Hi, I want to configure RouterOS to connect as a WireGuard client to two servers simultaneously. I am using some VPN service provider out there (like Mullvad or Surfshark; it doesn't matter) and I want it to have a connection to two servers in different locations at the same time. I generate separate connection keys at the VPN provider, but I have a problem configuring WireGuard in RouterOS.
I am able to configure one connection correctly, but when I create the configuration for the second server I have a problem.
The problem appears in the IP/address list, where the second address gets the invalid parameter (screenshot 1).
At first I thought it was because the IPs (which are set by the VPN provider) are the same, but even when I change them to different ones (see screenshot 2) the parameter is still invalid.
Do you have any ideas what I should change to set this?
Please elaborate answers if possible; I am new to the MikroTik world and just learning the configuration, so an elaborate answer will help me understand the problem.
As you can see in the second attachment, even when the IPs are different, it continues to be marked invalid, but I don't know for what reason. Also, the IP for the WG client forces me to have a VPN provider; in the one I use, every client (in the config file I download from it) has the same IP.
Every local WireGuard interface should use its own port. You assigned the same port to both interfaces; this is the error. Change one of them to a new port.
How would this be different when dealing with multiple peer connections? So far the instructions I have found indicate you need one WG interface and then you add your peers, each one assigned a different Interface address.
The ListenPort is the same for all peer connections, or is that wrong? I did find another reference to my issue with the following explanation that I am not sure about with regard to the IP mask. The instructions I have found say to set the MASK to /24.
Unable to have two devices connected at the same time.
Check and verify that each peer has the ClientIP/32 in the Allowed Address.
For example, if the WireGuard interface is using 192.168.1.0/24, and one of the peers has 192.168.1.4/24 in the Allowed Address option, then only one client will work. It appears that the MikroTik will attempt to route all 192.168.1.0/24 requests to 192.168.1.4.
So should the WG Interface and the Peers use 192.168.1.XXX/32 masking, or only the Peers and leave the WG subnet as /24?
Outbound is the problem; if each WG peer setting to the third-party provider is 0.0.0.0/0 for allowed IPs, then it won't work.
By having a different interface and different port, the problem is avoided.
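The Allowed Address behaviour discussed in this thread, as an added example that is not part of any post and not MikroTik code: a small Python model of WireGuard's per-interface allowed-IPs table. It assumes RouterOS follows upstream WireGuard here (host bits masked, one owning peer per prefix, longest-prefix match); the peer, interface and provider names are constructed.

```python
import ipaddress

class WgInterface:
    """Toy model of one WireGuard interface's allowed-IPs table (assumed upstream behaviour)."""
    def __init__(self, name):
        self.name = name
        self.table = {}  # network -> owning peer; each prefix has exactly one owner

    def add_peer(self, peer, allowed):
        for cidr in allowed:
            # Host bits are masked off: 192.168.1.4/24 is stored as 192.168.1.0/24.
            net = ipaddress.ip_network(cidr, strict=False)
            self.table[net] = peer  # a prefix added again moves to the newer peer

    def peer_for(self, dst):
        """Outbound: which peer's key encrypts a packet to dst (longest prefix wins)."""
        ip = ipaddress.ip_address(dst)
        hits = [n for n in self.table if ip in n]
        return self.table[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def accepts(self, peer, src):
        """Inbound: a decrypted packet is kept only if src maps back to the sending peer."""
        return self.peer_for(src) == peer

def server(mask):
    """Server side with two clients (constructed), both using the given mask."""
    wg = WgInterface("wg-server")
    wg.add_peer("phone", ["192.168.1.4/" + mask])
    wg.add_peer("laptop", ["192.168.1.5/" + mask])
    return wg

def client(shared_interface):
    """Client side: two provider peers, each with 0.0.0.0/0 (constructed names)."""
    if shared_interface:
        wg = WgInterface("wg1")
        wg.add_peer("provider-A", ["0.0.0.0/0"])
        wg.add_peer("provider-B", ["0.0.0.0/0"])  # takes 0.0.0.0/0 away from provider-A
        return [wg]
    a, b = WgInterface("wg1"), WgInterface("wg2")  # separate interfaces and listen ports
    a.add_peer("provider-A", ["0.0.0.0/0"])
    b.add_peer("provider-B", ["0.0.0.0/0"])
    return [a, b]

if __name__ == "__main__":
    for mask in ("24", "32"):
        wg = server(mask)
        print("/" + mask, "->", wg.peer_for("192.168.1.4"), wg.peer_for("192.168.1.5"))
    for shared in (True, False):
        print([(i.name, i.peer_for("1.1.1.1")) for i in client(shared)])
```

With separate interfaces both tunnels hold 0.0.0.0/0, so which one carries a given packet is then decided by the router's routing table, not by WireGuard.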