my wg server] endpoint-port=51820 allowed-address=[wg ipv4 range]/24,[wg ipv6 range]/112


and result is this in hex (visible from WebFig)


[Interface]
ListenPort = 51820
//invalid Private key
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEA=
//invalid ip
Address = 192.168.177.2/24

[Peer]
PublicKey = [!!!invalid key!!!]
AllowedIPs = 0.0.0.0/0, ::/0
PresharedKey = [given preshared key]

Almost everything is wrong. Is there any way to properly set up WG as a client of my VPN VLAN, please?

BTW it is extremely hostile and unfriendly to setup for beginners :frowning:

A.

Please update your HEX to latest 7.18.2, do upgrade (system - router board, upgrade), reboot and repeat thru winbox.
Seems you do right things.
All you need to do to make sure HEX wg client is working:

  1. Main menu - wireguard - 1st tab: Add wg interface (wg0) with the private key provided from the client config, section [interface].
  2. Main menu - wireguard - 2nd tab (peers): Add peer (assigned to the wg0 interface created) with public key, preshared key, endpoint ip, port, allowed addresses like 0.0.0.0/0 and keepalive timeout, from the client config, section [peer].
    Then check status and time of last handshake of peer created.

All above you can do thru winbox 3.41, gui, easy copy-paste: main menu - wireguard.

If everything’s ok, then you may proceed to assigning ip address for wg0 interface and doing some routings or manglings.

What is your firewall configuration? Create one like in my example and everything will work for you. Wireguard tunnel configuration tutorial will be here -https://mikrotikmasters.com/mikrotik-to-mikrotik-wireguard-tunnel/

/ip firewall address-list
add address=192.168.177.0/24 list=Authorized
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=wireguard list=LAN

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="WireGuard traffic" dst-port=13231 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Authorized
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related connection-mark=no-mark
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WireGuard to LAN" in-interface=wireguard dst-address=192.168.177.0/24
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

It is not clear what you are doing on the hex as you dont provide an actual config… nor is it clear what you are connecting to, a third party provider, your own server somewhere??
Nor are the requirements stated, what is the purpose of the wg connection for the hex… to reach internet through remote site, to reach subnets on remote site, or for others to reach hex LAN etc… or to config remote site, or to be able to config hex remotely…


/ip address
add address=[hex ipv4addr]/32 interface=wg0

TO:
/ip address
add address=[hex ipv4addr]/24 interface=wg0

first, thank U very much for super fast response, I appreciate it very much

I updated MikroTik hex S to latest routerOS
deleted everything previous and ran the same commands again from bash
The UI looks a bit different now, I can see the entered values, but still no traffic at all

Setup is still much different to linux, OSX, iOS, android all…
To make sure that configuration is ok, I imported it to my android phone and it started immediately ok.

any hint please ? do I need to setup firewall (there is nothing as firewall in webui menu) ?

FYI,
most web tutorials about MikroTik and WG are not suitable for me. My HEX is on an IPv4 net behind NAT :frowning:

I am a Linux devops and I decided to do a HEX evaluation as we think of it as a replacement for Aruba SD WAN (70 pcs). I am not into routerOS… but in my situation it seemed cheapest and easiest to try the evaluation myself… maybe it's not a good idea :frowning:

It's an excellent cheap wireguard device as a host and it's easy to set up.
You just have to be clear on the requirements and a network diagram also helps in planning.

Well, if the device is connected to the internet and has no firewall properly set, it might soon become a problem if it is not already.
You shouldn’t even THINK of connecting a Mikrotik device to the internet without a firewall configured.
But the default configuration of Mikrotik SoHo devices, such as the hex, comes with a pre-installed default firewall, good enough in 99.9% of cases, so unless you removed it, it should be there.

Check the basic rules:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1

Do read here instructions on how to export your configuration and post it for review:
http://forum.mikrotik.com/t/forum-rules/173010/1

Hi Jaclaz, I assumed the OP, when he stated he was behind NAT, meant that the hex was behind an upstream router ( aka ISP or own )??

What is the status of peer?
Last handshake time?
Logs?

There are firewall rules, winbox gui ip->firewall, 1st tab.
Try to disable all the firewall rules temporarily.

thanks for reactions.

I think biggest blocker is, that I am not in routerOS and I use chat GPT to search for commands for diagnostics

I've disabled all FW rules from UI: IP -> firewall select all, disable all

here is what I got in hex:
/ip address print where interface=wg0
Columns: ADDRESS, NETWORK, INTERFACE

ADDRESS NETWORK INTERFACE

0 [hex ipv4addr]/32 [hex ipv4addr] wg0

/ipv6 address print where interface=wg0
Flags: D - DYNAMIC; G - GLOBAL, L - LINK-LOCAL
Columns: ADDRESS, INTERFACE, ADVERTISE

ADDRESS INTERFACE ADVERTISE

0 DL fe80::b721:6755:6fd0:e811/64 wg0 no
1 G [hex ipv6addr]/128 wg0 no

/interface wireguard print detail
Flags: X - disabled; R - running
0 R name="wg0" mtu=1420 listen-port=51820 private-key="[given private key]" public-key="[here I have public key that is stored on my WG server??]"

/interface wireguard peers print detail
Flags: X - disabled; D - dynamic
0 interface=wg0 name="peer1" public-key="[given public key]" private-key="" endpoint-address=[my wg server] endpoint-port=51820
current-endpoint-address=[correct ipv4 addr] current-endpoint-port=51820 allowed-address=[correct ranges for ipv4 and ipv6]
preshared-key=[given preshared key] client-endpoint="" rx=0 tx=0

I can ping ok my WG server over ipv4
/ping [my wg server DNS name] interface=ether1 count=3
SEQ HOST SIZE TTL TIME STATUS
0 xxx.xx.xx.xxx 56 57 3ms159us
1 xxx.xx.xx.xxx 56 57 2ms875us
2 xxx.xx.xx.xxx 56 57 2ms860us
sent=3 received=3 packet-loss=0% min-rtt=2ms860us avg-rtt=2ms964us max-rtt=3ms159us

but that's all, no connection established , no data transfer

is there a way to import WG config through QR code as with phone or at least import my hex.conf file directly ?
I have no idea whether there is problem in my configuration (entered over cli) or something else in hex.. or maybe in our network, I can't even test if UDP conn can establish (chatgpt gives wrong commands), very very frustrating.

We also have no idea until you post your configuration; after that, maybe.

No
I explained here:
http://forum.mikrotik.com/t/mikrotik-hex-as-wireguard-client-not-working/183469/2

  1. Main menu - wireguard - 1st tab: Add wg interface (wg0) with the private key provided from the client config, section [interface].
    Do not enter anything else except the private key !!!
    Indeed, the public key will show after creation, and it will correspond to the server config public key, section [peer] for this particular client (there are many clients you can create at the server side).
  2. Main menu - wireguard - 2nd tab (peers): Add peer (assigned to the wg0 interface created) with public key, preshared key, endpoint ip, port, allowed addresses like 0.0.0.0/0 and keepalive timeout, from the client config, section [peer].
    Then check status and time of last handshake of peer created.

Just a couple of clicks, no significant advantages of QR

You are hiding too much information.
The only thing you should hide is endpoint IP address.
The rest (private key, public key, preshared) you can re-generate with wireguard after a successful debug and launch.
There is no need to hide things like “allowed-address=[correct ranges for ipv4 and ipv6]”

just to make it clear

I NEVER entered any other values except those I sent as cli commands in my first post = not even public key to WG interface, only public key for peer.
WG server I use is my private with 10+ stations behind,…

I didn't expect such troubles with HEX :frowning:, I have to rethink the test environment, of course outside of my production WG VPN :slight_smile: to be able to share all necessary details.

thank you for your help

A.

I've started from the very beginning…

  1. test the RJ45 socket and network (as we have 802.x applied and only natted ipv4 available)
    mikrotik is connected to RJ45 wall socket H024B
    [admin@MikroTik] /interface/wireguard/peers> /tool/ping address=seznam.cz count=5 interval=200ms
    SEQ HOST SIZE TTL TIME STATUS
    0 77.75.79.222 56 57 2ms485us
    1 77.75.79.222 56 57 2ms274us
    2 77.75.79.222 56 57 2ms309us
    3 77.75.79.222 56 57 2ms206us
    4 77.75.79.222 56 57 2ms230us
    sent=5 received=5 packet-loss=0% min-rtt=2ms206us avg-rtt=2ms300us max-rtt=2ms485us

  2. replace hex with linux workstation (z83-4) and test wg0.conf with mikrotik client setup
    plugged z83-4 workstation (with working wg client) to the H024B socket
    wg-quick up wg0 (z83-4 has now its own wg0.conf), connection established and WG server reports z83-4 wg client active and connected now
    then wg-quick down wg0, replace z83-4 wg0.conf with the mikrotik wg0.conf prepared for mikrotik (still in H024B socket), wg-quick up wg0, connection established and WG server reports mikrotik wg client active and connected

  3. tried to use mikrotik webui to add mikrotik wg0.config
    replug HEX to H024B
    in webui Files → Upload, wg0.conf ok (the same file I used to replace in linux z83-4 workstation)
    Wireguard → WG Import, select wg0.conf ok, no error, but no communication in wireguard or peer tx/rx and WG server reports mikrotik wg client inactive and NOT connected
    removed all from HEX and tried doing same over command line (just for sure), with same result

this leads to conclusion:
HEX webui menu for import WG config is not working (req. report bug)
MikroTik CAN'T work as wireguard client for a non-mikrotik server (RPI5 in my case)

all your promo videos show that U can interconnect 2 HEX easily, which is something I can't test, but no video shows my setup

may be I’ll have better luck with different router board :frowning:

Hi,

I have used Mikrotiks in this way many times, so it’s definitely possible :slight_smile: I have no experience with the hEX S, but they all run the same software, so in terms of Wireguard, there will be no differences.

I wouldn’t use the wg import function, but configure the tunnels manually. The import is there mainly for compatibility reasons, but what it does exactly is not totally clear. It’s only a few commands anyway.

Also, I would mostly refrain from using ChatGPT blindly. It usually gives bad advice for networking stuff, and particularly for RouterOS.

Your first task is getting the handshake to succeed. That you have no “last handshake” showing in the peer “print details” command shows that no handshake is completed. (You also have this visible in the GUI.)

I suggest the following steps:

  1. Set a reasonable “persistent keepalive” value. 10s should suffice. (This should also be set in your config for non-Mikrotik devices btw.) Does the “last handshake” value appear? If it doesn't, that means that either the server is unreachable or the keys mismatch.
  2. Route addition is not done automatically on Mikrotik (again, afaik; Table=auto is the default in wg-quick, which adds routes based on AllowedIPs). You have two ways to add it, the simplest being setting the address not as /32 but as /24 and similarly for ipv6. The other is to add explicit routes.
  3. If you wish for the server side to be able to initiate connections towards the Mikrotik, setup your firewall to allow traffic from the wg tunnel to your router. On the default firewall this can be done by adding the wg interface to the LAN interface list.
  4. Export and post your full configuration. Redact as necessary, but not too much.
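As an added example (not from this thread, MikroTik or any poster), here is a small Python script that does by hand what the thread's two-tab walkthrough and steps 1 and 2 above describe: parse a wg-quick `[Interface]`/`[Peer]` file, reject any key that is not a 44-character base64 string (which is what happens when curly quotes or a placeholder end up pasted around a key), and print the RouterOS v7 commands with only the private key on the interface, `persistent-keepalive` on the peer, and explicit routes for each `AllowedIPs` prefix instead of the /24 address trick. The sample config, its keys, addresses and endpoint are constructed placeholders; the emitted property names are the ones that appear in this thread.

```python
"""Convert a wg-quick client config into RouterOS v7 CLI commands.

Added example for the thread, not MikroTik code. Assumptions: one [Interface]
section, at least one [Peer] with an Endpoint, RouterOS v7 property names as
used in the thread (private-key, public-key, preshared-key, endpoint-address,
endpoint-port, allowed-address, persistent-keepalive) and routes with the
interface name as gateway.
"""
import base64
import ipaddress
import re
from typing import Dict, List

# Constructed placeholder keys (32 bytes of 0x01/0x02/0x03, base64-encoded):
# the right shape for WireGuard keys, but not real key material.
PLACEHOLDER_PRIVATE_KEY = base64.b64encode(bytes([1] * 32)).decode()
PLACEHOLDER_PEER_PUBLIC_KEY = base64.b64encode(bytes([2] * 32)).decode()
PLACEHOLDER_PRESHARED_KEY = base64.b64encode(bytes([3] * 32)).decode()

# Constructed sample in the layout the original poster used; addresses are
# documentation ranges (RFC 5737 / RFC 3849) and the endpoint host is invented.
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {PLACEHOLDER_PRIVATE_KEY}
Address = 192.0.2.10/32, 2001:db8:1::10/128

[Peer]
PublicKey = {PLACEHOLDER_PEER_PUBLIC_KEY}
PresharedKey = {PLACEHOLDER_PRESHARED_KEY}
Endpoint = vpn.example.net:51820
AllowedIPs = 192.0.2.0/24, 2001:db8:1::/112
PersistentKeepalive = 10
"""

_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")


def looks_like_wg_key(value: str) -> bool:
    """A WireGuard key is 32 bytes: exactly 44 base64 characters ending in '='.
    Curly quotes, brackets or placeholders around it make it fail here instead
    of turning into an 'invalid key' on the router."""
    return bool(_KEY_RE.match(value))


def parse_wg_conf(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Minimal [Interface]/[Peer] parser: strips # comments, lower-cases keys,
    joins repeated keys (wg-quick allows several AllowedIPs lines) with commas
    and validates every key value before anything is emitted."""
    sections: Dict[str, List[Dict[str, str]]] = {"Interface": [], "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(Interface|Peer)\]", line)
        if header:
            current = {}
            sections[header.group(1)].append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        current[key] = f"{current[key]},{value}" if key in current else value
    if len(sections["Interface"]) != 1 or not sections["Peer"]:
        raise ValueError("need exactly one [Interface] and at least one [Peer]")
    if not looks_like_wg_key(sections["Interface"][0].get("privatekey", "")):
        raise ValueError("PrivateKey is not a valid WireGuard key")
    for peer in sections["Peer"]:
        for name in ("publickey", "presharedkey"):
            if name in peer and not looks_like_wg_key(peer[name]):
                raise ValueError(f"{name} is not a valid WireGuard key")
    return sections


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


def _split_endpoint(endpoint: str):
    host, _, port = endpoint.rpartition(":")  # handles host:port and [v6]:port
    return host.strip("[]"), int(port)


def routeros_commands(conf, ifname: str = "wg0", add_routes: bool = True) -> List[str]:
    """Emit RouterOS commands. Only the private key goes on the interface (a
    client behind NAT needs no listen-port); routes for each AllowedIPs prefix
    are added explicitly, since RouterOS does not derive them from allowed-address."""
    iface = conf["Interface"][0]
    cmds = [f'/interface/wireguard add name={ifname} private-key="{iface["privatekey"]}"']
    for addr in _csv(iface.get("address", "")):
        ip = ipaddress.ip_interface(addr)
        family = "/ip" if ip.version == 4 else "/ipv6"
        cmds.append(f"{family}/address add address={ip.with_prefixlen} interface={ifname}")
    for peer in conf["Peer"]:
        allowed = _csv(peer.get("allowedips", ""))
        host, port = _split_endpoint(peer["endpoint"])
        parts = [f"/interface/wireguard/peers add interface={ifname}",
                 f'public-key="{peer["publickey"]}"']
        if "presharedkey" in peer:
            parts.append(f'preshared-key="{peer["presharedkey"]}"')
        parts += [f"endpoint-address={host}", f"endpoint-port={port}",
                  f"allowed-address={','.join(allowed)}"]
        keepalive = peer.get("persistentkeepalive", "10")  # 10s as the thread suggests
        parts.append(f"persistent-keepalive={int(keepalive)}s")
        cmds.append(" ".join(parts))
        if add_routes:
            for prefix in allowed:
                net = ipaddress.ip_network(prefix, strict=False)
                family = "/ip" if net.version == 4 else "/ipv6"
                if net.prefixlen == 0:
                    # A default route via the tunnel would also capture the encrypted
                    # packets to the endpoint; that needs policy routing, not done here.
                    cmds.append(f"# {net} skipped: full-tunnel default route needs a separate routing table")
                    continue
                cmds.append(f"{family}/route add dst-address={net.with_prefixlen} gateway={ifname}")
    return cmds


if __name__ == "__main__":
    for cmd in routeros_commands(parse_wg_conf(SAMPLE_CONF)):
        print(cmd)
```

Run it against a real client file and paste the output into a terminal session; the check on the peer afterwards is the same as in the thread: `/interface/wireguard/peers print detail` should show a last handshake and non-zero rx/tx once the keepalive has fired.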

For the mother of god this !!!
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )

Also a network diagram to show the relationship between devices…