Hello everyone!
I am configuring a new router (RB5009UG+S+), and I can't configure the WireGuard VPN correctly.
My tunnel configuration for WireGuard is:
[Interface]
PrivateKey = xxxxxxxxxxxx
Address = 10.10.81.238/32
[Peer]
PublicKey = yyyyyyyyyyyyyy
AllowedIPs = 10.0.0.0/8
Endpoint = WIREGUARD_SERVER_IP:51820
I configured it in MikroTik as follows:
[admin@RT-MKT-01] > interface/wireguard/peers/print detail
Flags: X - disabled
0 interface=VPN
public-key="yyyyyyyyyyyyyyy"
endpoint-address=WIREGUARD_SERVER_IP endpoint-port=51820
current-endpoint-address=WIREGUARD_SERVER_IP current-endpoint-port=51820
allowed-address=10.0.0.0/8 rx=0 tx=0
[admin@RT-MKT-01] > interface/wireguard/print detail
Flags: X - disabled; R - running
0 R name="VPN" mtu=1420 listen-port=13231
private-key="xxxxxxxxxxxx"
public-key="zzzzzzzzzzzzzzzzz"
Finally, I added the IP (10.10.81.238) to an address list.
I tested this configuration on another MikroTik (hEX S) and it works; I don't know the difference in configuration, or whether I am missing a step.
Is there a way to get WireGuard logs in MikroTik? Is it a handshake error? Where can I see it?
Thanks for any information.
Might be easier if you show the full config of your router
/export file=anynameyouwish
Hide info like the serial number, public WAN IP, etc.
Then post it between code quotes for easier readability.
Did you open that port on your router for input?
Thanks holvoetn for your reply. I'm connecting this router to another WireGuard server; the other server accepts requests (I'm using it now on my PC, and the new MikroTik router is on a whitelist).
The only difference I have (I think) is that this router has 2 VLANs, but I actually don't know if this can cause these problems.
# model = RB5009UG+S+
/interface bridge
add ingress-filtering=no name=bridgeLan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-LAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAN
set [ find default-name=ether6 ] name=ether6-LAN
set [ find default-name=ether7 ] name=ether7-WAN-FLAN
set [ find default-name=ether8 ] name="ether8-WAN-IPLAN "
/interface wireguard
add listen-port=13231 mtu=1420 name="VPN"
/interface vlan
add interface=bridgeLan name="VLAN 40 ND MOBILE" vlan-id=40
/interface list
add name=WAN
add name=LANs
add name=VLANs
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=172.16.0.40-172.16.0.250
add name=dhcp_pool1 ranges=172.16.1.2-172.16.1.254
add name=dhcp_pool2 ranges=172.16.0.2-172.16.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface="VLAN 40 ND MOBILE" lease-time=10m \
name="Server-dhcp 2"
add address-pool=dhcp_pool2 allow-dual-stack-queue=no interface=bridgeLan \
lease-time=10m name=Server-dhcp1
/interface bridge port
add bridge=bridgeLan ingress-filtering=no interface=ether1-LAN
add bridge=bridgeLan ingress-filtering=no interface=ether2-LAN
add bridge=bridgeLan ingress-filtering=no interface=ether3-LAN
add bridge=bridgeLan ingress-filtering=no interface=ether4-LAN
add bridge=bridgeLan ingress-filtering=no interface=ether5-LAN
add bridge=bridgeLan ingress-filtering=no interface=ether6-LAN pvid=40
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridgeLan untagged=\
ether1-LAN,ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN,bridgeLan \
vlan-ids=1
add bridge=bridgeLan tagged=\
ether1-LAN,ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN,bridgeLan \
untagged=ether6-LAN vlan-ids=40
/interface list member
add interface="ether8-WAN-IPLAN " list=WAN
add interface=ether7-WAN-FLAN list=WAN
add interface=bridgeLan list=LANs
add interface="VLAN 40 ND MOBILE" list=VLANs
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.0/8 endpoint-address=WIREGUARD_SERVER_IP \
endpoint-port=51820 interface="VPN" public-key=\
"xxxxx"
/ip address
add address=PUBLIC_1/24 interface="ether8-WAN-IPLAN " network=\
PUBLIC_1_BROADCAST
add address=172.16.0.1/24 interface=bridgeLan network=172.16.0.0
add address=172.16.1.1/24 interface="VLAN 40 ND MOBILE" network=172.16.1.0
add address=10.10.81.238 interface="VPN" network=10.10.81.238
/ip dhcp-client
add add-default-route=no interface=ether7-WAN-FLAN
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=172.16.0.1
add address=172.16.1.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.16.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input comment="Enable ICMP" protocol=icmp
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
add action=passthrough chain=prerouting
add action=passthrough chain=forward
add action=passthrough chain=postrouting
/ip firewall nat
add action=masquerade chain=srcnat comment="ISP NAT" out-interface-list=WAN
add action=masquerade chain=srcnat comment="WireGuard VPN Nat" out-interface=\
"VPN"
/ip route
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=\
PUBLIC_2_GATEWAY pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PUBLIC_1_GATEWAY pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/system identity
set name=RT-MKT-01
/system note
set show-at-login=no
/system package update
set channel=testing
2 things I am missing (but it may be nothing):
- your WireGuard interface VPN is not part of any interface list (but that should not make any difference, since your firewall basically allows almost all traffic in the forward chain; I hope you have other measures in place to protect that device)
- you don't use the persistent-keepalive setting on the RB5009 (which is recommended for a "client" connecting towards a "server").
persistent-keepalive=25s
PS 10.0.0.0/8 is a WIDE range to allow !!??
Are you sure your public keys are correct on both ends?
Another thing: the nature of WireGuard is that it ALWAYS sends. Only when something comes back do you know it works.
From your output of "interface/wireguard/peers/print detail" I see it shows 0 tx.
Are you sure that the IP address and port of the server are correct and can be reached from that RB5009?
Last but not least, what ROS version do you have on that RB5009?
hahaha thanks for your considerations!
- For the WireGuard interface, I added it, but when I used "/export" it is not exported.
- Keepalive is not the problem, BUT! it gave me the solution: when I added the parameter, the connection automatically showed traffic, so I remembered I hadn't added a route xD (now it is working!)
- Yes, 10.0.0.0/8 is very large, but the real network is in another location and uses different sub-segments of 10.x.x.x; it is just to easily maintain and add new segments.
I'm testing and configuring this new router; the firewall rules are actually empty now, but if you have suggestions or any post/blog/data I can read to get a better security policy, I really, really appreciate it.
And again, thanks for your help.
/ip route
add disabled=no distance=1 dst-address=10.0.0.0/8 gateway="VPN" \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
Glad it works now.
The default firewall rules are good enough to use as a starting point.
Your set, as it is now, is not the default.
mmmm… do you have a list of the default firewall rules? Where can I find it?
/system/default-configuration/print file=RB5009
And then have a good look at the script inside that file RB5009.rsc.
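To pull the thread's two conclusions together (the peer needs a route for its allowed-address plus a keepalive, and the firewall should start from the defconf ruleset with the tunnel treated as an inside interface), here is an added example of a complete RouterOS 7 "client-side" WireGuard configuration. It is not taken from the original posts or from MikroTik's own defconf script; the key and endpoint values are the thread's placeholders (xxxx, yyyy, WIREGUARD_SERVER_IP), and it assumes a single interface list named LAN (instead of the thread's separate LANs/VLANs lists) and a WAN list containing ether8. Adjust names to your own export before applying.

```routeros
# Added example (not from the thread): WireGuard peer on RouterOS 7 with the
# route and keepalive the thread found missing, plus a defconf-style firewall.
# Keys and endpoint are placeholders copied from the thread, not real values.

/interface wireguard
add name=VPN listen-port=13231 mtu=1420 private-key="xxxxxxxxxxxx"

/ip address
add address=10.10.81.238/32 interface=VPN

# Same public key as the [Peer] block; persistent-keepalive makes the router
# keep initiating handshakes even when no LAN traffic is waiting to go out.
/interface wireguard peers
add interface=VPN public-key="yyyyyyyyyyyyyyy" \
    endpoint-address=WIREGUARD_SERVER_IP endpoint-port=51820 \
    allowed-address=10.0.0.0/8 persistent-keepalive=25s

# allowed-address decides which peer may carry a prefix; nothing is *sent*
# into the tunnel until a route points that prefix at the interface.
/ip route
add dst-address=10.0.0.0/8 gateway=VPN

# Interface lists: the tunnel goes into LAN so the input chain treats it like
# an inside interface (assumed names LAN and WAN).
/interface list
add name=WAN
add name=LAN
/interface list member
add interface="ether8-WAN-IPLAN " list=WAN
add interface=bridgeLan list=LAN
add interface="VLAN 40 ND MOBILE" list=LAN
add interface=VPN list=LAN

# Filter rules modelled on the RouterOS default configuration: accept return
# traffic, ICMP and LAN-side access to the router, drop everything else on
# input; on forward, fasttrack established flows and drop unsolicited new
# connections arriving from WAN.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 \
    comment="accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN \
    comment="drop all not coming from LAN"
add chain=forward action=fasttrack-connection \
    connection-state=established,related hw-offload=yes comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="drop all from WAN not DSTNATed"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="ISP NAT"
add chain=srcnat action=masquerade out-interface=VPN comment="WireGuard NAT"

# To answer "is it a handshake error?" without guessing: RouterOS 7 has a
# "wireguard" logging topic; send it to the in-memory log and watch /log print.
/system logging
add topics=wireguard action=memory
```

Two checks after applying it: `/interface/wireguard/peers/print detail` should show rx climbing (tx alone only proves the router is sending, as the reply above notes), and `/ip firewall filter print` should end with explicit drops in both chains. Because the router is only a client here, its listen-port does not need an input rule; if the peer at WIREGUARD_SERVER_IP were also expected to initiate, you would add `chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN` before the final input drop.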