Mikrotik Wireguard peer does not start on reboot

Hello,

I have set up a Mikrotik peer in a Routerboard RB760iGS running the latest ROS (7.1) connecting to another peer (at home) which is also a RB760iGS running ROS (7.1).

The peer is defined in:

/interface wireguard peer

And the peer works once I have set it up. I am able to use my “road warrior” MikroTik and connect to home and web sites see me coming from my home address. Great!

But when I reboot my road warrior MikroTik, upon reboot, the peer does not “activate”. There are no handshakes and no traffic flows.

I can start the peer by either of these methods: 1) Edit the entry and change something, such as the keep alive or 2) Click on enable

Strangely, the peer is not “disabled” either. It is in a status somewhere in between. Only when I disable it is the entry greyed out in Winbox.

So as a result, I have no internet access unless I go into the road warrior MikroTik and perform one of the two steps above. And then everything works.

What am I missing here? How can the peer be started/enabled on its own after a reboot? Right now it seems to want to be ‘touched’ by a script or human.

This used to be an issue in earlier versions of 7.1rc; I think it was solved in rc6.
Strange it pops up again…

I circumvented it with a script. Maybe it’s because that script is still running I haven’t noticed on the devices which I upgraded to 7.1…

One cannot tease with such a script and then not provide it. Do we have to beg, pray or pay for it? :wink:))
Perhaps one should test your current setup with the script disabled, to ensure we have a consistent issue!

I know.
Was planning to do just that tomorrow.

Yes – please do. Thanks!

Took the easier road and checked the log of the device which is now sitting 105km away from home
Just did a reboot to be sure …

The issue is not there.
Netwatch properly logged status as being down at startup but after 10 seconds the interface came up without assistance.
And that was logged as well.

For archive purposes, this is a script you can use if you do have this problem (raw version which works for me; could be fine-tuned with a proper search for the ITF name, etc.):

# wait for the router to finish booting before touching the peer
:delay 25
# "0" is the peer's item number as shown in Winbox; bounce it to force a fresh handshake
/interface wireguard peer disable 0
:delay 5
/interface wireguard peer enable 0
:log info "WGPeer toggled"

I am not good with all this so can you tell me where/how you implemented this? (Does this run only on startup?) If so how do you do that?

Tool: Netwatch
Host: IP address on the other side of the tunnel
Down script: paste the script from above
Time to check: up to you. I would say 1 to 5 minutes. It should only run after a reboot.

You have a DNS name (not just an IP address) in the peer’s endpoint-address, right? This is still an issue; I have an open issue with SUP-62097.
Looks like the peer does not come up when the first resolve fails. If this happens again, please check if the peer’s current-endpoint-address is empty.
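An added example, not posted by anyone in this thread, that ties the Netwatch toggle together with the current-endpoint-address check just described: instead of bouncing peer number 0 blindly, it looks up the peers of one WireGuard interface (the name "wg-home" is a placeholder assumption) and only toggles those that have a configured endpoint-address but no resolved current-endpoint-address, which is the symptom of a failed first DNS resolve. It is meant to be pasted as a Netwatch down script or run from the scheduler on RouterOS 7.1 and assumes the `/interface wireguard peers` property names listed in the comments.

```routeros
# Added example: re-toggle WireGuard peers whose DNS endpoint was never resolved.
# Assumption: the WireGuard interface is named "wg-home" (placeholder, adjust to yours).
:local wgIf "wg-home"

# Properties used (RouterOS 7 /interface wireguard peers):
#   endpoint-address          - configured hostname or IP of the far end
#   current-endpoint-address  - read-only, the address actually in use (empty if unresolved)
:foreach p in=[/interface wireguard peers find interface=$wgIf] do={
    :local ep  [/interface wireguard peers get $p endpoint-address]
    :local cur [/interface wireguard peers get $p current-endpoint-address]

    # Only act on peers that have an endpoint configured but nothing resolved yet.
    :if (([:len $ep] > 0) && ([:len $cur] = 0)) do={
        :log warning ("WG peer " . $ep . " on " . $wgIf . " has no resolved endpoint, toggling")
        /interface wireguard peers disable $p
        :delay 5s
        /interface wireguard peers enable $p
    } else={
        :log info ("WG peer " . $ep . " on " . $wgIf . " already resolved to " . $cur)
    }
}
```

Because it is keyed on the empty current-endpoint-address rather than on a fixed item number, it keeps working if peers are added or reordered, and it leaves healthy peers alone.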

Interesting, inch worm, that was an early question of mine somewhere in some thread that probably no one from MT read, or ignored.
Firewall address list items, at least for firewall rules, seem to stay up to date. Is there a TTL or some feature where it regularly checks?
I was wondering, if so, whether the router does something similar for WG-associated rules where we use IP Cloud addresses…

Is it a one time thing only??

And that’s why I prefer to use plain ip when possible… it’s simple.

Oh and BTW
That setup of mine also uses ddns name as endpoint.
So it is not a 100% cause.

Same here. Not reconnecting after a failure (keeping my remote devices without communication after the daily reboot).

Hello Community,
I have the same problem. After a reboot or a failure, the peer does not come up automatically.
All firewalls are running RouterOS 7.2rc1.

Regards

The same issue. Only a manual disable/enable of the peer on the server helps to resolve it.
No connection even if I do it via script 110 s after the MikroTik starts. Only a manual disable/enable of the peer… No DNS name in the server configuration.
ROS 7.1rc3

Solution for now.

Alternatively check the script under this heading
(2) MYNETNAME - SPECIAL CONSIDERATION FOR ENDPOINT
found at this link - https://forum.mikrotik.com/viewtopic.php?t=182340

link is not ok :smiley:

What is wrong with the link? Ahh weird, fixed and THANKS!!
Check it out, especially sol/n 2 :slight_smile:

Not sure what scripting you are referring to?
The scripts are to address the case where the client device is rebooted and the WG tunnel connection is attempted prior to MYNETNAME resolving the far-end public IP.
I guess also for any interruption that may occur.