Wireguard and iOS

I have Wireguard working on:
Tik to Tik.
Windows to Tik
Android to Tik

Every iOS device fails.

Anyone using iOS devices with Mikrotik Wireguard successfully?

Yes, do you want to Skype, Discord, TeamViewer? Nothing but the best for you!!

Completely flawless on a few iPhones and iPads.

https://www.wireguardconfig.com/qrcode

The same config on an Android works.

Yet Apple Devices just stare at me.

You kill me, do not use crutches LOL.
Do you or do you not have a public IP at the MT router, or can you at least forward a port from the ISP router?
If you do, ditch any attempt to use QR code quickies, and config from knowledge.

Co Hort was using QR codes.

I used the same page and my android phone works fine. Yet his iPhone doesn’t pass any traffic. (Or show a connection as I stare at the router.)

Public IP is not an issue.

[Interface]
PrivateKey = Hidden
Address = 192.168.99.32/32
DNS = 8.8.8.8

[Peer]
PublicKey = Hidden
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = BlahBlah.sn.mynetname.net:13231

Was away from the keyboard.


………

???

What’s that mean?

Must have missed it.

I don’t have/use discord.

I appreciate the offer though.

I was trying to get Wireguard to work on his Mac and that didn’t work either.

He has Windows on that computer and Wireguard works fine.

Exported his tunnels to the Mac side… And they don’t work.

Anav,

Could you copy-paste me a config file that works on a Mac?

Like I typed… I can’t even get an imported tunnel to work.

Pro tip: Use ZeroTier for a way easier life without worrying about public IPs and all that. :wink:

Larsa

Integrator ignored me and required this site to use 192.168.1.0/24.

Which would cause an issue at most residential sites.

Next issue would be that Zerotier changed their pricing dramatically and will probably cancel my account when renewal comes up. I am on the old price schedule. They contacted me a while ago and wanted to increase my fees by a factor of 10.

So not looking to add anything more to Zerotier as it may get yanked away.

Wireguard starts up and roams from connection to connection really, really fast. So I prefer to use that.

I just don’t have any Mac devices to test against anymore.

Plus I hate to reinvent the wheel rather than use the “standard settings”.

I spend maybe 20 seconds adding Wireguard clients to servers.

Sadly I have spent a few hours with this APPLE ISSUE.

Anav… I do have TeamViewer.

Okay, I didn’t quite catch the main issue you’re facing but ZeroTier is free for personal use with unlimited networks up to 25 devices anyway and the commercial licenses are among the cheapest out there.

As for Wireguard, I’ve never really had any issues with Apple devices and the only problem I’ve run into before was the lack of public IPv4 addresses. But that’s all in the past now that we’ve switched to SD-WAN, both at home and work. Hassle-free networking FTW! :wink:

EDIT:
If you’re not a fan of ZeroTier there are tons of other options out there, both open source and commercial.

Larsa,

I was a huge fan of it… When it was $500 a year.

If you check around… About a year ago Zerotier started reaching out to users and telling us they wanted to change the yearly to $7000 or more.

As I stated… I don’t have an issue with public IPs.

Also configurations that work on Windows and Android don’t work at all on Apple devices.

I used to have Apple devices to test things on. But I have not needed any of them in years. And they were a waste of my time and money.

Routing, switching, wireless. That’s what I am supposed to focus on.

This is a one-off in which the integrator who brought me in needed to replace the router in a fairly “messy residential install”. Rather than rebuild the subnets and reassign the hardware devices… I had to match the old router’s settings.

The issue arose when we found out the customer had been using OpenVPN to view his cameras when away from home.

Since OpenVPN was broken and not properly supported in Mikrotik for over a decade… I had always used L2TP+IPSec. When Wireguard was added to RouterOS 7 I started to move everything over.

I tested L2TP+IPSec yesterday on Mac devices… And they worked just fine. Now the issue becomes “well, we told the customer about how you said Wireguard is so much more efficient. So now we are stuck.”

Have you tried 0.0.0.0/0? Yes, I’m aware of the longest-prefix /1 trick, but the question stands.

Alternately, try checking the WG client’s “Exclude private IPs” box, which will change this value to a long list that avoids tunneling access to RFC1918 addresses.

Is the remote using PresharedKey? If so, you need to provide it here.

Be assured, WireGuard works just fine on Apple devices. I’m typing this on a macOS laptop, and I’m submitting this post through a WG tunnel. This one happens to be terminated on a Linux server, but I’ve got other tunnels successfully terminated on a hAP ax³ running 7.15.2. I just retested that one with an iPhone before posting.
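The two AllowedIPs choices discussed in this reply can be checked offline. The example below is added here and is not code from the thread or from any WireGuard client: it derives the "long list" an "Exclude private IPs" option produces by carving the RFC1918 blocks out of 0.0.0.0/0 (assumption: those three blocks are the ones excluded), and it checks whether a given AllowedIPs line still covers all of IPv4, which is how the 0.0.0.0/1, 128.0.0.0/1 pair is meant to behave.

```python
import ipaddress

# RFC1918 ranges assumed to be what "Exclude private IPs" keeps out of the tunnel
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def allowed_ips_excluding(excluded, base="0.0.0.0/0"):
    """Return the minimal CIDR list covering `base` minus every block in `excluded`.

    Each exclusion splits the block that contains it into the largest
    surrounding prefixes; the result is the full-tunnel AllowedIPs line
    with private space carved out.
    """
    remaining = [ipaddress.ip_network(base)]
    for ex in excluded:
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                # address_exclude yields the pieces of net that do not overlap ex
                nxt.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # net lies entirely inside an excluded block: drop it
            else:
                nxt.append(net)
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def parse_allowed_ips(line):
    """Parse a comma-separated AllowedIPs value into network objects."""
    return [ipaddress.ip_network(part.strip()) for part in line.split(",") if part.strip()]


def covers_all_ipv4(line):
    """True when the AllowedIPs line routes every IPv4 address into the tunnel."""
    nets = parse_allowed_ips(line)
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total == 2 ** 32


def tunnels_private_space(line):
    """True when any RFC1918 address would be sent through the tunnel."""
    nets = parse_allowed_ips(line)
    return any(n.overlaps(p) for n in nets for p in RFC1918)
```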

Who uses those allowed IPs??

It’s standard for a WireGuard peer device (client for handshake).
It’s either:

a. wireguardsubnet,subnetA,subnetB where subnetA,B are on the local LAN of the MT device
b. 0.0.0.0/0 which is used if the clients wish to go out to the internet at the MT device and includes all items in a. if required.

No preshared keys

I asked Mike to try changing the 0.0.0.0/1 to 0.0.0.0/0