Wireguard - can not have active more than 1 peer

Crau · March 2, 2025, 4:43pm

Hello,
I’ve set on a ac2 (RBD52G-5HacD2HnD) for wireguard 2 peers - once I edit and save a peer the other peer is not working anymore. I’ve set the interface and peers like on this video on a pc https://www.youtube.com/watch?v=okihqaMni-w and also on an android.

About those peers from my router here are the details - on peers setup I test just activating or deactivating the check-box for responder (can be seen activated below for an inactive connection - and then the active one stop working, loading data on the mobile):

/interface bridge
add admin-mac=48::D6 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee disabled=no frequency=auto \
    installation=indoor mode=ap-bridge name=5g ssid=MYROUTER-MT5
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge name=24 ssid=MYROUTER-MT station-roaming=enabled wireless-protocol=802.11 \
    wmm-support=enabled
/interface wireguard
add listen-port=27711 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireguard peers
add allowed-address=192.168.55.11/24 client-address=192.168.55.11/24 client-endpoint=some-name.org client-listen-port=27711 \
    comment=S24w interface=wireguard1 name=peer1 public-key="s55vcPXtKS..."
add allowed-address=192.168.55.23/24 client-address=192.168.55.23/24 client-endpoint=some-name.org client-listen-port=27711 \
    interface=wireguard1 name=peer4 private-key="0I0ONRJ..." public-key=\"....2J92r1M="
add allowed-address=192.168.55.127/24 interface=wireguard1 name=peer202501 public-key=\"i....mg=" responder=yes
 

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow L2PT / IPSec / Wireguard VPN access" dst-port=500,1701,4500,27711 \
    in-interface-list=WAN log=yes protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall mangle
add action=change-mss chain=forward comment="Fix  MSS  for  VPN  server" new-mss=1360 protocol=tcp src-address=192.168.21.0/24 \
    tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="Fix  MSS  for  VPN  server" dst-address=192.168.21.0/24 new-mss=1360 protocol=tcp \
    tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Wirequard masquared" src-address=192.168.55.0/24

Would you please help with some thoughts? Thank you in advance!

eltikpad · March 2, 2025, 5:14pm

I dont think you need to (or should) set the “client-listen-port” on both peers. The peer usually picks one itself, and in this case they are both the same so you can only have one connected.

CGGXANNX · March 2, 2025, 5:15pm

You need to change the prefix length /24 in the allowed-address field (and client-address field too) of the peers to /32.

Crau · March 2, 2025, 5:19pm

Thanks - I’ve changed to /32 on mikrotik settings (on clients setup I didn’t changed it) and it works now!

anav · March 2, 2025, 5:35pm

To be clear, the problem was the first client captured all of the/24 subnet so the second address was never seen/used by the router.
The server for handshake requires the ability to see each peer.
The clue of when to use a separate wireguard interface is overlap.
Lets say you had a wireguard connection to one other router and your own devices remotely.
If the requirement was for your local subnets ( on the server peer for handshake ) to go out the INTERNET of the client peer router for handshake, then one would be forced to use
0.0.0.0/0 in the peer settings to the other router, and in this case any remote peers would never be seen/used.
Sol/n use a second wireguard interface.