Hi,
I have set up a WireGuard road warrior VPN. Everything works flawlessly except for two things:
- One WireGuard peer is an Android phone, and I don't receive any push notifications anymore with an active tunnel. If I switch the tunnel off, the notifications are working.
- I cannot use Winbox with an active tunnel.
/interface wireguard
add listen-port=13231 mtu=1280 name=wireguard1
/interface wireguard peers
add allowed-address=10.9.0.2/32 comment=Poco interface=wireguard1 name=Poco public-key=""
add allowed-address=10.9.0.3/32 comment="HP Elite" interface=wireguard1 name="HP Elite" public-key=""
add allowed-address=10.9.0.4/32 comment=Xiaomi interface=wireguard1 name=Xiaomi public-key=""
# 2025-01-29 08:47:07 by RouterOS 7.17
# software id = SVBQ-F015
#
# model = RB5009UPr+S+
# serial number =
/ip firewall address-list
add address=172.16.0.0/12 list=RFC1918
add address=10.0.0.0/8 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
add address=172.20.0.0/16 list=LAN_NET
/ip firewall filter
add action=accept chain=input comment="ALLG. | Aufgebaute Verbindungen erlauben \"established, related\"" connection-state=established,related
add action=drop chain=input comment="ALLG. | Block invalid input" connection-state=invalid
add action=accept chain=input comment="LAN/VPN -> FW | Zugriff zur Firewall erlauben" in-interface-list=LAN
add action=accept chain=input comment="VPN | WireGuard Port vom WAN aus erlauben" dst-port=13231 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="ALLG. | Alle ohne Verbindungsstatus blockieren"
add action=fasttrack-connection chain=forward comment=Fasttrack connection-mark=no-mark connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="ALLG. | Aufgebaute Verbindungen erlauben" connection-state=established,related,untracked
add action=drop chain=forward comment="ALLG. | Block invalid forward" connection-state=invalid
add action=accept chain=forward comment="WEBSERVER | dstnat erlauben" connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=forward comment="LAN -> WAN | Internetzugriff" in-interface-list=LAN
add action=drop chain=forward comment="ALLG. | Alles andere verwerfen"
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade on WAN" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Portforwarding to webserver http(s)" dst-address-list=!RFC1918 dst-address-type=local dst-port=80,443 protocol=tcp \
to-addresses=172.20.0.10
add action=masquerade chain=srcnat comment="hairpin NAT" dst-address=172.20.0.10 out-interface-list=LAN src-address-list=LAN_NET
And finally the peer configuration of the Android phone:
[Interface]
Address = 10.9.0.2/32
MTU = 1280
PrivateKey =
[Peer]
AllowedIPs = 172.20.0.0/16, 10.9.0.1/32
Endpoint = XXXX.de:13231
PublicKey =
As I understand it,
add action=accept chain=input comment="LAN/VPN -> FW | Zugriff zur Firewall erlauben" in-interface-list=LAN
should allow the use of Winbox through the WireGuard tunnel. But every time I try to log in, I get a login failure in the RouterOS logs.
Thanks for any hints!
BW Maximilian
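To check which input rule actually catches a Winbox connection arriving through the tunnel, here is a small simulation of RouterOS top-to-bottom rule evaluation over the input chain posted above. This is an added example, not code from the thread; interface names and the WireGuard port are taken from the export, and Winbox is assumed on tcp/8291.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Interface lists from the export; whether wireguard1 is a LAN member is the variable under test.
def make_lists(wg_in_lan: bool) -> dict:
    lan = {"bridge"} | ({"wireguard1"} if wg_in_lan else set())
    return {"LAN": lan, "WAN": {"pppoe-telekom-fiber"}}

@dataclass
class Packet:
    in_iface: str
    proto: str
    dst_port: int
    conn_state: str  # "new", "established", "related" or "invalid" (connection tracking)

@dataclass
class Rule:
    action: str
    comment: str
    conn_state: Optional[Set[str]] = None
    in_list: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet, lists: dict) -> bool:
        # Unset matchers match anything; every set matcher must hold (RouterOS semantics).
        return ((self.conn_state is None or p.conn_state in self.conn_state)
                and (self.in_list is None or p.in_iface in lists[self.in_list])
                and (self.proto is None or p.proto == self.proto)
                and (self.dst_port is None or p.dst_port == self.dst_port))

# The input chain as exported above, in the same order.
INPUT_CHAIN = [
    Rule("accept", "established, related", conn_state={"established", "related"}),
    Rule("drop", "invalid", conn_state={"invalid"}),
    Rule("accept", "LAN/VPN -> FW", in_list="LAN"),
    Rule("accept", "WireGuard port from WAN", in_list="WAN", proto="udp", dst_port=13231),
    Rule("drop", "everything else"),
]

def evaluate(chain: list, p: Packet, lists: dict) -> tuple:
    """First matching rule decides, top to bottom; a chain with no match defaults to accept."""
    for r in chain:
        if r.matches(p, lists):
            return r.action, r.comment
    return "accept", "chain default"

# First packet of a Winbox session (tcp/8291) arriving decrypted on wireguard1.
WINBOX_VIA_WG = Packet("wireguard1", "tcp", 8291, "new")
# The same Winbox attempt straight from the internet, and the WireGuard handshake itself.
WINBOX_FROM_WAN = Packet("pppoe-telekom-fiber", "tcp", 8291, "new")
WG_HANDSHAKE = Packet("pppoe-telekom-fiber", "udp", 13231, "new")
```

With wireguard1 in the LAN list the tunnelled Winbox packet is accepted by the "LAN/VPN -> FW" rule; without it, it falls through to the final drop, so a login failure in the log means the packet did get past the input chain.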
Since you haven't posted the full config, you have to make sure the WG interface is part of the LAN interface list.
And the hairpin NAT rule should be the first one, because rules are evaluated from top to bottom.
And the AllowedIPs of the peer should be set to 0.0.0.0/0 to send all traffic through the tunnel, since we're talking about a road warrior setup.
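Both the split-tunnel list in the first post and the 0.0.0.0/0 suggestion come down to WireGuard's cryptokey routing: AllowedIPs selects the peer for outgoing packets (longest prefix wins, no match means the packet bypasses the tunnel) and also acts as a source filter on decrypted incoming packets. The following is an added example, not from the thread, modelling both directions with the addresses from the posted configs; the sample destinations are constructed.

```python
import ipaddress
from typing import Optional

def parse_allowed(allowed: str) -> list:
    """'172.20.0.0/16, 10.9.0.1/32' -> list of ip_network objects."""
    return [ipaddress.ip_network(a.strip()) for a in allowed.split(",")]

def peer_for_destination(peers: dict, dst: str) -> Optional[str]:
    """Egress side: the peer whose AllowedIPs contains dst with the longest prefix
    receives the packet; with no match the packet is sent outside the tunnel."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, allowed in peers.items():
        for net in parse_allowed(allowed):
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

def accept_from_peer(peer_allowed: str, src: str) -> bool:
    """Ingress side: a decrypted packet is dropped unless its source address lies in
    the sending peer's AllowedIPs, so a peer cannot inject packets with LAN sources."""
    return any(ipaddress.ip_address(src) in net for net in parse_allowed(peer_allowed))

# Phone side: the split-tunnel list from the first post vs. the full-tunnel suggestion.
PHONE_SPLIT = {"router": "172.20.0.0/16, 10.9.0.1/32"}
PHONE_FULL = {"router": "0.0.0.0/0"}
# Router side: per-peer allowed-address as in the export.
ROUTER_PEERS = {"Poco": "10.9.0.2/32", "HP Elite": "10.9.0.3/32", "Xiaomi": "10.9.0.4/32"}

# Constructed sample destinations: the web server, the router's tunnel address, a public resolver.
SAMPLE_DSTS = ["172.20.0.10", "10.9.0.1", "1.1.1.1"]

def tunnel_decisions(peers: dict) -> dict:
    """Which sample destinations the phone would encrypt into the tunnel under a given config."""
    return {d: peer_for_destination(peers, d) for d in SAMPLE_DSTS}
```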
I've already added the WireGuard interface to the LAN list:
/interface list
add name=PORT-FORWARD-LIST
add comment=defconf name=LAN
add comment=defconf name=WAN
/interface list member
add interface=bridge list=LAN
add interface=wireguard1 list=LAN
add interface=pppoe-telekom-fiber list=WAN
But this should only be related to my second problem.
Sorry, then I don't want a road warrior setup. I only want the traffic from 172.20.0.0/16 to be routed through the tunnel.
I've already played around with the MTU size, but with no success.
Here I found a workaround.
Excluding the Google Play Services from WireGuard solves the problem with the missing push notifications.
In my opinion, however, this is only symptom control and does not address the cause of the problem.
In the hope that someone can help me, here is my complete configuration:
# 2025-01-30 21:00:13 by RouterOS 7.17
# software id = SVBQ-F015
#
# model = RB5009UPr+S+
# serial number =
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412,2432,2472 name=\
2G
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5180,5260,5500 \
name=5G
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=default
/interface bridge
add name=bridge
/interface wireguard
add listen-port=13231 mtu=1280 name=wireguard1
/interface vlan
add interface=ether1 name=vlan7-pppoe vlan-id=7
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=SSID
/caps-man configuration
add channel=2G country=germany datapath=default installation=indoor mode=ap \
name=2G security= ssid=SSID
add channel=5G country=germany datapath=default installation=indoor mode=ap \
name=5G security= ssid=SSID
/caps-man interface
add channel=2G configuration=2G datapath=default disabled=no l2mtu=1600 \
mac-address= master-interface=none name="2G Buero" \
radio-mac= radio-name= security=SSID
add channel=2G configuration=2G datapath=default disabled=no l2mtu=1600 \
mac-address= master-interface=none name="2G DG" \
radio-mac= radio-name= security=SSID
add channel=2G configuration=2G datapath=default disabled=no l2mtu=1600 \
mac-address= master-interface=none name="2G WZ" \
radio-mac= radio-name= security=SSID
add channel=5G configuration=5G datapath=default disabled=no l2mtu=1600 \
mac-address= master-interface=none name="5G Buero" \
radio-mac= radio-name= security=SSID
add channel=5G configuration=5G datapath=default disabled=no l2mtu=1600 \
mac-address= master-interface=none name="5G DG" \
radio-mac= radio-name= security=SSID
add channel=5G configuration=5G datapath=default disabled=no l2mtu=1600 \
mac-address= master-interface=none name="5G WZ" \
radio-mac= radio-name= security=SSID
/interface list
add comment=defconf name=LAN
add comment=defconf name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=172.20.200.10-172.20.200.100
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge name=dhcp
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=\
vlan7-pppoe name=pppoe-telekom-fiber profile=default-encryption user=\
xxxx@t-online.de
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=2G name-format=\
identity
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge disabled=yes interface=ether8
add bridge=bridge interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=*2000010
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=bridge list=LAN
add interface=wireguard1 list=LAN
add interface=pppoe-telekom-fiber list=WAN
/interface ovpn-server server
add mac-address= name=ovpn-server1
/interface wireguard peers
add allowed-address=10.9.0.2/32 comment=Poco interface=wireguard1 name=Poco \
public-key=""
add allowed-address=10.9.0.3/32 comment="HP Elite" interface=wireguard1 name=\
"HP Elite" public-key=""
add allowed-address=10.9.0.4/32 comment=Xiaomi interface=wireguard1 name=\
Xiaomi public-key=""
/ip address
add address=172.20.0.80/16 interface=bridge network=172.20.0.0
add address=10.9.0.1/28 interface=wireguard1 network=10.9.0.0
/ip cloud
set update-time=no
/ip dhcp-server lease
...
/ip dhcp-server network
add address=172.20.0.0/16 dns-server=172.20.0.80 gateway=172.20.0.80 \
ntp-server=172.20.0.80
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns adlist
add ssl-verify=no url=\
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns static
add address=172.20.0.10 disabled=yes match-subdomain=yes name=domain.de type=A
/ip firewall address-list
add address=172.16.0.0/12 list=RFC1918
add address=10.0.0.0/8 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
add address=172.20.0.0/16 list=LAN_NET
/ip firewall filter
add action=accept chain=input comment=\
"ALLG. | Aufgebaute Verbindungen erlauben \"established, related\"" \
connection-state=established,related
add action=drop chain=input comment="ALLG. | Block invalid input" \
connection-state=invalid
add action=accept chain=input comment=\
"LAN/VPN -> FW | Zugriff zur Firewall erlauben" in-interface-list=LAN
add action=accept chain=input comment=\
"VPN | WireGuard Port vom WAN aus erlauben" dst-port=13231 \
in-interface-list=WAN protocol=udp
add action=drop chain=input comment=\
"ALLG. | Alle ohne Verbindungsstatus blockieren"
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-mark=no-mark connection-state=established,related hw-offload=\
yes
add action=accept chain=forward comment=\
"ALLG. | Aufgebaute Verbindungen erlauben" connection-state=\
established,related,untracked
add action=drop chain=forward comment="ALLG. | Block invalid forward" \
connection-state=invalid
add action=accept chain=forward comment="WEBSERVER | dstnat erlauben" \
connection-nat-state=dstnat in-interface-list=WAN
add action=accept chain=forward comment="LAN -> WAN | Internetzugriff" \
in-interface-list=LAN
add action=drop chain=forward comment="ALLG. | Alles andere verwerfen"
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin NAT" dst-address=\
172.20.0.10 out-interface-list=LAN src-address-list=LAN_NET
add action=masquerade chain=srcnat comment="masquerade on WAN" \
out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Portforwarding to webserver http(s)" \
dst-address-list=!RFC1918 dst-address-type=local dst-port=80,443 \
protocol=tcp to-addresses=172.20.0.10
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set ssh port=2200
set api disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp1.fau.de
add address="ntp1.ewetel.de "
/system scheduler
add interval=5m name="DynDNS Update" on-event=\
"/system script run DynDNS-Strato" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/system script
add dont-require-permissions=no name=DynDNS-Strato owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global ddnsuser \"domain.de\"\r\
\n:global ddnspass \"xxxxxxxx\"\r\
\n:global theinterface \"pppoe-telekom-fiber\"\r\
\n:global ddnshost1 \"domain.de\"\r\
\n\r\
\n:global ipddns\r\
\n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
alue-name=address] \r\
\n\r\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
\n\r\
\n :log info (\"DynDNS: No ip address on \$theinterface .\")\r\
\n\r\
\n} else={\r\
\n\r\
\n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \r\
\n\r\
\n :if ( [:pick \$ipfresh \$i] = \"/\") do={ \r\
\n\r\
\n :set ipfresh [:pick \$ipfresh 0 \$i];\r\
\n\r\
\n } \r\
\n }\r\
\n\r\
\n :if (\$ipddns != \$ipfresh) do={\r\
\n\r\
\n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\r\
\n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\r\
\n :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\r\
\n\r\
\n :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfres\
h\"\r\
\n /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddn\
suser password=\$ddnspass mode=https dst-path=(\"/DynDNS.\".\$ddnshost1)\r\
\n\r\
\n :delay 1\r\
\n\r\
\n :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\r\
\n /file remove \$str1\r\
\n :global ipddns \$ipfresh\r\
\n :log info \"DynDNS: IP updated to \$ipfresh!\"\r\
\n\r\
\n } else={\r\
\n\r\
\n :log info \"DynDNS: dont need changes\";\r\
\n\r\
\n }\r\
\n}"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=*2000010
/tool mac-server mac-winbox
set allowed-interface-list=*2000010
I’m starting to think the following rule is the culprit:
add action=accept chain=input comment=\
"VPN | WireGuard Port vom WAN aus erlauben" dst-port=13231 \
in-interface-list=WAN protocol=udp
Try removing the in-interface-list and see if anything changes.
If I change this as you described, it is possible to connect to RouterOS (Android MikroTik app) with an active tunnel from inside the LAN, but not from outside.
This is a little step forward: with
in-interface-list=WAN
this is also not possible.