To start, I have a very basic Mikrotik Router config as a simple switch plus WiFi AP, and DHCP client (for management). I’ve used the following config for this router:
```
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=all
/ip dhcp-client add interface=bridge-lan disabled=no
/ip settings set ip-forward=no
/interface wireless set [find] ssid=YourWifiName frequency=auto disabled=no mode=ap-bridge
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=YourWifiPassword
/user add disabled=no group=full name=YourUserName password=YourUserPassword
# remove every other user (the default admin included) so only the new account remains
/user remove [find name!="YourUserName"]
```
I need to be able to remotely manage this router from a distance for any potential future features, so I have set up a WireGuard client which connects to my WireGuard server. I don't need any fancy routing; this WireGuard client will simply be for remote router management over SSH and Winbox.
Here is my WireGuard client config on the MikroTik:
```
# the public key is derived from the private key and is not set by hand
/interface/wireguard add name="wg0" mtu=1420 listen-port=13231 private-key="XYZXYZYXZ"
/interface/wireguard/peers add allowed-address=10.200.200.0/24 endpoint-address=<MyServerPublicIP> endpoint-port=51820 interface=wg0 \
    public-key="ZYXZYXMyServerPublicKeyXYZ"
/ip/address add address=10.200.200.175/30 interface=wg0
/ip/route add dst-address=10.200.200.0/24 gateway=wg0
```
My WireGuard server is configured properly with the peer IP address and key listed in its config. This server is a functional system running WireGuard on a Raspberry Pi with several other clients with no issues.
So, as soon as I activate the WireGuard client on the MikroTik router (or if the router has been sitting for a few minutes), I cannot ping it from the server. I get a timeout. Output from the server:
```
# ping 10.200.200.175
PING 10.200.200.175 (10.200.200.175) 56(84) bytes of data.
^C
--- 10.200.200.175 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3052ms
```
However, as soon as I initiate a ping from the terminal of the MikroTik router out to the server IP, I get a response:
```
[link@MikroTik] > ping 10.200.200.1
  SEQ HOST          SIZE TTL TIME      STATUS
    0 10.200.200.1    56  64 29ms349us
    1 10.200.200.1    56  64 8ms486us
    2 10.200.200.1    56  64 5ms599us
    3 10.200.200.1    56  64 7ms73us
    4 10.200.200.1    56  64 4ms770us
    sent=5 received=5 packet-loss=0% min-rtt=4ms770us avg-rtt=11ms55us max-rtt=29ms349us
```
Now that I have initiated the ping, I can again ping this WireGuard client from the server:
```
# ping 10.200.200.175
PING 10.200.200.175 (10.200.200.175) 56(84) bytes of data.
64 bytes from 10.200.200.175: icmp_seq=1 ttl=64 time=6.35 ms
64 bytes from 10.200.200.175: icmp_seq=2 ttl=64 time=4.58 ms
64 bytes from 10.200.200.175: icmp_seq=3 ttl=64 time=5.74 ms
64 bytes from 10.200.200.175: icmp_seq=4 ttl=64 time=5.24 ms
^C
--- 10.200.200.175 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 4.588/5.484/6.356/0.655 ms
```
Now if I log out of everything and wait about 5-10 minutes, again my server does not have the ability to ping the MikroTik router, and I have to log in to the router and initiate the ICMP ping to the server again to allow the server to ping it.
Any suggestions to keep this WireGuard tunnel open? Of course I could just put in a script that continuously pings the server, but I feel like there should be a better way to do this.
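The symptom described above is the classic behaviour of a WireGuard peer sitting behind NAT or a stateful firewall: WireGuard sends nothing while the tunnel is idle, so the UDP mapping that the router's uplink NAT created when the router last sent a packet expires after a minute or two, and the server's packets to the router's last known endpoint are silently dropped until the router sends something again. The built-in fix is the peer's persistent keepalive, which makes the router emit a small encrypted packet at a fixed interval so the mapping never goes stale. The block below is an added example, not the poster's configuration or MikroTik's documentation: it repeats the poster's placeholder keys, endpoint and addresses and adds `persistent-keepalive`; the 25-second interval is the interval commonly recommended for WireGuard NAT traversal, not a value from the post.

```routeros
# Added example: the poster's wg0 client with a persistent keepalive on the
# server peer. Keys, endpoint and addresses are the placeholders from the post.
/interface/wireguard add name="wg0" mtu=1420 listen-port=13231 private-key="XYZXYZYXZ"

# persistent-keepalive=25s: the router sends a keepalive every 25 seconds
# (an assumed but widely used interval) so the NAT/firewall mapping toward
# <MyServerPublicIP>:51820 stays open and the server can reach the router
# without the router having to ping first.
/interface/wireguard/peers add interface=wg0 \
    public-key="ZYXZYXMyServerPublicKeyXYZ" \
    endpoint-address=<MyServerPublicIP> endpoint-port=51820 \
    allowed-address=10.200.200.0/24 \
    persistent-keepalive=25s

/ip/address add address=10.200.200.175/30 interface=wg0
/ip/route add dst-address=10.200.200.0/24 gateway=wg0
```

Nothing needs to change on the Raspberry Pi side: the server keeps learning the router's current public endpoint from whichever packet arrived last, and the keepalives are exactly such packets. After applying it, `/interface/wireguard/peers print detail` on the router should show the last handshake time and tx/rx counters advancing while the tunnel is otherwise idle, and the server should be able to ping 10.200.200.175 at any time without a ping from the router first. Because the router always initiates, listen-port 13231 does not need to be reachable from the internet, which is the preferred posture for a management-only tunnel.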