Hey guys,
I have a problem with my WireGuard clients if they try to connect to my v4 VRRP WAN IP address. The tunnels will not come up. If I enter the real IP of a datacenter router, the tunnel immediately comes up.
I checked everything I know, I even captured packets between interfaces (a redacted trace is attached). I can see the incoming request and RouterOS sends something back with its real IP.
OK, I thought this might be my problem, so I added a NAT rule so outgoing packets have the VRRP IP they connect to. But this does not solve my problem.
Interestingly, not all WireGuard devices have this issue; it is mainly LTE sites and other CG-NAT-plagued locations.
Another annoying problem is with sites with native public v4 addresses: they stick to a router even if I switch VRRP back to the other router. They don't disconnect and connect to the VRRP master, even if I disable the whole WireGuard interface.
My site endpoints are RouterOS devices, OPNsense firewalls, and Android and iOS smartphones.
My network is fairly simple: I have two routers at a datacenter with three WAN v4 addresses, one assigned to each router and the third assigned to VRRP.
The sites are homes, some with native v4, some with CG-NAT and some LTE with CG-NAT too. We use BGP to propagate local subnets between the datacenter and the other sites.
It is a hobbyist network hosted for fun and educational purposes, nothing productive or company-driven.
Btw on v6 everything is working as expected.
Is there an easy workaround of some kind to get failover between both routers at the datacenter site?
Here is a small map of this network with two site examples and config snippets of one tunnel on my datacenter router.

wireguard config
/interface wireguard
add listen-port=54771 mtu=1420 name=wg-CSHomeBGPLocal
/interface wireguard peers
add allowed-address=::/0,0.0.0.0/0 comment=CSHomeBGP interface=wg-CSHomeBGPLocal public-key="xyz="
/ip address
add address=10.0.1.0 interface=wg-CSHomeBGPLocal network=10.0.1.1
interface config
/interface vrrp
add interface=ether1-WAN name=vrrp-ether1-WAN-v4 vrid=10
add interface=ether1-WAN name=vrrp-ether1-WAN-v6 v3-protocol=ipv6 vrid=20
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Uplink" disable-running-check=no name=ether1-WAN
/ip address
add address=192.0.0.2/29 interface=ether1-WAN network=192.0.0.0
add address=192.0.0.3 interface=vrrp-ether1-WAN-v4 network=192.0.0.0
nat/firewall config
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.0.6
/interface list member
add interface=ether1-WAN list=Public
add interface=vrrp-ether1-WAN-v4 list=Public
add interface=vrrp-ether1-WAN-v6 list=Public
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=accept chain=input comment="Allgemein - Verbindungen erlauben" connection-state=established,related,untracked
add action=accept chain=forward comment="Allgemein - Verbindungen erlauben" connection-state=established,related,untracked
add action=accept chain=input comment="Wireguard Inbound" dst-port=54768-54780 in-interface-list=Public protocol=udp
/ip firewall nat
add action=src-nat chain=srcnat comment="NAT auf CARP IP" out-interface-list=Public to-addresses=192.0.0.3
I think further configuration snippets are not needed, because the tunnel itself is not coming up.
The error messages on both sites are:
wireguard-Datacenter-Firewall: xyz=: Handshake for peer did not complete after 5 seconds, retrying (try 2)
Example config snippet of a RouterOS Site:
/interface wireguard
add listen-port=54771 mtu=1420 name=wireguard-Datacenter-Firewall
/interface wireguard peers
add allowed-address=::/0,0.0.0.0/0 endpoint-address=192.0.0.3 endpoint-port=54771 interface=wireguard-Datacenter-Firewall persistent-keepalive=25s public-key="xyz="
/ip address
add address=10.0.1.1 interface=wireguard-Datacenter-Firewall network=10.0.1.0
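To make the symptom from the post concrete, here is an added illustration (my own example code, not the poster's configuration or anything from RouterOS). It uses the two datacenter addresses from the post (192.0.0.2 as the router's own WAN IP, 192.0.0.3 as the VRRP IP) and the WireGuard port 54771; the CG-NAT client addresses and the trace are constructed. The CG-NAT is modelled with address-and-port-dependent filtering (an assumption about the LTE sites; this is a common CG-NAT behaviour, not something the post confirms): the NAT only lets an inbound UDP packet through if it arrives from exactly the (IP, port) the inside host last sent to. The second function is the check you can run over a WAN-side capture: pair each inbound handshake packet with the router's reply and flag replies whose source address is not the address the client asked for.

```python
from dataclasses import dataclass

# Addresses and port taken from the post; everything else below is constructed.
VRRP_IP = "192.0.0.3"
ROUTER_REAL_IP = "192.0.0.2"
ROUTER_ADDRS = {VRRP_IP, ROUTER_REAL_IP}
WG_PORT = 54771


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class CgNat:
    """Toy CG-NAT with address-and-port-dependent filtering.
    Assumption: this is how the LTE/CG-NAT sites in the post behave. An inbound
    packet is forwarded only if it comes from exactly the (ip, port) that the
    inside host previously sent to through the same mapping."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside_ip, inside_port) -> [outside_port, set of allowed remote (ip, port)]
        self.mappings = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.mappings:
            self.mappings[key] = [self.next_port, set()]
            self.next_port += 1
        outside_port, allowed = self.mappings[key]
        allowed.add((pkt.dst, pkt.dport))  # remember who the client talked to
        return Packet(self.public_ip, outside_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Translate an inbound packet, or return None if the NAT drops it."""
        for (inside_ip, inside_port), (outside_port, allowed) in self.mappings.items():
            if (pkt.dst == self.public_ip and pkt.dport == outside_port
                    and (pkt.src, pkt.sport) in allowed):
                return Packet(pkt.src, pkt.sport, inside_ip, inside_port)
        return None


def handshake_reply_delivered(client_ip: str, reply_src: str) -> bool:
    """A client behind CG-NAT sends a handshake initiation to the VRRP IP and the
    datacenter router answers from reply_src. True if the client receives it."""
    nat = CgNat("203.0.113.10")  # constructed CG-NAT public address
    init = nat.outbound(Packet(client_ip, WG_PORT, VRRP_IP, WG_PORT))
    # The router answers the translated source of the initiation.
    reply = Packet(reply_src, WG_PORT, init.src, init.sport)
    return nat.inbound(reply) is not None


def find_source_mismatches(trace):
    """Scan a WAN-side capture. For every inbound packet to the WireGuard port on
    one of the router's addresses, find the router's reply to that client and
    report (client, requested_dst, reply_src) where the reply source differs
    from the address the client actually sent to."""
    mismatches = []
    for i, req in enumerate(trace):
        if req.dport != WG_PORT or req.dst not in ROUTER_ADDRS:
            continue
        for rep in trace[i + 1:]:
            if rep.dst == req.src and rep.dport == req.sport and rep.sport == WG_PORT:
                if rep.src != req.dst:
                    mismatches.append((req.src, req.dst, rep.src))
                break
    return mismatches


# Constructed capture: a CG-NAT client and a native-v4 client, both asking the VRRP IP.
SAMPLE_TRACE = [
    Packet("203.0.113.10", 40000, VRRP_IP, WG_PORT),
    Packet(ROUTER_REAL_IP, WG_PORT, "203.0.113.10", 40000),  # answered from the real IP
    Packet("198.51.100.7", WG_PORT, VRRP_IP, WG_PORT),
    Packet(VRRP_IP, WG_PORT, "198.51.100.7", WG_PORT),       # answered from the VRRP IP
]

if __name__ == "__main__":
    print("reply from VRRP IP delivered:", handshake_reply_delivered("100.64.1.2", VRRP_IP))
    print("reply from real IP delivered:", handshake_reply_delivered("100.64.1.2", ROUTER_REAL_IP))
    print("source mismatches in trace:", find_source_mismatches(SAMPLE_TRACE))
```

Running it shows the two halves of the observation in the post: a reply from the VRRP address reaches the CG-NAT client, a reply from the router's own address is silently dropped by the NAT (so the client just sees the handshake time out), while a client with a native public address does not care which source the reply carries. Feeding real capture data into `find_source_mismatches` (converted to `Packet` records) is a quick way to confirm whether the router is answering from the address the client connected to.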
