WireGuard - multiple instances

Fasterski · December 14, 2024, 5:42pm

Hi there,
I came across weird behaviour (or perhaps it is my lack of understanding how MK implemented WG) when I added Site to Site WG configuration. In a nut shell I have had my mobile and laptops connect to my WG home router for some time now and it worked flawlessly.
I have decided to to replace an ppp S2S connection with WireGuard which was proving a challenge until I started looking at the logs and what I have found that the S2S tunnels were trying to connect to the phone / laptops WG instance resulting in failure due to mismatched public keys once is temporarily disabled that WG site the S2S remote location connects no problem.

I do have the sites and remote site configured on different ports so they would not conflict yet the remote site for some reason rema to be getting the phone/laptop site to respond.

What am I missing ? Or is this a bug.

Thanks in advance.

hapoo · December 14, 2024, 5:50pm

Likely a configuration mistake. Please post your config for both the router and remote locations. (Hide keys)

holvoetn · December 14, 2024, 6:06pm

Pay attention to which public key you place where and make sure each peer has a unique address.

If that doesn’t help, indeed post config for review.
All peers.

Fasterski · December 15, 2024, 2:09am

her is the config for wireguard on both ends

Main Site
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=WG-HQ
add listen-port=13232 mtu=1420 name=WG-S2S
/interface wireguard peers
add allowed-address=10.10.100.2/32,192.168.220.0/24 interface=WG-S2S name=WG-Kubara public-key=“-+PK MK interface±”
add allowed-address=10.10.0.3/32 comment=iPhone16Pro interface=WG-HQ name=iphone16pro public-key=“-+phone PK±”

add address=10.10.100.1/24 comment=“WG 2412” interface=WG-S2S network=10.10.100.0

Remote Site
/interface wireguard
add listen-port=13232 mtu=1420 name=WG-Kubara
/interface wireguard peers
add allowed-address=10.10.100.1/32,192.168.26.0 endpoint-address=myhomeendpoint endpoint-port=13232 interface=WG-Kubara name=“WG-S2S Kubara” persistent-keepalive=10m public-key=“-+PK MK interface±”

add address=10.10.100.2/24 interface=WG-Kubara network=10.10.100.0

The one for the iPhone pro worked for ages . Now to get the remote site to work I need to disable site WG-S2S on the main router. Only then the remote site connects, but obviously my iPhone does not as the interface for it in disabled.

Hope this illustrates the problem I have.

anav · December 15, 2024, 3:06am

Well from the limited information provided you have the wg main site disabled.
Other than than that
change your Remote SITE settings for allowed IPs to 10.100.100.**0/24,**192.168.2.6.0

This will give you the opportunity to wireguard into the S2S site from the iphone.
On the wireguard main forward chain ensure you include a rule.
add chain=forward action=accept comment=“wg relay” in-interface=WG-HQ out-interface=WG-HQ

Note on the main site you will need a route
/ip route
add dst-address=192.168.220.0/24 gateway=WG-HQ table=main

Similarly on the S2S site
/ip route
add dst-address=192.168.26.0/24 gateway=WG-Kubara table=main

Without both configs, no more help is possible.
/export file=anynameyouwish (minus router serial number, any public WANIP information, vpn keys etc, )

Fasterski · December 15, 2024, 4:33pm

Thanks anav,

The reason the first site is disabled is so that my remote site works.

I do want to keep them separate ( one for iPhones/Laptops/Tablets ) road warrior scenario and second for the S2S .

the problem is that for some reason the S2S (Kubara) somehow wants to connect to the WG-HQ site even thought the ports are different for both. Only if I disable the WG-HQ site (interface) then it skips over to the WG-S2S. Should it do it ?

Just to reiterate the S2S configuration is working and routing if the WG-HQ is disabled. What I do not get is why the remote site is trying to connect on port 13231 even thought it is configured for 13232..

To answer other questions I don’t need to have the phones to connect to the remote site.

I do have the routes set as you have stated. The configuration is huge so I thought I would only post the one related to WG.

so here it is again updated with routes

Main Site
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=WG-HQ
add listen-port=13232 mtu=1420 name=WG-S2S
/interface wireguard peers
add allowed-address=10.10.100.2/32,192.168.220.0/24 interface=WG-S2S name=WG-Kubara public-key=“-+PK MK interface±”
add allowed-address=10.10.0.3/32 comment=iPhone16Pro interface=WG-HQ name=iphone16pro public-key=“-+phone PK±”

add address=10.10.100.1/24 comment=“WG 2412” interface=WG-S2S network=10.10.100.0

/ip route
add comment=WireGuard-Kubara disabled=no distance=1 dst-address=192.168.220.0/24 gateway=WG-S2S routing-table=main scope=30 suppress-hw-offload=no target-scope=10

this route is added once the interface is started
DAc 10.10.100.0/24 WG-S2S 0

Remote Site
/interface wireguard
add listen-port=13232 mtu=1420 name=WG-Kubara
/interface wireguard peers
add allowed-address=10.10.100.1/32,192.168.26.0 endpoint-address=myhomeendpoint endpoint-port=13232 interface=WG-Kubara name=“WG-S2S Kubara” persistent-keepalive=10m public-key=“-+PK MK interface±”

add address=10.10.100.2/24 interface=WG-Kubara network=10.10.100.0

/ip route
add comment=“WireGuard - 6.x Backups” disabled=no distance=1 dst-address=192.168.26.0/24 gateway=WG-Kubara pref-src=“” routing-table=main scope=30 suppress-hw-offload=no target-scope=10

this route is added once the interface is started
DAc 10.10.100.0/24 WG-Kubara 0

Is there any other configuration related to WG I need to share to help me solve this issue?

anav · December 27, 2024, 1:40pm

Cannot help further without some context.
Draw a diagram showing the devices at both ends of the tunnel.
Also the full config of the MT and the second device if MT and if not at least the wireguard settings minus any actual public WANIP information or keys.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

mozerd · December 27, 2024, 4:55pm

To the MAIN Site
You’ve assigned one WireGuard interface called “wireguard” 2 listening ports … IMO this is wrong – you can achieve your objective if you assign the Main Site 2 WireGuard Interfaces - each with its own listening ports etc. and in that way you have effective separation for your remote objectives …

Its not that you cannot have multiple listening ports on the same interface – you can – but that introduces another level of complexity like dst-nat rules for redirection …
Another advantage to the method I suggest is you will have a performance improvement for your remote users – that has been my experience …

anav · December 27, 2024, 8:06pm

Mozerd I think your saying one wireguard interface and simply use two IP addresses for each purpose with same interface name.