Wireguard, only 1 peer works

Simba91 · December 7, 2022, 12:12am

At my wits end trying to get this working, hoping someone here can set me back on the right track -

use case: 3x Smartphones, 3x laptop computers wish to access the Home LAN over a VPN when away from home

I’ve enabled Wireguard, and setup 1 client for each. Installed the official Wireguard app and configured.

My phone works, but I can’t get any other device to complete the handshake. This happens regardless of wireguard being active on my phone, and it happens on wifi or off wifi.

Thanks,

# RouterOS 7.5
# software id = W5M1-5E8A
#
# model = RB760iGS
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=10.0.0.2/32 interface=wireguard1 persistent-keepalive=20s public-key=""
add allowed-address=10.0.0.3/32 endpoint-address="" interface=wireguard1 public-key=""
add allowed-address=10.0.0.4/32 endpoint-address="" interface=wireguard1 public-key=""
add allowed-address=10.0.0.5/32 endpoint-address="" interface=wireguard1 public-key=""

/ip firewall filter
add action=accept chain=input comment="allow wireguard handshake" dst-port=51820 log=yes log-prefix=wg: protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" protocol=udp src-address=10.0.0.0/24

/ip firewall mangle
add action=mark-connection chain=prerouting disabled=yes dst-address=192.168.88.1 dst-port=53 layer7-protocol=*2 new-connection-mark=local-dns-forward protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-address=192.168.88.1 dst-port=53 layer7-protocol=*4 log=yes new-connection-mark=local-dns-forward passthrough=yes protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN log-prefix=dns-cap protocol=udp src-address-list="!DNS Servers" to-addresses=192.168.88.226 to-ports=53
add action=dst-nat chain=dstnat dst-address-list="!DNS Servers" dst-port=53 in-interface-list=LAN log-prefix=DNS-Capture protocol=tcp src-address-list="!DNS Servers" to-addresses=192.168.88.226
add action=masquerade chain=srcnat dst-address=192.168.88.226 dst-port=53 log-prefix=DNS-Capture protocol=udp src-address=192.168.88.0/24 src-address-list="!DNS Servers"
add action=masquerade chain=srcnat dst-address=192.168.88.226 dst-port=53 log-prefix=DNS-Capture2 protocol=tcp src-address=192.168.88.0/24

Client configs are here, each client with unique keys.

[Interface]
Address = 10.0.0.x/24
ListenPort = 51820
PrivateKey = PK1
DNS = 192.168.88.1


[Peer]
PublicKey = PubKey1
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxx:51820

And the log shows:

[APP] Status update notification timeout for tunnel 'Home'. Tunnel status is now 'connected'.
[NET] peer(server_key) - Handshake did not complete after 5 seconds, retrying (try 2)
[NET] peer(server_key) - Sending handshake initiation
[NET] peer(server_key) - Handshake did not complete after 5 seconds, retrying (try 2)
[NET] peer(server_key) - Sending handshake initiation
[NET] peer(server_key) - Sending handshake initiation

anav · December 7, 2022, 1:00am

(1) Make sure you dont have empty/null settings… and I suspect your doing it to ‘hide’ stuff.
However using that syntax is confusing. The peer settings for allowed IPs on the MT dont need keep alive or endpoint etc…

FROM:
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=10.0.0.2/32 interface=wireguard1 persistent-keepalive=20s public-key=“”
add allowed-address=10.0.0.3/32 endpoint-address=“” interface=wireguard1 public-key=“”
add allowed-address=10.0.0.4/32 endpoint-address=“” interface=wireguard1 public-key=“”
add allowed-address=10.0.0.5/32 endpoint-address=“” interface=wireguard1 public-key=“”
TO:
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=10.0.0.2/32 interface=wireguard1 public-key=“whateverA”
add allowed-address=10.0.0.3/32 interface=wireguard1 public-key=“whateverB”
add allowed-address=10.0.0.4/32 interface=wireguard1 public-key=“whateverC”
add allowed-address=10.0.0.5/32 interface=wireguard1 public-key=“whateverD”

(2) Not showing the full config is not helpful ! For example only showing some of the firewall rules is not all that helpful …
I cannot comment on them as they are not there and they can impact your success.

as far as this rule…UDP is not required.
add action=accept chain=input comment=“allow WireGuard traffic” src-address=10.0.0.0/24

(3) Why are you mangling ??? Reason?

(4) Very strange set of dst-nat rules, what are you trying to accomplish there??

++++++++++++++++++++++++++++++++
So far dont see major issues but then again you dont have the complete config presented.

Sob · December 7, 2022, 1:25am

Yep, it’s endpoint-address=“”, see http://forum.mikrotik.com/t/wireguard-interface-with-multiple-peers/161969/11

Simba91 · December 7, 2022, 1:48pm

Hey Anav, thanks for responding. I tried to snip my config for brevity. Sorry it made it more confusing; I’m still learning about most of this and my configuration is far from clean so I tried to keep it to the relevant parts. The IP mangles and additional DNS stuff in my firewall rules are intended to be for a captive dns, I was following a tutorial earlier this year and it seemed to work. If it’s suboptimal, that’s good to know and I can revisit that. Here’s the full config, if you’re interested. https://pastebin.com/PM6YGCC5

Simba91 · December 7, 2022, 1:49pm

Superstar! This was exactly the issue. I had setup the config for my phone over SSH, but the others in the Web Config, causing the empty “endpoint address”. So subtle lol.

Thank you!

anav · December 7, 2022, 1:58pm

Yeah I would be leery of copying code not because its dangerous, but because if you dont understand it, then it may not be actually meeting the requirement, or at least in an optimal manner.
The requirement is what I was looking for. What are you trying to do with DNS??

Simba91 · December 7, 2022, 2:09pm

Valid point! I added the mangle for logging/debugging something at the time - though I don’t recall what. It’s just noise, and the rules were disabled - now deleted.

The DNS use case is for filtering. I want all DNS traffic not destined for my 2 internal DNS servers (Primary: 192.168.88.211, Secondary: 88.226) to be redirected to the primary, unless it’s the DNS servers themselves hitting quad-9, or if the traffic is on vlan 107.

anav · December 7, 2022, 3:08pm

Yeah that is one set of convoluted DNS requirements. Too much for me to chew on LOL.

Sob · December 7, 2022, 10:17pm

Why convoluted? It’s quite simple, I’m sure you saw it here many times. You know, all those “force users to use my Pi-hole” and such.

Simba91 · December 8, 2022, 6:40pm

All good, you’ve both been very helpful and I appreciate it.

This was the tutorial I used for the Captive DNS portal: https://erikthiart.com/blog/force-all-dns-traffic-to-go-through-pi-hole-using-mikrotik

It’s not all that convoluted, and I’m reading both of your responses in another thread to verify my firewall rules are appropriate.

anav · December 8, 2022, 7:12pm

All good.