WireGuard configuration not working

Hello friends,

I am in the process of configuring WireGuard on my hAP ax³, but I am at a loss as to what might be wrong with my configuration.

My goal is to connect to my home network via mobile data from my iPhone. The traffic to the Internet should also work via the tunnel.

An initial handshake appears to take place, but I can't reach the Internet either by IP address or by DNS name; I just get a timeout.

Here is my current configuration:

# 2024-08-17 09:26:03 by RouterOS 7.15.3

# Single VLAN-aware bridge; the per-VLAN interfaces below are created on top of it.
/interface bridge
add name=bridge-vlan vlan-filtering=yes

# ether1: modem/WAN port. ether2: unused (disabled). ether3: off-bridge management
# port. ether4/ether5: members of the LACP bond towards the switch.
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" name=\
    ether1-modem poe-out=off
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] name=ether3-mgmt
set [ find default-name=ether4 ] name=ether4-uplink1
set [ find default-name=ether5 ] name=ether5-uplink2

# Single WireGuard interface listening on UDP 2486 (the firewall input chain opens
# this port). Peers are defined in /interface wireguard peers.
/interface wireguard
add listen-port=2486 mtu=1420 name=wireguard

# vlan7 on the modem port carries the ISP PPPoE session; vlan10-50 are the LAN
# segments on the VLAN-aware bridge.
/interface vlan
add interface=ether1-modem name=vlan7-telekom vlan-id=7
add interface=bridge-vlan name=vlan10-mgmt vlan-id=10
add interface=bridge-vlan name=vlan20-trusted vlan-id=20
add interface=bridge-vlan name=vlan30-untrusted vlan-id=30
add interface=bridge-vlan name=vlan40-iot vlan-id=40
add interface=bridge-vlan name=vlan50-server vlan-id=50

# 802.3ad (LACP) bond of the two uplink ports towards the switch.
/interface bonding
add mode=802.3ad name=bonding-uplink slaves=ether4-uplink1,ether5-uplink2

# PPPoE to the ISP: installs the default route and uses the ISP's DNS servers.
# Credentials are redacted in the post.
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan7-telekom name=\
    pppoe-out-telekom use-peer-dns=yes user=\
    ####################################

# Interface lists referenced by the firewall rules; membership is assigned in
# /interface list member. NOTE(review): the wireguard interface is in none of them,
# so rules matching on in-interface-list never see tunnel traffic.
/interface list
add name=mgmt
add name=lan
add name=wan

# Radio channel profiles: 5 GHz ax at 20/40/80 MHz (DFS channels that need a
# 10-minute CAC are skipped) and 2.4 GHz ax at 20 MHz.
/interface wifi channel
add band=5ghz-ax disabled=no name=channel-5ghz skip-dfs-channels=10min-cac \
    width=20/40/80mhz
add band=2ghz-ax disabled=no name=channel-2ghz width=20mhz

# Datapaths place each SSID's clients into a bridge VLAN (untrusted=30, trusted=20,
# iot=40). client-isolation is explicitly off on untrusted and iot.
/interface wifi datapath
add bridge=bridge-vlan client-isolation=no disabled=no name=\
    datapath-untrusted vlan-id=30
add bridge=bridge-vlan disabled=no name=datapath-trusted vlan-id=20
add bridge=bridge-vlan client-isolation=no disabled=no name=datapath-iot \
    vlan-id=40

# One shared security profile (WPA2/WPA3-PSK with fast transition) for all three
# SSIDs; no passphrase appears in this export.
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" ft=yes \
    name=sec

# SSID definitions, each bound to the shared security profile above.
/interface wifi configuration
add country=Germany disabled=no name=cfg-trusted security=sec ssid=\
    "TS - Trusted"
add country=Germany disabled=no name=cfg-untrusted security=sec ssid=\
    "TS - Untrusted"
add country=Germany disabled=no name=cfg-iot security=sec ssid="TS - IoT"

# The physical radios carry the trusted SSID; untrusted and iot are virtual APs
# slaved to them. NOTE(review): both untrusted virtual APs use the same
# mac-address D6:01:C3:52:DB:0A while the iot pair has distinct MACs -- confirm
# this is intentional.
/interface wifi
set [ find default-name=wifi2 ] channel=channel-2ghz configuration=\
    cfg-trusted configuration.mode=ap datapath=datapath-trusted disabled=no \
    name=wifi-2ghz-trusted
add configuration=cfg-untrusted configuration.mode=ap datapath=\
    datapath-untrusted disabled=no mac-address=D6:01:C3:52:DB:0A \
    master-interface=wifi-2ghz-trusted name=wifi-2ghz-untrusted
set [ find default-name=wifi1 ] channel=channel-5ghz configuration=\
    cfg-trusted configuration.mode=ap datapath=datapath-trusted disabled=no \
    name=wifi-5ghz-trusted
add configuration=cfg-untrusted configuration.mode=ap datapath=\
    datapath-untrusted disabled=no mac-address=D6:01:C3:52:DB:0A \
    master-interface=wifi-5ghz-trusted name=wifi-5ghz-untrusted
add configuration=cfg-iot configuration.mode=ap datapath=datapath-iot \
    disabled=no mac-address=D6:01:C3:52:DB:0B master-interface=\
    wifi-2ghz-trusted name=wifi-2ghz-iot
add configuration=cfg-iot configuration.mode=ap datapath=datapath-iot \
    disabled=no mac-address=D6:01:C3:52:DB:09 master-interface=\
    wifi-5ghz-trusted name=wifi-5ghz-iot

# DHCP pools cover .200-.254 of each LAN subnet.
/ip pool
add name=dhcp-pool-untrusted ranges=192.168.30.200-192.168.30.254
add name=dhcp-pool-trusted ranges=192.168.20.200-192.168.20.254
add name=dhcp-pool-iot ranges=192.168.40.200-192.168.40.254
add name=dhcp-pool-server ranges=192.168.50.200-192.168.50.254

# One DHCP server per VLAN interface; the server VLAN's DHCP is disabled, and
# vlan10-mgmt has no pool or server at all.
/ip dhcp-server
add address-pool=dhcp-pool-untrusted interface=vlan30-untrusted name=\
    dhcp-untrusted
add address-pool=dhcp-pool-trusted interface=vlan20-trusted name=dhcp-trusted
add address-pool=dhcp-pool-iot interface=vlan40-iot name=dhcp-iot
add address-pool=dhcp-pool-server disabled=yes interface=vlan50-server name=\
    dhcp-server

# The bond is the only bridge port and accepts tagged frames only (no untagged
# access VLAN); all VLANs reach the switch as a trunk.
/interface bridge port
add bridge=bridge-vlan frame-types=admit-only-vlan-tagged interface=\
    bonding-uplink

# IPv6 is fully disabled on the device.
/ipv6 settings
set disable-ipv6=yes

# Bridge VLAN table: every VLAN is tagged on the trunk and on the bridge itself
# (the latter is what lets the router's own vlanXX interfaces see the traffic).
/interface bridge vlan
add bridge=bridge-vlan tagged=bonding-uplink,bridge-vlan vlan-ids=10
add bridge=bridge-vlan tagged=bonding-uplink,bridge-vlan vlan-ids=20
add bridge=bridge-vlan tagged=bonding-uplink,bridge-vlan vlan-ids=30
add bridge=bridge-vlan tagged=bonding-uplink,bridge-vlan vlan-ids=40
add bridge=bridge-vlan tagged=bonding-uplink,bridge-vlan vlan-ids=50

# List membership. vlan10-mgmt is in "lan", not "mgmt": only the off-bridge
# ether3-mgmt is in "mgmt". NOTE(review): the wireguard interface is in no list,
# which matters for every firewall rule that matches on in-interface-list.
/interface list member
add interface=vlan10-mgmt list=lan
add interface=pppoe-out-telekom list=wan
add interface=vlan20-trusted list=lan
add interface=vlan30-untrusted list=lan
add interface=vlan40-iot list=lan
add interface=vlan50-server list=lan
add interface=ether3-mgmt list=mgmt
# Single road-warrior peer. allowed-address=/32 is the right setting for one
# client: it is WireGuard's cryptokey-routing entry (only packets from this peer
# sourced inside it are accepted, and packets towards it are sent to this peer);
# it does not create an IP route, so the tunnel subnet must be routed via the
# interface's own /ip address entry. The client-* fields only feed the generated
# client config; client-dns points the phone at the router's tunnel address.
# NOTE(review): these lines look mangled by the redaction ("; dyndns" in the
# middle of the command and the doubled quotes around public-key). The peer
# private-key is presumably the client's key kept for config export -- confirm.
/interface wireguard peers
add allowed-address=192.168.1.2/32 client-address=192.168.1.2/32 client-dns=\
    192.168.1.1 client-endpoint=####.####.de interface=wireguard name=\ ; dyndns
    test private-key="####################################" \
    public-key="="####################################""

# Router addresses, one per segment. The LAN entries carry an explicit /24.
/ip address
add address=192.168.88.1/24 interface=ether3-mgmt network=192.168.88.0
add address=192.168.10.1/24 interface=vlan10-mgmt network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20-trusted network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30-untrusted network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40-iot network=192.168.40.0
add address=192.168.50.1/24 interface=vlan50-server network=192.168.50.0
# NOTE(review): no prefix length on the tunnel address, so RouterOS stores it as a
# /32 (the exported network=192.168.1.1 is a host network, unlike the .0 networks
# above). There is then no connected route for 192.168.1.0/24, and replies to the
# peer 192.168.1.2 are not sent into the tunnel -- a likely contributor to
# "handshake OK, everything else times out". Suggested:
#   add address=192.168.1.1/24 interface=wireguard network=192.168.1.0
add address=192.168.1.1 interface=wireguard network=192.168.1.1

# Clock is set via MikroTik IP Cloud.
/ip cloud
set update-time=yes

# NOTE(review): ether5-uplink2 is a bonding slave, hence the exporter's warning.
# The default route already comes from PPPoE, so this client serves no purpose and
# can be disabled.
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add interface=ether5-uplink2

# DHCP options per subnet. Trusted and server hand out the router as DNS plus a
# (redacted) domain; untrusted and iot set no dns-server here -- confirm what
# those clients actually receive.
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 domain= ############## \
    gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.1 domain=############## \
    gateway=192.168.50.1

# The router answers DNS queries from the network; which interfaces may ask is
# governed by the firewall input chain (port 53 is not opened towards "wan").
/ip dns
set allow-remote-requests=yes

# Local name overrides (names redacted).
/ip dns static
add address=192.168.50.10 name=##############
add address=192.168.10.10 name=##############

# "VLANs" groups the LAN subnets; NOTE(review): no rule in this export references
# it. The remaining lists are the RouterOS default-config (defconf) bogon lists
# used by the raw and forward chains.
/ip firewall address-list
add address=192.168.10.0/24 list=VLANs
add address=192.168.20.0/24 list=VLANs
add address=192.168.30.0/24 list=VLANs
add address=192.168.40.0/24 list=VLANs
add address=192.168.50.0/24 list=VLANs
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
# not_global_ipv4 includes 192.168.0.0/16, i.e. every LAN subnet and the tunnel
# subnet; it is applied to sources arriving from "wan" in the raw chain.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4

# --- input chain: traffic addressed to the router itself ---
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Opens the WireGuard port towards the Internet; required for the handshake.
add action=accept chain=input comment="accept wireguard" dst-port=2486 \
    protocol=udp
# NOTE(review): matches on source address only, so a 192.168.1.x source arriving
# on any interface hits it. Prefer in-interface=wireguard so that only traffic
# actually decrypted from the tunnel is accepted.
add action=accept chain=input comment="accept wireguard traffic" src-address=\
    192.168.1.0/24
add action=accept chain=input comment="accept all coming from MGMT" \
    in-interface-list=mgmt
# Everything not from "lan" is dropped. Because wireguard is in no list, tunnel
# traffic to the router depends entirely on the src-address rule above.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!lan
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=wan
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
# Inter-VLAN policy: trusted may initiate to every other VLAN; other lan->lan
# flows are dropped by the last rule.
add action=accept chain=forward comment="accept trusted to mgmt" \
    in-interface=vlan20-trusted out-interface=vlan10-mgmt
add action=accept chain=forward comment="accept trusted to untrusted" \
    in-interface=vlan20-trusted out-interface=vlan30-untrusted
add action=accept chain=forward comment="accept trusted to iot" in-interface=\
    vlan20-trusted out-interface=vlan40-iot
add action=accept chain=forward comment="accept trusted to server" \
    in-interface=vlan20-trusted out-interface=vlan50-server
# NOTE(review): there is no terminal drop in forward. Anything unmatched falls
# through to the default accept -- lan->wan, but also wireguard->any VLAN, since
# wireguard is in no interface list and so never counts as "lan" here. Tunnel
# clients therefore reach untrusted/iot/server too; add an explicit
# in-interface=wireguard policy and a final drop if that is not intended.
add action=drop chain=forward comment="drop traffic between VLANs" \
    in-interface-list=lan out-interface-list=lan

# Source NAT: everything leaving via "wan" is masqueraded to the PPPoE address,
# which will include tunnel clients' Internet traffic once forwarding works.
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=wan

# Default-config raw chain: bogon filtering before connection tracking. Raw runs
# on decrypted tunnel packets as well, with in-interface=wireguard.
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=lan protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
# not_global_ipv4 covers 192.168.0.0/16, so spoofed tunnel-subnet sources arriving
# on the PPPoE side are dropped here, before the filter chain.
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=wan src-address-list=not_global_ipv4
# The two disabled defconf rules still refer to 192.168.88.0/24, which in this
# setup is only the off-bridge management subnet.
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" disabled=yes dst-address=\
    192.168.88.0/24 in-interface-list=wan
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" disabled=yes \
    in-interface-list=lan src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=lan
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=wan
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from MGMT" in-interface-list=mgmt
# NOTE(review): the wireguard interface is in none of the three lists, so every
# decrypted packet coming out of the tunnel falls through to this drop. That alone
# explains "handshake succeeds, nothing else works": the UDP 2486 handshake
# arrives on the PPPoE interface ("wan") and is accepted, while the inner traffic
# appears on "wireguard" and is dropped here before it reaches any filter rule.
# Fix: add wireguard to the lan list, or add an accept for in-interface=wireguard
# above this rule.
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad_tcp: invalid TCP flag combinations and port 0.
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp

# Management plane: telnet/ftp/www/api/api-ssl disabled; ssh and winbox limited to
# the trusted VLAN and the off-bridge subnet. NOTE(review): 192.168.1.0/24 (the
# tunnel) is in neither address filter, so remote administration over WireGuard
# is refused by the service itself even where the firewall allows it; add the
# tunnel subnet (or the admin peer's /32) if that is wanted.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.20.0/24,192.168.88.0/24
set api disabled=yes
set winbox address=192.168.20.0/24,192.168.88.0/24
set api-ssl disabled=yes

# Restrict SSH to the stronger cipher/MAC set.
/ip ssh
set strong-crypto=yes

/system clock
set time-zone-name=Europe/Berlin

/system identity
set name="hAP ax^3"

/system note
set show-at-login=no

/tool bandwidth-server
set enabled=no

# MAC-layer access (mac-telnet and MAC-Winbox) only via the off-bridge mgmt port.
/tool mac-server
set allowed-interface-list=mgmt

/tool mac-server mac-winbox
set allowed-interface-list=mgmt

Any help would be very much appreciated!

Okay, I might have found the needle in the haystack. I should probably change the client address to a /24:

From:

/interface wireguard peers
add allowed-address=192.168.1.2/32 client-address=192.168.1.2/32 ...

To:

/interface wireguard peers
add allowed-address=192.168.1.2/24 client-address=192.168.1.2/24 ...

Gonna try that out later and will update this topic.

Okay that did not help at all, somebody any idea?

Sure thing, will take a look!
By the way, actually not: the client peer should be identified by its /32 address for the handshake!!

Hey will be visiting your fair city for one day, night in September!!

  1. What is the point of vlan10 if you don't have a pool or DHCP server etc.? Further,
    you are using ether3 as off-bridge access to the router, which is fine. So is the intent to have any port
    anywhere in your network accessible to the vlan10 network??? I see it is going to the bonded switch, which I assume
    at least will be used to give the switch its IP address. So you do need some subnet structure!!
    Further, you need to add this VLAN to the management interface list!!
    However, you will see below that I actually recommend getting rid of vlan10.

  2. /interface bridge vlan can be shortened TO:
    /interface bridge vlan
    add bridge=bridge-vlan tagged=bonding-uplink,bridge-vlan vlan-ids=10,20,30,40,50

  3. Assuming you have a reachable public IP ( either on the router directly or you can forward port from an upstream ISP router )

Keep the peer settings simple, with only the required info:
/interface wireguard peers
add allowed-address=192.168.1.2/32 interface=wireguard public-key="xxxxx" comment="mobile laptop"

  1. MAJOR problem: Your ISP settings are done through PPPoE, so DISABLE your IP DHCP client and the warning will go away as well.
    /ip dhcp-client
    # DHCP client can not run on slave or passthrough interface!
    add interface=ether5-uplink2 disabled=yes

  2. Add wireguard to the lan list, and if the remote laptop's WireGuard connection is the admin's, then add it to the mgmt list as well.
    /interface list member
    add interface=pppoe-out-telekom list=wan
    add interface=vlan10-mgmt list=lan
    add interface=vlan20-trusted list=lan
    add interface=vlan30-untrusted list=lan
    add interface=vlan40-iot list=lan
    add interface=vlan50-server list=lan
    add interface=wireguard list=lan
    add interface=ether3-mgmt list=mgmt

    add interface=vlan10-mgmt list=mgmt
    add interface=wireguard list=mgmt ???

  3. Restrict neighbor discovery to the mgmt list:
    /ip neighbor discovery-settings
    set discover-interface-list=mgmt

  4. Only keep the mac-winbox access, not the plain MAC server:
    /tool mac-server
    set allowed-interface-list=NONE

    /tool mac-server mac-winbox
    set allowed-interface-list=mgmt

  5. Any further problems are due to overcomplicated and unneeded firewall rules.
    a. Remove all raw rules.

Modify to the following.
Afterwards, when things are working, feel free to add some rules back after troubleshooting.

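# Destinations that vlan20 (trusted) may reach; referenced by the forward chain.
# Quotes must be plain ASCII double quotes -- the typographic quotes in the post
# are not accepted by the RouterOS CLI.
/ip firewall address-list
add address=192.168.10.0/24 list=TrustedDestination comment="to management"
add address=192.168.30.0/24 list=TrustedDestination comment="to untrusted"
add address=192.168.40.0/24 list=TrustedDestination comment="to iot"
add address=192.168.50.0/24 list=TrustedDestination comment="to server"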

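# Simplified ruleset. Fixes relative to the post as written: plain ASCII quotes,
# list names in the case the export defines them ("lan"/"wan" -- RouterOS list
# names are case-sensitive), out-interface-list spelled correctly, no stray space
# in connection-nat-state, and a real drop as the terminal forward rule.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wg handshake" dst-port=2486 protocol=udp
add action=accept chain=input comment="accept admin access" in-interface-list=mgmt
# If you ever need to be more specific, create a firewall address-list of allowed
# source IPs and add src-address-list= to the rule above.
add action=accept chain=input comment="users to services" in-interface-list=lan dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=lan dst-port=53 protocol=tcp
# Keep this rule last in the input chain.
add action=drop chain=input comment="Drop all else"
# --- forward chain: traffic routed through the router ---
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=lan out-interface-list=wan
# Disable or remove if port forwarding is not required.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="admin access" in-interface-list=mgmt out-interface-list=lan
add action=accept chain=forward comment="vlan20 access" src-address=192.168.20.0/24 dst-address-list=TrustedDestination
# Terminal rule: the post had action=accept here with a "drop" comment, which would
# admit every unmatched flow; it must be a drop.
add action=drop chain=forward comment="drop all else"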

After reviewing the config, it's not clear to me that you need vlan10 at all, as you give vlan20 access to everything!!
Why not consider vlan20 the trusted and management network?
Further, give only some people in vlan20 access to the router for config purposes by the following method.
In this way you remove one unneeded VLAN, all smart devices get an IP on the vlan20 network, and you use
the input chain to limit actual access to known admin IP addresses.
Thus get rid of vlan10, the need for the TrustedDestination address list, etc…


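# List membership without vlan10. The tunnel interface joins both "lan" (so the
# in-interface-list rules see it) and "mgmt" (remote admin). Fix relative to the
# post: the interface is named vlan20-trusted in the export, not vlan20.
/interface list member
add interface=pppoe-out-telekom list=wan
add interface=vlan20-trusted list=lan
add interface=vlan30-untrusted list=lan
add interface=vlan40-iot list=lan
add interface=vlan50-server list=lan
add interface=wireguard list=lan
# assuming you want Internet access from the off-bridge port as well
add interface=ether3-mgmt list=lan
add interface=vlan20-trusted list=mgmt
add interface=wireguard list=mgmt
add interface=ether3-mgmt list=mgmt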

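# Known admin sources for the input chain. Use addresses from static DHCP leases
# where applicable; X/Y/Z/B are placeholders to fill in. The menu path is
# /ip firewall address-list (hyphenated), as in the posted export.
/ip firewall address-list
add address=192.168.20.X list=Authorized comment="local admin pc"
add address=192.168.20.Y list=Authorized comment="local admin laptop wifi"
add address=192.168.20.Z list=Authorized comment="local admin smartphone/ipad wifi"
add address=192.168.1.2/32 list=Authorized comment="remote admin wg laptop"
add address=192.168.1.3/32 list=Authorized comment="remote admin wg smartphone/ipad"
add address=192.168.88.B/32 list=Authorized comment="off bridge config access"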

and firewall rules become…
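# Ruleset for the vlan10-less layout. Fixes relative to the post as written: plain
# ASCII quotes, list names as the export defines them ("lan"/"wan"),
# out-interface-list spelled correctly, no stray space in connection-nat-state,
# and a real drop as the terminal forward rule.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wg handshake" dst-port=2486 protocol=udp
# Admin access requires both: arrival via a mgmt-list interface and a source in Authorized.
add action=accept chain=input comment="accept admin access" in-interface-list=mgmt src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=lan dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=lan dst-port=53 protocol=tcp
# Keep this rule last in the input chain.
add action=drop chain=input comment="Drop all else"
# --- forward chain: traffic routed through the router ---
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=lan out-interface-list=wan
# Disable or remove if port forwarding is not required.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# Optionally add src-address-list=Authorized here if only the admin, rather than
# all of vlan20, should reach the other VLANs.
add action=accept chain=forward comment="admin access" in-interface-list=mgmt out-interface-list=lan
# Terminal rule: the post had action=accept here with a "drop" comment, which would
# admit every unmatched flow; it must be a drop.
add action=drop chain=forward comment="drop all else"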