Wireguard education needed

Hello all,

I have a working WireGuard setup: 2 endpoints, simple configuration, MT on both ends running 7.12.1, basic default config, and it works.

The relevant aspect of setup, Office A, on multi-homed ISP. Office B, single homed ISP.

On occasion the VPN tunnel will go down for no apparent reason. Basic traceroute/ping show no connectivity issue, but TX/RX packets are definitely not taking the same path, when VPN is disconnected.

When the WireGuard traffic flows bidirectionally through the same connection on the multi-homed ISP (it does not matter which one, just that it is the same one), all is good. Whenever the traffic is split, inbound one way and outbound the other, it fails. After experimenting with the ISP forcing traffic onto one connection or the other, in all the various combinations, the result is that to keep the WireGuard VPN connected the traffic needs to flow bidirectionally over the same multi-homed link.

So, now I am guessing/presuming that the problem is some issue with the nature of the UDP packet and/or some timeout? I need someone more educated than I am to explain what is happening and, moreover, whether there is a possible fix/workaround?

Best regards/Happy Holidays

Not enough info provided to help. Network diagram and config:
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.).

Which end is the server for the initial handshake?
What does multi-homed mean?

To answer the questions, both offices have public (no NAT) IPv4 addresses. Either end can be the server as I understand the WireGuard documentation from MT; the config is quite literally from the MT documentation example with the IP addresses modified as appropriate.

ISP A – Multi-homed, that is to say they have 3 independent backbone providers, full BGP peering on all 3. The connectivity issue occurs when packets egress via one backbone provider and ingress from a different provider.

ISP B – One backbone provider only

The issue is not really a configuration issue as much as a question on how the VPN protocol works, and if this can be explained.

https://www.wireguard.com/
https://www.wireguard.com/#cryptokey-routing
https://www.wireguard.com/papers/wireguard.pdf

Did you find it mate?

Updated: I found it thanks for the help

What?
Stop … what’s your problem?

If it’s multi-homed ISP part… it might be similar to http://forum.mikrotik.com/t/wireguard-multi-wan-policy-routing/174145/1

Check out the Pro Custodibus blogs about WireGuard, which are absolutely outstanding in my opinion. For example, have a look at "Primary WireGuard Topologies".

If you're using a multi-homed WireGuard setup, you'll need to use policy routing for each inbound IP address you want to connect to due to a limitation in ROS. Check the link that Ammo posted in the previous post.

Happy Easter to you all!

EDIT:
Here is an example of a DHCP client script that automatically sets up the rules for policy routing. It should be used on all inbound WireGuard WAN interfaces except the default gateway. Using this, mangling is not needed. If you have static addresses you might use what is available under ($bound=1).

# DHCP client script: the DHCP client exposes $interface, $"lease-address",
# $"gateway-address" and $bound to the script when a lease is bound/released.
:local if   $interface
:local ip   $"lease-address"
:local gw   $"gateway-address"

:if ($bound=1) do={
    # Lease bound: create a routing table named after the WAN interface,
    # send traffic sourced from this WAN address into that table, and
    # give the table its own default route via this ISP's gateway.
    /routing table add fib name=$if comment=$if
    /routing rule add src-address=$ip table=$if action=lookup comment=$if
    /ip route add dst-address=0.0.0.0/0 routing-table=$if gateway=$gw distance=20
} else {
    # Lease released: tear down the route, rule and table again.
    /ip route remove [find routing-table=$if]
    /routing rule remove [find table=$if]
    /routing table remove [find name=$if]
}
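As an added example (not the poster's script, nor anything from the MikroTik documentation), here is the static-address equivalent of the same per-inbound-IP policy routing on a router with two WAN uplinks and a WireGuard interface on RouterOS 7. The interface names, the RFC 5737 addresses and the placeholder public key are all constructed for illustration; ether1 is the main-table default gateway and needs no extra rule, while the second WAN address gets its own table so replies to a handshake that arrived on that address leave through the same uplink.

```routeros
# Constructed example: two static WAN uplinks, WireGuard listening on both.
# ether1 = WAN1 (default gateway in the main table), ether2 = WAN2.
/ip address add address=198.51.100.2/30 interface=ether1 comment=wan1
/ip address add address=203.0.113.2/30 interface=ether2 comment=wan2
/ip route add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=1 comment=wan1-default

# Policy routing for the second inbound address: everything sourced from
# the WAN2 address (WireGuard replies included) must exit via the WAN2 gateway.
/routing table add fib name=via-wan2 comment=wan2
/routing rule add src-address=203.0.113.2/32 action=lookup table=via-wan2 comment=wan2
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=via-wan2 distance=20 comment=wan2-default

# WireGuard interface (private key is generated on add) and the remote office as peer.
# PUBLIC_KEY_OF_OFFICE_B is a placeholder; the keepalive keeps the UDP flow alive.
/interface wireguard add name=wg-officeB listen-port=13231
/ip address add address=10.255.0.1/30 interface=wg-officeB
/interface wireguard peers add interface=wg-officeB public-key="PUBLIC_KEY_OF_OFFICE_B" \
    endpoint-address=192.0.2.10 endpoint-port=13231 \
    allowed-address=10.255.0.2/32,192.168.2.0/24 persistent-keepalive=25s
```

Add one table/rule/route triple per additional WAN address; `/routing rule print` and `/ip route print where routing-table=via-wan2` let you confirm the rule and its default route are active before testing the tunnel.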