I can connect and handshaking works. It is my understanding that I should now be able to ping the Wireguard server from the client, which I cannot.
Server config:
Code: Select all
# jun/04/2023 16:14:56 by RouterOS 7.9
# software id = 95II-DH98
#
# model = CCR1009-7G-1C-1S+
# serial number = HE808VWZSKD
/interface bridge
add arp=proxy-arp fast-forward=no mtu=1500 name=bridgeLAN
add arp=proxy-arp fast-forward=no mtu=1500 name=bridgeWAN
/interface ethernet
set [ find default-name=ether1 ] comment="to Internet/Zeecon" l2mtu=1588
set [ find default-name=ether2 ] l2mtu=1588
set [ find default-name=ether3 ] l2mtu=1588
set [ find default-name=ether4 ] comment="to switch/LAN"
/interface wireguard
add listen-port=44355 mtu=1420 name=wireguard
/interface list
add exclude=dynamic name=discover
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=OVPN_Pool ranges=172.16.100.100-172.16.100.150
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add local-address=172.16.100.1 name=Open-VPN-Profile remote-address=OVPN_Pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name="" disk-lines-per-file=500
/certificate settings
set crl-download=yes crl-use=yes
/interface bridge port
add bridge=bridgeWAN hw=no ingress-filtering=no interface=ether1
add bridge=bridgeWAN hw=no ingress-filtering=no interface=ether2
add bridge=bridgeLAN hw=no ingress-filtering=no interface=ether3
add bridge=bridgeLAN hw=no ingress-filtering=no interface=ether4
/ip settings
set accept-redirects=yes max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=sfp-sfpplus1 list=discover
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=bridgeLAN list=discover
add interface=bridgeWAN list=LAN
add interface=wireguard list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256-cbc enabled=yes \
require-client-certificate=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set default-profile=Open-VPN-Profile
/interface wireguard peers
add allowed-address=10.10.105.3/32 interface=wireguard public-key=\
"haBPq4+PwfvYZllBDQbQXjcPm90bL2JbkJAx9cbkAH4="
/ip address
add address=[public_ip_router]/30 comment="Static Internet Address" interface=\
bridgeWAN network=[ISP_gateway]
add address=172.16.0.1/22 interface=bridgeLAN network=172.16.0.0
add address=192.168.1.1/22 comment="subnet for ubiquiti m5 ap and clients" \
interface=bridgeLAN network=192.168.0.0
add address=10.10.105.1/24 interface=wireguard network=10.10.105.0
/ip dns
set servers=8.8.4.4, xxx.xxx.xxx.xxx
/ip firewall address-list
add address=xxx.xxx.xxx.xxx/24 list=Administrator
add address=xxx.xxx.xxx.xxx/24 list=Administrator
add address=xxx.xxx.xxx.xxx/24 list=Administrator
/ip firewall filter
add action=drop chain=input comment="drop DNS from WAN" connection-state=new \
dst-port=53 in-interface=bridgeWAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface=bridgeWAN protocol=udp
add action=accept chain=input comment="allow established connections" \
connection-state=established
add action=accept chain=input comment="allow related connections" \
connection-state=related
add action=accept chain=input dst-port=44355 log=yes log-prefix=wg protocol=\
udp src-address-list=Administrator
add action=drop chain=input comment="drop invalid connections" \
connection-state=invalid
add action=accept chain=input comment=\
"allow external ICMP for admin range only" in-interface=bridgeWAN \
protocol=icmp src-address-list=Administrator
add action=accept chain=input comment="Allow local ICMP" in-interface=\
bridgeLAN protocol=icmp
add action=accept chain=input comment="accept local traffic" disabled=yes \
in-interface=!bridgeWAN src-address=172.16.0.0/22
add action=accept chain=input in-interface=bridgeLAN
add action=accept chain=input comment="allow RDP for admin range only" \
dst-port=51572 log-prefix=RDP protocol=tcp src-address-list=Administrator
add action=accept chain=input comment=\
"allow winbox only for admin range only" dst-port=8291 protocol=tcp \
src-address-list=Administrator
add action=accept chain=input comment=\
"allow webgui only for admin range only" dst-port=80 protocol=tcp \
src-address-list=Administrator
add action=accept chain=input comment=\
"allow OpenVPN only for admin range only" dst-port=1194 log=yes \
log-prefix=1194 protocol=tcp src-address-list=Administrator
add action=accept chain=input disabled=yes dst-port=1194 log=yes log-prefix=\
1194 protocol=udp
add action=accept chain=input comment="allow ssh only for admin range only" \
dst-port=22 protocol=tcp src-address-list=Administrator
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="default fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="allow established connections" \
connection-state=established
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface=bridgeLAN out-interface=bridgeWAN
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward disabled=yes in-interface=bridgeWAN \
src-address=172.16.100.0
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="internet traffic NAT rule" \
out-interface=bridgeWAN
add action=dst-nat chain=dstnat comment="Panasonic PBX" dst-port=38760 \
in-interface=bridgeWAN protocol=tcp to-addresses=172.16.5.100 to-ports=\
38760
add action=dst-nat chain=dstnat disabled=yes dst-address=[public_ip_of_router] \
dst-port=38760 protocol=tcp to-addresses=172.16.0.152 to-ports=38760
add action=dst-nat chain=dstnat disabled=yes dst-address=[public_ip_of_router] \
dst-port=38760 protocol=tcp to-addresses=172.16.5.100 to-ports=38760
add action=dst-nat chain=dstnat disabled=yes dst-address=[public_ip_of_router] \
icmp-options=8:8 protocol=icmp to-addresses=172.16.0.220
add action=dst-nat chain=dstnat comment=RDP dst-port=51572 log=yes \
log-prefix=RDP protocol=tcp to-addresses=172.16.0.220 to-ports=3389
add action=masquerade chain=srcnat comment=OpenVPN disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=[ISP_gateway]
add disabled=yes dst-address=172.16.0.220/32 gateway=*E
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox address=xxx.xxx.xxx.xxx/32,172.16.0.0/22
set api-ssl disabled=yes
/ppp secret
add name=jj profile=Open-VPN-Profile service=ovpn
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=FaithAcademy_CCR1009
/system logging
add action=disk topics=ovpn
add prefix=firewall: topics=firewall
/system note
set show-at-login=no
/tool sniffer
set filter-interface=ether4 filter-ip-address=172.16.5.0/24 filter-stream=yes \
streaming-enabled=yes streaming-server=172.16.1.23
Code: Select all
[Interface]
PrivateKey =
Address = 10.10.105.3/32
DNS = 8.8.8.8
[Peer]
PublicKey = iL9W08Zk48tXu5z0XqbyamdV1KZoQi4/8v3H+napzRQ=
AllowedIPs = 10.10.105.0/24
Endpoint = 107.182.96.246:44355
PersistentKeepalive = 10