Wireguard - can't connect to internet

Hello everyone. I’m trying to set up a WireGuard server on my MikroTik router to connect to my home network from my Windows computer. The computer and the router are able to establish a connection (or so it seems); however, the computer cannot connect to the internet.
The Mikrotik router is connected to my ISP router and on the latter I forwarded port 13231.
My setup is the following:

# model = RouterBOARD 952Ui-5ac2nD
/interface bridge
add admin-mac=E4:8D:8C:B2:87:CC auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid="MikroTik 2GHz" wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid="MikroTik 5GHz" \
    wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn-pool ranges=192.168.8.10-192.168.8.99
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add dns-server=192.168.8.250 local-address=192.168.8.250 name=vpn-profile \
    remote-address=vpn-pool use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes128,aes256 default-profile=\
    vpn-profile enabled=yes require-client-certificate=yes
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 \
    persistent-keepalive=25s public-key=\
    "MYCOMPUTERPUBLICKEY"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ppp secret
add name=Marcus profile=vpn-profile
/system clock
set time-zone-name=Europe/Rome

On my computer I have the following WireGuard setup:
[Interface]
PrivateKey = MYCOMPUTERPRIVATEKEY
Address = 192.168.100.3/24
DNS = 192.168.100.1

[Peer]
PublicKey = MYMIKROTIKPUBLICKEY
AllowedIPs = 0.0.0.0/0
Endpoint = xxxxxxxxx.xx.mynetname.net:13231


What can I do? Thank you for your help!

Remove WireGuard from the WAN list; it makes little sense. LAN is fine and makes sense!!
Persistent keepalive on the router (server for handshake) is NOT required and should be removed.

Where are your firewall rules and routes ??? Partial config is useless for assistance.


You need keepalive set on your PC.

OK, thank you. I removed WireGuard from WAN and removed keepalive.

I don’t have any firewall rules; I tried to delete them all to see if it would work (I know, not the best idea…).

My routes are the following:

/ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS       GATEWAY      DISTANCE
DAd 0.0.0.0/0         192.168.1.1         1
DAc 192.168.1.0/24    ether1              0
DAc 192.168.88.0/24   bridge              0
DAc 192.168.100.0/24  wireguard1          0

I’ll set keepalive on PC.

Everything looks good; no firewall rules means all traffic should pass. It should work from what I see.

That’s good to hear, thank you.
However, it still doesn’t work. I can handshake correctly (by checking WireGuard/peers last handshake on the MikroTik router), but I can’t connect to the internet nor to the other devices connected to the LAN. Maybe I have some NAT problem?

Are you sure the Windows computer is allowing you to access the WireGuard tunnel… seems that’s the area to focus on.

I think so, what should I check?

On the PC I don’t see any error; the only thing is that the number of sent packets is way higher than the received (the received are almost zero). The same happens when trying to use an Android client.
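As an added illustration, not code from anyone in this thread: a Python check that compares the client config and the router's peer entry from the first post, since a WireGuard handshake is keyed on public keys alone while data is only delivered for source addresses inside the peer's allowed-address, which is a common reason for a completed handshake with many sent packets but almost none received. It parses the two configs as posted (placeholder key names kept) and reports each tunnel address that falls outside the other side's allowed list.

```python
import ipaddress
import re

# Constructed sample input: the peer and address lines from the first post's router export and client config.
ROUTER_EXPORT = """\
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 \\
    persistent-keepalive=25s public-key=\\
    "MYCOMPUTERPUBLICKEY"
/ip address
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
"""
CLIENT_CONF = """\
[Interface]
Address = 192.168.100.3/24
[Peer]
AllowedIPs = 0.0.0.0/0
"""

def networks(csv):
    """Turn a comma-separated list of prefixes into ip_network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False) for p in csv.split(",")]

def parse_router(export):
    """Return (peer allowed-address networks, wireguard interface address) from a RouterOS export."""
    export = re.sub(r"\\\n\s*", "", export)  # join RouterOS backslash line continuations
    allowed = networks(re.search(r"allowed-address=(\S+)", export).group(1))
    wg_addr = ipaddress.ip_interface(re.search(r"\badd address=(\S+) interface=wireguard", export).group(1))
    return allowed, wg_addr

def parse_client(conf):
    """Return (Interface Address, Peer AllowedIPs networks) from a wg-quick style config."""
    addr = ipaddress.ip_interface(re.search(r"^Address\s*=\s*(\S+)", conf, re.M).group(1))
    allowed = networks(re.search(r"^AllowedIPs\s*=\s*(.+)$", conf, re.M).group(1))
    return addr, allowed

def check(router_export, client_conf):
    """Return findings; an empty list means both ends agree on who may use which tunnel address."""
    router_allowed, wg_addr = parse_router(router_export)
    client_addr, client_allowed = parse_client(client_conf)
    findings = []
    # The handshake is keyed on public keys alone and completes regardless of addresses; afterwards
    # the router drops decrypted packets whose source is outside the peer's allowed-address and
    # never routes replies for that address into the tunnel, so the client counts sent but ~no received.
    if not any(client_addr.ip in n for n in router_allowed):
        findings.append(f"client address {client_addr.ip} is outside router allowed-address {router_allowed}")
    # Mirror image: the router's own tunnel address must sit inside the client's AllowedIPs.
    if not any(wg_addr.ip in n for n in client_allowed):
        findings.append(f"router address {wg_addr.ip} is outside client AllowedIPs {client_allowed}")
    return findings
```

Run `check(ROUTER_EXPORT, CLIENT_CONF)` to get the findings list for the thread's values; changing either side so the addresses agree empties it.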