maxhgm
December 22, 2022, 6:12pm
1
I’m migrating from OVPN to WireGuard. The “clients” are all Windows 10.
The WireGuard connection works fine (file transfer, access to servers in the LAN and so on). The LAN range is 192.168.10.0/24 and the VPN range is 10.8.1.0/24. All routing works as expected.
But in the client log (Windows 10) I get a lot of “packet has invalid nonce X (max X+1)” where X = 47, 56, 66, 74. I assume this is not expected, but I could not find much about it.
anav
December 22, 2022, 9:49pm
2
MTU mismatch perhaps…??
Not sure what the Windows 10 MTU is, but the MT defaults to 1420, so I would try to keep them the same at both ends of the tunnel.
If there is no known Windows setting to change, try changing the MT to 1500, for example.
maxhgm
December 23, 2022, 1:00pm
3
I tried MTU from 1280 to 1500 in the client, but the problem remains.
But I noticed that the log occurs about every 8~10 seconds with small or large packet traffic. In other words, I get a nonce at 10-packet or 1,000-packet intervals.
I will keep testing, and if I find something new I will post it for documentation.
anav
December 23, 2022, 2:37pm
4
Did you ensure you changed both ends of the tunnel, at Windows and at the MT, so they matched for each change?
Googling for the error turned up a result about this being an indication that something is trying to access that PC/device with invalid crypto info.
Are you sure the port you use for WG is not being used by something else internally?
Or is something externally scanning that port?
Are those client PCs connected to an “open” network by any chance?
maxhgm
December 23, 2022, 4:22pm
6
anav, yes, I tried the same and different MTUs in each peer; it did not affect the symptom.
holvoetn, I found this too, but
1 - if no data is transferring in the tunnel (a file transfer or some service consuming - allowedips = lan-range/24 and vpn-range/24) there is no nonce, so it looks like a tunnel problem between the peers during transmissions
2 - I tried isolating the allowedips in both peers to just RB/32 and Client/32 communication, simulated some traffic, and also got the nonce
Can you try a port scanner tool, target it at that PC with the port being used for WireGuard, and then check the logs for that timestamp?
maxhgm
December 23, 2022, 6:31pm
8
I will scan the traffic and post if I find anything, but I have limited access to the client side right now. Thanks in advance.
R1CH
December 23, 2022, 6:48pm
9
This indicates you are getting duplicated / replayed packets somewhere.
anav
December 23, 2022, 7:11pm
10
Post complete config on MT device.
/export file=anynameyouwish ( minus router serial # and any public WANIP info )
maxhgm
December 28, 2022, 12:08pm
11
It’s a two-WAN setup (eth1 and eth2), but I’m using only eth1 (default route).
# dec/28/2022 08:51:05 by RouterOS 7.6
# software id =
# model = RB750Gr3
# serial number =
/interface ethernet
set [ find default-name=ether1 ] name=ether1-claro
set [ find default-name=ether2 ] name=ether2-zetanet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] arp=proxy-arp name=ether5-lan
/interface ovpn-server
add name=ovpn-in1 user=""
/interface wireguard
add listen-port=14232 mtu=1420 name=wireguard1
/interface list
add name=wan
add name=lan
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vpn-pool ranges=192.168.10.61-192.168.10.69
/port
set 0 name=serial0
/ppp profile
add local-address=192.168.10.2 name=vpn-profile remote-address=vpn-pool
/queue simple
add dst=ether1-claro max-limit=600M/600M name=eth1 queue=default/default target=""
add limit-at=30M/30M max-limit=100M/100M name=eth1-voip packet-marks=voip-packet parent=eth1 priority=1/1 queue=default/default target=""
add max-limit=300M/300M name=eth1-general parent=eth1 queue=pcq-upload-default/pcq-download-default target=""
add dst=ether2-zetanet max-limit=100M/100M name=eth2 queue=default/default target=""
add limit-at=30M/30M max-limit=50M/50M name=eth2-voip packet-marks=voip-packet parent=eth2 priority=1/1 queue=default/default target=""
add max-limit=80M/80M name=eth2-geral parent=eth2 queue=pcq-upload-default/pcq-download-default target=""
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=voip
add fib name=to-eth1
add fib name=to-eth2
add fib name=tv
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1-claro list=wan
add interface=ether2-zetanet list=wan
add interface=ether5-lan list=lan
add interface=wireguard1 list=lan
/interface ovpn-server server
set auth=sha256 certificate=server cipher=aes256 enabled=yes port=14231 protocol=udp require-client-certificate=yes
/interface wireguard peers
add allowed-address=10.8.1.100/32 comment=max interface=wireguard1 public-key="…"
/ip address
add address=192.168.10.2/24 interface=ether5-lan network=192.168.10.0
add address=10.1.1.92/24 interface=ether1-claro network=10.1.1.0
add address=10.1.2.2/24 interface=ether2-zetanet network=10.1.2.0
add address=10.8.1.1/24 interface=wireguard1 network=10.8.1.0
/ip dns
set allow-remote-requests=yes servers=192.168.10.1,8.8.8.8,8.8.4.4
/ip firewall address-list
add address=…com.br list=voip
/ip firewall filter
add action=accept chain=input comment="aceita conexoes estabelecidas e relacionadas" connection-state=established,related
add action=drop chain=input comment="descarta conexoes invalidas" connection-state=invalid
add action=accept chain=input comment="aceita openvpn" dst-port=14231 protocol=udp
add action=accept chain=input comment="aceita wireguard vpn" dst-port=14232 protocol=udp
add action=add-src-to-address-list address-list=port-scan address-list-timeout=1w chain=input comment="deteccao de port scan" in-interface-list=wan log=yes log-prefix=port-scan protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="descarte geral dos links" in-interface-list=wan
add action=drop chain=forward comment="descarta conexoes invalidas" connection-state=invalid
add action=drop chain=forward comment="descarta conexoes vindas da internet que nao tenham base no nat" connection-nat-state=!dstnat connection-state=new in-interface-list=wan
/ip firewall mangle
add action=mark-connection chain=prerouting comment="voip connection-mark" connection-state=new dst-address-list=voip new-connection-mark=voip-connection passthrough=yes
add action=mark-routing chain=prerouting comment="voip routing-mark" connection-mark=voip-connection in-interface-list=lan new-routing-mark=voip passthrough=yes
add action=mark-packet chain=forward comment="voip packet-mark (qos)" connection-mark=voip-connection new-packet-mark=voip-packet passthrough=no
add action=mark-routing chain=prerouting comment="teamviewer tcp routing-mark" dst-port=5938 new-routing-mark=tv passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment="teamviewer udp routing-mark" dst-port=5938 new-routing-mark=tv passthrough=no protocol=udp
add action=mark-routing chain=prerouting comment="forca conexoes TS externas na eth2 onde temos IP fixo" dst-port=3389 in-interface=ether5-lan new-routing-mark=to-eth2 packet-mark=no-mark passthrough=no protocol=tcp tcp-flags=""
add action=mark-connection chain=input comment="marca conexoes entrando pela porta 1" connection-state=new in-interface=ether1-claro new-connection-mark=eth1-conn passthrough=yes
add action=mark-routing chain=output comment="marca pacotes saindo que entraram pela porta 1" connection-mark=eth1-conn new-routing-mark=to-eth1 passthrough=no
add action=mark-connection chain=input comment="marca conexoes entrando pela porta 2" connection-state=new in-interface=ether2-zetanet new-connection-mark=eth2-conn passthrough=yes
add action=mark-routing chain=output comment="marca pacotes saindo que entraram pela porta 2" connection-mark=eth2-conn new-routing-mark=to-eth2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan
/ip firewall raw
add action=drop chain=prerouting comment="bloqueio de port scan detectado" src-address-list=port-scan
/ip firewall service-port
set irc disabled=no
set sip disabled=yes
set rtsp disabled=no
/ip route
add comment="rota geral (ether1-netwatch)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="rota geral (ether2-netwatch)" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.1.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="rota principal para voip (ether2-netwatch)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.2.1 pref-src=0.0.0.0 routing-table=voip scope=30 suppress-hw-offload=no target-scope=10
add comment="garante rota de saida no mesmo link de entrada" disabled=no dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=to-eth1
add comment="garante rota de saida no mesmo link de entrada" disabled=no dst-address=0.0.0.0/0 gateway=10.1.2.1 routing-table=to-eth2
add comment="rota principal para TeamViewer (ether2-netwatch)" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.2.1 pref-src=0.0.0.0 routing-table=tv scope=30 suppress-hw-offload=no target-scope=10
add comment="rota fixa para teste de eth2 com netwatch" disabled=no distance=1 dst-address=192.203.230.10/32 gateway=10.1.2.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="rota fixa para teste de eth1 com netwatch" disabled=no distance=1 dst-address=192.5.5.241/32 gateway=10.1.1.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="rota alternativa para TeamViewer (ether1-netwatch)" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.1.1.1 pref-src=0.0.0.0 routing-table=tv scope=30 suppress-hw-offload=no target-scope=10
add comment="rota alternativa para voip (ether1-netwatch)" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.1.1.1 pref-src=0.0.0.0 routing-table=voip scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
/ppp secret
add name=max profile=vpn-profile service=ovpn
add name=ivo profile=vpn-profile service=ovpn
add name=cassiano profile=vpn-profile service=ovpn
add name=anelise profile=vpn-profile service=ovpn
add name=paulo profile=vpn-profile service=ovpn
add name=lorenzo profile=vpn-profile service=ovpn
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=lan-router
/system package update
set channel=testing
/tool e-mail
set address=… from="…" port=587 user=…
/tool netwatch
add comment="monitora o link ether1-claro" disabled=no down-script="/ip route disable [find comment~\"ether1-netwatch\"]\r\n/log error \"Link Claro Down\"\r\n/delay 2000ms\r\n/tool e-mail send to=\"…\" subject=\"Link Claro Down\"" host=192.5.5.241 http-codes="" interval=30s test-script="" type=simple up-script="/ip route enable [find comment~\"ether1-netwatch\"]\r\n/tool e-mail send to=\"…\" subject=\"Link Claro Up\""
add comment="monitora o link ether2-zetanet" disabled=no down-script="/ip route disable [find comment~\"ether2-netwatch\"]\r\n/log error \"Link Zetanet Down\"\r\n/delay 2000ms\r\n/tool e-mail send to=\"…\" subject=\"Link Zetanet Down\"" host=192.203.230.10 http-codes="" interval=30s test-script="" type=simple up-script="/ip route enable [find comment~\"ether2-netwatch\"]\r\n/tool e-mail send to=\"…\" subject=\"Link Zetanet Up\""
/tool sniffer
set filter-port=14232
maxhgm
December 29, 2022, 12:15pm
12
I believe so.
I checked the client side with a sniffer at the LAN interface and found that the same packet is sent twice (same content, same WG counter) with an interval of ~0.0002s, and that’s the cause of the log message. The timing indicates the packet is sent twice at its origin and not replayed, or the delta would be longer.
These duplicated packets are valid and part of the communication (I checked the content with another sniffer at the WG interface), not a third-party packet.
Also tested with three Windows machines, all with the exact same problem.
I will keep using OVPN for now until I figure out if it’s a problem in my router config or what.
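To tie R1CH's point (duplicated or replayed packets) to what the sniffer showed (the same WG counter leaving the client twice), here is an added example, not code from the thread: a model of WireGuard's receive-side anti-replay counter after the Linux kernel's counter_validate() (the Windows driver follows the same logic). The stored value is the highest accepted nonce plus one, which is why a packet emitted twice is logged as "invalid nonce X (max X+1)"; the triage() helper, the sample capture and the 1 ms origin threshold are my own constructions.

```python
# Added example, not code from the thread: WireGuard's receive anti-replay check
# modelled on the Linux kernel's counter_validate() (the Windows driver follows
# the same logic), plus the duplicate-vs-replay triage maxhgm did with a sniffer.
COUNTER_BITS_TOTAL = 8192                      # anti-replay window, in bits
COUNTER_WINDOW_SIZE = COUNTER_BITS_TOTAL - 64
REJECT_AFTER_MESSAGES = 2**64 - COUNTER_WINDOW_SIZE - 1
WINDOW_MASK = (1 << COUNTER_BITS_TOTAL) - 1

class ReplayCounter:
    """Receive counter for one keypair. `counter` stores highest accepted
    nonce + 1, which is the number the driver prints as "(max N)"."""
    def __init__(self):
        self.counter = 0
        self.seen = 0   # bit i set <=> nonce (counter - 1 - i) was accepted

    def validate(self, nonce):
        """Return (accepted, max) for one incoming data packet."""
        if nonce >= REJECT_AFTER_MESSAGES:
            return False, self.counter
        their = nonce + 1
        if their + COUNTER_WINDOW_SIZE < self.counter:
            return False, self.counter          # older than the window
        if their > self.counter:                # newest so far: slide window
            shift = their - self.counter
            self.seen = 0 if shift >= COUNTER_BITS_TOTAL else (self.seen << shift) & WINDOW_MASK
            self.counter = their
        idx = self.counter - their              # 0 for the newest nonce
        if (self.seen >> idx) & 1:
            return False, self.counter          # already accepted: duplicate
        self.seen |= 1 << idx
        return True, self.counter

def triage(packets, origin_threshold=0.001):
    """packets: [(time_s, nonce)] in arrival order, as read off a sniffer. Returns a
    log-style line per rejected packet plus a label: sub-ms gap = sent twice at origin."""
    rc, first_seen, out = ReplayCounter(), {}, []
    for t, nonce in packets:
        ok, mx = rc.validate(nonce)
        if ok:
            first_seen[nonce] = t
            continue
        delta = round(t - first_seen.get(nonce, t), 4)
        kind = "duplicated at origin" if delta < origin_threshold else "late replay"
        out.append((f"packet has invalid nonce {nonce} (max {mx})", kind, delta))
    return out

# Constructed capture: nonce 47 twice 0.2 ms apart (as in the thread), then 56 replayed 1.5 s later.
SAMPLE = [(0.0000, 46), (0.0010, 47), (0.0012, 47), (0.0030, 48),
          (0.0500, 56), (0.0520, 57), (1.5520, 56)]
```

Running triage(SAMPLE) yields one "duplicated at origin" entry for nonce 47 (max 48) and one "late replay" entry for nonce 56 (max 58); a real capture would be read off the sniffer into the same (time, nonce) shape.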
maxhgm
December 22, 2023, 1:15pm
13
After updating to version 7.12, the issue with the packets was resolved, so anyone encountering this problem can try a simple update.