ghostzero
just joined
Topic Author
Posts: 22
Joined: Sun May 30, 2021 1:26 am

WireGuard - 7.1beta6 - Can't get it to work - Howto setup?

Sun May 30, 2021 2:56 am

Hi,

one of the reasons I upgraded to the RouterOS v7 BETA was the WireGuard VPN feature.

I have tried to set it up but I just can't seem to get it working. I already have IKEv2 VPN in use but the certificate management is kind of annoying (small business - mostly just family members).

I set up a "/interface/wireguard" and a corresponding peer.
Then I installed the Android App and configured the other site with the corresponding public keys - copied them between the devices so it cannot be a typo.

I opened the port for UDP and chain input in the firewall. I tried with "0.0.0.0/0" in allowed IPs and the expected VPN IP address.

I use the same network address as the IKEv2 VPN, so the firewall rules themselves should work fine.

Now, I just can't seem to get it working. I get some tx and rx packets but I cannot access any of the internal devices.

Furthermore, sometimes if I delete the WireGuard configuration the router kind of freezes and I have to cut the power supply. Any ideas what I could be doing wrong? As it didn't work and due to the freezes, for now I have deleted the config again.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Mon May 31, 2021 1:49 pm

 
ghostzero
Topic Author

Mon May 31, 2021 8:15 pm

@anav Thanks. I will check it out and hopefully can get it working.
 
normis
MikroTik Support
Posts: 26287
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Tue Jun 01, 2021 1:21 pm

 
anav
Forum Guru

Tue Jun 01, 2021 2:29 pm

@Normis some observations/questions:

(1) Why is it necessary to assign an IP address to the wireguard interface? For example, in my wireguard setup between two MT routers and an iphone and MT router I do no such thing.

(2) I am using IP cloud addresses from MT devices as endpoint address and source addresses. The latter I know maintains the mynetname and (dynamically) resolves it to the current name. It appears that may not be the case for the wireguard tunnel. Can you confirm that using MT mynetname in the wireguard endpoint address will continue to resolve the name properly if the IP changes? If not, can you please add that functionality, because it's a. plain smart and b. be consistent in MT configuration expectations/functionality.

(3) I think you should add an example of smart phone to manage MT router via MT app as well, as a practical use of Wireguard functionality.
 
ghostzero
Topic Author

Tue Jun 01, 2021 8:58 pm

@Normis Thanks for the documentation. What I am missing is how to set it up with mobile endpoints because those do not have a fixed IP and in your configuration both offices specify a listen port and endpoint address.

I guess I can just skip the listen port and endpoint address on the mobile endpoint and it should work?

@anav I think you need the IP address assigned in case you e.g. want to access the router as DNS server or similar? Not 100% sure though.
 
anav
Forum Guru

Tue Jun 01, 2021 10:33 pm

Hi ghost, one of my clients is my iphone so if you need help with the dynamic scenario let me know.
Hmm well considering my client devices use my router for internet, they are using my router for DNS services already??
 
ghostzero
Topic Author

Tue Jun 01, 2021 11:04 pm

Well my scenario would be more for external clients to connect via wireguard and then use the router as DNS to access internal services. I think for this you need to assign an IP to the wireguard interface but not 100% sure.

I will probably not be able to do further tests until Thursday, Friday or Saturday. I will let you know about the results then.
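
A router-side configuration for the roaming-phone scenario described in the posts above, as an added example that is not part of the thread or of MikroTik's documentation. The interface name `wg-mobile`, port 13231, tunnel subnet 10.10.10.0/24, LAN 192.168.88.0/24, the LAN interface `bridge`, the host name and the key placeholders are all assumptions.

```routeros
# Added example, not from the thread. Names, addresses and the port are
# assumed values; keys are placeholders.

# Tunnel interface. RouterOS generates the key pair when none is given.
# The listen port is the only port that must be reachable from outside.
/interface/wireguard
add name=wg-mobile listen-port=13231

# Address on the tunnel, so clients can reach the router itself
# (for example as DNS resolver) at 10.10.10.1.
/ip/address
add address=10.10.10.1/24 interface=wg-mobile

# One peer per phone. No endpoint-address/endpoint-port is set: a roaming
# client has no fixed address, so the router learns it from the handshake.
# allowed-address is the only inner source address accepted from this key,
# so keep it to the single /32 assigned to that phone.
/interface/wireguard/peers
add interface=wg-mobile public-key="<PHONE_PUBLIC_KEY>" allowed-address=10.10.10.2/32

# Let the router answer DNS queries. Only safe while input from the WAN
# side is dropped by the firewall.
/ip/dns
set allow-remote-requests=yes

# Firewall: these rules must sit above any drop rule in their chain.
# Return traffic relies on an existing established/related accept rule.
/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard tunnel"
add chain=input action=accept in-interface=wg-mobile protocol=udp dst-port=53 comment="DNS from VPN clients"
add chain=forward action=accept in-interface=wg-mobile out-interface=bridge dst-address=192.168.88.0/24 comment="VPN clients to LAN"

# Matching settings in the phone's WireGuard app (not RouterOS commands):
#   [Interface]
#   PrivateKey = <PHONE_PRIVATE_KEY>
#   Address    = 10.10.10.2/32
#   DNS        = 10.10.10.1
#   [Peer]
#   PublicKey  = <ROUTER_PUBLIC_KEY>
#   Endpoint   = router.example.net:13231
#   AllowedIPs = 10.10.10.0/24, 192.168.88.0/24
#   PersistentKeepalive = 25
```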
 
anav
Forum Guru

Tue Jun 01, 2021 11:26 pm

Interesting, my guess is that for internal service within the router, you don't need DNS, you need forward chain firewall rules.
 
ghostzero
Topic Author

Wed Jun 02, 2021 9:36 pm

Yes. At least that is my guess. As long as you only need to access devices inside the network and not the router itself, it most likely is enough to not assign an IP address. Cannot be sure, of course, but I might test this later on. But first I need to get it working in general but I think I know now what I forgot during my first tries, so I am hopeful.
 
anav
Forum Guru

Thu Jun 03, 2021 1:42 am

ghostzero wrote: "Yes. At least that is my guess. As long as you only need to access devices inside the network and not the router itself, it most likely is enough to not assign an IP address. Cannot be sure, of course, but I might test this later on. But first I need to get it working in general but I think I know now what I forgot during my first tries, so I am hopeful."

Actually ghostzero, in my configuration not only do I reach and configure the RBG router behind the CCR1009 from my cell phone, I also reach and manage the CCR1009, and for the icing on the cake I also manage the other end of the tunnel through the tunnel, and reach the RB4011 with my cell phone and configure the RB4011. No IP address associated with wireguard interface anywhere!!
 
ghostzero
Topic Author

Thu Jun 03, 2021 9:33 am

OK, but that only works if you can access the router through an IP outside the VPN subnet and have wireguard go over it. If you want to use an IP in the same subnet and have wireguard be outside your router's subnets, I think you need to assign an IP to the router, though it might not be needed in most scenarios as one intends to forward to local IPs anyway.

So I would say it probably depends on the exact use case configuration, if it is needed. I definitely think I will need to assign an IP to my router as I will use the router as DNS but in the VPN subnet but if one doesn't do so, it might not be needed.
However, I think in case you want to use your router as endpoint you most likely will need it as it is relevant for the allowed address list of the target endpoint.

But I think the most important thing is that it works for one's configuration, no matter if an IP has to be assigned or not :)
 
anav
Forum Guru

Thu Jun 03, 2021 3:40 pm

Concur with your last statement.
However the first comment was wishy washy ("if you want to use an IP in the same subnet and have wireguard be outside your router's subnets, I think you need to assign an IP to the router though it might not be needed in most scenarios as one intends to forward to local IPs anyway").

I don't even know what that means and would need a practical example of such a case. So far there is nothing I cannot do through the tunnel in terms of accessing subnets on any connected device.
It sounds like for some reason you want to create a separate subnet for a device to belong to behind the router ............but why??
 
ghostzero
Topic Author

Thu Jun 03, 2021 5:47 pm

@anav Probably not explained too well what I meant and I don't know if I actually will do with this post.

But I am currently using ipsec for VPN and there no interface existed, the clients just got an IP assigned, so I was using multiple subnets to give different VPN clients different permissions - would not have been necessary but it made it easier to configure.
This should not be necessary with Wireguard as an interface is created and permissions/routes/firewall rules can be assigned using the interface.
However, I already have the rules from my ipsec VPNs active, so I most likely will keep them with Wireguard for convenience's sake. At least in the beginning.

But as mentioned in my previous post, the most important thing is to get it working as I expect it to, so I will probably do some experimenting once I have time.

Hopefully over the weekend I will be able to find the time to do some trials and get it working.

Also thanks for your input.
 
anav
Forum Guru

Thu Jun 03, 2021 7:43 pm

That makes sense in terms of transferring from ipsec to wireguard in your scenario!! Gluck in testing.
 
ghostzero
Topic Author

Mon Jun 07, 2021 7:29 am

Sadly, I didn't find time to do any tests over the weekend. Not sure yet, when I will find them but I will let you know about the results once I do.
 
ghostzero
Topic Author

Fri Jul 30, 2021 2:56 pm

We have made documentation here: https://help.mikrotik.com/docs/display/ROS/WireGuard
Sadly, I want to set it up for mobile clients, so this is not really helpful.
I tried a lot and stumbled upon these threads:
viewtopic.php?t=174417
viewtopic.php?t=173561

and I am having the same issues. I can establish the wireguard connection but no forwarding to internal networks happens. I don't see any dropped packets in the firewall either, also I moved all relevant allow rules to the top of the firewall.

Would be nice if there is an example of how to configure this and maybe also a troubleshoot section.

In my tests I also noticed various issues regarding wireguard interface/peer changes which kind of freeze the router: viewtopic.php?f=1&t=177223
which makes testing way more complicated.
 
anav
Forum Guru

Fri Jul 30, 2021 6:25 pm

Hey ghost,
a. draw a network diagram of what you intend.
b. post your config
/export hide-sensitive file=anynameyouwish

c. post pics of wireguard settings on server router and on a client device (let's say iphone)
(and just use fake numbers for the pics but in the right spots to give us an idea of what you are filling in where)
 
ghostzero
Topic Author

Fri Jul 30, 2021 9:49 pm

I have now tried forwarding the WireGuard Port to my Internet fallback Mikrotik router instead of the main one and try WireGuard there. I used the same configurations with the same allow rules etc. and I got it working immediately without any issues. Access to internal networks was immediately possible, forwarding to internal LAN required some mangle rules because the default gateway for the internal LAN devices is not the fallback router but once I did so even those worked.

Needed to forward the traffic as the fallback internet is not on an open public IP, so I cannot access the router from it.
On my main router I was not even able to ping the router itself.

So I guess this might be a hardware specific issue.

My Internet fallback router is a: RBwAPR-2nD (MIPSBE)

And my main router is a CCR1009-7G-1C-1S+ (TILE)
 
anav
Forum Guru

Fri Jul 30, 2021 11:11 pm

Interesting,
I have my ccr1009 as my main router (stock firmware) and behind that using the RB450Gx4 as the wireguard server (beta firmware), at the other end, I am using an RB4011 behind an ISPs modem/router hub as the client (also on beta firmware)
I also use my iphone as a client device.
 
ghostzero
Topic Author

Sat Jul 31, 2021 12:36 am

Maybe I will buy a cheap corresponding device for wireguard server too and return the main to stock firmware. Would probably be a better solution currently anyway - until ROS7 is at least in RC status - but I wanted to test it first before committing.
 
ghostzero
Topic Author

Sat Jul 31, 2021 5:05 pm

I have now ordered a "RBD52G-5HacD2HnD-TC" to use for VPN for now. I only have one or two clients at once, so it should have more than enough bandwidth and it is ARM 32Bit based like your devices are.
