Wireguard tunnel extremely slow, barely working (Winbox not working), possible reasons?

I have a wireguard tunnel from a mobile device to a CHR, the setup described here: http://forum.mikrotik.com/t/routeros-blatantly-ignores-pref-src-can-this-really-be-a-bug/180360/38

Ping works flawlessly. Enthusiastically I tried connecting to Winbox over it but surprisingly I just get “Failed to establish secure connection”. I tried simple TCP server/client over the tunnel with netcat and that seems to work too. SSH is a mixed bag: Often it times out and doesn’t work. Sometimes I can login. Once the session is established, each key stroke would take seconds.

What would be possible reasons for something like this?

The only out-of-the-ordinary things are: (1) Using DNAT/mangle per this link. (2) Possibly the tunnel packets go over other wireguard tunnels.

The immediate obvious idea was MTU. I decreased MTU on both ends to 1300 but it didn’t make any difference.

Here is a sniffer output of a Winbox session where I just get “Failed to establish secure connection”:

19 time=228.69  num=20 direction=rx interface=wg-mobile src-address=10.227.33.10:50834 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=64 cpu=2 ip-packet-size=64 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=syn
20 time=228.69  num=21 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=60 cpu=2 ip-packet-size=60 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=syn,ack 
21 time=228.981 num=22 direction=rx interface=wg-mobile src-address=10.227.33.10:50834 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=52 cpu=3 ip-packet-size=52 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=ack 
22 time=228.996 num=23 direction=rx interface=wg-mobile src-address=10.227.33.10:50834 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=93 cpu=0 ip-packet-size=93 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=psh,ack 
23 time=228.996 num=24 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=52 cpu=0 ip-packet-size=52 ip-header-size=20 dscp=0 identification=35258 fragment-offset=0 ttl=64 tcp-flags=ack 
24 time=229.004 num=25 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=103 cpu=1 ip-packet-size=103 ip-header-size=20 dscp=0 identification=35259 fragment-offset=0 ttl=64 tcp-flags=psh,ack 
25 time=229.88  num=26 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=103 cpu=1 ip-packet-size=103 ip-header-size=20 dscp=0 identification=35260 fragment-offset=0 ttl=64 tcp-flags=psh,ack 
26 time=230.83  num=27 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=103 cpu=1 ip-packet-size=103 ip-header-size=20 dscp=0 identification=35261 fragment-offset=0 ttl=64 tcp-flags=psh,ack 
27 time=232.68  num=28 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=103 cpu=1 ip-packet-size=103 ip-header-size=20 dscp=0 identification=35262 fragment-offset=0 ttl=64 tcp-flags=psh,ack 
28 time=234.019 num=29 direction=rx interface=wg-mobile src-address=10.227.33.10:50834 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=52 cpu=1 ip-packet-size=52 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=fin,ack 
29 time=234.019 num=30 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=52 cpu=1 ip-packet-size=52 ip-header-size=20 dscp=0 identification=35263 fragment-offset=0 ttl=64 tcp-flags=fin,ack 
30 time=234.027 num=31 direction=rx interface=wg-mobile src-address=10.227.33.10:50835 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=64 cpu=2 ip-packet-size=64 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=syn 
31 time=234.027 num=32 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50835 protocol=ip ip-protocol=tcp size=60 cpu=2 ip-packet-size=60 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=syn,ack 
32 time=234.266 num=33 direction=rx interface=wg-mobile src-address=10.227.33.10:50834 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=64 cpu=3 ip-packet-size=64 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=ack 
33 time=234.266 num=34 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=103 cpu=3 ip-packet-size=103 ip-header-size=20 dscp=0 identification=35264 fragment-offset=0 ttl=64 tcp-flags=psh,ack 
34 time=234.271 num=35 direction=rx interface=wg-mobile src-address=10.227.33.10:50835 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=52 cpu=0 ip-packet-size=52 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=ack 
35 time=234.308 num=36 direction=rx interface=wg-mobile src-address=10.227.33.10:50835 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=109 cpu=1 ip-packet-size=109 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=psh,ack 
36 time=234.308 num=37 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50835 protocol=ip ip-protocol=tcp size=52 cpu=1 ip-packet-size=52 ip-header-size=20 dscp=0 identification=52636 fragment-offset=0 ttl=64 tcp-flags=ack 
37 time=234.502 num=38 direction=rx interface=wg-mobile src-address=10.227.33.10:50834 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=40 cpu=2 ip-packet-size=40 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=rst 
38 time=239.299 num=39 direction=rx interface=wg-mobile src-address=10.227.33.10:50835 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=52 cpu=3 ip-packet-size=52 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=fin,ack 
39 time=239.299 num=40 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50835 protocol=ip ip-protocol=tcp size=52 cpu=1 ip-packet-size=52 ip-header-size=20 dscp=0 identification=52637 fragment-offset=0 ttl=64 tcp-flags=fin,ack 
40 time=239.543 num=41 direction=rx interface=wg-mobile src-address=10.227.33.10:50835 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=52 cpu=0 ip-packet-size=52 ip-header-size=20 dscp=0 identification=0 fragment-offset=0 ttl=64 tcp-flags=ack

10.227.4.2 is RouterOS (Winbox) and 10.227.33.10 is the mobile client.

I really can’t see anything out of the ordinary here, and I really have a hard time understanding what could possibly make the tunnel work so far but still make WinBox fail (and SSH cause issues).
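One way to make what the trace above shows explicit, as an added example that is not from the original post: a small Python parser for the RouterOS sniffer rows that flags runs of identical outgoing data segments with nothing received from the peer in between, which is the retransmission-with-backoff signature. The sample is constructed from trace rows 25 to 29 in the same format; the sniffer prints no TCP sequence numbers, so repeated (flow, size) is used as the indicator.

```python
import re
# Constructed sample in the format of the RouterOS sniffer rows above (trace rows 25 to 29):
# the server's 103-byte reply goes out four times before the client answers with fin,ack.
SAMPLE = """\
24 time=229.004 num=25 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=103 ip-packet-size=103 ip-header-size=20 tcp-flags=psh,ack
25 time=229.88 num=26 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=103 ip-packet-size=103 ip-header-size=20 tcp-flags=psh,ack
26 time=230.83 num=27 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=103 ip-packet-size=103 ip-header-size=20 tcp-flags=psh,ack
27 time=232.68 num=28 direction=tx interface=wg-mobile src-address=10.227.4.2:8291 (winbox) dst-address=10.227.33.10:50834 protocol=ip ip-protocol=tcp size=103 ip-packet-size=103 ip-header-size=20 tcp-flags=psh,ack
28 time=234.019 num=29 direction=rx interface=wg-mobile src-address=10.227.33.10:50834 dst-address=10.227.4.2:8291 (winbox) protocol=ip ip-protocol=tcp size=52 ip-packet-size=52 ip-header-size=20 tcp-flags=fin,ack
"""
KV = re.compile(r"(\S+)=(\S+)")  # key=value tokens; the row index and "(winbox)" carry no '='

def parse(text):
    """One dict per sniffer row; the fields the detector needs are converted to numbers."""
    rows = []
    for line in text.splitlines():
        rec = dict(KV.findall(line))
        if "time" not in rec:  # skip blank or non-packet lines
            continue
        rec["time"], rec["ip-packet-size"] = float(rec["time"]), int(rec["ip-packet-size"])
        rows.append(rec)
    return rows

def _close(last, runs, flow, min_sends):
    # Finish the current run of identical tx data segments on `flow`; keep it if it repeated.
    if flow in last:
        size, times = last.pop(flow)
        if len(times) >= min_sends:
            gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]  # growing gaps = RTO backoff
            runs.append({"flow": f"{flow[0]} -> {flow[1]}", "size": size, "sends": len(times), "gaps": gaps})

def find_retransmissions(rows, min_sends=2):
    """Runs of identical outgoing data segments with nothing received from the peer in between."""
    last, runs = {}, []
    for r in rows:
        src, dst = r["src-address"], r["dst-address"]
        if r["direction"] == "rx":
            _close(last, runs, (dst, src), min_sends)  # peer answered: its tx run is over
            continue
        if "psh" not in r["tcp-flags"]:  # pure syn/ack/fin segments carry no data
            continue
        flow, size = (src, dst), r["ip-packet-size"]
        if flow in last and last[flow][0] == size:
            last[flow][1].append(r["time"])
        else:
            _close(last, runs, flow, min_sends)
            last[flow] = (size, [r["time"]])
    for flow in list(last):  # trace ended in the middle of a run
        _close(last, runs, flow, min_sends)
    return runs
```

Run on the full trace, the only flagged run is the server's 103-byte reply on port 50834, sent four times at intervals of roughly 0.9, 0.95 and 1.85 seconds with no ack from the client, while the client's own segments are each acknowledged at once.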

When you provide nothing, nothing can be seen.

So let's get some clarity.
What is the home MikroTik router model? I assume you have no public IP.
Confirm you also have a CHR in the cloud that you use as the WireGuard server for the handshake.

The idea being you as a remote user can access your router and subnets while away from home, or something like that.
Right now there is very little context.

For starters I would want the config of both router and CHR:
/export file=anynameyouwish (minus router serial #, any public WAN IP information, keys, etc.)

@anav: It is the setup in http://forum.mikrotik.com/t/routeros-blatantly-ignores-pref-src-can-this-really-be-a-bug/180360/38 so public IP and multiple WANs.

However, upon more and more debugging it turns out the issue is still the DNAT, or, more accurately, the missing source address.
It seems that for some packets a different source address is selected, so the backwards translation on the DNAT fails. In the sniffer output it can be seen that packets are re-transmitted multiple times. I assume this is because subsequent packets never made it to the client.

Hence it is best to continue in the DNAT/pref-src thread.