Wireguard handshake but no traffic

jfad · February 10, 2024, 5:22pm

Hello to all!

First post in this community, hope you guys can help out.
I’ve been trying to make a dynamic WG connection between 2 sites, both of them using a ddns address.
Site A has an EdgeRouter and is the current WG server (public IP under ddns.net)
Site B has a Mikrotik and is the one to connect to WG as as client (public IP under duckdns.org)

So far I was able to get a handshake but unfortunately I’m not able to get any traffic from the Mikrotik via the WG tunnel

Can you guys help to identify the issue?

EdgeRouter config (server)
Public IP under xxx.ddns.net
Wireguard interface: 10.6.69.1
Listening port: 51280
Peer: mikrotik
Allowed IP: 10.6.69.6/32
endpoint: xxx.duckdns.org:13231

Mikrotik config (client)
Public IP under xxx.duckdns.org

/interface wireguard
add listen-port=13231 mtu=1420 name=WG-CasaPollo
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add interface=WG-CasaPollo list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=10.6.69.6/24 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=xxx.duckdns.org client-listen-port=\
    13231 endpoint-address=xxx.ddns.net endpoint-port=51280 interface=\
    WG-CasaPollo persistent-keepalive=25s public-key=\
    "xxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.6.69.6/24 interface=WG-CasaPollo network=10.6.69.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=10.0.0.2 gateway=\
    192.168.88.1
/ip firewall filter
add action=fasttrack-connection chain=forward comment="from the network berg" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="from the network berg" \
    connection-state=established,related
add action=accept chain=input comment="WG-casapollo (Mikrotik guides)" \
    dst-port=13231 protocol=udp src-port=""
add action=drop chain=forward comment="from the network berg" \
    connection-state=invalid
add action=drop chain=forward comment="from the network berg" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Mesquite · February 10, 2024, 7:26pm

Peer address on the Mikrotik router should be
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=10.6.69**.0/**24
endpoint-address=xxx.ddns.net endpoint-port=51280 interface=
WG-CasaPollo persistent-keepalive=25s public-key=
“xxx”

Do not require client address on edgerouter, it is acting as server for handshake.

Do not require input chain rule for wireguard on MT, it is NOT server for handshake, so remove…
add action=accept chain=input comment=“WG-casapollo (Mikrotik guides)”
dst-port=13231 protocol=udp src-port=“”

+++++++++++++++++++++++++++++++++++++++++

If you didnt want to masquerade all the MT traffic out the wireguard to its IP address .6, and simply allow the local subnets to enter the tunnel.
ONe would only need to include those subnets on the edgerouter allowed IPs.

for example- Allowed IP: 10.6.69.6/32,192.168.88.0/24

TheCat12 · February 10, 2024, 7:40pm

Also Wireguard interface should be part of LAN interface list, not WAN, at least in my opinion

Mesquite · February 10, 2024, 8:13pm

Its not a matter of belonging to a particular interface is some rule.
It can be assigned to a particular interface for various reasons…
In fact, for third party Wireguard connections, making the WG interface part of the WAN interface makes sense.
Then one need not create a separate sourcenat rule for wireguard.

If the router is the server for handshake, and you have users coming in that need access to the WAN for example, ensuring they are part of the LAN interface will
a. allow them access to DNS services and any forward chain LAN to WAN allow rules.

Bottom line, look at your firewall rules and traffic needs and apply what makes sense.

jfad · February 11, 2024, 10:12am

Thanks for the suggestion!!

I’ve modified my config as you’ve proposed but I still can’t ping 10.6.69.1 from the Mikrotik or get any traffic out from the WG interface.
On the Edge router i’ve added as allowed IP 10.6.69.6/32 and 192.168.88.0/24 but as soon as I remove the endpoint xxx.duckdns.org:13231 I no longer get a handshake.

Any ideas why it doesn’t work?

/interface wireguard
add listen-port=13231 mtu=1420 name=WG-CasaPollo
/interface list member
add interface=WG-CasaPollo list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=10.6.69.0/24 client-dns=\
    1.1.1.1,8.8.8.8 client-endpoint=xxx.duckdns.org client-listen-port=\
    13231 endpoint-address=xxx.ddns.net endpoint-port=51280 interface=\
    WG-CasaPollo persistent-keepalive=25s public-key=\
    "xxx"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.6.69.6/24 interface=WG-CasaPollo network=10.6.69.0
/ip firewall filter
add action=fasttrack-connection chain=forward comment="from the network berg" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="from the network berg" \
    connection-state=established,related
add action=drop chain=forward comment="from the network berg" \
    connection-state=invalid
add action=drop chain=forward comment="from the network berg" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Peer address on the Mikrotik router should be
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=10.6.69**.0/**24
endpoint-address=xxx.ddns.net endpoint-port=51280 interface=
WG-CasaPollo persistent-keepalive=25s public-key=
“xxx”

Do not require client address on edgerouter, it is acting as server for handshake.

Do not require input chain rule for wireguard on MT, it is NOT server for handshake, so remove…
add action=accept chain=input comment=“WG-casapollo (Mikrotik guides)”
dst-port=13231 protocol=udp src-port=“”

+++++++++++++++++++++++++++++++++++++++++

If you didnt want to masquerade all the MT traffic out the wireguard to its IP address .6, and simply allow the local subnets to enter the tunnel.
ONe would only need to include those subnets on the edgerouter allowed IPs.

for example- Allowed IP: 10.6.69.6/32,192.168.88.0/24

gigabyte091 · February 11, 2024, 11:00am

That’s normal, how will router know where to send handshake and establish connection if you remove endpoint.

If you look at the post from @Mesquite he didn’t remove endpoint…

jfad · February 11, 2024, 12:41pm

Thanks, I’ve misread the message from @Mesquite.

In anycase, now that i have the endpoint on the Edgerouter correct, handshake works but not able to ping the Edgerouter from the Mirkrotik

Any suggestions of what to do?

thanks again for the support!

Mesquite · February 11, 2024, 1:43pm

jfad, YOU HAD TWO endpoints in your mikrotik config.
There is no such thing as client endpoint in your scenario.
The edgepoint router acts as the server for the initial handshake ( after established its a peer to peer connection).

SO two things need to happen’

get rid of client duckstuff on MIkrotik Allowed IPs setting. You only need the endpoint identifying the edge router .
get rid of the duck settings on the edge router, they are meaningless
all that should be on the edge router for address on the allowed IPs, is the 10.6.69.6/32

To to recap:
MT
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.ddns.net endpoint-port=51280 interface=
WG-CasaPollo persistent-keepalive=25s public-key=“xxx”

EDGE:
Allowed IP: 10.6.69.6/32 publickey=xxxxx etc..

jfad · February 11, 2024, 3:51pm

Thanks Mesquite!

works like a charm now!