wireguard between two mikrotiks

I have issues with connecting a CHR and an RB2011 to each other with wireguard. Nothing is happening. A packet capture on both mikrotiks for port 51820 showed nothing.
I also set up road warriors via wireguard1 on both mikrotiks. This works perfectly.

My config chr:

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
add listen-port=51820 mtu=1420 name=wireguard2

/interface wireguard peers
add allowed-address=192.168.80.2/32 interface=wireguard1 public-key=\
    "q+/QStpFhxpjTW0R7gNiVYldU7ryR97oyOh7BKu8aVE="
add allowed-address=10.251.251.0/24 endpoint-address={{WAN_IP}:51820 \
    interface=wireguard2 public-key=\
    "+zvUFn+gi9lxE0eRXUYyO1sX5MBhCV6ghqU9HfCKKUc="

/ip firewall filter
add action=accept chain=input port=51820 protocol=udp
add action=accept chain=input comment="Allow wireguard 1" dst-port=13231 \
    protocol=udp

/ip address
add address=192.168.80.1/24 interface=wireguard1 network=192.168.80.0
add address=10.251.251.1/24 interface=wireguard2 network=10.251.251.0

My config rb2011:

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
add listen-port=51820 mtu=1420 name=wireguard2
/interface wireguard peers
add allowed-address=192.168.70.2/32 interface=wireguard1 public-key=\
    "DzvTnIs/4g7i/CN6vVtJtOL098L4e8wDyajoW04FEQg="
add allowed-address=10.251.251.0/24 endpoint-address=151.248.16.245:51820 \
    interface=wireguard2 public-key=\
    "WFWjbTBsILXwW6Rp0PEwPzR/XK2l1gXmXBeEpB5COR0="

/ip firewall filter
add action=accept chain=input port=51820 protocol=udp
add action=accept chain=input comment="Allow wiregaurd1" dst-port=13231 protocol=udp

/ip address
add address=192.168.70.1/24 interface=wireguard1 network=192.168.70.0
add address=10.251.251.2/24 interface=wireguard2 network=10.251.251.0

The wireguard1 interface is used for road warriors; this is working perfectly.
The wireguard2 interface is used for connecting these 2 mikrotiks. This doesn’t work.

Quick question for the initial connection between the routers, which one is acting as the peer/client and which one is acting as the server?
One has to send an initial packet to establish the tunnel to the other.
After the tunnel is created it can be used to move traffic in either direction of course.

What exactly are you trying to do? With this config you should be able to access 10.251.251.x on the other side (if it’s not blocked by firewall). But if you’d want to connect LANs behind routers, you’d have to include them in peers’ allowed-address and add routes to them.

Heheh we should get our Doctorates you and I Sob.
We seem to spend much of our time pulling teeth out of OPs

The idea is that both routers can access the LAN of both. I know I have to add those subnets to the allowed addresses.

The point is that the tunnel between the two doesn’t establish. At both sites I did a packet capture on the WAN interface for port 51820. No packets arrive at either side. It looks like both routers don’t send the initial packet.

WG is a pretty easy interface to set up.
Once set up correctly, you should see packets flowing on both sides rather quickly. That’s the only way you’ll know it works before routing etc. is handled.

Are you 200% sure that port 51820 is open to at least one of the two routers?
No other modem/device in between on either end which requires some port forwarding?

Question:
What’s this double bracket doing there?
endpoint-address={{WAN_IP}:51820

PS: you might want to remove some of the public info about your connection. It’s plainly visible to everyone!
For now it doesn’t matter, it’s not working :laughing:

I’m missing the /ip/route (where you should add the private ip range that should be routed over the WG tunnel).

It’s not only the route to the remote LAN subnet via the wireguard2 interface that is missing at both machines (or merely hasn’t been posted), it is also the subnet address of the remote LAN subnet that is missing on the allowed-address list on the /interface/wireguard/peer rows.

Other than that, I hazily remember that WireGuard does not attempt to establish the tunnel until it gets a payload packet to deliver. So start by pinging 10.251.251.1 from the 2011 while sniffing for traffic on port 51820.
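A corrected site-to-site pair for wireguard2, added here as an example and not taken from the thread or from MikroTik. It keeps the thread's keys and tunnel addresses, makes the RB2011 the initiator with a keepalive so the handshake starts without waiting for user traffic, adds the remote-LAN entries and routes the replies above ask for, and writes endpoint-address and endpoint-port as the separate parameters RouterOS expects; the LAN subnets 192.168.1.0/24 (behind the CHR) and 192.168.2.0/24 (behind the RB2011) are constructed placeholders.

```routeros
# ---- CHR side (public IP 151.248.16.245, listens on UDP 51820) ----
# No endpoint-address here: the CHR learns the RB2011's address from the
# first handshake, so it also works if the RB2011 sits behind NAT.
/interface wireguard peers
add interface=wireguard2 comment="site rb2011" \
    public-key="+zvUFn+gi9lxE0eRXUYyO1sX5MBhCV6ghqU9HfCKKUc=" \
    allowed-address=10.251.251.0/24,192.168.2.0/24
# allowed-address is also the crypto-key route: packets for 192.168.2.0/24
# are only accepted from / sent to this peer if the subnet is listed.
/ip route
add dst-address=192.168.2.0/24 gateway=wireguard2 comment="LAN behind rb2011 via WG"

# ---- RB2011 side (initiator) ----
/interface wireguard peers
add interface=wireguard2 comment="site chr" \
    public-key="WFWjbTBsILXwW6Rp0PEwPzR/XK2l1gXmXBeEpB5COR0=" \
    endpoint-address=151.248.16.245 endpoint-port=51820 \
    persistent-keepalive=25s \
    allowed-address=10.251.251.0/24,192.168.1.0/24
/ip route
add dst-address=192.168.1.0/24 gateway=wireguard2 comment="LAN behind chr via WG"

# ---- Verification on the RB2011 ----
# Generate a payload packet so WireGuard actually sends the handshake,
# then confirm a recent last-handshake and rx/tx counters on the peer.
/ping 10.251.251.1 count=3
/interface wireguard peers print detail
# While the ping runs, this should now show UDP 51820 leaving the WAN.
/tool sniffer quick port=51820
```

If the peer row still shows no last-handshake, the UDP 51820 path to 151.248.16.245 (ISP filtering or an intermediate NAT device) is the next thing to check, before touching routing.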