WG handshake drops!!

Hello
I have a strange issue with WireGuard. I made the configuration correctly and peers can connect using WG without any issues.
Since one week ago, when some peers use a specific ISP it blocks the connection, but when they use another internet connection they can connect successfully using WG.

This is the message I get when the peer tries to connect through the specific internet provider:
Handshake for peer 1 (xx.xx.xx.xx:13231) did not complete after 5 seconds, retrying (try 16)


Can anyone help me figure out where the issue is?

Thanks
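As an added example (not part of the original post or of any MikroTik tooling), the Python script below shows how to turn the quoted retry message, together with the output of `wg show <iface> dump` on a Linux client, into a per-endpoint verdict: a peer that is still sending initiations but has never received a single byte back is being filtered somewhere on the path, which is a different failure from a peer that simply let an old session expire. The log lines, dump rows, endpoints (documentation addresses 203.0.113.10 and 198.51.100.7) and key placeholders are constructed for illustration; the timer values are WireGuard's own protocol constants.

```python
"""Triage WireGuard handshake failures from log lines and `wg show <iface> dump`."""
import re

# Protocol timers (WireGuard whitepaper, section 6.1), all in seconds.
REKEY_TIMEOUT = 5         # interval between handshake-initiation retries
REKEY_ATTEMPT_TIME = 90   # stop retrying after this long (90 / 5 = 18 tries)
REJECT_AFTER_TIME = 180   # a session with no handshake for this long is dead

# The retry message quoted in the thread, as logged by the initiating side.
HANDSHAKE_FAIL = re.compile(
    r"Handshake for peer (?P<idx>\d+) \((?P<endpoint>[^)]+)\) did not complete "
    r"after (?P<secs>\d+) seconds, retrying \(try (?P<attempt>\d+)\)"
)


def parse_handshake_log(lines):
    """Return {endpoint: highest retry count seen} from a log excerpt."""
    worst = {}
    for line in lines:
        m = HANDSHAKE_FAIL.search(line)
        if m:
            ep = m.group("endpoint")
            worst[ep] = max(worst.get(ep, 0), int(m.group("attempt")))
    return worst


def parse_wg_dump(text):
    """Parse `wg show <iface> dump` (tab-separated); the first line is the interface."""
    peers = []
    for i, line in enumerate(text.strip().splitlines()):
        if i == 0:
            continue  # private-key, public-key, listen-port, fwmark
        pub, psk, endpoint, allowed, hs, rx, tx, keepalive = line.split("\t")
        peers.append({
            "public_key": pub, "endpoint": endpoint, "allowed_ips": allowed,
            "latest_handshake": int(hs), "rx": int(rx), "tx": int(tx),
            "keepalive": keepalive,
        })
    return peers


def triage(peers, failures, now):
    """Classify each peer endpoint; a heuristic, not a protocol guarantee."""
    verdicts = {}
    for p in peers:
        ep = p["endpoint"]
        attempts = failures.get(ep, 0)
        age = now - p["latest_handshake"] if p["latest_handshake"] else None
        if age is not None and age <= REJECT_AFTER_TIME:
            verdicts[ep] = "ok"          # a live session exists
        elif p["tx"] > 0 and p["rx"] == 0:
            # Initiations leave this host but nothing ever comes back: UDP to the
            # endpoint is dropped on the path (no port forward in front of a
            # private WAN address, or the ISP filtering the UDP port).
            verdicts[ep] = "no_reply"
        elif attempts * REKEY_TIMEOUT >= REKEY_ATTEMPT_TIME:
            verdicts[ep] = "gave_up"     # initiator stopped retrying after 90 s
        else:
            verdicts[ep] = "stale"       # still retrying, old session expired
    return verdicts


# Constructed sample data; NOW is pinned so the example is deterministic.
NOW = 1702281672
SAMPLE_LOG = [
    "Handshake for peer 1 (203.0.113.10:13231) did not complete after 5 seconds, retrying (try 16)",
    "Handshake for peer 1 (203.0.113.10:13231) did not complete after 5 seconds, retrying (try 17)",
    "Handshake for peer 2 (198.51.100.7:13231) did not complete after 5 seconds, retrying (try 2)",
]
SAMPLE_DUMP = "\n".join([
    "\t".join(["(hidden)", "PUBKEY_IFACE", "13231", "off"]),
    "\t".join(["PUBKEY_A", "(none)", "203.0.113.10:13231", "10.10.10.3/32", "0", "0", "3776", "25"]),
    "\t".join(["PUBKEY_B", "(none)", "198.51.100.7:13231", "10.10.10.4/32", str(NOW - 40), "81344", "66320", "25"]),
])


def run_example():
    return triage(parse_wg_dump(SAMPLE_DUMP), parse_handshake_log(SAMPLE_LOG), NOW)


if __name__ == "__main__":
    for ep, verdict in run_example().items():
        print(f"{ep:<24} {verdict}")
```

On a real client replace the constructed samples with `journalctl -k | grep Handshake` and `sudo wg show wg0 dump`. A `no_reply` verdict on exactly the ISP that fails, with `ok` from another connection, is the evidence that distinguishes a path/ISP problem from a configuration problem on either WireGuard peer.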

I suspect one of the peers is not on a fixed IP but a dynamic IP (normal or CGNAT)?
Set the keep-alive time on that peer to 25s.
Then see what happens.

I don't like to suspect, guess or speculate. I am not an investor! ;-PP

Please provide facts/evidence:
/export file=anynameyouwish (minus router serial number, public WAN IP information, keys etc.)

Additionally, the client devices' WireGuard settings would be necessary to review.

Here is the WireGuard configuration for one peer:

[Interface]
PrivateKey = -------------------------------
Address = 10.10.10.3/32

[Peer]
PublicKey = -----------------------------------------
AllowedIPs = 10.10.10.0/24, 10.10.0.0/24, 172.16.10.0/22
Endpoint = DDNS:13231
PersistentKeepalive = 25

and it works fine when connecting using, for example, the internet connection from company XX, and it drops when connecting through the internet from company YY.

# dec/11/2023 10:01:12 by RouterOS 7.8
# software id = BZL3-5HPC
# model = RB4011iGS+5HacQ2HnD
# serial number = HW910DXSMZ2
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp comment=local name=ether1-local
set [ find default-name=ether2 ] name=ether2
set [ find default-name=ether6 ] comment=wan
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] distance=indoors frequency=auto installation=indoor mode=station-pseudobridge ssid=MikroTik-C0E3AF wireless-protocol=nv2-nstreme-802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-52516A wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=WG1
add disabled=yes listen-port=13233 mtu=1420 name=WG2
/interface vlan
add arp=proxy-arp interface=ether5 name=vlan10 vlan-id=10
add interface=ether10 name=vlan99 vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,3des name=Ipsecp2p
/ip ipsec peer
add address=xxxxxxxxxxxx disabled=yes name=B2 profile=Ipsecp2p
/ip ipsec proposal
add auth-algorithms=sha256,sha1 disabled=yes enc-algorithms=aes-256-cbc,aes-192-cbc name=p2pproposal1
/ip pool
add name=dhcp_server_main ranges=172.16.10.50-172.16.11.200
add name=dhcp_pool2 ranges=172.16.10.2-172.16.10.62
add name=dhcp_pool6 ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether1-local lease-time=3d10m name=Main-dhcp
add address-pool=dhcp_pool2 interface=vlan10 lease-time=3d10m name=Server-dhcp
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add change-tcp-mss=yes name=VPNp2p use-encryption=yes
add name=Site2Site
/system logging action
set 0 memory-lines=10000
set 3 remote=172.16.10.159
/ip firewall connection tracking
set udp-timeout=20s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=wlan1 list=WAN
add interface=ether1-local list=LAN
add interface=ether2-student list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=WAN
add interface=ether7 list=WAN
add interface=ether8 list=WAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=wlan2 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256-cbc require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=chap,mschap2
/interface sstp-server server
set authentication=chap,mschap2 default-profile=Site2Site enabled=yes
/interface wireguard peers
add allowed-address=10.10.0.3/24 interface=WG1 public-key="xxxxxxxxxxxxxxxxxx"
add allowed-address=10.10.10.4/32 interface=WG1 public-key="xxxxxxxxxxxxxxxxxxxxxx"
add allowed-address=10.10.10.11/32 interface=WG1 public-key="xxxxxxxxxxxxxxxxxxxxx"
/ip address
add address=172.16.10.1/23 interface=ether1-local network=172.16.10.0
add address=10.10.1.2/24 interface=ether6 network=10.10.1.0
add address=172.16.1.1/24 disabled=yes interface=ether1-local network=172.16.1.0
add address=10.10.0.1/24 interface=vlan10 network=10.10.0.0
add address=10.10.10.1/24 interface=WG1 network=10.10.10.0
/ip arp
add address=10.10.0.20 interface=ether1-local mac-address=10:29:56:36:8A:4c
add address=10.10.0.22 interface=ether1-local mac-address=11:19:51:15:81:2E
add address=10.10.0.21 interface=ether1-local mac-address=B1:9A:4C:A0:60:54
/ip cloud
set ddns-enabled=yes ddns-update-interval=3m
/ip dhcp-client
add comment=defconf interface=ether1-local
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
add address=172.16.10.0/23 dns-server=172.16.10.1 gateway=172.16.10.1
/ip dns
set allow-remote-requests=yes servers=10.10.1.1,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.99.99 comment=defconf name=router.lan
/ip firewall address-list
add address=172.16.10.0/23 list=local
add address=10.10.0.0/24 disabled=yes list=local
add address=172.16.20.0/22 list=local
/ip firewall filter
add action=drop chain=input comment="Protect DNS" dst-port=53 in-interface=ether6 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="local LANs masquerade" dst-address-list=!local src-address-list=local to-addresses=10.10.1.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.10.10.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=172.16.20.0/22 gateway=172.16.99.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add local-address=10.10.90.1 name=Emaan profile=VPNp2p remote-address=10.10.90.254 service=ovpn
add local-address=172.16.99.3 name=b0 profile=Site2Site remote-address=172.16.99.4 service=sstp
/system clock
set time-zone-name=Asia/Riyadh
/system identity
set name=FW1
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
set 1 action=disk
set 3 action=disk
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=time.windows.com
add address=pool.ntp.org
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


What else can I provide?

Thanks for your replies, though.

(1) Why the duplicate??

[Interface]
PrivateKey = -------------------------------
Address = 10.10.10.3/32
[Peer]
PublicKey = -----------------------------------------
AllowedIPs = 10.10.10.0/24, 10.10.0.0/24, 172.16.10.0/22
Endpoint = DDNS:13231
PersistentKeepalive = 25

  1. Please provide a diagram, because your LAN and WAN don't make any sense…
    You have no bridge, some assorted random VLANs, and then IPs randomly assigned to some ports while some ports have nothing. It LACKS structure, such that I have no clue what you are doing.

Hello again

I am attaching this diagram; I hope it helps.

https://drive.google.com/file/d/1My8tSUdKq5z1-iCfncun9OwbYMLK7sSD/view?usp=drive_link

Thanks for your reply.

Nope, the diagram is not accessible…
and you didn't answer the question asked?

Hello

I am terribly sorry, I didn't notice the question.

So there are no duplicates; these are two different network subnets. I use one with the server and the other subnet with the WireGuard interface. Are there any wrong configurations in them?

And here's the diagram again:

https://drive.google.com/file/d/1EwJzlTwbqDSj3dAArzVHCrD3-9g-gx1A/view?usp=sharing

Thanks for your help and reply.

You did not give details of which country. Many countries now block VPNs. If you live in such a country, that means they have started blocking. Another variant: a specific ISP blocks it. First of all you should talk to the ISP where it is not working and get an official answer about the open port or DPI hardware. Only then look into your router.

If it started a week ago without touching the config, then absolutely obviously the issue is not on your side.

Okay, looking at the diagram you have:

  1. An ISP providing you with a private IP address, 10.10.1.2.
    So you do not have a public IP address?
    Can the ISP router forward the WireGuard port to your router??

  2. You have no firewall rules. WHY??

  3. You have three pools listed and this doesn't match the VLANs in the diagram at all… in fact, you have two pools that overlap:
    /ip pool
    add name=dhcp_server_main ranges=172.16.10.50-172.16.11.200
    add name=dhcp_pool2 ranges=172.16.10.2-172.16.10.62
    add name=dhcp_pool6 ranges=10.10.0.2-10.10.0.254

and the very next line indicates a DHCP server accessing a dhcp_pool1:
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether1-local lease-time=3d10m name=\

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So nothing in the config and the diagram makes sense to me…

Do you have enough ports for each VLAN? If not, use a bridge, assign all VLANs to the bridge and go from there…
Why is wlan1 a WAN interface? You have two WAN interfaces???
Why is sfp-sfpplus1 a LAN member but a disabled interface??

Why do you have two ether1s defined… get rid of the disabled one, it just adds confusion:
add address=172.16.10.1/23 interface=ether1-local network=172.16.10.0
add address=10.10.1.2/24 interface=ether6 network=10.10.1.0
add address=172.16.1.1/24 disabled=yes interface=ether1-local network=
172.16.1.0

Why is this in static DNS setting?
/ip dns static
add address=192.168.99.99 comment=defconf name=router.lan

Don't understand your masquerade rules…
You fail to identify out-interface=ether6 anywhere??
The first rule is WRONG; if you want to assign a fixed IP, the method is incorrect.
The second is disabled, more confusing stuff to remove.
/ip firewall nat
add action=masquerade chain=srcnat comment="local LANs masquerade" dst-address-list=!local src-address-list=local to-addresses=10.10.1.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.10.10.0/24

It's either
add action=masquerade chain=srcnat out-interface=ether6 (dynamic, but can be used for static)
or
add action=src-nat chain=srcnat out-interface=ether6 to-addresses=10.10.1.2
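The pool overlap, the dhcp_pool1 reference and the masquerade rule called out in the post above are all mechanical properties of the export, so they can be checked rather than eyeballed. As an added example (not part of the thread and not a MikroTik tool), the Python script below parses the relevant `/ip pool`, `/ip dhcp-server` and `/ip firewall nat` fragments of the posted export, handling RouterOS's backslash line continuations, and reports overlapping pool ranges, DHCP servers that reference an undefined pool, and srcnat rules that either put `to-addresses` on a masquerade action or name no out-interface. The sample export text is constructed from the values quoted in the thread; the check names and the `lint()` result keys are the script's own.

```python
"""Lint a RouterOS export for overlapping pools, dangling pool refs and odd srcnat rules."""
import ipaddress
import re

# key=value tokens on an `add` line; values may be double-quoted.
TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def join_continuations(text):
    """Rejoin lines that RouterOS `/export` wrapped with a trailing backslash."""
    out, buf = [], None
    for raw in text.splitlines():
        piece = raw.lstrip() if buf is not None else raw  # continuation lines are indented
        if piece.endswith("\\"):
            buf = (buf or "") + piece[:-1]
            continue
        out.append((buf or "") + piece)
        buf = None
    return out


def parse_export(text):
    """Return {section path: [ {key: value, ...} for each `add` line ]}."""
    sections, current = {}, None
    for line in join_continuations(text):
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append({k: v.strip('"') for k, v in TOKEN.findall(line)})
    return sections


def pool_ranges(entry):
    """Expand 'a-b,c-d' (or a single address) into [(int_lo, int_hi), ...]."""
    spans = []
    for part in entry["ranges"].split(","):
        lo, _, hi = part.partition("-")
        a, b = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi or lo))
        spans.append((min(a, b), max(a, b)))
    return spans


def find_pool_overlaps(pools):
    """Pairwise range intersection; returns (pool1, pool2, 'lo-hi') per overlap."""
    hits = []
    for i, p in enumerate(pools):
        for q in pools[i + 1:]:
            for lo1, hi1 in pool_ranges(p):
                for lo2, hi2 in pool_ranges(q):
                    lo, hi = max(lo1, lo2), min(hi1, hi2)
                    if lo <= hi:
                        hits.append((p["name"], q["name"],
                                     f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"))
    return hits


def undefined_pool_refs(sections):
    """DHCP servers whose address-pool is not defined under /ip pool."""
    defined = {p["name"] for p in sections.get("/ip pool", [])}
    return [(s.get("name"), s.get("address-pool")) for s in sections.get("/ip dhcp-server", [])
            if s.get("address-pool") not in defined]


def nat_rule_issues(sections):
    """(rule index, problem) for srcnat rules; masquerade derives the source address
    from the outgoing interface, so a fixed address needs action=src-nat instead."""
    issues = []
    for i, r in enumerate(sections.get("/ip firewall nat", [])):
        if r.get("chain") != "srcnat":
            continue
        if r.get("action") == "masquerade" and "to-addresses" in r:
            issues.append((i, "to-addresses on a masquerade rule; use action=src-nat for a fixed address"))
        if not any(k in r for k in ("out-interface", "out-interface-list")):
            issues.append((i, "srcnat rule does not name an out-interface"))
    return issues


def lint(text):
    sections = parse_export(text)
    return {
        "pool_overlaps": find_pool_overlaps(sections.get("/ip pool", [])),
        "undefined_pools": undefined_pool_refs(sections),
        "nat_issues": nat_rule_issues(sections),
    }


# Constructed sample: the fragments of the thread's export, as RouterOS would wrap them.
SAMPLE_EXPORT = """\
/ip pool
add name=dhcp_server_main ranges=172.16.10.50-172.16.11.200
add name=dhcp_pool2 ranges=172.16.10.2-172.16.10.62
add name=dhcp_pool6 ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether1-local lease-time=3d10m name=\\
    Main-dhcp
add address-pool=dhcp_pool2 interface=vlan10 lease-time=3d10m name=\\
    Server-dhcp
/ip firewall nat
add action=masquerade chain=srcnat comment="local LANs masquerade" \\
    dst-address-list=!local src-address-list=local to-addresses=10.10.1.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.10.10.0/24
"""

if __name__ == "__main__":
    for key, findings in lint(SAMPLE_EXPORT).items():
        print(key, findings)
```

Run against the full export the overlap reported is 172.16.10.50-172.16.10.62, shared by dhcp_server_main and dhcp_pool2, and Main-dhcp is flagged for pointing at the nonexistent dhcp_pool1. The checks are deliberately narrow; they confirm the reviewer's three observations and nothing else.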

@anav, so it works by accident rather than not works by accident? Cool.

If 13231 is the default WG port number then yes, change it to something else, like 15689, and perhaps that will help. The rest are config issues, not WG-related, I don't think.