question about "wireguard responder"

RCarter · August 3, 2024, 11:56am

i’m having a hard time understanding this line in 7.15 changelog

*) wireguard - added option to mark peer as responder only;

and the relative documentation

is-responder (yes | no; Default: no)

Specifies if peer is intended to be connection initiator or only responder. Should be used on WireGuard devices that are used as “servers” for other devices as clients to connect to. Otherwise router will all repeatedly try to connect “endpoint-address” or “current-endpoint-address” causing unnecessary system logs to be written.

should i use it for site2site peers or for roadwarrior ones?

holvoetn · August 3, 2024, 1:15pm

You should use this for the device which acts as initiator of the connection.
Not if some device is only waiting for connections to come in (useless there).

So roadwarrior situation:
The mobile device should have it. The “server” not (yeah yeah, wireguard is all peers, I know …)

Site 2 site: can be both if both have a fixed IP.
If only one has a fixed IP, it should be used on the site with dynamic IP.

RCarter · August 3, 2024, 1:22pm

if that is the case the utility is lost to me:
wouldn’t i want something that flags on the “server” a specific peer as “you should not try to reach this one, it will always be it that contacts you” to avoid spamming packets to a non existent endpoint?
or am i misinterpreting this?

holvoetn · August 3, 2024, 1:43pm

Now you mention this, my explanation was completely backwards
Oops …

In that case, tick “responder”.
That’s what it does. It does not go out, it only listens.

What it should be then:

You should use this for the device which acts as arrival of the connection.
Only if some device is simply waiting for connections to come in.

So roadwarrior situation:
The mobile device should NOT have it. The “server” does (yeah yeah, wireguard is all peers, I know …)

Site 2 site: can be none if both have a fixed IP.
If only one has a fixed IP, it should be used on the site with static IP.

RCarter · August 3, 2024, 1:50pm

oh, ok, great, so that’s exactly what i need

thanks a lot!

anav · August 3, 2024, 3:05pm

Not required at all unless using BTH, which should only be used if both ends do not have a public IP or the ISP router cannot forward ports to the MT device.
Otherwise advise avoiding all that nonsense.

RCarter · August 3, 2024, 3:11pm

may i ask why would you avoid that?
for a “roadwarrior only” scenario it sound great on the wireguard “server”

rplant · August 4, 2024, 4:23am

It used to (at minimum) stop a lot of annoying log messages on the server, I assume it still might.

Njumaen · August 4, 2024, 7:37am

Shot myself in the foot by using it on the “server” side in a router-router-VPN scanario.

Result was that new packets form the “client/caller” passed flawlessly, so I could reach other services in my home lab but new packets from the “server/responder” were dropped! Not what I expected but in a very close definition of being a responder quite obvious… LOL

So: Do not use it unless you need it!

Cheers,

Ralf.

jaclaz · August 4, 2024, 8:09am

And the “worst writing in a short sentence” 2024 award goes to the anonymous Mikrotik developer for the sentence:

Should be used on WireGuard devices that are used as “servers” for other devices as clients to connect to.

anav · August 4, 2024, 10:31am

Not required for standard setups as stated and its redundant anyway. Its basic understanding of how wireguard works → A peer client at handshake initiates the connection, the peer Server responds.
Why would the admin need to tell himself anything extra, he knows the config already. Its confusing and I see no point to it.
Its strictly a BTH function when there is no clear client server relationship as the connection is done at the MT cloud.

holvoetn · August 4, 2024, 11:39am

It does result in a lot less log messages on the server side.

anav · August 4, 2024, 2:32pm

I get zero logged messaged on my server side… false information

boxybh · October 2, 2024, 11:13am

i agree.
i have routers at remote sites which have static ip and connected to my router

and i have static ip on myside and some other outers connect from their to me

to me keeping off has worked fine till now

tihovsky · November 7, 2024, 12:02pm

Tried to setup mikrotik wireguard in a site-to-site manner, whereas one side is having CGNAT and is the connection initiator (client side, B).
The other server side (side A) site has a bridged WAN fixed public IPv4 and is set as a responder, without the endpoint/port set nor persistent keep-alive being set.

Now, I didn’t manage to set things up fully working, likely due to some other rules bugging me that I will need to trobubleshoot further or CGNAT might be preventing tunnel establishment.

Either way, I noticed side A is trying to initiate the connection regardless of the fact that it is checked off as a responder (in 7.16.1).
Likely a bug to report, so here is the related log excerpt on site A:

…
Handshake for peer did not complete after 5 seconds, retrying (try 16)
Wireguard: Sending handshake initiation to peer ((einval))
Wireguard: Handshake for peer did not complete after 5 seconds, retrying (try 17)
Wireguard: Sending handshake initiation to peer ((einval))
…
Handshake for peer did not complete after 5 seconds, retrying (try 20)
Wireguard: Sending handshake initiation to peer ((einval))
Handshake for peer did not complete after 20 attempts, giving up
…

mantouboji · November 8, 2024, 5:07am

I think: when site A has a “fixed” IP address, act as a SERVER, and site B is a roaming one, or behind a NAT gateway, act as a CLIENT.

In site A, should mark peer B as a responder.

In site B, don’t need mark anyone.