Wireguard site to site connected but peers cant use it

Guentha · December 15, 2023, 10:43pm

I am finally moving away from PPTP and decided to set up a wireguard tunnel between my home office and my CoLo. I have setup the connection following “The Network Berg” setup instructions. I even used the 192.168.32.0/24 network for the wireguard. Everything went well and the router can ping each other and see resources on either side…however, none of the peers can see the local lans. site B can ping both the wireguard interfaces 192.168.32.1 and 2. Peers on site A can only ping its local wireguard interface 192.168.32.1.

I know the first thing everyone is gonna want is the configs but I share a 10g connection with several other admins(play site) and they all have access too and configs on Site A’s router so I want to be very careful and only give the info I need. what section of the config do you need to look at or are there any simple things to try since the connection is working but peers can’t use it.

Site A 172.16.50.0/24 Wireguard 192.168.32.1
Site B 10.10.0.0/24 Wireguard 192.168.32.2

site A is the server and the CoLo
Site B is my home network.

we can do whatever with site B but I need to be carful with site A since it affects others. I do have nightly backups just in case.

Site A
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-Mission
/interface wireguard peers
add allowed-address=192.168.32.0/24,10.10.0.0/24 interface=WG-Mission \
    persistent-keepalive=25s public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

Site B
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-Home
/interface wireguard peers
add allowed-address=192.168.32.0/24,172.16.50.0/24 endpoint-address=\
    63.230.131.249 endpoint-port=13231 interface=WG-Home \
    persistent-keepalive=24s public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

erlinden · December 15, 2023, 11:12pm

You might want to have a look at the official tutorial:
https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-SitetoSiteWireGuardtunnel

jspool · December 15, 2023, 11:22pm

It’s very difficult to guess with limited info but for basics:
Each router will need a route to the other routers subnet via the wireguard interface.
For testing you can also change the allowed address in the wg peer on each end to 0.0.0.0/0 to debug if its a mismatch in the allowed networks.

Guentha · December 16, 2023, 12:59am

There is a route on both routers. the routers themselves can ping anything on both lans. but internal devices cannot see the other networks.

Yes I know my publics are on here. I guess if people want to be dicks they can go ahead.

Site A
#       DST-ADDRESS        GATEWAY           DISTANCE
0  Xs   0.0.0.0/0          65.153.36.1               
1  Xs   10.10.0.0/24       *F018C5                  1
2  Xs   0.0.0.0/0          67.5.64.10               2
3  Xs   192.168.0.0/24     192.168.0.1               
4  Xs   63.230.131.224/27  67.5.64.10                
5  Xs   10.69.69.0/24      ether3                    
6  Xs   0.0.0.0/0          67.5.64.10                
  DAv   0.0.0.0/0          CenturyLink              2
7  IsH  10.0.69.0/24       *F018C6                  1
  DAc   10.1.10.0/24       ether10                  0
8  As   10.10.0.0/24       WG-Mission               1
  DAc   10.10.10.0/24      Cluster                  0
  DAc   10.69.69.0/24      ether3                   0
  DAc + 63.230.131.224/27  CLink Bridge             0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc + 63.230.131.224/27  ether11                  0
  DAc   67.5.64.10/32      CenturyLink              0
  DAc   172.16.50.0/24     Cluster                  0
  DAc   172.16.69.0/24     vlan30 - Richard         0
  DAc   192.168.0.0/24     Cluster                  0
  DAc   192.168.32.0/24    WG-Mission               0

Site B
#      DST-ADDRESS      GATEWAY       DISTANCE
  DAd  0.0.0.0/0        24.16.120.1          2
  DAc  10.10.0.0/24     internal             0
  DAc  24.16.120.0/22   ether1               0
0  As  172.16.50.0/24   WG-Home              1
  DIcH 172.16.50.0/24   sfp-sfpplus1         0
  DAc  192.168.32.0/24  WG-Home              0

anav · December 16, 2023, 3:23am

Assuming Site A is the wireguard server for handshake, then putting keep alive on any peers is a waste of time so drop the keep alive on site A.
Also at site A, the peer setting for peer B should be 192.168.32.2/32

To be clear also site A needs an ip route
/ip route
add dst-address=10.10.0.0/24 gateway=WG-Mission

Site A needs firewall rules that stated
add chain=input action=accept dst-port=13231 protocol=udp
add chain=forward action=accept src-address=172.16.50.0/24 out-interface=WG-Mission
add chain=forward action=accept dst-address=172.16.50.0/24 in-interface=WG-Mission src-address=10.10.0.0/24

In terms of Site B.
/ip route
add dst-address=172.16.50.0/24 gateway=WG-Home

Site A needs firewall rules that stated
add chain=forward action=accept src-address=10.10.0.0/24.0/24 out-interface=WG-Home
add chain=forward action=accept dst-address=10.10.0.0/24/24 in-interface=WG-Mission src-address=172.16.50.0/24

Guentha · December 16, 2023, 4:00am

thanks for all the help. turns out that sometimes you just need a break. I walked away for a while and pulled out my phone. put in an IP address of a remote server and BAM! pulled right up. Grabbed another workstation and it works too. Turns out its something wrong with my main workstation. It doesn’t like to route to anything on a 172.16.X.X network. not sure where that’s messed up but now I know where to start looking.