Wireguard issues; can connect but can't access hosts

So I’m trying to get wireguard working on my RB5009UG+S+ running version 7.14.3 of RouterOS and I’m stuck. I am trying to get an Android phone running the official wireguard client connected so that I can access my home NAS from the road. I want to get my Linux laptop connected via Network Manager, but phone is more important at this point.

I followed the guide here: https://www.youtube.com/watch?v=vn9ky7p5ESM

The client app on the phone reports no issues when I connect. Upon invoking the connection in the app, I see output as the app reaches out to my router. All looks good; however, when I try to ping the wireguard IP (or any IP on my router), I get timeouts. Everything is unreachable.

A few facts about my setup:

  • Interface wireguard1 is set up and listening to udp port 13231 with MTU of 1420
  • The home LAN has an IP of 10.0.0.0/24
  • The wireguard1 interface has an IP of 10.2.0.1/24
  • The wireguard interface is not part of an interface list (LAN/WAN, etc), nor does it belong to a bridge
  • A firewall input rule for udp 13231 exists that allows traffic to pass
  • I’ve added the peer along with appropriate public keys in the router’s wireguard peer config
  • Address I assigned to the client / phone is 10.2.0.3/24, and it has been listed as an “address” in the phone’s wg interface
  • I’ve added the router as a peer on the Android phone, adding 0.0.0.0/0 as the “allowed IPs”

The app log on the phone doesn’t report key errors, so it appears that keys are not the issue. That’s my guess, anyway. I’m concerned that my network configuration is not set up right.

Any suggestions? I’ve been excited to get this working but this has really beat me up. I wouldn’t be surprised if it’s something small and simple that is keeping it from working as expected.

Thanks!

Have you added 10.0.2.3/32 as an allowed IP address in the Peer setting on the Mikrotik?

When you look at the peer setting on the Mikrotik, are you getting updated Tx, Rx and Last Handshake values?

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys, etc. )
and
phone settings.

No, rx, tx and handshake are all zeroed out. I went back to my app log on the phone and this is what I found:

--------- beginning of events
08-12 13:18:18.885 13855 13855 I wm_on_create_called: [89633512,com.wireguard.android.activity.MainActivity,performCreate,12]
08-12 13:18:18.893 13855 13855 I wm_on_start_called: [89633512,com.wireguard.android.activity.MainActivity,handleStartActivity,8]
08-12 13:18:18.895 13855 13855 I wm_on_resume_called: [89633512,com.wireguard.android.activity.MainActivity,RESUME_ACTIVITY,0]
08-12 13:18:18.901 13855 13855 I wm_on_top_resumed_gained_called: [89633512,com.wireguard.android.activity.MainActivity,topStateChangedWhenResumed]
08-12 13:18:18.926 13855 13855 I viewroot_draw_event: [VRI[MainActivity],reportDrawFinished seqId=0]
08-12 13:18:41.202 13855 13855 I auditd  : type=1400 audit(0.0:67296): avc:  denied  { read } for  comm="DefaultDispatch" name="somaxconn" dev="proc" ino=2563534 scontext=u:r:untrusted_app:s0:c30,c257,c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.wireguard.android
--------- beginning of main
08-12 13:18:56.855 13855 13948 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Handshake did not complete after 5 seconds, retrying (try 2)
08-12 13:18:56.856 13855 13948 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Sending handshake initiation
08-12 13:19:01.945 13855 13889 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Handshake did not complete after 5 seconds, retrying (try 2)
08-12 13:19:01.945 13855 13889 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Sending handshake initiation
08-12 13:19:07.141 13855 13948 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Handshake did not complete after 5 seconds, retrying (try 2)
08-12 13:19:07.142 13855 13948 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Sending handshake initiation
08-12 13:19:12.207 13855 13947 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Handshake did not complete after 5 seconds, retrying (try 2)
08-12 13:19:12.207 13855 13947 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Sending handshake initiation
08-12 13:19:17.359 13855 13889 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Handshake did not complete after 5 seconds, retrying (try 2)
08-12 13:19:17.360 13855 13889 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Sending handshake initiation
08-12 13:19:22.480 13855 13948 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Handshake did not complete after 5 seconds, retrying (try 2)
08-12 13:19:22.481 13855 13948 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Sending handshake initiation

I’m assuming this implies a key related issue?
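
The log posted above, checked mechanically (an added example, not part of any poster's message; the function name and the second, healthy sample are constructed for illustration). It counts wireguard-go handshake events per peer; initiations with no "Received handshake response" show only that nothing came back, which by itself does not separate a key mismatch from packets never reaching the router.

```python
import re
from collections import defaultdict

# wireguard-go debug lines as they appear in the Android app's log export.
LINE = re.compile(
    r"WireGuard/GoBackend/(?P<tunnel>[^:]+): peer\((?P<peer>[^)]+)\) - (?P<msg>.*)$")

def summarize_handshakes(log_text):
    """Count handshake events per (tunnel, peer) and classify the outcome."""
    stats = defaultdict(lambda: {"initiations": 0, "timeouts": 0, "responses": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # Android framework / auditd lines and section markers
        s = stats[(m["tunnel"], m["peer"])]
        msg = m["msg"]
        if msg.startswith("Sending handshake initiation"):
            s["initiations"] += 1
        elif msg.startswith("Handshake did not complete"):
            s["timeouts"] += 1
        elif msg.startswith("Received handshake response"):
            s["responses"] += 1
    for s in stats.values():
        if s["responses"]:
            s["verdict"] = "handshake completed"
        elif s["initiations"]:
            # WireGuard stays silent towards packets it cannot authenticate, so
            # this covers both "never arrived" and "arrived but was dropped".
            s["verdict"] = "no reply to any initiation"
        else:
            s["verdict"] = "no handshake attempted"
    return dict(stats)

# Four lines copied from the log in this thread, plus its section marker.
SAMPLE_FROM_THREAD = """\
--------- beginning of main
08-12 13:18:56.855 13855 13948 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Handshake did not complete after 5 seconds, retrying (try 2)
08-12 13:18:56.856 13855 13948 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Sending handshake initiation
08-12 13:19:01.945 13855 13889 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Handshake did not complete after 5 seconds, retrying (try 2)
08-12 13:19:01.945 13855 13889 D WireGuard/GoBackend/MyVPN: peer(2sjU…Ym0Y) - Sending handshake initiation
"""

# Constructed sample of a working tunnel, for comparison.
CONSTRUCTED_OK = """\
01-01 00:00:00.000 1 1 D WireGuard/GoBackend/Demo: peer(AAAA…BBBB) - Sending handshake initiation
01-01 00:00:00.050 1 1 D WireGuard/GoBackend/Demo: peer(AAAA…BBBB) - Received handshake response
"""

if __name__ == "__main__":
    for text in (SAMPLE_FROM_THREAD, CONSTRUCTED_OK):
        for key, s in summarize_handshakes(text).items():
            print(key, s)
```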

Since you didn’t provide the config as asked, I will move on.

The VPN’s NAT is probably missing.