Hello.
On an M/T device with OS 7.18 on ARM, I have enabled WireGuard via BTH and it works perfectly on an Android mobile.
But as soon as I activate it (Activate) from the corresponding WireGuard client in Windows 10, it shows me that it works, but I can't connect with Winbox (specifically it gives a fatal error), nor with a browser to "some other" network tools I have on my internal network, which, as I said before, I connect to normally from my mobile. I mean I created a new peer for WIN and configured it correctly; besides, it shows that it (the client) is connected. Does anyone know what mistake I'm making, or if there is some other problem?
Thanks a lot for any answers.
Do you have an appropriate AllowedIPs value in your Windows client configuration, in the [Peer] section?
Something like:
AllowedIPs = 192.168.1.0/24
(Change as required for your MikroTik LAN range.)
Or perhaps, if you want all traffic to go via the VPN (probably don't use this if your MikroTik is behind CGNAT):
AllowedIPs=0.0.0.0/0
Sorry, we cannot guess and thus need to see information.
I'm assuming you don't have a public IP and your ISP router does not forward ports, and that is why you use BTH.
We would need to see the config…
/export file=anynameyouwish (minus router serial number, any public WAN IP information, VPN keys)
We would need to see the following JPEGs - don't forget to remove (in Paint one can use the eraser) the column entries of public key, endpoint, and endpoint current address!!!
- Menu Wireguard → sub tab of PEERS
- Menu IP → Sub menu IP CLOUD → Right Hand menu selection of “Back to Home Users”
AND - Menu IP → Sub menu Firewall → sub tab of Filter Rules, and take a JPEG only of the DYNAMIC 'D' entries due to BTH.
I believe they normally show AT THE TOP OF THE list.
Thank you so much for taking a look.
Well, this is it:
# 2025-03-10 21:02:50 by RouterOS 7.18.1
# software id = XXXXXXXXX
#
# model = L41G-2axD
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXXXX arp=proxy-arp auto-mac=no name=bridge \
port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .frequency=2300-7300 \
.skip-dfs-channels=10min-cac .width=20/40mhz-Ce configuration.country=\
"United States" .mode=ap .ssid=myWiFi disabled=no mtu=1500 \
security.authentication-types=wpa2-psk,wpa3-psk .encryption="" .wps=\
disable
/interface wireguard
add comment=back-to-home-vpn listen-port=17628 mtu=1420 name=back-to-home-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/port
set 0 name=serial0
/zerotier
set zt1 disabled=no disabled=no
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
zt1 name=zerotier1 network=XXXXXXXXXXXXXX
/interface bridge port
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes interface=zerotier1 internal-path-cost=10 \
path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add disabled=yes interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=wifi1 list=LAN
/interface ovpn-server server
add mac-address=XXXXXXXXXXXXX name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.216.5/32 client-address=::/0 endpoint-port=17628 \
interface=back-to-home-vpn name=Lap persistent-keepalive=30s public-key=\
"PUBLIC KEY"
/ip cloud
set back-to-home-vpn=enabled ddns-update-interval=10m
/ip cloud back-to-home-user
add allow-lan=yes comment=" Blackview BV4900Pro" name=\
"ZeroTier | hAP ax lite" private-key=\
"PRIVATE KEY" public-key=\
"PUBLIC KEY"
add allow-lan=yes name=Laptop public-key=\
"PUBLIC KEY"
add allow-lan=yes comment=" Blackview BV4900Pro" name=Lap private-key=\
"PRIVATE KEY" public-key=\
"PUBLIC KEY"
/ip dhcp-client
add interface=bridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.222.10.0 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=17628 protocol=udp \
src-address=192.168.216.0/24
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none src-address=\
10.222.10.0/24
add action=masquerade chain=srcnat dst-address=10.222.10.0/23 src-address=\
192.168.192.0/23
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=10.222.10.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=XX
set api-ssl disabled=yes
/ip upnp
set show-dummy-rule=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=XXXXXXXX/XXXXXXX
/system clock manual
set dst-delta=+XX:00 time-zone=+XX:00
/system identity
set name=ZeroTier
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=XXXXXXXXXXXX
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes
-
Quick question: is this device behind another router? There are hardly any firewall rules…
AND you have no IP addresses. There is something seriously wrong with the config.
Did you manually enter the WireGuard peer settings for 192.168.216.5, or did the router create that entry? I don't see any entry for the other peer… 216.4, which is why I ask.
Well, this M/T router is in a network with 5 other routers and they all work perfectly. Specifically, this router is behind an LTE router which gives Internet to the rest of the network; it is also connected to the ZeroTier network without any problem so far, and actually some tests I did with OVPN also worked normally, without problems. Only WireGuard (from the PC/laptop) has a problem, while from the Android mobile it works normally.
And yes, I manually put in peer 5, because how else would the M/T create it? I think it is created automatically only from the mobile BTH app. Also, of course it has an IP address; I uploaded a screenshot.
As for the peer (216.4), it was probably left over from earlier tests I did; thanks for the suggestion, I already deleted it.
Also, I uploaded the config of the WireGuard client:
[Interface]
PrivateKey = PRIVATE KEY
ListenPort = 17628
Address = 192.168.216.5/32
DNS = 1.1.1.3
[Peer]
PublicKey = PUBLIC KEY
AllowedIPs = 0.0.0.0/0
Endpoint = XXXXXXXXX.vpn.mynetname.net:17628
PersistentKeepalive = 30
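The two things the replies above ask about (the router's allowed-address for the peer and the client's AllowedIPs) can be cross-checked mechanically. The following is an added example, not code from the thread or from MikroTik: it parses one RouterOS peer line and one WireGuard client file (both constructed here, modelled on the posts, with placeholder keys) and reports whether the tunnel address and the LAN range line up. The LAN range 10.222.10.0/24 is taken from the export's NAT rule and is an assumption about which subnet the Windows client wants to reach.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's export and client file; keys are placeholders.
ROUTER_PEER = ('add allowed-address=192.168.216.5/32 client-address=::/0 '
               'endpoint-port=17628 interface=back-to-home-vpn name=Lap '
               'persistent-keepalive=30s public-key="PUBLIC KEY"')
CLIENT_CONF = """[Interface]
PrivateKey = PRIVATE KEY
Address = 192.168.216.5/32
[Peer]
PublicKey = PUBLIC KEY
AllowedIPs = 0.0.0.0/0
Endpoint = XXXXXXXXX.vpn.mynetname.net:17628
"""

def parse_ros_args(line):
    """key=value pairs of a RouterOS 'add' line; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}

def parse_wg_conf(text):
    """INI-style wg client config -> {section: {key: value}}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('['):
            cur = line.strip('[]')
            sections[cur] = {}
        elif '=' in line and cur is not None:
            k, v = line.split('=', 1)
            sections[cur][k.strip()] = v.strip()
    return sections

def check_peer(router_line, client_text, lan):
    """Cross-check one router peer against its client config; [] means consistent."""
    r, c = parse_ros_args(router_line), parse_wg_conf(client_text)
    findings, lan_net = [], ipaddress.ip_network(lan)
    # Router-side allowed-address must equal the tunnel address the client sends from.
    client_addr = ipaddress.ip_interface(c['Interface']['Address']).network
    if ipaddress.ip_network(r['allowed-address']) != client_addr:
        findings.append(f"router allowed-address {r['allowed-address']} != client Address {client_addr}")
    # Client-side AllowedIPs must cover the LAN, or LAN-bound packets never enter the tunnel.
    allowed = [ipaddress.ip_network(a.strip()) for a in c['Peer']['AllowedIPs'].split(',')]
    if not any(lan_net.subnet_of(n) for n in allowed if n.version == lan_net.version):
        findings.append(f"client AllowedIPs {', '.join(map(str, allowed))} do not cover LAN {lan}")
    return findings
```

Run check_peer on your own export line and client file; an empty list means both ends agree on the tunnel address and the LAN is routed into the tunnel, so the fault lies elsewhere (firewall input/forward rules, for instance).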
My understanding is that MT dynamically creates any peer settings in WireGuard when they are added during BTH.
I will confirm later.