Wireguard tunnel connecting but it does not seem to communicate properly

Hello
I created a WireGuard configuration on a hAP lite.
PublicKey = xxxxxxxxxx
PrivateKey = xxxxxxxxxx

The hAP is connected to my ISP Router in DMZ, so, the addresses are:
192.168.1.4 ether1
192.168.88.1 bridge
192.168.90.1/32 wireguard tunnel

So, I add in the “peer” section the wg interface, the public key generated from the WireGuard app, the allowed IPs (0.0.0.0/0) and a 30s keepalive.
So, everything is configured server-side. I also opened port 13231 on the firewall and opened 192.168.90.1/32.

If I connect to the tunnel via my iOS WireGuard app, configuring endpoint, address (192.168.90.2) and DNS (192.168.90.1), the connection establishes properly and I am able to navigate on the internet through the tunnel.

But the same thing is not happening on another hAP, which is in my office. If I configure the same public key (OF COURSE THE IOS APP TUNNELING HAS BEEN DEACTIVATED) (generated with the iOS app and set on the server), the endpoint and port 13231, the allowed IPs 0.0.0.0/0 and 30s keepalive, the connection establishes TX and RX, the handshake is working, but if I ping 192.168.90.1 from the client MikroTik hAP, the TX and RX packets still remain 0, and, if I connect to the hAP server and torch, the established connection on UDP (caused by the ping requests from the client) is not there.

What should I do?

So just to get this straight.
Your ISP gets a private IP??
In other words you can either forward a port (by port) or all ports by DMZ, to the LANIP of the hapac, and the traffic heading for a specific PORT to your ISPs public IP will reach your hapac?

If that is the case it should work just fine.

  1. Create the wireguard interface (the public key generated by the hAP is the one you use for all remote devices/users that will connect to the tunnel; they put your public IP in their peer settings, which identifies the router as the peer).

  2. Create the address for the interface.
    wrong:
    192.168.90.1/32
    right:
    /ip address
    192.168.90.1/24

  3. Create input chain rule on router for incoming port
    Create input chain rule on router accept in-interface=wireguard if you need to be able to configure the router remotely
    Create forward chain rule on router accept in-interface=wireguard out-interface=bridge to reach LAN subnet

  4. On the router, peer entries in minimal format look like
    add allowed-address=192.168.90.2/32 interface=wireguard public-key="---------" comment="remote device 1"
    add allowed-address=192.168.90.3/32 interface=wireguard public-key="---------" comment="remote device 2"
    add allowed-address=192.168.90.4/32 interface=wireguard public-key="---------" comment="remote device 3"

    etc…
    Note: One can add a pre-shared key to both ends for additional security.

  5. Ensure Wireguard interface is part of LAN interface list!

++++++++++++++++++++++++++
If you want assistance and things are still not working, I need to see the config:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys)

As for client peers…
Yes, the minimal format, if only accessing the router/subnets, is:
allowed-ips=192.168.90.1/32,192.168.88.0/24 endpoint address, endpoint port, public key generated by router, persistent-keep-alive=XX seconds.

Note 192.168.90.0/24 is also valid, and actually necessary if there is another router or end device that users/admin will access while in wireguard.


If accessing internet through router ( which includes both router and subnets as well ):
allowed-ips=0.0.0.0/0 endpoint address, endpoint port, public key generated by router, persistent-keep-alive=XX seconds.

Yes, my ISP gets a private IP; I am able to do DMZ and port forwarding. The IP is not static, but I set a script in the hapac to update a personal domain that I have on Cloudflare every 10 minutes.
If I connect to the IP or to my domain I can configure the hapac via WebFig or via WinBox. Also the WG listen port is working fine, because with the iOS app it works.

BTW, ASAP tomorrow I will post the configs here… server and client…

This thing is very weird, because instead with the iOS app it works very well.

Okay, I understand better now what is going on.
For the HAPAC at the office… then…
Let's give it a wireguard address:
/ip address
add address=192.168.90.2/24 interface=wireguard network=192.168.90.0

Its peer settings would be
add allowed-address=192.168.90.0/24,192.168.88.0/24 endpoint-address=HomerouterIP endpoint-port=13231 \
    interface=wireguard public-key="---------" persistent-keepalive=35s comment="home router"

/input chain rule
allow wireguard traffic assuming you want to be able to configure hap office router from home or road warrior.
/forward chain rule
allow wireguard traffic to specific subnet or IP ( if you need to access office from home or remote road warrior )

/ip route
add dst-address=192.168.88.0/24 gateway=wireguard routing-table=main ( if office users need to reach home subnet or home subnet user needs to reach office and get return traffic )

++++++++++++++++++

On home router,
add firewall rule forward chain
add chain=forward action=accept in-interface=wireguard out-interface=wireguard comment="relay traffic"
basically enables road warrior to come into home router and then go and reach office HAP or office hap subnets…

Best to see both configs when able.

Thank you very much! Tomorrow I will try this and upload the configs.
BTW, I have to create a tunnel that forwards all the internet traffic, like I'm connected to my home network physically, not only the LAN 192.168.90.0/24.

There is no LAN 192.168.90… it is really just a wireguard subnet with no DHCP or anything, but it sits at the LAN level and thus is subject to L3 firewall rules.
Okay so who is using the full internet ???

Is it the roadwarriors using home internet
Is it the roadwarriors using office internet
Is it the home users using the office internet.
Is it the office users using the home internet?

Requirements need to be detailed enough not to cause more questions LOL

It is the office users (me) using the home internet.
Also I will use it on my iPhone, but let's focus on the MikroTik XD

No problem, once you post both config, I will be able to ensure it meets the needs.

Hi anav, here are the configs:
I re-explain the scheme:
Office Network: SXT LTE6 (not hapac, sorry, I was wrong)
Home Network: HAPAC
The HAPAC should be the server, and the SXT the client.

SXT:

# 2025-05-15 18:24:04 by RouterOS 7.15.2
# software id = xxxxx
# model = SXTR
# serial number = xxxxx
/interface bridge
add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=tunnelcdncassia
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=wap.tim.it authentication=chap name=TIM_APN user=WAPTIM
add apn=ibox.tim.it name=TIM_IPNAT_APN
/interface lte
set [ find default-name=lte1 ] allow-roaming=yes apn-profiles=TIM_IPNAT_APN \
    band=1,3 sms-read=no
/ip pool
add name=default-dhcp ranges=192.168.188.10-192.168.188.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
set ether2 queue=fq-codel-ethernet-default
/routing table
add disabled=no fib name=tunnelcdncassia
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxxxxx endpoint-port=13232 interface=\
    tunnelcdncassia name=tunnel persistent-keepalive=35s public-key=\
    "bPrJt8x4ubRsoex/tYMHRp9PLWHFtjALxt2XXXXXXXX"
/ip address
add address=192.168.188.1/24 comment=defconf interface=bridge network=\
    192.168.188.0
add address=192.168.90.2/24 interface=tunnelcdncassia network=192.168.90.0
/ip dhcp-server config
set store-leases-disk=2h5m
/ip dhcp-server lease
add address=192.168.188.216 client-id=1:44:db:d2:26:cf:7a mac-address=\
    44:DB:D2:26:CF:7A server=defconf
/ip dhcp-server network
add address=192.168.188.0/24 comment=defconf dns-server=192.168.188.1 \
    gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.188.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input disabled=yes dst-port=80 in-interface-list=WAN \
    protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=input disabled=yes in-interface=lte1
add action=accept chain=input comment="wg accept from 13231" dst-port=13231 \
    protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=lte1 \
    protocol=tcp to-addresses=192.168.188.1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=yes distance=1 dst-address=192.168.1.1/32 gateway=*7 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/system scheduler
add disabled=yes interval=10m name=ddnsupdater_schedule on-event=\
    "/system script run ddnsupdater" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-04-23 start-time=19:08:26
/system script
add dont-require-permissions=no name=ddnsupdater owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="XXXXXXXXX"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

HAPAC:

# 2025-05-15 18:24:45 by RouterOS 7.12.1
# software id = xxxxxx
#
# model = RB941-2nD
# serial number = xxxxxxxxx
/interface bridge
add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-8DE3B5 \
    wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=xxxxx #[disabled, does not matter]#
add listen-port=13232 mtu=1420 name=tunnelPassignano #[this is the wireguard paired with "tunnelcdncassia"]#
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf \
    disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=192.168.89.2/32 interface=WG_MAIN_HOST-CASSIA837 \
    public-key="4JwHbGQpfvh56Rl+GxTsakLjN2XXXXXXXXXXX"
add allowed-address=0.0.0.0/0 interface=tunnelPassignano \
    persistent-keepalive=30s public-key=\
    "WUMbb9AbakP5VZNlumITivJIByiZmXXXXXXXXX"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.89.1/24 interface=XXXXXXXXX #[not relevant wireguard]# network=\
    192.168.89.0
add address=192.168.90.2/24 interface=tunnelPassignano network=192.168.90.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="wg inbound" dst-port=13231 protocol=\
    udp
add action=accept chain=input comment="wg data" src-address=192.168.89.0/24
add action=accept chain=input dst-port=13232 protocol=udp
add action=accept chain=input src-address=192.168.90.0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/system scheduler
add interval=10m name=schedule1 on-event=ddnsupdater policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-05-13 start-time=21:08:38
/system script
add dont-require-permissions=no name=ddnsupdater owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="XXXXX #[CLOUDFLARE DDNS UPDATE SCRIPT]#"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
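As an added worked check (not code from the thread, from anav, or from RouterOS), the script below reads the two exports posted above and applies anav's step 2 and step 4 rules mechanically: each side's tunnel address must lie inside the other side's peer allowed-address, because WireGuard's cryptokey routing drops any decrypted packet whose source is outside it and never sends a packet whose destination is outside it, and a /32 interface address gives RouterOS no connected route to the far end at all. The excerpts are constructed from the posted exports with the keys as redacted there; the /32 pair is a constructed reconstruction of the first post, and its interface name `wireguard` and placeholder keys are assumptions.

```python
import ipaddress
import re
import shlex

def parse_export(text):
    """Collect the add-rows of /ip address and /interface wireguard peers from a
    RouterOS export; backslash-newline continuations are joined first."""
    section, rows = None, {"/ip address": [], "/interface wireguard peers": []}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section in rows:
            rows[section].append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return rows

def tunnel_view(text, iface):
    """Local address on the tunnel interface plus every allowed-address of its peers."""
    rows = parse_export(text)
    addr = next(ipaddress.ip_interface(a["address"]) for a in rows["/ip address"] if a.get("interface") == iface)
    allowed = [ipaddress.ip_network(n) for p in rows["/interface wireguard peers"]
               if p.get("interface") == iface for n in p["allowed-address"].split(",")]
    return addr, allowed

def check_link(server_text, server_iface, client_text, client_iface):
    """Apply WireGuard's cryptokey-routing rule to both directions of one link:
    a decrypted packet is accepted only if its source is inside the sending
    peer's allowed-address, and a packet is sent to a peer only if its destination
    is inside that peer's allowed-address. Also flag a /32 interface address,
    which installs no connected route to the far end's tunnel address."""
    s_addr, s_allowed = tunnel_view(server_text, server_iface)
    c_addr, c_allowed = tunnel_view(client_text, client_iface)
    findings = []
    if s_addr.ip == c_addr.ip:
        findings.append(f"both ends use {s_addr.ip}: the far end is never reached")
    for side, local, remote, allowed in (("server", s_addr, c_addr, s_allowed),
                                         ("client", c_addr, s_addr, c_allowed)):
        if not any(remote.ip in net for net in allowed):
            findings.append(f"{side} allowed-address {allowed} does not cover {remote.ip}")
        if remote.ip not in local.network:
            findings.append(f"{side} address {local} gives no connected route to {remote.ip}")
    return findings

# Constructed excerpts of the two exports posted above (keys as redacted there),
# trimmed to the sections the checker reads.
HAPAC = """/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=tunnelPassignano persistent-keepalive=30s \\
    public-key="WUMbb9AbakP5VZNlumITivJIByiZmXXXXXXXXX"
/ip address
add address=192.168.90.2/24 interface=tunnelPassignano network=192.168.90.0
"""
SXT = """/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-port=13232 interface=tunnelcdncassia \\
    persistent-keepalive=35s public-key="bPrJt8x4ubRsoex/tYMHRp9PLWHFtjALxt2XXXXXXXX"
/ip address
add address=192.168.90.2/24 interface=tunnelcdncassia network=192.168.90.0
"""
# Constructed reconstruction of the first post: /32 on both tunnel addresses.
SERVER_32 = """/interface wireguard peers
add allowed-address=192.168.90.2/32 interface=wireguard public-key="KEY-PLACEHOLDER"
/ip address
add address=192.168.90.1/32 interface=wireguard network=192.168.90.1
"""
CLIENT_32 = """/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard public-key="KEY-PLACEHOLDER"
/ip address
add address=192.168.90.2/32 interface=wireguard network=192.168.90.2
"""
```

Run on the exports as posted, `check_link(HAPAC, "tunnelPassignano", SXT, "tunnelcdncassia")` reports only that both tunnel interfaces carry 192.168.90.2; the /32 reconstruction reports a missing connected route on each side.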

In the end I made it. It emerged that the problem was related to the fact that I had not noticed that a key was obsolete (in the meantime, perhaps while I was setting it up, I had it changed) and I did not realize that they were different.
I was also pinging the client's WireGuard interface, not the server's: obviously the traffic didn't go the other way. Thanks Anav for the help anyway!!!

To confirm, all good now?

So far, yes.