WireGuard not working

Hello
I have a problem with WireGuard, I cannot find and explain it, and it is strange.

RB3011, WireGuard server, with public IP:

/interface wireguard
add comment=LoraGateways listen-port=56658 mtu=1420 name=wireguard2

/interface wireguard peers
add allowed-address=20.99.99.1/24 comment="LoraGateway1" endpoint-port=56658 interface=wireguard2 is-responder=yes name=Lora1_Gateway persistent-keepalive=30s public-key="Q35lC4z6H9P8IlAwQNDIb81YaoKk2KZcHJf+41kNhBM="
add allowed-address=20.99.99.4/24 comment="LoraGateway4" endpoint-port=56658 interface=wireguard2 is-responder=yes name=Lora4_Gateway persistent-keepalive=30s preshared-key="MJOA/fprZCthgz3WC0PeQWsN06s7JhXEN6q/oPLTl0o=" public-key="Er5ohu9TAUQ5NZmvuGE5VN2hhYdI9xZLXhtCaYSPBxM="
add allowed-address=20.99.99.2/24 comment="LoraGateway2" endpoint-port=56658 interface=wireguard2 is-responder=yes name=LoraGateway2 persistent-keepalive=30s preshared-key="2J/eF3HaH+SZv9ITwS+u4ifrkNLqO3FfqpEub2sYKG0=" public-key="hsePqlq552j86MRayoiBHfNMy/MWMetnXuZCEKHp3F4="
add allowed-address=20.99.99.3/24 comment="LoraGateway3" endpoint-port=56658 interface=wireguard2 is-responder=yes name=LoraGateway3 persistent-keepalive=30s public-key="Xm3Uiafrh9CsrbVsWjZNoSbgC819hjJrf48PpjDF0k0="

/ip address
add address=20.99.99.254/24 interface=wireguard2 network=20.99.99.0
add address=192.168.200.1/24 comment=Security+Management interface=vlan20 network=192.168.200.0

/ip firewall filter
add action=accept chain=forward comment=IoT src-address=20.99.99.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="WireGuard LoraWan" src-address=20.99.99.0/24
/ip route
add dst-address=10.99.99.0/24 gateway=wireguard2


Site 1 (MikroTik LoraGateway1), no public IP

/interface wireguard
add listen-port=56658 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=20.99.99.254/24,192.168.200.0/24 endpoint-address=77.105.63.227 endpoint-port=56658 interface=wireguard1 name=Server-Lora persistent-keepalive=30s public-key="BWzbgLQaTKU+R0ewRJ9yRLVlsN8XV50ke+Qnv/rRDz4="

/ip address
add address=20.99.99.1/24 interface=wireguard1 network=20.99.99.0

/ip route
add disabled=no dst-address=192.168.200.0/24 gateway=wireguard1 routing-table=main suppress-hw-offload=no

Site 2 (MikroTik LoraGateway2), no public IP

/interface wireguard
add listen-port=56658 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=20.99.99.254/24,192.168.200.0/24 endpoint-address=77.105.63.227 endpoint-port=56658 interface=wireguard1 name=Server-LoraWAN persistent-keepalive=30s preshared-key="2J/eF3HaH+SZv9ITwS+u4ifrkNLqO3FfqpEub2sYKG0=" public-key="BWzbgLQaTKU+R0ewRJ9yRLVlsN8XV50ke+Qnv/rRDz4="

/ip address
add address=20.99.99.2/24 interface=wireguard1 network=20.99.99.0

/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.200.0/24 gateway=wireguard1 routing-table=main suppress-hw-offload=no

The other 2 sites are the same…

WireGuard is up, there is a tunnel between the server and all 4 peers, but routing is the problem.
From the server (20.99.99.254) I can ping all peers, in the best case 1-2. The same setup is on all 4 peers.

What is the problem? Is it my bad understanding, or does MT not work the way it needs to?

Also tried this:
Site 1 (MikroTik LoraGateway1), no public IP

/interface wireguard
add listen-port=56658 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=20.99.99.0/24,192.168.200.0/24 endpoint-address=77.105.63.227 endpoint-port=56658 interface=wireguard1 name=Server-Lora persistent-keepalive=30s public-key="BWzbgLQaTKU+R0ewRJ9yRLVlsN8XV50ke+Qnv/rRDz4="
on all peers and still the same,
and like this:

Site 1 (MikroTik LoraGateway1), no public IP

/interface wireguard
add listen-port=56658 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=20.99.99.254/30,192.168.200.0/24 endpoint-address=77.105.63.227 endpoint-port=56658 interface=wireguard1 name=Server-Lora persistent-keepalive=30s public-key="BWzbgLQaTKU+R0ewRJ9yRLVlsN8XV50ke+Qnv/rRDz4="

Same…

Any help?

The idea is to have access to all 4 peers from the server, and for the peers to have access to the local network 192.168.200.0/24.

Based on what have you concluded this? The WireGuard interfaces are always shown as Running, even if no peers are configured. So it requires sniffing to determine whether the communication between the peers has indeed been established.


I don't know whether you are nervous or typing on a phone with spellchecker off, but apart from a lot of typos, sometimes I feel as if some "not" was missing (a sentence "I can ping all peers, in the best case 1-2" does not make much sense). So I'm not sure what issues you actually encounter. Your WireGuard related setup seems fine to me, so from the "hub" peer, you should be able to ping all 4 of the "spoke" peers if pinging their 20.99.99.x addresses from the 20.99.99.254 address or any 192.168.200.x one (as these are on the allowed-address lists in the configurations of spoke devices).

There are other issues in your setup that need to be clarified and fixed, but this basic functionality of pinging between the peers themselves has to work first, so let's make sure it does and then we can move further.

Hello
Sorry for the grammar.

If I ping from 10.99.99.254 (server) peer 20.99.99.1: no reply
If I ping from 10.99.99.254 (server) peer 20.99.99.2: no reply
If I ping from 10.99.99.254 (server) peer 20.99.99.3: I have a reply
If I ping from 10.99.99.254 (server) peer 20.99.99.4: I have a reply

From all peers I have a handshake.

Then I change in the WireGuard peers setup on the server "allowed-ips: 20.99.99.0/24" and the ping stops on peers 3, 4 and works on 1, 2. Never on all 4.

There is no reason that the tunnel doesn't work on all 4; the same settings are on all peers.
peers.png

No need to say sorry, I was just explaining where my uncertainty regarding what is the actual issue comes from.

In your OP, you've mostly used **2**0.99.99.x, now you show to be pinging **1**0.99.99.x. Could it be as simple as having a typo on the first two peers? I have seen a manually added route towards **1**0.99.99.0/24 via wireguard2 on the "hub" router although a route to **2**0.99.99.0/24 has been added dynamically as you have attached **2**0.99.99.254/24 to the interface so I was wondering what the reason was. Maybe there is a typo in the configuration of "spoke" peers 1 and 2 (or of "spoke" peers 3 and 4, I have no idea which variant is "correct" as in "intended", but **2**0.99.99.x is a public address whereas **1**0.99.99.x is a private one)?

[Backup-Ruter] > ping 20.99.99.3
SEQ HOST SIZE TTL TIME STATUS
0 20.99.99.3 56 64 3ms752us
1 20.99.99.3 56 64 3ms830us
sent=4 received=4 packet-loss=0% min-rtt=3ms680us avg-rtt=3ms797us
max-rtt=3ms928us

[Backup-Ruter] > ping 20.99.99.2
SEQ HOST SIZE TTL TIME STATUS
0 20.99.99.2 timeout
1 20.99.99.2 timeout
sent=2 received=0 packet-loss=100%

[Backup-Ruter] > ping 20.99.99.1
SEQ HOST SIZE TTL TIME STATUS
0 20.99.99.1 timeout
1 20.99.99.1 timeout
sent=2 received=0 packet-loss=100%

[Backup-Ruter] > ping 20.99.99.4
SEQ HOST SIZE TTL TIME STATUS
0 20.99.99.4 timeout
1 20.99.99.4 timeout
sent=2 received=0 packet-loss=100%

I am tired, so I wrote 10.xx.xx.xx instead of 20.xx.xx.xx

Strictly speaking both 20.99.99.254/30 and 20.99.99.254/24 are incorrect ways to express the 30-bit prefix 20.99.99.252 and the 24-bit prefix 20.99.99(.xx), respectively, but the WireGuard configuration is apparently not that picky and accepts these formats, treating them the same as the formally correct ones. So I start inclining to an assumption that it is not the difference in contents of the allowed-address list that has an effect but the process of changing it. How do you reach the "spoke" devices, and are they each behind a different public address?

Each of the 4 devices (peers) is behind a different IP address and behind NAT. So I enabled on the server side (RB3011) responder=yes and didn't input anything for the endpoint, so the connection is "initiated" from the peer side to the public IP of the server.

I access the peers (for now) over RoMON. I have access to a MT router at every one of the 4 locations (where the peers are), so I access the main MT (at the location) over RoMON and then the peers (devices).
The idea is to connect the peers directly to my main MT (RB3011) over WireGuard; it is fast and secure, and I don't have to care if someone changes something on the location network…

/32 and /30 I just tried to be sure that WireGuard on MT doesn't use it explicitly. But /24 is ok. So 20.99.99.254/24 (server) and 20.99.99.(1),(2),(3),(4)/24 must work. I think that MT for some reason can't use more peers behind NAT… WireGuard on Ubuntu works in this scenario, but on MT it doesn't.
So either it is a MT firmware problem or SOME specific firewall rule or peer setup needs to be done, which I miss or don't know about.

BTW all 5 devices (server and peers) are on the latest version 7.15.3

So, if someone has a config that works in these conditions, please post it so I can try to change mine.

Grrr… I’ve got it in front of my eyes all the time.

The mistake is the /24 masks in the allowed-address lists on the "hub" device. Change 20.99.99.1/24 to 20.99.99.1/32, 20.99.99.2/24 to 20.99.99.2/32 and so on and you'll be good. The thing is that when the virtual WireGuard router receives a packet from the main router via a particular WireGuard interface, it matches its destination address to the allowed-address lists of all the peers attached to that interface, from the first peer to the last one until the first match. So with the current settings, where allowed-address of all the peers is effectively 20.99.99.0/24, the virtual router sends a ping for any of the .1 .. .4 addresses to the first peer.
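A small Python model of the matching described in the post above, added here as an illustration; it is not code from this thread or from RouterOS. It takes the hub's four peers with the original /24 allowed-address entries and then with the suggested /32 entries, resolves each spoke address to the peer the hub would encrypt it for, and also shows the spoke-side inbound check (a decrypted packet is only accepted if its source lies inside the sending peer's allowed-address list). Longest-prefix match with "first configured peer wins" on a tie is a simplifying assumption of the model, as are the function names; the peer names and addresses are the thread's own.

```python
import ipaddress

# Constructed from the thread: the hub's peer table, first with the /24
# masks of the original configuration, then with the /32 masks of the fix.
# List order follows the order in which the peers were added on the hub.
HUB_PEERS_BROKEN = [
    ("Lora1_Gateway", ["20.99.99.1/24"]),
    ("Lora4_Gateway", ["20.99.99.4/24"]),
    ("LoraGateway2",  ["20.99.99.2/24"]),
    ("LoraGateway3",  ["20.99.99.3/24"]),
]

HUB_PEERS_FIXED = [
    ("Lora1_Gateway", ["20.99.99.1/32"]),
    ("Lora4_Gateway", ["20.99.99.4/32"]),
    ("LoraGateway2",  ["20.99.99.2/32"]),
    ("LoraGateway3",  ["20.99.99.3/32"]),
]

# Spoke side: a single peer (the hub) with the /24 used in the thread.
SPOKE_PEERS = [("Server-Lora", ["20.99.99.254/24", "192.168.200.0/24"])]


def _networks(allowed):
    # strict=False accepts host-form entries such as 20.99.99.1/24, which the
    # thread notes WireGuard silently treats as the prefix 20.99.99.0/24.
    return [ipaddress.ip_network(a, strict=False) for a in allowed]


def select_peer(peers, dst):
    """Return the peer an outbound packet to `dst` is encrypted for.

    Modelling assumption (simplified from real cryptokey routing): the
    longest matching allowed-address prefix wins; on an exact tie the peer
    configured first wins.  Returns None when no peer claims the address.
    """
    dst = ipaddress.ip_address(dst)
    best = None  # (prefixlen, peer_name)
    for name, allowed in peers:
        for net in _networks(allowed):
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return None if best is None else best[1]


def accept_inbound(peers, peer_name, src):
    """Inbound check: a decrypted packet from `peer_name` is accepted only if
    its source address is inside that peer's allowed-address list."""
    src = ipaddress.ip_address(src)
    for name, allowed in peers:
        if name == peer_name:
            return any(src in net for net in _networks(allowed))
    return False


def routing_table(peers):
    """Map each spoke address .1 to .4 to the peer the hub would send it to."""
    return {f"20.99.99.{h}": select_peer(peers, f"20.99.99.{h}")
            for h in (1, 2, 3, 4)}


if __name__ == "__main__":
    # With /24 on every peer all four addresses collapse onto one peer, so
    # pings to the other three spokes are encrypted for the wrong tunnel.
    print("broken:", routing_table(HUB_PEERS_BROKEN))
    # With /32 each address maps to its own peer.
    print("fixed: ", routing_table(HUB_PEERS_FIXED))
    # The spoke has only one peer, so its wide /24 cannot shadow anything.
    print("spoke accepts hub .254:",
          accept_inbound(SPOKE_PEERS, "Server-Lora", "20.99.99.254"))
    print("spoke accepts LAN host:",
          accept_inbound(SPOKE_PEERS, "Server-Lora", "192.168.200.10"))
```

Running it prints the "broken" table with every spoke address resolving to Lora1_Gateway and the "fixed" table with one distinct peer per address; the same function also shows why the spoke side tolerates the loose /24, since with a single peer there is nothing else for the prefix to overlap.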

So, I changed it, on the server side and on the peer side:

Server side:                      Peer side:
Peer 1  allowed-ips: 20.99.99.1/32  allowed-ips: 20.99.99.254/32, 192.168.200.0/24
Peer 2  allowed-ips: 20.99.99.2/32  allowed-ips: 20.99.99.254/32, 192.168.200.0/24
Peer 3  allowed-ips: 20.99.99.3/32  allowed-ips: 20.99.99.254/32, 192.168.200.0/24
Peer 4  allowed-ips: 20.99.99.4/32  allowed-ips: 20.99.99.254/32, 192.168.200.0/24

IP address wireguard2=20.99.99.254/24   IP address wireguard1=20.99.99.(1)(2)(3)(4)/24

Now, ping works on 3 peers (1, 2 and 4); peer 3 doesn't.
On those 3 (working: 1, 2, 4) I have ping in both directions, from server to peer and the opposite.
On peer 3, I don't have any (from server to peer or the opposite).

[Backup-Ruter] > ping 20.99.99.3
SEQ HOST SIZE TTL TIME STATUS
0 126 (No error information)
0 20.99.99.254 84 64 426us host unreachable
1 126 (No error information)
1 20.99.99.254 84 64 437us host unreachable
2 126 (No error information)
2 20.99.99.254 84 64 558us host unreachable
3 126 (No error information)
3 20.99.99.254 84 64 420us host unreachable
sent=4 received=0 packet-loss=100%

At this stage I've got no other idea than checking one more time that there is no typo in the settings of the .2 and .3 peers in the central site configuration, as .2 may shadow the .3 due to a typo in the mask (e.g. /3**1** instead of /3**2**) and the .3 may be just wrong (something similar to 20.99.9**8**.3/32).

On the remote devices, 20.99.99.x/24 was as fine as 20.99.99.254/32 since there is no other peer than the central router, so nothing to get shadowed.

Hm, strange…
I changed something in the WireGuard setup of the peer on the server side (for peer 3). I just changed PresharedKey to auto, and after that put it back to none. So after "refreshing the tunnel" everything works. Now all is ok, all pings are valid. It must be that all the setup and changes messed something up…
Now I understand the logic of the config, and why it didn't work.
If I don't put a strict rule on allowed-ips (on the server side xx.xx.xx.xx/32) the server can't understand what to do with every peer connection, because xx.xx.xx.xx/24 is the same network FOR ALL peers. The peer side, like you wrote, is not a problem because it has just one.

Now this is solved. And I learned something new and useful.

MANY THANKS MAN, you rock