WireGuard - Sending initiation handshake to peer1 did not complete after 5 sec

RouterOS General
1

Hello, I have a WG server running on a 5009 ROS 7.5 and i have a WG road warrior client.

I am trying to connect from my road warrior client to mikrotik and i get this error: Sending initiation handshake to peer1 did not complete after 5 sec

mikrotik is not behind CGNAT. Also i want to mention that i already have l2tp with IPSEC vpn server on mikrotik and roadwarriors are working perfectly. I want to switch from l2tp VPN to wireguard VPN because it is easier to setup on mobile phones and devices generally.

My mikrotik config is the bellow:

/interface bridge
add admin-mac=DC:2C:6E:3B:C7:89 auto-mac=no comment=defconf name=bridge.LAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.0.100-10.0.0.199
add name=vpn_pool ranges=10.10.10.2-10.10.10.11
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge.LAN lease-time=1w1d name=dhcp1
/ppp profile
add change-tcp-mss=yes local-address=10.10.10.1 name=vpn_profile \
    remote-address=vpn_pool use-encryption=yes
/interface bridge port
add bridge=bridge.LAN comment=defconf interface=ether3
add bridge=bridge.LAN comment=defconf interface=ether4
add bridge=bridge.LAN comment=defconf interface=ether5
add bridge=bridge.LAN comment=defconf interface=ether6
add bridge=bridge.LAN comment=defconf interface=ether7
add bridge=bridge.LAN comment=defconf interface=ether8
add bridge=bridge.LAN comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn_profile enabled=yes use-ipsec=\
    required
/interface list member
add comment=defconf interface=bridge.LAN list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.16.10.3/32,10.0.0.0/24 interface=wireguard1 \
    public-key="SNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX6yTM="
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge.LAN network=10.0.0.0
add address=91.XXX.169.238/30 interface=ether1 network=91.XXX.169.236
add address=172.16.10.1/24 comment="WG VPN" interface=wireguard1 network=\
    172.16.10.0

/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port Scanners to list" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=jump chain=input comment="SYN Flood INPUT" connection-state=new \
    jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=input comment="WG VPN Rule" dst-port=13231 protocol=\
    udp
add action=accept chain=input comment="VPN Allow Rules" dst-port=1701 \
    protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input src-address-list="port scanners"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=jump chain=forward comment="SYN Flood FW" connection-state=new \
    jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=syn-attack connection-state=new limit=400,5:packet \
    protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new log=yes log-prefix=\
    SYN-ATK protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=30000-35000 \
    in-interface-list=WAN protocol=udp to-addresses=10.0.0.220 to-ports=\
    30000-35000
add action=dst-nat chain=dstnat dst-port=5001 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.0.220 to-ports=5001
add action=dst-nat chain=dstnat dst-port=5090 in-interface-list=WAN protocol=\
    tcp to-addresses=10.0.0.220 to-ports=5090
add action=dst-nat chain=dstnat dst-port=5090 in-interface-list=WAN protocol=\
    udp to-addresses=10.0.0.220 to-ports=5090
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log=yes \
    log-prefix="WAN DNS" protocol=udp
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=91.XXX.169.237 routing-table=\
    main suppress-hw-offload=no

My Client setup is above:

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ListenPort = 13231
Address = 172.16.10.3/32

[Peer]
PublicKey = TgXXXXXXXXXXXXXXXXXXXXXXXXXXXXXmE=
AllowedIPs = 172.16.10.1/32, 10.0.0.0/24
Endpoint = 91.XXX.169.238:13231

WG interface and peer from mikrotik side and client side seems to have some packet traffic but access is not reachable.

Also from mikrotik peer side, the handshake of my client is 00:00:00.

Any ideas what is wrong?

2

(1) Client

  • Ensure the client devices DNS entry is 172.16.10.1 ( just to ensure its not some weird DNS issue).
  • For the allowed IPs put 172.16.10.0/24 vice 10.1/32 the other entry is fine as you intend to visit LAN devices on the server!!
    AllowedIPs = 172.16.10.1/32, 10.0.0.0/24
    persistent keep alive–>> ???

(2) On the server why do you have this as allowed IPs?? Allowed IPs are not meant to identify local subnets!!!..
10.0.0.0/24

3

Did all the above, still the same error from the WG client. it is very strange. I did a reboot at the router, but again nothing changed.

4

Ios, android or windows client ??

5

I have tried from windows client using my home Wi-Fi and I tried with my android phone using 5g. Both devices the same error.

6

Grasping at straws here but looking at anything I dont use… and out of the norm…

(1) Disable this for testing…
/ip settings
set tcp-syncookies=yes

(2) Disable this for testing
/ip firewall raw
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log=yes
log-prefix=“WAN DNS” protocol=udp

7

again nothing changed. How can i debug what is wrong?

I remembered now that i am using similar config with the same filter rules and settings with wireguard and was working perfectly. I don’t know what is wrong with mine.

8

Well on the server you should see in logs the initial connection “handshake” when the tunnel first is established.
Then in wireguard monitoring TRAFFIC, you should see the keep alive pings every xx seconds from the client…

9

it is crazy, i can see the keep alive packets both from server and client side, still the tunnel is not established. How is that possible?

it is not a firewall issue and i can’t find the real problem. Is it a bug?

10

How are you attempting to connect.
Pinging only or trying to reach a MT lan subnet device or trying to go out MT internet???

Okay
Post your latest MT config and the client config settings please.

11

Is there anyway the ISP blocks wireguard? I am connected direct with a WAN IP i got from my ISP and there is no dual nat. the WAN type is VDSL super vectoring 200 mbps with static IP.

I will destroy the WG interface and client settings and i will set it again.

12

If you were in like Iran that would be entirely possible.
In general, if you can port forward you can do wireguard.
In other words there is no set WG port, you can choose to use any port 15533 for example or 45454.

13

you won’t believe this but i used port 51820 on WG interface and it worked.

The default 13231 port and the port 12345 i used didn’t work for some reason. Randomly 2 different ports that i used seems to be blocked from ISP???