I'm new to MikroTik routers and RouterOS 7, but everything went well so far.
With my old router, which didn't support WireGuard natively, I used an Ubuntu VM for WireGuard.
There everything worked 100%, but my goal was to set up WireGuard on the new MikroTik RB5009.
So I set it up and everything is working with Android (immediate connection to the peer, no problems).
But with Windows (client version 0.5.3 - official from the WireGuard website) I get an error in the log: "Handshake to peer 1 failed …"
The IP is reachable and I tested several MTUs, changed Keepalive from 25 to 10 and other values - no success; reconfigured the complete config several times, no success.
Windows Firewall is off, reinstalled, no success.
Tested it with a fresh Windows 10 install (main system is Windows 11) - same error in the log.
Exported from Android, where everything works, same error in the log.
I checked the public key in both configs (MikroTik + client) multiple times, copy & pasted it, wrote the lines manually, no connection whatsoever…
I'm 100% sure the config is correct, and like I said - I exported the working config from my Android device and imported it into Windows, still no handshake possible.
I exported the working Android config and imported it into 2 different Windows installations, same issue, still no successful handshake.
Windows firewalls are off - and before, with the Ubuntu WireGuard server, it worked fine, not with the MT.
I don't think it's an MT issue; if it were a problem with the MT itself, no other client would work.
So it has to be some sort of bug or another tiny thing in the config itself maybe?
Other ideas what I can try?
I'm really lost right now, because it makes no sense.
It is working on Android perfectly. The common thing with you guys is that we have MikroTik and the RB5009 specifically. I do not know if this could be related… strange, but..
Below is the Windows config:
Note - the public key of the "Desktop" entry is: tUluRiFoys7Uev+HYr+AKk4BYH+eyWGhSPpmaPL8OU0= (and I double-checked this - multiple times!)
[Interface]
Address = 10.111.20.60/32
DNS = 10.111.2.1/32
PrivateKey = uCbvO9OkVIfIoowhinf/c2T7Bc1QP7tq236HBdqwzXU=
The error appearing in the Windows log is still:
2023-11-07 15:32:04.522260: [TUN] [VPN] Handshake for peer 1 (37.85.XX.XX:13231) did not complete after 5 seconds, retrying (try 7)
2023-11-07 15:32:04.522260: [TUN] [VPN] Sending handshake initiation to peer 1 (37.85.XX.XX:13231)
2023-11-07 15:32:09.626017: [TUN] [VPN] Handshake for peer 1 (37.85.XX.XX:13231) did not complete after 5 seconds, retrying (try
2023-11-07 15:32:09.626017: [TUN] [VPN] Sending handshake initiation to peer 1 (37.85.XX.XX:13231)
Remove the persistent keepalive settings in the MikroTik router settings for client peers. These are useless.
Allowed IPs on Windows,
a. are you sure there are spaces between each entry??
What I was expecting only was 10.111.20.0/24 10.111.2.0/24 / 10.111.3.0/24 / 10.111.4.0/24 / 10.111.5.0/24 doesn't seem to make sense??? How many wg interfaces do you have running on the MT?
Assuming all the rest 192.168… are local subnets on the MT.
Did you try a different DNS setting on Windows, like 1.1.1.1, just for giggles?
Would need to see the full MT config …
/export file=anynameyouwish (minus router serial number, public WANIP information etc.)
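Two of the checks this thread circles around can be done offline before touching the router: whether the public key the router lists for this peer really belongs to the PrivateKey in the Windows config (the first post), and whether AllowedIPs is a clean comma-separated list rather than space- or slash-separated (the reply above). The script below is an added example, not code from the thread, from WireGuard or from MikroTik. It implements X25519 from RFC 7748 in pure Python so the public key can be derived from a private key with no extra packages. The sample config is constructed: it uses the RFC 7748 test-vector keys in place of real ones and a placeholder endpoint, and only the client Address is taken from the thread.

```python
import base64
import ipaddress

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4

def x25519(scalar: bytes, u: bytes = (9).to_bytes(32, "little")) -> bytes:
    """RFC 7748 X25519 (Montgomery ladder). With the default u, the base
    point 9, this turns a private key into the matching public key."""
    k = bytearray(scalar)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64        # RFC 7748 scalar clamping
    k = int.from_bytes(k, "little")
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P   # top bit of u ignored
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_public_key(private_key_b64: str) -> str:
    """Base64 WireGuard private key -> the base64 public key the router must list."""
    priv = base64.b64decode(private_key_b64, validate=True)
    if len(priv) != 32:
        raise ValueError("a WireGuard key is exactly 32 bytes")
    return base64.b64encode(x25519(priv)).decode()

def parse_wg_config(text: str) -> dict:
    """Minimal wg-quick parser; configparser would choke on repeated [Peer] sections."""
    cfg, section = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            section = cfg["Interface"]
        elif line == "[Peer]":
            section = {}
            cfg["Peers"].append(section)
        elif section is None or "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        else:
            key, _, value = line.partition("=")    # base64 '=' padding stays in value
            section[key.strip()] = value.strip()
    return cfg

def parse_allowed_ips(value: str) -> list:
    """AllowedIPs is comma separated; entries separated only by spaces or by
    ' / ' fail here, which is exactly the paste error to look for."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty AllowedIPs entry (double or trailing comma)")
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def check_client_config(client_conf: str, router_peer_pubkey_b64: str) -> dict:
    """Does the key the router lists for this peer match what the client's
    PrivateKey derives to, and does every peer's AllowedIPs parse cleanly?"""
    cfg = parse_wg_config(client_conf)
    derived = wg_public_key(cfg["Interface"]["PrivateKey"])
    allowed = [str(n) for p in cfg["Peers"] for n in parse_allowed_ips(p["AllowedIPs"])]
    return {"derived_public_key": derived,
            "router_key_matches": derived == router_peer_pubkey_b64,
            "allowed_ips": allowed}

# RFC 7748 section 6.1 test vector, standing in for a real key pair.
ALICE_PRIV_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
ALICE_PUB_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PUB_HEX = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
ALICE_PUB_B64 = base64.b64encode(bytes.fromhex(ALICE_PUB_HEX)).decode()

# Constructed sample: Address as in the thread, RFC test-vector keys, placeholder endpoint.
SAMPLE_CONF = f"""
[Interface]
Address = 10.111.20.60/32
DNS = 10.111.2.1
PrivateKey = {base64.b64encode(bytes.fromhex(ALICE_PRIV_HEX)).decode()}

[Peer]
PublicKey = {base64.b64encode(bytes.fromhex(BOB_PUB_HEX)).decode()}
AllowedIPs = 10.111.20.0/24, 10.111.2.0/24
Endpoint = vpn.example.invalid:13231
"""
```

Run `check_client_config()` on the machine that holds the client config, passing the public-key value from the router's peer entry for that client; `router_key_matches` being False means the router is holding a key that does not belong to this private key, whatever the copy-and-paste history says. Keep the private key on that machine: the derivation works locally, so there is no reason for it to appear in a forum post.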
Tried, but it had no positive effect, still the same issue, but thanks for the advice, will remove it from each peer.
Yeah, the spaces are no problem; same config on each Android device and there it works straight away.
10.111.20.0/24 is the WireGuard interface
10.111.2.0/24 is my main subnet/intranet
10.111.3-5.0/24 are my other networks (separated in VLANs - for guest/VPN etc.)
192.168.70.0/24 - First WAN conn - Telekom 4G+
192.168.71.0/24 - Second WAN conn - Telekom 5G
192.168.72.0/24 - Third WAN conn - Vodafone 5G
192.168.73.0/24 - GL.iNet router (old router) which connects to a VPN via Surfshark and serves as an external VPN gateway, which connects via a defined WAN connection to one of the above gateways (had a Lancom router before the MikroTik and the next step is to terminate the Surfshark VPN directly on the MT, but this is a project for another day)
But I tried it with only 10.111.20.0/24 as allowed subnets and it still doesn't work.
Yes, normally in this config DNS is 1.1.1.1 because I only need split tunneling with my WireGuard VPN and my DNS at home is still not configured 100% correctly.
But this didn't work either.
Do you need the full .rsc file?
Because it's a bit confusing and the config is long as heck because I have dozens of routing tables for stable operation (see multiple WANs and use cases for several clients…).
Yeah, it would be much easier with fiber and 1 gig… but here we go, Germany ftw ^^
Better change your keys. You've just reduced the key strength to ~32 bits: a search through the public IP space to find the WG endpoint that responds to that key pair.
Be careful what you copy-paste into a public post!
Of course, like I said, on Android it's working fine. In the WireGuard log on Windows it resolves to the correct WAN public IP, so yes, 100% sure.
My IP address should be one with a location in Germany (I'm German) - and my previously posted IP address is a cellular network IP address from "Deutsche Telekom".
Yes, it's cellular, but with this special APN provided by Deutsche Telekom there is no carrier-grade NAT, so this IP is fully accessible from the outside, no problems.
I live in Germany, so it's not related to my problem?!
Of course, changed both keys, but thanks for your concerns! Really kind.
My IP changes 1-3x randomly a day (because of cellular…)
Yeah sure
At this time I stopped fixing it; I'm not at home this week and needed a working tunnel.
At this point I reactivated my Ubuntu machine, which is working, but the goal is still to get this WireGuard thing on the MT fully working!
Which config do you need? The full config file?
Like I said, I'm lost; in my opinion there should not be an issue in this config.
Hopefully I'm wrong and it's not a bug…
I tried dodging the bullet and not moving to PCC, instead of using ECMP+…
And this was the only fault… corrected the routes and it worked instantly…
Will move to PCC at the weekend.
In addition I will set my routers in front of the MikroTik to IP passthrough mode, so I can avoid "recursive" routing… actually all routers on the WAN ports of the MT are NATed, so double NAT is never a good idea…
But do any of you know what happens in this situation:
wan1 (4G cellular)
→ IP passthrough
→ interface gets its IP via DHCP from the cellular APN
→ the connection drops on the "passthrough" router, so the gateway will not be reachable
→ is the uplink (or route) offline in this case, like I "unplugged" the Ethernet cable? Or will the interface still have the IP assigned to it and all packets will be dropped because "interface seems online / route active"?