Wireguard Keeps trying to reconnect

7.14.1 changelog: wireguard - do not attempt to connect to peer without specified endpoint-address;
But it seems still not fixed in 7.14.2. When I disconnect from my Android phone, the router will log a lot of “Handshake for peer did not complete after 5 seconds, retrying (try 2)” messages.

Observing the same issue on 7.14.2 even though it is mentioned as fixed in 7.14.1.

Do you have persistent keepalive disabled?

Persistent keepalive is required on the client (for handshake) peer and not on the Server (for handshake) peer.

Yes but it seems like they might possibly have it enabled on the router side, as the router is logging an attempt every xx seconds.

Nope, neither endpoint nor persistent keepalive is enabled on the MikroTik server, yet it still tries to handshake in a loop once the device was online for a while.

https://ss.codeone.pl/ss-2024-04-05-10-14-55-1712304895-Hzo6SuR2.png
https://ss.codeone.pl/ss-2024-04-05-10-15-57-1712304957-jMmCVhNo.png

I can see in 7.15 beta 6, that it might be fixed there, but not on 7.14 branch.

What’s new in 7.15beta6 (2024-Mar-08 08:23):
*) wireguard - do not attempt to connect to peer without specified endpoint-address;

I’m experiencing the same issue on 7.14 here (see attached image).

My Hex S keeps trying to complete the handshake with my Pixel 7 Pro, even though my phone has been disconnected from the VPN for hours. Persistent keepalive is NOT enabled in any of the devices, and it has never been.

Also, I’m not sure if the issue is related, but I’ll mention it just in case because it looks like too much of a coincidence to me:

While the VPN continues to work perfectly fine from my Pixel phone despite what you see in the logs, my MacBook on the other hand has suddenly lost the ability to use this same VPN tunnel (same interface).

I have NEVER modified the configuration, either on the MikroTik or any of the peers, and both have been working just fine for several months. But at some point this week, when I tried to connect from my MacBook (also using the official Wireguard client), this started happening. The connection is established according to the Wireguard app (“Active”, green light), but I have no connectivity. Can’t access either local or remote resources, everything just times out from the Mac.

I can also confirm that the MacBook can correctly connect to a different Wireguard interface I have on a different device (a Raspberry Pi), meaning the issue must specifically be related to the MikroTik tunnel only.

The important bit here is that the “Handshake for peer did not complete…” messages are referring to my Pixel, not my MacBook! Whereas it’s my MacBook connection that stopped working, not my Pixel’s.

So I’m just wondering: could this bug somehow be causing the MikroTik to only listen for connections coming from the Pixel peer, while ignoring the rest?

Happy to help troubleshoot this as I’m highly interested in gaining VPN access from my MacBook again :smiley:

Edit: I can also confirm this is NOT fixed in 7.15 beta 9. The handshake logs about my Pixel keep coming every minute, and my MacBook is still unable to connect to the VPN.
wireguard.png

Believe this is a known issue with the BTH functionality being addressed for imminent 7.15 release. Imminent used loosely.

I’m on version 7.16.1:

My Wireguard connection / setup (client to server) works perfect.
But once I disconnect from the server (MikroTik router), the MikroTik router starts generating logs as if it were trying to handshake back to the client for some amount of time until it stops.
I’m getting logs stating it tries 20 times every 5 seconds:

wireguard_ak: [XX] xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=: Handshake for peer did not complete after 5 seconds, retrying (try 2)

I can see some said it had been fixed, but it seems it’s not, even in the newest version of the OS.

Without seeing your config, at least the WireGuard settings, it is impossible to comment one way or the other.
Are you using BTH settings or just normal WireGuard settings?
If the former, I would need to see a snapshot of the BTH settings and the config part of WireGuard etc… of the relevant MT devices
(and the WireGuard settings of any singular device like an Android phone or Windows laptop).

Don’t show actual WAN IP information or keys of course…

Mikrotik - Server

/interface wireguard
add listen-port=15231 mtu=1420 name=wireguard_TB

/interface wireguard peers
add allowed-address=192.168.55.0/24 interface=wireguard_TB name=TB public-key="xxxxxxXxxxXxXXXXXXxxxxXxXXxXXxXxXXXXXXXxxxX(client Public key)="

Mac - Client

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(=
Address = 192.168.55.10/32
DNS = 192.168.55.254

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx(Server Public key)=
AllowedIPs = 0.0.0.0/0
Endpoint = X.X.X.X:15231
PersistentKeepalive = 25

As I said, it connects fast with no problems, it is stable and not disconnecting, and if broken it reconnects extremely fast. All good. But once I click disconnect session on the Mac, MikroTik starts generating logs for tries to connect back to the client :slight_smile:

Well, your allowed IPs on the Server peer router are not correct.
/interface wireguard peers
add allowed-address=192.168.55.0/24 interface=wireguard_TB name=TB public-key="xxxxxxXxxxXxXXXXXXxxxxXxXXxXXxXxXXXXXXXxxxX(client Public key)="

Each peer client should be detailed in a separate line.

SERVER ROUTER:
If you have a Mac client anywhere, and another client peer anywhere..
/interface wireguard peers
add allowed-address=192.168.55.2 interface=wireguard_TB comment="mac peer" public-key="==="
add allowed-address=192.168.55.3 interface=wireguard_TB comment="other client peer" public-key="*@@@====="

If you had a router with a subnet that either your server router users needed access to, OR remote users needed to come to the server router and visit one of your local subnets:
add allowed-address=192.168.55.4,192.168.50.0/24 interface=wireguard_TB comment="other client router peer" public-key="====+++++"

Corresponding Client PEER DEVICE SETTINGS…
MAC
/interface wireguard peers
add allowed-address=192.168.55.1 interface=wireguard_Mac comment="Server peer" endpoint-address=1.2.3.4 endpoint-port=XYABC persistent-keepalive=35s public-key="++++++"

OTHER CLIENT
/interface wireguard peers
add allowed-address=192.168.55.1 interface=wireguard_Other comment="Server peer" endpoint-address=1.2.3.4 endpoint-port=XYABC persistent-keepalive=45s public-key="++++++"

OTHER CLIENT ROUTER
/interface wireguard peers
add allowed-address=192.168.55.0/24,192.168.8.0/24 interface=wireguard_Router comment="Server peer" endpoint-address=1.2.3.4 endpoint-port=XYABC persistent-keepalive=30s public-key="++++++"

IF any of the client peers needed to go out to the internet via the Server router, allowed-IPs would change to 0.0.0.0/0

This is still happening for me in 7.18.1.

“Server” is trying to constantly connect to peers with no endpoint address defined. Persistent keep alive on server has been disabled.

post config
/export file=anynameyouwish (minus router serial number, any public IP information, keys)

Enable the “Responder” checkbox for the affected peer in RouterOS.

This fixed my issue lol, I’m on 7.21.2 (stable).
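One way to check a server-side peer export against the points raised in this thread (one allowed-address per peer with no overlap, no initiator settings such as endpoint or keepalive on the server side, and the Responder flag from the last posts): an added Python example, not code from the thread or from MikroTik. It assumes `responder=yes` is the export keyword behind the Responder checkbox, and the export text is constructed with placeholder keys.

```python
import ipaddress
import shlex

# Constructed RouterOS-style export of a server-side peer list; keys are placeholders.
SAMPLE_EXPORT = """\
/interface wireguard peers
add allowed-address=192.168.55.0/24 interface=wireguard_TB name=TB public-key="CLIENT_KEY_PLACEHOLDER="
add allowed-address=192.168.55.2/32 interface=wireguard_TB comment="mac peer" public-key="MAC_KEY_PLACEHOLDER="
add allowed-address=192.168.55.4/32,192.168.50.0/24 interface=wireguard_TB comment="client router" \\
    persistent-keepalive=25s public-key="ROUTER_KEY_PLACEHOLDER="
add allowed-address=192.168.55.3/32 interface=wireguard_TB comment="phone" responder=yes public-key="PHONE_KEY_PLACEHOLDER="
"""


def parse_peers(export_text):
    """Return one {attribute: value} dict per 'add ...' line (handles '\\' line wraps)."""
    peers = []
    for line in export_text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("add "):
            peers.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return peers


def label(peer):
    return peer.get("comment") or peer.get("name") or peer.get("public-key", "?")[:8]


def lint_peers(export_text):
    """Return (peer_label, issue) pairs for a responder/server-side peer list."""
    peers = parse_peers(export_text)
    findings = []
    for p in peers:
        who = label(p)
        if "endpoint-address" in p or "persistent-keepalive" in p:
            # The router would initiate handshakes itself and keep retrying after
            # the client goes offline: the "Handshake for peer did not complete" loop.
            findings.append((who, "initiator-settings-on-server-peer"))
        elif p.get("responder", "no") != "yes":
            # Assumed export keyword for the "Responder" checkbox mentioned in the thread.
            findings.append((who, "responder-not-set"))
    # Cryptokey routing maps each destination IP to exactly one peer, so overlapping
    # allowed-address ranges mean one peer silently takes traffic meant for another.
    nets = [(label(p), ipaddress.ip_network(a, strict=False))
            for p in peers for a in p.get("allowed-address", "").split(",") if a]
    for i, (a_who, a_net) in enumerate(nets):
        for b_who, b_net in nets[i + 1:]:
            if a_who != b_who and a_net.overlaps(b_net):
                findings.append((a_who, f"allowed-address-overlaps:{b_who}"))
    return findings


if __name__ == "__main__":
    for who, issue in lint_peers(SAMPLE_EXPORT):
        print(f"{who}: {issue}")
```

Run it against a real `/export` of the peers section (keys stripped) to see which peers the router would keep trying to handshake with and which allowed-address ranges collide.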