> Hi, are you sure the config is correct?
No, I am quite sure it isn't!

> First of all you do not need to have the peer private key on the mikrotik.
Yes, I do not need it, and this is possibly the point!

> You can enable WireGuard logging to check addresses, etc., by enabling logging topic=Wireguard.
As I mentioned before, /system logging add topics=Wireguard produces NOTHING: this is the reason I insist the packet is accepted and then discarded. IF there is a way to see the reason Mikrotik discards the incoming packet (wrong key, wrong IP, whatever), it is welcome.

> To check how the raw Wireguard packets might appear on the Mikrotik, use Winbox by going to "Tools -> Packet Sniffer". Select the WAN interface and port 13231. Click on [Apply], [Start], and finally the [Packets] button to open the window where the tracing is displayed. Remember to press the [Stop] button to end the capture when you're done.
> On the Linux box, use: "tcpdump -i <name-of-wireguard-interface> port 13231" to trace the packet flow. You might also use "nc -v -u 1234567890.sn.mynetname.net 13231" to send UDP packets. One UDP packet is sent for each [enter].
Did you understand that it has been a week that I have been performing ALL these very elementary debugging steps?

> Too funny Larsa, I wonder how many times that needs to be stated, to "See the Light" regarding ensuring first posts are relevant.
> Death by a 1000 cuts LOL.. I simply don't help those that don't post the required information anymore. I tried to make it better but failed.
I worked in customer support for 40+ years: X25, SNA, UDLC, Uniscope, TCP, OSI, etc. I was between the field engineers and the producer of software/hardware. At that time, bugs were very, very usual: problems had to be reproduced and clearly reported to developers! I also got prizes for my great support skills. Unfortunately I am not an expert in today's protocols, even if I try to learn day by day. I think I know how to supply all the needed information. It is simply annoying for support people to read a huge quantity of useless information, so I try to focus on the basics and supply more info (that, maybe, I cannot guess exists) as soon as the expert says it is required.

> From the little revealed:
> Looking at your linux settings.
> - missing keep alive
> Mikrotik. Allowed IPs 0.0.0.0/0 is wrong.
> Best to post complete MT config minus sensitive bits.
> I ignored the post thus far due to this omission. The problem is not yours, it's the lack of guidance provided by the site, to ensure new posters were well prepared to make their first post.
I thought the MT configuration I posted on Tue Feb 13, 2024 1:45 pm was what is needed. Is that not enough? Or you mean that the full configuration of MT is required? You can find it here: http://www.rescas.eu/listing/download/public/pippo.zip. That said, while Android works fine, I am pretty convinced the MT side is OK and the problem must be on the Linux side. In other words, once a very similar packet comes from Android (two different Android phones) and it is passed to WireGuard and a very similar one is not passed, something in the packet itself must be wrong, so no need at all to investigate on MT!

> Yes full config please.
> Also 0.0.0.0/0 is fine on the android but NOT on the mikrotik
This is the full config.

> I had a quick glance at the configuration, though only for WireGuard and the firewall. Everything seems to be in order, and considering that the mobile devices are working, there probably isn't any issue with your RB2011. Thus, unfortunately you'll have to continue troubleshooting with your Linux box, the local network, or perhaps even your ISP.
> /interface wireguard
> add listen-port=13231 mtu=1420 name=wireguard1
> /interface wireguard peers
> add allowed-address=10.3.53.2/32 interface=wireguard1 private-key="xxx" public-key="xxx"
Yes: from the very beginning I was convinced the problem is ONLY in the Linux box. I opened this post while I was in the hope someone had already faced the problem and/or could give generic help.

> - Keep in mind that with MikroTik ROS, having 0.0.0.0 as the "allowed IP", you can only have one connection per "peer". As a suggestion, create a dedicated WireGuard interface and peer specifically for testing with your Linux box. Could it possibly be "WireGuardX" that you're using for this?
Fixed. Yes, it was WireGuardX, but now I am back to one WireGuard interface and I am testing only on that one. I have some configuration backups and I am no longer worried about breaking my working Android connection.

> - Is the ingress traffic for the Linux box working? Are you receiving any traffic, for example, with tcpdump -i wg-interface 'UDP port xxxx'?
Ok, maybe my environment was not detailed: that Linux box is connected via a 5G network to a "mobile phone" provider (Iliad) and can access the internet (web, email, etc.) with no problem. The MT is connected to a fiber provider (TIM) and, as well, can access the internet. The mobile phones are connected to the same 5G network. I NEVER try to connect both phone + Linux to WireGuard.

> - Does it make any difference if you connect the Linux box to internet using your Android?
Sorry, I think I don't fully understand the question. If you mean place one working phone in tethering, connect to it with Linux and try WG: yes, I tried; no, it behaves exactly in the same way.

> - When connecting the Androids compared to Linux, what is the status of the "handshake" on the RB2011?
Where can I see the handshake? By the way, in WinBox -> Wireguard I see the Tx and Rx counts grow with Android and stay at 0 (after reset, of course) with Linux.

> - Try connecting to another Linux box using the same keys as on RB2011. Does it work?
You mean configure another Linux box as WG server? Not easy/fast to do in my environment, but I will plan to do that in the future: very clever idea!

> 1. Next time you perform an export, you can simply use "/export" without any other flags.
Wilco. You now have the present configuration here: http://www.rescas.eu/listing/download/public/pippo.zip

When testing your Linux WireGuard Config following link provides you with excellent clues
> I absolutely love the format of the Pro Custodibus blogs!
> A brilliantly elaborate pedagogy using images in combination with a well-thought-out flow of explanatory text is among the best resources you can find on the internet. This is how I think User Guides and examples should look on the Mikrotik help page.
@Larsa, "A brilliantly elaborate pedagogy" .... I could not have said better myself .... Pro Custodibus Team are TRUE masters of guidance.

> When testing your Linux WireGuard Config following link provides you with excellent clues
Yes, I am between B1 and B2. I am afraid English is not my mother tongue and I am not able to explain something from the very beginning:

add action=accept chain=input comment="*** WireGuard ***" dst-port=13231 log=yes log-prefix="rsc WIREGUARD VPN UDP" protocol=udp
Frame 2: 190 bytes on wire (1520 bits), 190 bytes captured (1520 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 37.161.45.106, Dst: 82.54.167.114
User Datagram Protocol, Src Port: 18645, Dst Port: 13231
WireGuard Protocol
Type: Handshake Initiation (1)
Reserved: 000000
Sender: 0x3e73b8ff
Ephemeral: Cso1+7+SM0xqi9PSbrYfbqmk95Nc94negMEoIadh7jk=
[Has Private Key: False]
Encrypted Static
Encrypted Timestamp
mac1: ea1db43525f35fd49dc3ece66ea67287
mac2: 00000000000000000000000000000000
[Stream index: 1]
[Response in Frame: 3]
Frame 1: 190 bytes on wire (1520 bits), 190 bytes captured (1520 bits)
Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
Internet Protocol Version 4, Src: 37.161.45.106, Dst: 82.54.167.114
User Datagram Protocol, Src Port: 18645, Dst Port: 13231
WireGuard Protocol
Type: Handshake Initiation (1)
Reserved: 000000
Sender: 0x4b775352
Ephemeral: 3zxzPOAfrZUs14W2tE7Ztaj2PAX8o0+E7qbeZMMityw=
[Has Private Key: False]
Encrypted Static
Encrypted Timestamp
mac1: dd28c99cd37f4f51d4f3818e4852d047
mac2: 00000000000000000000000000000000
[Stream index: 0]
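An added example, not code from this thread: a small Python decoder for the 148-byte Handshake Initiation payload that Wireshark dissects above (type, reserved, sender, ephemeral, encrypted static, encrypted timestamp, mac1, mac2). It also recomputes mac1 from the responder's public key, which is the first check a WireGuard responder applies before silently dropping a packet. The responder key and the sample packet are constructed for the demonstration; the router's real public key is not on this page.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict

# Layout of a WireGuard Handshake Initiation (148 bytes), the same fields
# Wireshark lists in the capture above: type(1) reserved(3) sender(4)
# ephemeral(32) encrypted_static(48) encrypted_timestamp(28) mac1(16) mac2(16).
MSG_INITIATION = 1
INIT_LEN = 148
MAC1_OFFSET = 116          # mac1 covers every byte before it
LABEL_MAC1 = b"mac1----"   # constant from the WireGuard protocol spec


def parse_initiation(payload: bytes) -> Dict[str, object]:
    """Split the raw UDP payload of a handshake initiation into its fields."""
    if len(payload) != INIT_LEN:
        raise ValueError(f"expected {INIT_LEN} bytes, got {len(payload)}")
    if payload[0] != MSG_INITIATION:
        raise ValueError(f"not a handshake initiation (type {payload[0]})")
    return {
        "type": payload[0],
        "reserved": payload[1:4],
        "sender": struct.unpack("<I", payload[4:8])[0],   # little-endian index
        "ephemeral": payload[8:40],
        "encrypted_static": payload[40:88],
        "encrypted_timestamp": payload[88:116],
        "mac1": payload[116:132],
        "mac2": payload[132:148],
    }


def expected_mac1(responder_public_key: bytes, payload: bytes) -> bytes:
    """mac1 = MAC(HASH(LABEL_MAC1 || responder_pub), msg[0:116]); HASH is
    32-byte BLAKE2s and MAC is 16-byte keyed BLAKE2s, as in the spec."""
    key = hashlib.blake2s(LABEL_MAC1 + responder_public_key).digest()
    return hashlib.blake2s(payload[:MAC1_OFFSET], key=key, digest_size=16).digest()


def mac1_matches(responder_public_key: bytes, payload: bytes) -> bool:
    """True if the initiator built mac1 for this responder key; otherwise the
    responder drops the packet without any reply or log line."""
    return hmac.compare_digest(expected_mac1(responder_public_key, payload),
                               payload[MAC1_OFFSET:MAC1_OFFSET + 16])


def build_sample_initiation(responder_public_key: bytes, sender_index: int) -> bytes:
    """Constructed test packet: random ephemeral/ciphertext bytes, a valid mac1
    and an all-zero mac2 (no cookie in use, as in the captures above)."""
    body = bytes([MSG_INITIATION, 0, 0, 0]) + struct.pack("<I", sender_index)
    body += os.urandom(INIT_LEN - 32 - len(body))
    return body + expected_mac1(responder_public_key, body) + bytes(16)
```

If mac1 verifies against the router's public key and the router still stays silent, the failure is inside the encrypted static field, i.e. the initiator's static key does not match the configured peer, which is exactly the outcome this thread ends with.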
> The standard system log in RouterOS for Wireguard lacks logging at the packet level so you need to use WinBox "Packet Sniffer" to trace the Wireguard ingress/egress traffic.
I used it and I see the incoming "Handshake Initiation" packet coming in.

> If the Linux machine's interface isn't directly connected to the internet, I suggest you deactivate any firewall, ZeroTier, Tailscale, Docker or anything else that might affect the network traffic. After that's sorted out, check that iptables are completely empty and that the routing table doesn't have any strange entries. FYI, having two firewalls in sequence might cause problems if "double-NAT" occurs.
Here is why I seriously doubt my writing is understandable: IF the "Handshake Initiation" packet reaches the MT, how can "any firewall, ZeroTier, Tailscale, Docker or anything else" play a role? If MT would answer to "Handshake Initiation", yes, I could guess something in the return path blocks it, but I cannot imagine anything in the present scenario.

> Just to be on the safe side regarding how to manage the Wireguard keys: If you want to connect Linux to the same Wireguard peer that your Androids use, you must have an exact copy of the mobile's private and public keys in the Linux Wireguard configuration. If you instead use Linux genkey/pubkey, you must update the corresponding keys in Mikrotik's Wireguard Peer configuration.
Yes, that is very clear and is what I did from the beginning.

> Linux device should produce both a private key and a public key.
In this case, there is no way to have just one peer for both Android and Linux.

> Thus the statement that Linux had the wrong private key makes no sense to me.
Linux had the wrong private key since I placed it trusting the configuration file produced by Mikrotik.

> If you didn't use the private key and generated public key from your Linux device in creating the WireGuard interface, that's an error on your part.
Yes, it was my fault due to the reason above.

FIXED!!!