The peers (peerA and peerB - Windows clients) need to speak to the subnets which sit behind the Mikrotik peer (in the below example - 172.16.0.0/16), e.g.:
This works perfectly for peerA, but peerB is unable to initiate a handshake with the Mikrotik (pcap shows the request reaching the Mikrotik, but it does not reply).
I’ve seen this thread, where I can see that it should be possible to have multiple peers on a single WG interface.
Yes, it should work, looking at your information.
Please post full config on router.
/export file=anynameyouwish (minus serial number and any public WAN IP info)
Also ensure that Client B gets the same public IP from the router that Client A received, but that the router gets Client B’s public IP and sets it in the router’s peer B settings.
Is there some firewall or other setting on peer B’s Windows blocking it?
Also ensure that Client B gets the same public IP from the router that Client A received, but that the router gets Client B’s public IP and sets it in the router’s peer B settings.
Checked and confirmed to be unique.
Is there some firewall or other setting on peer B’s Windows blocking it?
I don’t believe so; the pcap shows the handshake reaching the Mikrotik public IP from peerB’s public IP, but no reply from the Mikrotik:
With peerA, I can see the full handshake exchange, as you’d expect.
(1) Is this an internet-facing router? If so, you are seriously deficient in firewall rules and it is really a security risk.
(2) Is this a cloud router? I don’t understand your setup at all; I need a network diagram.
(3) What is the LAN? I see ether1 is disabled, so that’s not useful. I see bonded ether9 and ether10
and the VLANs part of the bonding, so is that your WAN, and if so, how does that work? Is it one WAN, two WANs? Very confusing overall.
(1) Is this an internet-facing router? If so, you are seriously deficient in firewall rules and it is really a security risk.
(2) Is this a cloud router? I don’t understand your setup at all; I need a network diagram.
Many thanks for considering this.
The router has access to WAN via one of the VLANs on the bonding interface. The router is essentially an endpoint connected to a pair of TOR switches. WAN connectivity is handled by a cluster of (different) routers. Firewalling is done closer to the server cluster by dedicated equipment/systems. Traffic can pass through this router, but there is a deny-all rule for input traffic.
(3) What is the LAN? I see ether1 is disabled, so that’s not useful. I see bonded ether9 and ether10
and the VLANs part of the bonding, so is that your WAN, and if so, how does that work? Is it one WAN, two WANs? Very confusing overall.
One VLAN for (essentially) WAN, one VLAN for management LAN.
Nothing here to say why A works and B does not.
Yes, very strange that the router doesn’t respond to the handshake. The public IP of peerB is reachable from the Mikrotik.
I didn’t check the details, but make sure that you have the correct keys for peerB. In case there were some mix-up, WG would simply ignore the request from what it would see as an unknown peer.
I found the solution in this thread. The issue is with the endpoint being set as a blank value in the peer config - “endpoint-address” should be entirely absent if it isn’t specified (peerA below is correct, peerB is incorrect):
When I sent the initial config, it was after recreating the nodes entirely, so it seems I accidentally fixed the issue for peerA (for a second time). Just an unfortunate coincidence.
Via the WI, you need to collapse the “Endpoint” field and then click “OK” - not [“Apply” + “OK”] - which seems to commit the empty dropdown. Weirdly, if you return to the peer after committing the config successfully, the empty dropdown will be present again, but not present in the export:
It’s interesting. I would have expected that if a blank address should have any effect, it would be the same as any wrong address. Which would be something you may not even notice, because WG is very keen on roaming, so even if you set the peer’s address to any wrong address, the first packet from the peer will update current-endpoint-address and it will work just fine:
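As an added example (not code from this thread, from MikroTik, or from any poster), here is a small Python audit script that parses a RouterOS-style export of the WireGuard peers and flags the three things the thread discussed: a peer carrying an empty endpoint-address value (the root cause found in the solution post), a public-key that does not decode to 32 bytes (the key mix-up suggested earlier), and an allowed-address claimed by more than one peer on the same interface. The sample export is constructed, the keys are placeholders, and the assumption that the broken peer shows up as endpoint-address="" in the audited text is mine, since the thread notes the empty value may not appear in the export at all.

```python
import base64
import ipaddress
import shlex

# Constructed sample in RouterOS 7 export style (not the thread's real config).
# peerA is correct; peerB carries an empty endpoint-address value, the condition
# the thread identified as the cause of the silent handshake failure. That the
# empty value appears as endpoint-address="" in the audited text is an assumption.
KEY_A = base64.b64encode(bytes(32)).decode()        # placeholder 32-byte key
KEY_B = base64.b64encode(bytes([1]) * 32).decode()  # placeholder 32-byte key
SAMPLE_EXPORT = f"""\
/interface/wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface/wireguard/peers
add allowed-address=10.10.0.2/32 comment=peerA interface=wireguard1 \\
    public-key="{KEY_A}"
add allowed-address=10.10.0.3/32 comment=peerB endpoint-address="" \\
    interface=wireguard1 public-key="{KEY_B}"
"""

PEERS_SECTION = "/interface/wireguard/peers"


def parse_export(text):
    """Return (section, {key: value}) for every 'add' line, joining '\\' continuations."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):            # RouterOS wraps long lines with a backslash
            buf += line[:-1].rstrip() + " "
            continue
        joined.append(buf + line.strip())
        buf = ""
    section, entries = None, []
    for line in joined:
        if line.startswith("/"):           # both "/a/b/c" and "/a b c" header styles
            section = line.replace(" ", "/").rstrip("/")
            continue
        if line.startswith("add "):
            props = {}
            for tok in shlex.split(line[4:]):   # shlex strips the quotes, so "" -> ""
                key, _, value = tok.partition("=")
                props[key] = value
            entries.append((section, props))
    return entries


def public_key_ok(value):
    """A WireGuard public key is exactly 32 bytes of base64 (44 chars)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                     # binascii.Error is a ValueError subclass
        return False


def audit_peers(export_text):
    """Return a list of (peer label, problem) findings for the peers section."""
    findings, seen_allowed = [], {}
    for section, p in parse_export(export_text):
        if section != PEERS_SECTION:
            continue
        label = p.get("comment") or p.get("public-key", "?")[:8]
        # Key present but empty: the thread's failure mode (the key should be absent).
        if "endpoint-address" in p and p["endpoint-address"] == "":
            findings.append((label, "empty endpoint-address: remove the key entirely"))
        if not public_key_ok(p.get("public-key", "")):
            findings.append((label, "public-key is not a 32-byte base64 value"))
        # An allowed-address may belong to only one peer per interface.
        for net in filter(None, p.get("allowed-address", "").split(",")):
            slot = (p.get("interface"), ipaddress.ip_network(net, strict=False))
            if slot in seen_allowed:
                findings.append((label, f"allowed-address {net} duplicates peer {seen_allowed[slot]}"))
            seen_allowed[slot] = label
    return findings


if __name__ == "__main__":
    for peer, problem in audit_peers(SAMPLE_EXPORT):
        print(f"{peer}: {problem}")
```

Feed it the text of your own export (with keys and WAN addresses stripped, as suggested earlier in the thread) and an empty result means none of the three conditions is present; a finding on endpoint-address means the peer should be recreated with that property left out rather than set to a blank value.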