Hi guys,
I want to know: does MikroTik WireGuard need a public static IP on both sides?
I have a public static IP on one side, but the other side does not have a static IP.
I use my smartphone for one side.
The tunnel has receive but not send.
Nope.
1 side public accessible IP is enough (doesn’t even have to be static).
See here:
https://forum.mikrotik.com/viewtopic.php?t=182340
If still unclear, give a bit more detail on your setup (diagram) and post config of your Mikrotik device (minus serial number, public IP info and secret keys) and your phone.
Flags: X - disabled; R - running
0 R name="wireguard1" mtu=1420 listen-port=24520
private-key="KNcCDU9C4T6psjjUCF7NWUDi9hknw33chc0Q07C0bFF="
public-key="3T1kdtIsnksUBiHOtMJyFBrHxfInvPCaFT+HUJxqZWo="
peer config :
0 wireguard1 qEd6f6QjGwKgOyWXh1vdw5X9PmrCKUDESbvU6Pot3j0= 24520 ::/0
Full config please:
terminal: /export show-sensitive file=
Then post between [__code] quotes.
And REMOVE those Private/public keys from previous post please.
Yes need complete configs from client and server devices.
For mikrotik devices
/export ( minus serial #, and any public IP information and keys LOL)
For non-MT devices,
any public IP info and keys.
R1:
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1412 name=Wi-01
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=Wi-01 public-key="cx/jdfHbcM/UF322qMdVvdpCf7chdo25FLDCypT+LTI="
/ip address
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
add address=10.0.0.2/24 interface=Wi-01 network=10.0.0.0
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
/system routerboard settings
set cpu-frequency=300MHz
R2:
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1412 name=Wi1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=Wi1 public-key="sb9G+/9/BpTKHBfX32Ri2WQ6XhXhl0QaaAGTq7uWgSA="
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=10.0.0.1/24 interface=Wi1 network=10.0.0.0
/ip firewall filter
add action=accept chain=forward dst-port=13231 protocol=udp
Twice it has been asked to post complete config.
Not partial.
This is all the config.
export file
Impossible.
Where is your bridge ?
Where are ethernet interfaces ?
And a dozen of other settings which should at least be there with a default setup ...
It should at least start with something like:
# aug/01/2022 14:41:36 by RouterOS 7.4
# software id = LB29-6B5U
# model = RBD53iG-5HacD2HnD
# serial number =
Don't tell me you started from an EMPTY config (NOTHING in it) and only added the lines above ?
You’ve already found the answer.
If he did so it is quite clear why it does not work.
Yes, both routers were configured from empty. These are 2 new routers, RB751 and RB951, with ROS version 7.5.
# jan/02/1970 03:58:49 by RouterOS 7.5
# software id = 0WJ4-WSVX
# model = 751G-2HnD
# serial number = 2F7A023AFD45
/interface ethernet
set [ find default-name=ether1 ] name="Eth 01 - WAN"
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1412 name=Wireguard
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=Wireguard public-key="cx/jdfHbcM/UF322qMdVvdpCf7chdo25FLDCypT+LTI="
/ip address
add address=192.168.1.2/24 interface="Eth 01 - WAN" network=192.168.1.0
add address=10.0.0.2/24 interface=Wireguard network=10.0.0.0
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
/system routerboard settings
set cpu-frequency=300MHz
# jan/03/1970 03:52:14 by RouterOS 7.5
# software id = LHAV-RQDT
# model = RB951G-2HnD
# serial number = 96500B45E4B2
/interface ethernet
set [ find default-name=ether1 ] name="Eth 01 - WAN"
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=13231 mtu=1412 name=Wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=Wireguard1 public-key="sb9G+/9/BpTKHBfX32Ri2WQ6XhXhl0QaaAGTq7uWgSA="
/ip address
add address=192.168.1.1/24 interface="Eth 01 - WAN" network=192.168.1.0
add address=10.0.0.1/24 interface=Wireguard1 network=10.0.0.0
/ip firewall filter
add action=accept chain=forward dst-port=13231 protocol=udp
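Two properties of exports like the pair above can be checked mechanically: WireGuard only initiates a handshake toward a peer that has an endpoint configured, and packets addressed to the router's own listen port traverse the input chain rather than forward. The script below is an added example, not code from anyone in this thread; `parse_export` and `audit_pair` are hypothetical helper names, and the sample exports are constructed with a placeholder key.

```python
import re

def parse_export(text):
    """Parse a RouterOS export into {menu path: [{param: value}, ...]}."""
    text = re.sub(r"\\\s*\n\s*", "", text)  # rejoin backslash-wrapped lines
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif path and line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus[path].append({k: v.strip('"') for k, v in pairs})
    return menus

def audit_pair(export_a, export_b):
    """Return findings for a two-router WireGuard link (hypothetical helper)."""
    sides = {"A": parse_export(export_a), "B": parse_export(export_b)}
    findings = []
    # WireGuard initiates a handshake only toward a peer with a known endpoint,
    # so at least one side must set endpoint-address (the side that dials out).
    peers = [p for m in sides.values()
             for p in m.get("/interface wireguard peers", [])]
    if not any(p.get("endpoint-address") for p in peers):
        findings.append("no peer sets endpoint-address: neither side can initiate")
    for name, menus in sides.items():
        ports = {w["listen-port"] for w in menus.get("/interface wireguard", [])
                 if "listen-port" in w}
        for rule in menus.get("/ip firewall filter", []):
            # Packets addressed to the router itself traverse chain=input;
            # chain=forward only sees traffic routed through the router.
            if rule.get("dst-port") in ports and rule.get("chain") != "input":
                findings.append(f"{name}: listen-port rule is in "
                                f"chain={rule.get('chain')}, not input")
    return findings

# Constructed sample exports modelled on the configs above (placeholder key).
R1 = '''/interface wireguard
add listen-port=13231 mtu=1412 name=Wireguard
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=Wireguard public-key=\\
    "PEER_PUBLIC_KEY_PLACEHOLDER"
/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp
'''
R2 = R1.replace("chain=input", "chain=forward")

if __name__ == "__main__":
    for finding in audit_pair(R1, R2):
        print(finding)
```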
<Oh Boy … >
Reset to default settings and start over applying wireguard config ON TOP of existing config.
Then report back if it works or not.
Both routers were reset with no default config.
Same problem still.
I did not say "no default config".
You need the default config.
Why do I need the default config?
I did a basic config on my router. It's not a complex thing. The WireGuard tunnel runs, but when I ping each tunnel side it times out.
I think it is not related to the basic config at all.
You come here asking for help and then state, I don't want your help.
A config is made up of many parts working together…
If you cannot understand that then you have lots to learn about MT configs before even looking at wireguard!
(somebody beat me to it…)
If you are so certain, why do you come here for assistance ?
How do you think that tunnel is going to be setup and working if the basic networking part has not been configured ?
I’ll put it otherwise, maybe that makes it more clear:
How do you think you can drive a normal car if no roads have been made available to drive on or if the car was not equipped with tires ?
You’re not !
Read this part from the Mikrotik Help pages:
https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-Applicationexamples
I will highlight:
Two remote office routers are connected to the internet and office workstations are behind NAT. Each office has its own local subnet, 10.1.202.0/24 for Office1 and 10.1.101.0/24 for Office2.
This assumes (apart from wireguard) two WORKING configurations.
And then you add wireguard …
Fixed it for ya…
Made my reply a bit more clear.
And now I’m outta here … this is beyond comprehension.