wireguard not working any more

Hello,

I have been working a lot with Mikrotik in the past. Now I only use it in a private environment and so far did not have any issues. Recently my RB2011 had some issues, so I bought a used CCR1009 for my home and did a fresh installation using RouterOS v 7.12.

I used wireguard for some time on my old RB2011 for connection to another Mikrotik router as well as for mobile connection. It worked very well. Now, with the CCR1009 I have some issues. I configured it the same way as I did on the RB2011 - but for some reason it is not working. The strange thing is that it looks like the packets are (internally) not forwarded to the wireguard interface. In the firewall I can see incoming packets for the wireguard port, but on the wireguard side nothing seems to happen. The CCR1009 does not count any incoming wireguard packets. I added the wireguard topic to the logging, but no entries for wireguard come up.

Are there any “special” things for the CCR1009 regarding wireguard?

Best Regards,
Andreas

Did you forget to upgrade the admins’ firmware as well?

There should be nothing special for a CCR 10xx vs. RB2011 configuration-wise. There may be an architecture related bug that cannot be affected by configuration, there may be an issue in 7.12 (you haven’t specified what version was running on the 2011), but most likely by experience, there is some difference in the configuration that you deem to be unrelated to the Wireguard but it actually is.

So to let us exclude the last possibility, we need to see an export of the configuration from which any passwords, secrets, private keys and, eventually, public/global addresses have been removed. Run /export hide-sensitive file=somename in the [Terminal] window, download somename.rsc, use your favourite text editor to obfuscate public/global addresses and/or login names to VPN services if any, and post the result here between [code] and [/code] tags.

Just out of curiosity, moving from a 2011 to a 1009 is a huge leap, what has made you choose a 1009 over a 5009? Could you get a 1009 off eBay?

Hi,
The RB2011 was running 7.12 as well, I think. I just reconfigured everything following a tutorial. The wireguard configuration is not that complicated and I really do not know what's going on here. Status right now is that it looks like some connection is there (rx and tx on the wireguard interface are counting) but there is no routing possible between the two sites.
Relevant configuration looks like this:

Site A (CCR1009):
/ip address
add address=192.168.23.254/24 interface=LAN.23 network=192.168.23.0
add address=192.168.24.254/24 interface=ether6-LAN.24 network=192.168.24.0
add address=10.255.255.1/30 interface=wireguard_g43 network=10.255.255.0

/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard_g43
/interface wireguard peers
add allowed-address=172.16.0.0/24 interface=wireguard_g43 public-key="1234567890"


Side B (RB750Gr3):
/ip address
add address=172.16.0.254/24 comment="LAN G43" interface=br_LAN network=172.16.0.0
add address=10.0.0.2/24 comment="Speedport // WAN" interface=ether5-WAN network=10.0.0.0
add address=10.255.255.2/30 interface=wireguard_f2 network=10.255.255.0

/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard_f2
/interface wireguard peers
add allowed-address=192.168.23.0/24 endpoint-address=1.2.3.4 endpoint-port=13232 interface=wireguard_f2 public-key=\
    "1234567890"

Firewall rules are set for both sides. I also disabled the “drop all” rule for a short time to be sure the firewall is not blocking anything.

I chose the CCR1009 because I got a good offer and I used to work with these devices in the past (before wireguard) and actually liked them :wink:

What about the routes? You should have a route to 172.16.0.0/24 with wireguard_g43 or 10.255.255.2 as a gateway at Side A, and a route to 192.168.23.0/24 with wireguard_f2 or 10.255.255.1 as a gateway at Side B, have you got them?

Your config seems off to me. Let's assume the CCR1009 is the WG server for the handshakes for both the other router and the mobile connection.

(1) Not sure a /30 mask cuts it; a /29 mask gives you six usable IPs, since you seem shy to use the standard /24.

(2) The allowed IPs on the CCR1009 are missing the wireguard identification for the hEX?? Should be
/interface wireguard peers
add allowed-address=10.255.255.2/32,172.16.0.0/24 interface=wireguard_g43 public-key="1234567890"

(3) Looking at the hEX, same omission…
add allowed-address=10.255.255.0/24,192.168.23.0/24 endpoint-address=1.2.3.4 endpoint-port=13232 interface=wireguard_f2 public-key="1234567890"

(4) The other problem on the hEX is you are missing the persistent-keepalive=35s or whatever.

(5) As noted by sindy, on both the CCR1009 and hEX you will need a manual route for the remote subnet.
add dst-address=remotesubnet gateway=wireguard-interface table=main

Thank you for checking my code and your recommendations. I can try the config later when I'm back home, but I'm not sure about everything:

  1. A /30 mask should work fine. I also had this in the past when wireguard was working with the RB2011. Sure I can try a /29 subnet.
  2+3. From the wireguard tutorial I found, only the local subnets should be added here, not the wireguard IPs themselves. Was this explained wrong? On the hEX the old wireguard config had only the 192.168.23.0/24 subnet listed here and, as mentioned before, it was always working fine without any issue.
  4. I will add this and see if it changes anything.
  5. I'm not really sure if I will have to add this manually, because this routing entry is created automatically by the allowed-address config from the wireguard configuration. I also checked it yesterday; routing entries for the remote subnets were created and were also pointing to the wireguard interface.

Yes, give it a go, for all the suggestions, otherwise why ask for help??

As for the last point, hogwash. The MT device only creates routes automatically for local interfaces.
Hence why in the route list you will see routes for local subnets and even the wireguard interface.
Since the router is not aware of remote subnets, it does no such thing as create routes for them, and why we have to…

IF they are there it's because they were entered manually previously and you carried them over.

When the automatic signatures still worked on this forum, Anav’s said “use my advice at your own risk”. So:

  1. a /30 mask is fine
  2+3. you only need to add the subnet attached to the Wireguard interface if you want to access that address through the tunnel. We cannot know whether this is the case or not. It is, however, not added automatically, at least the manual does not mention that and it would be against the general philosophy.
  4. this is necessary to refresh the pinhole in the NAT behind which one of the devices is connected during the time where there is a long (typically, more than 3 minutes) gap in payload traffic.

That’s strange because my 7.12 does not behave like this - the subnets from allowed-addresses do not automatically create routes via the WG interface. It would again go against the concept - you may have two wireguard interfaces both providing a tunnel to the same remote destination and you want to decide on your own about mutual priority of these tunnels for that destination. So are the routes you can see indeed marked as D (dynamically created)?

The reason for the suggestion of /29 mask was due to the following sentence (requirements driven).

Quote: “I used wireguard for some time on my old RB2011 for connection to another Mikrotik router as well as for mobile connection. It worked very good. Now, with the CCR1009 I have some issues.” unquote.

Concur, that if the requirements have changed and now only include two wireguard connections, /30 is fine.

For the mobile phone I used another wireguard interface, that's why a /30 subnet is enough for my case.

I reviewed my configuration and added the remote subnets to the allowed-addresses. Also added the keepalive on the hEX. Finally wireguard is working now. And you were absolutely right: the routing entry is not generated automatically - sorry, my bad. Maybe I got confused by an older entry which was already there. So I had to create it manually.

Thank you for your help and have a nice week.
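As an added illustration (not part of the thread and not a MikroTik tool), a small Python checker that parses exports like the ones posted above and applies the three points the thread converged on: the peer's tunnel address in allowed-address, persistent-keepalive on the peer that dials out, and a static /ip route for the remote LAN. The exports, interface names and public keys below are constructed samples.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample exports modelled on the thread (keys are placeholders), each
# still carrying one of the omissions the replies pointed out.
SITE_A = """\
/interface wireguard peers
add allowed-address=172.16.0.0/24 interface=wireguard_g43 public-key="PUBKEY-B"
"""
SITE_B = """\
/interface wireguard peers
add allowed-address=192.168.23.0/24 endpoint-address=1.2.3.4 endpoint-port=13232 interface=wireguard_f2 public-key="PUBKEY-A"
/ip route
add dst-address=192.168.23.0/24 gateway=wireguard_f2
"""

def parse_export(text):
    """Map each '/section' of a RouterOS export to the key=value dicts of its 'add' lines."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
        elif line.startswith("add ") and current:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections

def check_site(cfg, remote_lan, remote_tunnel_ip):
    """Run the thread's three checks for one side; return the findings as strings."""
    findings, tunnel_ip = [], ipaddress.ip_address(remote_tunnel_ip)
    for peer in cfg["/interface wireguard peers"]:
        allowed = [ipaddress.ip_network(a, strict=False) for a in peer["allowed-address"].split(",")]
        # (2+3) the peer's tunnel address must be in allowed-address to be reachable via the tunnel
        if not any(tunnel_ip in net for net in allowed):
            findings.append(f"{peer['interface']}: allowed-address lacks {remote_tunnel_ip}")
        # (4) the side that dials out (endpoint-address set) sits behind NAT and needs keepalive
        if "endpoint-address" in peer and "persistent-keepalive" not in peer:
            findings.append(f"{peer['interface']}: no persistent-keepalive on the dialing peer")
    # (5) RouterOS derives no route from allowed-address; a static one is required
    if not any(r.get("dst-address") == remote_lan for r in cfg["/ip route"]):
        findings.append(f"no /ip route for {remote_lan} via the wireguard interface")
    return findings

if __name__ == "__main__":
    print(check_site(parse_export(SITE_A), "172.16.0.0/24", "10.255.255.2"))
    print(check_site(parse_export(SITE_B), "192.168.23.0/24", "10.255.255.1"))
```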