Wireguard tunnel not working

Hello,

I’m running an RB4011iGS+5HacQ2HnD with rOS 7.15.2 and configured a WireGuard road-warrior setup as described here:
https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-Applicationexamples

The Windows client fails to connect to the RB4011iGS+5HacQ2HnD WireGuard.
Error: 2024-07-17 18:14:57.768396: [TUN] [Example] Startup complete
2024-07-17 18:14:59.057288: [TUN] [Example] Sending handshake initiation to peer 1 (91.112.XX.XXX:13213)
2024-07-17 18:15:04.182467: [Example] [Aras] Handshake for peer 1 (91.112.XX.XXX:13213) did not complete after 5 seconds, retrying (try 2)

The relevant WireGuard configuration on the RB4011iGS+5HacQ2HnD:

/ip address print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS           NETWORK        INTERFACE 
;;; defconf
0 192.168.0.1/24    192.168.0.0    bridge    
1 192.168.111.1/24  192.168.111.0  vlan200   
2 91.112.XX.XXX/30  91.112.XX.XXX  ether1    
3 192.168.4.1/24    192.168.4.0    wireguard1
/interface wireguard print 
Flags: X - disabled; R - running 
 0  R name="wireguard1" mtu=1420 listen-port=13231 
      private-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXpriv=" 
      public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXpub"
/interface wireguard peers print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-PORT, ALLOWED-ADDRESS
# INTERFACE   PUBLIC-KEY                                    E  ALLOWED-ADDRES
0 wireguard1  XXXXXXXXXXXXXXXXclientpublickey=  0  192.168.4.2/32
/ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 1    ;;; allow ALL WireGuard traffic
      chain=input action=accept src-address=192.168.4.0/24 log=yes log-prefix="" 
 2    ;;; allow WireGuard traffic ICMP
      chain=input action=accept protocol=icmp src-address=192.168.4.0/24 log=yes log-prefix="" 

 3    ;;; allow WireGuard
      chain=input action=accept protocol=udp dst-port=13231 log=yes log-prefix="" 

 4    ;;; allow WireGuard traffic MSSQL TCP
      chain=input action=accept protocol=tcp src-address=192.168.4.0/24 port=1433 log=yes log-prefix="" 

 5    ;;; allow WireGuard traffic MSSQL UDP
      chain=input action=accept protocol=udp src-address=192.168.4.0/24 port=1433 log=yes log-prefix="" 

 6    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 7    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 8    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 9    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

10    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

11    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

12    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

13    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related 

14    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

15    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

16    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

/interface list member print
Columns: LIST, INTERFACE
# LIST  INTERFACE 
;;; defconf
0 LAN   bridge    
;;; defconf
1 WAN   ether1    
2 LAN   wireguard1

WireGuard client config:
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXpriv=
Address = 192.168.4.2/24
[Peer]
PublicKey = XXXXXXXXXXpubkeyfrommikrotik=
AllowedIPs = 192.168.0.0/24
Endpoint = 91.112.XX.XXX:13213


Please help me get a working WireGuard config so that a client can connect and access the remote devices.
What diagnostic options do I have on the MikroTik side?

Kind regards,
Cynrik

The endpoint port configured on the client isn't the same as the one in the wireguard1 interface and the input filter rule.
And put the config in CODE tags, it’s easier to read.

Hi,

Please clarify what you mean by “the endpoint port configured on the client isn't the same as the one in the wireguard1 interface and the input filter rule”.
Do you see a misconfiguration?

Yes, you have made a typo when configuring the client. On the 4011, you use port 13231, whereas the client’s woes in the log mention port 13213.

Thank you so much for the hint! :smiley:

Actually, the VPN clients have access to everything at the remote site.
Now I want to allow only specific ports (MS SQL) to be open.

Based on the config, how can I achieve this as well?

It is actually highly recommended to learn how the firewall works before setting up any VPN connection.

The rules in /ip/firewall/filter control who can connect where.

In your case, the forward chain currently permits any kind of connection to get established, except those whose initial packet arrived via WAN and has not been dst-nated.

I personally prefer to block everything that has not been explicitly permitted; others prefer to permit everything that has not been explicitly blocked. The rules from the default configuration are optimized for performance, sacrificing readability, so the last one in chain forward, action=drop in-interface-list=WAN connection-nat-state=!dstnat, is a kind of shortcut for the following three:
in-interface-list=WAN connection-nat-state=dstnat action=accept
in-interface-list=!WAN action=accept
action=drop

In the default configuration, until you have added the Wireguard interface, there was just WAN and LAN, so only in that special case, !WAN in the rule above could be replaced by LAN without changing the overall effect of the firewall as a whole. But with Wireguard in place, doing so will have the desired effect that Wireguard clients will not be able to get anywhere any more. Which, in turn, will allow you to add selective rules for them, like in-interface=wireguard1 dst-address=a.a.a.a protocol=xyz dst-port=port1,…portN action=accept, before (above) the final “drop the rest” one.

So overall, add the following rules in exactly this order:
chain=forward in-interface-list=WAN connection-nat-state=dstnat action=accept
chain=forward in-interface-list=LAN action=accept
chain=forward in-interface=wireguard1 dst-address=a.a.a.a protocol=xyz dst-port=… action=accept (set a list of ports and/or internal IP addresses as needed)
…repeat the above for all required combinations of protocol, port list, and address…
chain=forward action=drop

Then, disable the rule from the default config that only blocks connections from WAN as mentioned above, so it won’t accept most of the initial packets of connections and they will reach those newly added rules.

Thank you for your help!

The firewall rules still aren't working correctly.
The MikroTik WireGuard how-to says to add the WireGuard interface to the LAN interface list.
https://help.mikrotik.com/docs/display/ROS/WireGuard

You posted the rule:

chain=forward in-interface-list=LAN action=accept

So with this rule, all access is still granted to the WireGuard clients, because your rule is for interface list LAN, which also includes wireguard1.

How can the firewall rules be adapted to get them working as expected?
Why should the WireGuard interface be added to interface list LAN at all?

Kind regards,
Cynrik

The Mikrotik manuals cannot cover all possible application scenarios, so they chose to cover the most typical ones, and the most typical one is that a home user wants to make a device connected using Wireguard (or another VPN) “feel at home” as much as possible. That’s why their “manual for 99 % users” asks you to add wireguard1 as a member interface of interface list LAN.

The rules I have suggested are based on an assumption that, since in your specific case the required treatment for Wireguard users differs from the 99% “feel at home” one, you have not added wireguard1 to interface list LAN. Since you have posted only the part of configuration you assumed to be relevant, I could not spot that bit of information even if it would have come to my mind.

So if you remove wireguard1 from interface list LAN, does the firewall start behaving the way you want? One more point: the way the firewall is done, it only blocks newly created connections; those already established will not be affected by removal of the interface from the interface list.

One more remark, access to the services of the router itself (web, winbox, ssh, dns, …) is controlled by firewall chain input, not forward. So by removing wireguard1 from interface list LAN, you will also prevent the wireguard client from being able to configure the router or use it as a DNS server. If that’s not what you want, you will have to add some permissive rules to chain input as well.
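One way to apply the rule order suggested earlier together with the interface-list change from this post, as an added RouterOS CLI example that is not code from the thread or from MikroTik; the MS SQL server address 192.168.0.10 is an assumed placeholder, and the port numbers and rule comments are the ones from the posted configuration.

```routeros
# Added example, not code from the thread or from MikroTik: the forward-chain
# rework suggested above, applied to the RB4011 config posted earlier.
# Assumed placeholder: the MS SQL server is 192.168.0.10 on the bridge LAN.

# 1. Take wireguard1 out of interface list LAN, so the "LAN -> accept" rule
#    below no longer covers tunnel clients. Already established connections
#    are unaffected until they end (the final drop rule only sees new ones).
/interface list member remove [find list=LAN interface=wireguard1]

# 2. New forward rules, each placed before the defconf shortcut rule so that
#    the initial packet of a new connection reaches them in this order.
/ip firewall filter
add chain=forward in-interface-list=WAN connection-nat-state=dstnat action=accept \
    comment="allow DSTNATed from WAN" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward in-interface-list=LAN action=accept \
    comment="allow LAN (wireguard1 is no longer a member) to anywhere" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward in-interface=wireguard1 dst-address=192.168.0.10 \
    protocol=tcp dst-port=1433 action=accept comment="WG clients -> MSSQL TCP" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward in-interface=wireguard1 dst-address=192.168.0.10 \
    protocol=udp dst-port=1433 action=accept comment="WG clients -> MSSQL UDP" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
add chain=forward action=drop comment="drop everything not accepted above" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]

# 3. The defconf shortcut is now superseded; disable it rather than delete it,
#    so it can be re-enabled if the new set needs to be backed out.
disable [find comment="defconf: drop all from WAN not DSTNATed"]

# 4. Chain input: access to the router itself (DNS, WinBox) from tunnel clients
#    is still permitted by the poster's existing rule 1
#    (chain=input src-address=192.168.4.0/24 action=accept), which sits above
#    the defconf "drop all not coming from LAN" rule, so nothing is added here.

# Quick check: list the forward chain with counters to watch while testing
# a connection from a tunnel client to port 1433 and to some other port.
print stats where chain=forward
```

After applying this, a tunnel client should reach 192.168.0.10:1433 only, and the "drop everything not accepted above" counter should increase for any other destination.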

Removing the wireguard interface from interface list LAN fixed the problem.
Thank you again for your help!