wireguard configuration

I am experimenting with wg - performance is impressive, but if there is something wrong, I find it hard to debug. I did not come across much documentation so far, is there something detailed around on Mikrotik specifics?

I want to connect multiple peers (Android, iOS, Win10) to a router and tried to have them all on one wireguard interface: 10.0.0.1/24 assigned to the wireguard1, 10.0.0.2/24, 10.0.0.3/24, etc. to the peers (each one of course with separate key pairs). I saw packets incoming, but I could not establish more than one tunnel to a peer, others did not receive responses back from the server. Using a separate wireguard interface for each peer worked: e.g., 10.0.0.1/30 for wireguard1, 10.0.0.2/30 for peer 1, 10.0.0.5/30 for wireguard2, 10.0.0.6/30 for peer 2, etc. I also had to assign different incoming UDP ports to each interface, putting them all on the same port did not work.

I am wondering if this is intended behavior, or if I made mistakes in my configuration? Do I actually need a /30 subnet for each interface and peer?

Overall, it’s great if it works, but deployment is hard :-).

One common interface is enough. Why it doesn’t work for you, it’s hard to tell. I don’t think there’s anything in current RouterOS to help you with that, some statistics for individual peers, logs, or anything.

I tried to reproduce this by setting up a new interface, now I can have multiple clients on it. No idea why it was consistently not working before… will keep an eye on it. Some debugging support in a future version would be good, e.g. error messages for arriving UDP packets that cannot be processed or the like.
Anyway, thanks for your help!

Encountered the same problem.

Overlapping subnets between peers on the same interface probably produce conflicts with the protocol's “cryptokey-routing” feature.
From my interpretation the allowed addresses are a mix between routing table and ACL.
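Added example, not part of the thread and not RouterOS code: a simplified Python model of cryptokey routing as the reference WireGuard implementation does it, where each allowed prefix has exactly one owning peer, outbound packets go to the peer with the longest matching prefix, and inbound packets are accepted only if their source address maps back to the sending peer. The class, the peer names and the addresses are constructed for illustration.

```python
import ipaddress


class CryptokeyTable:
    """Simplified model of one interface's allowed-address table (assumption:
    reference WireGuard semantics, one owning peer per prefix)."""

    def __init__(self):
        self.routes = {}  # ip_network -> peer name

    def set_allowed(self, peer, prefixes):
        for p in prefixes:
            # Host bits are masked off, so 10.0.0.2/24 becomes 10.0.0.0/24.
            net = ipaddress.ip_network(p, strict=False)
            # A prefix already held by another peer is reassigned to this one.
            self.routes[net] = peer

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self.routes if ip in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def outbound_peer(self, dst):
        """Routing-table role: which peer's key encrypts a packet to dst."""
        return self.lookup(dst)

    def inbound_accepted(self, peer, src):
        """ACL role: a decrypted packet is kept only if src belongs to peer."""
        return self.lookup(src) == peer


def overlapping():
    # Constructed config: both peers given an address inside the same /24.
    t = CryptokeyTable()
    t.set_allowed("client1", ["10.0.0.2/24"])
    t.set_allowed("client2", ["10.0.0.3/24"])
    return t


def one_host_per_peer():
    # Constructed config: each peer owns only its own /32.
    t = CryptokeyTable()
    t.set_allowed("client1", ["10.0.0.2/32"])
    t.set_allowed("client2", ["10.0.0.3/32"])
    return t


if __name__ == "__main__":
    for name, t in (("overlap", overlapping()), ("/32", one_host_per_peer())):
        print(name, t.outbound_peer("10.0.0.2"), t.inbound_accepted("client1", "10.0.0.2"))
```

In the overlapping case replies to 10.0.0.2 are encrypted for client2 and client1's own traffic fails the source check, which matches the symptom of one working tunnel and one silent one.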