cokiere
just joined
Topic Author
Posts: 14
Joined: Thu Sep 03, 2020 10:12 am

WireGuard Handshake issue protonvpn

Tue Feb 20, 2024 9:47 pm

hello
Yes, I know it is a very old problem. I read several forum threads about this but I didn't get a solution.
I have a Chateau LTE12, firmware 7.14rc1 (testing).
My problem is the ProtonVPN WireGuard setup: "Handshake for peer did not complete after 5 seconds, retrying (try 2)"
- firewall is off.
- IP forward on
- RP Strict
I found some solutions but no one for my problem
Any suggestions will be appreciated
Thanks
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: WireGuard Handshake issue protonvpn

Tue Feb 20, 2024 11:03 pm

It's probably your Chateau configuration.
 
cokiere
just joined
Topic Author
Posts: 14
Joined: Thu Sep 03, 2020 10:12 am

Re: WireGuard Handshake issue protonvpn

Tue Feb 20, 2024 11:49 pm

Hi
Please, what do you mean? I tried to reset but it didn't fix it.
I tried to downgrade without getting any change.
Thanks anyway.
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: WireGuard Handshake issue protonvpn

Wed Feb 21, 2024 12:17 am

Some possible reasons.

The destination IP address or port is wrong.
One (or both) of the Public keys is wrong.
The clock is wrong.

Perhaps your government or ISP blocks protonvpn.
(I would assume you would know if they did though)
 
cokiere
just joined
Topic Author
Posts: 14
Joined: Thu Sep 03, 2020 10:12 am

Re: WireGuard Handshake issue protonvpn

Thu Feb 22, 2024 12:34 pm

rplant wrote:
Some possible reasons.

The destination IP address or port is wrong.
One (or both) of the Public keys is wrong.
The clock is wrong.

Perhaps your government or ISP blocks protonvpn.
(I would assume you would know if they did though)

Thanks for your opinion, but none of your possible reasons apply: clock OK, IP OK, and government or ISP allow it...
The possible reason is a hardware problem: with another router WireGuard or IKEv2/IPsec work.

After the update the DHCP client is stuck on searching. Sometimes it is tough to get the LTE repeater or LTE aggregation.
Thank you
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: WireGuard Handshake issue protonvpn

Thu Feb 22, 2024 1:10 pm

Definitely a problem in your config........
 
cokiere
just joined
Topic Author
Posts: 14
Joined: Thu Sep 03, 2020 10:12 am

Re: WireGuard Handshake issue protonvpn

Sun Feb 25, 2024 11:08 pm

Hi
Yes, definitely my config:

# model = RBD53G-5HacD2HnD
# serial number = D7B00C01D3A8
/ip firewall filter
add action=accept chain=output protocol=icmp
add action=accept chain=input connection-state=established,related protocol=\
icmp
add action=accept chain=input connection-state=new dst-port=67 \
in-interface-list=LAN protocol=udp src-port=68
add action=accept chain=input connection-state=established,related,new
add action=accept chain=output connection-nat-state=srcnat,dstnat \
connection-state=invalid,established,related,new,untracked
add action=drop chain=input connection-state=invalid,untracked
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=CH-UK#1
add action=accept chain=input dst-port=67 protocol=udp src-port=68
add action=masquerade chain=srcnat src-address=192.168.100.0/24
/ip firewall raw
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
/ip firewall service-port
set irc disabled=no
set rtsp disabled=no

Is there something else that I can do?
Thank you for your help
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: WireGuard Handshake issue protonvpn

Mon Feb 26, 2024 3:49 am

Needing the raw rule might indicate some sort of dubiousness.

You could fix the port your MT client connects from (in the example below, 13231).
Add the following rules, enable them and see what gets logged, and how/if the counters count.
(Alternatively, set the firewall rules below to log packets to/from Proton VPN's port.)

The log indicates the interface the packet came in on, or is going out of; check they are what you expect.
Make sure the IP address it is leaving with is correct.
Check the port it is leaving with is correct.
/ip firewall mangle
add action=passthrough chain=prerouting comment="count wireguard" disabled=yes dst-port=13231 log=yes log-prefix=wgin protocol=udp
add action=passthrough chain=output comment="count wireguard" disabled=yes log=yes log-prefix=wgout-all protocol=udp src-port=13231
Disable them once you have analyzed the traffic and are happy it is doing what you want.

The following rule looks to have potential to cause issues.
add action=masquerade chain=srcnat src-address=192.168.100.0/24
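As an added example that is not part of rplant's post or of any MikroTik tool: a small Python script that reads the lines those two mangle rules would log and reports whether the handshake initiations leave on the expected WAN interface and whether the peer ever answers. The log line layout, the interface names (lte1, WG0) and the sample lines are constructed for this example; the packet sizes come from the WireGuard protocol (a handshake initiation is 148 bytes of UDP payload and a response 92, so with IPv4 and UDP headers they log as 176 and 120 bytes).

```python
"""Classify RouterOS firewall log lines produced by the two "count wireguard"
mangle rules. Added example, not code from the thread or from MikroTik.

The line layout is an approximation of RouterOS "log=yes" output, constructed
for this example; `len` is taken to be the IPv4 packet length (IPv4 only).
"""
import re

LISTEN_PORT = 13231        # the fixed client port used in the mangle rules
WAN_IFACE = "lte1"         # assumption: the LTE uplink is the expected egress
WG_INITIATION = 148 + 28   # WireGuard handshake initiation + IPv4/UDP headers
WG_RESPONSE = 92 + 28      # WireGuard handshake response + IPv4/UDP headers

LOG_RE = re.compile(
    r"^(?P<time>\S+) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in>\(unknown 0\)|[^\s,]+) out:(?P<out>\(unknown 0\)|[^\s,]+), "
    r"(?:src-mac [0-9A-Fa-f:]+, )?proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"len (?P<len>\d+)$"
)

# Constructed sample logs. HEALTHY_LOG: one initiation, one response, then a
# 32-byte keepalive data packet. BROKEN_LOG: three unanswered initiations, the
# last of which left via WG0, i.e. the default route into the tunnel swallowed
# the handshake itself (the case rplant's endpoint /32 route is meant to fix).
HEALTHY_LOG = """\
12:00:01 firewall,info wgout-all output: in:(unknown 0) out:lte1, proto UDP, 100.64.3.7:13231->203.0.113.10:51820, len 176
12:00:01 firewall,info wgin prerouting: in:lte1 out:(unknown 0), proto UDP, 203.0.113.10:51820->100.64.3.7:13231, len 120
12:00:01 firewall,info wgout-all output: in:(unknown 0) out:lte1, proto UDP, 100.64.3.7:13231->203.0.113.10:51820, len 60
"""
BROKEN_LOG = """\
12:00:01 firewall,info wgout-all output: in:(unknown 0) out:lte1, proto UDP, 100.64.3.7:13231->203.0.113.10:51820, len 176
12:00:06 firewall,info wgout-all output: in:(unknown 0) out:lte1, proto UDP, 100.64.3.7:13231->203.0.113.10:51820, len 176
12:00:11 firewall,info wgout-all output: in:(unknown 0) out:WG0, proto UDP, 10.2.0.2:13231->203.0.113.10:51820, len 176
"""


def parse_log(text: str):
    """Return (parsed events, count of non-empty lines that did not match)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            unparsed += 1
    return events, unparsed


def analyze(text: str, listen_port: int = LISTEN_PORT, wan_iface: str = WAN_IFACE) -> dict:
    """Count initiations/responses on the fixed port and flag wrong egress."""
    events, unparsed = parse_log(text)
    inits = [e for e in events
             if e["chain"] == "output" and e["proto"] == "UDP"
             and int(e["sport"]) == listen_port and int(e["len"]) == WG_INITIATION]
    resps = [e for e in events
             if e["chain"] == "prerouting" and e["proto"] == "UDP"
             and int(e["dport"]) == listen_port and int(e["len"]) == WG_RESPONSE]
    wrong_egress = [(e["time"], e["out"], e["src"]) for e in inits if e["out"] != wan_iface]
    if resps:
        verdict = "handshake answered"
    elif wrong_egress:
        verdict = "initiation routed into the tunnel: add a /32 route to the endpoint via the WAN"
    elif inits:
        verdict = "no response from peer: check endpoint, port, keys, clock, or upstream blocking"
    else:
        verdict = "no initiations seen: rules disabled or wrong listen-port"
    return {"initiations": len(inits), "responses": len(resps),
            "wrong_egress": wrong_egress, "unparsed": unparsed, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("broken", BROKEN_LOG)):
        print(name, analyze(log))
```

Feed it the output of `/log print where message~"wg"` (or the exported log file) after enabling the two rules; an initiation with `out:` set to the WireGuard interface, or a source address that is the tunnel address rather than the LTE address, is the routing loop rplant describes later in the thread, and initiations with no 120-byte reply point at the endpoint, key, clock or upstream filtering.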
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: WireGuard Handshake issue protonvpn

Mon Feb 26, 2024 1:31 pm

OP has mangled decent default settings into a mess.
 
cokiere
just joined
Topic Author
Posts: 14
Joined: Thu Sep 03, 2020 10:12 am

Re: WireGuard Handshake issue protonvpn

Tue Feb 27, 2024 9:05 pm

rplant wrote:
The following rule looks to have potential to cause issues.
add action=masquerade chain=srcnat src-address=192.168.100.0/24

Hi
Unfortunately the situation hasn't changed.
That rule is reported in the Proton guide: https://protonvpn.com/support/wireguard ... k-routers/
Public and private keys are right. Address and DNS are right.
Thank you for your suggestions
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: WireGuard Handshake issue protonvpn

Tue Feb 27, 2024 10:36 pm

Suggest getting rid of made-up rules, raw or otherwise, and sticking to the default rules. Add WireGuard settings,
THEN flush the Proton rule you talk about down the toilet; instead use this:
add chain=srcnat action=masquerade out-interface=wireguard

Also ensure you add this mangle rule to help with any potential MTU issues.

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" \
new-mss=clamp-to-pmtu out-interface=wireguard passthrough=yes protocol=tcp tcp-flags=syn


By the way, I don't even see an IP address in your config for WireGuard, or allowed IPs etc.
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: WireGuard Handshake issue protonvpn

Wed Feb 28, 2024 2:03 am

Another possibility

If you have a routing entry like:
/ip route
add comment="via wireguard" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1

or (not better)

/ip route
add comment="via wireguard" disabled=no distance=1 dst-address=0.0.0.0/1 gateway=wireguard1
add comment="via wireguard" disabled=no distance=1 dst-address=128.0.0.0/1 gateway=wireguard1
You should probably think about this route very carefully.
(Perhaps see what happens if change to dst-address=8.8.8.8 )
 
cokiere
just joined
Topic Author
Posts: 14
Joined: Thu Sep 03, 2020 10:12 am

solved: WireGuard protonvpn on mikrotik chateau12lte

Sat Mar 02, 2024 10:42 am

Hello
I got it. I feel a little bit of a loser, but I'm a hobbyist. Forgive me.
I had some problems with the hardware, because when I unplugged the wire the router lost its settings or bricked. I had to fix it, twice, through Netinstall, so I updated the firmware too. So far it works.
As per your suggestions I had to fix the MTU: 1360 is a compromise. I have to change server to get a good speed.
I should fix the firewall for a remote video camera: if you have advice I'd be grateful.

The DHCP client is still stuck on searching.

thanks again
see you

my config:

# 2024-03-02 08:19:07 by RouterOS 7.14
# software id = 1GE8-5YHF
#
# model = RBD53G-5HacD2HnD
# serial number = D7B00C01D3A8

/interface bridge
add name=brd priority=0x9000

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no \
frequency=2452 mode=ap-bridge ssid=chateau12lte24ghz wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=italy disabled=no \
frequency=5700 mode=ap-bridge ssid=chateau12lte5ghz wireless-protocol=802.11

/interface lte
set [ find default-name=lte1 ] allow-roaming=yes band="" sms-read=yes

/interface wireguard
add listen-port=51820 mtu=1360 name=WG0

/interface list
add name=WAN
add name=LAN

/interface lte apn
set [ find default=yes ] apn=iliad name=ILIAD use-network-apn=no

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=brd name=dhcp1

/routing table
add disabled=no fib name=WG0

/interface bridge port
add bridge=brd interface=ether1
add bridge=brd interface=wlan1
add bridge=brd interface=ether2

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=lte1 list=WAN
add interface=brd list=LAN

/interface wireguard peers
add allowed-address=0.0.0.0/0,10.2.0.0/30,::/0 endpoint-address=146.70.179.18 \
endpoint-port=51820 interface=WG0 persistent-keepalive=35s public-key=\
"QA+TBTylpDuM0c/gbNfX7/efivIMg7P0ncLMBtTvglg="

/ip address
add address=192.168.88.1/24 interface=brd network=192.168.88.0
add address=10.2.0.1/30 interface=WG0 network=10.2.0.0

/ip dhcp-client
add interface=brd use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=10.2.0.1 gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=10.2.0.1

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=forward dst-port=80-443 out-interface=WG0 protocol=\
tcp src-address=192.168.88.0/24
add action=drop chain=input connection-state=invalid in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=WG0
add action=masquerade chain=srcnat out-interface=brd

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WG0 pref-src="" \
routing-table=WG0 scope=30 suppress-hw-offload=no target-scope=10

/ip service
set www-ssl disabled=no

/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=WG0

/system clock
set time-zone-name=Europe/Rome

/system note
set show-at-login=no

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: WireGuard Handshake issue protonvpn

Sun Mar 03, 2024 1:45 pm

I think your best option is to reset to the default config and work from there.

Once reset,

You can choose from the following as suits your requirements.
Set up the name for the Router
Set up the password for the Router.
Set up your wireless as required.
/ip service: turn off unneeded services (I rarely use anything but WinBox).
/ip firewall service-port (commonly I disable the SIP ALG).

Note: I don't know this type of lte unit, I assume you can work your way
around it.

Note: If ether1 is setup as an (unwanted) wan port, you can attach
ether1 to the bridge, and disable the dhcp client.


You could perhaps make a backup of this configuration.

Next:
Set up Wireguard.

Modified from https://protonvpn.com/support/wireguard ... k-routers/
You will likely need to open this URL to make sense of some of the following.

Step 3:
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet private-key="your private key"
**choose your own listen port**

Step 4: (Take care with this, They are the server, you get 10.2.0.2, they get 10.2.0.1)
/ip address
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0 
Step 5

Add the endpoint address, endpoint port, and public key from the
WireGuard config file. Look for the lines starting PublicKey= and
Endpoint=.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=xxxxx interface=wireguard-inet persistent-keepalive=25s public-key="your public key" 
Step 6

Rather than just applying masquerade, Make the interface a WAN interface,
(This both causes it to masquerade, and also firewalls it)
/interface list member
add interface=wireguard-inet list=WAN
Step 7

Do this later.
#/ip route
#add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
#add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Step 8
/ip dns
set servers=10.2.0.1
In lte apn interface configuration turn off peer-dns.

**Possibly**
/interface lte apn
set 0 use-peer-dns=no
** Testing **
At this point you should be able to test if wireguard is working.
(You will only be able to ping 10.2.0.1 (Assuming they have set it up to answer pings), and get dns things from it)

Turn on the wireguard interface.
You should if configured correctly get tx, rx and handshake.

Try the following from the mikrotik.
/ping 10.2.0.1
:put [:resolve google.com server=10.2.0.1]
Try pinging 10.2.0.1 from your laptop.
do nslookup/dig from laptop to 10.2.0.1

** End testing **



Step 9 (Once testing is successful)

Replace x.x.x.x in the following with the endpoint address from the config file (Endpoint=).
/ip route
add disabled=no dst-address=x.x.x.x/32 gateway=lte1 routing-table=main suppress-hw-offload=no
I assume the above should work correctly, otherwise you may need to play with it a little.

Step 9A (was step 7)
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
Enable the WireGuard interface. (May still be enabled from testing above)

Then check that a traceroute to x.x.x.x still goes via the main lte interface.
/tool traceroute x.x.x.x
Check that a traceroute to 8.8.8.8 goes via the wireguard interface.
/tool traceroute 8.8.8.8
Edit: Hopefully near working...

You will still likely need:

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" \
new-mss=clamp-to-pmtu out-interface=wireguard-inet passthrough=yes protocol=tcp tcp-flags=syn

And perhaps reduce the wireguard mtu if required.
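The following is an added worked example, not code from rplant's post, MikroTik or ProtonVPN: a Python script that reads a WireGuard .conf of the kind ProtonVPN provides and prints the RouterOS commands for Steps 3 to 9 above, validating both keys and pinning the endpoint to the WAN before anything is pasted into the router. The interface name wg-proton, the WAN name lte1, the listen port, and the sample keys and addresses are assumptions made for the example.

```python
"""Turn a ProtonVPN-style WireGuard .conf into RouterOS commands.

Added example; not code from the thread, MikroTik or ProtonVPN. It follows
the steps in rplant's post (interface, address, peer, endpoint /32 route,
DNS) and checks the two things that most often break a handshake: a key that
is not 32 bytes of base64, and an endpoint that a default route into the
tunnel would swallow. Interface and WAN names are assumptions.
"""
import base64
import binascii
import ipaddress

# Constructed dummy keys (not real key material); the file layout is the
# standard [Interface]/[Peer] INI format that the ProtonVPN download uses.
PRIVATE_KEY = base64.b64encode(bytes(range(32))).decode()
PUBLIC_KEY = base64.b64encode(bytes(range(32, 64))).decode()
SAMPLE_CONF = f"""[Interface]
# constructed sample, not a real ProtonVPN config
PrivateKey = {PRIVATE_KEY}
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = {PUBLIC_KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""


def decode_key(key: str) -> bytes:
    """Return the 32 raw bytes of a WireGuard key, or raise ValueError."""
    try:
        raw = base64.b64decode(key.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {key!r}") from exc
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw


def parse_wg_conf(text: str) -> dict:
    """Parse the [Interface]/[Peer] file (one peer, as Proton ships it)."""
    sections = {"Interface": {}, "Peer": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current not in sections:
                raise ValueError(f"unexpected section [{current}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def routeros_commands(conf: dict, *, iface="wg-proton", listen_port=13231,
                      mtu=1420, wan_iface="lte1", prefix_len=30, keepalive=25) -> str:
    """Emit RouterOS commands for the parsed config, validating as we go."""
    interface, peer = conf["Interface"], conf["Peer"]
    for name, section in (("PrivateKey", interface), ("PublicKey", peer)):
        if name not in section:
            raise ValueError(f"{name} missing from config")
        decode_key(section[name])                # 32-byte sanity check
    host, _, port = peer["Endpoint"].rpartition(":")
    host, port = host.strip("[]"), int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad endpoint port {port}")
    # Proton hands out /32; rplant's steps use /30 so the router has a
    # connected route to 10.2.0.1 (Proton's side, which is also the DNS).
    address = ipaddress.ip_interface(interface["Address"].split(",")[0].strip())
    if prefix_len is not None:
        address = ipaddress.ip_interface(f"{address.ip}/{prefix_len}")
    lines = [
        "/interface wireguard",
        f'add name={iface} listen-port={listen_port} mtu={mtu} '
        f'private-key="{interface["PrivateKey"]}"',
        "/ip address",
        f"add address={address.with_prefixlen} interface={iface} "
        f"network={address.network.network_address}",
        "/interface wireguard peers",
        f'add interface={iface} public-key="{peer["PublicKey"]}" '
        f"endpoint-address={host} endpoint-port={port} "
        f"allowed-address={peer.get('AllowedIPs', '0.0.0.0/0')} "
        f"persistent-keepalive={keepalive}s",
    ]
    # With a default route into the tunnel the handshake packets themselves
    # would be routed into the tunnel; pin the endpoint to the WAN first.
    try:
        ipaddress.ip_address(host)
        lines += ["/ip route",
                  f"add dst-address={host}/32 gateway={wan_iface} "
                  'comment="keep the WireGuard endpoint on the WAN"']
    except ValueError:
        lines.append(f"# Endpoint {host} is a hostname: resolve it and add "
                     f"a /32 route via {wan_iface} by hand")
    if "DNS" in interface:
        lines += ["/ip dns", f"set servers={interface['DNS']}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(routeros_commands(parse_wg_conf(SAMPLE_CONF)))
```

Run it against the real downloaded file and paste the output in the order printed; the /32 route is emitted before the 0.0.0.0/1 and 128.0.0.0/1 routes of Step 9A are added, which is the order rplant's steps require. Pass prefix_len=None to keep Proton's /32 on the interface address instead of the /30 used in Step 4.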
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: WireGuard Handshake issue protonvpn

Mon Mar 04, 2024 12:12 am

One issue with the above is that there is no DNS available when wireguard is turned off.

You could perhaps add 8.8.8.8 and/or 1.1.1.1 as dns servers
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WireGuard Handshake issue protonvpn

Mon Mar 04, 2024 2:59 am

Fixed all changes captured by bold or colour, except the firewall rules, which were removed and proper ones added.

/interface bridge
add name=brd priority=0x9000
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no \
frequency=2452 mode=ap-bridge ssid=chateau12lte24ghz wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=italy disabled=no \
frequency=5700 mode=ap-bridge ssid=chateau12lte5ghz wireless-protocol=802.11
/interface lte
set [ find default-name=lte1 ] allow-roaming=yes band="" sms-read=yes
/interface wireguard
add listen-port=51820 mtu=1420 name=WG0
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] apn=iliad name=ILIAD use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=brd name=dhcp1
/routing table
add disabled=no fib name=via-WG0
/interface bridge port
add bridge=brd interface=ether1
add bridge=brd interface=ether2
add bridge=brd interface=wlan1
add bridge=brd interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=lte1 list=WAN
add interface=brd list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxxxxx \
endpoint-port=51820 interface=WG0 persistent-keepalive=35s public-key=\
"===================="
/ip address
add address=192.168.88.1/24 interface=brd network=192.168.88.0
add address=10.2.0.2/30 interface=WG0 network=10.2.0.0
/ip dhcp-client
add interface=brd use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=PROTON_supplied_DNS_address gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp comment="check ICMP"
add action=accept chain=input in-interface-list=LAN comment="allow users to router services"
add action=drop chain=input comment="drop all else"
# put the "drop all else" input rule in last, and ensure the LAN rule above it is in place!
# forward chain
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid comment="drop connection-state=invalid"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN disabled=yes comment="enable if applicable"
add action=accept chain=forward in-interface-list=LAN out-interface=WG0 comment="allow users to enter tunnel"
add action=accept chain=forward connection-nat-state=dstnat disabled=yes comment="enable if required for port forwarding"
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=WG0
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" \
new-mss=clamp-to-pmtu out-interface=WG0 passthrough=yes protocol=tcp tcp-flags=syn

/ip route
add dst-address=0.0.0.0/0 gateway=WG0 routing-table=via-WG0
/ip service
set www-ssl disabled=no
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=via-WG0
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN


NOTE:
It is not clear if you want your users to be able to access the local WAN if the WireGuard tunnel is not available.
Your routing rule allows the router to find an available route in the main table ( action=lookup ).
If you wanted no access to the local WAN if the tunnel goes down then it is best to set action=lookup-only-in-table.
In any case you will note that the two forward chain LAN to WAN rules are separate for the local WAN and for WG0.
Currently, LAN to WAN is disabled so users would not be able to access the local WAN regardless.

Also, are all the users the same? Maybe you want some to use only the local WAN and not WireGuard?
Another idea might be to have two subnets, one that goes out WireGuard only and another which only goes out the local WAN.

(edited, thanks rplant)
Last edited by anav on Mon Mar 04, 2024 2:41 pm, edited 2 times in total.
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: WireGuard Handshake issue protonvpn

Mon Mar 04, 2024 10:03 am

Use Anav's config, it seems likely more flexible.

One minor change
(10.2.0.1 seems to be the IP that protonvpn uses for its end)
/ip address
add address=10.2.0.2/30 interface=WG0 network=10.2.0.0
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WireGuard Handshake issue protonvpn

Mon Mar 04, 2024 2:42 pm

Fixed! Thanks..........
 
cokiere
just joined
Topic Author
Posts: 14
Joined: Thu Sep 03, 2020 10:12 am

SOLVED: WireGuard Handshake issue protonvpn

Thu Mar 07, 2024 6:19 pm

thanks a lot to everyone!
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WireGuard Handshake issue protonvpn

Fri Mar 08, 2024 12:52 am

Is it working now??
