Wireguard connection "issues"

As I often say to my mother: “Hoder you say that to me”.
Hoelvoten is a diplomat, I don't have time for niceties after politely asking several times.

What arrogance! If you know so much, why are you here asking for help? Do you feel me, Don Cabrone?

Very loosely translated,
MOFO, we love to help, but it's harder when the jackass you brought to the water trough refuses to drink… or something like that.

Look anav…. Use Google Translate if you want; nobody here has been disrespected, every reply has been proper… and you have not been disrespected….

Why haven't I provided the full export? Because I THOUGHT it wasn't necessary, nor to give out the IPs of my VPS or anything that has nothing to do with "the whole internet"….

You have lost your manners; I haven't done this with any kind of malice or arrogance…. But well… thank you very much for your help :wink:

I think it’s obvious that the posted WG config is not the issue. So either it’s something else in the config that’s seemingly unrelated (it has happened before), or it’s something hidden happening inside, and then you’d need to come up with a way it can be reliably reproduced. Set up a lab, try to break the connection between devices, check what exactly happens, play with a packet sniffer, etc.

Jajaja DonSergio,
I will be in Spain in Jun, perhaps we can have a friendly tennis match or bike ride in the mountains.

That was my point, you thought you knew better than the people you were asking to help! You were deciding which help was needed…
If that is not arrogance, it is at least ignorance!

Let me put it in a way you should understand, what do the Spanish people think of their government at the moment…
I am sure people have lots of obvious good ideas to fix the problems, but the government like Sergio is NOT listening. :wink:))
Abrazos Cabrone!

I am getting gordo drinking cervezas waiting for your config… don't let my waistline be on your conscience!

Hello,

I have a Wireguard VPN set up between two sites. One end (Server) has a static IP address.

The remote end is connected via Wireguard on cellular internet service (with dynamic IP addresses provided by AT&T Wireless and T-Mobile).

If the remote end has been powered down, and obtains a new IP address from the carrier, the Wireguard tunnel is not reestablished.

I have a netwatch script running on the remote end to ping an IP address on the server-side LAN (10.3.0.1); however, this does not reestablish the tunnel, as I have to restart the peer interface manually.

Here is the full config of the remote end:

Thank you.

```
# 2023-06-20 23:37:09 by RouterOS 7.10
# software id = 8YJZ-2DS3
# model = RB750Gr3
# serial number = HCR081D42DA
/interface bridge
add admin-mac=18:FD:74:34:50:75 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 name=local2uwv
/interface vlan
add interface=bridge name=CBRS-sub11 vlan-id=11
add interface=bridge name=RADIUS-vlan12 vlan-id=12
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=local2uipsec
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=local2uipsec pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=10.10.1.2-10.10.1.253
add comment="CBRS /16" name=CBRSvlan ranges=172.10.1.21-172.10.1.254
/ip dhcp-server
add address-pool=default-dhcp insert-queue-before=bottom interface=bridge lease-time=10m name=defconf
add address-pool=CBRSvlan comment="CBRS subscriber DHCP" interface=CBRS-sub11 lease-time=23h59m name=CBRS-dhcp
/port
set 0 name=serial0
/ppp profile
add local-address=192.168.88.1 name=local2uwv
/snmp community
set [ find default=yes ] name=l2uprivate
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=CBRS-sub11,RADIUS-vlan12 vlan-ids=11
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether2 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=47.180.38.235 endpoint-port=25112 interface=local2uwv persistent-keepalive=30s public-key="/oRdN+nfRUaUp03cYBxAAgSsGVRKNyCpWpVhKRCc5XY="
/ip address
add address=10.10.1.1/24 comment=defconf interface=bridge network=10.10.1.0
add address=10.1.0.2/30 interface=local2uwv network=10.1.0.0
add address=172.10.1.1/16 interface=CBRS-sub11 network=172.10.0.0
/ip dhcp-client
add comment=defconf interface=ether2
/ip dhcp-relay
add dhcp-server=10.2.0.1 disabled=no interface=ether2 name=remotedhcp
/ip dhcp-server network
add address=10.10.1.0/24 comment=defconf dns-server=10.10.1.1 domain=local2u.com gateway=10.10.1.1
add address=172.10.1.1/32 comment=CBRS dns-server=10.3.0.10,172.10.1.1 domain=cbrsinstitutewv.local2u.com gateway=172.10.1.1 netmask=16
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=drop chain=input disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related
add action=accept chain=forward comment="Allow traffic to 20147" in-interface=local2uwv
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=CBRS-sub11
add action=accept chain=forward in-interface=CBRS-sub11 src-address-list=""
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow access to management http" dst-address=10.10.1.1 dst-port=80 in-interface-list=all protocol=tcp
add action=accept chain=input comment="Allow Winbox from Datacenter VM" dst-address=10.10.1.1 dst-port=8291 protocol=tcp src-address=10.3.0.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set h323 disabled=yes
set sip ports=5262,5061
/ip ipsec policy
set 0 proposal=local2uipsec
/ip route
add disabled=no distance=1 dst-address=10.3.0.0/24 gateway=10.1.0.1 pref-src="" routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=l2uinstitutewv
/system logging
add topics=l2tp
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add down-script=":log info \"Connection to 10.3.0.1 unsuccessful\"" host=10.3.0.1 interval=30s type=simple
```
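The netwatch entry in the export above only writes a log line when 10.3.0.1 stops answering, and a netwatch `down-script` fires once on the up-to-down transition, so it cannot keep retrying after the carrier hands out a new address. The following is an added example, not part of the original post or of RouterOS defaults, showing one way to do what the poster is currently doing by hand: a scheduled watchdog that probes through the tunnel and, if nothing answers, disables and re-enables the WireGuard interface so it re-initiates the handshake from the new source address. It assumes the interface name `local2uwv` and the probe host 10.3.0.1 from the export; the script and scheduler names `wg-watchdog` are assumed.

```routeros
# Added example (not from the original post). Assumes interface local2uwv
# and probe host 10.3.0.1 as in the posted export; names are assumed.
#
# 1) Source of /system script "wg-watchdog" (paste into the script editor;
#    give it policy=read,write,test so it may toggle the interface).
:local wg "local2uwv"
:local probe "10.3.0.1"
# /ping used as an expression returns the number of replies received.
:local replies [/ping $probe count=3 interval=1s]
:if ($replies = 0) do={
    # No answer across the tunnel: force WireGuard to start over. Disabling
    # and re-enabling the interface discards the stale session and makes the
    # peer re-handshake from whatever WAN address the cellular link has now.
    :log warning ("wg-watchdog: no reply from " . $probe . ", re-initialising " . $wg)
    /interface wireguard disable [find name=$wg]
    :delay 2s
    /interface wireguard enable [find name=$wg]
} else={
    :log debug ("wg-watchdog: " . $probe . " answered " . $replies . "/3")
}

# 2) Run the check once a minute. Each run re-probes, so unlike a netwatch
#    down-script the bounce repeats until the tunnel actually comes back.
/system scheduler
add name=wg-watchdog interval=1m on-event="/system script run wg-watchdog" policy=read,write,test
```

Keep the existing netwatch entry for its log line if you like; the scheduler does the recovery. Because the probe goes to a host that is only reachable via the tunnel (the /24 route via 10.1.0.1), a failed ping is a reasonable proxy for "tunnel is dead", and the 2-second disable costs nothing when the far side is genuinely down. If the failure really is tied to the lease change, the same four lines of bounce logic can be put in the `script=` hook of the `/ip dhcp-client` entry on ether2 instead, so it runs exactly when the carrier address changes rather than on a timer.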