Multiple WireGuard interfaces do not allow the same public key

Dear Forum,

Currently I am fighting with the following problem.
My VPN provider offers different servers to which I can connect via WireGuard. For each server it provides me with the necessary keys, IPs and ports.
For each server I want to connect to, I create a different interface with a different peer:

interface/wireguard

 0 X  name="GermanyVPN" mtu=1420 listen-port=63000 private-key="y...." public-key="..."
 1 X  name="UnitedKingdomVPN" mtu=1420 listen-port=63000 private-key="..." public-key="..."

interface/wireguard/peers

 0 X  interface=GermanyVPN public-key="..." endpoint-address=... endpoint-port=63000 allowed-address=0.0.0.0/0 persistent-keepalive=15m
 1 X  interface=UnitedKingdomVPN public-key="..." endpoint-address=... endpoint-port=63000 allowed-address=0.0.0.0/0 persistent-keepalive=15m

Now I want to add a third interface with a third peer:

interface/wireguard

 0 X  name="GermanyVPN" mtu=1420 listen-port=63000 private-key="...." public-key="..."
 1 X  name="UnitedKingdomVPN" mtu=1420 listen-port=63000 private-key="..." public-key="..."
 2 X  name="UnitedStatesVPN" mtu=1420 listen-port=63000 private-key="..." public-key="..."

interface/wireguard/peers

 0 X  interface=GermanyVPN public-key="AAAAA" endpoint-address=... endpoint-port=63000 allowed-address=0.0.0.0/0 persistent-keepalive=15m
 1 X  interface=UnitedKingdomVPN public-key="BBBBB" endpoint-address=... endpoint-port=63000 allowed-address=0.0.0.0/0 persistent-keepalive=15m
 2 X  interface=UnitedStatesVPN public-key="BBBBB" endpoint-address=... endpoint-port=63000 allowed-address=0.0.0.0/0 persistent-keepalive=15m

As it happens, peer 1 and peer 2 have the same public key, which is okay since they are using different interfaces. But MT does not allow me to add peer 2 and gives the following error:

failure: entry already exists

What am I doing wrong? I should be able to use the same public key for different peers on different interfaces, right?

Actually it is not OK.
Within the same device you cannot have 2 peers (on different interfaces or not) with the same public key.

See this thread where this has also been discussed.
http://forum.mikrotik.com/t/defect-cannot-add-wireguard-peers-with-same-key-to-different-wireguard-interfaces/153124/1

Current RouterOS doesn't allow it, but there's no reason why it shouldn't be possible. If the Windows client can do it (and it really can), RouterOS should too.

Well, I guess the jury is still out on that, as I’ve indicated in the past, whether this is a bug or a feature.

I wonder how many of those experiencing this 'behavior' actually took the effort to report it to support.

Hi holvoetn,

I already read the linked thread, and in your last answer you wrote:

Nevertheless, personally I still think it is illogical to have multiple peers using the same key and going to the SAME ip ( and same allowed address ?).

But that's not the case here. I have a different endpoint IP for all peers (sorry, I just saw that I masked them for anonymity, but they are different) as well as different IPs under ip/address for each interface!

I will contact the MikroTik support and post the result here!

Cheers

The workaround of creating another interface isn't that bad.

There’s no workaround, RouterOS doesn’t allow peers with duplicate keys at all, even when they are on different interfaces.

Sorry, that's what I meant: if the person wants two connections with the same peers, they have to create another WireGuard interface on the MT client device.

Oops, you are talking about keys now...

Crystal clear after reading this!!! :wink:
https://www.wireguard.com/protocol/#:~:text=If%20an%20additional%20layer%20of%20symmetric-key%20crypto%20is,to%20be%20an%20all-zero%20string%20of%2032%20bytes.

This I can understand; the MT behaviour follows the WireGuard schema.
https://www.procustodibus.com/blog/2021/01/same-key-multiple-peers/
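To make the distinction drawn in the two links above concrete, here is an added example (it is not from this thread, nor MikroTik's or WireGuard's own code): a small Python checker that parses text in the shape of `/interface/wireguard/peers print` output and separates two kinds of duplicate public key. A WireGuard interface identifies each peer by its public key, so two peers with one key on the same interface cannot coexist in any implementation; the same key on different interfaces is valid WireGuard (each interface has its own key pair and peer table) and is only rejected by RouterOS with "entry already exists" at the time of this thread. The interface names follow the original post; the keys, endpoint addresses and the exact line format are constructed placeholders, and the `cross_interface_allowed` flag is this example's own assumption for modelling the RouterOS limitation.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of "/interface/wireguard/peers print" output.
# Interface names follow the thread; keys and endpoints are placeholders
# (real WireGuard keys are 44-character base64 strings). Entry 3 deliberately
# repeats the key on the SAME interface to show the second kind of collision.
SAMPLE_PEERS = """\
0 X interface=GermanyVPN public-key="AAAAA" endpoint-address=203.0.113.10 endpoint-port=63000 allowed-address=0.0.0.0/0 persistent-keepalive=15m
1 X interface=UnitedKingdomVPN public-key="BBBBB" endpoint-address=203.0.113.20 endpoint-port=63000 allowed-address=0.0.0.0/0 persistent-keepalive=15m
2 X interface=UnitedStatesVPN public-key="BBBBB" endpoint-address=203.0.113.30 endpoint-port=63000 allowed-address=0.0.0.0/0 persistent-keepalive=15m
3 X interface=UnitedStatesVPN public-key="BBBBB" endpoint-address=203.0.113.40 endpoint-port=63000 allowed-address=0.0.0.0/0 persistent-keepalive=15m
"""

# key=value pairs; RouterOS prints names and keys in double quotes
KV_RE = re.compile(r'([A-Za-z0-9-]+)=("[^"]*"|\S+)')


def parse_peers(text):
    """Parse '<index> <flags> key=value ...' lines into dicts (quotes stripped)."""
    peers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        entry = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        first = line.split()[0]
        entry["index"] = int(first) if first.isdigit() else None
        peers.append(entry)
    return peers


def find_key_collisions(peers):
    """Group peers by public key and report two kinds of collision.

    same_interface : key -> interfaces on which that key appears more than once.
                     Invalid in WireGuard itself: a peer is identified by its
                     public key within an interface.
    cross_interface: key -> distinct interfaces that share that key.
                     Valid WireGuard; RouterOS before v7.2rc4 rejected it.
    """
    by_key = defaultdict(list)
    for p in peers:
        if "public-key" in p and "interface" in p:
            by_key[p["public-key"]].append(p["interface"])

    same_interface, cross_interface = {}, {}
    for key, ifaces in by_key.items():
        if len(ifaces) < 2:
            continue
        repeated = sorted({i for i in ifaces if ifaces.count(i) > 1})
        if repeated:
            same_interface[key] = repeated
        distinct = sorted(set(ifaces))
        if len(distinct) > 1:
            cross_interface[key] = distinct
    return same_interface, cross_interface


def report(text, cross_interface_allowed=False):
    """Return findings as strings. cross_interface_allowed=False models the
    RouterOS behaviour described in the thread (assumption of this example)."""
    same, cross = find_key_collisions(parse_peers(text))
    findings = []
    for key, ifaces in same.items():
        findings.append(f"ERROR: key {key} used twice on {', '.join(ifaces)} "
                        "(invalid in WireGuard: peer identified by public key)")
    for key, ifaces in cross.items():
        if cross_interface_allowed:
            findings.append(f"INFO: key {key} shared by {', '.join(ifaces)}")
        else:
            findings.append(f"ERROR: key {key} shared by {', '.join(ifaces)} "
                            "(RouterOS: failure: entry already exists)")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_PEERS):
        print(line)
    print("--- after the limitation is lifted ---")
    for line in report(SAMPLE_PEERS, cross_interface_allowed=True):
        print(line)
```

Paste the real `print` output of your own router in place of `SAMPLE_PEERS` to see before applying a config whether a key is genuinely duplicated within one interface (always a mistake) or merely shared across interfaces (a RouterOS version question).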

VPN providers I know use the same peer public key on all their servers. NordVPN at least uses different keys for their servers per country, and if there is more than one city then each city has its own key.

I asked MikroTik to allow the same key when the destination address differs. They are thinking about whether they will allow that or not.

I tested with NordVPN to have multiple connections in the same city and it worked fine. I used a Windows client and a connection from the router.

Hi msatter, as long as one of the two keys being shared is unique, I would have thought that would be good enough to create a safe enough environment. Just guessing though.

Hi,

I just got a reply from support.
They are aware of this limitation and will fix it in a future update of RouterOS.

Cheers

Thanks for the feedback.
So we can classify it as a bug from now on :smiley:

They specifically used the word ‘limitation’:

Hello,
Thank you for the report. We are aware of the limitation and are looking forward to lift it in the future release of RouterOS.

Take into account that those guys (most of them) are not native English speakers. So "limitation" might translate a bit differently depending on who uses it.

If it truly is a limitation, as in purposefully implemented, this means they applied this "specific reduction of functionality" for some reason.
My best guess: most likely they encountered some side effects they could not directly solve at that moment; then it could be easier to block that particular config from being used so the rest could be released.
But that’s all speculation.

FYI:
The problem is fixed in version v7.2rc4.

And at the same time broke the rest of RouterOS. NOT GOOD.

Details, details, …

They really need to get their testing and release process in order.
7.1.3 and 7.2rc4 are really, how should I say... problematic, from what I read here.

Though I have both running on a hEX (7.1.3) and a hAP ac2 (7.2rc4) in a SOHO environment (and with current homework activities, that's also considered critical nowadays!).
Nothing fancy but super stable as it should be.

Concrete walls are not details.

Just need a bit more power to get through :laughing:

Got a weak skull, at least weaker than concrete is.