All looks perfect and works without problem when my iPhone is on 5G. But as soon as it connects to WiFi, my VPN tunnel stops working. I have tried this at two different friends’ WiFi networks and have the same result. The iPhone connects to the tunnel, but nothing works: no internet, no access to my router, nothing. It is extremely difficult to troubleshoot as I have my phone with me and I can’t be in two places at the same time.
Does anyone have good ideas of what to test and what could be wrong?
Well, if it works on 5G then you know your router and phone are set up correctly.
Wondering if one has to do something different on the phone when connecting via WiFi, don’t think so?
I just made an interesting test. I created a hotspot on another iPhone connected to 5G. Then my iPhone connected to that hotspot on WiFi and still WireGuard was not working. It looks like it connects, I can see some data being sent over the tunnel (shows in the WireGuard status), but it does not seem to be working: I can’t access the internet, I can’t access my Mikrotik router. As soon as I disconnect from the hotspot, all starts working. Same issue with the other two WiFi networks.
Now, I’m wondering if it is an iPhone problem, or a WireGuard app problem, or is it still something to be configured in Mikrotik, even though that does not sound realistic. It should not make any difference for Mikrotik whether I connect from 5G or WiFi.
Edit: WireGuard logs state “handshake did not complete after 5 seconds”. That is very strange, especially in the case with another iPhone as hotspot. Also, when I tested with WiFi, one of them I can access and make sure that outgoing packets to the WireGuard VPN tunnel were passing through the router. So, it is really interesting now where the problem is.
So, I have made tests with an iPhone and a laptop running Debian Linux on 3 different WiFi networks. Behavior is all the same:
iPhone on 5G - works no problem
iPhone on WiFi - does not work, handshake did not complete in 5 seconds
laptop on WiFi - does not work, same issue
laptop on WiFi that is actually a hotspot connection to the iPhone while it’s on 5G - works no problem
As mentioned before, same behavior on 3 different WiFi networks.
Then I tried changing the MTU size as LdB suggested. I tried 576 (smallest allowed), then 1500, then some different sizes around 1000 - same issue, it just does not work on WiFi.
Honestly speaking, I do not know what more to check or where to search for the issue. My configuration is 100% the same as in the Mikrotik documentation of the Roadwarrior setup. Any ideas? I have started to lean towards switching to OpenVPN.
If you’re trying to use WG on your home wifi, you need to configure a hairpin NAT on your router. The 5G connection works because it’s hitting your router from the WAN.
The test should not be a laptop on the LAN going out over wifi to the same router,
The test should be like cellular, from a separate WAN source, like a friend’s house etc., to the router in his house.
The problem is that he can connect to his router via WG from his iPhone from any cellular connection but never when at a friend’s house on wifi or anywhere else on wifi.
Makes no sense to me…
What I tried now is that I connected the iPhone to the same WiFi that does not work for iPhone and laptop. Then I made a hotspot on the mobile phone and connected the laptop to this hotspot. And all is working! I know that the iPhone is sharing WiFi just because of the external IP address I can see on the WG server router. Packets are reaching and being accepted. If I connect directly to WiFi with my laptop (same external IP), then the WG server router shows “handshake did not complete in 5 sec”.
I have tried changing the MTU in the iPhone WG client config as well as on the WG server. Nothing seems to help.
Then I tried to check the WG git source and saw that at least the iPhone client had not been updated for the past 15 months. I’m not sure about WG clients for other platforms, but that in any case does not seem very promising.
Regards,
Edit: I have messed up a bit. My 5G and home router IP addresses are extremely similar, so I got confused a bit. When I was sharing internet via hotspot, it was having a 5G connection, so that is why all was working. What I stated above is still true: when I connect the laptop to WiFi, the WG server router gets faults “handshake did not complete in 5 sec”. So, back to square 1.
It is true that the app does not get updated often, but I’ve been using it for a few years now with no issue. The difference for me being that my WG server is a VM within my LAN, not on my router.
I have actually found the issue, and apparently it is my own fault. The problem is that the MT router running the WG server has a ‘white list’ of IP addresses that can connect to VPN services. My 5G IP address on the iPhone and the external IP address of the WiFi network differ only by the last digits and I was simply confused, thinking that the WiFi external address was also added to the ‘white list’. I could only see the problem when I set up the OpenVPN service on the MT router, which was also working only on 5G. Then I immediately realized that I needed to check the white list one more time and I was surprised how similar those IP addresses are.
So, my own fault. Thank you all for your ideas and support.
Wrong.
There is no whitelist created by the wireguard interface???
By creating a wireguard interface and a wireguard IP address, one sets up the possibility of a working wireguard structure.
You still need the input chain rule to allow the handshake of clients to reach the router.
You still need an input chain rule to allow yourself as admin coming in on wireguard to access the config (could be combined with other existing rules)
You still need a forward chain rule to allow incoming wireguard traffic to local subnets
Most importantly, the Allowed IPs setting on the MT router for each peer client is critical in
a. allowing that client to exit the tunnel and enter the router (by wireguard IP address, and if from another client router, subnets on that router)
All to say, I have no idea what this whitelist is that you are talking about??
Probably OP has an address list in his firewall configuration and access to the UDP port of WireGuard is only allowed for addresses in that list. And he forgot to extend the list with ranges outside of the mobile operator.
White list is just what I called it, white list. Normally it is an entry in an address list and only that address is allowed to reach the WG port from outside. Basically speaking, only allowed IP addresses can reach the WG port. All that is done via the firewall and has nothing to do with the WG setup.
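As an added illustration of the address-list ‘white list’ described in the two posts above, and of the input/forward rules listed a few posts earlier (this is not configuration from anyone in this thread): a MikroTik RouterOS firewall fragment that restricts the WireGuard UDP port to an address list, shows how a list holding only the mobile operator’s range reproduces the WiFi-only failure, and adds a logging drop rule so the rejected public source address appears in the router log. The port 13231, interface name wireguard1, interface list LAN, list name wg-allowed and all address ranges are placeholders.

```routeros
# Added example, not from this thread. Placeholders: 13231 = WireGuard listen-port,
# wireguard1 = WireGuard interface, LAN = interface list, wg-allowed = address list,
# address ranges = documentation ranges standing in for real public ranges.

# 1. Source addresses allowed to reach the WireGuard port.
#    With only the mobile operator's range here, a client on any WiFi network
#    (different public IP) never gets its handshake answered: the symptom above.
/ip firewall address-list
add list=wg-allowed address=203.0.113.0/24 comment="mobile operator range (placeholder)"
#    Fix: add the public range of each WiFi network the client will roam to.
add list=wg-allowed address=198.51.100.0/24 comment="friend's WiFi public range (placeholder)"

/ip firewall filter
# 2. Input chain: handshake packets from listed sources reach the router.
add chain=input action=accept protocol=udp dst-port=13231 src-address-list=wg-allowed \
    comment="WireGuard handshake from whitelisted sources"
#    Log-and-drop anything else aimed at the port: the log line carries the
#    public IP that should have been on the list (here the WiFi network's IP).
add chain=input action=drop protocol=udp dst-port=13231 log=yes log-prefix="wg-notlisted" \
    comment="WireGuard port from unlisted source"

# 3. Input chain: admin access to the router over the established tunnel.
add chain=input action=accept in-interface=wireguard1 comment="admin access from tunnel"

# 4. Forward chain: tunnel clients to the local subnets behind the router.
add chain=forward action=accept in-interface=wireguard1 out-interface-list=LAN \
    comment="WireGuard clients to local subnets"
```

The accept rules must sit above any generic input/forward drop rule in the chain; after a failed attempt from WiFi, `/log print where message~"wg-notlisted"` shows the source address that still needs adding to the list.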
@CGGXANNX yes, that is exactly what has happened to me
A whitelist to allow external WANIPs to connect to your wireguard port is not required. That is the purpose of the VPN connection. Only those with proper encrypted credentials will be able to connect and thus there is no need for a whitelist.
Well, yes and no. When you have an address list with allowed IPs, then you will not reveal open ports to random IP addresses. That is mainly why I do it. If you get scanned for common open VPN ports, it will not respond in case you have white list addresses. The rest, yes, nobody will be able to connect without the required credentials.