Wireguard from Linux not working

Hello, a few days ago, I configured my Mikrotik router with Wireguard to act as a server for some of my devices. I then installed Wireguard on two Android phones, using the parameters that are automatically proposed when generating the Peer on the router (I just had to add the Endpoint) and they both work perfectly. Since I don’t need to use them at the same time, I only have one peer on the router and I always access that one. So far, so good.

I then installed wireguard on linux (Fedora XFCE 39) and performed the same steps as on phones: it doesn’t work! What I see is that the “Handshake Initiation” packet exits the linux box, arrives in the router and passes the firewall (accept). At this point it vanishes. Unlike what happens when connecting from the phone, nothing appears on the wireguard interface and I don’t have any error messages, logs or anything else. I checked all the parameters dozens of times and I don’t see any errors.

One strange fact is that, given that on the router I can see both the private and public keys for the peer, I tried to have Linux generate the public key, starting from the same private one (wg pubkey public) and it generates a totally different key compared to the one the router provided:
1dyIGxarO5faR9r+XQ33qp/f6Ykn6PsiTEL2aH5CPCk= is the one from Mikrotik, TpPPXH1qSGF8tgP7k3sxW6sKoQO1+IcGxbs30vd2QkA= is the one generated by Linux.

I also installed a new Fedora 39 XFCE Linux box: same behavior!

At this point I suspect that they use a different coding system (possible???) and I am lost.

Suggestions?
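The key comparison in the post above is easy to check independently of the `wg` tool. The following is an added example, not code from the thread or from either the WireGuard or MikroTik projects: it implements X25519 from RFC 7748 in pure Python and derives the WireGuard public key (base64 of the X25519 public point, exactly what `wg pubkey` prints) from a base64 private key. The sample input is the RFC 7748 section 6.1 test vector, not any key from the thread; if `key_pair_matches()` returns False for a private/public pair shown by a router or a client, the two keys simply do not belong together, whichever side produced them.

```python
"""Derive a WireGuard public key from a private key and compare it with the
one another source (a router UI, a generated client file) reports.

Added example: a direct port of the RFC 7748 X25519 ladder so it runs with no
third-party library and no `wg` binary. Python big integers are not
constant-time, so use this as a diagnostic check only, never as a production
implementation.
"""
import base64

P = 2**255 - 19      # field prime of Curve25519
A24 = 121665         # (486662 - 2) / 4, the Montgomery ladder constant
BASE_POINT_U = 9     # u-coordinate of the X25519 generator


def clamp_scalar(private_key: bytes) -> int:
    """Decode a 32-byte X25519 private key as RFC 7748 section 5 prescribes."""
    if len(private_key) != 32:
        raise ValueError("X25519 private key must be exactly 32 bytes")
    k = bytearray(private_key)
    k[0] &= 248          # clear the three low bits (cofactor)
    k[31] &= 127         # clear the top bit
    k[31] |= 64          # set bit 254
    return int.from_bytes(k, "little")


def _cswap(swap: int, a: int, b: int):
    return (b, a) if swap else (a, b)


def x25519(scalar: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: returns the u-coordinate of scalar * u."""
    x_1 = u
    x_2, z_2 = 1, 0
    x_3, z_3 = u, 1
    swap = 0
    for t in range(254, -1, -1):
        k_t = (scalar >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = pow(da + cb, 2, P)
        z_3 = x_1 * pow(da - cb, 2, P) % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return x_2 * pow(z_2, P - 2, P) % P


def derive_public_key_bytes(private_key: bytes) -> bytes:
    """Raw 32-byte public key for a raw 32-byte private key."""
    return x25519(clamp_scalar(private_key), BASE_POINT_U).to_bytes(32, "little")


def to_wg_key(raw: bytes) -> str:
    """WireGuard prints keys as 44-character base64 strings."""
    return base64.b64encode(raw).decode("ascii")


def from_wg_key(text: str) -> bytes:
    raw = base64.b64decode(text.strip(), validate=True)
    if len(raw) != 32:
        raise ValueError("a WireGuard key decodes to exactly 32 bytes")
    return raw


def derive_public_key(private_key_b64: str) -> str:
    """Same input and output as `wg pubkey`: base64 private key in, base64 public key out."""
    return to_wg_key(derive_public_key_bytes(from_wg_key(private_key_b64)))


def key_pair_matches(private_key_b64: str, public_key_b64: str) -> bool:
    """True only if the public key really is the one derived from the private key."""
    return derive_public_key(private_key_b64) == public_key_b64.strip()


if __name__ == "__main__":
    # RFC 7748 section 6.1 test vector (Alice's key pair), used here as sample input.
    alice_priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    alice_pub = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    print("private:", to_wg_key(alice_priv))
    print("public :", derive_public_key(to_wg_key(alice_priv)))
    print("matches:", key_pair_matches(to_wg_key(alice_priv), to_wg_key(alice_pub)))
```

Paste the private key from the generated client file into `derive_public_key()` and compare the result with the public key shown next to it; the base64 decode with `validate=True` also catches a key that was truncated or picked up a stray character when copied.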

@resca, to trace traffic on the Linux box, use for example, “tcpdump -i name-of-wg-interface”. On the MikroTik, use Winbox “Tools → Packet Sniffer” and select the wg-interface to trace packets in real-time. If you don’t receive any traffic on the Linux box, you might have a firewall or double-NAT problem somewhere along the line.

Regarding the Linux WireGuard private/public keys, endpoint address, and port number, they must be an exact copy of the configuration you have on the Android devices.

@larsa, I understand my description is not complete! Let me say in other words:
- I used Wireshark on Linux and I see the “Handshake Initiation” transmission.
- I used Packet Sniffer on Mikrotik and I see the incoming “Handshake Initiation” packet.
- I added an Action-log on my firewall line that accepts the packets on my wireguard line and it triggers, so the packet IS accepted.
- I monitor the traffic on the Wireguard interface and I see NOTHING: no activity at all.
- While wireguard reports 0 input packets, I cannot expect any output packets, so there is no reason, by now, to check further elements.
In contrast, when I connect with Android, the “Handshake Initiation” causes the input packet count on the wireguard interface to go to 1; immediately afterwards one output packet appears on the wireguard interface, a packet is sent to the phone and the handshake continues.

So the problem is definitely that the packet is accepted by the firewall but somehow discarded by/before the wireguard interface.
I would like to have something to understand why the “Handshake Initiation” is not received by wireguard OR it is received and discarded without any log, message or whatever.
My GUESS, considering this strange difference between the two public keys, is that Linux uses a wrong/incompatible method.

I forgot to mention that the Wireguard endpoint in the Mikrotik also needs to match the network addresses of the received packets. Even if the Linux box is using the correct keys, ROS will simply discard the packets if the “allowed addresses” do not match the Linux address. You can enable WireGuard logging to check addresses, etc., by enabling logging topic=Wireguard.

I suspect the config is wrong on both wireguard and linux.

@resca; since you only have one peer on the Mikrotik, ensure there isn’t already an active session on it. If the handshake of the peer is under two minutes there is likely an active tunnel.

Hi, are you sure the config is correct? I’ve just set up a wireguard vpn and I am using it on linux with no problem. First of all, you do not need to have the peer private key on the mikrotik. I use kubuntu, so I use the KDE interface, but I report my configuration, which should be the same regardless of the graphical interface.

The ip of my machine for wireguard is 10.0.1.40.
PrivateKey= the one generated on my machine with wg genkey | wg publickey command

In the “peers” section:
Publickey: the one from mikrotik
Allowed ips: 0.0.0.0/0
Endpoint address: domain name of my office
Endpoint port: obviously the port of my office firewall I am connecting to

In IPV4 section
method: manual
Address: 10.0.1.40
Netmask: 255.255.255.255
Gateway: 0.0.0.0

No, I am quite sure it isn't!

Yes, I do not need it, and this is possibly the point!
Even if I don't need it, when I configure the peer, Mikrotik is so kind to prepare for me a sample of the configuration file to copy on the client and it contains the private and the public key (and other stuff). I just copied this file to two Android phones and they both work. So, my guess (correct me if I am wrong) is that Mikrotik generates a random private key and the related public key, so I don't need to generate anything on the client (linux box, android or whatever). Exactly as I had to generate nothing on the phones.

I made TWO tests: 1) Generate the public key from the private key: the result is not the same key. 2) Ignore the file generated by Mikrotik, generate a pair of keys on linux and place the public key in Mikrotik's peer. In both cases, the incoming "Handshake Initiation" is accepted and then ignored.

Do you confirm you discard the Mikrotik generated sample and 1) Generate Private and related Public keys on linux, place the public in the peer and that is all? This doesn't work for me.

My linux configuration is:
[Interface]
PrivateKey = ....
Address = 10.3.53.2/24
DNS = 10.3.53.1
ListenPort = 13231

[Peer]
PublicKey = ....
AllowedIPs = 0.0.0.0/0
Endpoint = 1234567890.sn.mynetname.net:13231

And Mikrotik configuration is

interface/wireguard/print
Flags: X - disabled; R - running
0 R name="wireguard1" mtu=1420 listen-port=13231 private-key="...."
public-key="...."
interface/wireguard/peers/print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-PORT, ALLOWED-ADDRESS

INTERFACE PUBLIC-KEY ENDPOINT-PORT ALLOWED-ADDRESS

0 wireguard1 .... 13231 0.0.0.0/0

As I mentioned before, /system logging add topics=Wireguard produces NOTHING: this is the reason I insist the packet is accepted and then discarded. IF there is a way to see the reason Mikrotik discards the incoming packet (wrong key, wrong IP, whatever) it is welcome.

To check how the raw Wireguard packets might appear on the Mikrotik, use Winbox by going to “Tools → Packet Sniffer”. Select the WAN interface and port 13231. Click on [Apply], [Start], and finally the [Packets] button to open the window where the tracing is displayed. Remember to press the [Stop] button to end the capture when you’re done.

On the Linux box, use: “tcpdump -i name-of-wireguard-interface port 13231” to trace the packet flow. You might also use “nc -v -u 1234567890.sn.mynetname.net 13231” to send udp packets. One UDP packet is sent for each [enter].

Did you understand that I have been performing ALL these very elementary debugging steps for one week?
How do you think I could write “I see a packet exiting the linux … reaching the filter … being accepted” without those tools?
Instead of nc, I used netcat -v -u -z 1234567890.sn.mynetname.net 13231. Does it matter?

I believe that packet-level tracing provides an excellent starting point to ensure that packets reach their destination without obstacles along the way. However, it’s up to you to choose the tools that best fit your situation.

A tip to improve your chances of getting help in this user forum is to attach a complete export of your MikroTik configuration, along with relevant parts of your Linux environment, such as Wireguard.conf, iptables, or any firewalls in use. It’s also helpful to provide a brief network topology, including whether your connection is public or private, as well as other details like WAN connections, and so forth.

Btw, netcat is the same as nc, so it shouldn’t matter.

Too funny Larsa, I wonder how many times that needs to be stated, to “See the Light” regarding ensuring first posts are relevant . :slight_smile:
Death by a 1000 cuts LOL.. I simply don't help those that don't post the required information anymore. I tried to make it better but failed. :slight_smile:

@resca: Have you checked the handshake status of the Wireguard peer using WinBox? When everything is okay, the handshake timer will increment up to two minutes and then start over again. If the handshake is okay, you might have other problems like routing or a firewall blocking the payload traffic.

I worked in customer support for 40+ years: X25, SNA, UDLC, Uniscope, TCP, OSI, etc. I was between the field engineers and the producer of software/hardware. At that time, bugs were very, very usual: problems had to be reproduced and clearly reported to developers! I also got prizes for my great support skills. Unfortunately I am not an expert in today’s protocols, even if I try to learn day by day. I think I know how to supply all the needed information. It is simply annoying for support people to read a huge quantity of useless information, so I try to focus on the basics and supply more info (that, maybe, I cannot guess exists) as soon as the expert says it is required.

Of course, while I am not an expert in this particular scenario, it MIGHT be enough to say: I feed the mikrotik produced client configuration to both Android and Linux. The first works, the latter doesn’t, and MAYBE an expert can say: yes, we know this is due to that. Very very easy.

ALL, I say again ALL, the requests by “Larsa” are for already supplied data and suggest using the tools that I already used: no value added. The only appreciable contribution is by “vawtech” who, at least, supplied a configuration and confirms wireguard may work between Linux and Mikrotik.

No one ever answered the main question: how can I trace/log why a packet that is accepted is not passed to wireguard. No one!
What is the missing required information: The model of the router? The color of the Fedora 39 PC? The brand of the Android phone that connects with no problem? Let me know, please!

From the little revealed:

Looking at your linux settings.

  • missing keep alive

Mikrotik. Allowed IPs 0.0.0.0/0 is wrong.

Best to post complete MT config minus sensitive bits.
I ignored the post thus far due to this omission. The problem is not yours, it's the lack of guidance provided by the site to ensure new posters were well prepared to make their first post.

Judging from the number of results for a google search for github projects related to mikrotik wireguard:
http://www.google.com/search?hl=it&source=hp&biw=&bih=&q=github+mikrotik+wireguard
you must not be the first one to have difficulties in properly configuring wireguard (from Linux).

You could try this one (bash):
https://github.com/IgorKha/wireguard-mikrotik
and see if it creates a different setup from the one you now have.

A non-written note says that it won’t work on orange or yellow Fedora 39 PC’s (not on tuesdays or wednesdays, unless there is a full moon and the year is a leap one). :wink:

Here is a link to Anav’s user guide “Wireguard Success For The Beginner” which might come in handy.

I thought the MT configuration I posted on Tue Feb 13, 2024 1:45 pm was what is needed. Is that not enough? Or do you mean that the full configuration of MT is required? You can find it here: http://www.rescas.eu/listing/download/public/pippo.zip. That said, while android works fine, I am pretty convinced the MT side is OK and the problem must be on the linux side. In other words, once a very similar packet comes from Android (two different android phones) and it is passed to wireguard and a very similar one is not passed, something in the packet itself must be wrong, so there is no need at all to investigate on MT!

Please note that, to avoid disrupting the working connection I use with Android, I configured a second wireguard interface on port 13232 dedicated to linux, but my final goal would be to connect to only one with all my devices. Of course not simultaneously!

Looking to change keepalive and Allowed IPs on linux. Thanks for the suggestion.

Yes full config please.
Also 0.0.0.0/0 is fine on the android but NOT on the mikrotik
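The two replies that point at the router side (the missing keepalive and `allowed-address=0.0.0.0/0` on the MikroTik peer, plus the earlier remark that ROS discards packets from a source outside the peer's allowed address) can be turned into a mechanical cross-check of the client file against the router's interface and peer. The script below is an added example, not code from the thread or from MikroTik: it parses a wg-quick style config and compares it with the values from the router's `print` output. The sample input is constructed from the configs posted in the thread, with the private key and the router's interface public key replaced by an all-zero placeholder; the checks encode only what those replies ask for, so an empty findings list means the config agrees with their advice, not that the tunnel will necessarily come up.

```python
"""Cross-check a wg-quick client config against the matching RouterOS
WireGuard interface and peer, flagging the mismatches raised in this thread.

Added example; field names follow the `interface/wireguard/print` and
`interface/wireguard/peers/print` output posted above.
"""
import base64
import ipaddress

# Constructed sample modelled on the Linux config in the thread.
# The PrivateKey and the [Peer] PublicKey are placeholders (all zero bytes).
PLACEHOLDER_KEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
CLIENT_CONF = f"""
[Interface]
PrivateKey = {PLACEHOLDER_KEY}
Address = 10.3.53.2/24
DNS = 10.3.53.1
ListenPort = 13231

[Peer]
PublicKey = {PLACEHOLDER_KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = 1234567890.sn.mynetname.net:13231
"""
# Router values as printed in the thread (peer public key is the one MikroTik generated).
ROS_IFACE = {"name": "wireguard1", "listen-port": "13231"}
ROS_PEER = {"interface": "wireguard1",
            "public-key": "1dyIGxarO5faR9r+XQ33qp/f6Ykn6PsiTEL2aH5CPCk=",
            "endpoint-port": "13231",
            "allowed-address": "0.0.0.0/0"}
# The same pair with the changes the replies recommend applied.
CLIENT_CONF_FIXED = CLIENT_CONF + "PersistentKeepalive = 25\n"
ROS_PEER_FIXED = {**ROS_PEER, "allowed-address": "10.3.53.2/32"}


def parse_wg_quick(text: str) -> dict:
    """Parse a wg-quick INI file into {'Interface': {...}, 'Peers': [{...}, ...]}."""
    conf = {"Interface": {}, "Peers": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name == "Interface":
                section = conf["Interface"]
            elif name == "Peer":
                section = {}
                conf["Peers"].append(section)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))  # base64 '=' padding stays in value
        section[key] = value
    return conf


def is_wg_key(value: str) -> bool:
    """A WireGuard key is 44 base64 characters that decode to 32 bytes."""
    try:
        return len(base64.b64decode(value.strip(), validate=True)) == 32
    except ValueError:
        return False


def check_setup(client: dict, ros_iface: dict, ros_peer: dict) -> list:
    """Return a list of human-readable findings; empty means no mismatch found."""
    findings = []
    peers = client["Peers"]
    if len(peers) != 1:
        return [f"expected exactly one [Peer] on the client, found {len(peers)}"]
    iface, peer = client["Interface"], peers[0]
    client_addr = ipaddress.ip_interface(iface["Address"])
    allowed = ipaddress.ip_network(ros_peer["allowed-address"], strict=False)
    if allowed.prefixlen == 0:
        findings.append(f"router peer allowed-address is {allowed}; the replies recommend the "
                        f"client's tunnel address instead, i.e. {client_addr.ip}/32")
    elif client_addr.ip not in allowed:
        findings.append(f"client address {client_addr.ip} is outside router peer "
                        f"allowed-address {allowed}; the router discards its packets")
    endpoint_port = int(peer["Endpoint"].rsplit(":", 1)[1])
    if endpoint_port != int(ros_iface["listen-port"]):
        findings.append(f"client Endpoint port {endpoint_port} differs from router "
                        f"listen-port {ros_iface['listen-port']}")
    if "ListenPort" in iface and "endpoint-port" in ros_peer \
            and int(iface["ListenPort"]) != int(ros_peer["endpoint-port"]):
        findings.append(f"client ListenPort {iface['ListenPort']} differs from router "
                        f"peer endpoint-port {ros_peer['endpoint-port']}")
    if "PersistentKeepalive" not in peer:
        findings.append("client [Peer] has no PersistentKeepalive; the replies recommend setting one")
    for label, value in (("client PrivateKey", iface["PrivateKey"]),
                         ("client peer PublicKey", peer["PublicKey"]),
                         ("router peer public-key", ros_peer["public-key"])):
        if not is_wg_key(value):
            findings.append(f"{label} is not a valid 32-byte base64 WireGuard key")
    return findings


def findings_for_thread_config() -> list:
    return check_setup(parse_wg_quick(CLIENT_CONF), ROS_IFACE, ROS_PEER)


def findings_for_fixed_config() -> list:
    return check_setup(parse_wg_quick(CLIENT_CONF_FIXED), ROS_IFACE, ROS_PEER_FIXED)


if __name__ == "__main__":
    for title, found in (("as posted", findings_for_thread_config()),
                         ("after the suggested changes", findings_for_fixed_config())):
        print(f"{title}: {len(found)} finding(s)")
        for item in found:
            print("  -", item)
```

Replace the constructed strings with the real client file and the real `print` values to run it against your own setup; the public-key comparison between the two sides is deliberately left out here, because that needs the private key, which should not be pasted into a forum or a script.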

This is the full config.
http://www.rescas.eu/listing/download/public/pippo.zip
… or you need it pasted in full text into a code block (quite long!)?

Can you explain, in a few words, why, while android connects fine, the present configuration may be wrong? Shouldn’t MT be unaware of whether the client is a phone, a linux or a windows PC?