Hi.
Yesterday I tried to configure the wireguard interface on mikrotik router.
from my point of view everything is tuned fine,but no handshake so I must be doing something wrong.
if someone can spot where will be apreciated.
here’s the wireguard interface config
here’s the ip range assigned to the interface
here’s the peer config on the server
and here’s the config on the client
P.D:oh and I forgot I have a firewall rule with the wireguard port forwarded to the router local ip
Would need to see the MT config full to assess properly
/export file=anynameyouwish ( minus router serial#, public WANIP information or keys etc. )
So far nothing stands out, but ensure you have a persistent keep alive setting on your MT client device.
tried that before (putting persistentkeepalive 10 in both router and client config) but didn’t change anything
Why would you put it on the router???
Provide information, if you need assistance
removed code
This is the main error I see → You do not use NAT rules for wireguard.
Wireguard is a service on the ROUTER itself, which means you need to do this on the INPUT CHAIN rules.
Delete this rule… why did you think you were port forwarding ?? ( port forwarding is when you want external users to access your servers on the LAN )
#rule to open upd port for mikrotik wireguard
add action=dst-nat chain=dstnat dst-port=13231 in-interface=pppoe-out1
protocol=udp to-addresses=192.168.88.1 to-ports=13231
Add…
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input dst-port=13231 protocol=udp comment=“wireguard handshake”
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN[/size]
ok so,as I understand,the firewall filter is for filtering packages that go directly to the router itself,and the NAT is just for packages that go to devices inside the network
thanks for the help and explanation. 
P.D:added the new rule but doesn’t seems to work,still waiting in the handshake
Not quite…
Input chain is for traffic TO the router ( think router services, VPN, DNS, NTP, WINBOX etc._
Forward chain is for traffic THRU the router WAN to LAN, LAN to WAN, LAN to LAN.
NAT is for part of the firewall and is used to delineate sourcenat rules AND destination nat rules ( of which port forwarding is a subset ).
YOu need to post your new updated config, I only go by evidence not hearsay '=)
removed code
Look at POST #6.
I clearly highlighted IN BLUE, the input chain rule you needed to add, to allow an external device to reach the router on the port and start the handshake…
You also failed to remove this rule in your NAT, which I clearly said to remove.
/ip firewall nat
add action=accept chain=input comment=“wireguard handshake” dst-port=13231
in-interface=pppoe-out1 protocol=udp
Since you appear not to want to cooperate, l8r. Gluck!
solution found:
is just as was explained in post #6 just keep in mind that if you add the rule with the mikrotik terminal that will drop the rule to the bottom,and needs to be before the defconf:drop all not coming from LAN rule,since in mikrotik the rules order gives preference so router will always follow the most upper rule
thanks for all the help anav and sorry for not being a good listener
No worries, glad you got it fixed.
A trick many use is to find where in the order one wants to put a rule in winbox,
And then copy the rule at that spot, change the settings, make a suitable comment, apply and save and new rule right where you want it.
camulodunum, Apparently you posted the config in post 5 and again in post 10, but then deleted it. Why? It makes it very hard for anyone else to follow this thread. Remember, many of the people who read any particular thread are trying to learn. When critical parts of the thread are deleted, it makes it hard to follow, and damn near impossible to learn from others.
Assuming you sanitized your posted config to prevent sensitive information from being made public, there is little to be gained by deleting it.
I just don’t feel comfortable with having all my router’s config exposed on an internet forum.
for the shake of other people learning I can post how was the problem,the part of the configuration where it was,and how to solve it. but I don’t think having all my config exposed makes any sense.
Your caution is natural and not a bad thing, but nothing can be gleaned from the configs you posted, dont worry, Your choice to post or not post or to delete is up to you,…
Thank you, this solved my “no handshake” issue.
@hightechlab, no worries, the important is not to copy and rule stick it in and move on!!.
THe key is understanding that the handshake is TO the router. Such traffic is handled in the input chain.