Wireguard annoying route problem

challado · February 9, 2023, 12:47pm

Hello all.
I have several sites to integrate using wireguard. Each site have your internal class C network (192.168.XXX) and all sites need to communicate with each other. I have configured a central point with address 192.168.10.1 and I have estabilished a OSPF PTMP route distribution with these router and all routes are installed OK from several another routers (192.168.10.x/24 network), but I have a annoying problem that makes me crazy! All allowed-address I have put the IP Address to the peer (on these case 192.168.10.X/32 on router to peer and on peer to router) and 0.0.0.0/0 on all peers.
On my case, I have a route to ip address 192.168.14.0/24 installed on router to ip 192.168.10.4 (the correct peer), but when I will traceroute to one ip address on these network, the peer 192.168.10.10 answer “unreachable route”. I don’t understand why! If I put on allowed-address the correct class from each route (example, allowed-peers on 192.168.10.4 as 192.168.10.1/32,192.168.14.0/24 and on 192.168.10.1 allowed-peers as 192.168.10.4,192.168.14.0/24) all works OK, but to mantain all allowed-address in all peers and central router will be impraticable.
Anyone can answer WHY mikrotik does not respect 0.0.0.0/0 and allow all traffic on tunnel? In linux all works OK (i made a test).

Znevna · February 9, 2023, 12:54pm

Less talk, more config.

anav · February 9, 2023, 1:03pm

First do you even understand how wireguard works…
Read first - https://forum.mikrotik.com/viewtopic.php?t=182340

First you need a clear plan,
Second a network diagram
Three set of users requirements that do not discuss config at all.
a. identify all users,devices, groups of users/devices, including admin
b. identify their required traffic flow
c. identify what they should not be able to do.

Then a logical efficient config can be found. Put in the work above and then as zvena indicated, FOR EACH MT Device involved…
/export file=anynameyouwish ( minus router serial number and any public WANIP information, keys etc. )

Then assistance can be rendered.

challado · February 9, 2023, 1:06pm

If you can’t understand the cenary with few lines, sorry for you. But, follow the configuration to help you with your difficulty to understand.
On central Router

/interface wireguard
add listen-port=14340 mtu=1420 name=wireguard-wg0
add listen-port=14341 mtu=1420 name=wireguard-wg1
/interface wireguard peers
add allowed-address=192.168.10.2/32,192.168.10.0/24,0.0.0.0/0 comment=“SITE A” interface=wireguard-wg0 persistent-keepalive=10s public-key=“aPublicKey”
add allowed-address=192.168.10.3/32,192.168.10.0/24,0.0.0.0/0 comment=“SITE B” interface=wireguard-wg0 persistent-keepalive=10s public-key=“aPublicKey”
add allowed-address=192.168.10.4/32,192.168.10.0/24,0.0.0.0/0 comment=“SITE C” interface=wireguard-wg0 persistent-keepalive=10s public-key=“aPublicKey”
add allowed-address=192.168.10.5/32,192.168.10.0/24,0.0.0.0/0 comment=“SITE D” interface=wireguard-wg0 persistent-keepalive=10s public-key=“aPublicKey”

On Peers
/interface wireguard
add listen-port=14340 mtu=1420 name=wireguard-CENTRALSITE
/interface wireguard peers
add allowed-address=192.168.10.1/32,192.168.10.0/24,0.0.0.0/0 endpoint-address=mycentralsite.dyndns.org endpoint-port=14340 interface=wireguard-CENTRALSITE persistent-keepalive=10s public-key=“aPublicKey”

/ip route print
Flags: D - DYNAMIC; I, A - ACTIVE; c, s, r, o, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE

DST-ADDRESS GATEWAY DISTANCE

…

DAr 192.168.5.0/24 192.168.128.2%wireguard-wg1 120
DAo 192.168.14.0/24 192.168.10.4%wireguard-wg0 110
DAo 192.168.17.0/24 192.168.10.11%wireguard-wg0 110
DAo 192.168.18.0/24 192.168.10..12%wireguard-wg0 110
DAo 192.168.19.0/24 192.168.10..13%wireguard-wg0 110
DAo 192.168.150.0/24 192.168.10.13%wireguard-wg0 110

anav · February 9, 2023, 1:12pm

Why are you wasting our time. Read the article, provide a diagram and put in an honest effort here if you want help, my help anyway.

challado · February 9, 2023, 1:42pm

I have put the configuration above. I won’t see any “wasting time” puting it on here, because a word to the wise is enough. It’s a mesh network using wireguard. All peers follow the same configuration posted on peer section.

eworm · February 9, 2023, 1:49pm

The problem is your central router having 192.168.10.0/24 in allowed addresses. It will map that to just one peer.

Oh, probably having 0.0.0.0/0 there causes the same problem. You should read about how allowed addresses works.

challado · February 9, 2023, 1:56pm

Thanks for your reply eworm. If I remove 192.168.10.0/24 from allowed-peers, the communication between routers are lost. All communications between central router and peers are OK and I need these communication because the peers need to communicate one with other.
My real problem is why mikrotik won’t obey the route received from OSPF from a one network (in these case 192.168.14.x/24) sending it to OTHER peer (in case, the route installed on main table go to 192.168.10.4 but 192.168.10.10 answer “ROUTE UNREACHABLE”).
In documentation (https://help.mikrotik.com/docs/display/ROS/WireGuard) says:

allowed-address (IP/IPv6 prefix; Default: ) List of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses.

JoshDi · February 9, 2023, 2:30pm

challado, to get the fastest support - its easiest if you can provide us with your complete configuration so that we can review and provide the changes necessary. Snippets of configuration omit key details that could be causing or contributing to the issues you are facing.

a network diagram would also be helpful so we can understand if all of the wireguard connections are to one router (many routers connecting via WG to one router) or if its more hub and spoke (routers connect to each other and then another router connect to that one)

one of the problems you may be facing is that you are using a /24, when you really need to use a /31 or /30 subnet for each wireguard instance. having multiple wireguard instances on the same subnet can cause problems like this.

please run one of the commands below (depending on which ROS version you are running). This will help get you the quickest help from the forum and an explaination what is wrong.

V6 firmware

/export hide-sensitive file=anynameyouwish

(minus router serial number, public WANIP information, keys etc )

V7 firmware

/export file=anynameyouwish

(minus router serial number, public WANIP information, keys etc )

challado · February 9, 2023, 2:34pm

Josh
Put the keys here, in my concern, can cause a chance to anyone have access to my keys. But I promess that I won’t repeat any key here. I have thinked to create several instances of wireguard but on Linux it works like a charm. But to solve problem I’ll do that.

JoshDi · February 9, 2023, 3:27pm

challado, to get the fastest support - its easiest if you can provide us with your complete configuration so that we can review and provide the changes necessary. Snippets of configuration omit key details that could be causing or contributing to the issues you are facing.

a network diagram would also be helpful so we can understand if all of the wireguard connections are to one router (many routers connecting via WG to one router) or if its more hub and spoke (routers connect to each other and then another router connect to that one)

one of the problems you may be facing is that you are using a /24, when you really need to use a /31 or /30 subnet for each wireguard instance. having multiple wireguard instances on the same subnet can cause problems like this.

Josh
Put the keys here, in my concern, can cause a chance to anyone have access to my keys. But I promess that I won’t repeat any key here. I have thinked to create several instances of wireguard but on Linux it works like a charm. But to solve problem I’ll do that.

put the keys in here? What? When you run either of those commands, you can remove those keys - we dont need those to help you diagnose. but we do need every configuration line so we can see if there are any firewall rule issues etc to help you debug.

there is no other information to help you further without the answers to the questions we are asking from you.

Run those commands, remove or mask the lines you are worried for security reasons (like your mikrotik serial number and WG keys). Or dont post the configuration - there is nothing else to comment on at this point.

challado · February 9, 2023, 3:54pm

Josh
Put the keys here, in my concern, can cause a chance to anyone have access to my keys. But I promess that I won’t repeat any key here. I have thinked to create several instances of wireguard but on Linux it works like a charm. But to solve problem I’ll do that.

put the keys in here? What? When you run either of those commands, you can remove those keys - we dont need those to help you diagnose. but we do need every configuration line so we can see if there are any firewall rule issues etc to help you debug.

there is no other information to help you further without the answers to the questions we are asking from you.

Run those commands, remove or mask the lines you are worried for security reasons (like your mikrotik serial number and WG keys). Or dont post the configuration - there is nothing else to comment on at this point.

Josh
My mikrotik does not have any firewall enabled (at the moment) and all installation are clean only running wireguard vpn. These device are buyed only to run wireguard.
But, as your suggestion, I create several wireguard interfaces, put every on wireguard instance a /31 network and now i’m testing. For these moment have solved the issue.