Unable to log in to Winbox via Wireguard

Good afternoon! I have a Debian VPS that I use as a routing server. I configured it with a MikroTik hEX S as the client; pings work, but I can't log in to the MikroTik via Winbox.

[admin@kgu-aktanberdi] > /export 
# 2024-11-06 12:56:57 by RouterOS 7.16.1
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.12.0/24 endpoint-address=############ endpoint-port=51820 interface=wireguard1 name=peer1 persistent-keepalive=20s public-key=\
    "##############"
/ip address
add address=192.168.12.3/24 interface=wireguard1 network=192.168.12.0
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=51820 in-interface=wireguard1 protocol=udp
add action=accept chain=forward in-interface=wireguard1 out-interface=ether1
add action=accept chain=forward in-interface=ether1 out-interface=wireguard1
add action=log chain=input dst-port=51820 in-interface=wireguard1 log-prefix=WireGuard-Input: protocol=udp
add action=log chain=forward in-interface=wireguard1 log-prefix=WireGuard-Forward:
add action=accept chain=input dst-port=8291 in-interface=wireguard1 protocol=tcp
add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=192.168.12.1 routing-table=main suppress-hw-offload=no
add dst-address=192.168.12.0/24 gateway=192.168.12.1
/system clock
set time-zone-name=Asia/Almaty
/system identity
set name=kgu-aktanberdi
/system note
set show-at-login=no

Probably because you don't understand the rules you are using... it seems like you're throwing crap at the wall hoping something will stick.

  1. When you create the IP address for wireguard, the router automatically creates a rule
    add dst-address=192.168.12.0/24 interface=wireguard1 routing-table=main

so get rid of this manual rule you made
add dst-address=192.168.12.0/24 gateway=192.168.12.1

  2. Do tell me why you have this rule???
    /ip firewall filter
    add action=accept chain=input dst-port=51820 in-interface=wireguard1 protocol=udp
    ???
    or this rule…
    add action=log chain=input dst-port=51820 in-interface=wireguard1 log-prefix=WireGuard-Input: protocol=udp

+++++++++++++++++++++
Remote users connecting to the MikroTik to access the LAN should be very possible, and the Debian VPS plays a part in that; since we don't see your rules there, it's hard to tell if something at that end may be blocking (probably not, but possible).

3. Where are the default firewall rules??

It turned out I forgot to open the ports on the VPS server.

“It turned out I forgot to open the ports on the VPS server”

Makes sense, as there was nothing seriously preventing it on the router side. Nonetheless, one can always improve (clean up) their config.
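As an added example (not code from the thread, from MikroTik, or from either poster), here is a small Python linter that runs the three cleanup checks made in the reply above against a RouterOS `/export`: a static route that duplicates the connected route created by the `/ip address` entry, `input` rules that match the WireGuard listen port with `in-interface` set to the tunnel itself (the handshake arrives on the underlay interface, ether1 here, never inside wireguard1), and filter chains with no drop/reject rule, which RouterOS treats as accept-all. The embedded sample is the export posted above trimmed to the relevant sections; the redacted public key is replaced by the placeholder `AAAA`, and the expected findings are an assumption based on reading that export, not on running it on a router.

```python
"""Lint a RouterOS /export for the three points raised in the reply above."""
import ipaddress
import shlex

# Constructed sample: the poster's export, trimmed, with the redacted key replaced.
SAMPLE_EXPORT = """\
# 2024-11-06 12:56:57 by RouterOS 7.16.1
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=192.168.12.0/24 endpoint-port=51820 interface=wireguard1 name=peer1 public-key=\\
    "AAAA"
/ip address
add address=192.168.12.3/24 interface=wireguard1 network=192.168.12.0
/ip firewall filter
add action=accept chain=input dst-port=51820 in-interface=wireguard1 protocol=udp
add action=accept chain=forward in-interface=wireguard1 out-interface=ether1
add action=accept chain=forward in-interface=ether1 out-interface=wireguard1
add action=log chain=input dst-port=51820 in-interface=wireguard1 log-prefix=WireGuard-Input: protocol=udp
add action=log chain=forward in-interface=wireguard1 log-prefix=WireGuard-Forward:
add action=accept chain=input dst-port=8291 in-interface=wireguard1 protocol=tcp
add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=192.168.12.1 routing-table=main suppress-hw-offload=no
add dst-address=192.168.12.0/24 gateway=192.168.12.1
"""


def parse_export(text):
    """Return a list of (section, verb, {key: value}) for every add/set line.

    Handles '#' comments, the '\\' line continuation RouterOS uses for long
    lines, and quoted values (via shlex).
    """
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):          # continued on the next line
            buf += piece[:-1]
            continue
        full = (buf + piece).strip()
        buf = ""
        if not full or full.startswith("#"):
            continue
        if full.startswith("/"):          # section header, e.g. /ip firewall filter
            section = full
            continue
        tokens = shlex.split(full)
        props = {k: v for k, v in (t.split("=", 1) for t in tokens[1:] if "=" in t)}
        entries.append((section, tokens[0], props))
    return entries


def find_redundant_routes(entries):
    """Static routes whose destination is a subnet the router has an address in."""
    connected = [(ipaddress.ip_interface(p["address"]).network, p["interface"])
                 for sec, _, p in entries if sec == "/ip address" and "address" in p]
    findings = []
    for sec, _, p in entries:
        if sec == "/ip route" and "dst-address" in p:
            dst = ipaddress.ip_network(p["dst-address"])
            for net, iface in connected:
                if dst == net:
                    findings.append(f"route to {dst} via {p.get('gateway')} is redundant: "
                                    f"the connected route via {iface} already exists")
    return findings


def find_tunnel_port_rules(entries):
    """Filter rules matching the WireGuard listen-port with in-interface = the tunnel."""
    wg_ports = {p["name"]: p.get("listen-port") for sec, _, p in entries
                if sec == "/interface wireguard" and "name" in p}
    findings = []
    for sec, _, p in entries:
        iface = p.get("in-interface")
        if (sec == "/ip firewall filter" and iface in wg_ports
                and p.get("protocol") == "udp" and p.get("dst-port") == wg_ports[iface]):
            findings.append(f"{p.get('chain')} {p.get('action')} udp/{p['dst-port']} in-interface={iface}: "
                            f"the WireGuard handshake arrives on the underlay interface, "
                            f"not inside {iface}, so this never matches it")
    return findings


def find_open_chains(entries):
    """Chains with no drop/reject: RouterOS accepts whatever falls off the end of a chain."""
    chains = {}
    for sec, _, p in entries:
        if sec == "/ip firewall filter" and "chain" in p:
            chains.setdefault(p["chain"], set()).add(p.get("action"))
    return [f"chain {c} has no drop/reject rule; unmatched traffic is accepted, "
            f"so its accept rules change nothing"
            for c, actions in chains.items() if not actions & {"drop", "reject"}]


def lint(text):
    entries = parse_export(text)
    return find_redundant_routes(entries) + find_tunnel_port_rules(entries) + find_open_chains(entries)


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print("-", finding)
```

Run it on a full `/export` (`lint(open("router.rsc").read())`); on the sample it reports the redundant 192.168.12.0/24 route, both udp/51820 rules on wireguard1, and that neither `input` nor `forward` ends in a drop. Note that this is cleanup only: the actual blocker in the thread was the unopened port on the VPS, which no router-side check can see.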