DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

wireguard configuration

Thu Jan 28, 2021 10:10 pm

I am experimenting with wg - performance is impressive, but if there is something wrong, I find it hard to debug. I did not come across much documentation so far, is there something detailed around on Mikrotik specifics?

I want to connect multiple peers (Android, iOS, Win10) to a router and tried to have them all on one wireguard interface: 10.0.0.1/24 assigned to the wireguard1, 10.0.0.2/24, 10.0.0.3/24, etc. to the peers (each one of course with separate key pairs). I saw packets incoming, but I could not establish more than one tunnel to a peer, others did not receive responses back from the server. Using a separate wireguard interface for each peer worked: e.g., 10.0.0.1/30 for wireguard1, 10.0.0.2/30 for peer 1, 10.0.0.5/30 for wireguard2, 10.0.0.6/30 for peer 2, etc. I also had to assign different incoming UDP ports to each interface, putting them all on the same port did not work.

I am wondering if this is intended behavior, or if I made mistakes in my configuration? Do I actually need a /30 subnet for each interface and peer?

Overall, it's great if it works, but deployment is hard :-).
Last edited by DL7JP on Fri Jan 29, 2021 1:25 am, edited 1 time in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: wireguard configuration

Fri Jan 29, 2021 1:25 am

One common interface is enough. Why it doesn't work for you, it's hard to tell. I don't think there's anything in current RouterOS to help you with that, some statistics for individual peers, logs, or anything.
 
DL7JP
Frequent Visitor
Topic Author
Posts: 85
Joined: Sat Oct 19, 2013 4:14 pm

Re: wireguard configuration

Fri Jan 29, 2021 11:48 am

> One common interface is enough. Why it doesn't work for you, it's hard to tell. I don't think there's anything in current RouterOS to help you with that, some statistics for individual peers, logs, or anything.

I tried to reproduce this by setting up a new interface, now I can have multiple clients on it. No idea why it was consistently not working before... will keep an eye on it. Some debugging support in a future version would be good, e.g. error messages for arriving UDP packets that cannot be processed or the like.
Anyway, thanks for your help!
 
cybmp3
just joined
Posts: 1
Joined: Thu Apr 08, 2021 1:27 pm

Re: wireguard configuration

Thu Apr 08, 2021 1:38 pm

Encountered the same problem.
 
indy
newbie
Posts: 25
Joined: Sun Mar 22, 2020 10:17 pm

Re: wireguard configuration

Sun Apr 11, 2021 1:57 pm

Overlapping subnets between peers on the same interface probably produce conflicts with the protocol's "cryptokey-routing" feature.
From my interpretation, the allowed addresses are a mix between routing table and ACL.
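
An added example (not part of the thread and not RouterOS code): a small Python model of the cryptokey-routing idea raised in the post above, where one allowed-IPs table is used both to pick the peer for outgoing packets and to filter decrypted incoming ones. The peer names, addresses and the two sample configurations are constructed, and "last peer configured owns a duplicate prefix" is an assumption taken from how the Linux WireGuard implementation behaves.

```python
import ipaddress

class AllowedIPs:
    """Toy model of one WireGuard interface's allowed-IPs (cryptokey routing) table."""

    def __init__(self, config):
        self.owner = {}  # network -> peer; each prefix has exactly one owner
        for peer, prefixes in config.items():
            for p in prefixes:
                # strict=False masks host bits: "10.0.0.2/24" becomes 10.0.0.0/24
                net = ipaddress.ip_network(p, strict=False)
                self.owner[net] = peer  # assumption: last peer configured wins

    def egress_peer(self, dst):
        """Outgoing packet: longest-prefix match selects the peer to encrypt for."""
        addr = ipaddress.ip_address(dst)
        hits = [n for n in self.owner if addr in n]
        return self.owner[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def ingress_ok(self, peer, src):
        """Decrypted packet from `peer` is kept only if src maps back to that peer."""
        return self.egress_peer(src) == peer

# Constructed sample data: tunnel address of each client.
CLIENTS = {"phone": "10.0.0.2", "laptop": "10.0.0.3"}
# Allowed addresses entered with the interface mask: both collapse to 10.0.0.0/24.
OVERLAPPING = {"phone": ["10.0.0.2/24"], "laptop": ["10.0.0.3/24"]}
# One host route per peer: no overlap.
PER_PEER = {"phone": ["10.0.0.2/32"], "laptop": ["10.0.0.3/32"]}

def report(config):
    """Map each client IP to (peer chosen for replies, is its own traffic accepted)."""
    table = AllowedIPs(config)
    return {ip: (table.egress_peer(ip), table.ingress_ok(peer, ip))
            for peer, ip in CLIENTS.items()}

if __name__ == "__main__":
    for name, cfg in (("overlapping /24", OVERLAPPING), ("per-peer /32", PER_PEER)):
        print(name, report(cfg))
```

In the overlapping case replies to 10.0.0.2 are encrypted for the wrong peer and the phone's own packets fail the source check, so only one client works; with /32 entries each address maps to its own peer.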
