WireGuard, OpenVPN client not working

I have a Mikrotik router RB5009UPr+S+ running RouterOS 7.15 and a Ubiquiti cloud router on a different site.
Trying to create a WireGuard VPN tunnel from the Mikrotik to the Ubiquiti. I have enabled the WireGuard server on the Ubiquiti and added two clients, one for my Android phone and one for the Mikrotik.

Here is the configuration from the Ubiquiti:
[Interface]
PrivateKey = privkey
Address = 192.168.9.2/32
DNS = 192.168.9.1

[Peer]
PublicKey = pubkey
AllowedIPs = 192.168.9.1/32,192.168.9.2/32,0.0.0.0/0
Endpoint = my.ddns.net:51821

I added the interface by importing the [Interface] part of the config, and the privkey is set for the WireGuard interface on the Mikrotik. I manually created a peer using the public key from the config, endpoint and allowed IPs.

Here are the configs from the Mikrotik:
[admin@xRouterTik] > /interface wireguard print detail
Flags: X - disabled; R - running
0 R name="SnickerboaWG" mtu=1420 listen-port=51821 private-key="privkey_from_config" public-key="generated_public_key"

[admin@xRouterTik] > /interface wireguard peers print detail
Flags: X - disabled; D - dynamic
0 interface=SnickerboaWG name="SnickerboaClient" public-key="public_key_from_config" private-key="" endpoint-address=my.ddns.net endpoint-port=51821 current-endpoint-address=x.y.z.a current-endpoint-port=51821
allowed-address=192.168.9.1/32,192.168.9.2/32,192.168.10.0/24,192.168.12.0/24,10.6.50.0/24 preshared-key="" client-endpoint="" rx=0 tx=0

I have also opened UDP ports 51820 and 51821 (I have tested with different ports..) into the Mikrotik. I have tried to add an address to the WireGuard interface like 192.168.9.2/32 but nothing works.
First I got something about the peer handshake failing, and there was TX traffic and no RX.
Now there is nothing in the logs, only "TX/RX Errors" increasing in the WireGuard interface's Traffic stats.

I have tried for days, reading documentation, watching youtube guides, the Android WireGuard client IS WORKING so the Ubiquiti WireGuard server is working!

Why is it so impossible or difficult to add a WireGuard client on the Mikrotik router??

I have also tried to set up an OpenVPN client on the Mikrotik but the Mikrotik doesn't support comp-lzo or reneg-sec.
I get this in the log when I try to import the ovpn config from the Ubiquiti on the Mikrotik:
unsupported configuration parameter 'comp-lzo'
unsupported configuration parameter 'reneg-sec'

Could someone please help; should it not be possible to add a VPN client on Mikrotik?
Should I invest in something like a Netgate / pfSense instead?

I have plenty of WG tunnels between MT gear and other stuff (Linux, Windows, Android, …).
It works.
It is not impossible nor difficult if you use the correct settings.

Having only TX and no RX is normal.
Wireguard always tries to send. Only when you see something coming back, then you know it works.

Since you do not show any key-pair…
First thing to check when setting up wireguard on Mikrotik:
make SURE your public keys are set correctly on BOTH ends.

On the Tik you should use the public key from the Ubiquiti peer.
On the Ubiquiti you should use the public key from the Mikrotik peer.

Also, if your Ubiquiti is acting as "server", you should set Persistent Keepalive (typically 25s) in the MT peer settings.
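As an added illustration of the key check above (this code is not from the thread or from either vendor): a WireGuard public key is X25519(private key, basepoint 9), so from the PrivateKey in the [Interface] section you can compute the public key the far end must have configured for this peer and compare it, before touching anything else. The code below is a pure-Python X25519 per RFC 7748 so it needs no third-party package; the function names are mine, and the throwaway key in the demo is generated on the fly, not a key from the thread.

```python
"""Added example: check that a WireGuard peer's public key really belongs to the
private key configured on the other end (pure-Python X25519, RFC 7748)."""
import base64
import hmac

_P = 2**255 - 19          # Curve25519 field prime
_A24 = 121665             # (A - 2) / 4 with A = 486662
_MASK255 = (1 << 255) - 1


def _clamp(private: bytes) -> int:
    """X25519 scalar clamping (RFC 7748 section 5), decoded little-endian."""
    k = bytearray(private)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _ladder(k: int, u: int) -> int:
    """Montgomery ladder: u-coordinate of k * (u, v) on Curve25519 (RFC 7748 section 5)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = pow((da + cb) % _P, 2, _P)
        z3 = x1 * pow((da - cb) % _P, 2, _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, _P - 2, _P) % _P   # x2 / z2 via Fermat inverse


def x25519(private: bytes, point: bytes) -> bytes:
    """Raw X25519(k, u) on 32-byte inputs."""
    if len(private) != 32 or len(point) != 32:
        raise ValueError("X25519 keys and points are exactly 32 bytes")
    u = int.from_bytes(point, "little") & _MASK255   # drop the unused top bit
    return _ladder(_clamp(private), u).to_bytes(32, "little")


def x25519_public(private: bytes) -> bytes:
    """Public key = X25519(private, 9); the same value `wg pubkey` prints."""
    return x25519(private, (9).to_bytes(32, "little"))


def b64(data: bytes) -> str:
    """WireGuard configs carry keys as standard base64."""
    return base64.b64encode(data).decode("ascii")


def wg_public_key(private_b64: str) -> str:
    """Base64 public key for a base64 PrivateKey taken from an [Interface] section."""
    return b64(x25519_public(base64.b64decode(private_b64)))


def keys_match(private_b64: str, public_b64: str) -> bool:
    """True when the public key configured on the far end was derived from this private key.
    A mismatch here is the classic reason a handshake never completes (TX only, RX stays 0)."""
    expected = x25519_public(base64.b64decode(private_b64))
    return hmac.compare_digest(expected, base64.b64decode(public_b64))


if __name__ == "__main__":
    import os
    priv = os.urandom(32)                      # constructed throwaway key, not from the thread
    print("PrivateKey =", b64(priv))
    print("PublicKey  =", wg_public_key(b64(priv)))
    print("matches:", keys_match(b64(priv), wg_public_key(b64(priv))))
```

To use it on a real tunnel, paste the PrivateKey from the client config into `wg_public_key` and compare the result with the public key the server shows for that peer; and do the same in the other direction with the server's private key and the peer entry on the Mikrotik.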

Based on your presentation please add firewall filter to allow UDP 51821 to a “suitable location” before the input drop line. I hope this might help you to resolve the problems.

So the Ubiquiti is the server peer for the handshake,
so why this bizarre setup?
Here is the configuration from the Ubiquiti
[Interface]
PrivateKey = privkey
Address = 192.168.9.2/32
DNS = 192.168.9.1

It should be
[Interface]
PrivateKey = privkey
Address = 192.168.9.1/32
DNS = 192.168.9.1
OR
[Interface]
PrivateKey = privkey
Address = 192.168.9.2/32
DNS = 192.168.9.2


Now in terms of the peer settings that are associated with the MT router, it makes no sense.
Why do you put an endpoint in the Ubiquiti settings? It's the server; the MT sends a handshake to the Ubiquiti, not the other way round.

Further the allowed IPs make no sense.
From a technical point of view, 0.0.0.0/0 means ALL addresses, so the fact that you also have other IPs on the line is comical.
From a wireguard process, putting 0.0.0.0/0 on a client peer in the Server Peer Device means that no other client peers will ever work as the 0.0.0.0 will catch all traffic originating from the Server peer device heading into the tunnel AND any response traffic from clients coming back into the tunnel trying to get back to the client peer.

IF you absolutely need 0.0.0.0/0 (it would seem you are saying you want users on the MT to go out the Ubiquiti WAN), then you should create a SECOND WireGuard interface between the two JUST for that purpose and keep the current WireGuard for the following:
a. LAN users on MT to reach LAN on Ubiquiti (or just admin)
b. LAN users on Ubiquiti to reach LAN on MT (or just admin)
c. for admin to configure both routers while local at either router
d. for admin to configure both routers (while at a cafe etc., directly to Ubiquiti, or via relay on Ubiquiti to MT router)

PublicKey = pubkey
AllowedIPs = 192.168.9.1/32,192.168.9.2/32,0.0.0.0/0
Endpoint = my.ddns.net:51821

The Ubiquiti needs to have the listen port open on its "input chain".
The Ubiquiti needs forward chain firewall rules to allow certain traffic; not my problem, suffice to say.
current wireguard (incoming wireguard to LAN, incoming wireguard to Ubiquiti {like input chain} → (only the local admin IP on MT and any wireguard IPs for remote devices)
current wireguard allows incoming wireguard for admin IPs (local LAN and remote devices) and outgoing back into wireguard to be able to reach MT
internet wireguard new (incoming from MT, out the WAN OF Ubiquiti, {like forward chain rule}

Please post full config on MT device
/export file=anynameyouwish (minus router serial number, any public WANIP information, vpn keys etc.)

Thanks for the replies, I have learned a lot and now I finally got it working!
I'm no expert in networking, I'm a developer but I have some experience in networking and I run a small homelab with some VLANs and stuff..

The config file I had was correct (the one in the first post in this thread), it was exported from the Ubiquiti WireGuard server when I added a client there.
As I understand it the Ubiquiti WireGuard server got the ip 192.168.9.1 and each client got a different assigned IP to use, for this client it was 192.168.9.2

When I added the WireGuard interface on the Mikrotik I needed to use the Private key from the config under the [Interface] section, the public key was generated from the private key when I created the interface. The config could be imported but as I found out, I should not include the [Peer] section to import the config, only the [Interface] section, this was not so clear when I first tried..
There is an import function in the GUI or we can use the CLI..

The port in the WireGuard interface was added in the firewall to allow UDP on that port from WAN, I used port 51821

I then needed to add an address / network for the WireGuard interface I created and set the IP I received in the config, in my case 192.168.9.2.

Then I created the WireGuard Peer.
Here I needed to use the public key given in the config under the [Peer] section, and the private key under the WireGuard peer was not set. I think I got a bit confused about this in the beginning and selected the "auto" option; I believe that overwrites the public key I provided..
The easiest to create the peer was to use the CLI imho

The public-key, allowed-address, endpoint-address, endpoint-port is from the config-file [Peer] section

/interface wireguard peers add interface=SnickerboaWG public-key="<peer_public_key_from_config>" allowed-address=192.168.9.0/23,192.168.10.0/24,192.168.12.0/24,10.6.50.0/24 endpoint-address=the.remote.address.or.fqdn endpoint-port=51821

Then I added the firewall to allow incoming traffic from the WireGuard interface, I used “established, related”

Then I could see in the stats that traffic was sent and received, TX, RX. I could also ping from the Mikrotik router from the WireGuard interface to for example IP 192.168.9.1 in my case.

In my case I wanted to allow traffic from a VLAN I have so I added a forward rule to allow traffic from my VLAN 10.6.4.0/22 to the remote addresses (I added a firewall address list with the addresses).

I also needed to add routing for it to work, I was not able to add this in the GUI so I used the CLI (SnickerboaWG is the WireGuard interface)

/ip route add dst-address=192.168.9.0/24 gateway=SnickerboaWG
/ip route add dst-address=10.6.50.0/24 gateway=SnickerboaWG
/ip route add dst-address=192.168.12.0/24 gateway=SnickerboaWG
/ip route add dst-address=192.168.10.0/24 gateway=SnickerboaWG

In my case there was also an issue with some mangle rules I had but it finally was resolved.. :)

It would have been nice to have an import function for the complete config, both the WireGuard [Interface], [Peer] and the Address from the config..

Anyway, that's the basic steps I used, there are probably better ways to do it..
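Since the thread ends with the wish for an import of the complete config, here is an added example (my code, not from the thread, MikroTik or Ubiquiti) that does the manual steps from the last post mechanically: it parses a wg-quick style client config, keeps the [Interface] part for the interface, turns the [Peer] part into the peer entry, adds the address, the UDP input rule and one route per allowed network, and flags the AllowedIPs problem raised earlier (0.0.0.0/0 making the other entries redundant). The sample config, the interface name SnickerboaWG and the placeholder keys are constructed; the RouterOS command syntax is the v7 syntax used in this thread.

```python
"""Added example: generate RouterOS v7 WireGuard client commands from a wg-quick
style config and sanity-check the AllowedIPs list. Names and keys are placeholders."""
import ipaddress
import re

# Constructed sample in the same shape as the config quoted in the first post.
SAMPLE_CONFIG = """\
[Interface]
PrivateKey = <privkey_from_config>
Address = 192.168.9.2/32
DNS = 192.168.9.1

[Peer]
PublicKey = <pubkey_from_config>
AllowedIPs = 192.168.9.1/32, 192.168.9.2/32, 0.0.0.0/0
Endpoint = my.ddns.net:51821
"""


def parse_wg_config(text: str) -> dict:
    """Parse the INI-style config into {section: [ {key: value}, ... ]}.
    [Peer] may repeat, so every section is a list of dicts."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, []).append({})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (p.strip() for p in line.split("=", 1))  # base64 keys end in '='
        sections[current][-1][key] = value
    return sections


def check_allowed_ips(allowed: str) -> tuple:
    """Return the parsed networks plus warnings for over-broad or redundant entries."""
    nets = [ipaddress.ip_network(a.strip(), strict=False) for a in allowed.split(",")]
    warnings = []
    for n in nets:
        if n.prefixlen == 0:
            warnings.append(f"{n} matches every address: the other entries are redundant, "
                            "and as a peer entry on the server it would swallow traffic meant "
                            "for every other peer")
        elif any(n != o and n.subnet_of(o) for o in nets if o.version == n.version):
            warnings.append(f"{n} is already covered by a wider entry")
    return nets, warnings


def routeros_commands(cfg: dict, iface: str = "SnickerboaWG", keepalive: str = "25s") -> tuple:
    """Emit the commands matching the steps in the last post. Returns (commands, warnings)."""
    interface, peer = cfg["Interface"][0], cfg["Peer"][0]
    host, port = peer["Endpoint"].rsplit(":", 1)
    listen_port = int(port)                           # same port locally, as in the thread
    own_net = ipaddress.ip_interface(interface["Address"]).network
    nets, warnings = check_allowed_ips(peer["AllowedIPs"])
    allowed = ",".join(str(n) for n in nets)
    cmds = [
        f'/interface wireguard add name={iface} listen-port={listen_port} '
        f'private-key="{interface["PrivateKey"]}"',
        f'/ip address add address={interface["Address"]} interface={iface}',
        f'/interface wireguard peers add interface={iface} public-key="{peer["PublicKey"]}" '
        f'endpoint-address={host} endpoint-port={port} allowed-address={allowed} '
        f'persistent-keepalive={keepalive}',
        # both filter rules must be moved above the generic drop rules afterwards
        f'/ip firewall filter add chain=input protocol=udp dst-port={listen_port} '
        f'action=accept comment="{iface} handshake"',
        f'/ip firewall filter add chain=input in-interface={iface} '
        f'connection-state=established,related action=accept comment="{iface} replies"',
    ]
    for n in nets:
        if n.prefixlen == 0 or n == own_net:          # no blind default route, no self route
            continue
        cmds.append(f"/ip route add dst-address={n} gateway={iface}")
    return cmds, warnings


if __name__ == "__main__":
    commands, notes = routeros_commands(parse_wg_config(SAMPLE_CONFIG))
    print("\n".join(commands))
    for note in notes:
        print("WARNING:", note)
```

Run it against the exported client config and paste the printed lines into the RouterOS terminal, then move the two filter rules above the input drop rule; the warnings are the place to decide whether 0.0.0.0/0 belongs in the list at all or, as suggested above, in a second tunnel of its own.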