Apologies but I am still very new to Mikrotiks
I have two Mikrotiks that are blank config save for the bare minimum to get connection to the internet.
ether2 set up with LAN IPs, DHCP server and the rest
ether1 set up as a DHCP client WAN
Masq set up in the NAT
Both Mikrotiks are set up the same and both are using the LTE and getting public IPs, and can route LAN to the internet with no problems, currently zero firewall rules and no other config to write home about.
However when I set up Wireguard and the peers on both I get no handshake. I know I am missing something but I have no idea what.
R1 set up peer:
Name: Wireguard-1
Endpoint: (blank)
Endpoint Port: (blank)
Allowed IPs: 0.0.0.0/0
Keep Alive 25s
IP Address added
10.0.0.1/30 → Wireguard-1
R2 set up peer:
Name: Wireguard-1
Endpoint: R1 Public IP
Endpoint Port: 13231
Allowed IPs: 0.0.0.0/0
Keep Alive 25s
IP Address added
10.0.0.2/30 → Wireguard-1
Can anyone help me with what I am missing? Thank you in advance!
I have tried it where I add the Endpoint on both routers with each others public IP
& I have tried it with R1 having a blank endpoint and R2 having the Public IP of R1
Neither of these things work.
10.0.0.1 just won't speak to 10.0.0.2
I have gotten the handshake on the current config to work once; however, that time both were connected via ether1 - WAN, both routers' WAN were DHCP and they had IPs on the same network (10.10.1.5 & 10.10.1.4), and the handshake was fine.
But on the LTE which routes traffic to the internet fine both have public IPs and the handshake will not happen.
I also attached one of them to my Leased Line and it had a static public IP on the WAN and the handshake still failed
Very confusing setup.
You need to select which one is the server for handshake…
Also why are your LAN subnets the same behind each router, make them different.
Yes LAN IPs are the same just because it’s a lab, and I can’t get the tunnel up & handshaking in the first place.
These would be different in reality.
In this R2 is the server as far as I know.
As far as I know R1 needs a peer set to R2
And R2 a peer to R1
Only R1's peer has an endpoint public IP set to R2 as R2 is the server, correct?
If the wans are private IPs on the same network and I set up wireguard like this handshake is fine.
Once they are both on LTE with publics the handshake never happens.
Any help would be amazing, when you say select one for the server is there a step I missed?
R1
-------------------
# mar/18/2024 23:52:08 by RouterOS 7.8
# software id =
#
# model = L41G-2axD&FG621-EA
# serial number =
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/ip pool
add name=dhcp_pool0 ranges=10.2.1.50-10.2.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 lease-time=1d name="LAN - DHCP"
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=R2 PUBLIC IP endpoint-port=\
13231 interface=wireguard1 persistent-keepalive=25s public-key=\
"R2 Public KEY"
/ip address
add address=10.2.1.254/24 interface=ether2 network=10.2.1.0
add address=10.0.0.2/30 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface="ether1 - WAN"
/ip dhcp-server network
add address=10.2.1.0/24 dns-server=10.2.1.254,8.8.8.8 gateway=10.2.1.254
/ip dns
set allow-remote-requests=yes servers=10.1.1.254
/ip dns static
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi.local
add address=UNIFI SERVER PUBLIC IP match-subdomain=yes name=unifi.localdomain
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
R2
-------------------
# mar/18/2024 23:10:07 by RouterOS 7.8
# software id =
#
# model = L41G-2axD&FG621-EA
# serial number =
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wifiwave2
add
/interface ethernet
set [ find default-name=ether1 ] mac-address=MAC name=\
"ether1 - WAN"
set [ find default-name=ether2 ] mac-address=MAC
set [ find default-name=ether3 ] mac-address=MAC
set [ find default-name=ether4 ] mac-address=MAC
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard2
/ip pool
add name=dhcp_pool0 ranges=10.1.1.50-10.1.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether2 lease-time=1d name="LAN - DHCP"
/port
set 0 name=serial0
/interface wireguard peers
add allowed-address=10.0.0.2/32,10.2.1.0/24 interface=wireguard2 public-key=\
"R1 PUBLIC KEY"
/ip address
add address=10.1.1.254/24 interface=ether2 network=10.1.1.0
add address=10.0.0.1/30 interface=wireguard1 network=10.0.0.0
/ip dhcp-client
add interface="ether1 - WAN"
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=10.1.1.254,8.8.8.8 gateway=10.1.1.254
/ip dns
set allow-remote-requests=yes servers=10.1.1.254
/ip firewall filter
add action=accept chain=input port=13231 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
…
Recommend updating to the latest stable or more specifically to 7.14.2 when it comes out.
I don't have a clue what you are doing with port forwarding, as that is intended from external to internal (or internal to internal sometimes)…
Also it's not clear who on R2 will be going to R1 and vice versa… and for what purpose.
Everything on ether2 on R1 is sent via wg to ether2 on R2 and vice versa.
That part is neither here nor there at this point as the handshake just doesn't happen on 10.0.0.1 & 10.0.0.2. No idea why, I keep trying to figure out what would be stopping it and I'm lost, firewall rule missing? Maybe
Well you have no firewall rules so all should be permitted…
On R2 try adding add chain=input action=accept comment="wg handshake" dst-port=13231 protocol=udp
FACEPALM, -we forgot routes
ON R1 Add add dst-address=10.1.1.0/24 gateway=wireguard1 routing-table=main comment="route to remote subnet"
ON R2 add add dst-address=10.2.1.0/24 gateway=wireguard2 routing-table=main comment="route to remote subnet"
Hmm you didn't change allowed IPs on router2… and there is no need for persistent keep alive on the unit that is server for handshake.
Should be (R2) : /interface wireguard peers
add allowed-address=10.0.0.1/32,10.2.1.0/24 interface=wireguard1
public-key="R1 PUBLIC KEY"
I noted I had assumed the server for handshake was 10.0.0.1 for wg IP but it's actually the reverse, so my rule in a previous post was incorrect; this fixes that as well.
If you still have problems after that then I suspect one of three things.
a. the keys don't match up properly
b. the WAN IP on R2 is actually not public/reachable
c. your non-standard DNS setup is screwing things up.
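As an added example (not from the thread and not MikroTik code), a small Python checker that parses two RouterOS exports like the ones posted above and flags two things the replies circle around: a tunnel address or peer bound to an interface name that is never defined (R2's export puts 10.0.0.1/30 on wireguard1 while its interface is named wireguard2), and a peer allowed-address that does not cover the other side's tunnel IP. The two sample exports are constructed here with placeholder keys.

```python
import ipaddress
import shlex
def parse_export(text):
    """Parse a RouterOS /export into {section: [{key: value}, ...]}."""
    cfg, section, buf = {}, None, ""
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):             # /export wraps long lines with a trailing backslash
            buf += line[:-1]                # the continuation joins with no space (e.g. "port=\" + "13231")
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):            # section header such as "/interface wireguard peers"
            section = line
        else:                               # shlex copes with quoted values like name="ether1 - WAN"
            toks = shlex.split(line)
            cfg.setdefault(section, []).append(dict(t.split("=", 1) for t in toks if "=" in t))
    return cfg
def check_pair(local_text, remote_text):
    """Cross-check one router's WireGuard export against its peer's; returns a list of findings."""
    loc, rem = parse_export(local_text), parse_export(remote_text)
    ifaces = {e.get("name") for e in loc.get("/interface wireguard", [])}
    out = []
    # 1. an address or peer bound to an interface name that is never defined cannot come up
    for sect in ("/ip address", "/interface wireguard peers"):
        for e in loc.get(sect, []):
            if e.get("interface", "").startswith("wireguard") and e["interface"] not in ifaces:
                out.append(f"{sect}: interface {e['interface']} is not defined (have {sorted(ifaces)})")
    # 2. allowed-address must cover the other side's tunnel address or its packets are dropped
    remote_ips = [ipaddress.ip_interface(e["address"]).ip for e in rem.get("/ip address", [])
                  if e.get("interface", "").startswith("wireguard")]
    for p in loc.get("/interface wireguard peers", []):
        nets = [ipaddress.ip_network(a) for a in p.get("allowed-address", "").split(",") if a]
        for ip in remote_ips:
            if not any(ip in n for n in nets):
                out.append(f"peer on {p['interface']}: allowed-address excludes remote tunnel ip {ip}")
    return out
# Constructed samples mirroring the two exports in the thread (placeholder keys, not real ones)
R1 = """/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=R2_PUBLIC_IP endpoint-port=13231 interface=wireguard1 persistent-keepalive=25s public-key="R2_PUBLIC_KEY"
/ip address
add address=10.0.0.2/30 interface=wireguard1 network=10.0.0.0"""
R2 = """/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard2
/interface wireguard peers
add allowed-address=10.0.0.2/32,10.2.1.0/24 interface=wireguard2 public-key="R1_PUBLIC_KEY"
/ip address
add address=10.0.0.1/30 interface=wireguard1 network=10.0.0.0"""
```

Run check_pair(R2, R1) to see the interface mismatch reported; check_pair(R1, R2) returns nothing because R1's allowed-address 0.0.0.0/0 covers 10.0.0.1 and its interface names agree.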