Hello,
I would like to connect my routeros device to a wireguard VPN server on Ubuntu linux. The server was set up this way:
https://techviewleo.com/install-wireguard-vpn-server-on-ubuntu/?expand_article=1
The linux side has a fixed ip, udp port 51820 opened on the firewall, and a peer is added:
#wg show
interface: wg0
public key: Fgi*****************jHQ=
private key: (hidden)
listening port: 51820
peer: g5*******************EA=
allowed ips: 0.0.0.0/0
persistent keepalive: every 25 seconds
The client side (routeros HAP AX3) was set up this way:
/interface/wireguard
add name="wg-vpn" listen-port=12614
/interface/wireguard/peers
add interface=wg-vpn public-key="Fgi*****************jHQ=" endpoint-address=not_telling_com endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s
I also have this in the input chain:
3 ;;; wireguard
chain=input action=accept protocol=udp dst-port=12000-12999
Actually, I have multiple wireguard interfaces on this HAP AX3:
/interface wireguard
add listen-port=12614 mtu=1420 name=wg-cerebellum-loerolite
add listen-port=12714 mtu=1420 name=wg-laci-ekke
add listen-port=12414 mtu=1420 name=wg-laci-laptop
add listen-port=12514 mtu=1420 name=wg-laci-phone
add listen-port=12614 mtu=1420 name=wg-vpn
add listen-port=12314 mtu=1420 name=wg1
And many of them have peers that are working just fine. Here are some examples:
Flags: X - disabled; D - dynamic
0 ;;;
interface=wg1 public-key="8o**********QU=" endpoint-address=not_telling
endpoint-port=12419 current-endpoint-address=not_telling current-endpoint-port=12419
allowed-address=192.168.19.0/24,10.19.0.0/16,172.16.19.0/24 persistent-keepalive=25s rx=127.0KiB tx=323.9KiB
last-handshake=7s
1 ;;;
interface=wg1 public-key="o5*********QY=" endpoint-address=not_telling
endpoint-port=12305 current-endpoint-address=not_telling current-endpoint-port=12305
allowed-address=192.168.5.0/24,172.16.5.0/24 persistent-keepalive=25s rx=3164.9MiB tx=845.3MiB last-handshake=1m22s
As you can see, the last-handshake is not that old, and they are working as expected. However, the working configurations are routeros devices on both ends. But this new one (called wg-vpn) that does not work is using Ubuntu linux on the other side.
First I thought that the problem must be on the linux side, since this is the first time I’m trying to use linux on the other side. But then I noticed two things. One is that tx=0 and rx=0 on the peer:
12 ;;; not_telling
interface=wg-vpn public-key="Fgi*****************jHQ=" endpoint-address=not_telling
endpoint-port=51820 current-endpoint-address=not_telling current-endpoint-port=51820 allowed-address=0.0.0.0/0
persistent-keepalive=25s rx=0 tx=0
The other thing is that it does not even try to do the handshake.
/system logging
add topics=wireguard,debug
/log/print follow
But it does not print out anything about it. Which is not what I would expect.
If I disable the wireguard interface on the remote (routeros) side of any other peers, then I see these messages popping up in the logs:
11:29:52 wireguard,debug wg-laci-laptop: s*********M=: Handshake for peer did not complete after 5 seconds, retrying (try 2)
11:29:52 wireguard,debug wg-cerebellum-loerolite: fc**********FQ=: Handshake for peer did not complete after 5 seconds, retrying (try 2)
11:29:52 wireguard,debug wg-laci-ekke: 6U******AQ=: Handshake for peer did not complete after 5 seconds, retrying (try 2)
But for this new peer, there are no logs at all. Seems like it is not trying to connect - even though the endpoint address was given, and persistent keepalive was set.
So there is no error message, and there is no log to examine.
I’m stuck, please help me.
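An added diagnostic, not part of the post above and not the poster's configuration: a small Python script that parses the plain `add key=value ...` lines of a RouterOS `/interface wireguard` export and reports two things worth checking before looking at the Linux side: listen-port values that more than one interface claims, and listen-ports that fall outside the UDP range the input-chain rule accepts. The sample export embedded below is the interface list quoted in the post (so the 12000-12999 accept range and the interface names come from there); the parsing and the checks are assumptions of this example, not a RouterOS feature.

```python
"""Sanity checks over a RouterOS WireGuard export (added example).

Parses the `add key=value ...` lines of `/interface wireguard export`
and reports listen-port values shared by more than one interface, plus
listen-ports outside the UDP range the firewall input chain accepts.
"""
import re
from collections import defaultdict

# Constructed sample: the interface list quoted in the post above.
SAMPLE_EXPORT = """\
/interface wireguard
add listen-port=12614 mtu=1420 name=wg-cerebellum-loerolite
add listen-port=12714 mtu=1420 name=wg-laci-ekke
add listen-port=12414 mtu=1420 name=wg-laci-laptop
add listen-port=12514 mtu=1420 name=wg-laci-phone
add listen-port=12614 mtu=1420 name=wg-vpn
add listen-port=12314 mtu=1420 name=wg1
"""

# key=value pairs; values may be double-quoted (keys with '=' inside) or bare.
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_add_lines(text):
    """Return one dict per `add ...` line, with surrounding quotes stripped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rows.append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return rows


def duplicate_listen_ports(text):
    """Map listen-port -> sorted interface names, for ports used by >1 interface.

    Only one interface can receive on a given UDP port, so a shared port is
    the first thing to rule out when one tunnel never attempts a handshake.
    """
    by_port = defaultdict(list)
    for row in parse_add_lines(text):
        if "listen-port" in row and "name" in row:
            by_port[int(row["listen-port"])].append(row["name"])
    return {p: sorted(n) for p, n in by_port.items() if len(n) > 1}


def ports_outside_accept_range(text, lo, hi):
    """List (name, listen-port) for interfaces whose port the firewall would drop.

    `lo`..`hi` is the dst-port range accepted in the input chain (12000-12999
    in the post's rule).
    """
    bad = []
    for row in parse_add_lines(text):
        if "listen-port" in row and "name" in row:
            port = int(row["listen-port"])
            if not lo <= port <= hi:
                bad.append((row["name"], port))
    return bad


if __name__ == "__main__":
    for port, names in sorted(duplicate_listen_ports(SAMPLE_EXPORT).items()):
        print(f"listen-port {port} is used by: {', '.join(names)}")
    for name, port in ports_outside_accept_range(SAMPLE_EXPORT, 12000, 12999):
        print(f"{name}: listen-port {port} is outside the accepted 12000-12999 range")
```

Run it against the output of `/interface wireguard export` pasted into `SAMPLE_EXPORT`; on the list quoted in the post it reports that port 12614 is claimed by both wg-cerebellum-loerolite and wg-vpn, and that every port is inside the firewall's accept range.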