Wireguard on Windows (client), no gateway, can't ping router

GiovanniG · January 27, 2024, 9:13pm

Hi, I’ve configured Wireguard on Mikrotik, I can connect to it, but the PC gets 0.0.0.0 as gateway, wrong config on client?
Also, I have a /24 on both sides, but I can’t ping the router IP on the same subnet, does it has sense?
What is wrong here?

[Interface]
PrivateKey = aJAtji26KI
Address = 192.168.97.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = laEM5eI1
AllowedIPs = 0.0.0.0/0
Endpoint = 146.X.X.X:13231
PersistentKeepalive = 10

This is a DOS ipconfig:
Scheda sconosciuta WIreguard-test:

Suffisso DNS specifico per connessione:
Indirizzo IPv4. . . . . . . . . . . . : 192.168.97.2
Subnet mask . . . . . . . . . . . . . : 255.255.255.0
Gateway predefinito . . . . . . . . . : 0.0.0.0

jhbarrantes · January 27, 2024, 10:53pm

Think client should be a /32, not /24. Could it be this?

Regards.

gabacho4 · January 27, 2024, 11:02pm

Please provide the full configuration on your Mikrotik router (export hide-sensitive file=AnyNameYouWish), as well as the client config.

rplant · January 28, 2024, 1:54am

Does the wireguard inteface on the router have IP address 192.168.97.x/24 on it (I would normally use 192.168.97.1/24).
Does the wireguard peer configuration on the router have an allowed ips of 192.168.97.2 (only) for your peer.

I would normally add 192.168.97.0/24 to the allowed ip list on your PC. (Not strictly necessary, but then you can easily remove the
0.0.0.0/0 entry for testing)

Edit:
0.0.0.0 as default gateway looks correct.

GiovanniG · January 28, 2024, 10:35am

Thanks for help,
I figured out Wireguard use UDP, why it said me “connected” if I just created a TCP destnat? That’s a tricky behaviour of the app, it shouldn’t write connected.
So instead of TCP I destnatted UDP and I’m able to ping the router, I also appreciate that the app leaves me configuring the network and subnet, so I specified there the LAN net and I srcnat all wireguard client IP to that NAT, works! While I’m using my gateway for internet..

jhbarrantes · January 28, 2024, 11:12am

You need to accept UDP port in firewall filter, at input chain. dst-nat rule would only make sense if the server is somewhere below the router (it is a client of the natted network). You shouldn’t need anything on NAT to reach the gateway or other subnets that router may manage.

Regards.

gabacho4 · January 28, 2024, 1:13pm

Provide the config for the router and client and chances are we can easily help you get things sorted. Otherwise, it’s all guessing complicated by language barrier and the fact that I don’t think you know exactly what it is you’re doing. Last response from me until I see configs. The other guys can keep guessing while you do random crap behind the scenes.

GiovanniG · January 29, 2024, 9:19am

As I wrote it’s below the main router, it’s an OS7, the main router is OS6. WIthout dstnat it won’t work
Wireguard works, the problem was I did a TCP destnat instead of UDP and that the Wireguard app it’s tricky and wrote “connected” even if it is not at all connected. I figure it out only because I had RX 0 bytes and 0 links that made me suspicious

GiovanniG · March 3, 2024, 12:09pm

With 7.14 Mikrotik has solved the log problem.
The connection may still unstable, the problem is connected with the keys in my opinion, the relation between public and private key may change and it’s needed to add again key to Peer

anav · March 3, 2024, 12:51pm

Wrong in every thought…
and by not posting your config from the very beginning, how was anyone supposed to know you for example you had improper formats for wireguard
keys dont change magically either…

GiovanniG · March 3, 2024, 5:57pm

if the 7.14 continues to work good as now it won’t be necessary to upload any config, let’s see

anav · March 4, 2024, 12:20am

I wouldnt hold my breath on 7.14, at least for BTH its giving people some issues so expect an update sooner rather than later.