I am trying to set up a WireGuard connection between my router and a laptop (“roadwarrior” style). I am unable to get a handshake. I triple-checked my keys, but I am still stuck. I don’t know what to check or test to locate and solve the issue. I post my config below. Any help appreciated.
Thanks in advance !
# 2025-02-11 12:31:59 by RouterOS 7.17.2
# model = RB5009UPr+S+
/interface bridge
add admin-mac=XXX auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface ethernet
set [ find default-name=ether2 ] l2mtu=1500 poe-out=off
/interface wireguard
add comment="Roadwarrior VPN to LAN" listen-port=13231 mtu=1420 name=\
wireguard1
/interface list
add name=WAN
add name=LAN
/ip pool
add name=default-dhcp ranges=10.9.9.100-10.9.9.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=lan_dhcp
/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/interface ovpn-server server
add mac-address=... name=ovpn-server1
# Cryptokey-routing entry for the laptop. allowed-address does two things at once:
# it is the only inner source IP the router accepts from this peer after decryption,
# and the only prefix the router routes into the tunnel towards this peer. No
# endpoint-address is configured, so the router can never initiate; the laptop must
# send the first handshake (roadwarrior). public-key is the laptop's PUBLIC key.
/interface wireguard peers
add allowed-address=10.9.8.226/32 comment="My laptop" interface=\
wireguard1 name=AAA public-key=\
"XXX"
/ip address
add address=10.9.8.1/22 interface=bridge network=10.9.8.0
# NOTE(review): 10.9.8.224/27 (10.9.8.224-255) sits inside the bridge's 10.9.8.0/22
# (10.9.8.0-10.9.11.255). The more specific /27 wins for those 32 addresses, so they are
# silently pulled off the LAN, and a VPN peer is indistinguishable from a LAN host in any
# src-address based rule. Use a prefix disjoint from the LAN for the tunnel.
add address=10.9.8.225/27 comment=VPN interface=wireguard1 network=10.9.8.224
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
add address=10.9.8.0/22 dns-server=10.9.8.1 gateway=10.9.8.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anything that reaches its
# input chain. It stays an internal-only service solely because the filter below drops
# input not coming from the LAN list; remove that drop and this is an open resolver.
set allow-remote-requests=yes cache-size=20480KiB
/ip dns adlist
# NOTE(review): ssl-verify=no downloads the blocklist over HTTPS without validating the
# server certificate, so an on-path attacker can substitute the file and decide which
# names the whole LAN can resolve. Prefer ssl-verify=yes (validation needs the trusted
# root CAs to be present under /certificate).
add ssl-verify=no url=\
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip firewall filter
# Rules are evaluated top to bottom, first match wins. input = traffic addressed to
# the router itself.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# WireGuard listener. Must sit above the "drop all not coming from LAN" rule because
# the handshake arrives on the WAN interface. packet-mark="" appears to match only
# unmarked packets; nothing in this config sets a mangle mark, so it is a no-op
# match and can simply be removed.
add action=accept chain=input comment="Accept incoming wireguard" dst-port=\
13231 packet-mark="" protocol=udp
# Default-deny for the router itself: anything not from the LAN list is dropped.
# wireguard1 is NOT a LAN-list member in this revision, so a VPN peer can reach the
# WireGuard port but none of the router's other services, DNS included.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 in-interface-list=\
WAN protocol=tcp to-addresses=10.9.11.3 to-ports=5060
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 address
add address=::1 from-pool=general-pool6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=sfp-sfpplus1 pool-name=general-pool6 \
request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 nd
set [ find default=yes ] interface=bridge ra-interval=20s-1m
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Why do you have an explicit packet-mark match in that accept rule for the WireGuard port? Nothing in your config sets a mangle mark. Make it blank and unselected.
add action=accept chain=input comment="Accept incoming wireguard" dst-port=\
13231 packet-mark="" protocol=udp
Secondly, it would be better to use a separate IP subnet for the WireGuard peers. Your 10.9.8.224/27 currently overlaps with the LAN's 10.9.8.0/22.
When you split it out, remember that your input chain only accepts traffic coming from the LAN interface list: either add wireguard1 to that list (which gives VPN peers the same access to the router's management services as a wired LAN host), or add explicit input accept rules for just the services the peers need (e.g. DNS).
Thanks for your quick answer. I removed the spurious ‘packet-mark’ setting in the firewall rule without success. I also tried to split the network. Here is my new config. Still no handshake. Are there other things I could check?
# 2025-02-11 14:40:57 by RouterOS 7.17.2
#
# model = RB5009UPr+S+
/interface bridge
add admin-mac=XXX auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface ethernet
set [ find default-name=ether2 ] l2mtu=1500 poe-out=off
/interface wireguard
# The router's WireGuard endpoint, listening on UDP/13231; who may reach it is decided
# by the input chain, not here. The interface private key is generated on the router
# and omitted from a normal export because it is sensitive; only the laptop's public key
# appears in the peers section. mtu=1420 is the usual value for a 1500-byte IPv4 underlay.
add comment="Roadwarrior VPN to LAN" listen-port=13231 mtu=1420 name=\
wireguard1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=10.9.9.100-10.9.9.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=lan_dhcp
/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
# 10s is the RouterOS default for UDP. It does not affect the handshake: the input
# accept for udp/13231 has no connection-state match, so an expired entry is simply
# recreated by the next packet from the laptop.
set udp-timeout=10s
/ip neighbor discovery-settings
# MNDP/LLDP discovery runs on every LAN-list member, which below includes wireguard1.
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
# NOTE(review): putting wireguard1 in LAN is the simplest way to let peers use the
# router's DNS, but the input chain's last rule accepts everything from the LAN list,
# so every VPN peer also reaches whatever /ip service has enabled (winbox, ssh, www, ...)
# exactly like a wired host. If road-warrior devices should only get DNS and LAN access,
# use a separate VPN list and accept just udp/53 (and ICMP) from it in the input chain.
add interface=wireguard1 list=LAN
/interface ovpn-server server
add mac-address=FE:78:80:A8:78:03 name=ovpn-server1
/interface wireguard peers
# Laptop peer. allowed-address is the cryptokey-routing filter: packets from this peer
# are accepted only with inner source 10.10.10.2, and only 10.10.10.2 is routed to it.
# No endpoint-address or keepalive on this side, so the laptop must always initiate.
add allowed-address=10.10.10.2/32 comment="laptop" interface=\
wireguard1 name=AAA public-key=XXX
/ip address
add address=10.9.8.1/22 interface=bridge network=10.9.8.0
# Tunnel network 10.10.10.0/24 is disjoint from the LAN's 10.9.8.0/22, so routes and
# firewall src/dst matches can tell VPN peers and LAN hosts apart.
add address=10.10.10.1/24 comment=VPN interface=wireguard1 network=10.10.10.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
add address=10.9.8.0/22 dns-server=10.9.8.1 gateway=10.9.8.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anything that reaches its
# input chain. It stays internal-only because the filter drops input not coming from the
# LAN list (which now includes wireguard1, so VPN peers can use it); remove that drop and
# this becomes an open resolver.
set allow-remote-requests=yes cache-size=20480KiB
/ip dns adlist
# NOTE(review): ssl-verify=no downloads the blocklist over HTTPS without validating the
# server certificate, so an on-path attacker can substitute the file and decide which
# names the whole LAN can resolve. Prefer ssl-verify=yes (validation needs the trusted
# root CAs to be present under /certificate).
add ssl-verify=no url=\
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip firewall filter
# Rules are evaluated top to bottom, first match wins. input = traffic addressed to
# the router itself, forward = traffic passing through it.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# WireGuard listener. Must sit above the "drop all not coming from LAN" rule because
# the handshake arrives on the WAN interface. Its packet counter is the first thing to
# watch when debugging: WireGuard never replies to a packet it cannot authenticate.
add action=accept chain=input comment="Accept incoming wireguard" dst-port=\
13231 protocol=udp
# Default-deny for the router itself. wireguard1 is a LAN-list member, so VPN peers
# reach DNS and every enabled management service; use a separate list to narrow that.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Established/related flows skip the rest of the filter (and may be hw-offloaded);
# there is no interface match, so decrypted tunnel flows can be fasttracked as well.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Stale: still references the old 10.9.8.224/27 tunnel range although the tunnel is now
# 10.10.10.0/24. It is disabled (no effect) and redundant anyway, because the forward
# chain below has no final drop; delete it or fix the prefix to avoid confusion later.
add action=accept chain=forward comment=\
"Accept all wireguard incoming traffic" disabled=yes in-interface=\
wireguard1 src-address=10.9.8.224/27
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Only NEW connections arriving on the WAN list are dropped, unless they were dst-nat'ed
# (the VOIP forward). There is no final drop, so new connections from the LAN list, which
# includes wireguard1, are forwarded to any destination by default (LAN and internet).
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade everything leaving via WAN, including the laptop's full-tunnel traffic,
# which therefore exits with the router's public address.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): exposes TCP/5060 of 10.9.11.3 to the whole internet; the matching
# forward accept is the "!dstnat" exception in the filter. If the SIP provider's
# addresses are known, add a src-address-list match to limit who can reach it.
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 in-interface-list=\
WAN protocol=tcp to-addresses=10.9.11.3 to-ports=5060
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 address
add address=::1 from-pool=general-pool6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=sfp-sfpplus1 pool-name=general-pool6 \
request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 nd
set [ find default=yes ] interface=bridge ra-interval=20s-1m
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
In case the problem is elsewhere, I also attach the client config:
# WireGuard client (laptop). Key values are placeholders; never paste the real PrivateKey.
[Interface]
# Tunnel address; must equal the allowed-address the router holds for this peer.
Address = 10.10.10.2/32
PrivateKey = AAA
# The router's resolver; reachable only because wireguard1 is in the router's LAN list.
Dns = 10.9.8.1
[Peer]
# The router's interface public key. This, not Endpoint, identifies the peer: a wrong or
# stale Endpoint produces silence, never a handshake with the wrong host.
PublicKey = BBB
# Full tunnel: all IPv4 traffic, DNS included, goes through the router and is masqueraded
# out its WAN. NOTE(review): only IPv4 is listed and the router has no IPv6 address on
# wireguard1, so any IPv6 connectivity the laptop has bypasses the tunnel; disable IPv6
# on the laptop while connected if that leak matters.
AllowedIPs = 0.0.0.0/0
# If this is a DDNS name, most clients resolve it once when the tunnel comes up; a record
# change afterwards is not picked up until the tunnel is restarted. No PersistentKeepalive
# is fine while the laptop initiates, but an idle laptop behind NAT will not be reachable
# from the LAN until it sends something itself.
Endpoint = xxx.xxx.xxx.xxx:13231
Thanks
Is that RB5009 your direct connection to internet ?
Or is there an ISP router in between ?
If there is, is on the router the needed port forwarded to your RB5009 ?
The first thing to check is whether the packet counter on the input-chain accept rule for UDP 13231 increases when the laptop tries to connect. WireGuard does not answer a packet it cannot authenticate, so that counter is the only visible sign that anything reaches the router; as long as it is not moving, nothing is arriving.
anav
February 11, 2025, 3:28pm
As already stated: You do not have an accept rule for the incoming wireguard handshake.
add chain=input action=accept comment="wg handshake" dst-port=13231 protocol=udp
I would also be clearer on forward chain.
Change default rule
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg to LAN" in-interface=wireguard1 dst-address=10.9.8.0/24
(use your LAN's real prefix here — it is 10.9.8.0/22 in the posted config; a /24 would not cover the 10.9.9.x DHCP clients or the 10.9.11.3 VOIP host)
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
Edit: I was looking at the wrong config, I see you have the above fixed ( input chain rule ). Confirm you get a public IP!!!
Is that RB5009 your direct connection to internet ?
Or is there an ISP router in between ?
If there is, is on the router the needed port forwarded to your RB5009 ?
Directly connected to the internet. The WAN IP address is public and can be pinged from the outside.
If I send a dummy packet to UDP port 13231 on the WAN address, nothing comes back and the rule counter does not increase (no reply is expected anyway, since WireGuard silently ignores anything it cannot authenticate, so the counter is the thing to watch):
echo "hello" | nc -u XXXX 13231
SOLVED: it was a dynamic DNS update problem. The DDNS name used as the endpoint had changed address between two tests, so the laptop was sending its handshakes to a stale IP. Now everything works with the configuration posted above. (Because WireGuard identifies the peer by its public key, a stale endpoint only produces silence; it can never complete a handshake with the wrong host.) Many thanks.
anav
February 11, 2025, 3:31pm
Awesome glad its working for you.
Yeah. As is often the case, the problem was not where I was focusing…