paintballer4lfe
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue Dec 06, 2016 5:10 pm

Wireguard?!?!?!?!

Mon Mar 08, 2021 8:17 pm

I have a CHR running beta 3 and a 3011 running beta 4 and really I'm just trying to get a wireguard tunnel up.

Wireguard config on CHR
IP set to 172.2.2.1 for wireguard interface
/interface wireguard
add listen-port=13259 mtu=1420 name=wireguardSRV private-key="<key>"
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguardSRV persistent-keepalive=15s public-key="<client-pub-key>"
RB3011 config
IP set to 172.2.2.2 for wireguard interface
/interface wireguard
add listen-port=5149 mtu=1420 name=CHR-WG1 private-key="<key>"
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=70.39.x.x endpoint-port=13259 interface=CHR-WG1 persistent-keepalive=15s public-key="<server-pub-key>"
Firewall and NAT are basically disabled on both ends (I allow unrestricted access for both my WANs on the RB3011 and the CHR).

There's absolutely no logging for WireGuard, so no freaking clue why the tunnel won't come up.
Last edited by paintballer4lfe on Mon Mar 08, 2021 9:44 pm, edited 3 times in total.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Wireguard with dual WAN - Routing?!?!?!

Mon Mar 08, 2021 9:26 pm

/routing table
add name=ether1
/ip mangle
add action=mark-routing chain=prerouting in-interface=ether1 passthrough=no
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=70.39.67.49 routing-table=ether1 scope=30 target-scope=10
This is the mangle config on my CHR which yeah does nothing in terms of routing data back out through ether1 lol.
I haven't personally used policy routing yet in RouterOS 7, but even for RouterOS 6 this doesn't make sense. You are telling your router to take any packet that is received on ether1 and immediately send it back out ether1 again instead of delivering it like normal. So your gateway (ISP?) is going to send the packet back to you and you are going to send it back to the gateway and so on in a loop until the TTL finally expires. And you seem to be missing the routing mark to set in the mark-routing mangle rule, so even that loop will not be happening right now.
 
paintballer4lfe
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue Dec 06, 2016 5:10 pm

Re: Wireguard with dual WAN - Routing?!?!?!

Mon Mar 08, 2021 9:42 pm

/routing table
add name=ether1
/ip mangle
add action=mark-routing chain=prerouting in-interface=ether1 passthrough=no
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=70.39.67.49 routing-table=ether1 scope=30 target-scope=10
This is the mangle config on my CHR which yeah does nothing in terms of routing data back out through ether1 lol.
I haven't personally used policy routing yet in RouterOS 7, but even for RouterOS 6 this doesn't make sense. You are telling your router to take any packet that is received on ether1 and immediately send it back out ether1 again instead of delivering it like normal. So your gateway (ISP?) is going to send the packet back to you and you are going to send it back to the gateway and so on in a loop until the TTL finally expires. And you seem to be missing the routing mark to set in the mark-routing mangle rule, so even that loop will not be happening right now.
Alright, cool, yeah, just ignore the routing stuff; I redid the thread so I can just figure out why WireGuard isn't functioning. The mangle stuff I can deal with way later, since I have it working fine in my core and I don't think I should have to use mangle for a simple WireGuard setup.

So yeah, if you know anything about WireGuard, glance at the new thread data and see if anything is missing or incorrect.
 
paintballer4lfe
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue Dec 06, 2016 5:10 pm

Re: Wireguard?!?!?!?!

Mon Mar 08, 2021 11:37 pm

Tested with the Windows WireGuard client since, ya know, logging isn't needed for Tiks. Handshake fails on the client; the Tik sees the packets coming in but has an unknown(0) for out interface. Seems the Tik doesn't know what to do with the WireGuard packets.

I have an SSTP tunnel up on the CHR and it's working fine. But I'm trying to bring up a WireGuard tunnel for testing and a potential port over from SSTP.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Wireguard?!?!?!?!

Tue Mar 09, 2021 4:51 am

Tested with the Windows WireGuard client since, ya know, logging isn't needed for Tiks. Handshake fails on the client; the Tik sees the packets coming in but has an unknown(0) for out interface. Seems the Tik doesn't know what to do with the WireGuard packets.

I have an SSTP tunnel up on the CHR and it's working fine. But I'm trying to bring up a WireGuard tunnel for testing and a potential port over from SSTP.
I haven't used WireGuard before, but I was able to create a functional WireGuard tunnel between my two MikroTik devices at home (both 7.1beta4) following this tutorial:

https://www.youtube.com/watch?v=lS4zeMACT3w

It is up and running and passes traffic just fine. The only part that wasn't super obvious is that I didn't have to manually specify a private key - leaving it blank and clicking OK or Apply will result in a proper private key being auto generated.
 
paintballer4lfe
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue Dec 06, 2016 5:10 pm

Re: Wireguard?!?!?!?!

Tue Mar 09, 2021 6:56 pm

Tested with the Windows WireGuard client since, ya know, logging isn't needed for Tiks. Handshake fails on the client; the Tik sees the packets coming in but has an unknown(0) for out interface. Seems the Tik doesn't know what to do with the WireGuard packets.

I have an SSTP tunnel up on the CHR and it's working fine. But I'm trying to bring up a WireGuard tunnel for testing and a potential port over from SSTP.
I haven't used WireGuard before, but I was able to create a functional WireGuard tunnel between my two MikroTik devices at home (both 7.1beta4) following this tutorial:

https://www.youtube.com/watch?v=lS4zeMACT3w

It is up and running and passes traffic just fine. The only part that wasn't super obvious is that I didn't have to manually specify a private key - leaving it blank and clicking OK or Apply will result in a proper private key being auto generated.
Yeah, what that guy does in the video is how mine are set up. It's not negotiating the actual key exchange according to the Windows client logs, so my CHR is apparently refusing to allow keys to be exchanged and checked. And yes, it is configured correctly.
