 
indymx
just joined
Topic Author
Posts: 13
Joined: Wed Jan 12, 2022 3:38 pm

Wireguard / Windows 11 client no handshake

Sat Jun 03, 2023 2:56 pm

I have two Android devices that are successfully connecting to my MT WireGuard VPN; however, the Windows 11 client gets no handshake. Below is a redacted config (sensitive information removed).

Is there a known issue with the Windows 11 client anyone can point me to? Or is this a config issue that I'm just not seeing?

# jun/03/2023 07:34:10 by RouterOS 7.9.2
# software id = ULHV-P6A5
#
# model = RB2011iLS
# serial number = 
/interface bridge add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet set [ find default-name=ether4 ] rx-flow-control=on tx-flow-control=on
/interface ethernet set [ find default-name=sfp1 ] advertise=100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full
/interface l2tp-ether add allow-fast-path=no circuit-id="" connect-to=0.0.0.0 cookie-length=0 digest-hash=md5 disabled=yes l2tp-proto-version=l2tpv3-ip mtu=auto name=l2tp-ether1 use-ipsec=no use-l2-specific-sublayer=no
# WireGuard listener; every client's Endpoint must use this UDP port
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer add disabled=yes exchange-mode=ike2 name=peer1 passive=yes
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip pool add name=dhcp ranges=10.167.0.150-10.167.0.254
/ip pool add name=pool1 ranges=192.168.0.0/24
/ip dhcp-server add add-arp=yes address-pool=dhcp always-broadcast=yes interface=bridge lease-time=3m name=dhcp1
/port set 0 name=serial0
/ppp profile set *FFFFFFFE use-ipv6=no
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add disabled=no name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2
/user group add name=prometheus policy=read,winbox,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!password,!web,!sniff,!sensitive,!romon,!rest-api
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip settings set max-neighbor-entries=8192
/ipv6 settings set accept-redirects=no disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface detect-internet set detect-interface-list=all wan-interface-list=WAN
/interface l2tp-server server set use-ipsec=yes
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=no
/interface sstp-server server set default-profile=default-encryption enabled=yes
# one peer per client; allowed-address must contain the tunnel Address configured on that client
/interface wireguard peers add allowed-address=192.168.0.2/32 interface=wireguard1 public-key="sdscXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/interface wireguard peers add allowed-address=192.168.0.4/32 interface=wireguard1 public-key="7wl/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/interface wireguard peers add allowed-address=192.168.0.3/32 interface=wireguard1 public-key="hif8XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/ip address add address=10.167.0.1/24 comment=defconf interface=bridge network=10.167.0.0
# router's own tunnel address; 192.168.0.0/24 is the subnet clients need in their AllowedIPs
/ip address add address=192.168.0.1/24 interface=wireguard1 network=192.168.0.0
/ip cloud set ddns-enabled=yes
/ip cloud advanced set use-local-address=yes
/ip dhcp-client add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server config set store-leases-disk=immediately
/ip dns set servers=10.167.0.8,10.167.0.12
/ip dns static add address=10.167.0.1 comment=defconf name=router.lan
/ip firewall address-list add address=10.167.0.0/24 list=LAN
/ip firewall address-list add address=xx.sn.mynetname.net list=WAN
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward connection-state=established,related
/ip firewall filter add action=accept chain=input comment="accept established,related" connection-state=established,related
# accept WireGuard handshakes before the catch-all drop that follows
/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp
# the drop only applies to ether1; input arriving via bridge or wireguard1 falls through to the default accept
/ip firewall filter add action=drop chain=input comment="block everything else" in-interface=ether1
/ip firewall filter add action=drop chain=forward connection-state=invalid
/ip firewall mangle add action=mark-connection chain=prerouting dst-address-list=WAN new-connection-mark="Hairpin Nat" passthrough=yes src-address-list=LAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/ip firewall nat add action=masquerade chain=srcnat dst-address=10.167.0.0/24 src-address=10.167.0.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.0.0/24
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=53 log=yes protocol=udp src-address=!10.167.0.8 to-addresses=10.167.0.8 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=53 log=yes protocol=tcp src-address=!10.167.0.8 to-addresses=10.167.0.8 to-ports=53
/ip firewall nat add action=masquerade chain=srcnat disabled=yes dst-address=10.167.0.8 dst-port=53 protocol=tcp src-address=10.167.0.0/24
/ip firewall nat add chain=srcnat
/ip firewall nat add chain=srcnat
/ip ipsec policy set 0 disabled=yes
/ip route add check-gateway=ping disabled=yes dst-address=0.0.0.0/0 gateway=ether1
/ip route add check-gateway=ping disabled=yes dst-address=0.0.0.0/0 gateway=ether1
# password SSH login stays permitted even for users that have a public key installed
/ip ssh set always-allow-password-login=yes forwarding-enabled=both strong-crypto=yes
/ip upnp interfaces add disabled=yes interface=ether2 type=internal
/ipv6 nd set [ find default=yes ] advertise-dns=no disabled=yes interface=bridge managed-address-configuration=yes ra-interval=20s-1m
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp server set broadcast=yes enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers add address=129.6.15.28
/system ntp client servers add address=132.163.96.1
/system scheduler add interval=1d name=reboot-3am on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/17/2022 start-time=03:00:00
/system watchdog set watchdog-timer=no


 
holvoetn
Forum Guru
Posts: 5326
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard / Windows 11 client no handshake

Sat Jun 03, 2023 3:08 pm

If the Android clients work, most likely the issue is with the config on Windows side.
Show that config too please.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard / Windows 11 client no handshake

Sat Jun 03, 2023 3:20 pm

There must be Windows 11 issues. Firewall perhaps? Antivirus program?
 
indymx
just joined
Topic Author
Posts: 13
Joined: Wed Jan 12, 2022 3:38 pm

Re: Wireguard / Windows 11 client no handshake

Sun Jun 04, 2023 4:04 am

I have disabled the Windows firewall... I will dig in further to see if anything else could be blocking it, but nothing I'm aware of.
 
indymx
just joined
Topic Author
Posts: 13
Joined: Wed Jan 12, 2022 3:38 pm

Re: Wireguard / Windows 11 client no handshake

Sun Jun 04, 2023 5:01 am

My Windows 11 client config is (redacted of course):
[Interface]
PrivateKey = ECgkF9CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Address = 192.168.0.3/32
DNS = 192.168.0.1
MTU = 1420

[Peer]
PublicKey = 3OEST0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 192.168.0.0/24, 10.167.0.0/24
Endpoint = XX.XX.XX.XX:13231
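
As an added example (not code from the thread, from MikroTik or from the WireGuard project), the script below cross-checks a wg-quick client file against a RouterOS export for the mismatches that prevent or degrade a handshake: malformed keys, Endpoint port versus listen-port, an input-chain accept for that UDP port, a router peer whose allowed-address covers the client's tunnel Address, and the two points raised later in this thread (no PersistentKeepalive on a roaming client, and a literal Endpoint IP on a router that relies on cloud DDNS). The two embedded configs are constructed to mirror the redacted ones posted above; the keys are synthetic and 203.0.113.10 stands in for the redacted WAN address.

```python
"""Cross-check a WireGuard client config against a RouterOS export (added example).
Both configs are constructed to mirror the redacted ones in the thread: the keys are
synthetic (right shape, not real keys) and 203.0.113.10 stands in for the WAN address."""
import base64, binascii, ipaddress, re

def fake_key(seed):
    """32 bytes in WireGuard's base64 form; correct format only, never a usable key."""
    return base64.b64encode(bytes([seed]) * 32).decode()

CLIENT_CONF = f"""
[Interface]
PrivateKey = {fake_key(1)}
Address = 192.168.0.3/32
DNS = 192.168.0.1

[Peer]
PublicKey = {fake_key(2)}
AllowedIPs = 192.168.0.0/24, 10.167.0.0/24
Endpoint = 203.0.113.10:13231
"""

ROUTER_EXPORT = f"""
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers add allowed-address=192.168.0.2/32 interface=wireguard1 public-key="{fake_key(3)}"
/interface wireguard peers add allowed-address=192.168.0.3/32 interface=wireguard1 public-key="{fake_key(4)}"
/ip address add address=192.168.0.1/24 interface=wireguard1 network=192.168.0.0
/ip cloud set ddns-enabled=yes
/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp
/ip firewall filter add action=drop chain=input comment="block everything else" in-interface=ether1
"""

def parse_client(text):
    """wg-quick INI -> {section: {key: value}}."""
    sections, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            cur = line.strip("[]")
            sections[cur] = {}
        else:
            k, _, v = line.partition("=")
            sections[cur][k.strip()] = v.strip()
    return sections

def parse_router(text):
    """RouterOS export -> {menu path: [args of each add/set line]}; values may be "quoted"."""
    arg = re.compile(r'(\S+?)=(?:"([^"]*)"|(\S+))')
    rules = {}
    for line in (l.strip() for l in text.splitlines()):
        path, sep, rest = line.partition(" add ")
        if not sep:
            path, sep, rest = line.partition(" set ")
        if sep and line.startswith("/"):
            args = {m[1]: m[2] if m[2] is not None else m[3] for m in arg.finditer(rest)}
            rules.setdefault(path, []).append(args)
    return rules

def valid_key(k):
    """WireGuard keys are exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(k, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def audit(client_text, router_text):
    """Return [(level, code, message)]: FAIL = no handshake possible, WARN = tunnel is fragile."""
    out, c, r = [], parse_client(client_text), parse_router(router_text)
    iface, peer = c.get("Interface", {}), c.get("Peer", {})
    wg = r.get("/interface wireguard", [{}])[0]
    peers = r.get("/interface wireguard peers", [])
    lport = wg.get("listen-port")
    # 1. Malformed keys: anything that is not 32 base64 bytes can never complete a handshake.
    keys = [("client PrivateKey", iface.get("PrivateKey", "")), ("client PublicKey", peer.get("PublicKey", ""))]
    keys += [(f"router peer {p.get('allowed-address')}", p.get("public-key", "")) for p in peers]
    out += [("FAIL", "bad-key", f"{who}: not a 32-byte base64 key") for who, k in keys if not valid_key(k)]
    # 2. Endpoint port must equal listen-port, and the input chain must accept that UDP port.
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if port != lport:
        out.append(("FAIL", "port-mismatch", f"Endpoint port {port!r} but router listens on {lport}"))
    if not any(f.get("chain") == "input" and f.get("action") == "accept" and f.get("protocol") == "udp"
               and f.get("dst-port") == lport for f in r.get("/ip firewall filter", [])):
        out.append(("FAIL", "no-input-accept", f"no input accept rule for udp/{lport}"))
    # 3. Some router peer's allowed-address must cover the client's tunnel Address; otherwise the
    #    handshake completes but the router drops every decrypted packet as a source mismatch.
    addr = ipaddress.ip_interface(iface["Address"]).ip
    if not any(addr in ipaddress.ip_network(p["allowed-address"], strict=False)
               for p in peers if "allowed-address" in p):
        out.append(("WARN", "no-peer-for-address", f"no router peer has allowed-address covering {addr}"))
    # 4. Roaming laptop behind NAT: without PersistentKeepalive the NAT mapping expires between
    #    bursts and router-to-client packets are lost until the client next sends something.
    if "PersistentKeepalive" not in peer:
        out.append(("WARN", "no-keepalive", "no PersistentKeepalive on the client (25 is the usual value)"))
    # 5. Literal IP endpoint while the router relies on cloud DDNS: a WAN address change strands the client.
    ddns = any(s.get("ddns-enabled") == "yes" for s in r.get("/ip cloud", []))
    if ddns and re.fullmatch(r"[\d.]+|\[[0-9a-fA-F:]+\]", host):
        out.append(("WARN", "endpoint-literal-with-ddns", f"Endpoint {host} is a fixed IP; use the router's DDNS name"))
    return out

if __name__ == "__main__":
    for level, code, msg in audit(CLIENT_CONF, ROUTER_EXPORT):
        print(f"{level} [{code}] {msg}")
```

Run against configs shaped like the ones posted here, it reports no FAIL and two WARNs (keepalive, literal endpoint). What it cannot check from these two files is whether the client's PrivateKey actually corresponds to the public-key entered for it on the router, or whether the client's PublicKey is the router interface's key; both need X25519, and a mismatch there gives exactly the silent "no handshake" described in this thread, so compare them by hand (`wg pubkey` fed the private key on the client, `/interface wireguard print` on the router). A broken client install or a router that needs a reboot, as later in this thread, is outside what any static check can see.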

 
indymx
just joined
Topic Author
Posts: 13
Joined: Wed Jan 12, 2022 3:38 pm

Re: Wireguard / Windows 11 client no handshake  [SOLVED]

Sun Jun 04, 2023 5:23 am

It appears that it was a bad install. I had originally installed a version from the Microsoft Store and that one does not work. Uninstalled, reinstalled from the WireGuard website and recreated the tunnel, and everything on the Windows 11 laptop is functioning correctly now.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard / Windows 11 client no handshake

Sun Jun 04, 2023 3:33 pm

So the advice is to be sure to download WireGuard for Windows from the official WireGuard website?
 
indymx
just joined
Topic Author
Posts: 13
Joined: Wed Jan 12, 2022 3:38 pm

Re: Wireguard / Windows 11 client no handshake

Mon Jun 05, 2023 12:06 am

Yes sir, that definitely seems to be the case. The version downloaded from the Microsoft Store looked identical to the version from the WireGuard website, with the exception of it not working at all. ;) Live and learn. :D
 
indymx
just joined
Topic Author
Posts: 13
Joined: Wed Jan 12, 2022 3:38 pm

Re: Wireguard / Windows 11 client no handshake

Sat Jun 10, 2023 5:36 pm

Ok. I was at home when I tested this and it was working, both connected to my home wifi and via my phone's hotspot (this is how I connect when I am away from home).

Now that I am out on the road, I am getting the "no handshake" again.

Nothing about the setup has changed other than the location I am sitting.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard / Windows 11 client no handshake

Sat Jun 10, 2023 6:00 pm

It is useless to check WireGuard from your home wifi.
You should be checking from your phone using your cellular connection.

You are missing the keepalive setting on the client?
 
indymx
just joined
Topic Author
Posts: 13
Joined: Wed Jan 12, 2022 3:38 pm

Re: Wireguard / Windows 11 client no handshake

Sun Jun 11, 2023 4:45 pm

Had my wife reboot the router; it started working again after that. Not sure what the issue was...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard / Windows 11 client no handshake

Sun Jun 11, 2023 7:37 pm

It's possible the WAN IP changed, if dynamic...
 
indymx
just joined
Topic Author
Posts: 13
Joined: Wed Jan 12, 2022 3:38 pm

Re: Wireguard / Windows 11 client no handshake

Mon Jun 12, 2023 5:56 am

I thought of that as well, but that wasn't the case. I have a couple of port-forwarded services behind the firewall that were not working either; something was not happy on the router...
 
MatoB
just joined
Posts: 6
Joined: Tue Jun 06, 2023 10:33 am

Re: Wireguard / Windows 11 client no handshake

Mon Jun 12, 2023 10:01 am

Hi there,
I've got a question regarding a WireGuard problem. My WG interface is 10.255.255.1/24; in WG interface/Peers the allowed address is 10.255.255.3/32. I have two subnets, the first one is 172.16.0.1/22 and the other one is 172.16.10.1/22. The problem is that I want the WG to be able to reach both of my networks, but unfortunately the interface works only with the first network, 172.16.0.1/22. I have also put the allowed address into the configuration file, but nothing helped. The route is set default 10.255.255.0/24 to Gateway: wireguard1.
I don't know what I did wrong; does anybody have any kind of idea?
Thanks a lot
Martin
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard / Windows 11 client no handshake

Thu Jun 15, 2023 8:04 pm

It's called starting your own thread. Please post separately, and I will have a look.
 
MatoB
just joined
Posts: 6
Joined: Tue Jun 06, 2023 10:33 am

Re: Wireguard / Windows 11 client no handshake

Sun Jun 18, 2023 10:41 am

It's called starting your own thread. Please post separately, and I will have a look.
I'm sorry for messing this up. It was the first time for me to post and ask for something. I've made a new topic:
Is it okay like this:
viewtopic.php?t=197152
